<div dir="ltr">i raised the problem about persistent identifiers in other contexts.<div>What i understand from others is the the sub is persistent for the life of itself.</div><div>It is not persistent over the life of the real-world entity.</div><div>I, personally, find that unsatisfactory. I have a different meaning for the word subject as tied to the real-world entity.</div><div>But that does not seem to be the openid foundation concept at all.<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peace ..tom</div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 30, 2019 at 2:38 AM Mischa Salle via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Davide, others,<br>
<br>
does the spec actually state that for a given combination OP, RP, user,<br>
it always must create the same pairwise ID? The spec states<br>
"the OpenID Provider MUST calculate a unique sub (subject) value for<br>
each Sector Identifier"<br>
but it seems to me that doesn't imply that it MUST be the same each<br>
time? I.e. it doesn't seem to require a persistent pairwise sub for a<br>
given user? Or do I misread the meaning of unique?<br>
<br>
Cheers,<br>
Mischa<br>
<br>
On Thu, May 30, 2019 at 06:59:40AM +0200, Davide Vaghetti via Openid-specs-ab wrote:<br>
> Hi,<br>
> <br>
> on the point below:<br>
> <br>
> > Transient Subject Identifier Type<br>
> ><br>
> > At IIW, Davide Vaghetti talked about the need for a<br>
> > transient subject_type value, similar to that in SAML<br>
> ><br>
> > Mike and John encouraged him to write a specification for it<br>
> <br>
> ... this is what I've come up with:<br>
> <br>
> <a href="https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9" rel="noreferrer" target="_blank">https://gist.github.com/daserzw/813023b4e1c04d09beb732ef00d7c9e9</a><br>
> <br>
> Cheers,<br>
> Davide<br>
> <br>
> On 09/05/19 17:19, Mike Jones via Openid-specs-ab wrote:<br>
> > Spec Call Notes 9-May-19<br>
> > <br>
> > <br>
> > <br>
> > Mike Jones<br>
> > <br>
> > Roland Hedberg<br>
> > <br>
> > Brian Campbell<br>
> > <br>
> > Torsten Lodderstedt<br>
> > <br>
> > Bjorn Hjelm<br>
> > <br>
> > George Fletcher<br>
> > <br>
> > Tom Jones<br>
> > <br>
> > <br>
> > <br>
> > OpenID Certification<br>
> > <br>
> > Roland created certification tests for Session,<br>
> > Front-Channel, and Back-Channel, which are now being tested<br>
> > <br>
> > Filip Skokan provided a lot of early feedback on the OP tests<br>
> > <br>
> > We now need instructions for testing so others can do so<br>
> > <br>
> > It seems that there will need to be some<br>
> > browser-specific instructions in some cases<br>
> > <br>
> > There are RP logout tests also but they haven't been<br>
> > tested yet by others than Roland<br>
> > <br>
> > <br>
> > <br>
> > Authentication Failed Error Code Draft<br>
> > <br>
> > This is issue #1029<br>
> > <br>
> > The error code is now unmet_authentication_requirements<br>
> > <br>
> > Torsten submitted and Mike will publish the working group<br>
> > draft<br>
> > <br>
> > <br>
> > <br>
> > OpenID Connect for Identity Proofing<br>
> > <br>
> > Another new draft was published at<br>
> > <a href="https://openid.net/specs/openid-connect-4-identity-assurance.html" rel="noreferrer" target="_blank">https://openid.net/specs/openid-connect-4-identity-assurance.html</a><br>
> > <br>
> > Torsten led a discussion at IIW<br>
> > <br>
> > A lot of good feedback was received, including on<br>
> > requirements for other jurisdictions<br>
> > <br>
> > It was pointed out that some proofs will require multiple<br>
> > documents<br>
> > <br>
> > Torsten is working on updated syntax for that<br>
> > <br>
> > See issue #1082: Support for multiple proof<br>
> > sources<br>
> > <br>
> > Reviews are solicited<br>
> > <br>
> > We agreed that Torsten should present this during EIC<br>
> > <br>
> > <br>
> > <br>
> > EIC Next Week<br>
> > <br>
> > Roland, Torsten, Bjorn, George, and Mike will be at EIC<br>
> > next week<br>
> > <br>
> > <br>
> > <br>
> > Distinguishing first and third party cookies<br>
> > <br>
> > George let us know that there's a spec that adds the<br>
> > same-site qualifier to cookies<br>
> > <br>
> > <br>
> > <a href="https://tools.ietf.org/html/draft-west-cookie-incrementalism-00" rel="noreferrer" target="_blank">https://tools.ietf.org/html/draft-west-cookie-incrementalism-00</a><br>
> > <br>
> > Values are none, strict, and lax<br>
> > <br>
> > Also see<br>
> > <a href="https://web.dev/samesite-cookies-explained/" rel="noreferrer" target="_blank">https://web.dev/samesite-cookies-explained/</a><br>
> > <br>
> > and<br>
> > <a href="https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html" rel="noreferrer" target="_blank">https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html</a><br>
> > <br>
> > Google is adding support for this to Chrome<br>
> > <br>
> > George asked whether this might affect iframe and<br>
> > postMessage communication<br>
> > <br>
> > And whether this might affect Session Management<br>
> > <br>
> > <br>
> > <br>
> > Open Issues<br>
> > <br>
> > <br>
> > <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open" rel="noreferrer" target="_blank">https://bitbucket.org/openid/connect/issues?status=new&status=open</a><br>
> > <br>
> > #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT<br>
> > claims registry<br>
> > <br>
> > Brian asked whether Nat really meant the JWT<br>
> > Claims registry or the AS Metadata registry<br>
> > <br>
> > #1081: Need for a persistence user identifier - a PUID<br>
> > <br>
> > We discussed that change of keys is a change<br>
> > of identity for self-issued<br>
> > <br>
> > We discussed the ability to add a "did" claim<br>
> > to the ID Token when it is useful<br>
> > <br>
> > We discussed that the "sub" value must not<br>
> > change at key roll-over time<br>
> > <br>
> > <br>
> > <br>
> > Transient Subject Identifier Type<br>
> > <br>
> > At IIW, Davide Vaghetti talked about the need for a<br>
> > transient subject_type value, similar to that in SAML<br>
> > <br>
> > Mike and John encouraged him to write a specification for it<br>
> > <br>
> > <br>
> > <br>
> > Next Call<br>
> > <br>
> > The May 13th call is cancelled due EIC<br>
> > <br>
> > The next call is Thursday, May 23 at 7am Pacific Time<br>
> > <br>
> > <br>
> > _______________________________________________<br>
> > Openid-specs-ab mailing list<br>
> > <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
> > <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
> > <br>
> <br>
> -- <br>
> Davide Vaghetti<br>
> Consortium GARR<br>
> Tel: +390502213158<br>
> Mobile: +393357779542<br>
> Skype: daserzw<br>
> <br>
<br>
<br>
<br>
> _______________________________________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
<br>
-- <br>
Nikhef Room H155<br>
Science Park 105 Tel. +31-20-592 5102<br>
1098 XG Amsterdam Fax +31-20-592 5155<br>
The Netherlands Email <a href="mailto:msalle@nikhef.nl" target="_blank">msalle@nikhef.nl</a><br>
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>