<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Thanks all. This looks like an interesting spec.<div class=""><br class=""></div><div class="">I did initially assume the same as others, that the credential would be issued from the userinfo endpoint.</div><div class=""><br class=""></div><div class="">It might be worth considering an alternative name like “user claims” instead of “userinfo”?</div><div class=""><br class=""></div><div class="">It’s also interesting to think about how this might work with the <a href="https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter" class="">OIDC ‘claims’ parameter </a>- that would presumably result in the need for a new entity inside the ‘claims’ object in the request at the same level as “id_token” and “userinfo”.</div><div class=""><br class=""></div><div class="">My initial thought is I’d be in favour of adoption.</div><div class=""><br class=""></div><div class="">Thanks</div><div class=""><br class=""></div><div class="">Joseph</div><div class=""><br class=""></div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 13 Dec 2022, at 08:59, Kristina Yasuda via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">


<div class="">
<div dir="ltr" class="">
<div class=""></div>
<div class="">
<div class="">
<div dir="ltr" class=""><span id="ms-outlook-ios-cursor" class=""></span>Thanks, Jer!</div>
</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">Just to clarify, because it came up during the Pacific Connect call today, "the draft profile does not use UserInfo endpoint (tho the name might imply so)". The endpoint used to issue VCs is the Credential Endpoint defined in the VCI spec.</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">We realize the name of the draft might be a little confusing - we are open to suggestions - the core idea is that the claim set included in the VCs is the same as the basic claim set defined in OIDC Core.</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">Cheers, </div>
<div dir="ltr" class="">Kristina </div>
<div dir="ltr" class=""><br class="">
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1" class="">
<div id="divRplyFwdMsg" dir="ltr" class=""><font face="Calibri, sans-serif" style="font-size:11pt" class=""><b class="">From:</b> Openid-specs-ab <<a href="mailto:openid-specs-ab-bounces@lists.openid.net" class="">openid-specs-ab-bounces@lists.openid.net</a>> on behalf of Jeremie Miller via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>><br class="">
<b class="">Sent:</b> Tuesday, December 13, 2022 10:16:50 AM<br class="">
<b class="">To:</b> Artifact Binding/Connect Working Group <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>><br class="">
<b class="">Cc:</b> Jeremie Miller <<a href="mailto:jmiller@pingidentity.com" class="">jmiller@pingidentity.com</a>><br class="">
<b class="">Subject:</b> Re: [Openid-specs-ab] UserInfo Verifiable Credentials</font>
<div class=""> </div>
</div>
<div class="">
<div dir="ltr" class="">Hi Richard, welcome!
<div class=""><br class="">
</div>
<div class="">I'm in complete support of this, a quick read of the proposed draft looks very complete already as well, great work and thank you!</div>
<div class=""><br class="">
</div>
<div class="">Jer</div>
<div class=""><br class="">
</div>
</div>
<br class="">
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Mon, Dec 12, 2022 at 4:08 PM Richard Barnes (richbarn) via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> wrote:<br class="">
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div class="x_msg4046758275480502895">
<div lang="EN-US" style="" class="">
<div class="x_m_-101234039186349967WordSection1"><p class="x_MsoNormal">Hi everyone,<u class=""></u><u class=""></u></p><p class="x_MsoNormal"><u class=""></u> <u class=""></u></p><p class="x_MsoNormal">I’m Richard Barnes from Cisco.  I’m new to OpenID, but might be familiar to some folks from the IETF, where I’ve worked on crypto things like TLS, MLS, and ACME (and JOSE back in the day).<u class=""></u><u class=""></u></p><p class="x_MsoNormal"><u class=""></u> <u class=""></u></p><p class="x_MsoNormal">I wanted to bring to the group some proposed new work on “UserInfo Verifiable Credentials” that I’ve been working on with Kristina Yasuda, Pieter Kasselman, and Morteza Ansari. 
<u class=""></u><u class=""></u></p><p class="x_MsoNormal"><u class=""></u> <u class=""></u></p><p class="x_MsoNormal">MD: <a href="https://github.com/bifurcation/userinfo-vc/blob/main/userinfo-vc.md" target="_blank" class="">
https://github.com/bifurcation/userinfo-vc/blob/main/userinfo-vc.md</a><u class=""></u><u class=""></u></p><p class="x_MsoNormal">HTML: <a href="https://bifurcation.github.io/userinfo-vc" target="_blank" class="">
https://bifurcation.github.io/userinfo-vc</a><u class=""></u><u class=""></u></p><p class="x_MsoNormal"><u class=""></u> <u class=""></u></p><p class="x_MsoNormal">The high-level idea here is to take the OpenID for Verifiable Credential Issuance spec and give it the same level of easy interoperability as OpenID Connect.  The generality of the VCI mechanism is powerful, but means the wallet and issuer
 need to agree on a bunch of details, each of which is a chance for interop failure.<u class=""></u><u class=""></u></p><p class="x_MsoNormal"><u class=""></u> <u class=""></u></p><p class="x_MsoNormal">Concretely, the proposal is to define a profile of VC and VCI that is tailored to OpenID Connect.  A “UserInfo VC” carries the same claims that are provided by the UserInfo endpoint, wrapped as a VC.  The issuance process is just VCI
 with certain knobs pre-set (e.g., proof of possession is always via a JWT).<u class=""></u><u class=""></u></p><p class="x_MsoNormal"><u class=""></u> <u class=""></u></p><p class="x_MsoNormal">We would love to see this work adopted by this WG.  In any case, feedback welcome!<u class=""></u><u class=""></u></p><p class="x_MsoNormal"><u class=""></u> <u class=""></u></p><p class="x_MsoNormal">Thanks,<u class=""></u><u class=""></u></p><p class="x_MsoNormal">--Richard<u class=""></u><u class=""></u></p><p class="x_MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div>
_______________________________________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.net</a><br class="">
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank" class="">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>

</div></blockquote></div><br class=""></div></body></html>