<div dir="auto">David, it sounds to me like the issuer is tracking the subject and inferring the subject's real world identity from the hints given in the request. Is that what you intended?<div dir="auto"><br><div data-smartmail="gmail_signature" dir="auto">thx ..Tom (mobile)</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Sep 30, 2023, 3:14 AM David Chadwick via Openid-specs-ab &lt;<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div>
    <p>Using X.500 CAs as an example, if an erroneous request for a PKC
      is sent to the CA, the CA is entitled to correct the information
      and send back the correct information in the issued PKC. So if the
      issuer knows what the correct name of the VC subject is, it could
      return the VC with the correct name in the subject field. After
      all, the issuer is asserting the truth as it knows it to be. The
      holder can always reject the VC if it does not like the values
      that have been inserted by the issuer, but it cannot require the
      issuer to insert false values. There is no requirement on the
      holder to hold any VCs that it receives from the issuer or to
      present them to any verifier.</p>
    <p>Kind regards</p>
    <p>David<br>
    </p>
    <div>On 29/09/2023 16:07, Joseph Heenan via
      Openid-specs-ab wrote:<br>
    </div>
    <blockquote type="cite">
      
      Hi Kai
      <div><br>
      </div>
      <div>I’m not sure any of these cases are really strictly defined.
        Certainly we don’t test any behaviours like this in any of the
        OpenID Foundation conformance tests, although the testing of the
        claims perhaps is certainly not comprehensive.</div>
      <div><br>
      </div>
      <div>Rejecting the request seems fine.</div>
      <div><br>
      </div>
      <div>Accepting the request but ignoring parts of it is probably
        acceptable as I can’t see anything that really defines the
        behaviour in this case. You should probably NOT return any
        claims where the request for that claim is invalid. The caveat
        would be that by ignoring that part of the request you’re also
        losing your ability to tell the developer why their request is
        not working as they expected, which makes it harder for them to
        figure out what they’ve done wrong and hence harder for them to
        fix their request to be valid.</div>
      <div><br>
      </div>
      <div>In reality we really shouldn’t be expecting a situation like
        this to occur except when a developer has badly misread the
        specification, and hence my instinct is we should err towards
        returning an error that tells the developer what they’ve done
        wrong.</div>
      <div><br>
      </div>
      <div>(For clarity the above is not an official position of the
        OpenID Foundation.)</div>
      <div><br>
      </div>
      <div>Thanks</div>
      <div><br>
      </div>
      <div>Joseph</div>
      <div><br>
        <div><br>
          <blockquote type="cite">
            <div>On 28 Sep 2023, at 14:06, Kai Lehmann via
              Openid-specs-ab &lt;<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-ab@lists.openid.net</a>&gt;
              wrote:</div>
            <br>
            <div>
              
              <div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">Hi,<u></u><u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US"><u></u> <u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">The OIDCC spec allows RPs to request
                    individual claims with the claims parameter:<u></u><u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US"><u></u> <u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US"><a href="https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests" style="color:rgb(5,99,193);text-decoration:underline" target="_blank" rel="noreferrer">https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests</a><u></u><u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US"><u></u> <u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">I was wondering how strict the OP
                    should be in handling invalid claim values within
                    this request. For example:<u></u><u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US"><u></u> <u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">{</span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">&nbsp;&nbsp;"first_name": "INVALID",</span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">&nbsp;&nbsp;"last_name": 5,</span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">&nbsp;&nbsp;"email": {</span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">&nbsp;&nbsp;&nbsp;&nbsp;"essential": "INVALID"</span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">&nbsp;&nbsp;}</span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">}</span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US"><u></u> <u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">My interpretation of “The member values
                    MUST be one of the following …” would be that the
                    claims request parameter would be invalid if it
                    contained invalid member values and thus the server
                    should reject the request with a redirect back to
                    the RP’s provided redirect_uri with invalid_request
                    error. Would a more relaxed parsing (ignoring
                    invalid claim parameters) also be an option and
                    still in accordance with the specification?<u></u><u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US"><u></u> <u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">Best regards,<u></u><u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US">Kai<u></u><u></u></span></div>
                <div style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US"><u></u> <u></u></span></div>
              </div>
              <span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important">_______________________________________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
              <span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important">Openid-specs-ab
                mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
              <a href="mailto:Openid-specs-ab@lists.openid.net" style="color:rgb(5,99,193);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="noreferrer">Openid-specs-ab@lists.openid.net</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
              <a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color:rgb(5,99,193);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="noreferrer">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <pre cols="72">-- 
IMPORTANT NOTICE

The email addresses ..@<a href="http://verifiablecredentials.info" target="_blank" rel="noreferrer">verifiablecredentials.info</a> will shortly stop working. 
Can you please use

<a href="mailto:d.w.chadwick@truetrust.co.uk" target="_blank" rel="noreferrer">d.w.chadwick@truetrust.co.uk</a>

from now on</pre>
  </div>

</blockquote></div>
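<p>The strict handling discussed in this thread (reject the request with <code>invalid_request</code> and tell the developer which member is wrong), as an added example that is not code from any participant or from the OpenID Foundation. The function names are hypothetical, the sample places the members from the question under <code>id_token</code>, and <code>redirect_uri</code> is assumed to have already been matched against the client's registration.</p>

```python
import json
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

def _safe(text):
    # error_description is limited to %x20-21 / %x23-5B / %x5D-7E (RFC 6749, 4.1.2.1);
    # claim names come from the request, so drop everything else before echoing them.
    return "".join(c for c in text if " " <= c <= "~" and c not in '"\\')[:40]

def check_member(name, spec):
    """Return an error string for one requested claim, or None if it is well formed."""
    if spec is None:
        return None
    if not isinstance(spec, dict):
        return f"{_safe(name)}: must be null or a JSON object"
    if "essential" in spec and not isinstance(spec["essential"], bool):
        return f"{_safe(name)}: 'essential' must be true or false"
    if "values" in spec and not isinstance(spec["values"], list):
        return f"{_safe(name)}: 'values' must be an array"
    return None  # members this check does not know are left alone

def validate_claims(raw):
    """Strictly check the `claims` request parameter; returns a list of problems."""
    try:
        claims = json.loads(raw)
    except ValueError:
        return ["claims: not valid JSON"]
    if not isinstance(claims, dict):
        return ["claims: must be a JSON object"]
    errors = []
    for target in ("userinfo", "id_token"):  # other top-level members are ignored
        members = claims.get(target, {})
        if not isinstance(members, dict):
            errors.append(f"{target}: must be a JSON object")
            continue
        errors += filter(None, (check_member(n, s) for n, s in members.items()))
    return errors

def error_redirect(redirect_uri, state, errors):
    """Build the invalid_request redirect (redirect_uri already matched to the client)."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query) + [("error", "invalid_request"),
                                     ("error_description", "; ".join(errors))]
    if state is not None:
        query.append(("state", state))
    return urlunsplit(parts._replace(query=urlencode(query)))

# Constructed sample: the members from the question, plus one valid null member.
SAMPLE = ('{"id_token": {"first_name": "INVALID", "last_name": 5, '
          '"email": {"essential": "INVALID"}, "nickname": null}}')
```

<p>An OP that prefers the relaxed behaviour can use the same per-member check to decide which claims to leave out of the response instead of building the redirect.</p>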