<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The FICAM Trust Framework referenced is a Government trust framework <a href="http://www.idmanagement.gov/trust-framework-solutions" class="">http://www.idmanagement.gov/trust-framework-solutions</a><div class="">that identity providers for the US Federal Government must be certified against.</div><div class=""><br class=""></div><div class="">The goal of the eGov WG is to use this document as part of defining a profile of Connect that FICAM can use to define “Adopted Identity Scheme” for OpenID Connect.</div><div class=""><br class=""></div><div class="">So it is a bit premature to be tying this document to FICAM. The FICAM LoA URIs are not generic; they apply to that specific trust framework, certification and legal agreements.</div><div class=""><br class=""></div><div class="">Profiles using this should be specifying specific trust frameworks for their jurisdictions/communities of interest.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On Nov 28, 2015, at 2:57 PM, Adrian Gropper <<a href="mailto:agropper@healthurl.com" class="">agropper@healthurl.com</a>> wrote:</div></blockquote><blockquote type="cite" class=""><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="">John B's interpretation suggests that Section 5 is unclear. I did not read this section as suggesting that any particular "Trust Framework" must or should be used. I read it as simply saying that the OpenID Provider must label their particular authentication level according to a common definition, with no particular framework implied. 
<br class=""><br class=""></div>Adrian <br class=""></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Sat, Nov 28, 2015 at 12:14 PM, John Bradley <span dir="ltr" class=""><<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">The FICAM acr values may be fine for the US but are probably not going to be used directly by other countries, and even in the US that implies having a FICAM certification to be able to meaningfully assert as an IdP. That might happen in the US but probably not in the UK etc.<div class=""><br class=""></div><div class="">We could say "<font face="verdana" size="2" class="">(FICAM) Trust Framework, or equivalent Trust Framework SHOULD be used".</font></div><div class=""><font face="verdana" size="2" class=""><br class=""></font></div><div class=""><font face="verdana" size="2" class="">In other words, use known and preferably </font><a href="https://tools.ietf.org/html/rfc6711" target="_blank" class="">https://tools.ietf.org/html/rfc6711</a> <span style="font-family:verdana;font-size:small" class="">registered values. </span></div><div class=""><font face="verdana" size="2" class="">It might be useful to add a reference to the LoA registry and ask GSA/NIST to register the FICAM LoA.</font></div><div class=""><font face="verdana" size="2" class=""><br class=""></font></div><div class=""><font face="verdana" size="2" class="">The last one, rather than being a conversational must, would be better as SHOULD.
</font></div><div class=""><font face="verdana" size="2" class="">It may not be practical for an IdP to get agreement from all RPs; using a documented set of values is probably sufficient.</font></div><div class=""><font face="verdana" size="2" class=""><br class=""></font></div><div class=""><font face="verdana" size="2" class="">I think Mike Jones was going to set up an IANA registry for that, but I don’t have a reference at hand.</font></div><div class=""><font face="verdana" size="2" class=""><br class=""></font></div><div class=""><font face="verdana" size="2" class="">John B.</font></div><div class=""><div class="h5"><div class=""><font face="verdana" size="2" class=""><br class=""></font></div><div class=""><div class=""><blockquote type="cite" class=""><div class="">On Nov 28, 2015, at 1:36 PM, Eve Maler <<a href="mailto:eve.maler@forgerock.com" target="_blank" class="">eve.maler@forgerock.com</a>> wrote:</div><br class=""><div class=""><div dir="ltr" class="">A "relying party" is a term of art in the OIDC spec, and is defined up front, so I think we're okay there:<div class=""><br class=""></div><div class=""><a href="http://openid.net/specs/openid-connect-core-1_0.html#Terminology" target="_blank" class="">http://openid.net/specs/openid-connect-core-1_0.html#Terminology</a><br class=""></div><div class="">"Relying Party (RP)</div>
<div class="">OAuth 2.0 Client application requiring End-User Authentication and Claims from an OpenID Provider."</div><div class=""><br class=""></div><div class="">Regarding the should/SHOULD and must/MUST, good questions!</div><div class=""><br class=""></div></div><div class="gmail_extra"><br clear="all" class=""><div class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><p class=""><b class="">Eve Maler<br class=""></b>ForgeRock Office of the CTO | VP Innovation & Emerging Technology<br class="">Cell <a href="tel:%2B1%20425.345.6756" value="+14253456756" target="_blank" class="">+1 425.345.6756</a> | Skype: xmlgrrl | Twitter: @xmlgrrl<br class="">Join our <a href="http://forgerock.org/openuma/" target="_blank" class="">ForgeRock.org OpenUMA</a> community!</p></div></div></div></div></div>
<br class=""><div class="gmail_quote">On Sat, Nov 28, 2015 at 12:11 AM, Danny van Leeuwen <span dir="ltr" class=""><<a href="mailto:danny@health-hats.com" target="_blank" class="">danny@health-hats.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class=""><div style="margin:0in;line-height:21pt" class="">1 question</div><div style="margin:0in;line-height:21pt" class="">2 words that might need to be capitalized</div><div style="margin:0in;line-height:21pt" class=""><br class=""></div><div style="margin:0in;line-height:21pt" class="">Otherwise the grammar is good.</div><div style="margin:0in;line-height:21pt" class=""><span style="font-weight:bold;font-family:verdana;font-size:14pt" class=""><a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html#rfc.abstract" target="_blank" class="">Abstract</a></span></div><div style="margin:0in;font-family:verdana;font-size:10pt" class="">The
OpenID Connect protocol defines an identity federation system that allows a <span style="background:yellow" class="">relying</span> [what is a <span style="font-weight:bold" class="">relying</span>
party?] party to request and receive authentication and profile information
about an end user</div><p style="margin:0in;font-family:Calibri;font-size:11pt" class=""> </p><div style="margin:0in;font-family:Calibri;font-size:9pt;color:rgb(89,89,89)" class="">From
<<a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html" target="_blank" class="">http://openid.bitbucket.org/HEART/openid-heart-oidc.html</a>>
</div><p style="margin:0in;font-family:Calibri;font-size:11pt" class=""> </p><div style="margin:0in;line-height:21pt" class=""><a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html#rfc.section.5" target="_blank" class=""><span style="font-weight:bold;font-family:verdana;font-size:14pt" class="">5.</span></a><span style="font-weight:bold;font-family:verdana;font-size:14pt" class=""> </span><a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html#AuthenticationContext" target="_blank" class=""><span style="font-weight:bold;font-family:verdana;font-size:14pt" class="">Authentication
Context</span></a></div><div style="margin:0in;font-family:verdana;font-size:10pt" class="">OpenID
Providers MUST provide acr (authentication context class reference, equivalent
to the Security Assertion Markup Language (SAML) element of the same name) and
amr (authentication methods reference) values in ID tokens.</div><div style="margin:0in;font-family:verdana;font-size:10pt" class="">The
standardized Uniform Resource Identifiers (URIs) established by the Federal
Identity, Credential, and Access Management (FICAM) Trust Framework <span style="background:yellow" class="">should</span> [SHOULD?] be used
for the acr values, depending on the Level of Assurance (LOA) of the
authentication performed by the OpenID Provider:</div><p style="margin:0in;font-family:Calibri;font-size:11pt" class=""> </p><div style="margin:0in;font-family:Calibri;font-size:9pt;color:rgb(89,89,89)" class="">From
<<a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html" target="_blank" class="">http://openid.bitbucket.org/HEART/openid-heart-oidc.html</a>>
</div><p style="margin:0in;font-family:Calibri;font-size:11pt" class=""> </p><div style="margin:0in;font-family:Calibri" class=""><span style="font-size:11pt" class="">The </span><span style="font-size:10pt" class="">amr</span><span style="font-size:11pt" class=""> value
is an array of strings describing the set of mechanisms used to authenticate
the user to the OpenID Provider. Providers that require multi-factor
authentication will typically provide multiple values (for example, memorized
password plus hardware-token-generated one-time password). The specific values </span><span style="font-size:11pt;background:yellow" class="">must</span><span style="font-size:11pt" class=""> [MUST?] be agreed upon and understood between the
OpenID Provider and any Relying Parties.</span></div><p style="margin:0in;font-family:Calibri;font-size:11pt" class=""> </p><div style="margin:0in;font-family:Calibri;font-size:9pt;color:rgb(89,89,89)" class="">From
<<a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html" target="_blank" class="">http://openid.bitbucket.org/HEART/openid-heart-oidc.html</a>> </div><span class=""><font color="#888888" class=""><div class=""><br class=""></div>-- <br class=""><div class=""><font color="#330099" class="">Danny van Leeuwen<br class=""><a href="tel:617-304-4681" value="+16173044681" target="_blank" class="">617-304-4681</a><br class=""></font><div class=""><b class=""><font color="#330099" class=""><br class=""></font></b><div class=""><b class=""><font color="#330099" class="">Blog <a href="http://www.health-hats.com/" target="_blank" class="">www.health-hats.com</a> <i class=""><span style="font-size:8pt;font-family:'Arial Black',sans-serif" class="">discovering the magic levers of best health</span></i></font></b></div></div><div class=""><b class=""><font color="#330099" class="">Twitter </font></b><b class=""><font color="#330099" class=""><i class=""><span style="font-size:8pt;font-family:'Arial Black',sans-serif" class="">@healthhats</span></i></font></b></div></div>
</font></span></div>
<br class="">_______________________________________________<br class="">
Openid-specs-heart mailing list<br class="">
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank" class="">Openid-specs-heart@lists.openid.net</a><br class="">
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br class="">
<br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></div></div></div>
<br class=""></blockquote></div><br class=""><br clear="all" class=""><br class="">-- <br class=""><div class="gmail_signature"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><br class=""><div dir="ltr" class="">Adrian Gropper MD<span style="font-size:11pt" class=""></span><br class=""><br class=""><span style="font-family:"Arial",sans-serif;color:#1f497d" class="">PROTECT YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:"Arial",sans-serif;color:#1f497d" class=""><br class="">HELP us fight for the right to control personal health data.</span><span style="font-family:"Arial",sans-serif;color:#1f497d" class=""></span><span style="font-family:"Arial",sans-serif;color:#1f497d" class=""><br class="">DONATE:
<a href="http://patientprivacyrights.org/donate-2/" target="_blank" class=""><span style="color:#0563c1" class="">http://patientprivacyrights.org/donate-2/</span></a></span><span style="color:#1f497d" class=""></span>
</div></div></div></div></div></div></div></div>
</div>
</div></blockquote></div><br class=""></div></body></html>