<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Arial Black";
panose-1:2 11 10 4 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And only when we try and let things break will we learn what will work in the real world involving all the different members of the community.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Aaron Seib, CEO<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>@CaptBlueButton <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> (o) 301-540-2311<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(m) 301-326-6843<o:p></o:p></span></p><p class=MsoNormal><a href="nate-trust.org"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=205 height=48 id="Picture_x0020_1" src="cid:image001.jpg@01D12B58.83159080"></span></a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Openid-specs-heart [mailto:openid-specs-heart-bounces@lists.openid.net] <b>On Behalf Of </b>Justin Richer<br><b>Sent:</b> Sunday, November 29, 2015 9:34 PM<br><b>To:</b> John Bradley<br><b>Cc:</b> openid-specs-heart@lists.openid.net<br><b>Subject:</b> Re: [Openid-specs-heart] Health Relationship Trust Profile for OpenID Connect 1.0<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ultimately this work should all be referencing VoT and not LoA, but that wasn’t nearly as baked when the document was originally written.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I’m happy to put in alternate values here. Remember that this is an implementers draft, and things can and will break.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> — Justin<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Nov 28, 2015, at 3:33 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>The FICAM Trust framework referenced is a Trust Framework is a Government trust framework <a href="http://www.idmanagement.gov/trust-framework-solutions">http://www.idmanagement.gov/trust-framework-solutions</a><o:p></o:p></p><div><p class=MsoNormal>That identity providers for the US Federal Government must be certified against.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The goal of the eGov WG is to use this document as part of defining a profile of Connect that FICAM can use to define “Adopted Identity Scheme” for OpenID Connect.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>So it is a bit premature to be tying this document to FICAM. The FICAM LoA URI are not generic, they apply to that specific trust framework, certification and legal agreements.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Profiles using this should be specifying specific trust frameworks for there jurisdictions/communities of interest.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>John B.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Nov 28, 2015, at 2:57 PM, Adrian Gropper <<a href="mailto:agropper@healthurl.com">agropper@healthurl.com</a>> wrote:. <o:p></o:p></p></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'>John B's interpretation suggests that Section 5 is unclear. I did not read this section as suggestion that any particular "Trust Framework" must or should be used. I read it as simply saying that the OpenID Provider must label their particular authentication level according to a common definition with no particular framework implied. <o:p></o:p></p></div><p class=MsoNormal>Adrian <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Sat, Nov 28, 2015 at 12:14 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal>The FICAM acr values may be fine for the US but are probably not going to be used directly by other countries, and even in the US that implies having a FICAM certification to be able to meaningfully assert as a IdP. That might happen in the US but probably not in the UK etc. <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We could say "<span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>(FICAM) Trust Framework, or equivalent Trust Framework SHOULD be used”. </span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>In other words use known and preferably </span><a href="https://tools.ietf.org/html/rfc6711" target="_blank">https://tools.ietf.org/html/rfc6711</a> <span style='font-family:"Verdana","sans-serif"'>registered values. </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>It might be useful to add a reference to the LoA registry and ask GSA/NIST to register the FICAM LoA.</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>The last one rather then being a conversational must would be better as SHOULD. </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>It may not be practical for IdP to get agreement from all RP, using a documented set of values is probably sufficient.</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>I think Mile Jones was going to set up a IANA registry for that, but I don’t have a reference at hand.</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>John B.</span><o:p></o:p></p></div><div><div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Nov 28, 2015, at 1:36 PM, Eve Maler <<a href="mailto:eve.maler@forgerock.com" target="_blank">eve.maler@forgerock.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>A "relying party" is a term of art in the OIDC spec, and is defined up front, so I think we're okay there:<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><a href="http://openid.net/specs/openid-connect-core-1_0.html#Terminology" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#Terminology</a><o:p></o:p></p></div><div><p class=MsoNormal>"Relying Party (RP)<o:p></o:p></p></div><div><p class=MsoNormal>OAuth 2.0 Client application requiring End-User Authentication and Claims from an OpenID Provider."<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Regarding the should/SHOULD and must/MUST, good questions!<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>Eve Maler<br></b>ForgeRock Office of the CTO | VP Innovation & Emerging Technology<br>Cell <a href="tel:%2B1%20425.345.6756" target="_blank">+1 425.345.6756</a> | Skype: xmlgrrl | Twitter: @xmlgrrl<br>Join our <a href="http://forgerock.org/openuma/" target="_blank">ForgeRock.org OpenUMA</a> community!<o:p></o:p></p></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Sat, Nov 28, 2015 at 12:11 AM, Danny van Leeuwen <<a href="mailto:danny@health-hats.com" target="_blank">danny@health-hats.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='line-height:21.0pt'>1 question<o:p></o:p></p></div><div><p class=MsoNormal style='line-height:21.0pt'>2 words that might need to be capitalized<o:p></o:p></p></div><div><p class=MsoNormal style='line-height:21.0pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='line-height:21.0pt'>Otherwise the grammar is good.<o:p></o:p></p></div><div><p class=MsoNormal style='line-height:21.0pt'><b><span style='font-size:14.0pt;font-family:"Verdana","sans-serif"'><a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html#rfc.abstract" target="_blank">Abstract</a></span></b><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>The OpenID Connect protocol defines an identity federation system that allows a <span style='background:yellow'>relying</span> [what is a <b>relying</b> party?] party to request and receive authentication and profile information about an end user<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#595959'>From <<a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html" target="_blank">http://openid.bitbucket.org/HEART/openid-heart-oidc.html</a>> <o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal style='line-height:21.0pt'><a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html#rfc.section.5" target="_blank"><b><span style='font-size:14.0pt;font-family:"Verdana","sans-serif"'>5.</span></b></a><b><span style='font-size:14.0pt;font-family:"Verdana","sans-serif"'> </span></b><a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html#AuthenticationContext" target="_blank"><b><span style='font-size:14.0pt;font-family:"Verdana","sans-serif"'>Authentication Context</span></b></a><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>OpenID Providers MUST provide acr (authentication context class reference, equivalent to the Security Assertion Markup Language (SAML) element of the same name) and amr (authentication methods reference) values in ID tokens.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>The standardized Uniform Resource Identifiers (URIs) established by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework <span style='background:yellow'>should</span> [SHOULD?] be used for the acr values, depending on the Level of Assurance (LOA) of the authentication performed by the OpenID Provider:<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#595959'>From <<a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html" target="_blank">http://openid.bitbucket.org/HEART/openid-heart-oidc.html</a>> <o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The </span><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>amr</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> value is an array of strings describing the set of mechanisms used to authenticate the user to the OpenID Provider. Providers that require multi-factor authentication will typically provide multiple values (for example, memorized password plus hardware-token-generated one-time password). The specific values <span style='background:yellow'>must</span> [MUST?] be agreed upon and understood between the OpenID Provider and any Relying Parties.</span><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#595959'>From <<a href="http://openid.bitbucket.org/HEART/openid-heart-oidc.html" target="_blank">http://openid.bitbucket.org/HEART/openid-heart-oidc.html</a>> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='color:#888888'>-- <o:p></o:p></span></p><div><p class=MsoNormal><span style='color:#330099'>Danny van Leeuwen<br><a href="tel:617-304-4681" target="_blank">617-304-4681</a></span><span style='color:#888888'><o:p></o:p></span></p><div><p class=MsoNormal><span style='color:#888888'><o:p> </o:p></span></p><div><p class=MsoNormal><b><span style='color:#330099'>Blog <a href="http://www.health-hats.com/" target="_blank">www.health-hats.com</a> </span></b><b><i><span style='font-size:8.0pt;font-family:"Arial Black","sans-serif";color:#330099'>discovering the magic levers of best health</span></i></b><span style='color:#888888'><o:p></o:p></span></p></div></div><div><p class=MsoNormal><b><span style='color:#330099'>Twitter </span></b><b><i><span style='font-size:8.0pt;font-family:"Arial Black","sans-serif";color:#330099'>@healthhats</span></i></b><span style='color:#888888'><o:p></o:p></span></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Openid-specs-heart mailing list<br><a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>_______________________________________________<br>Openid-specs-heart mailing list<br><a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Openid-specs-heart mailing list<br><a href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><o:p></o:p></p></div><p class=MsoNormal><br><br clear=all><br>-- <o:p></o:p></p><div><div><div><div><div><div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Adrian Gropper MD<br><br><span style='font-family:"Arial","sans-serif";color:#1F497D'>PROTECT YOUR FUTURE - RESTORE Health Privacy!<br>HELP us fight for the right to control personal health data.<br>DONATE: <a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style='color:#0563C1'>http://patientprivacyrights.org/donate-2/</span></a></span> <o:p></o:p></p></div></div></div></div></div></div></div></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal>_______________________________________________<br>Openid-specs-heart mailing list<br><a href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div><div class=MsoNormal align=center style='text-align:center'><hr size=1 width="100%" noshade style='color:#A0A0A0' align=center></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>No virus found in this message.<br>Checked by AVG - <a href="http://www.avg.com">www.avg.com</a><br>Version: 2016.0.7227 / Virus Database: 4477/11090 - Release Date: 11/29/15<o:p></o:p></p></div></body></html>