[Openid-specs-igov] Latest iGov Profile section 3.4

Phil Hunt phil.hunt at oracle.com
Tue Oct 3 17:58:53 UTC 2017


Some concerns remaining…
3.4.  Vectors of Trust

   Servers MUST check for the presence of the "vtr" parameter before
   "acr" in Requests.  If both parameters are present the server will
   default to "vtr" as the request to respond to.  "acr" MUST then be
   ignored.

<PH> I thought this was to be changed to “SHOULD” select “vtr” and ignore “acr”.
I would prefer language, 
"If both parameters are present the server MUST choose either “vtr” or “acr” and
ignore the other parameter."



Varley & Grassi         Expires November 23, 2017               [Page 9]


                           openid-igov-profile                  May 2017


   OpenID Providers MAY provide the "vot" and contain valid values from
   the Vectors of Trust [I-D.richer-vectors-of-trust] standard.
<PH>OpenID Providers MAY provide the “vot” — when? I wonder if it might be helpful to say either
1. “In response to a request containing a “vtr””, or
2. “When responding, an OpenID Provider MAY provide a “vot” whether or not a “vtr” was requested.”

   The "vtr" and contain valid values from the Vectors of Trust
   [I-D.richer-vectors-of-trust] standard.
<PH> Is there a word missing above?

   It is out of scope of this document to determine how an organization
   maps their digital identity practices to valid VOT component values.
<PH>If a “vtr” is provided, is a “vot” required in the response? For example, as written, an implementer could process “vtr” and ignore “acr” but it would still be compliant if it did not return a “vot” in response. Is that the intent?

Phil

Oracle Corporation, Identity Cloud Services Architect
@independentid
www.independentid.com <http://www.independentid.com/>
phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
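
An added example, not part of the original message or of the iGov draft: a relying-party check for the gap raised in the last comment, where a provider processes "vtr" but returns no "vot". The function names and sample claims are constructed for illustration, and the matching rule is an assumption taken from the Vectors of Trust request semantics (components inside one requested vector are ANDed, the requested vectors are ORed).

```python
import re

# One VoT component: an uppercase demarcator followed by a single
# lowercase letter or digit, e.g. "P1" or "Cc".
_COMPONENT = re.compile(r"[A-Z][a-z0-9]")


def parse_vector(vector):
    """Split a vector string such as "P1.Cc.Ac" into a set of components."""
    if not isinstance(vector, str) or not vector:
        raise ValueError("vector must be a non-empty string")
    parts = vector.split(".")
    for part in parts:
        if not _COMPONENT.fullmatch(part):
            raise ValueError(f"malformed component: {part!r}")
    return frozenset(parts)


def check_vot(requested_vtr, id_token_claims):
    """Return (ok, reason) for an ID token received after sending requested_vtr.

    requested_vtr is the list of vector strings the RP sent as "vtr";
    id_token_claims is the already signature-verified ID token payload.
    """
    if not requested_vtr:
        return True, "no vtr sent; nothing to enforce"
    vot = id_token_claims.get("vot")
    if vot is None:
        # The provider may have honoured "vtr", fallen back to "acr", or
        # ignored both; without "vot" the RP cannot tell, so fail closed.
        return False, "vtr was requested but the response has no vot"
    try:
        returned = parse_vector(vot)
    except ValueError as exc:
        return False, f"invalid vot: {exc}"
    for wanted in requested_vtr:
        # Every component of one requested vector must be present (AND);
        # any single requested vector being satisfied is enough (OR).
        if parse_vector(wanted) <= returned:
            return True, f"vot satisfies requested vector {wanted}"
    return False, "vot satisfies none of the requested vectors"
```

A relying party that needs the requested assurance level treats a `False` result as a failed authentication, whatever "acr" value the response carries.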