<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Arial;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">As discussed, our metadata proposed model in draft. All elements optional, though I expect us to potentially say ‘metadata element A is meaningless without C’. Doesn’t answer the historical
question.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">https://pages.nist.gov/NISTIR-8112<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Paul<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black">Openid-specs-igov <openid-specs-igov-bounces@lists.openid.net> on behalf of Justin Richer via Openid-specs-igov <openid-specs-igov@lists.openid.net><br>
<b>Reply-To: </b>Justin Richer <jricher@mit.edu><br>
<b>Date: </b>Saturday, August 27, 2016 at 6:23 PM<br>
<b>To: </b>Adam Cooper <adam.cooper@digital.cabinet-office.gov.uk><br>
<b>Cc: </b>Openid-specs-igov <openid-specs-igov@lists.openid.net><br>
<b>Subject: </b>Re: [Openid-specs-igov] iGov Profile - suggestions for User Identifiers and Claim History<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">One issue is that we don’t say how historical information is represented. We need to extend the data model appropriately for this.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> — Justin<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Aug 27, 2016, at 10:01 AM, Adam Cooper via Openid-specs-igov <<a href="mailto:openid-specs-igov@lists.openid.net">openid-specs-igov@lists.openid.net</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">Hi all,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In followup to this week's call I had a couple of actions for suggestions to add to the profile based on UK and EU government backed identity schemes. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><u>User Identifiers</u><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In the profile we currently have the following sub vales defined as part of the ID Token:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">sub<o:p></o:p></p>
</div>
</div>
<blockquote style="margin-left:30.0pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">The identifier of the user. SHOULD be a pairwize annonymous identifier, and be unique per client to prevent linkability and traceability between clients.<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Based on the eIDAS interoperability specifications (which covers 28 EU member states including for now the UK), I would suggest that we provide the additional guidance for providers when creating "sub" values:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="margin-left:30.0pt;margin-right:0in">
<div>
<p class="MsoNormal">As a baseline requirement the "sub" identifier value should not include elements that directly identify the Principal i.e. the user. This follows the requirement for a persistent name identifier in other international identity standards
such that persistent identifiers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Hashing of "sub" identifier values is permitted although this is not mandated by this profile. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The "sub" identifier value MUST NOT contain any whitespace. It is recommended that the "sub" identifier value is at least 32 characters in length. <o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Optionally we may also wish to include some guidance about the stability of uniqueness identifiers:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="margin-left:30.0pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">The Uniqueness Identifier represented by the "sub" (subject) claim value shall remain unchanged for the lifetime of the identity account (as created by the underlying identity scheme). A Uniqueness Identifier shall never be reused, e.g.
a new Uniqueness Identifier shall not match a Uniqueness Identifier that has been deleted. <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Any service that consumes assertions of identity must assume that the Uniqueness Identifier presented for a particular person (natural or legal) may change over time e.g. where the user’s digital identity is replaced or repaired. This should
be handled by a consuming service using the same matching process as used when an identity is first encountered utilising the set of identity attributes used to identify the Principal (i.e. user) within the service. <o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><u>Claim History</u><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Where available previous name, address and date of birth claim values may be provided by the UserInfo Endpoint. These additional historic claim values, where available, should be provided to increase the possibility of a successful match
to a government "account" where the user has changed personal details recently or visits the digital service being accessed infrequently. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Cheers,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">A<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Adam Cooper<o:p></o:p></p>
</div>
<p class="MsoNormal">Identity Assurance Programme <o:p></o:p></p>
<div>
<p class="MsoNormal">Government Digital Service<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">125 Kingsway, London, <span style="font-size:9.0pt;font-family:Arial;background:white">WC2B 6NH</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Tel: 07973 123 038<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">official: <a href="mailto:adam.cooper@digital.cabinet-office.gov.uk" target="_blank">adam.cooper@digital.cabinet-office.gov.uk</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">official sensitive: <a href="mailto:adam.cooper@govdigital.gsi.gov.uk" target="_blank">
adam.cooper@govdigital.gsi.gov.uk</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-igov mailing list<br>
<a href="mailto:Openid-specs-igov@lists.openid.net">Openid-specs-igov@lists.openid.net</a><br>
http://lists.openid.net/mailman/listinfo/openid-specs-igov<o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>