<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The section of iGov that refers to VOT basically provides a processing rule that if you receive it then it overrides the ACR value. The values are defined in external profiles such as the one NIST is working on:<div class=""><a href="https://github.com/usnistgov/800-63-3/blob/volume-d/sp800-63d/vot_mapping.md" class="">https://github.com/usnistgov/800-63-3/blob/volume-d/sp800-63d/vot_mapping.md</a><br class=""><div class=""><br class=""></div><div class="">In the NIST case it is a string with three elements, like scopes in OAuth 2.</div><div class=""><br class=""></div><div class="">I do think we need to expand the processing rules for that. What happens if you ask for IAL2 with AAL2 and FAL1, but the IdP has only proofed the user to IAL 1? Do you error or return the best you can do? </div><div class=""><br class=""></div><div class="">If we use the VOT encoding or something else we should still address those issues.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 11, 2017, at 12:24 PM, Mike Jones &lt;michael.jones@microsoft.com&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(0, 32, 96);" class="">Vectors of Trust (VoT) has always seemed like an unnecessarily complicated approach to 
me. Multi-dimensional attributes remind me of some of the worst and least-used features of SAML. If there’s a normative dependency upon it in iGov, in my view, it should be removed.<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(0, 32, 96);" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(0, 32, 96);" class=""> -- Mike<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><a name="_MailEndCompose" class=""><span style="color: rgb(0, 32, 96);" class=""><o:p class=""> </o:p></span></a></div><span class=""></span><div class=""><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class="">From:</b><span class="Apple-converted-space"> </span>Openid-specs-igov [mailto:openid-specs-igov-bounces@lists.openid.net]<span class="Apple-converted-space"> </span><b class="">On Behalf Of<span class="Apple-converted-space"> </span></b>Grassi, Paul A. 
(Fed) via Openid-specs-igov<br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>Monday, September 11, 2017 9:01 AM<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span>Phil Hunt (IDM) &lt;phil.hunt@oracle.com&gt;; John Bradley &lt;ve7jtb@ve7jtb.com&gt;<br class=""><b class="">Cc:</b><span class="Apple-converted-space"> </span>openid-specs-igov@lists.openid.net<br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-igov] Fwd: Regarding the vote on Implementer’s Drafts of Two iGov Specifications<o:p class=""></o:p></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">iGov, among many goals, will serve as a single interop baseline for cross-border federation. It can do that without VOT. What it can’t do is carry an interoperable assertion of assurance in its payload WITHOUT VOT. 
So, since iGov is not experimental, and needs VOT, I assert that VOT has graduated from experimental.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(181, 196, 223); padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="font-size: 12pt;" class="">From:<span class="Apple-converted-space"> </span></span></b><span style="font-size: 12pt;" class="">Openid-specs-igov <<a href="mailto:openid-specs-igov-bounces@lists.openid.net" style="color: purple; text-decoration: underline;" class="">openid-specs-igov-bounces@lists.openid.net</a>> on behalf of "Phil Hunt (IDM) via Openid-specs-igov" <<a href="mailto:openid-specs-igov@lists.openid.net" style="color: purple; text-decoration: underline;" class="">openid-specs-igov@lists.openid.net</a>><br class=""><b class="">Reply-To:<span class="Apple-converted-space"> </span></b>"Phil Hunt (IDM)" <<a href="mailto:phil.hunt@oracle.com" style="color: purple; text-decoration: underline;" class="">phil.hunt@oracle.com</a>><br class=""><b class="">Date:<span class="Apple-converted-space"> </span></b>Monday, September 11, 2017 at 11:07 AM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b>John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" style="color: purple; text-decoration: underline;" class="">ve7jtb@ve7jtb.com</a>><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b>"<a href="mailto:openid-specs-igov@lists.openid.net" style="color: purple; text-decoration: underline;" class="">openid-specs-igov@lists.openid.net</a>" <<a href="mailto:openid-specs-igov@lists.openid.net" style="color: purple; text-decoration: underline;" class="">openid-specs-igov@lists.openid.net</a>><br class=""><b class="">Subject:<span 
class="Apple-converted-space"> </span></b>Re: [Openid-specs-igov] Fwd: Regarding the vote on Implementer’s Drafts of Two iGov Specifications<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">The VoT spec is also experimental.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Having a normative dependence on an experimental spec creates instability and devalues this spec. Or is the intent that igov be experimental?<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><br class="">Phil<o:p class=""></o:p></div></div><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br class="">On Sep 11, 2017, at 4:48 AM, John Bradley via Openid-specs-igov <<a href="mailto:openid-specs-igov@lists.openid.net" style="color: purple; text-decoration: underline;" class="">openid-specs-igov@lists.openid.net</a>> wrote:<o:p class=""></o:p></p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Forwarding a comment on the vote. 
<span class="Apple-converted-space"> </span><o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">It is not uncommon for OIDF implementers drafts to have dependencies on ID. As it is not uncommon for IETF WG specs to reference other drafts. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Strictly speaking, vot is an AD-sponsored draft, so not the same status as an Individual Draft. Yes, the IETF has mysterious ways. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">To discuss the IETF process and that document the SAG list is best.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">The iGov WG has had extensive conversations with NIST and the UK and included VOT at their request. 
NIST is working on a profile of VOT.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">People interested in the iGov discussion with NIST should join the WG. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">As document shepherd I have been talking to NIST and others about their ability to profile VOT. Getting feedback on that is one of the reasons vot has not been progressed to the IESG yet. That will however be happening soon, unless more feedback is received in the IETF process. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Honestly the more feedback the better. Sometimes it takes specs referencing important work like VOT before people become aware of them. 
<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">I don't think we have an issue with the iGov implementers draft, but others can differ.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Regards <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">John B. <o:p class=""></o:p></div></div></div><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;">---------- Forwarded message ----------<br class="">From: "Prateek Mishra" <<a href="mailto:Prateek.Mishra@oracle.com" style="color: purple; text-decoration: underline;" class="">Prateek.Mishra@oracle.com</a>><br class="">Date: Sep 11, 2017 00:44<br class="">Subject: Fwd: Regarding the vote on Implementer’s Drafts of Two iGov Specifications<br class="">To: "John Bradley" <<a href="mailto:ve7jtb@ve7jtb.com" style="color: purple; text-decoration: underline;" class="">ve7jtb@ve7jtb.com</a>>, "Phil Hunt (IDM)" <<a href="mailto:phil.hunt@oracle.com" style="color: purple; text-decoration: underline;" class="">phil.hunt@oracle.com</a>><br class="">Cc:<span class="Apple-converted-space"> </span><o:p class=""></o:p></p><blockquote style="border-style: none none none solid; border-left-width: 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin: 5pt 0in 5pt 4.8pt;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" 
class=""><o:p class=""> </o:p></div><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p class=""> </o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Begin forwarded message:<o:p class=""></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="font-family: 'Helvetica Neue';" class="">From:<span class="Apple-converted-space"> </span></span></b><span style="font-family: 'Helvetica Neue';" class="">Prateek Mishra <<a href="mailto:Prateek.Mishra@oracle.com" target="_blank" style="color: purple; text-decoration: underline;" class="">Prateek.Mishra@oracle.com</a>></span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="font-family: 'Helvetica Neue';" class="">Subject: Regarding the vote on Implementer’s Drafts of Two iGov Specifications</span></b><o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="font-family: 'Helvetica Neue';" class="">Date:<span class="Apple-converted-space"> </span></span></b><span style="font-family: 'Helvetica Neue';" class="">September 10, 2017 at 10:42:35 PM PDT</span><o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="font-family: 'Helvetica Neue';" class="">To:<span class="Apple-converted-space"> </span></span></b><span style="font-family: 'Helvetica Neue';" class=""><a 
href="mailto:openid-specs-igov@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;" class="">openid-specs-igov@lists.openid.net</a></span><o:p class=""></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">The document has a normative reference to a Vectors of Trust “standard”. The so called normative reference is an individual draft and has no standing at this time. <o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">The draft <a href="https://tools.ietf.org/html/draft-richer-vectors-of-trust-05" target="_blank" style="color: purple; text-decoration: underline;" class="">https://tools.ietf.org/html/draft-richer-vectors-of-trust-05</a> has been somewhat updated to reflect NIST 800-63-3’s new components, but does not align.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">We have voted “OBJECT” on this draft and would like to see this worked through first.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">— prateek<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; 
font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div></div></div></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div></blockquote></div></div></blockquote></div></div></blockquote></div><br class=""></div></div></body></html>