<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Phll this wasn't sent to is not the iGov WG list.so I added the list to get it into the record.</div><div class=""><br class=""></div><div class="">Phil many of your comments about business logic applies both to VOT and ACR. Yes that needs to be specified.</div><div class="">Glad you are interested in working on it.</div><div class=""><br class=""></div><div class="">FYI there is a IETF VOT mailing list. <a href="https://www.ietf.org/mailman/listinfo/vot" class="">https://www.ietf.org/mailman/listinfo/vot</a> </div><div class="">It could be used more but there is some traffic.</div><div class=""><br class=""></div>VOT uses the “vim” claim value for a URI to define what the trust framework is and if the IdP is registered to make assertions using that trust framework.<div class=""><br class=""></div><div class="">If a given RP doesn’t support VOT or a given trust mark then it should ent include that in its request and fall beck to ACR.</div><div class="">If a RP/client dosen't specify VOT in its request then it can ignore VOT in the response.</div><div class="">If a IdP doesn’t support VOT then it can ignore it and fall back to ACR.</div><div class=""><br class=""></div><div class="">Now for some federations the ACR values may or may not be defined or be defined for some subset of VOT combinations.</div><div class="">Your milage may very in that case.</div><div class=""><br class=""></div><div class="">Yes the business logic needs to be specified around if a hard error is returned or a lower or different value can be returned etc. All the same issues we have with ACR.</div><div class=""><br class=""></div><div class="">So yes it needs to be fleshed out more.</div><div class=""><br class=""></div><div class="">iGov should not define the trust frameworks only the processing rules around how to deal with the requests and responses from the protocol perspective. </div><div class=""><br class=""></div><div class="">The implementors draft vote was a trick to get you to read it, and not the final version.</div><div class=""><br class=""><div class="">John B.</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 11, 2017, at 4:39 PM, Phil Hunt <<a href="mailto:phil.hunt@oracle.com" class="">phil.hunt@oracle.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Paul,</div><div class=""><br class=""></div><div class="">In response to your comment (and this is really iGov related)….</div>The iGov spec says…<div class=""><blockquote type="cite" class=""><span style="font-family: verdana, helvetica, arial, sans-serif; font-size: 13.333333015441895px;" class="">Servers MUST check for the presence of the </span><samp style="font-size: 13.333333015441895px;" class="">vtr</samp><span style="font-family: verdana, helvetica, arial, sans-serif; font-size: 13.333333015441895px;" class=""> parameter before </span><samp style="font-size: 13.333333015441895px;" class="">acr</samp><span style="font-family: verdana, helvetica, arial, sans-serif; font-size: 13.333333015441895px;" class=""> in Requests. If both parameters are present the server will default to </span><samp style="font-size: 13.333333015441895px;" class="">vtr</samp><span style="font-family: verdana, helvetica, arial, sans-serif; font-size: 13.333333015441895px;" class=""> as the request to respond to. </span><samp style="font-size: 13.333333015441895px;" class="">acr</samp><span style="font-family: verdana, helvetica, arial, sans-serif; font-size: 13.333333015441895px;" class=""> MUST then be ignored.</span></blockquote><div class=""><br class="webkit-block-placeholder"></div><div class="">Optionality for the OP/IDP is not optional for the RP/Client.</div><div class=""><br class=""></div><div class="">This text is unclear as to what the client is supposed to do if it gets a “vtr”. What does “default” mean? It is clear that “acr” MUST be ignored.</div><div class=""><br class=""></div><div class="">The spec is unclear about what an iGov compliant client that does not support “vtr" can proceed. It does not say why it must ignore the acr if vtr is present. Remember, in the absence of NIST, a server can easily understand both “acr” and “vtr” through it cannot attach meaning to the “vtr” without the NIST guidelines. What does a server in europe or any other jurisdiction do?</div><div class=""><br class=""></div><div class="">On VoT itself, is it true that *all* claims must be proofed to the same level? From the VoT draft:</div><div class=""><blockquote type="cite" class=""><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"> The Identity Proofing dimension defines, overall, how strongly the
set of identity attributes have been verified and vetted. In other
words, this dimension describes how likely it is that a given digital
identity transaction corresponds to a particular (real-world)
identity subject.</pre></blockquote><div class=""><br class=""></div></div><div class="">What if eye-color or a professional qualification is self asserted(P1) but the name and identifier is P3? What does the OP do, must it:</div><div class="">* only assert claims that meet P3?</div><div class="">* assert P1 as the lowest quality denominator</div><div class=""><br class=""></div><div class="">It may be perfectly reasonable to accept an unverified claim of post-secondary education as good enough (e.g. for employment purposes), but if that claim then gets exported as P3 as evidence that the person is qualified (e.g. as a doctor) then that would be a mistake. </div><div class="">—> I see no guidances on how to handle varying quality of claims. This seems important because almost no system that gathers claims does so to the same degree regarding every claim.</div><div class=""><br class=""></div><div class="">I don’t see any guidance on this in the VoT draft.</div><div class=""><br class=""></div><div class="">Phil</div><div class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><span class="Apple-style-span" style="border-collapse: separate; line-height: normal; border-spacing: 0px;"><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div class=""><div class=""><div class=""><br class=""></div><div class="">Oracle Corporation, Identity Cloud Services Architect</div><div class="">@independentid</div><div class=""><a href="http://www.independentid.com/" class="">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" class="" style="orphans: 2; widows: 2;">phil.hunt@oracle.com</a></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
<br class=""><div class=""><blockquote type="cite" class=""><div class="">On Sep 11, 2017, at 12:49 PM, Grassi, Paul A. (Fed) <<a href="mailto:paul.grassi@nist.gov" class="">paul.grassi@nist.gov</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">No it's not. We allow good old fashion acr. <br class=""><br class="">Sent from my iPhone</div><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class="">On Sep 11, 2017, at 3:33 PM, Phil Hunt (IDM) <<a href="mailto:phil.hunt@oracle.com" style="color: purple; text-decoration: underline;" class="">phil.hunt@oracle.com</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class=""><div class=""><div class="">But then igov is not implementable without regional profiling such as from NIST because VoT is mandatory. <br class=""><br class="">Phil</div><div class=""><br class="">On Sep 11, 2017, at 12:30 PM, Anthony Nadalin <<a href="mailto:tonynad@microsoft.com" style="color: purple; text-decoration: underline;" class="">tonynad@microsoft.com</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div class=""><div class="WordSection1" style="page: WordSection1;"><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class="">I totally agree with John, these need to be separated and iGov not cover VOT<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><a name="_MailEndCompose" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class=""><o:p class=""> </o:p></span></a></div><span class=""></span><div class=""><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><b class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif;" class="">From:</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span class="Apple-converted-space"> </span>John Bradley [<a href="mailto:ve7jtb@ve7jtb.com" style="color: purple; text-decoration: underline;" class="">mailto:ve7jtb@ve7jtb.com</a>]<span class="Apple-converted-space"> </span><br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>Monday, September 11, 2017 11:01 AM<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span>Phil Hunt <<a href="mailto:phil.hunt@oracle.com" style="color: purple; text-decoration: underline;" class="">phil.hunt@oracle.com</a>><br class=""><b class="">Cc:</b><span class="Apple-converted-space"> </span>Kathleen Moriarty <<a href="mailto:kathleen.moriarty.ietf@gmail.com" style="color: purple; text-decoration: underline;" class="">kathleen.moriarty.ietf@gmail.com</a>>; PRATEEK MISHRA <<a href="mailto:prateek.mishra@oracle.com" style="color: purple; text-decoration: underline;" class="">prateek.mishra@oracle.com</a>>; Anthony Nadalin <<a href="mailto:tonynad@microsoft.com" style="color: purple; text-decoration: underline;" class="">tonynad@microsoft.com</a>>; Justin Richer <<a href="mailto:ietf@justin.richer.org" style="color: purple; text-decoration: underline;" class="">ietf@justin.richer.org</a>>; Paul Grassi <<a href="mailto:paul.grassi@nist.gov" style="color: purple; text-decoration: underline;" class="">paul.grassi@nist.gov</a>>; leif Johansson <<a href="mailto:leifj@sunet.se" style="color: purple; text-decoration: underline;" class="">leifj@sunet.se</a>><br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: Vectors of Trust - where to discuss?<o:p class=""></o:p></span></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Adding PAul Grassi from NIST. Because I like to spread the joy.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">To be clear I atleast intended to say NIST is profiling VOT for SP800-63-3 not iGov. <o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">I believe that will be section D of SP800-63-3.<o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">The particular VOT values would be defined there. I don’t think they belong in the generic iGov doc. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">France might have a different profile of VoT not that I encourage that, but the iGov docs should not be US specific.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">The iGov spec is saying that if VOT is sent that should be used in preference to ACR if that is sent as well.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">I agree the wording should be clearer about using VOT profiles defined by organizations like NIST or whoever else wants to define them as we have for ACR in the IANA registry. We may need some sort of IANA registry for these like we have for ACR.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">The iGov working group has already started on a new draft based on feedback during the vote (people wait to after the public review to comment for some reason). Please get involved and contribute wording if you don’t like that section.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">We should probably try and keep the iGov, NIST VOT profile, and IETF track discussions a bit separate.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">John B.<o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">On Sep 11, 2017, at 1:44 PM, Phil Hunt <<a href="mailto:phil.hunt@oracle.com" style="color: purple; text-decoration: underline;" class="">phil.hunt@oracle.com</a>> wrote:<o:p class=""></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">John,<o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Regarding your comment that the IGov group has profiled the mapping of 800-63 IAL,AAL,FAL to VoT (which you suggested exists below). I only find the one paragraph as follows:<o:p class=""></o:p></div></div><div class=""><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><h1 id="rfc.section.3.4" style="margin-right: 0in; margin-left: 0in; font-size: 24pt; font-family: 'Times New Roman', serif; line-height: 21pt; break-after: avoid-page;" class=""><span style="font-size: 14pt; font-family: Verdana, sans-serif;" class=""><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__xml2rfc.tools.ietf.org_cgi-2Dbin_xml2rfc.cgi-3FSubmit-3DSubmit-26format-3Dascii-26mode-3Dhtml-26type-3Dascii-26url-3Dhttps-3A__bitbucket.org_openid_igov_raw_master_openid-2Digov-2Dprofile.xml-23rfc.section.3.4&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=I67W8OuE8UmEujfQMXuvjnuTNeHphioHLV2RQVoLRJo&s=eFp2OE8xktxoihGrhcWVJ7ErNqFsFDGFkYIhnzl1IGM&e=" style="color: purple; text-decoration: underline;" class=""><span style="color: rgb(51, 51, 51); text-decoration: none;" class="">3.4.</span></a> <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__xml2rfc.tools.ietf.org_cgi-2Dbin_xml2rfc.cgi-3FSubmit-3DSubmit-26format-3Dascii-26mode-3Dhtml-26type-3Dascii-26url-3Dhttps-3A__bitbucket.org_openid_igov_raw_master_openid-2Digov-2Dprofile.xml-23vot&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=I67W8OuE8UmEujfQMXuvjnuTNeHphioHLV2RQVoLRJo&s=AQD2AIkbYLlRnUd8e56hpzzkGTqTQ0Li3xUpijsvdWA&e=" id="vot" style="color: purple; text-decoration: underline;" class=""><span style="color: rgb(51, 51, 51); text-decoration: none;" class="">Vectors of Trust</span></a><o:p class=""></o:p></span></h1><div style="margin: 0in 24pt 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class="">Servers MUST check for the presence of the </span><samp style="font-family: 'Courier New';" class=""><span style="font-size: 10pt;" class="">vtr</span></samp><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class=""> parameter before </span><samp style="font-family: 'Courier New';" class=""><span style="font-size: 10pt;" class="">acr</span></samp><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class=""> in Requests. If both parameters are present the server will default to </span><samp style="font-family: 'Courier New';" class=""><span style="font-size: 10pt;" class="">vtr</span></samp><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class=""> as the request to respond to. </span><samp style="font-family: 'Courier New';" class=""><span style="font-size: 10pt;" class="">acr</span></samp><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class=""> MUST then be ignored. <o:p class=""></o:p></span></div><div style="margin: 0in 24pt 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class="">OpenID Providers MAY provide the </span><samp style="font-family: 'Courier New';" class=""><span style="font-size: 10pt;" class="">vot</span></samp><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class=""> and contain valid values from the <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__xml2rfc.tools.ietf.org_cgi-2Dbin_xml2rfc.cgi-3FSubmit-3DSubmit-26format-3Dascii-26mode-3Dhtml-26type-3Dascii-26url-3Dhttps-3A__bitbucket.org_openid_igov_raw_master_openid-2Digov-2Dprofile.xml-23I-2DD.richer-2Dvectors-2Dof-2Dtrust&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=I67W8OuE8UmEujfQMXuvjnuTNeHphioHLV2RQVoLRJo&s=LAUK3t8ZhiHqohhQsrlOOBKYmURp4rG9xVGfKEhjlmk&e=" style="color: purple; text-decoration: underline;" class=""><span style="text-decoration: none;" class="">Vectors of Trust</span></a> standard. <o:p class=""></o:p></span></div><div style="margin: 0in 24pt 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class="">The </span><samp style="font-family: 'Courier New';" class=""><span style="font-size: 10pt;" class="">vtr</span></samp><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class=""> and contain valid values from the <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__xml2rfc.tools.ietf.org_cgi-2Dbin_xml2rfc.cgi-3FSubmit-3DSubmit-26format-3Dascii-26mode-3Dhtml-26type-3Dascii-26url-3Dhttps-3A__bitbucket.org_openid_igov_raw_master_openid-2Digov-2Dprofile.xml-23I-2DD.richer-2Dvectors-2Dof-2Dtrust&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=I67W8OuE8UmEujfQMXuvjnuTNeHphioHLV2RQVoLRJo&s=LAUK3t8ZhiHqohhQsrlOOBKYmURp4rG9xVGfKEhjlmk&e=" style="color: purple; text-decoration: underline;" class=""><span style="text-decoration: none;" class="">Vectors of Trust</span></a> standard. <o:p class=""></o:p></span></div><div style="margin: 0in 24pt 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 10pt; font-family: Verdana, sans-serif;" class="">It is out of scope of this document to determine how an organization maps their digital identity practices to valid VOT component values.<o:p class=""></o:p></span></div></blockquote><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">This is not a research and development use of VoT. Further the spec itself doesn’t give useful information to implementers to make use of or implement VoT. As such I have sent my feedback to the iGov list.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">As written, neither spec is actually implementable unless customer orgs give specific one-off requirements. Which is hardly the point of a standard is it?<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Phil<o:p class=""></o:p></div></div><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Oracle Corporation, Identity Cloud Services Architect<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">@independentid<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com_&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=I67W8OuE8UmEujfQMXuvjnuTNeHphioHLV2RQVoLRJo&s=EZxGffxgFd1WyPV1_pqDnOqn1DbNccBDD2rcLe9MBHU&e=" style="color: purple; text-decoration: underline;" class="">www.independentid.com</a><o:p class=""></o:p></div></div></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><a href="mailto:phil.hunt@oracle.com" style="color: purple; text-decoration: underline;" class="">phil.hunt@oracle.com</a><o:p class=""></o:p></div></div></div></div></div></div></div></div></div></div></div></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">On Sep 10, 2017, at 2:44 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" style="color: purple; text-decoration: underline;" class="">ve7jtb@ve7jtb.com</a>> wrote:<o:p class=""></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">There is discussion on mapping SP800-63 to Vectors of trust happening in the iGov working group at the OIDF and at NIST for section D of SP-800-63-3. <o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">It is not anticipated that changes are required to the spec. The Vectors in the spec are examples. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">They are intended to apply to a assertion but someone could apply them to individual claims I suppose. The NIST claim schema work is also going to iGov. We haven't discussed the relationship between the two yet. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Leif and I have talked about the possibility of a IETF operations WG that VOT might fit into. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">For the moment the VOT draft is AD sponsors as experimental. For the moment comments should go to the authors and the document Sheppard. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">John B. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">On Sep 10, 2017 17:13, "Phil Hunt" <<a href="mailto:phil.hunt@oracle.com" style="color: purple; text-decoration: underline;" class="">phil.hunt@oracle.com</a>> wrote:<o:p class=""></o:p></div><blockquote style="border-style: none none none solid; border-left-width: 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Kathleen/Justin,<o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">I see on the tracker (<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dricher-2Dvectors-2Dof-2Dtrust_&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=I67W8OuE8UmEujfQMXuvjnuTNeHphioHLV2RQVoLRJo&s=HnX47aB7H65DDQ5ItuDtwI9fRf9R3qP8BtnNL3Tin04&e=" target="_blank" style="color: purple; text-decoration: underline;" class="">https://datatracker.ietf.org/doc/draft-richer-vectors-of-trust/</a>) this document is not part of any working group.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">The OpenID Foundation is moving to implementation status on a spec that uses this as as “standard”. Yet the tracker indicates the intent is “experimental” and it has not been reviewed. It remains an individual draft.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">I have concerns that the document has not been updated to reflect new approaches published in NIST 800-63-3 and which are also being discussed for alignment in the ISO 29115.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">General questions:<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Do vectors apply to an assertion or an individual claim? How in JWT should Identity Proofing Levels (IAL) be expressed? On a per-claim basis?<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">If the vector is contained within a federated assertion (rated FAL1-3) should the vector include the containers rating?<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">What about composite cases where there are multiple layers of federation and attribute sources.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">What is the appropriate way to comment and discuss here?<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Are there special considerations for zero knowledge proof/privacy systems such as SOVRIN distributed ledgers?<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Thanks,<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Phil<o:p class=""></o:p></div></div><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">Oracle Corporation, Identity Cloud Services Architect<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">@independentid<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com_&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=I67W8OuE8UmEujfQMXuvjnuTNeHphioHLV2RQVoLRJo&s=EZxGffxgFd1WyPV1_pqDnOqn1DbNccBDD2rcLe9MBHU&e=" target="_blank" style="color: purple; text-decoration: underline;" class="">www.independentid.com</a><o:p class=""></o:p></div></div></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><a href="mailto:phil.hunt@oracle.com" target="_blank" style="color: purple; text-decoration: underline;" class="">phil.hunt@oracle.com</a></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote></div></div></div></blockquote></div></div></div></div></blockquote></div></div></div></div></div></div></blockquote></div></blockquote></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></body></html>