[openid-specs-rande] contacts claim and metadata extension

Nick Roy nroy at internet2.edu
Fri Dec 14 17:29:17 UTC 2018


I strongly prefer the claim with the JSON object as value. I support working on this as a critical component of federation trust and operations.

Best,

Nick

> On Dec 14, 2018, at 10:17 AM, Davide Vaghetti <davide.vaghetti at garr.it> wrote:
> 
> Hi,
> 
> today I had a very interesting call with Roland Hedberg and Mischa Salle
> to discuss some open issues on the current OpenID Connect Federation
> specification.
> 
> One of the issues discussed was about the `contacts` claim. Being a
> simple list, it does not allow one to specify the contact type, so it can't
> be used, for example, to communicate at one time a technical contact and a
> security one. Now, in the R&E world we do have such a need; in fact,
> the Sirtfi framework [1] establishes, among other things, exactly
> that: you need to handle security incidents through a specialized
> security contact (possibly the email of your trustworthy CERT/CSIRT).
> 
> In terms of metadata Sirtfi has also another requirement: entities that
> participate in the framework SHOULD advertise it through the assurance
> entity attribute.
> 
> So, this is one of the use cases that can be used as fuel for the
> specification on the "Entity metadata extension for OpenID Connect".
> 
> My personal idea was to define a claim with a JSON object as a value.
> The specific structure of such an object should be defined by a separate
> specification. Not much different than what we are doing in today's R&E
> identity federations.
> 
> So, in the case of an OP that participates in Sirtfi we would have
> something like:
> 
> {
>   "issuer":
>     "https://server.example.com",
>   "authorization_endpoint":
>     "https://server.example.com/",
> 
> [..]
> 
>   "metadata_ext": {
>     "type": "not-sure",
>     "ref_uri": "https://refeds.org/sirtfi",
>     "contact": {
>       "email": ["cert at example.com"],
>       "tel": [
>         "BETTER-CALL-SAUL",
>         "BIG-TROUBLE-IN-LITTLE-CHINA"
>       ]
>     }
>   }
> }
> 
> The `metadata_ext` claim, the `ref_uri` and the `type` claims inside are
> the part in common with every metadata extension, while the value of
> `ref_uri` and the `contact` claim would be the Sirtfi-specific part. It
> could even be specified as a json-schema [2], so the validation could be
> automated.
> 
> Another way to model Sirtfi is, on the contrary, to create a set of flat
> claims to be added to an entity metadata, plus probably a generic claim
> that would point to the Sirtfi specification reference uri
> (`extension_ref_uri` for example).
> 
> Comments are welcome!
> 
> Cheers,
> Davide
> 
> [1] https://refeds.org/sirtfi
> [2] http://json-schema.org
> 
> -- 
> Davide Vaghetti
> Consortium GARR
> Tel: +390502213158
> Mobile: +393357779542
> Skype: daserzw
> 
> 
> -- 
> openid-specs-rande mailing list
> openid-specs-rande at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-rande


More information about the openid-specs-rande mailing list
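Added example, not part of this thread and not code from any OpenID Connect Federation specification: a small Python validator for the nested `metadata_ext` shape Davide sketched. It checks the part common to every extension (`type`, `ref_uri`) and the Sirtfi-specific `contact` object, so a federation operator or RP can pull a security contact out of OP metadata reliably and reject metadata where the contact is missing or malformed. The field names follow the thread's example; the `"type": "sirtfi"` value, the sample addresses and the validation rules are assumptions made for the illustration.

```python
"""Hypothetical validator for a nested `metadata_ext` claim that carries a
Sirtfi security contact, modelled on the structure sketched in the thread.
Field names follow that sketch; the value of `type`, the sample metadata
and the validation rules are assumptions, not anything a spec defines."""
import json
import re
from typing import Dict, List

SIRTFI_REF_URI = "https://refeds.org/sirtfi"  # reference URI named in the thread
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse syntax check only

# Constructed sample OP metadata, shaped like the thread's example
SAMPLE_OP_METADATA = json.loads("""
{
  "issuer": "https://server.example.com",
  "authorization_endpoint": "https://server.example.com/authorize",
  "metadata_ext": {
    "type": "sirtfi",
    "ref_uri": "https://refeds.org/sirtfi",
    "contact": {
      "email": ["cert@example.com"],
      "tel": ["+1-555-0100"]
    }
  }
}
""")


def validate_sirtfi_ext(metadata: Dict) -> List[str]:
    """Return a list of validation errors; an empty list means the
    extension is well-formed and points at Sirtfi."""
    errors: List[str] = []
    ext = metadata.get("metadata_ext")
    if not isinstance(ext, dict):
        return ["metadata_ext missing or not a JSON object"]

    # Part common to every extension: a type label and a reference URI
    for key in ("type", "ref_uri"):
        if not isinstance(ext.get(key), str) or not ext[key]:
            errors.append(f"{key} missing or not a non-empty string")
    if ext.get("ref_uri") != SIRTFI_REF_URI:
        errors.append(f"ref_uri is not {SIRTFI_REF_URI}")

    # Sirtfi-specific part: a contact object with at least one email
    contact = ext.get("contact")
    if not isinstance(contact, dict):
        errors.append("contact missing or not a JSON object")
        return errors
    emails = contact.get("email")
    if not isinstance(emails, list) or not emails:
        errors.append("contact.email must be a non-empty list")
    else:
        for addr in emails:
            if not isinstance(addr, str) or not EMAIL_RE.match(addr):
                errors.append(f"contact.email entry is not a valid address: {addr!r}")
    tels = contact.get("tel", [])  # telephone numbers are optional
    if not isinstance(tels, list) or not all(isinstance(t, str) for t in tels):
        errors.append("contact.tel must be a list of strings")
    return errors


def security_contacts(metadata: Dict) -> List[str]:
    """Return the security contact emails, or [] when the extension does
    not validate, so callers never act on a half-formed contact block."""
    if validate_sirtfi_ext(metadata):
        return []
    return list(metadata["metadata_ext"]["contact"]["email"])


if __name__ == "__main__":
    print("errors:", validate_sirtfi_ext(SAMPLE_OP_METADATA))
    print("security contacts:", security_contacts(SAMPLE_OP_METADATA))
```

The validator returns every problem it finds rather than stopping at the first, which is what you want when a federation operator is reporting back to an OP administrator why their metadata was rejected. The same checks could be expressed as a JSON Schema, as the message suggests; this version avoids a library dependency so it runs as-is.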