[Openid-specs-risc] alternatives for subject identifiers

Atul Tulshibagwale atultulshi at google.com
Wed Sep 9 16:45:43 UTC 2020


Hi all,
Summarizing my understanding of the issues and alternatives being discussed
in relation to subject identifiers.

*Current Situation*:
The subject identifiers proposed in the IETF SecEvents Subject Identifiers draft
<https://github.com/richanna/secevent/blob/master/draft-ietf-secevent-subject-identifiers.txt>
assume that "subject-type" is sufficient to identify a "subject principal".
Events in the OpenID RISC spec assume that there's only one subject in an
event. The subject principal is defined in the proposed SSE draft
<https://bitbucket.org/openid/risc/src/caep-draft-01/openid-sse-profile-2_0.txt>.

*Issues*

   1. Multiple subject identifiers may be required to describe a subject
   principal in some events (e.g. this user account on this device).
   2. Some events may refer to multiple subject principals (e.g. transferor
   and transferee of a device).
   3. Since subject-types are about the format rather than the principal,
   there may be ambiguity arising out of just using the subject-type (e.g. a
   phone number may describe a user or a device).

*Proposed Solutions*

   1. Allow multiple subjects in an event, the semantic of combining them
   always being "AND". Also include a "subject-category" identifier in
   addition to a subject-type in a subject identifier.
   2. Use a JSON "map" to describe a "subject" claim in an event where the
   key is the subject-category and the value is the subject identifier as
   proposed in the SecEvents Subject Identifiers draft.
   3. Use a more flexible structure, where each event may have different
   claims that describe a subject (e.g. "transferor"), and the value of such
   claims is a JSON map as described above.

Atul
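The subject-map (proposal 2) and per-principal-claim (proposal 3) shapes above, as an added Python example that is not from this post or from either draft: the subject-category names, the subject_type format names and their required members are assumptions for illustration, and the two events are constructed samples.

```python
import json

# Assumed vocabularies for this example (not taken from either draft).
SUBJECT_CATEGORIES = {"user", "device", "session"}
# subject_type -> members that format requires
REQUIRED_MEMBERS = {
    "email": {"email"},
    "phone_number": {"phone_number"},
    "iss_sub": {"iss", "sub"},
}

def validate_identifier(ident):
    """Check one subject identifier: a known subject_type plus its required members."""
    stype = ident.get("subject_type")
    if stype not in REQUIRED_MEMBERS:
        raise ValueError(f"unknown subject_type {stype!r}")
    missing = REQUIRED_MEMBERS[stype] - ident.keys()
    if missing:
        raise ValueError(f"{stype} identifier is missing {sorted(missing)}")
    return stype

def validate_subject_map(subject_map):
    """Proposal 2: map subject-category -> identifier; entries are ANDed.
    Returns {category: subject_type}. The key resolves issue 3: a phone_number
    under 'user' and one under 'device' are no longer ambiguous."""
    if not isinstance(subject_map, dict) or not subject_map:
        raise ValueError("subject must be a non-empty JSON object")
    resolved = {}
    for category, ident in subject_map.items():
        if category not in SUBJECT_CATEGORIES:
            raise ValueError(f"unknown subject-category {category!r}")
        resolved[category] = validate_identifier(ident)
    return resolved

def principals(event, claims):
    """Proposal 3: each named claim (e.g. 'transferor') carries its own subject
    map for one principal. Returns {claim: {category: subject_type}}."""
    found = {c: validate_subject_map(event[c]) for c in claims if c in event}
    if not found:
        raise ValueError("event names no subject principal")
    return found

# Constructed sample events (issue 1: user on a device; issue 2: device transfer).
USER_ON_DEVICE = json.loads('''{"subject": {
  "user": {"subject_type": "email", "email": "alice@example.com"},
  "device": {"subject_type": "phone_number", "phone_number": "+15555550100"}}}''')
DEVICE_TRANSFER = json.loads('''{
  "transferor": {"user": {"subject_type": "iss_sub", "iss": "https://idp.example", "sub": "u1"}},
  "transferee": {"user": {"subject_type": "email", "email": "bob@example.com"},
                 "device": {"subject_type": "phone_number", "phone_number": "+15555550101"}}}''')
```

Running `validate_subject_map(USER_ON_DEVICE["subject"])` yields `{"user": "email", "device": "phone_number"}`; a map keyed by an unknown category, or an iss_sub identifier without `sub`, is rejected.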