[Openid-specs-risc] openid/sharedsignals: New Issue opened

github at oidf.org github at oidf.org
Fri Jan 24 18:09:26 UTC 2025


openid/sharedsignals event

Issue opened
Issue Title: Minor inconsistencies and misalignments in SSF Spec document
https://github.com/openid/sharedsignals/issues/228

I wanted to capture some conflicting examples in the SSF spec document; **if these have already been addressed for the upcoming V1-Final effort, you can disregard.**

1. In the example of "conforming events" defined in [The SSF Standard, Section 5](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID3.html#name-example-sets-that-conform-t), the `txn` fields defined in the examples are JSON numeric values:

   ```
   "iat": 1520364019,
   "txn": 8675309,
   "aud": "636C69656E745F6964",
   ```

   However, the `txn` claim, defined [here](https://datatracker.ietf.org/doc/html/draft-ietf-secevent-token-09#section-2.1) in the SET token standard, is defined as an Optional String:

   > "txn" (Transaction Identifier) Claim
   > An OPTIONAL string value that represents a unique transaction identifier. In cases in which multiple related JWTs are issued, the transaction identifier claim can be used to correlate these related JWTs. Note that this claim can be used in JWTs that are SETs and also in JWTs using non-SET profiles.

   So all of these examples should be updated to quote the `txn` value.

2. The [CAEP event defined in the events claims](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID3.html#figure-6) does not match the format as defined in the [CAEP Standard](https://openid.net/specs/openid-caep-specification-1_0.html#rfc.section.2): the `reason_admin` and `reason_user` are defined as a JSON OBJECT that is a set of BCP47 (RFC5646) language tags, with their localized display string. So to correct the above example, it should be:

   ```
   {
     ...,
     "reason_admin" : { "en" : "Policy Violation: C076E82F" },
     "reason_user" : { "en" : "Landspeed violation." }
   }
   ```

3. In section [[10.1.3]](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID3.html#name-ssf-event-properties) there is an example with a `sub_id` with `format = phone`. This is not a valid id according to this spec; it should be `phone_number` as defined in [Subject Identifiers](https://www.rfc-editor.org/rfc/rfc9493.html#name-phone-number-identifier-for).

4. In section [[10.1.3]](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID3.html#name-ssf-event-properties) there is another example, where the CAEP event uses the event URL `https://schemas.openid.net/secevent/caep/event-type/token-claims-changed`, with an "ed" on the end of change, but in the spec [here](https://openid.net/specs/openid-caep-specification-1_0.html#rfc.section.3.2) you can see it's defined as `https://schemas.openid.net/secevent/caep/event-type/token-claims-change`, without the "ed".
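
As an added example (not part of the original issue and not code from the SSF project), a small Python linter that checks a decoded SET payload for the four problems listed above, the kind of check a receiver or spec-example test could run. The function name `lint_set`, the sample payload, the phone number and the loose language-tag pattern are assumptions made for illustration.

```python
import re

# RFC 9493 subject identifier formats, plus the "complex" format that SSF adds.
SUBJECT_FORMATS = {"account", "aliases", "did", "email", "iss_sub",
                   "opaque", "phone_number", "uri", "complex"}
CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
# Misspelled event-type URIs and their corrections (only the one named in the issue).
MISSPELLED_EVENTS = {CAEP + "token-claims-changed": CAEP + "token-claims-change"}
# Loose BCP47 shape check (assumption); not a full RFC 5646 validator.
LANG_TAG = re.compile(r"^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$")


def lint_set(claims):
    """Return a list of findings for a decoded SET payload (a dict)."""
    findings = []
    # Item 1: txn is defined as a string, so a JSON number is a type error.
    if "txn" in claims and not isinstance(claims["txn"], str):
        findings.append("txn: must be a string, got " + type(claims["txn"]).__name__)
    # Item 3: the subject identifier format must be a registered name.
    sub = claims.get("sub_id")
    fmt = sub.get("format") if isinstance(sub, dict) else None
    if fmt is not None and fmt not in SUBJECT_FORMATS:
        findings.append(f"sub_id.format: unknown format {fmt!r}")
    for uri, payload in claims.get("events", {}).items():
        # Item 4: a misspelled event URI would not match a receiver's handler.
        if uri in MISSPELLED_EVENTS:
            findings.append(f"events: {uri!r} should be {MISSPELLED_EVENTS[uri]!r}")
        if not isinstance(payload, dict):
            continue
        # Item 2: reason_* are objects mapping language tags to display strings.
        for field in ("reason_admin", "reason_user"):
            value = payload.get(field)
            if value is None:
                continue
            if not isinstance(value, dict):
                findings.append(f"{field}: must be an object keyed by language tag")
                continue
            for tag, text in value.items():
                if not LANG_TAG.match(tag) or not isinstance(text, str):
                    findings.append(f"{field}: bad entry {tag!r}")
    return findings


# Constructed sample that combines the four problems from the issue.
BAD = {
    "iat": 1520364019, "txn": 8675309, "aud": "636C69656E745F6964",
    "sub_id": {"format": "phone", "phone_number": "+12065550100"},
    "events": {CAEP + "token-claims-changed": {
        "reason_admin": "Policy Violation: C076E82F",
        "reason_user": {"en": "Landspeed violation."}}},
}
```

Calling `lint_set(BAD)` returns one finding per item in the list above; a payload with the corrections applied returns an empty list.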

