[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [imi] Clarifications to the spec to discuss for our call onThursday
On point 1 (ClientPseudonym): One thing I could have been
clearer on in my initial note is that this clarification is to have our spec match
existing practice. For instance, the OSIS tests http://osis.idcommons.net/wiki/I4:FeatureTest-Selector_Support_for_Auditing_Cards,
http://osis.idcommons.net/wiki/I4:FeatureTest-Selector_Support_for_Auditing-Optional_Cards,
and http://osis.idcommons.net/wiki/I4:FeatureTest-Selector_Support_for_Non-Auditing_Cards
verify that selectors always make a ClientPseudonym/PPID value available to the
IdP when the RP asks for a PPID. All the selectors tested passed this test, so
they’re clearly already doing this. We should update our doc to fix this bug that
was present in the ISIP 1.5 input doc (my bad!). I believe that my initial proposed
wording is still appropriate in this case. On point 2 (IssuerId): Mike, if you believe that this is
valuable even when the card isn’t managed-backed-by-self-issued, I’m fine leaving
things as-is, where it’s expected to be present for all managed cards. This
matches existing practice as well. The one clarification I’d still like to
make is in the sentence about “this can be empty”, which I find misleading as-is,
since for managed cards, it should not be the empty string. (And yes, it shouldn’t
be NULL either, which we should also clarify.) In that case, the only wording
change I suggest that we make is changing “The element content may be
empty” to “The element content SHOULD be the empty string when the card
is self-issued”. On point 3 (Self-issued cards supporting the PPID claim even
when not listed): I agree that I would prefer that we have self-issued cards
explicitly list the PPID claim going forward. I mainly brought this up as a
compatibility note since I was personally surprised when reading some decrypted
.crds files to discover that this claim wasn’t listed. I thought others would
find this surprising as well and so thought I’d bring it to the working group’s
attention as a compatibility note. How about this wording? Compatibility Note: When
saving a self-issued Information Card in the Information Cards Transfer Format
defined in Section 6, some existing Identity Selectors omit listing the PPID
claim as an ic:SupportedClaimType from the ic:SupportedClaimTypeList for a
self-issued card, even though the PPID claim is supported by the card. This
behavior is deprecated, as all supported claims should be listed. Nonetheless,
Identity Selectors may choose to recognize this case and support the PPID claim
for self-issued cards not explicitly listing this claim. To Tony’s point about selectable PPID algorithms, I agree that
there is value in that possibility, but there is no existing practice for us to
standardize. The working group could choose to investigate that as subsequent
work, but I believe that that’s out of scope for the current effort. And finally, I want to ringingly endorse Mike’s point “Any RP that blindly accepts a PPID and not a signed
PPID+Issuer Key as the User's identifier is looking for trouble.” Talk
to you tomorrow, --
Mike From: Michael McIntosh
[mailto:mikemci@us.ibm.com] John Bradley <jbradley@mac.com>
wrote on 01/07/2009 11:00:04 AM: |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]