Create a documentation for Self-Issued Identifiers
Changes to the nature of users' mobile devices and challenges with the section in the current core doc create a need to revisit some of the assumptions in that section. New implementations are springing up from Distributed Ledger Technology and other areas that make divergence a potentially large issue. The goal is to bring together workers on the various implementations to forge a common spec that all can follow.
Comments (16)
reporter If you mean compatible with the exact detailed formulation of the sub in section 7, then I disagree. If that becomes a criterion for going forward then I will withdraw the proposal.
-
If you have a profile that needs additional information, then the logical way to do that is to add it as an additional claim. For instance, the Decentralized Identity Foundation SIOP profile uses a “did” claim to convey the DID being authenticated. Whereas, the subject of any particular OpenID Connect Authorization Response remains the JWK Thumbprint of the key used.
-
reporter I guess I disagree that your proposal is a logical solution, as the sub is bound up with most of what the rest of the transactions are about. I request that this issue of strict adherence to the largely unused current spec be on the agenda for the next meeting.
-
Tom, can you give specifics on what is exactly wrong with the current assumptions? Why would a separate specification be needed?
-
reporter Having the sub bound to the key makes key-rollover undefined. My implementation used a simple sub (which could be a did) and added a jwks.
-
Not sure creating a separate spec is the right thing to do. I understand your issue, but as Mike points out there are other ways to handle this; I do believe it's fundamental not to have SIOP break core. I would suggest we look at alternative ways to solve your issue.
-
reporter And I believe it is fundamental to have a good user experience. If you can find one that does not break core I will listen, but only if the UX is attractive.
-
What about creating a document anyways so that we can just talk about it? We can integrate it to other drafts anytime.
-
- changed title to Create a documentation for Self-Issued Identifiers
-
Attached is contributed to the mailing list as http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20200914/007901.html
-
reporter If it is true that the OIDC section 7 requires a sub that does not allow for key roll-over, then I object to the change in the title.
-
https://bitbucket.org/openid/connect/src/master/SIOP/draft-jones-self_issued_identifier.md does this. I believe this issue should be resolved on this basis.
-
- changed status to open
Tom, are you ok to close it?
-
reporter - changed status to resolved
I am disappointed in the approach to solving the problem. I would prefer a standard that was independent of section 7 of the OIDC spec, but that does not seem to be the way the committee wants to proceed. I suspect that I will need to introduce a full solution at some time in the future.
-
reporter - changed status to closed
I’ll note that the uses of the self-issued OP functionality that I’m aware of, including those used for DID authentication, are compatible with the spec, including using the JWK Thumbprint of the key as the “sub” value. That doesn’t mean that we couldn’t have a separate spec for the convenience of developers, but that spec can and should remain compatible with OpenID Connect Core 1.0.