Core - 2 - ID Token acr claim incorrectly specifies the level 0 of assurance
The specs[0.0] say that authentication using a long-lived browser cookie is one example where the use of "level 0" is appropriate. This is wrong because a long-lived browser cookie is actually level 1 based on ISO29115. It also specifies that level 0 doesn't meet the ISO level 1[0], but you can't go lower than Level 1. For example, at LoA1, a MAC address may satisfy a device authentication requirement. There is little confidence that another device will not be able to claim the same MAC address. Therefore a long-lived cookie is the same as or even stronger than a MAC address, which can be claimed more easily. I don't see any good reason to invent a new level (level 0) with the same specs as level 1. The specification also lacks a reference/URL to the actual ISO29115 specification, so I've included here a copy I've found[1].
[0.0] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
[0] The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1
[1] https://www.oasis-open.org/committees/download.php/44751/285-17Attach1.pdf
Comments (6)
Account Deleted
- changed milestone to Errata
- changed title to Core - 2 - ID Token acr claim incorrectly specifies the level 0 of assurance
- edited description
Changed spec reference from obsolete draft to current OpenID Connect Core spec.
- changed component to Core
- assigned issue to
The direct conflict comes from this sentence "Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate."
John will propose alternate wording stating that for historic reasons, 0 is used to indicate that there is no confidence that the same person is actually there.
- assigned issue to
- changed status to open
John is going to do it next week.
- changed status to resolved