OpenID Attrib - Beyond AX-SREG
Title: OpenID Attribute, Beyond AX-SREG
Session: Wednesday, Session 5, Space I
Convener, Note Taker: Jay Unger
Tags: OpenID, Attributes, Signed Claims, Attribute Exchange
The meeting was attended by about 5 people.
- Jay Unger presented a small set of slides regarding his ideas about identity attributes. http://www.slideshare.net/JayUnger/iiw11-beyond-attribute-exchange
- He re-iterated a concept from his earlier session: a pseudonym, specific to the pairing of the user and the relying party requesting identity information, is the only "attribute" that should be presented to a relying party without a further request from that relying party and the consent of the subject (user).
- He also discussed the idea that the "identity triangle" is really a "rectangle or diamond" that includes all of: the subject, the identity provider (IdP), the Relying Party (RP) and possibly one or more Attribute Providers (AP). He mentioned that the NSTIC (National Strategy for Trusted Identities in Cyberspace) draft also alludes to this concept.
- He discussed the role of Attribute Providers as brokers of verified, certified or vetted assertions (claims) about the identity of the subject, including things like age or date of birth, citizenship, address or other contact information, employment, credit rating etc. There was a good deal of discussion about this role and its overlap with existing businesses or organizations such as governments, credit reporting agencies, insurance companies, motor vehicle bureaus etc.
- In Jay's presentation he discussed the need for attributes to have a richer data model than is presently supported by OpenID, including things like: conditions of use, validity period (valid from / expires), confidence level or strength of assurance of the assertion, dependency on other attributes or external information etc. He also discussed the requirement that such attribute assertions be digitally signed by the Attribute Provider to ensure provenance and integrity. He pointed out that SAML assertion markup can carry much (but not all) of this information.
- There was a discussion of whether such attributes should be stored (or cached) by IdPs. There was agreement that in many cases storage of the attributes by an IdP is valuable for economy in the request-response protocol between an IdP and a Relying Party, but we agreed there might be cases where a Relying Party would want to interact directly with the Attribute Provider, both to close any revocation window (so that an assertion the AP has since revoked is not accepted from a stale cached copy) and for trust chaining.
- We discussed briefly how these ideas might mesh with the work being done on the next revision of OpenID including both the OpenID Connect proposal and the Artifact Binding proposal or a convergence of both. It seems that as these proposals mature there is opportunity to get some of these concepts adopted.
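As an added illustration of three of the points above (the richer attribute data model, AP-signed assertions, and the revocation window an IdP cache leaves open), here is example code written for these notes. It was not presented in the session and is not part of any OpenID, AX/SREG or SAML specification. The field names, the use of Ed25519 for the AP signature, the "audience" binding of an assertion to one RP, and the revocation-list lookup are all this example's own assumptions. The constructed sample in main() uses a motor-vehicle bureau as the AP vouching for age, one of the AP roles discussed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AttributeAssertion is the richer data model discussed in the session.
// Beyond the name/value pair AX/SREG carry, it has a validity window, an
// assurance level, conditions of use and dependencies on other assertions.
// Field names are this example's own; they are not an OpenID or SAML schema.
type AttributeAssertion struct {
	ID         string    `json:"id"`         // used for revocation lookups
	Issuer     string    `json:"issuer"`     // the Attribute Provider (AP)
	Subject    string    `json:"subject"`    // RP-specific pseudonym, not a global identifier
	Audience   string    `json:"audience"`   // the RP this assertion was released to (assumption)
	Name       string    `json:"name"`       // e.g. "age_over_18"
	Value      string    `json:"value"`
	IssuedAt   time.Time `json:"issued_at"`
	Expires    time.Time `json:"expires"`
	Assurance  string    `json:"assurance"`  // confidence / strength of the assertion
	Conditions string    `json:"conditions"` // conditions of use
	DependsOn  []string  `json:"depends_on"` // IDs of assertions this one relies on
}

// SignedAssertion carries the exact bytes that were signed, so the verifier
// checks the signature before parsing and never has to re-canonicalize JSON.
type SignedAssertion struct {
	KeyID     string `json:"kid"`
	Payload   []byte `json:"payload"`   // JSON-encoded AttributeAssertion
	Signature []byte `json:"signature"` // Ed25519 signature over Payload
}

// Sign is the AP side: serialize the assertion and sign it with the AP's key.
func Sign(priv ed25519.PrivateKey, kid string, a AttributeAssertion) (SignedAssertion, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{KeyID: kid, Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the RP (or caching IdP) side. keys maps a key ID to an AP public
// key, audience is the verifying RP's own identifier, now is the evaluation
// time, and revoked is the AP's revocation list as this verifier currently
// knows it (a stale snapshot if it came via an IdP cache).
func Verify(sa SignedAssertion, keys map[string]ed25519.PublicKey, audience string,
	now time.Time, revoked map[string]bool) (AttributeAssertion, error) {
	var a AttributeAssertion
	pub, ok := keys[sa.KeyID]
	if !ok {
		return a, errors.New("unknown attribute provider key")
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return a, errors.New("signature invalid: provenance/integrity check failed")
	}
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return a, err
	}
	if a.Audience != audience {
		return a, errors.New("assertion was released to a different relying party")
	}
	if now.Before(a.IssuedAt) || !now.Before(a.Expires) {
		return a, errors.New("assertion outside its validity window")
	}
	if revoked[a.ID] {
		return a, errors.New("assertion revoked by attribute provider")
	}
	return a, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"dmv-2010": pub}
	issued := time.Now()
	// Constructed sample: a motor-vehicle bureau acting as AP vouches for age.
	sa, _ := Sign(priv, "dmv-2010", AttributeAssertion{
		ID: "assert-0001", Issuer: "dmv.example", Subject: "pseudonym-for-rp.example",
		Audience: "rp.example", Name: "age_over_18", Value: "true",
		IssuedAt: issued, Expires: issued.Add(30 * 24 * time.Hour),
		Assurance: "in-person vetted", Conditions: "age verification only; do not retain",
	})
	// An IdP cached the assertion, and an empty revocation snapshot, at issue time.
	cachedRevocations := map[string]bool{}
	// Later the AP revokes it; only a direct query to the AP sees that.
	apRevocations := map[string]bool{"assert-0001": true}

	_, err := Verify(sa, keys, "rp.example", issued.Add(time.Hour), cachedRevocations)
	fmt.Println("RP trusting the IdP cache:", err) // <nil>: the revocation window is open
	_, err = Verify(sa, keys, "rp.example", issued.Add(time.Hour), apRevocations)
	fmt.Println("RP querying the AP directly:", err) // revoked
}
```

The signature check runs before the payload is parsed, and the signed bytes travel with the assertion, so a caching IdP cannot alter an attribute or its conditions of use without the RP noticing; the expiry and audience fields bound how long, and to whom, a cached copy remains useful; and the two Verify calls in main() show why an RP may still want to reach the AP directly despite the cache.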