Hi all,
In case you’re at I2 TechEx this week, I’m happy to continue the discussion in person. I’m up for an ACAMP session about it on Wednesday.
I’m not convinced there’s work for us to do related to RPDNC (Relying Party Defined Namespace Constraints). I think the OIDC spec already gives us unique namespaces, based on ownership of the issuer URL. It’s one of many examples of OIDC learning from the mistakes of the past. http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability says:
“The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in Section 2. Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim.”
Lastly, to help make this a livelier list, I’ll disagree with DavidG and state that I think IGTF *should* set up an alternative OIDC Fed next to eduGAIN. With all due respect to the OIDC Fed discussions happening in eduGAIN/REFEDS, I prefer not to apply all the heavy-weight eduGAIN/REFEDS methodology to OIDC. I think IGTF has a lighter-weight methodology that results in a higher level of trust because it’s focused on supporting e-research.
I’d like this task force to work towards a simple trust anchor distribution that includes https://cilogon.org/.well-known/openid-configuration as an OP that operates under IGTF policies/standards. I’m wondering if I need to produce a CP/CPS-equivalent document for the CILogon OP, borrowing liberally from the current CILogon CP/CPS documents, that demonstrates compliance with Snctfi.
Regards, Jim
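The (iss, sub) point quoted above, as an added example that is not part of Jim's message or of any CILogon code: a relying party that keys local accounts on sub alone lets two OPs collide on one account, while keying on (iss, sub) after checking iss against the federation's trust anchors does not. The CILogon issuer value is assumed by stripping /.well-known/openid-configuration from the discovery URL in the message; the second issuer and the two claim sets are constructed.

```python
# Added example (not from the original message): deriving a stable RP-side
# user identifier from ID-token claims. Only the (iss, sub) pair is guaranteed
# unique; sub is only unique within its issuer.

# Constructed trust-anchor list of accepted issuers. The CILogon issuer is
# assumed from the discovery URL in the message; the second is a hypothetical
# placeholder for another federation OP.
TRUSTED_ISSUERS = frozenset({
    "https://cilogon.org",
    "https://op.example.org",  # hypothetical
})


def stable_key(claims: dict) -> tuple:
    """Return (iss, sub) after the checks an RP must make before trusting it."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if not isinstance(iss, str) or not isinstance(sub, str) or not iss or not sub:
        raise ValueError("ID token lacks a usable iss or sub claim")
    if iss not in TRUSTED_ISSUERS:
        # Refuse tokens from OPs outside the federation's trust anchors.
        raise ValueError(f"issuer not in trust-anchor list: {iss}")
    return (iss, sub)


def sub_only_key(claims: dict) -> str:
    # The mistake the spec text warns against: sub alone is not globally unique.
    return claims["sub"]


class AccountStore:
    """Maps identity keys to local account ids, allocating on first sight."""

    def __init__(self, key_func):
        self._key_func = key_func
        self._accounts = {}

    def resolve(self, claims: dict) -> int:
        key = self._key_func(claims)
        return self._accounts.setdefault(key, len(self._accounts) + 1)


# Constructed claim sets: two different OPs happen to issue the same sub value.
TOKEN_A = {"iss": "https://cilogon.org", "sub": "user-12345"}
TOKEN_B = {"iss": "https://op.example.org", "sub": "user-12345"}


def collision_demo() -> tuple:
    """Return (account ids under sub-only keying, account ids under (iss, sub) keying)."""
    naive, safe = AccountStore(sub_only_key), AccountStore(stable_key)
    naive_ids = (naive.resolve(TOKEN_A), naive.resolve(TOKEN_B))
    safe_ids = (safe.resolve(TOKEN_A), safe.resolve(TOKEN_B))
    return naive_ids, safe_ids  # ((1, 1), (1, 2))
```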