17 messages in org.oasis-open.lists.imi: RE: [imi] Clarifications to the spec ...

From               Sent On                 Attachments
Mike Jones         Jan 6, 2009 9:45 pm
Anthony Nadalin    Jan 7, 2009 7:14 am     .gif, .gif
John Bradley       Jan 7, 2009 7:59 am
Michael McIntosh   Jan 7, 2009 8:17 am
Mike Jones         Jan 7, 2009 9:57 am
Anthony Nadalin    Jan 7, 2009 10:24 am    .gif, .gif
John Bradley       Jan 7, 2009 11:20 am
Michael McIntosh   Jan 7, 2009 12:17 pm
John Bradley       Jan 7, 2009 1:01 pm
Mike Jones         Jan 7, 2009 6:51 pm
John Bradley       Jan 8, 2009 6:23 am
Anthony Nadalin    Jan 8, 2009 7:07 am     .gif, .gif
Michael McIntosh   Jan 8, 2009 7:42 am
John Bradley       Jan 8, 2009 7:57 am
Mike Jones         Jan 8, 2009 7:58 am
Mike Jones         Jan 8, 2009 8:01 am     .gif, .png, .png
John Bradley       Jan 8, 2009 8:02 am
Subject:RE: [imi] Clarifications to the spec to discuss for our call on Thursday
From:Michael McIntosh (mike@us.ibm.com)
Date:Jan 8, 2009 7:42:36 am
List:org.oasis-open.lists.imi

Mike Jones <Mich@microsoft.com> wrote on 01/07/2009 09:52:23 PM:

> John Bradley, im@lists.oasis-open.org
>
> 01/07/2009 09:52 PM
>
> OK, based on a private discussion on this topic with John, I'm going to suggest that we change the language "The IP/STS MAY use this value as-is or as an input seed to a custom function to derive a value for the PPID claim" to "The IP/STS SHOULD combine this PPID seed value with constant information known to the IP/STS and pass the combination through a cryptographically non-invertible function, such as a cryptographic hash function, to generate the PPID claim value sent in the signed token".

Two things...

1. I've always had trouble with using the term "audit mode" for cards where the IdP wants knowledge of the RP identity. I can think of many reasons why an IdP might want to know the RP identity that are not limited to audit/record-keeping.

2. I think part of the problem with this discussion is that we keep using the term PPID when we mean ClientPseudonym. The ClientPseudonym is typically used by an IdP in the computation of a PPID - and as John points out, a poorly implemented IdP might use the identity function for that computation, but calling them the same thing increases that probability.
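The quoted proposal (combine the PPID seed with constant information known to the IP/STS and pass it through a non-invertible function) and point 2 above (an IdP that uses the identity function, so the PPID it issues is the raw ClientPseudonym seed) can be put side by side in code. The following is an added illustration written for this archive page; it is not code from the IMI specification or from any of the posters. The seed value, the IdP-private constant and the choice of HMAC-SHA256 as the "cryptographically non-invertible function" are all assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed value: a ClientPseudonym seed as an identity selector might send it
# to the IP/STS. A real seed would be a base64 value derived from the relying
# party identity and the card; this string is purely illustrative.
SAMPLE_SEED = "c2FtcGxlLWNsaWVudC1wc2V1ZG9ueW0tc2VlZA=="

# Hypothetical "constant information known to the IP/STS". Treat it as a
# long-lived secret: if it leaks, anyone holding a seed can recompute PPIDs.
IDP_CONSTANT = b"hypothetical-idp-private-constant"


def ppid_identity(client_pseudonym: str) -> str:
    """The weak derivation point 2 warns about: the identity function.

    The PPID placed in the signed token is exactly the ClientPseudonym seed,
    so the relying party sees the raw seed rather than a pseudonym derived
    from it.
    """
    return client_pseudonym


def ppid_unkeyed_hash(client_pseudonym: str) -> str:
    """Non-invertible, but without any IdP-known constant.

    Anyone who knows the seed can recompute this value, so it offers no
    IdP-specific separation; included only to show why the constant matters.
    """
    digest = hashlib.sha256(client_pseudonym.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def ppid_derived(client_pseudonym: str, idp_constant: bytes = IDP_CONSTANT) -> str:
    """The derivation the proposed text describes.

    Seed and IdP-known constant are combined and passed through a
    cryptographically non-invertible function. HMAC-SHA256 is used here as
    that function (an assumption of this example, not a spec requirement):
    the output is deterministic for a given seed and constant, cannot be
    inverted to recover the seed, and differs between IdPs that hold
    different constants.
    """
    mac = hmac.new(idp_constant, client_pseudonym.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def exposes_seed(derive, client_pseudonym: str) -> bool:
    """True when a derivation function hands the raw seed to the relying party."""
    return derive(client_pseudonym) == client_pseudonym


def recomputable_without_constant(derive, client_pseudonym: str) -> bool:
    """True when a party that knows only the seed can reproduce the PPID.

    Models an observer that holds the seed but not the IdP constant and tries
    the obvious unkeyed hash of the seed.
    """
    return derive(client_pseudonym) == ppid_unkeyed_hash(client_pseudonym)


if __name__ == "__main__":
    for name, fn in (("identity", ppid_identity),
                     ("unkeyed hash", ppid_unkeyed_hash),
                     ("keyed derivation", ppid_derived)):
        print(f"{name:17s} PPID={fn(SAMPLE_SEED)}")
        print(f"{'':17s} exposes seed: {exposes_seed(fn, SAMPLE_SEED)}, "
              f"recomputable from seed alone: {recomputable_without_constant(fn, SAMPLE_SEED)}")
```

Running the script prints the three candidate PPID values for the same seed; only the keyed derivation neither reveals the seed nor can be reproduced by a party that lacks the IdP's constant, which is the property the proposed SHOULD language is after.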