No idea on email policy (could be transferred to someone else)
Ties to a delivery method (which shouldn't be our goal here)
Also not using email facilitates the distinction with what OIDC/authentication mechanisms provide (more an internal argument for the specification text itself).
Might also want to push forward privacy enhancing mechanisms.
Yaron: "Subject identifiers requested by the RC serve only to identify the RO in the context of the AS and can't be used as communication channels by the RC" - this sounds a bit naive, people will do that anyway. So why is this a useful statement? (And similarly in 3.4)
Justin: This inclusion is based roughly off of a similar constraint in OIDC around subject identifiers: https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
I agree that people will do dumb things anyway, but that’s why we need to spell out why it’s dumb here.
Yaron: I haven't looked at the OpenID text, but at least here, we do not explain why using the email address to send email is a bad idea, we just say that it is. I think we should give a rationale.