Re: [Txauth] Claims [was: - Dictionary]

Justin Richer <> Fri, 24 July 2020 12:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A45043A0A2C for <>; Fri, 24 Jul 2020 05:58:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QzxyEJe62Keb for <>; Fri, 24 Jul 2020 05:58:30 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 417A23A0A29 for <>; Fri, 24 Jul 2020 05:58:29 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id 06OCwOoN023121 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 24 Jul 2020 08:58:25 -0400
From: Justin Richer <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F9B2FD24-14E0-4A5A-A088-0D5C5A064D2E"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Fri, 24 Jul 2020 08:58:24 -0400
In-Reply-To: <>
Cc: Dick Hardt <>,, Tom Jones <>, Denis <>
To: Francis Pouatcha <>
References: <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [Txauth] Claims [was: - Dictionary]
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Jul 2020 12:58:32 -0000

I want to focus on one aspect here:

> A Claim is a well understood term in the field. We should use it. It is still a Claim if it comes directly from the GS or from an RS. 
> I do not understand why a Resource release by an RS shall be h to as a claim, even if the content of the Resource is an assertion. It will lead to confusion. If we limit claims to information GS releases into Token, User Info, and other objects it returns, this will help separate responsibilities between GS and RS. As soon as RS services and information, this is called a Resource, no matter the nature of the content of that information.

This is exactly why I don’t think we should use “claim” in the way that we’re using it. Yes, a “claim” could come back through an RS — but in the context of GNAP, that makes it a resource. So we need a different word for data coming back directly from the AS to the client. Sometimes it’s going to be about the user, and that’s what we’re going to focus on here, but since you can also get information about the user from a resource we can’t just call it a “claim”. I think this has been at the heart of a lot of confusion in recent threads, as well as confusion about the scope of the inclusion of identity in the GNAP protocol.

So let’s let “claim” mean what it already does, and let’s find a way to differentiate between when an item, claim or otherwise,  comes as part of a resource and when it comes back directly. This is an important differentiating feature for GNAP.

Some straw man ideas, none of which I’m particularly in love with:

 - direct data
 - properties
 - details
 - statements

The important thing here is that it’s not necessarily :about: the RO, and that it is :not: in a resource.

Any other thoughts?

 — Justin