Use of identifiers as communication channels #42

Closed
jricher opened this issue Nov 13, 2020 · 4 comments · Fixed by #228
@jricher
Collaborator

jricher commented Nov 13, 2020

§2.2 Requesting User Information: Editor's Note:

Subject identifiers requested by the RC serve only to identify the RO in the context of the AS and can't be used as communication channels by the RC, as discussed in Section 3.4. One method of requesting communication channels and other identity claims is discussed in Section 2.8. The AS SHOULD NOT re-use subject identifiers for multiple different ROs.

What we're really saying here is that "even if the AS gives you an email address to identify the user, that isn't a claim that this is a valid email address for that current user, so don't try to email them." In order to get a workable email address, or anything that you can use to contact them, you'd need a full identity protocol and not just this. Also, subject identifiers are asserted by the AS and therefore naturally scoped to the AS. Would changing the name to "as_sub_ids" or "local_sub_ids" help convey that point?

@aaronpk
Collaborator

aaronpk commented Nov 17, 2020

Perhaps the example in this section should not include asking for the email here if we want to encourage asking for the email claim from OpenID instead.

@jricher
Collaborator Author

jricher commented Nov 17, 2020

@aaronpk that's actually the core point of this issue: there's a semantic difference between asking for "tell me who the current user is, and I know them by an email address identifier" vs. "tell me the email address of the current user so that I can email them". The subject identifiers are the former, OpenID and other identity protocols would give you the latter.

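The distinction jricher draws above (an AS-scoped subject identifier versus a contactable address from an identity protocol), shown as an added client-side example; this is not code from the GNAP draft or from this issue, and the field names `subject`, `sub_ids`, `format`, `email`, `id`, `assertions`, `id_token` and the pre-decoded `claims` dict are assumptions modelled loosely on the draft.

```python
# Added example: an RC-side policy that never treats a subject identifier as
# a communication channel. Field names are assumptions, not the draft's text.
from typing import List, Optional, Tuple

def scoped_subject_key(as_uri: str, sub_id: dict) -> Tuple[str, str, str]:
    """Turn an AS-asserted subject identifier into a key that is only
    meaningful in the context of that AS. Two ASes handing out the same
    email-formatted identifier may well mean two different ROs, so the AS
    is part of the key and the value stays an opaque string."""
    fmt = sub_id["format"]
    value = sub_id.get("email") if fmt == "email" else sub_id.get("id")
    if value is None:
        raise ValueError(f"no value for subject identifier format {fmt!r}")
    return (as_uri, fmt, value)

def contact_email_from_id_token(claims: dict) -> Optional[str]:
    """A contact address comes only from an identity assertion (here the
    already-verified claims of an OpenID Connect ID Token, a constructed
    simplification) and only when the issuer marks it verified."""
    if claims.get("email") and claims.get("email_verified") is True:
        return claims["email"]
    return None

def resolve_subject(as_uri: str, subject: dict) -> Tuple[List[tuple], Optional[str]]:
    """Process the `subject` part of a grant response: every sub_id becomes
    an AS-scoped key for the RC's own records; the only way to obtain an
    address to email is through an identity assertion, never a sub_id."""
    keys = [scoped_subject_key(as_uri, s) for s in subject.get("sub_ids", [])]
    contact = None
    for assertion in subject.get("assertions", []):
        if assertion.get("format") == "id_token":
            contact = contact_email_from_id_token(assertion.get("claims", {}))
    return keys, contact

# Constructed sample response: an email-formatted sub_id but no verified claim.
SAMPLE_NO_CLAIM = {
    "sub_ids": [{"format": "email", "email": "ro@example.com"},
                {"format": "opaque", "id": "J2oMv"}],
}
# Constructed sample response: the same sub_ids plus a verified ID Token claim.
SAMPLE_WITH_CLAIM = {
    "sub_ids": SAMPLE_NO_CLAIM["sub_ids"],
    "assertions": [{"format": "id_token",
                    "claims": {"email": "ro@example.com", "email_verified": True}}],
}
```

With `SAMPLE_NO_CLAIM` the RC gets identifiers it can key records on but no address it may email, which is exactly the behaviour the note in §2.2 asks for.
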
@yaronf
Contributor

yaronf commented Nov 17, 2020

See also #16.

@fimbault
Collaborator

fimbault commented Feb 16, 2021

It would be better to use examples that are not related to emails, to avoid confusion. I believe an "as_uid" (unique identifier local to the AS) could be best as an example that conveys the message.

@fimbault fimbault self-assigned this Mar 29, 2021
@fimbault fimbault linked a pull request Apr 7, 2021 that will close this issue