[Openid-specs-ab] Issue #1271: Terminology: Identity credential vs claimset (openid/connect)

Tobias Looker issues-reply at bitbucket.org
Fri Jul 23 02:59:27 UTC 2021


New issue 1271: Terminology: Identity credential vs claimset
https://bitbucket.org/openid/connect/issues/1271/terminology-identity-credential-vs

Tobias Looker:

Currently in the text being proposed in PR (https://bitbucket.org/openid/connect/pull-requests/39), there is a competing set of terminology to describe the new vehicle under which the End-User claims are supplied.

**Context**

OpenID already has at least two main vehicles by which End-User claims are made available to relying parties:

1. `id_token`
2. `/userinfo` endpoint

The claims aggregation draft (and the credential provider draft which is currently being merged into it) outlines more indirect or distributed applications for obtaining, holding and presenting End-User claims. Because of this difference in model, a push to define a new vehicle for communicating End-User claims has been made. Through the evolution of the current draft, this vehicle has gone through several proposed names, such as c_token, claimset, credential and identity credential.

This issue's purpose is to discuss the most appropriate name.

**Why a new name? Why not use an existing mechanism for End-User Claims**

Conceptually within this work, because of the distributed nature under which the End-User claims are communicated, there are new concepts that the claims vehicle must support, including:

1. Binding: when the End-User claims are presented via an intermediate provider (e.g. a wallet), there is a need for the relying party to be able to authenticate the role this party is playing. The means through which this authentication is performed has been referred to as binding.
2. Functional grouping of claims: many of the proposed use-cases for claims aggregation / credential provider involve communicating more than just simple claims (e.g. first_name, last_name), such as a larger group of claims that represents an identity document (e.g. passport or driver's license). Thus ways in which to refer to a group of claims in a request or response become desirable. As evidence, this concept is present in formats such as mDL or W3C Verifiable Credentials as the concept of document type or credential type.

In my opinion, due to the existing definition of “credential” in OpenID Connect Core, it is problematic to recycle this term in a new context. “claimset” would appear to fit well within current OpenID Connect terminology; however, I think it fails to create the right industry associations. Thus I think “Identity Credential” is the most suitable name to date.
