[OpenID-Specs-eKYC-IDA] Data minimization in the previously granted clasims access

Vladimir Dzhuvinov vladimir at connect2id.com
Wed Mar 11 09:31:46 UTC 2020


On 11/03/2020 09:42, Torsten Lodderstedt via Openid-specs-ekyc-ida wrote:
> Hi Nat, 
>
> we haven’t discussed this feature yet.
>
> I think it makes sense to have that feature, especially if the RP obtained the authorization to access the user’s claims over a long time. I would assume an interesting use case would be to gather a larger set of data in the first request and update a sub set in subsequent transactions. 
>
> The use case you illustrated, on the other hand, I think, could raise interesting questions regarding data minimisation itself. Why should the RP ask for a broader data set than it needs for the use case at hand?

From what I understood Nat is interested in being able to differentiate
immutable (e.g. National ID Number) vs mutable (e.g. address) claims.
Then marking the first as "release once only". I'm not sure how this can
work with std OAuth access tokens though.

Vladimir

>
> We can discuss in the call today.
>
> best regards,
> Torsten.  
>
>> On 11. Mar 2020, at 06:06, Nat Sakimura via Openid-specs-ekyc-ida <openid-specs-ekyc-ida at lists.openid.net> wrote:
>>
>> Hi
>>
>> I was wondering if it has already come up but I have a use-case where only a subset of (verified) claims are needed from time to time.
>> For example, I may need to get the Nationa ID number, address, DoB etc. in the first request, but in the subsequent request, I may just need the address as that is the only dynamic claim.
>>
>> Presumably, I can use the previously obtained access token for this purpose as it is just down scoping, but I am not aware of a standardized way of sending "give me only this claim and nothing else" request to the Userinfo endpoint. From the data minimization point of view, this is pretty important.
>>
>> Has this been discussed in this WG before?
>>
>> Best,
>>
>> Nat Sakimura
>> -- 
>> Openid-specs-ekyc-ida mailing list
>> Openid-specs-ekyc-ida at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida
>
-- 
Vladimir Dzhuvinov

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ekyc-ida/attachments/20200311/a61e0522/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4007 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-specs-ekyc-ida/attachments/20200311/a61e0522/attachment-0001.p7s>


More information about the Openid-specs-ekyc-ida mailing list