[OpenID-Specs-eKYC-IDA] json validation and PPID

Kai Lehmann kai.lehmann at 1und1.de
Tue Feb 9 09:05:24 UTC 2021

Hi Alex,

For De-Mail, we at 1&1 also use the restricted id provided by the eID service for identification/authentication. It seems restricted ids are not only used in German eID cards, but also in eHealth cards outside of Germany. Putting it inside of the claims section would be my preference as well. That said, I suggest sticking to the snake_case naming convention used everywhere. So if there is no objection, I can create a PR to add restricted_id to the list of new claims.


On 08.02.21, 20:52, "Openid-specs-ekyc-ida on behalf of Axel.Nennker--- via Openid-specs-ekyc-ida" <openid-specs-ekyc-ida-bounces at lists.openid.net on behalf of openid-specs-ekyc-ida at lists.openid.net> wrote:

    Hi Torsten,

    thanks for the quick answer. I think I figured it out.
    My understanding of the validator was wrong. My bad. 
    So, the json validates OK.
    I looked for version differences first, as well. Then, I took an example from the working group and it appeared to be invalid as well. Which seems unlikely. So, I looked for an error in my validation code and found it.

    Regarding the restrictedId, PPID, pcr, I think I will put it in the list of claims. Seems simplest and that way I don't have to change the schema.

    Although I might fiddle with a variant of the schema. I think if the trust_framework is de_tkg111 then some values are not optional anymore.
    Maybe I succeed to put that into the schema.

    I would be happy to chat with you and the group regarding which values to use for txn etc. and describe DT's use case. Would be happy if other MNOs chime in, too. So, we can standardize more.

    Thanks again

    -----Original Message-----
    From: Torsten Lodderstedt <torsten at lodderstedt.net> 
    Sent: Monday, 8 February 2021 18:53
    To: Nennker, Axel <Axel.Nennker at telekom.de>
    Cc: OpenID eKYC Identity Assurance Working Group <openid-specs-ekyc-ida at lists.openid.net>
    Subject: Re: [OpenID-Specs-eKYC-IDA] json validation and PPID

    Hi Axel,

    I think this could be due to different interpretations of JSON schemas.

    I will get in contact with you directly.

    best regards,

    > On 08.02.2021 at 12:17, Axel.Nennker--- via Openid-specs-ekyc-ida <openid-specs-ekyc-ida at lists.openid.net> wrote:
    > Hi,
    > we, Deutsche Telekom, have a server that allows us to read German eIDs (id_card) and eATs (de_erp).
    > I want to forward the information read from the card to some sales backend using the ekyc_ida format.
    > Here is a json generated by a unit test – hence the dummy values.
    > {
    >   "verified_claims": {
    >     "verification": {
    >       "trust_framework": "de_tkg111",
    >       "time": "2021-02-07T10:53:18.557729Z",
    >       "verification_process": "verification_process_dummy",
    >       "evidence": [
    >         {
    >           "type": "id_document",
    >           "method": "onsite",
    >           "verifier": {
    >             "organization": "organization_dummy",
    >             "txn": "txn_dummy"
    >           },
    >           "time": "2021-02-07T10:53:18.558089Z",
    >           "document": {
    >             "type": "idcard",
    >             "restrictedId": "5a4a9f25a60a8f99064c4e0719a893198869fa06c10d22988c53575593db2a8f",
    >             "date_of_expiry": "2029-11-30"
    >           }
    >         }
    >       ]
    >     },
    >     "claims": {
    >       "given_name": "ERIKA",
    >       "family_name": "MUSTERMANN",
    >       "birthdate": "1964-08-12",
    >       "address": {
    >         "locality": "KÖLN",
    >         "postal_code": "51147",
    >         "street_address": "HEIDESTRASSE 17",
    >         "country": "DE"
    >       }
    >     }
    >   }
    > }
    > What I added to the ekyc_ida format is “restrictedId”, which is an identifier depending on the server’s authorization certificate and the card’s id.
    > RestrictedID is something like a pseudonymous customer reference from Mobile Connect or Pairwise Pseudonymous Identifier from OpenID Connect Core Spec.
    > So I was not sure where to put “restrictedId” – it could be under verifier AND document with equal justification.
    > Could you please help me on this? Is the json valid according to the ekyc_ida schema?
    > https://bitbucket.org/openid/ekyc-ida/src/master/schema/verified_claims.json
    > I checked using an online json schema validator which says it is valid. https://www.jsonschemavalidator.net/
    > But using a Java schema validator in my unit tests it comes out as invalid.
    >         <dependency>
    >             <groupId>com.networknt</groupId>
    >             <artifactId>json-schema-validator</artifactId>
    >             <version>1.0.48</version>
    >             <scope>test</scope>
    >         </dependency>
    > To summarize:
    > 	• Is the json valid?
    > 	• Where to put the restrictedId?
    > 	• Add restrictedId to schema?
    > -- 
    > Openid-specs-ekyc-ida mailing list
    > Openid-specs-ekyc-ida at lists.openid.net
    > https://www.google.com/url?q=http://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida&source=gmail-imap&ust=1613387847000000&usg=AOvVaw2NiPAlftR0mY30osU9AXOy

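Kai's proposal above (restricted_id as a regular claim, in snake_case) can be checked mechanically. The following Python is an added example, not code from this thread or from the eKYC-IDA project: it embeds the unit-test JSON from Axel's mail, reports every object key that breaks the snake_case convention (which flags the camelCase restrictedId under document), and moves that value into claims.restricted_id; the helper names are my own and the check is not the working group's schema.

```python
import json
import re

SNAKE_CASE = re.compile(r"^[a-z][a-z0-9_]*$")  # naming convention used throughout ekyc_ida

# The unit-test JSON from the thread (dummy values), embedded here as the sample input.
SAMPLE = json.loads("""{
 "verified_claims": {
  "verification": {
   "trust_framework": "de_tkg111",
   "time": "2021-02-07T10:53:18.557729Z",
   "verification_process": "verification_process_dummy",
   "evidence": [{
    "type": "id_document", "method": "onsite",
    "verifier": {"organization": "organization_dummy", "txn": "txn_dummy"},
    "time": "2021-02-07T10:53:18.558089Z",
    "document": {"type": "idcard", "date_of_expiry": "2029-11-30",
     "restrictedId": "5a4a9f25a60a8f99064c4e0719a893198869fa06c10d22988c53575593db2a8f"}
   }]
  },
  "claims": {
   "given_name": "ERIKA", "family_name": "MUSTERMANN", "birthdate": "1964-08-12",
   "address": {"locality": "KÖLN", "postal_code": "51147",
    "street_address": "HEIDESTRASSE 17", "country": "DE"}
  }
 }
}""")


def non_snake_case_keys(node, path="$"):
    """Return the JSON paths of all object keys that break the snake_case convention."""
    bad = []
    if isinstance(node, dict):
        for key, value in node.items():
            if not SNAKE_CASE.match(key):
                bad.append(f"{path}.{key}")
            bad += non_snake_case_keys(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            bad += non_snake_case_keys(value, f"{path}[{i}]")
    return bad


def relocate_restricted_id(doc):
    """Move each evidence document's restrictedId to claims.restricted_id (returns a copy)."""
    doc = json.loads(json.dumps(doc))  # deep copy so the caller's input stays untouched
    vc = doc["verified_claims"]
    for evidence in vc["verification"].get("evidence", []):
        rid = evidence.get("document", {}).pop("restrictedId", None)
        if rid is not None:
            vc.setdefault("claims", {})["restricted_id"] = rid
    return doc
```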