[OpenID-Specs-eKYC-IDA] Issue #1255: Missing clarity in Section 5.3 (openid/ekyc-ida)

Daniel Fett issues-reply at bitbucket.org
Mon Aug 30 14:39:21 UTC 2021


New issue 1255: Missing clarity in Section 5.3
https://bitbucket.org/openid/ekyc-ida/issues/1255/missing-clarity-in-section-53

Daniel Fett:

I think that Section 5.3 needs more clarity. It currently reads:

> 5.3. verified_claims Delivery
>
> OPs can deliver verified_claims in various ways.
>
> A verified_claims element can be added to an OpenID Connect UserInfo response or an ID Token.
>
> OAuth Authorization Servers can add verified_claims to access tokens in JWT format or Token Introspection responses, either in plain JSON or JWT-protected format.
>
> An OP or AS MAY also include verified_claims in the beforementioned assertions as aggregated or distributed Claims (see Section 5.6.2 of the OpenID Connect specification [OpenID]).
>
> In this case, every assertion provided by the external Claims source MUST contain
>
> - an iss Claim identifying the claims source,
> - a sub Claim identifying the End-User in the context of the claim source,
> - a verified_claims element containing one or more verified_claims objects.
>
> The verified_claims element in a response MUST have one of the following forms:
>
> - a JSON string referring to a certain claim source (as defined in [OpenID])
> - a JSON array of strings referring to the different claim sources
> - a JSON object composed of sub elements formatted with the syntax as defined for requesting verified_claims where the name of the object is the name of the respective claim source. Every object contains additional information about the verified_claims object provided by the respective claims source, i.e., the End-User Claims and verification data provided by the respective claims source. This allows the RP to look ahead before it actually requests distributed Claims in order to prevent extra time, cost, data collisions, etc. caused by these requests.

Questions:

1. Which case does “In this case” refer to? Only the last one?
2. Which case does “The verified_claims element in a response” refer to? EVERY response? If yes, then why doesn’t it list the cases where no aggregated or distributed claims are used?
3. I found the last point not clear enough. What is the name of the object? (I can guess from the example, but this really needs a more precise definition.)
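As an added example (not part of the issue or of the eKYC-IDA specification text), the following checker applies the two rules quoted above from Section 5.3 to decoded JSON: it classifies a response's verified_claims element into the three permitted forms, and it checks an external claims source's assertion for the required iss, sub and verified_claims. The names expected_iss and expected_sub, and the reading of the third form as an object keyed by claim source name, are this example's assumptions.

```python
from typing import Any, Dict, List

# Claims the quoted Section 5.3 text requires in every assertion from an
# external claims source.
REQUIRED_ASSERTION_CLAIMS = ("iss", "sub", "verified_claims")


def verified_claims_form(value: Any) -> str:
    """Classify a response's verified_claims element into the three forms the
    quoted text permits: "string" (one claim source), "array" (several claim
    sources) or "object" (look-ahead data keyed by claim source name, which is
    this example's reading of the third form). Anything else is rejected."""
    if isinstance(value, str) and value:
        return "string"
    if isinstance(value, list) and value and all(isinstance(v, str) for v in value):
        return "array"
    if isinstance(value, dict) and value and all(isinstance(v, dict) for v in value.values()):
        return "object"
    raise ValueError("verified_claims element has none of the permitted forms")


def check_external_assertion(payload: Dict[str, Any], expected_iss: str, expected_sub: str) -> List[str]:
    """Return the problems found in the decoded payload of an assertion from an
    external claims source. Signature checking is assumed to have happened
    already; this only applies the MUST rules and binds the assertion to the
    claim source and End-User the RP expects (expected_iss/expected_sub are
    this example's names). An empty list means no problem was found."""
    problems: List[str] = []
    for name in REQUIRED_ASSERTION_CLAIMS:
        if name not in payload:
            problems.append(f"missing required claim: {name}")
    # iss must name the claims source the RP obtained the assertion from,
    # otherwise claims from one source could be presented as another's.
    if "iss" in payload and payload["iss"] != expected_iss:
        problems.append("iss does not identify the expected claims source")
    # sub must be the End-User as known to that source, not some other user.
    if "sub" in payload and payload["sub"] != expected_sub:
        problems.append("sub does not identify the expected End-User")
    vc = payload.get("verified_claims")
    if vc is not None:
        # "one or more verified_claims objects": a single object or a
        # non-empty list of objects.
        items = vc if isinstance(vc, list) else [vc]
        if not items or not all(isinstance(item, dict) for item in items):
            problems.append("verified_claims must contain one or more objects")
    return problems
```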
