[Openid-specs-igov] Review comments on openid-igov-openid-connect-1_0-03

Torsten Lodderstedt torsten at lodderstedt.net
Fri Nov 30 18:04:49 UTC 2018


Hi all, 

here are my comments:

Section 4.2 aims at defining a minimal data set for cross-jurisdiction authentication. I'm not convinced this objective is fulfilled by the current proposal.

"profile … It is HIGHLY RECOMMENDED that the attributes for given_name, family_name, address, birthdate be supported by iGov Providers"

In Germany, identifying a person requires given name, family name, birthdate and place of birth. So at least one element is missing, and address does not qualify for a minimal dataset.

I think the design of the "doc" scope and the corresponding claims needs more work.

1) All claims are supposed to be added as top-level elements of the UserInfo response/ID Token. I assume this will cause name clashes, esp. for very general field names like "type". I suggest considering the introduction of a namespace and/or putting the claims into a JSON object structure.

2) I suggest adding a list of potential values of the type field.

3) Based on my own experience, I would also suggest making the doc type a composite field containing a country identifier, serving as namespace, and the actual doc type. Otherwise, semantically non-identical documents with the same name will be mixed up. Potentially, issuer_location could serve the same purpose, but I'm not sure.

kind regards,
Torsten.  
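The clash described in points 1) and 3) above, shown as an added illustration that is not part of Torsten's mail or of the iGov draft: a flat top-level merge silently overwrites a colliding "type" claim, while a nested "doc" object with a country-qualified type does not. The claim names and values (number, "id_card", "DE", "Berlin") are constructed assumptions, not names defined by the profile.

```python
# Constructed sample claims for illustration; the iGov draft does not
# define these exact names or values.
DOC_CLAIMS_FLAT = {
    "type": "id_card",            # document type as a bare top-level claim
    "number": "CONSTRUCTED-0001",
    "issuer_location": "Berlin",
}
OTHER_CLAIMS_FLAT = {
    "type": "natural_person",     # some other claim set also using "type"
    "given_name": "Erika",
    "family_name": "Mustermann",
}


def merge_top_level(*claim_sets):
    """Flat merge of claim sets into one UserInfo/ID Token payload.

    Later sets overwrite earlier ones; every key that is overwritten with a
    different value is reported, because that is exactly the data loss a
    relying party would otherwise never notice.
    """
    merged, collisions = {}, []
    for claim_set in claim_sets:
        for key, value in claim_set.items():
            if key in merged and merged[key] != value:
                collisions.append(key)
            merged[key] = value
    return merged, collisions


def namespaced_doc_claims(country, doc_type, number, issuer_location):
    """Alternative layout: all document claims under one 'doc' object, and the
    document type qualified by the issuing country so that identically named
    document types from different jurisdictions stay distinguishable."""
    return {
        "doc": {
            "type": {"country": country, "name": doc_type},
            "number": number,
            "issuer_location": issuer_location,
        }
    }


def doc_type_key(claims):
    """Composite key (e.g. 'DE:id_card') a relying party can map to local semantics."""
    doc_type = claims["doc"]["type"]
    return f"{doc_type['country']}:{doc_type['name']}"
```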