[Openid-specs-ab] New openid-connect-4-identity-assurance-1_0 draft -06
Pawel Kowalik
pawel.kowalik at ionos.com
Fri Aug 2 07:21:56 UTC 2019
Hi Thorsten,
As it's my first post on this list, let me introduce myself. I am working with Marcos in the ID4me initiative, and within the technical group we are currently in the process of defining the framework for federated and verified identities for the ID4me ecosystem.
> Very interesting question. I had envisioned the external claim provider to provide the whole "verified_claims" Claim at
> once. As this is a top level claim, one can rely on the standard OIDC mechanisms.
This is what I would also expect it to be, to bind "claims" and "verification" under the same object and signature.
The problem we see is that "verified_claims" is a singular claim, so it cannot be delegated to two or more entities which may provide different subsets of the verified data requested by the RP.
> Now you are proposing to obtain the claims within the “verified_claims” Claim from external providers. Syntactically
> we can make that work on one way or the other.
> I would like to understand more about the context and use case. How does the IDP asserting the “verified_claims"
> Claim to the RP ensure that the externally provided data comply with the data provided in the verification element?
I think this is the issue with the solution proposed by Marcos: when delegating claims on the second level, it is not expected that the aggregated/distributed claim would contain the whole "verified_claims" object including "verification".
A solution to that would be defining "verified_claims" as an array and using JSON references:
{
  "iss":"https://server.example.com",
  "sub":"248289761001",
  "verified_claims":[
    {
      "claims":{
        ...
      },
      "verification":{
        ...
      }
    },
    {
      "$ref":"#/verified_claims_src1"
    },
    {
      "$ref":"#/verified_claims_src2"
    }
  ],
  "_claim_names":{
    "verified_claims_src1":"src1",
    "verified_claims_src2":"src2"
  },
  "_claim_sources":{
    "src1":{
      "JWT":"..."
    },
    "src2":{
      "JWT":"..."
    }
  }
}
Kind Regards,
Pawel
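The following is an added example, not code from the post, from ID4me, or from the OpenID Connect specifications. It shows how a Relying Party might resolve the proposed "verified_claims" array: inline entries are taken as signed by the IdP, while each "$ref" entry is looked up through "_claim_names" and "_claim_sources", the aggregated JWT is signature- and issuer-checked against an out-of-band list of trusted claim providers, and the provider's "verified_claims" object is only accepted if it carries both "claims" and "verification" and the same "sub" as the ID Token. The "#/<name>" resolution rule, the HS256 shared secrets, the issuer URLs and the trust framework names are all constructed assumptions; a real claim source would sign with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(payload: dict, secret: bytes) -> str:
    """Build a compact JWS with an HS256 signature (used here only to construct sample data)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes, expected_iss: str) -> dict:
    """Check alg, signature and issuer before trusting anything in the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg in aggregated claim")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature on aggregated claim")
    payload = json.loads(_b64url_decode(body_b64))
    if payload.get("iss") != expected_iss:
        raise ValueError(f"aggregated claim issued by {payload.get('iss')!r}, expected {expected_iss!r}")
    return payload


def resolve_verified_claims(id_token: dict, trusted_sources: dict) -> list:
    """Return the fully resolved verified_claims array, or raise ValueError on any untrusted entry.

    trusted_sources maps a source id to {"iss": ..., "secret": ...}: the RP's own
    configuration of which external claim providers it accepts (assumed, not from the spec).
    """
    names = id_token.get("_claim_names", {})
    srcs = id_token.get("_claim_sources", {})
    resolved = []
    for entry in id_token.get("verified_claims", []):
        if "$ref" not in entry:
            # Inline entry: covered by the IdP's signature on the ID Token itself.
            if "claims" not in entry or "verification" not in entry:
                raise ValueError("inline verified_claims entry lacks claims/verification")
            resolved.append(entry)
            continue
        ref = entry["$ref"]
        if not ref.startswith("#/"):
            raise ValueError(f"unsupported $ref {ref!r}")
        src_id = names.get(ref[2:])  # assumed rule: "#/<name>" indexes _claim_names
        if src_id is None or src_id not in srcs:
            raise ValueError(f"unresolvable $ref {ref!r}")
        if src_id not in trusted_sources:
            raise ValueError(f"claim source {src_id!r} is not a trusted provider")
        src = trusted_sources[src_id]
        payload = verify_hs256_jwt(srcs[src_id]["JWT"], src["secret"], src["iss"])
        # Bind the external data to the same subject the ID Token is about.
        if payload.get("sub") != id_token.get("sub"):
            raise ValueError(f"subject mismatch in claims from {src_id!r}")
        ext = payload.get("verified_claims")
        if not isinstance(ext, dict) or "claims" not in ext or "verification" not in ext:
            raise ValueError(f"source {src_id!r} did not return a complete verified_claims object")
        resolved.append(ext)
    return resolved


# Constructed sample data mirroring the structure in the post.
SRC1_SECRET = b"constructed-secret-src1"
SRC2_SECRET = b"constructed-secret-src2"
TRUSTED_SOURCES = {
    "src1": {"iss": "https://bank.example", "secret": SRC1_SECRET},
    "src2": {"iss": "https://registry.example", "secret": SRC2_SECRET},
}


def build_sample_id_token() -> dict:
    sub = "248289761001"
    src1_jwt = make_hs256_jwt({"iss": "https://bank.example", "sub": sub, "verified_claims": {
        "verification": {"trust_framework": "framework_a"},
        "claims": {"given_name": "Max", "family_name": "Meier"}}}, SRC1_SECRET)
    src2_jwt = make_hs256_jwt({"iss": "https://registry.example", "sub": sub, "verified_claims": {
        "verification": {"trust_framework": "framework_b"},
        "claims": {"birthdate": "1956-01-28"}}}, SRC2_SECRET)
    return {
        "iss": "https://server.example.com", "sub": sub,
        "verified_claims": [
            {"verification": {"trust_framework": "framework_idp"}, "claims": {"address": {"locality": "Maxstadt"}}},
            {"$ref": "#/verified_claims_src1"},
            {"$ref": "#/verified_claims_src2"},
        ],
        "_claim_names": {"verified_claims_src1": "src1", "verified_claims_src2": "src2"},
        "_claim_sources": {"src1": {"JWT": src1_jwt}, "src2": {"JWT": src2_jwt}},
    }


if __name__ == "__main__":
    for vc in resolve_verified_claims(build_sample_id_token(), TRUSTED_SOURCES):
        print(json.dumps(vc))
```

The resolver fails closed: a reference to a source the RP has not configured, a signature or issuer mismatch, a "sub" that differs from the ID Token's, or a provider that returns "claims" without "verification" all reject the whole token rather than silently dropping the entry, so the binding between claims and verification that the thread is concerned about is enforced per source.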