[Openid-specs-ab] [E] OpenID Connect for Identity Proofing(Proposal)
Anthony Nadalin
tonynad at microsoft.com
Fri Feb 15 17:43:04 UTC 2019
Torsten, not sure what you mean by "It does not tell the caller whether the user it interacts with is this person.", as it actually may not be nor does it have to.
-----Original Message-----
From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Torsten Lodderstedt via Openid-specs-ab
Sent: Friday, February 15, 2019 9:34 AM
To: Tom Jones <thomasclinganjones at gmail.com>
Cc: Torsten Lodderstedt <torsten at lodderstedt.net>; Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] [E] OpenID Connect for Identity Proofing(Proposal)
> On 14.02.2019 at 19:22, Tom Jones <thomasclinganjones at gmail.com> wrote:
>
> Their API is public, their processes are not. It is my understanding that they do the lookup in the state databases directly. I cannot tell you anything about that api.
I took a look at the "Driver's License Data Verification (DLDV) Service" (https://www.aamva.org/DLDV/ and http://www.movemag.org/identity-management/172-it-s-a-match.html)
The service tells the caller whether the data presented in the request is the same as what the issuer has on file. That’s basically a check whether the data presented are consistent, e.g. there is a person John Smith born on 1/1/1976 in New York City.
It does not tell the caller whether the user it interacts with is this person.
How is this link typically established?
> This is becoming more interesting because the DHS 'Real ID law', which
> mandates a certain level of proofing to be able to get on an airplane (or certain other venues.) My state already offers two levels of proofing (assurance if you will.) I can use my enhanced state driver's license as a stand-in for a passport and visa to Canada.
>
> Health is now the topic of most interest to me. What sort of user consent is required for each of about 6 different categories of data that could be transferred between providers?
> I think that you are going the wrong way with sending more data than is required for the proofing process. Current history is not on your side. Legally I have no information about what might be required.
> Peace ..tom
>
>
> On Thu, Feb 14, 2019 at 10:09 AM Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>
> > On 14.02.2019 at 17:47, Tom Jones <thomasclinganjones at gmail.com> wrote:
> >
> > AAMVA validates the data provided to it by the client (from the
> > user) against state issued identity documents
>
> I’m trying to understand the process. I assume the client sends a set of data to AAMVA via an API. Does AAMVA look that data up in databases containing the data of state issued identity documents?