[Openid-specs-ab] [E] OpenID Connect for Identity Proofing(Proposal)
Torsten Lodderstedt
torsten at lodderstedt.net
Fri Feb 15 18:03:05 UTC 2019
_Anyone_ can enter a person’s data, it does not need to be the person herself. That’s not what I mean by identity proofing.
Let me first explain a use case, I will come back to identity proofing in the second step.
- Use Case: Opening a bank account
A person wants to electronically open a new bank account with a bank with which he has never had a business relationship before.
The person claims a name, address and other personal data. The bank accepts the application, opens the new account and issues credentials (username + password, potentially bound to the person's FIDO key) to the person.
The person can now use the bank account to transfer money to remote destinations ….
- Identity Proofing
Anti-money-laundering law obliges the bank to verify the person's identity before it does business with her. Let's assume the bank uses DLDV to check the data. All the bank learns is: yes, there is a John Smith born 1/1/1976 in New York City. The user in front of the computer actually opening the bank account could be someone else. All this person needs to know is John's personal data.
To really verify that the user is John, the bank would need to establish a really strong binding between the user in front of the computer and the identity. If John's driver's license were an eID, he could let it assert his identity towards the bank. He would need to prove legitimate ownership of the eID, e.g. by entering a PIN. One can also use an IDP in a similar role. As a prerequisite, the IDP must have (physically) checked John's driver's license in advance, associated the respective data with a user account AND issued strong credentials for that account to John.
> Am 15.02.2019 um 18:43 schrieb Anthony Nadalin <tonynad at microsoft.com>:
>
> Torsten, not sure what you mean by " It does not tell the caller whether the user it interacts with is this person.", as it actually may not be nor does it have to.
>
> -----Original Message-----
> From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Torsten Lodderstedt via Openid-specs-ab
> Sent: Friday, February 15, 2019 9:34 AM
> To: Tom Jones <thomasclinganjones at gmail.com>
> Cc: Torsten Lodderstedt <torsten at lodderstedt.net>; Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
> Subject: Re: [Openid-specs-ab] [E] OpenID Connect for Identity Proofing(Proposal)
>
>
>
>> Am 14.02.2019 um 19:22 schrieb Tom Jones <thomasclinganjones at gmail.com>:
>>
>> Their API is public, their processes are not. It is my understanding that they do the lookup in the state databases directly. I cannot tell you anything about that api.
>
> I took a look at the "Driver's License Data Verification (DLDV) Service" (https://www.aamva.org/DLDV/ and http://www.movemag.org/identity-management/172-it-s-a-match.html)
>
> The service tells the caller whether the data presented in the request is the same as what the issuer has on file. That’s basically a check whether the data presented are consistent, e.g. there is a person John Smith born on 1/1/1976 in New York City.
>
> It does not tell the caller whether the user it interacts with is this person.
>
> How is this link typically established?
>
>> This is becoming more interesting because of the DHS 'Real ID law', which
>> mandates a certain level of proofing to be able to get on an airplane (or certain other venues.) My state already offers two levels of proofing (assurance if you will.) I can use my enhanced state driver's license as a stand-in for a passport and visa to Canada.
>>
>> Health is now the topic of most interest to me. What sort of user consent is required for each of about 6 different categories of data that could be transferred between providers.
>> I think that you are going the wrong way with sending more data than is required for the proofing process. Current history is not on your side. Legally I have no information about what might be required.
>> Peace ..tom
>>
>>
>> On Thu, Feb 14, 2019 at 10:09 AM Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>
>>> Am 14.02.2019 um 17:47 schrieb Tom Jones <thomasclinganjones at gmail.com>:
>>>
>>> AAMVA validates the data provided to it by the client (from the
>>> user) against state issued identity documents
>>
>> I’m trying to understand the process. I assume the client sends a set of data to AAMVA via an API. Does AAMVA look that data up in databases containing the data of state-issued identity documents?
>