[Openid-specs-ab] Issue #1380: Using the subject identifier to re-identify the subject (openid/connect)

David Chadwick issues-reply at bitbucket.org
Thu Dec 16 17:40:03 UTC 2021


New issue 1380: Using the subject identifier to re-identify the subject
https://bitbucket.org/openid/connect/issues/1380/using-the-subject-identifier-to-re

David Chadwick:

The current SIOP model requires the sub identifier to always be the same if the same user returns to the same RP to access the same account. This is no longer necessary with verifiable credentials. 

In the same way that the issuer attests to the subject identifier, VC issuers attest to the subject’s identity attributes. Thus it is perfectly possible for an RP to uniquely identify a subject each time from their verifiable subject attributes. After all, a subject identifier is simply a subject attribute that is guaranteed to uniquely identify the subject within some context. But a combination of subject attributes can equally well do this in a given context. (And if one subject attribute can do this on its own, e.g. a government issued NI number in a verifiable credential, then it is by definition a subject identifier.)

The proposal is that we no longer need to rely on the sub identifier to uniquely identify the user. Instead the RP can rely on a set of verifiable subject attributes that it determines for itself (and that it relays to the user in the request for VCs), i.e. the RP will specify the set of attributes and their trusted issuers.

Instead of the user having to keep a persistent key pair for communicating with the RP, and asserting this public key as the sub identifier each time, the user can use a transient public key freshly minted for each session, and the RP can rely on trusted VC Issuers to assert the subject’s identity attribute(s) each time.

I don't believe that any change is required to the protocol, but only to the accompanying text that explains how the RP can use verifiable credentials to uniquely identify the user each time instead of relying on the sub identifier.
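As an added illustration (not part of the issue above or of any OpenID specification), a small Python sketch of the RP-side logic the proposal describes: the RP states which attributes it needs and which issuers it trusts for each, verifies the presented VCs, and derives a stable account key from those attributes rather than from the per-session `sub`. Issuer signatures are stood in for by HMAC tags, and the DIDs, keys and policy are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed issuer keys; HMAC tags stand in for real VC issuer signatures.
ISSUER_KEYS = {"did:example:gov": b"gov-issuer-key",
               "did:example:bank": b"bank-issuer-key",
               "did:example:unknown": b"unknown-issuer-key"}
RP_KEY = b"rp-local-secret"  # constructed; keys the derived account key to this RP

# RP policy: required attribute -> issuers trusted to assert it (constructed).
POLICY = {"ni_number": {"did:example:gov"},
          "email": {"did:example:gov", "did:example:bank"}}

def _canon(issuer, claims):
    return json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True).encode()

def issue_vc(issuer, claims):
    """Constructed VC: issuer-'signed' claims about the subject."""
    tag = hmac.new(ISSUER_KEYS[issuer], _canon(issuer, claims), "sha256").hexdigest()
    return {"issuer": issuer, "claims": claims, "proof": tag}

def vc_is_valid(vc):
    """Reject VCs from unknown issuers or whose claims were altered after issuance."""
    key = ISSUER_KEYS.get(vc["issuer"])
    if key is None:
        return False
    expected = hmac.new(key, _canon(vc["issuer"], vc["claims"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, vc["proof"])

def make_presentation(vcs):
    """Wallet side: a freshly minted (transient) key is presented as 'sub' each session."""
    return {"sub": "did:key:" + secrets.token_hex(16), "vcs": vcs}

def reidentify(policy, presentation):
    """RP side: stable account key from trusted, verified attributes; None if the
    policy is not fully satisfied or two valid VCs disagree. 'sub' is ignored."""
    collected = {}
    for vc in presentation["vcs"]:
        if not vc_is_valid(vc):
            continue
        for attr, value in vc["claims"].items():
            if attr not in policy or vc["issuer"] not in policy[attr]:
                continue  # attribute not required, or issuer not trusted for it
            if collected.get(attr, value) != value:
                return None  # conflicting values for a required attribute
            collected[attr] = value
    if set(collected) != set(policy):
        return None
    canonical = json.dumps(collected, sort_keys=True).encode()
    return hmac.new(RP_KEY, canonical, "sha256").hexdigest()
```

Two sessions with different transient `sub` values but the same trusted attributes map to the same account key, while the same attributes asserted by an issuer the RP does not trust for them do not satisfy the policy.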




More information about the Openid-specs-ab mailing list