<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>All of the state registrars have a proofing process which varies by state. The processes are all published and publicly available.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Or do you mean proof-of-presence.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The two are both important, but not necessarily solved by the same method.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I guess the real problem is that no one in Germany trusts a proofing process that does not involve presentment of all the proofing data. It seems like the EU is a war with itself over the meaning of privacy. I guess privacy concerns only applies when then company in question is in the US. Otherwise privacy does not apply?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>thx ..tom</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:torsten@lodderstedt.net">Torsten Lodderstedt</a><br><b>Sent: </b>Friday, February 15, 2019 9:33 AM<br><b>To: </b><a href="mailto:thomasclinganjones@gmail.com">Tom Jones</a><br><b>Cc: </b><a href="mailto:openid-specs-ab@lists.openid.net">Artifact Binding/Connect Working Group</a>; <a href="mailto:jeff.lombardo@gmail.com">Jeff LOMBARDO</a><br><b>Subject: </b>Re: [Openid-specs-ab] [E] OpenID Connect for IdentityProofing(Proposal)</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> Am 14.02.2019 um 19:22 schrieb Tom Jones <thomasclinganjones@gmail.com>:</p><p class=MsoNormal>> </p><p class=MsoNormal>> Their API is public, their processes are not. It is my understanding that they do the lookup in the state databases directly. I cannot tell you anything about that api.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I took a look onto the "Driver's License Data Verification (DLDV) Service" (https://www.aamva.org/DLDV/ and http://www.movemag.org/identity-management/172-it-s-a-match.html)</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The service tells the caller whether the data presented in the request is the same as what the issuer has on file. That’s basically a check whether the data presented are consistent, e.g. there is a person John Smith born on 1/1/1976 in New York City. </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It does not tell the caller whether the user it interacts with is this person.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>How is this link typically established?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> This is becoming more interesting because the DHS 'Real ID law', which mandates a certain level of proofing be be able to get on an airplane (or certain other venues.)</p><p class=MsoNormal>> My state already offers two levels of proofing (assurance if you will.) I can use my enhanced state driver's license as a stand-in for a passport and visa to Canada.</p><p class=MsoNormal>> </p><p class=MsoNormal>> Health is now the topic of most interest to me. What sort of user consent is required for each of about 6 different categories of data that could be transferred between providers.</p><p class=MsoNormal>> I think that you are going the wrong way with sending more data than is required for the proofing process. Current history is not on your side. Legally i have no information about what might be required.</p><p class=MsoNormal>> Peace ..tom</p><p class=MsoNormal>> </p><p class=MsoNormal>> </p><p class=MsoNormal>> On Thu, Feb 14, 2019 at 10:09 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:</p><p class=MsoNormal>> </p><p class=MsoNormal>> > Am 14.02.2019 um 17:47 schrieb Tom Jones <thomasclinganjones@gmail.com>:</p><p class=MsoNormal>> > </p><p class=MsoNormal>> > AAMVA validates the data provided to it by the client (from the user) against state issued identity documents</p><p class=MsoNormal>> </p><p class=MsoNormal>> I’m trying to understand the process. I assume the client sends a set of data to a AAMVA via an API. Does AAMVA look that data up in databases containing the data of state issued identity documents?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>