[OpenID-Specs-eKYC-IDA] On robustness and extensibility
Marcos Sanz
sanz at denic.de
Thu Feb 20 13:48:14 UTC 2020
Dear all,
this is also one of our oldest open tickets
https://bitbucket.org/openid/ekyc-ida/issues/1094/how-to-treat-unknown-identifiers-in-claims
and a PR to fix it
https://bitbucket.org/openid/ekyc-ida/pull-requests/10/op-reaction-to-unknown-query-restrictions/diff
I'll summarize it for you: the open question at the moment is how should
the OP react to a query where the RP specifies it wants verified_data
for a given trust_framework or by means of a certain evidence
type/method, BUT the OP doesn't understand/support the given value of
the framework/evidence type/method. The two alternatives at the moment are:
A) Omit the whole verified_claims element in the response. It's robust
and allows for extensibility in the classical sense of "ignore what you
don't understand". It also aligns OP behavior with the case when a
constraint is understood, but it cannot be fulfilled. OTOH the RP
doesn't have a clue why it got an empty answer.
B) Return the always-handy invalid_request error with an optional
error_description element about the unknown value in the request. It
gives the RP more information about what went wrong, RP can react
accordingly (e.g. repeat the request with another/no constraint). It can
make interoperability, e.g. within federations, more brittle though.
What do you think? Any other advantages/disadvantages we haven't thought
of? What's your preference?
Best,
Marcos
More information about the Openid-specs-ekyc-ida
mailing list