[OpenID-Specs-eKYC-IDA] Data minimization in the previously granted clasims access

Mischa Salle msalle at nikhef.nl
Wed Mar 11 10:44:53 UTC 2020


Hi all,

On Wed, Mar 11, 2020 at 11:08:12AM +0100, Torsten Lodderstedt via Openid-specs-ekyc-ida wrote:
> Hi Vladimir,
> 
> > On 11. Mar 2020, at 10:31, Vladimir Dzhuvinov via Openid-specs-ekyc-ida <openid-specs-ekyc-ida at lists.openid.net> wrote:
> > 
> > On 11/03/2020 09:42, Torsten Lodderstedt via Openid-specs-ekyc-ida wrote:
> >> Hi Nat, 
> >> 
> >> we haven’t discussed this feature yet.
> >> 
> >> I think it makes sense to have that feature, especially if the RP obtained the authorization to access the user’s claims over a long time. I would assume an interesting use case would be to gather a larger set of data in the first request and update a sub set in subsequent transactions. 
> >> 
> >> The use case you illustrated, on the other hand, I think, could raise interesting questions regarding data minimisation itself. Why should the RP ask for a broader data set than it needs for the use case at hand?
> >> 
> > From what I understood Nat is interested in being able to differentiate immutable (e.g. National ID Number) vs mutable (e.g. address) claims. Then marking the first as "release once only". I'm not sure how this can work with std OAuth access tokens though.
> 
> I think the technical solution would need to include two elements: 
> 
> 1) How does the user determine (and consent to) what is being released under what circumstances? That would require extensions to the "claims” structure. 
> 2) How does the client request the data? That would require a new parameter in the UserInfo request to request certain claims. 

just a thought, wouldn't this be better handled in a refresh request,
and then asking for what will be needed next? After all a refresh
request can also be used to down-scope the scope?

I also just found
https://tools.ietf.org/html/draft-spencer-oauth-claims-01
in particular
https://tools.ietf.org/html/draft-spencer-oauth-claims-01#section-2.2
which suggests the same for claims.

Best wishes,
Mischa


> 
> best regards,
> Torsten. 
> 
> > 
> > Vladimir
> > 
> >> 
> >> We can discuss in the call today.
> >> 
> >> best regards,
> >> Torsten.  
> >> 
> >> 
> >>> On 11. Mar 2020, at 06:06, Nat Sakimura via Openid-specs-ekyc-ida <openid-specs-ekyc-ida at lists.openid.net>
> >>>  wrote:
> >>> 
> >>> Hi
> >>> 
> >>> I was wondering if it has already come up but I have a use-case where only a subset of (verified) claims are needed from time to time.
> >>> For example, I may need to get the Nationa ID number, address, DoB etc. in the first request, but in the subsequent request, I may just need the address as that is the only dynamic claim.
> >>> 
> >>> Presumably, I can use the previously obtained access token for this purpose as it is just down scoping, but I am not aware of a standardized way of sending "give me only this claim and nothing else" request to the Userinfo endpoint. From the data minimization point of view, this is pretty important.
> >>> 
> >>> Has this been discussed in this WG before?
> >>> 
> >>> Best,
> >>> 
> >>> Nat Sakimura
> >>> -- 
> >>> Openid-specs-ekyc-ida mailing list
> >>> 
> >>> Openid-specs-ekyc-ida at lists.openid.net
> >>> http://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida
> >> 
> > 
> > -- 
> > Vladimir Dzhuvinov
> > 
> > -- 
> > Openid-specs-ekyc-ida mailing list
> > Openid-specs-ekyc-ida at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida
> 



> -- 
> Openid-specs-ekyc-ida mailing list
> Openid-specs-ekyc-ida at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida


-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Digital signature
URL: <http://lists.openid.net/pipermail/openid-specs-ekyc-ida/attachments/20200311/2300565c/attachment.asc>


More information about the Openid-specs-ekyc-ida mailing list