[OpenID-Specs-eKYC-IDA] Issue #1188: Embedded liability implications in the framework? (openid/ekyc-ida)

Vladimir Dzhuvinov vladimir at connect2id.com
Sat Mar 28 07:54:20 UTC 2020

> -----Original Message-----
> From: Richard Backman, Annabelle <richanna at amazon.com> 
> Sent: Friday, March 27, 2020 11:53 AM
> To: OpenID eKYC Identity Assurance Working Group <openid-specs-ekyc-ida at lists.openid.net>
> Cc: Stephane Mouy <sgmouy at stephanemouy.com>; Anthony Nadalin <tonynad at microsoft.com>
> Subject: [EXTERNAL] Re: [OpenID-Specs-eKYC-IDA] Re: Issue #1188: Embedded liability implications in the framework? (openid/ekyc-ida)
> IANAL, but won’t any language in the spec regarding liability be superseded by local regulations and whatever contract exists between the OP and RP, be it explicitly via individual agreements or explicitly via the OP’s Terms of Service? Is there any precedent for an Internet standard holding any legal weight?

A technical spec has no legal weight, unless:

- somebody agrees to adhere to it in a contract, or

- it is legislated.

A contract or regulation will typically state a technical specification
as a requisite in the terms, but it will never derive from it or
supersede it. This is the common practice.

> That said, a guarantee of some sort seems to me to be intrinsic to the concept of a “verified claim.” OPs that aren’t willing to accept any liability regarding verified claims probably shouldn’t be issuing them. Why would an OP issue verified claims if it isn’t willing to stand by them? What value would those be to the RP? Isn’t a verified claim without a guarantee just a “claim”?

What you say is reasonable. But since we're writing a technical
specification, its basic purpose is to give an OP the means to issue claims
marked as "verified" and attach some metadata about the verification.

The OP may be assuming some degree of liability about the issued claims,
but this will be determined in a contract or when providing a service
regulated by law.

My suggestion is to remove the "liability is not in scope (or is in)"
entirely from the spec, because this isn't a contract or regulation
we're writing here and so liability cannot be a subject here.


Vladimir Dzhuvinov
