[OpenID-Specs-eKYC-IDA] Issue #1212: Should signed assertions be "MUST"? (openid/ekyc-ida)
Kosuke Koiwai
issues-reply at bitbucket.org
Wed Oct 7 13:53:47 UTC 2020
New issue 1212: Should signed assertions be "MUST"?
https://bitbucket.org/openid/ekyc-ida/issues/1212/should-signed-assertions-be-must
Kosuke Koiwai:
In [**4.3.**](https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID2.html#section-4.3) [**verified\_claims Delivery**](https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID2.html#name-verified_claims-delivery),
> Claims sources SHOULD sign the assertions containing `verified_claims` in order to protect integrity and authenticity.
On the other hand, [**10.**](https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID2.html#section-10) [**Security Considerations**](https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID2.html#name-security-considerations) section states that:
> The integrity and authenticity of the issued assertions MUST be ensured in order to prevent identity spoofing. The Claims source MUST therefore cryptographically sign all assertions.
I’m not sure if this should be MUST, as there may be a use case where RP and IdP mutually trust each other and no need to technologically assure the integrity of the Claims.
More information about the Openid-specs-ekyc-ida
mailing list