[OpenID-Specs-eKYC-IDA] Issue #1212: Should signed assertions be "MUST"? (openid/ekyc-ida)

Kosuke Koiwai issues-reply at bitbucket.org
Wed Oct 7 13:53:47 UTC 2020

New issue 1212: Should signed assertions be "MUST"?

Kosuke Koiwai:

In [**4.3.**](https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID2.html#section-4.3) [**verified\_claims Delivery**](https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID2.html#name-verified_claims-delivery),

> Claims sources SHOULD sign the assertions containing `verified_claims` in order to protect integrity and authenticity.

On the other hand, [**10.**](https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID2.html#section-10) [**Security Considerations**](https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID2.html#name-security-considerations) section states that:

> The integrity and authenticity of the issued assertions MUST be ensured in order to prevent identity spoofing. The Claims source MUST therefore cryptographically sign all assertions.

I’m not sure if this should be MUST, as there may be a use case where RP and IdP mutually trust each other and no need to technologically assure the integrity of the Claims.

More information about the Openid-specs-ekyc-ida mailing list