[OpenID-Specs-eKYC-IDA] Issue #1221: Same Person different Subject Identifiers (openid/ekyc-ida)
issues-reply at bitbucket.org
Tue Dec 1 22:54:25 UTC 2020
New issue 1221: Same Person different Subject Identifiers
OpenID Core explains the way [Subject Identifiers](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) allow the RP and OP to exchange the user id; however, I believe it does not specify how the OP should deal with multiple users belonging to the same natural person.
I think that trust frameworks would benefit from preventing identity providers from allowing the same person to present two or more different identities. Imagine an example scenario where I have two sets of credentials for operating with my bank; irrespective of the credential I use, my bank knows I am the same person. However, if I use my bank to log in/register with another company, and I choose one or the other each time, for that company I could perfectly well be two different persons.
That scenario is something we are probably OK with, but, given the relevance of this specification for KYC, my proposal is to somehow introduce a way to require OPs to deal with that accordingly and try to return the same subject identifier regardless of the user credentials.
I would love to have your opinion on this topic!
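The scenario in the issue, as an added illustration that is not part of the original post and not the spec's or any OP's code: a pairwise `sub` derived from the authenticating credential splits one person into two subjects per RP, while deriving it from a canonical person record keeps it stable across credentials and still distinct across sectors. The credential-to-person table, sector URIs and salt are constructed placeholders; the hash construction follows the Core 8.1 sketch (sector identifier, local account id, salt) using HMAC-SHA256 as one possible choice.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample data: two credentials (e.g. password and smart card) that
# the OP already knows belong to the same natural person, plus a third person.
CREDENTIAL_TO_PERSON = {
    "cred-password-4711": "person-0001",
    "cred-smartcard-9182": "person-0001",  # same person, second credential
    "cred-password-2233": "person-0002",
}

# Per-OP secret salt as required for pairwise identifiers (Core 8.1).
# Constructed placeholder, not a real secret.
SALT = b"constructed-op-salt"


def pairwise_sub(sector_identifier_uri: str, local_account_id: str) -> str:
    """Pairwise subject identifier: hash over sector host, local id and salt.
    HMAC-SHA256 keyed with the salt is one way to realise the Core 8.1 sketch."""
    host = urlparse(sector_identifier_uri).hostname
    msg = f"{host}|{local_account_id}".encode()
    return hmac.new(SALT, msg, hashlib.sha256).hexdigest()


def sub_from_credential(sector_uri: str, credential_id: str) -> str:
    """Naive OP: the credential that authenticated is used as the local
    account id, so one person gets a different sub per credential."""
    return pairwise_sub(sector_uri, credential_id)


def sub_from_person(sector_uri: str, credential_id: str) -> str:
    """Person-centric OP: resolve the credential to the canonical person
    first, so every credential of that person yields the same sub per RP."""
    person_id = CREDENTIAL_TO_PERSON[credential_id]
    return pairwise_sub(sector_uri, person_id)


def same_person_same_sub(sector_uri: str, cred_a: str, cred_b: str) -> bool:
    """True when the person-centric derivation gives both credentials one sub."""
    return sub_from_person(sector_uri, cred_a) == sub_from_person(sector_uri, cred_b)
```

The RP in the issue would see two accounts under `sub_from_credential` and one under `sub_from_person`; in both variants the sub for a different sector identifier still differs, which is the privacy property pairwise identifiers are meant to keep.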