[OpenID-Specs-eKYC-IDA] Issue #1224: the trust_framework element contains both the TF and the IAL and they should be separate (openid/ekyc-ida)
issues-reply at bitbucket.org
Thu Dec 10 18:07:08 UTC 2020
New issue 1224: the trust_framework element contains both the TF and the IAL and they should be separate
The element “trust_framework” actually contains two things, the TF and any associated identity level. I think this could be both difficult to manage and create confusion.
In the definition we say:
_trust_framework: REQUIRED. String determining the trust framework governing the identity verification process and the identity assurance level of the OP._
Which is clear that it is about which trust framework you are using; however we then go on to say:
_An example value is eidas_ial_high, which denotes a notified eID system under eIDAS [eIDAS] providing identity assurance at level of assurance "High"._
Which seems inconsistent because we did not define that the IAL should be in the TF element.
Having the level in the TF element means there could be a lot of TF name variants to manage because they must not clash with each other, whereas the number of actual TFs is much smaller, so that is a much smaller issue.
Some TFs do not have multiple assurance levels, so they have nothing to add here; whereas others use a very granular scoring system, so there could be dozens of “levels”.
The term IAL is not universal; it's mostly a NIST 800-63 term and has no meaning to an eIDAS user, for example, who uses LOA instead. The protocol should deliver something that makes sense to the consuming business, not something whose meaning they then have to work out for their TF. It also seems to imply that I would have to map my TF to NIST definitions of IAL, which is not correct.
Lastly, when using things like a QES as evidence, the IAL isn't important as that is already set out in the TF itself; it's just that it's a QES under the eIDAS TF that matters.
My suggestion is that we should make the TF element simply the name of the TF, e.g. eidas, and let each TF extend that with whatever levels they see fit (or none) that match their business use case. For example: under eIDAS it could be loa_low, loa_substantial, loa_high; the Swedish Trust Framework could be loa_1, loa_2, loa_3, loa_4 (albeit that loa_1 is never used in practice); the UK trust framework could be cl_low, cl_medium, cl_high and cl_veryhigh.
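As an added illustration of the split the issue proposes (example code, not part of the original post or of the eKYC-IDA spec), the following relying-party check keeps the trust framework name separate from a per-framework level vocabulary, and shows why the combined "eidas_ial_high" form is awkward to parse. The separate element name "assurance_level" and the framework identifiers "se_tf" and "uk_tf" are assumptions; "eidas" and the level names come from the post.

```python
"""RP-side validation of the proposed trust_framework / level split.

Added example. "assurance_level", "se_tf" and "uk_tf" are assumed names;
"eidas" and the level vocabularies are taken from the issue text.
"""
from typing import Optional

# Per-framework level vocabularies from the post (SE/UK framework ids assumed).
LEVELS_BY_TF = {
    "eidas": {"loa_low", "loa_substantial", "loa_high"},
    "se_tf": {"loa_1", "loa_2", "loa_3", "loa_4"},  # loa_1 unused in practice
    "uk_tf": {"cl_low", "cl_medium", "cl_high", "cl_veryhigh"},
}


def validate_verification(verification: dict) -> tuple[bool, Optional[str]]:
    """Check a verification object in the proposed split representation.

    Returns (ok, reason). The framework must be known; the level element is
    optional (some frameworks define none) but, if present, must belong to
    that framework's own vocabulary, so names from different TFs cannot clash.
    """
    tf = verification.get("trust_framework")
    if not isinstance(tf, str):
        return False, "trust_framework missing or not a string"
    if tf not in LEVELS_BY_TF:
        return False, f"unknown trust framework: {tf!r}"
    level = verification.get("assurance_level")  # assumed element name
    if level is None:
        return True, None
    if level not in LEVELS_BY_TF[tf]:
        return False, f"level {level!r} is not defined by {tf!r}"
    return True, None


def split_legacy_value(value: str) -> tuple[str, Optional[str]]:
    """Split a combined value such as "eidas_ial_high" into (tf, level).

    Shows the problem the post raises: the combined form can only be parsed by
    matching a known list of framework names first, and the suffix it yields
    ("ial_high") is not in the eIDAS vocabulary, which uses LOA rather than IAL.
    """
    for tf in LEVELS_BY_TF:
        if value == tf:
            return tf, None
        if value.startswith(tf + "_"):
            return tf, value[len(tf) + 1:]
    raise ValueError(f"cannot split {value!r}: framework prefix not recognised")
```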