[OpenID-Specs-eKYC-IDA] Issue #1232: Spec does not allow the OP to explicitly state how the user has been verified as the owner of the claims (openid/ekyc-ida)

Julian White issues-reply at bitbucket.org
Thu Feb 18 03:11:39 UTC 2021 

New issue 1232: Spec does not allow the OP to explicitly state how the user has been verified as the owner of the claims
https://bitbucket.org/openid/ekyc-ida/issues/1232/spec-does-not-allow-the-op-to-explicitly

Julian White:

Current draft does not allow the explicitly OP to say how a user has been bound to the identity taken from the evidence. Its somewhat implied in the ID\_Document by the ‘method' however that is relies on a number of assumptions which don’t carry through to other types of ID evidence.

The ‘method’ element explicitly says it is a description of how the evidence was verified not how the user has been verified as its owner, i.e. its testing its authenticity. However the ‘methods’ predefined values do go into those things which seems contradictory to the definition of ‘method’.

For example if the proofing process was doing a lookup from a national population register it is not clear how you would express if the user was verified by that register by a biometric match against a centrally held template, or done over the phone by asking them “security questions”. Both processes are valid, and in both instances we are absolutely sure the claimed identity exists because its in the population register, however the strength or confidence in the user being the owner of that identity varies.

This unravels more when you have more than one piece of ID evidence. In the example given of using an ID document and a utility bill we are implying that the user has had their face compared to the ID document, however if they were asked to post in the ID document and asked questions about the utility \(e.g. previous usage or balances\) as a method of verification its not clear how the OP would express that.

I suggest we create two fields, one that covers the provenance or authenticity of the evidence. and one for the binding of the user to it. You cold put this binding either in each evidence where a user was matched to it, or as one field in the verification element. My preference would be to be able to add it into each evidence as it allows the OP to express whether they have matched them to one or more evidences, and its also clear to the RP which things were used for the binding and which were used as supporting or corroborating evidences. 

This is basically the point of the “validation” and “verification” steps in 800-63A.

More information about the Openid-specs-ekyc-ida mailing list