[OpenID-Specs-eKYC-IDA] Issue #1322: evidence type: when to use which (openid/ekyc-ida)

Kosuke Koiwai issues-reply at bitbucket.org
Wed Sep 14 14:31:08 UTC 2022


New issue 1322: evidence type: when to use which
https://bitbucket.org/openid/ekyc-ida/issues/1322/evidence-type-when-to-use-which

Kosuke Koiwai:

OIDF-Japan KYC WG is experiencing some difficulties digesting evidence `type`s.
The current description might be difficult to understand for people without thorough knowledge of various trust frameworks.


#### [5.1.1. evidence Element](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#section-5.1.1)

* `document`: Verification based on any kind of physical or electronic document provided by the End-User.
* `electronic_record`: Verification based on data or information obtained electronically from an approved or recognized source.
* `vouch`: Verification based on an attestation or reference given by an approved or recognized person declaring they believe to the best of their knowledge that the Claim(s) are genuine and true.
* `electronic_signature`: Verification based on an electronic signature.

Given the above, what is the proper `type` in each of the following situations?

1. When an authoritative source (i.e. a government) serves as an IDP and returns `verified_claims` directly?

    1. I think it should be `electronic_record`, but a member says it can be `vouch`, as the IDP is the primary source (no other evidence exists than the fact that the IDP believes that the person is who they claim to be).

2. When IDP A provides `verified_claims` with an evidence type `document` to IDP B, then IDP B provides `verified_claims` to the RP based on the information received from IDP A? (Note: here IDP B does not use claims aggregation.)

    1. An opinion among the group was: if IDP B verifies the `attachment` by themselves, then IDP B should serve `verified_claims` with an evidence type `document`, otherwise `electronic_record`.

3. When the IDP verifies a claimant with a document signed with the claimant's private key, and with the electronic certificate in which an authority attests the identity of the holder of the paired public key?

    1. I believe this is what `electronic_signature` is for, but the description above doesn't technically describe how an electronic signature is used for verification. (Even if the IDP uses CRL/OCSP to validate the certificate, we don't use `electronic_record`, do we?)
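Whichever reading the working group settles on, the choice of evidence `type` matters most at the RP, which has to decide whether the evidence an IDP presents is something it is willing to rely on. The following is an added example, not code from the issue or from the OpenID Foundation: it builds constructed `verified_claims` payloads for the three scenarios above (trust framework, timestamp and claim values are placeholders) and runs an RP-side check that every evidence entry carries one of the four types from section 5.1.1 and falls within the RP's own accepted set. It assumes only the `verified_claims` -> `verification` -> `evidence` layout with a `type` key per entry; the other evidence fields are omitted.

```python
"""Check the evidence types carried in an OIDC4IDA verified_claims object.

Added example (not code from the issue or from the OpenID Foundation).
Assumes the verified_claims layout from the OIDC4IDA spec:
  verified_claims -> verification -> evidence: [ {"type": ..., ...}, ... ]
The sample payloads are constructed for the scenarios raised in the issue;
trust_framework, time and claim values are placeholders, not real data.
"""

# The four evidence types listed in section 5.1.1 of the spec.
EVIDENCE_TYPES = {"document", "electronic_record", "vouch", "electronic_signature"}


def evidence_types(verified_claims: dict) -> list:
    """Return the 'type' of each evidence entry, in the order the IDP listed them."""
    verification = verified_claims.get("verification", {})
    return [entry.get("type") for entry in verification.get("evidence", [])]


def check_evidence(verified_claims: dict, accepted: set) -> tuple:
    """RP-side policy check on the evidence element.

    accepted: the evidence types this RP is willing to rely on.
    Returns (ok, problems). ok is False when there is no evidence at all,
    when an entry's type is not one of the four spec types, or when an
    entry's type is outside the RP's accepted set.
    """
    problems = []
    types = evidence_types(verified_claims)
    if not types:
        problems.append("no evidence entries in verification")
    for i, t in enumerate(types):
        if t not in EVIDENCE_TYPES:
            problems.append(f"evidence[{i}]: unknown type {t!r}")
        elif t not in accepted:
            problems.append(f"evidence[{i}]: type {t!r} not accepted by RP policy")
    return (not problems, problems)


def make_verified_claims(evidence: list, claims: dict) -> dict:
    """Wrap a constructed evidence list in a minimal verified_claims object."""
    return {
        "verification": {
            "trust_framework": "example_framework",  # placeholder, not a real framework id
            "time": "2022-09-14T00:00:00Z",          # placeholder timestamp
            "evidence": evidence,
        },
        "claims": claims,
    }


CLAIMS = {"given_name": "Example", "family_name": "Person"}  # constructed

# Scenario 1: a government IDP returns verified_claims directly. Both readings
# from the issue are built so the policy check can be run against each.
SCENARIO_1_RECORD = make_verified_claims([{"type": "electronic_record"}], CLAIMS)
SCENARIO_1_VOUCH = make_verified_claims([{"type": "vouch"}], CLAIMS)

# Scenario 2: IDP B relays what it received from IDP A. Either IDP B re-checked
# the attachment itself (document) or it did not (electronic_record).
SCENARIO_2_RECHECKED = make_verified_claims([{"type": "document"}], CLAIMS)
SCENARIO_2_RELAYED = make_verified_claims([{"type": "electronic_record"}], CLAIMS)

# Scenario 3: verification by a signature under a certificate.
SCENARIO_3 = make_verified_claims([{"type": "electronic_signature"}], CLAIMS)

# A constructed malformed entry whose type is not one of the four.
MALFORMED = make_verified_claims([{"type": "example_unlisted_type"}], CLAIMS)


if __name__ == "__main__":
    # Example RP policy: relies on documents, electronic records and signatures,
    # but not on a bare vouch.
    policy = {"document", "electronic_record", "electronic_signature"}
    samples = [
        ("scenario 1 / electronic_record", SCENARIO_1_RECORD),
        ("scenario 1 / vouch", SCENARIO_1_VOUCH),
        ("scenario 2 / rechecked", SCENARIO_2_RECHECKED),
        ("scenario 2 / relayed", SCENARIO_2_RELAYED),
        ("scenario 3", SCENARIO_3),
        ("malformed", MALFORMED),
    ]
    for name, vc in samples:
        ok, problems = check_evidence(vc, policy)
        print(f"{name}: ok={ok} {problems}")
```

The point the check makes concrete is that the `vouch` versus `electronic_record` question in scenario 1 is not cosmetic: an RP whose policy does not accept `vouch` will reject the same government-issued assertion if the IDP labels it that way, so IDPs and RPs within a trust framework need to agree on the reading.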
    

