[OpenID-Specs-eKYC-IDA] Connecting OIDC4IDA and Wallet functionality

Kai Lehmann kai.lehmann at 1und1.de
Fri Nov 18 11:40:12 UTC 2022


Hi all,

sorry in advance for the long mail ….

I would like to discuss the following use case which combines identity assurance and wallet functionality:

A relying party would like to have verified claims about the End-User.  The OP responsible for that End-User may or may not be able to provide the verified claims with the restrictions requested by the RP (specific trust framework, type of evidence). If the OP is able to provide the verified data, it can simply return the data to the RP via OIDC4IDA protocol. If it is unable to provide the verified claims as is, the OP may trigger an ad-hoc ident verification process of the End-User by incorporating a 3rd party identification service provider.

Instead of (or besides) storing the verified data at the OP for later use/requests from this or other RPs, the OP offers the End-User to store the verified data in a Wallet application. In fact, the Wallet application may not only be able to store identities, but also to provide identification services and store the verified identity within the Wallet. So the OP just triggers the whole identification process with the Wallet application and the verified data is then returned by the Wallet – preferably using the OIDC4IDA protocol to have a common interface used by the RP.

Part of the verified claim data is also the email address. The identification service is unable to verify the email address or we may not want to throw another email verification process at the End-User, because the OP already knows the email address and verified it. The OP may possess additional verified claims which we would like to store with the identity inside of the Wallet. The question now is, what is the protocol to be used to provide the Wallet/Identification service provider with already verified data (along with the necessary evidence/process information) which should be stored in the Wallet.

The Wallet/Identification service provider can be seen as a 3rd party OP which essentially provides the verified claims in the end. So the idea is to at least provide the data already verified by the original OP and then do another request to the Wallet as OP and provide the data as identity assertion. We thought of simply providing the ID Token containing the verified data to the Wallet OP with the authorize request would fit nicely. The parameter id_token_hint may not fit here as id_token_hint is supposed to contain the ID Token issued by the same OP and not another one. So a different parameter may be more appropriate. Whatever is transferred from the original OP to the Wallet (directly or indirectly) needs to be signed of course so that the Wallet can verify the authenticity and integrity.

There are drafts regarding Verifiable Presentations (https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) and Verifiable Credential Issuance (https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html) – the latter is not referenced on the OIDC specs overview page, but can be found with Google by the way – which seem to cater to the use case I described. However, the presentation format is based on DID, which has some similarities with OIDC4IDA verified claims, but has significant differences.

So are the mentioned drafts the ones which should be used in this scenario? How can we make it easier for RPs so that they do not need to understand both protocols?

(I will probably need to address the Connect WG as well as they have been working on the mentioned drafts, but some authors are also involved in this WG.)

Thanks,
Kai
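
The OP-to-Wallet hand-off sketched in the mail above, as an added example that is not part of Kai's mail or of any OpenID draft: the original OP wraps an OIDC4IDA verified_claims element in a signed token, the Wallet checks signature, issuer, audience and lifetime before storing anything, and a helper decides whether a stored element meets an RP's trust_framework/evidence restrictions. Assumptions: HS256 with a shared key stands in for the OP's asymmetric signature (to stay stdlib-only), and the issuer/audience URLs, key and claim values are constructed sample data.

```python
import base64, hashlib, hmac, json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed sample: verified_claims the original OP already holds (OIDC4IDA
# layout: a verification block plus the claims that verification covers).
OP_VERIFIED_CLAIMS = {
    "verification": {"trust_framework": "de_aml", "time": "2022-11-18T10:00:00Z",
                     "evidence": [{"type": "electronic_record"}]},
    "claims": {"email": "alice@example.com"},
}

def sign_assertion(verified_claims, key, iss, aud, now):
    # OP side. HS256 with a shared key is an assumption (stdlib-only); a real OP
    # would sign with the private key behind its published JWKS.
    header = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = {"iss": iss, "aud": aud, "iat": now, "exp": now + 300,
               "verified_claims": verified_claims}
    signing_input = header + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_assertion(token, key, iss, aud, now):
    # Wallet side: signature, issuer, audience and lifetime are checked before
    # anything is stored. Returns the verified_claims element or raises ValueError.
    h64, p64, s64 = token.split(".")  # a wrong part count already raises ValueError
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("iss") != iss or payload.get("aud") != aud:
        raise ValueError("wrong issuer or audience")
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        raise ValueError("token not valid at this time")
    return payload["verified_claims"]

def satisfies_request(verified_claims, trust_frameworks, evidence_types):
    # Does the element meet an RP's accepted trust_framework and evidence type
    # values (restrictions an OIDC4IDA claims request can express)?
    verification = verified_claims.get("verification", {})
    if verification.get("trust_framework") not in trust_frameworks:
        return False
    present = {e.get("type") for e in verification.get("evidence", [])}
    return bool(present & set(evidence_types))
```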


From: Openid-specs-ekyc-ida <openid-specs-ekyc-ida-bounces at lists.openid.net> on behalf of Mark Haine via Openid-specs-ekyc-ida <openid-specs-ekyc-ida at lists.openid.net>
Reply to: OpenID eKYC Identity Assurance Working Group <openid-specs-ekyc-ida at lists.openid.net>
Date: Wednesday, 16. November 2022 at 15:34
To: OpenID eKYC Identity Assurance Working Group <openid-specs-ekyc-ida at lists.openid.net>
Cc: Mark Haine <mark at considrd.consulting>
Subject: [OpenID-Specs-eKYC-IDA] Proposed eKYC and IDA WG Agenda for 09-16-2022

Hi All,

Brief review of external Orgs & Events
    Future Identity Festival London
    IIW
    Identiverse call for papers

Main Agenda Items
    Shall we move to final review?

Review PRs

Identity Assurance
    PR#146 Updates to Authority draft <https://bitbucket.org/openid/ekyc-ida/pull-requests/146> - Adrian

Review Issues

Identity Assurance
    New
    Close
    Review
        Issue #1331: possible type confusion with distributed/aggregated claims <https://bitbucket.org/openid/ekyc-ida/issues/1331/possible-type-confusion-with-distributed> - Joseph
        Issue #1330: Suggest that there be a default for "attachments_supported" <https://bitbucket.org/openid/ekyc-ida/issues/1330/suggest-that-there-be-a-default-for> - Mark

Advanced Syntax for Claims
    Update from Daniel and Mark on SAO syntax thinking
    New
    Close
    Review
        Issue #1327: Age verification examples in the Advance Syntax Draft <https://bitbucket.org/openid/ekyc-ida/issues/1327/age-verification-examples-in-the-advance> - Nat
        Issue #1276: [SAO] Output claim set varies depending on evaluation order <https://bitbucket.org/openid/ekyc-ida/issues/1276/sao-output-claim-set-varies-depending-on> - Daniel
        Issue #1320: Claim Controls <https://bitbucket.org/openid/ekyc-ida/issues/1320/claim-controls> - Taka

Authority
    New
    Close
    Review
        Issue #1236: Act as a staff, but assert director's verified claims <https://bitbucket.org/openid/ekyc-ida/issues/1236/act-as-a-staff-but-assert-directors> - Mark
        Issue #1258: Represent legal entity beneficial owner <https://bitbucket.org/openid/ekyc-ida/issues/1258/represent-legal-entity-beneficial-owner> - Mark

Other non-draft related topics
    Additional claims and structured claims
    Pending Verification

AOB


 Mark