[OpenID-Specs-eKYC-IDA] [External Sender] Re: Move transaction specific purpose out of the main specification

George Fletcher george.fletcher at capitalone.com
Wed Apr 24 18:27:54 UTC 2024


I think this could be as simple as defining the RAR request object as...

[
 {
   "type": "transaction_purpose",
   "dpv": "<dpvValue>"
 }
]

Thanks,
George

On Wed, Apr 24, 2024 at 2:25 PM George Fletcher <
george.fletcher at capitalone.com> wrote:

> Is there a reason that RFC 9396
> <https://datatracker.ietf.org/doc/html/rfc9396> can not be used for this
> purpose (pun intended)? This is exactly why RAR was created to allow for
> this additional detail to be provided. There is provision to return
> additional "RAR" data in the response. I'm sure this was already discussed
> so if you can point me to that thread I would really appreciate it.
>
> Thanks,
> George
>
> On Wed, Apr 24, 2024 at 2:20 PM Axel.Nennker--- via Openid-specs-ekyc-ida <
> openid-specs-ekyc-ida at lists.openid.net> wrote:
>
>> Bjorn,
>>
>>
>>
>> In today's ICM meeting the purpose-parameter proposal died.
>>
>> We are back to encoding-purpose-in-scope.
>>
>>
>>
>> I proposed some new text, that I think is better than the previous 0.1
>> text on encoding-purpose-in-scope.
>>
>>
>>
>> My understanding of the IETF process is that new drafts are sent to the
>> mailing list asking the WG to add them as a work item.
>>
>> Yes, I also remember that messages-for-transactions or
>> purpose-for-transactions was tried before.
>>
>> I remember that the last time this was discussed @Torsten Lodderstedt
>> <torsten at lodderstedt.net> said that "transactions" are not well enough
>> understood.
>>
>> But that was years ago and maybe now we find the next small step
>> forward that helps.
>>
>>
>>
>> Let's see what Dima says
>>
>>
>>
>> Kind regards
>>
>> Axel
>>
>>
>>
>>
>>
>> *From: *Bjorn Hjelm <blhjelm at gmail.com>
>> *Date: *Wednesday, 24. April 2024 at 18:20
>> *To: *Nennker, Axel <Axel.Nennker at telekom.de>, dima at postnikov.net <
>> dima at postnikov.net>
>> *Cc: *Padgaonkar, Shilpa <Shilpa.Padgaonkar at telekom.de>, OpenID eKYC
>> Identity Assurance Working Group <openid-specs-ekyc-ida at lists.openid.net>,
>> Bjorn Hjelm <bjorn.hjelm at oidf.org>
>> *Subject: *Re: [OpenID-Specs-eKYC-IDA] Move transaction specific purpose
>> out of the main specification
>>
>> Axel,
>>
>> As noted, Dima has created a draft intended for IETF on purpose based on
>> the discussions in the eKYC-IDA working group. Until introduced, we don't
>> know the feedback from the IETF community on this proposal but it's my
>> understanding that this isn't the first time this topic has been discussed
>> within IETF. There's also a similar discussion about purpose taking place
>> in the DPC working group worth noting that may impact the approach of a
>> technical specification.
>>
>>
>>
>> As Dima is traveling, I believe he'll add some additional details and
>> insight to this e-mail thread.
>>
>>
>>
>> Finally, I would highly encourage CAMARA to take issue to the OpenID
>> Foundation when it relates to parameter usage (as mentioned about tweaking
>> purpose into scopes) to ensure that the OpenID Connect specifications and
>> profiles are utilized in accordance with their purpose and that the Foundation
>> has offered up the wealth of knowledge that exists within the Foundation to
>> assist CAMARA.
>>
>>
>>
>> Kind Regards,
>>
>> Bjorn
>>
>>
>>
>> On Mon, Apr 22, 2024 at 3:35 AM Axel.Nennker--- via
>> Openid-specs-ekyc-ida <openid-specs-ekyc-ida at lists.openid.net> wrote:
>>
>> Hi,
>>
>>
>>
>> in Camara
>> <https://github.com/camaraproject/IdentityAndConsentManagement/>
>> there is agreement that we need something like the purpose parameter that
>> was removed from ekyc-ida with this issue.
>>
>>
>> https://bitbucket.org/openid/ekyc-ida/issues/1386/move-transaction-specific-purpose-out-of
>>
>>
>>
>> We referenced the section from the ekyc-ida spec on the purpose parameter
>> and wanted to use it.
>>
>>
>> https://github.com/AxelNennker/IdentityAndConsentManagement/blob/camara_oidc_profile/documentation/CAMARA-Security-Interoperability.md#purpose
>>
>>
>> Purpose
>>
>> A transaction specific request parameter purpose as specified in
>> openid-connect-4-identity-assurance-1_0-13
>> <https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-transaction-specific-purpos>
>> MUST be used to allow a SP to state the purpose for the transfer of
>> End-User data it is asking for. The purpose string MUST use below format
>> for interoperability
>>
>> dpv:<dpvValue>
>>
>> <dpvValue> is coming from W3C DPV purpose definition
>> <https://w3c.github.io/dpv/dpv/#vocab-purpose>
>>
>> Then, later, we discovered that ekyc-ida removed that parameter
>> definition from the ekyc-ida protocol, bummer.
>>
>>
>>
>> We found that @dima at postnikov.net <dima at postnikov.net> started writing a
>> new Internet Draft for "purpose" in OAuth2.
>>
>>
>> https://cdn.connectid.com.au/specifications/oauth2-purpose-01.html#name-transaction-specific-purpos
>>
>>
>>
>> Deutsche Telekom would support that draft. Other Camara members as well,
>> probably.
>>
>> We, DT, are willing to contribute to the new draft.
>>
>>
>>
>> In Camara we envisioned that the value of the purpose parameter is ONE
>> from the W3C DPV purpose definition.
>>
>> We think that the value should not be a string provided by the client but
>> from a fixed list and that the AZ then shows the end user a text that
>> matches the user's and the AZ/RP's legislation/jurisdiction for that
>> purpose.
>>
>>
>>
>> An end user might give their consent to a location-service for the
>> purpose of account takeover protection but not for some other purpose.
>>
>> A mobile banking app might ask for consent for a location-service, that
>> helps the user find the nearest ATM, but the user does give their consent
>> for this convenience function.
>>
>> A mobile banking app might ask for consent for a location-service, that
>> validates that the user's mobile phone is in the vicinity of the ATM the
>> user is withdrawing money from – and the end user is willing to get that
>> protection.
>>
>> Or the client might have a legitimate-interest
>> <https://w3c.github.io/dpv/dpv/#LegitimateInterest>
>> in using some API like location-service or sim-swap.
>>
>>
>>
>> The removed ekyc-ida purpose parameter sounds like the CIBA
>> binding_message parameter.
>>
>>
>> https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request
>>
>>
>>
>> Camara also discussed tweaking purpose into scopes, but that did not turn
>> out well. Mainly, I think, because technical scopes have very little
>> relationship with legislation/jurisdiction.
>>
>>
>>
>> Could you please provide some context on why ekyc-ida removed the purpose
>> parameter?
>>
>> And, is there initial feedback from the IETF OAuth2 WG on the new draft?
>>
>>
>>
>> Kind regards
>>
>> Axel
>>
>>
>>
>>
>>
>>
>>
>
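To make the two encodings discussed in this thread concrete, here is an added authorization-server-side example (not code from eKYC-IDA, CAMARA, RFC 9396 or the purpose draft): it accepts George's RAR form and Axel's `dpv:<dpvValue>` parameter form, checks the value against a fixed DPV allowlist instead of trusting client-supplied text, and selects a server-held consent text by jurisdiction. The `transaction_purpose` type, the allowlist entries and the consent texts are assumptions.

```python
import json
from typing import Optional

# Constructed allowlist of W3C DPV purpose names (sample subset only; the
# vocabulary itself is at https://w3c.github.io/dpv/dpv/#vocab-purpose).
DPV_PURPOSES = {"FraudPreventionAndDetection", "ServiceProvision", "Marketing"}

# Constructed, server-held consent texts keyed by (purpose, jurisdiction);
# the AS displays these rather than any text supplied by the client.
CONSENT_TEXT = {
    ("FraudPreventionAndDetection", "DE"): "Standort zur Betrugsprävention verwenden",
    ("FraudPreventionAndDetection", "US"): "Use your location to protect against fraud",
    ("ServiceProvision", "US"): "Use your location to provide the service",
}


def purpose_from_param(purpose_param: str) -> str:
    """Parse the CAMARA 'purpose' request parameter format 'dpv:<dpvValue>'."""
    prefix, sep, value = purpose_param.partition(":")
    if prefix != "dpv" or not sep or not value:
        raise ValueError("purpose must be of the form dpv:<dpvValue>")
    return value


def purpose_from_rar(authorization_details: str) -> str:
    """Extract the DPV value from an RFC 9396 authorization_details array whose
    entry uses the hypothetical type 'transaction_purpose'."""
    details = json.loads(authorization_details)
    if not isinstance(details, list):
        raise ValueError("authorization_details must be a JSON array")
    hits = [d for d in details
            if isinstance(d, dict) and d.get("type") == "transaction_purpose"]
    if len(hits) != 1:
        raise ValueError("exactly one transaction_purpose entry is required")
    value = hits[0].get("dpv")
    if not isinstance(value, str):
        raise ValueError("transaction_purpose entry needs a string 'dpv' member")
    return value


def consent_text(dpv_value: str, jurisdiction: str) -> Optional[str]:
    """Return the consent text to show the End-User, or None when the request
    must be rejected: the purpose is not on the fixed list, or no text exists
    for the End-User's jurisdiction."""
    if dpv_value not in DPV_PURPOSES:
        return None
    return CONSENT_TEXT.get((dpv_value, jurisdiction))
```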
