<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:9646019;
mso-list-template-ids:65546424;}
@list l1
{mso-list-id:1238248200;
mso-list-template-ids:591975220;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="EN-GB" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi John,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Thanks so much for your mail and for bring this topic to the group. In the first instance it would be great if you or colleagues could attend one of our working group meetings and introduce yourselves,
you would be very welcome. We are active in finding real world use cases to test the base hypothesis of our work and it sounds like this is one that we haven’t imagined as yet.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">I personally find this use case really interesting and have done a little thinking around something that might be quite similar and looks to address the lack of a standardised interface for Data
Subject Requests although I hadn’t got to the point of specifying an interface.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">With regards to your questions I shall have a go but these are not authoritative answers from the WG! I also hope that I have understood your questions well enough.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">1 – trust model – The OIDF focusses on tools not rules and as such we do not attend to the trust model side of things as that is in the policy domain rather than the technology domain. We have a
partner organisation called the Open Identity Exchange that has been working on a definition of the component parts of a trust framework that you may find quite useful.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">2 – Workflow for claims – I am not sure I understand this question properly but we do have an open issue that relates to how the spec might be able to handle request for claims that need to be established
through a more time consuming process than claims that are readily available to the PIP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">3 – API Authorisation – I expect so<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">4 – other concerns – Have you looked at the security profile work coming out of the FAPI working group? We would encourage use of FAPI to mitigate security risks when using OIDC for IDA with any
sensitive information or PII.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Mark Haine<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">OpenID Foundation eKYC & IDA Working Group Co-chair<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">+44 (0) 777 555 0344 | <a href="mailto:mark@considrd.consulting" title="mailto:mark@considrd.consulting"><span style="color:#0563C1">mark@considrd.consulting</span></a> | <a href="https://www.considrd.consulting/"><span style="color:#0563C1">considrd.consulting</span></a> | </span><span style="color:black">30
The Grange, Irvine. KA11 2EU</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><img border="0" width="98" height="42" style="width:1.0208in;height:.4375in" id="Picture_x0020_3" alt="considrd.consulting logo" data-outlook-trace="F:0|T:1" src="cid:image001.png@01D7B90C.0AD89070"></span><a href="https://www.considrd.consulting/"><span style="font-size:12.0pt;color:black;text-decoration:none"><img border="0" width="136" height="53" style="width:1.4166in;height:.552in" id="Picture_x0020_2" alt="OpenID Logo" data-outlook-trace="F:0|T:1" src="cid:image002.png@01D7B90C.0AD89070"></span></a><span style="color:black"><img border="0" width="83" height="35" style="width:.8645in;height:.3645in" id="Picture_x0020_1" alt="signature_900739338" data-outlook-trace="F:0|T:1" src="cid:image003.png@01D7B90C.0AD89070"></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Openid-specs-ekyc-ida <openid-specs-ekyc-ida-bounces@lists.openid.net> on behalf of John Gronberg via Openid-specs-ekyc-ida <openid-specs-ekyc-ida@lists.openid.net><br>
<b>Reply to: </b>OpenID eKYC Identity Assurance Working Group <openid-specs-ekyc-ida@lists.openid.net><br>
<b>Date: </b>Friday, 1 October 2021 at 19:28<br>
<b>To: </b>"openid-specs-ekyc-ida@lists.openid.net" <openid-specs-ekyc-ida@lists.openid.net>, Dazza Greenwood <dazza.greenwood.consultant@consumer.org>, Ryan Rix <ryan.rix.consultant@consumer.org>, Marc Llahona <marc@datagrail.io><br>
<b>Cc: </b>John Gronberg <gronberg@datagrail.io><br>
<b>Subject: </b>[OpenID-Specs-eKYC-IDA] Data Rights Protocol and eKYC<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">Hello eKYC WG,</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">I'm part of a consortium of privacy infrastructure and technology businesses working to create an open standard for Data Subject Rights (DSR) Requests for businesses under the jurisdiction of
the CCPA. You can read a little bit more about the protocol here: </span><a href="http://datarightsprotocol.org"><span style="font-family:"Arial",sans-serif">http://datarightsprotocol.org</span></a><span style="font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><i><span style="font-family:"Arial",sans-serif">"This specification defines a web protocol encoding a set of standardized request/response data flows such that End-Users can exercise Personal Data Rights provided under regulations like
the California Consumer Privacy Act, General Data Protection Regulation, and other regulatory or voluntary bases, and receive affirmative responses in standardized formats.</span></i><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><i><span style="font-family:"Arial",sans-serif">We aim to make the data rights protocol integrable with an ecosystem of data rights middlewares, agent services, automation tool kits, and privacy-respecting businesses which empower and
build trust with consumers while driving the cost of compliance towards zero."</span></i><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">We believe that the eKYC extension to OIDC would be a good fit for our use case. I will lay out the scenario below</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">These are the relevant entities:</span><o:p></o:p></p>
<ul style="margin-top:0cm" type="disc">
<li style="margin-top:10.0pt;margin-bottom:0cm;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">a <b>data subject</b>: A natural person about whom a controller holds personal data and who can be identified, directly or indirectly, by reference to that personal data<o:p></o:p></span></li><li style="margin-top:0cm;margin-bottom:0cm;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">an <b>authorized agent</b>: A third party designated by a Consumer to perform Data Subject Requests on their behalf. This would be like a user agent/app.<o:p></o:p></span></li><li style="margin-top:0cm;margin-bottom:0cm;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">a <b>Privacy Infrastructure Provider (PIP)</b>: a technology solution that can orchestrate a DSR request for a business. <o:p></o:p></span></li><li style="margin-top:0cm;margin-bottom:10.0pt;mso-list:l1 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<b><span style="font-family:"Arial",sans-serif">a covered business</span></b><span style="font-family:"Arial",sans-serif">: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means
of the processing of personal data and is subject to the CCPA.<o:p></o:p></span></li></ul>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">A data subject will initiate one or more data subject requests through an authorized agent. The authorized agent will create these requests with one or more covered businesses. The covered business
will have certain requirements in place for establishing the identity of the data subject. Once the requirements are met, the businesses will process the rights requests (for erasure, access, etc) based on their internal processes, or the PIP will do so on
behalf of the covered business. Upon completion of the internal processes, the results of the rights request will be returned to the authorized agent for delivery to the data subject. </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">We're trying to answer the following questions:</span><o:p></o:p></p>
<ol style="margin-top:0cm" start="1" type="1">
<li style="margin-top:10.0pt;margin-bottom:0cm;mso-list:l0 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">Identity claims could be supplied by the authorized agent or the PIP/covered business. What is the proper trust model and how can we establish confidence in the claims? <o:p></o:p></span></li><li style="margin-top:0cm;margin-bottom:0cm;mso-list:l0 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">The PIP/covered business may need to get identity claims that the authorized agent does not yet have (for instance, if the covered business is an ecommerce company it may want to know the date of the last order placed
by the data subject). What is the right model for us to establish such claims?<o:p></o:p></span></li><li style="margin-top:0cm;margin-bottom:0cm;mso-list:l0 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">Presumably, for the API authorization that would go along with the identity claims, we would be able to use the standard OIDC flow with the PIP/covered business acting as the authorization server and the authorized
agent acting as a user agent, correct?<o:p></o:p></span></li><li style="margin-top:0cm;margin-bottom:10.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">Do you have any concerns or other questions as we figure out how to meet our DSR use cases with OIDC? <o:p></o:p></span></li></ol>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">We've put together a few explanatory diagrams in
</span><a href="https://github.com/consumer-reports-digital-lab/data-rights-protocol/blob/main/files/eKYC-WG-feedback.pdf"><span style="font-family:"Arial",sans-serif">this document</span></a><span style="font-family:"Arial",sans-serif"> for further explanation. </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">We're looking forward to your input! I will be unavailable via email for the next week, but will respond to comments upon my return.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">Cheers,</span><o:p></o:p></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">John</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>