<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-GB" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi John,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">You would be very welcome to join us on Wednesday. Perhaps I can put an agenda item in for 10-15 minutes for you and any others in your group to introduce yourselves and your work.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Tuesday is good for that side huddle if it can be made to work for you and Gail. If we could keep it in UK timezone normal working hours that would suit me better.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">My final question is whether any other members of the mailing group would like to join the pre-meet? If so please make yourselves known
</span><span style="font-family:"Apple Color Emoji";mso-fareast-language:EN-US">😉</span><span style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Best Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Mark Haine<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">OpenID Foundation eKYC & IDA Working Group Co-chair<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">+44 (0) 777 555 0344 | <a href="mailto:mark@considrd.consulting" title="mailto:mark@considrd.consulting"><span style="color:#0563C1">mark@considrd.consulting</span></a> | <a href="https://www.considrd.consulting/"><span style="color:#0563C1">considrd.consulting</span></a> | </span><span style="color:black">30
The Grange, Irvine. KA11 2EU</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Openid-specs-ekyc-ida <openid-specs-ekyc-ida-bounces@lists.openid.net> on behalf of John Gronberg via Openid-specs-ekyc-ida <openid-specs-ekyc-ida@lists.openid.net><br>
<b>Reply to: </b>OpenID eKYC Identity Assurance Working Group <openid-specs-ekyc-ida@lists.openid.net><br>
<b>Date: </b>Friday, 15 October 2021 at 16:53<br>
<b>To: </b>OpenID eKYC Identity Assurance Working Group <openid-specs-ekyc-ida@lists.openid.net><br>
<b>Cc: </b>John Gronberg <gronberg@gmail.com>, Ryan Rix <ryan.rix.consultant@consumer.org>, Dazza Greenwood <dazza.greenwood.consultant@consumer.org><br>
<b>Subject: </b>Re: [OpenID-Specs-eKYC-IDA] Data Rights Protocol and eKYC<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thank you for the warm welcome, Gail and Mark. I'd be happy to join an upcoming working group meeting to introduce myself and share a bit more about what we're working on with the Data Rights Protocol. Would it be possible to join the October
20th working group session? <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm also open to having a brief 'side huddle' this week to make sure we make the most effective use of the WG's time by agreeing on an agenda/structure. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, Oct 5, 2021 at 3:13 AM Gail Hodges via Openid-specs-ekyc-ida <<a href="mailto:openid-specs-ekyc-ida@lists.openid.net">openid-specs-ekyc-ida@lists.openid.net</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">+ Mike L<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">Hi John<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">As Exec Director of the OIDF I’d just like to echo Mark’s comments – we warmly welcome exploration of OIDF standards to support entities seeking to comply with
their CCPA/GDPR obligations. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">eKYC & IDA WG is indeed the best place to start the conversation, and discuss the use case in more detail. Time is weekly 8am PT/ 11am ET every Wednesday, hosted
by Mark Haine. Attendees can also speak to the related standards, OpenID Connect & FAPI. The only requirement to participate in the WG conversation is to sign the IPR contribution agreement, since we are an open standards body. Since you are working on open
standards as well that should not be any impediment. <a href="https://openid.net/wg/ekyc-ida/" target="_blank">
https://openid.net/wg/ekyc-ida/</a><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">As a personal note, I have thought that the standards underway in OIDF (and separately those on mobile driving licenses in ISO18013-5) could help achieve compliance
& conformance to CCPA & GDPR, and partnership with your group could help accelerate that timetable.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">Just let me know if you prefer a “side huddle” pre or post the eKYC WG conversation, I’m happy to help organize.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">Gail
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Openid-specs-ekyc-ida <<a href="mailto:openid-specs-ekyc-ida-bounces@lists.openid.net" target="_blank">openid-specs-ekyc-ida-bounces@lists.openid.net</a>> on behalf of Mark Haine via Openid-specs-ekyc-ida
<<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>><br>
<b>Reply-To: </b>OpenID eKYC Identity Assurance Working Group <<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>><br>
<b>Date: </b>Monday, October 4, 2021 at 2:39 AM<br>
<b>To: </b>Dazza Greenwood <<a href="mailto:dazza.greenwood.consultant@consumer.org" target="_blank">dazza.greenwood.consultant@consumer.org</a>>, Ryan Rix <<a href="mailto:ryan.rix.consultant@consumer.org" target="_blank">ryan.rix.consultant@consumer.org</a>>,
Marc Llahona <<a href="mailto:marc@datagrail.io" target="_blank">marc@datagrail.io</a>>, John Gronberg <<a href="mailto:gronberg@datagrail.io" target="_blank">gronberg@datagrail.io</a>><br>
<b>Cc: </b>Mark Haine <mark@considrd.consulting>, OpenID eKYC Identity Assurance Working Group <<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>><br>
<b>Subject: </b>Re: [OpenID-Specs-eKYC-IDA] Data Rights Protocol and eKYC</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi John,<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks so much for your mail and for bringing this topic to the group. In the first instance it would be great if you or colleagues could attend one of our working group meetings
and introduce yourselves, you would be very welcome. We are active in finding real world use cases to test the base hypothesis of our work and it sounds like this is one that we haven’t imagined as yet.
<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I personally find this use case really interesting and have done a little thinking around something that might be quite similar and looks to address the lack of a standardised interface
for Data Subject Requests although I hadn’t got to the point of specifying an interface.<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">With regards to your questions I shall have a go but these are not authoritative answers from the WG! I also hope that I have understood your questions well enough.<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">1 – trust model – The OIDF focusses on tools not rules and as such we do not attend to the trust model side of things as that is in the policy domain rather than the technology
domain. We have a partner organisation called the Open Identity Exchange that has been working on a definition of the component parts of a trust framework that you may find quite useful.<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">2 – Workflow for claims – I am not sure I understand this question properly but we do have an open issue that relates to how the spec might be able to handle requests for claims
that need to be established through a more time-consuming process than claims that are readily available to the PIP.<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">3 – API Authorisation – I expect so<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">4 – other concerns – Have you looked at the security profile work coming out of the FAPI working group? We would encourage use of FAPI to mitigate security risks when using OIDC
for IDA with any sensitive information or PII.<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Mark Haine<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="color:black">OpenID Foundation eKYC & IDA Working Group Co-chair</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="color:black"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="color:black">+44 (0) 777 555 0344 | <a href="mailto:mark@considrd.consulting" target="_blank" title="mailto:mark@considrd.consulting"><span style="color:#0563C1">mark@considrd.consulting</span></a> | <a href="https://www.considrd.consulting/" target="_blank"><span style="color:#0563C1">considrd.consulting</span></a> | </span><span style="color:black">30
The Grange, Irvine. KA11 2EU</span><span lang="EN-US"><o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Openid-specs-ekyc-ida <<a href="mailto:openid-specs-ekyc-ida-bounces@lists.openid.net" target="_blank">openid-specs-ekyc-ida-bounces@lists.openid.net</a>> on behalf of John Gronberg via Openid-specs-ekyc-ida
<<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>><br>
<b>Reply to: </b>OpenID eKYC Identity Assurance Working Group <<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>><br>
<b>Date: </b>Friday, 1 October 2021 at 19:28<br>
<b>To: </b>"<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>" <<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>>, Dazza Greenwood
<<a href="mailto:dazza.greenwood.consultant@consumer.org" target="_blank">dazza.greenwood.consultant@consumer.org</a>>, Ryan Rix <<a href="mailto:ryan.rix.consultant@consumer.org" target="_blank">ryan.rix.consultant@consumer.org</a>>, Marc Llahona <<a href="mailto:marc@datagrail.io" target="_blank">marc@datagrail.io</a>><br>
<b>Cc: </b>John Gronberg <<a href="mailto:gronberg@datagrail.io" target="_blank">gronberg@datagrail.io</a>><br>
<b>Subject: </b>[OpenID-Specs-eKYC-IDA] Data Rights Protocol and eKYC</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">Hello eKYC WG,</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">I'm part of a consortium of privacy infrastructure and technology businesses working to create an open standard for Data Subject Rights (DSR) Requests for businesses under the jurisdiction of
the CCPA. You can read a little bit more about the protocol here: </span><a href="http://datarightsprotocol.org" target="_blank"><span style="font-family:"Arial",sans-serif">http://datarightsprotocol.org</span></a><span style="font-family:"Arial",sans-serif"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p style="margin:0cm"><i><span style="font-family:"Arial",sans-serif">"This specification defines a web protocol encoding a set of standardized request/response data flows such that End-Users can exercise Personal Data Rights provided under regulations like
the California Consumer Privacy Act, General Data Protection Regulation, and other regulatory or voluntary bases, and receive affirmative responses in standardized formats.</span></i><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p style="margin:0cm"><i><span style="font-family:"Arial",sans-serif">We aim to make the data rights protocol integrable with an ecosystem of data rights middlewares, agent services, automation tool kits, and privacy-respecting businesses which empower and
build trust with consumers while driving the cost of compliance towards zero."</span></i><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">We believe that the eKYC extension to OIDC would be a good fit for our use case. I will lay out the scenario below.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">These are the relevant entities:</span><span lang="EN-US"><o:p></o:p></span></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoNormal" style="margin-top:10.0pt;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">a <b>data subject</b>: A natural person about whom a controller holds personal data and who can be identified, directly or indirectly, by reference to that personal data</span><span lang="EN-US"><o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">an <b>authorized agent</b>: A third party designated by a Consumer to perform Data Subject Requests on their behalf. This would be like a user agent/app.</span><span lang="EN-US"><o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">a <b>Privacy Infrastructure Provider (PIP)</b>: a technology solution that can orchestrate a DSR request for a business. </span><span lang="EN-US"><o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:10.0pt;mso-list:l0 level1 lfo1;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<b><span style="font-family:"Arial",sans-serif">a covered business</span></b><span style="font-family:"Arial",sans-serif">: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means
of the processing of personal data and is subject to the CCPA.</span><span lang="EN-US"><o:p></o:p></span></li></ul>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">A data subject will initiate one or more data subject requests through an authorized agent. The authorized agent will create these requests with one or more covered businesses. The covered business
will have certain requirements in place for establishing the identity of the data subject. Once the requirements are met, the businesses will process the rights requests (for erasure, access, etc.) based on their internal processes, or the PIP will do so on
behalf of the covered business. Upon completion of the internal processes, the results of the rights request will be returned to the authorized agent for delivery to the data subject. </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">We're trying to answer the following questions:</span><span lang="EN-US"><o:p></o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoNormal" style="margin-top:10.0pt;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">Identity claims could be supplied by the authorized agent or the PIP/covered business. What is the proper trust model and how can we establish confidence in the claims? </span><span lang="EN-US"><o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">The PIP/covered business may need to get identity claims that the authorized agent does not yet have (for instance, if the covered business is an ecommerce company it may want to know the date of the last order placed
by the data subject). What is the right model for us to establish such claims?</span><span lang="EN-US"><o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">Presumably, for the API authorization that would go along with the identity claims, we would be able to use the standard OIDC flow with the PIP/covered business acting as the authorization server and the authorized
agent acting as a user agent, correct?</span><span lang="EN-US"><o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:10.0pt;mso-list:l1 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal">
<span style="font-family:"Arial",sans-serif">Do you have any concerns or other questions as we figure out how to meet our DSR use cases with OIDC? </span><span lang="EN-US"><o:p></o:p></span></li></ol>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">We've put together a few explanatory diagrams in
</span><a href="https://github.com/consumer-reports-digital-lab/data-rights-protocol/blob/main/files/eKYC-WG-feedback.pdf" target="_blank"><span style="font-family:"Arial",sans-serif">this document</span></a><span style="font-family:"Arial",sans-serif"> for
further explanation. </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">We're looking forward to your input! I will be unavailable via email for the next week, but will respond to comments upon my return.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">Cheers,</span><span lang="EN-US"><o:p></o:p></span></p>
<p style="margin:0cm"><span style="font-family:"Arial",sans-serif">John</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</body>
</html>