<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:18.0pt;
font-family:"Aptos",sans-serif;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Aptos",sans-serif;
mso-ligatures:none;
mso-fareast-language:EN-GB;
font-weight:bold;}
.MsoChpDefault
{mso-style-type:export-only;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="en-DE" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">in <a href="https://github.com/camaraproject/IdentityAndConsentManagement/">
Camara</a> there is agreement that we need something like the purpose parameter that was removed from ekyc-ida with this issue.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt"><a href="https://bitbucket.org/openid/ekyc-ida/issues/1386/move-transaction-specific-purpose-out-of"><span lang="EN-US">https://bitbucket.org/openid/ekyc-ida/issues/1386/move-transaction-specific-purpose-out-of</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">We referenced the section from the ekyc-ida spec on the purpose parameter and wanted to use it.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"><a href="https://github.com/AxelNennker/IdentityAndConsentManagement/blob/camara_oidc_profile/documentation/CAMARA-Security-Interoperability.md#purpose">https://github.com/AxelNennker/IdentityAndConsentManagement/blob/camara_oidc_profile/documentation/CAMARA-Security-Interoperability.md#purpose</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"><o:p> </o:p></span></p>
<h2>Purpose<o:p></o:p></h2>
<p>A transaction specific request parameter purpose as specified in <a href="https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-transaction-specific-purpos">
openid-connect-4-identity-assurance-1_0-13</a> MUST be used to allow a SP to state the purpose for the transfer of End-User data it is asking for. The purpose string MUST use the format below for interoperability<o:p></o:p></p>
<p><code><span style="font-size:10.0pt">dpv:&lt;dpvValue&gt;</span></code><o:p></o:p></p>
<p><code><span style="font-size:10.0pt">&lt;dpvValue&gt;</span></code> is coming from the <a href="https://w3c.github.io/dpv/dpv/#vocab-purpose">
W3C DPV purpose definition</a><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Then, later, we discovered that ekyc-ida removed that parameter definition from the ekyc-ida protocol, bummer.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We found that <a id="OWAAMF8D59EE6245B57489DB23AC2C8456186" href="mailto:dima@postnikov.net">
<span style="font-family:"Aptos",sans-serif;text-decoration:none">@dima@postnikov.net</span></a> started writing a new Internet Draft for "purpose" in Oauth2.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><a href="https://cdn.connectid.com.au/specifications/oauth2-purpose-01.html#name-transaction-specific-purpos">https://cdn.connectid.com.au/specifications/oauth2-purpose-01.html#name-transaction-specific-purpos</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Deutsche Telekom would support that draft. Other Camara members as well, probably.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We, DT, are willing to contribute to the new draft.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In Camara we envisioned that the value of the purpose parameter is ONE from the W3C DPV purpose definition.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We think that the value should not be a string provided by the client but from a fixed list, and that the AZ then shows the end user a text that matches the user's and the AZ/RP's legislation/jurisdiction for
that purpose.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">An end user might give their consent to a location-service for the purpose of account takeover protection but not for some other purpose.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A mobile banking app might ask for consent for a location-service, that helps the user find the nearest ATM, but the user does give their consent for this convenience function.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A mobile banking app might ask for consent for a location-service, that validates that the user's mobile phone is in the vicinity of the ATM the user is withdrawing money from – and the end user is willing
to get that protection.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Or the client might have a <a href="https://w3c.github.io/dpv/dpv/#LegitimateInterest">
legitimate-interest</a> in using some API like location-service or sim-swap.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The removed ekyc-ida purpose parameter sounds like the CIBA binding_message parameter.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><a href="https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request">https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Camara also discussed tweaking purpose into scopes, but that did not turn out well. Mainly, I think, because technical scopes have very little relationship with legislation/jurisdiction.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Could you please provide some context on why ekyc-ida removed the purpose parameter?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">And, is there initial feedback from IETF Oauth2 WG on the new draft?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Kind regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Axel<o:p></o:p></span></p>
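<p class="MsoNormal"><span style="font-size:11.0pt">Added example (not code from the mail, from Camara, ekyc-ida or the connectid draft): how an authorization server could enforce the design sketched above, i.e. accept only a <code>dpv:&lt;dpvValue&gt;</code> purpose from a fixed list rather than client-supplied free text, and then pick the consent wording for the end user's jurisdiction. The purpose names, the jurisdiction codes and the consent texts are constructed placeholders chosen for this example, not a verified excerpt of the W3C DPV vocabulary; the function names are likewise assumptions.</span></p>

```python
import re
from typing import Dict, Optional, Tuple

# Constructed allowlist in the shape of W3C DPV purpose identifiers (dpv:<dpvValue>).
# The names are illustrative placeholders for this example, not a verified copy of DPV.
ALLOWED_DPV_PURPOSES = frozenset({
    "FraudPreventionAndDetection",
    "ServiceProvision",
    "Marketing",
})

# Constructed consent texts keyed by (purpose, jurisdiction). In a real deployment the
# authorization server (AZ) would hold legally reviewed wording per jurisdiction.
CONSENT_TEXTS: Dict[Tuple[str, str], str] = {
    ("FraudPreventionAndDetection", "DE"): "The app checks your location to protect your account (DE wording).",
    ("FraudPreventionAndDetection", "GB"): "The app checks your location to prevent fraud.",
    ("ServiceProvision", "GB"): "The app uses your location to provide the service you asked for.",
}

# Only the fixed-format form is accepted; anything else (free text, missing prefix) fails.
PURPOSE_RE = re.compile(r"^dpv:([A-Za-z][A-Za-z0-9]*)$")


def parse_purpose(value: str) -> Optional[str]:
    """Return the DPV concept name when `value` is a well-formed dpv:<dpvValue> string
    whose concept is on the fixed list; None otherwise. The client never gets to
    supply the wording shown to the end user, only the identifier."""
    match = PURPOSE_RE.match(value)
    if not match:
        return None
    concept = match.group(1)
    return concept if concept in ALLOWED_DPV_PURPOSES else None


def consent_text(concept: str, jurisdiction: str) -> Optional[str]:
    """Look up the text the AZ shows for this purpose in the given jurisdiction."""
    return CONSENT_TEXTS.get((concept, jurisdiction))


def evaluate_authorization_request(params: Dict[str, str], jurisdiction: str) -> Dict[str, str]:
    """Decide what the AZ does with the `purpose` parameter of one authorization request.

    Returns an OAuth-style error object when the value is unusable; otherwise the
    accepted purpose and the jurisdiction-specific text for the consent dialog.
    """
    raw = params.get("purpose")
    if raw is None:
        return {"error": "invalid_request", "error_description": "purpose is required"}
    concept = parse_purpose(raw)
    if concept is None:
        return {"error": "invalid_request",
                "error_description": "purpose must be dpv:<dpvValue> from the fixed list"}
    text = consent_text(concept, jurisdiction)
    if text is None:
        # Refuse rather than fall back to client text: no approved wording exists here.
        return {"error": "invalid_request",
                "error_description": f"no consent text for {concept} in {jurisdiction}"}
    return {"purpose": concept, "consent_text": text}


if __name__ == "__main__":
    # Constructed requests: the first mirrors the ATM-vicinity check from the mail,
    # the second is client free text that must be rejected.
    for request in (
        {"scope": "openid location-verification", "purpose": "dpv:FraudPreventionAndDetection"},
        {"scope": "openid location-verification", "purpose": "dpv:protect the user's account"},
    ):
        print(request["purpose"], "->", evaluate_authorization_request(request, "GB"))
```

<p class="MsoNormal"><span style="font-size:11.0pt">The point of the two lookups is that the identifier travels in the protocol while the wording stays under the AZ's control: a client cannot relabel an account-takeover-protection request as a convenience feature, and a purpose with no approved text for the user's jurisdiction is refused instead of rendered from client input.</span></p>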
</div>
</body>
</html>