<div dir="ltr"><div dir="ltr">I think this could be as simple as defining the RAR request object as...<input name="virtru-metadata" type="hidden" value="{"email-policy":{"disableCopyPaste":false,"disablePrint":false,"disableForwarding":false,"enableNoauth":false,"expandedWatermarking":false,"expires":false,"sms":false,"expirationNum":1,"expirationUnit":"days","isManaged":false,"persistentProtection":false},"attachments":{},"compose-id":"5","compose-window":{"secure":false}}"><div><br></div><div>[</div><div> {</div><div> "type": "transaction_purpose",</div><div> "dpv": "<dpvValue>"</div><div> }</div><div>]</div><div><br></div><div>Thanks,<br>George</div></div><br><div class="gmail_quote" style=""><div dir="ltr" class="gmail_attr">On Wed, Apr 24, 2024 at 2:25 PM George Fletcher <<a href="mailto:george.fletcher@capitalone.com">george.fletcher@capitalone.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Is there a reason that <a href="https://datatracker.ietf.org/doc/html/rfc9396" target="_blank">RFC 9396</a> can not be used for this purpose (pun intended)? This is exactly why RAR was created to allow for this additional detail to be provided. There is provision to return additional "RAR" data in the response. I'm sure this was already discussed so if you can point me to that thread I would really appreciate it.<div><br></div><div>Thanks,</div><div>George</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 24, 2024 at 2:20 PM Axel.Nennker--- via Openid-specs-ekyc-ida <<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="en-DE">
<div>
<p class="MsoNormal"><span style="font-size:11pt">Bjorn,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">In today's ICM meeting the purpose-parameter proposal died.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">We are back to encoding-purpose-in-scope.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">I proposed some new text, that I think is better than the previous 0.1 text on encoding-purpose-in-scope.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">My understanding of the IETF process is that new drafts are send to the mailing list asking the WG to add them as a work item.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Yes, I also remember that messages-for-transactions or purpose-for-transactions was tried before.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">I remember that the last time this was discussed
<a id="m_-3915160659640403374m_-5319366273820782834OWAAM7C7131300E311C4E84E21162EF9A8391" href="mailto:torsten@lodderstedt.net" target="_blank">
<span style="font-family:Aptos,sans-serif;text-decoration:none">@Torsten Lodderstedt</span></a> said that "transactions" are not well enough understood.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">But that was years ago and maybe now we find a the next small step forward that helps.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Let's see what Dima says<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Kind regards<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Axel<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p>
<div id="m_-3915160659640403374m_-5319366273820782834mail-editor-reference-message-container">
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From:
</span></b><span style="font-size:12pt;color:black">Bjorn Hjelm <<a href="mailto:blhjelm@gmail.com" target="_blank">blhjelm@gmail.com</a>><br>
<b>Date: </b>Wednesday, 24. April 2024 at 18:20<br>
<b>To: </b>Nennker, Axel <<a href="mailto:Axel.Nennker@telekom.de" target="_blank">Axel.Nennker@telekom.de</a>>, <a href="mailto:dima@postnikov.net" target="_blank">dima@postnikov.net</a> <<a href="mailto:dima@postnikov.net" target="_blank">dima@postnikov.net</a>><br>
<b>Cc: </b>Padgaonkar, Shilpa <<a href="mailto:Shilpa.Padgaonkar@telekom.de" target="_blank">Shilpa.Padgaonkar@telekom.de</a>>, OpenID eKYC Identity Assurance Working Group <<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>>, Bjorn Hjelm <<a href="mailto:bjorn.hjelm@oidf.org" target="_blank">bjorn.hjelm@oidf.org</a>><br>
<b>Subject: </b>Re: [OpenID-Specs-eKYC-IDA] Move transaction specific purpose out of the main specification<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12pt">Axel,<u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12pt">As noted, Dima has created a draft intended for IETF on purpose based on the discussions in the eKYC-IDA working group. Until introduced, we don't know the feedback from the IETF community on this proposal
but it's my understanding that this isn't the first time this topic has been discussed within IETF. There's also a similar discussion about purpose taking place in the DPC working group worth noting that may impact the approach of a technical specification. <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12pt">As Dima is traveling, I believe he'll add some additional details and insight to this e-mail thread.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12pt">Finally, I would highly encourage CAMARA to take issue to the OpenID Foundation when it relates to parameter usage (as mentioned about tweaking purpose into scopes) to ensure that the OpenID Connect specifications
and profiles are utilized in accordance to its purpose and that the Foundation has offered up the wealth of knowledge that exists within the Foundation to assist CAMARA.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12pt">Kind Regards,<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12pt">Bjorn<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12pt">On Mon, Apr 22, 2024 at 3:35</span><span style="font-size:12pt;font-family:Arial,sans-serif"> </span><span style="font-size:12pt">AM Axel.Nennker--- via Openid-specs-ekyc-ida <<a href="mailto:openid-specs-ekyc-ida@lists.openid.net" target="_blank">openid-specs-ekyc-ida@lists.openid.net</a>>
wrote:<u></u><u></u></span></p>
</div>
<blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">Hi,</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">in
<a href="https://urldefense.com/v3/__https://github.com/camaraproject/IdentityAndConsentManagement/__;!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXkjAsZDU$" target="_blank">
Camara</a> there is agreement that we need something like the purpose parameter that was removed from ekyc-ida with this issue.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11pt"><a href="https://urldefense.com/v3/__https://bitbucket.org/openid/ekyc-ida/issues/1386/move-transaction-specific-purpose-out-of__;!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXiaLHS0T$" target="_blank"><span lang="EN-US">https://bitbucket.org/openid/ekyc-ida/issues/1386/move-transaction-specific-purpose-out-of</span></a></span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">We referenced the section from the ekyc-ida spec on the purpose parameter and wanted to use it.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"><a href="https://urldefense.com/v3/__https://github.com/AxelNennker/IdentityAndConsentManagement/blob/camara_oidc_profile/documentation/CAMARA-Security-Interoperability.md*purpose__;Iw!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXoIajKpK$" target="_blank">https://github.com/AxelNennker/IdentityAndConsentManagement/blob/camara_oidc_profile/documentation/CAMARA-Security-Interoperability.md#purpose</a></span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<h2>Purpose<u></u><u></u></h2>
<p>A transaction specific request parameter purpose as specified in <a href="https://urldefense.com/v3/__https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html*name-transaction-specific-purpos__;Iw!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXtMqmcCP$" target="_blank">
openid-connect-4-identity-assurance-1_0-13</a> MUST be used to allow a SP to state the purpose for the transfer of End-User data it is asking for. The purpose string MUST use below format for interoperability<u></u><u></u></p>
<p><code><span style="font-size:10pt">dpv:<dpvValue></span></code><u></u><u></u></p>
<p><code><span style="font-size:10pt"><dpvValue></span></code> is coming from <a href="https://urldefense.com/v3/__https://w3c.github.io/dpv/dpv/*vocab-purpose__;Iw!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXj6-RYjK$" target="_blank">
W3C DPV purpose definition</a><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11pt">Then, later, we discovered that ekyc-ida removed that parameter definition from the ekyc-ida protocol, bummer.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">We found that
<a href="mailto:dima@postnikov.net" target="_blank"><span style="text-decoration:none">@dima@postnikov.net</span></a> started writing a new Internet Draft for "purpose" in Oauth2.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><a href="https://urldefense.com/v3/__https://cdn.connectid.com.au/specifications/oauth2-purpose-01.html*name-transaction-specific-purpos__;Iw!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXrSelMk-$" target="_blank">https://cdn.connectid.com.au/specifications/oauth2-purpose-01.html#name-transaction-specific-purpos</a></span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Deutsche Telekom would support that draft. Other Camara member as well, probably.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">We, DT, are willing to contribute to the new draft.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">In Camara we envisioned that the value of the purpose parameter is ONE from the W3C DPV purpose definition.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">We think that the value should not be a string provided by the client but from a fixed list an that the AZ then shows the end user a text that matches
the user's and the AZ/RP's legislation/jurisdiction for that purpose.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">An end user might give their consent to a location-service for the purpose of account takeover protection but not for some other purpose.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">A mobile banking app might ask for consent for a location-service, that helps the user find the nearest ATM, but the user does give their consent
for this convenience function.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">A mobile banking app might ask for consent for a location-service, that validates that the user's mobile phone is in the vincinity of the ATM the
user is withdrawing money from – and the end user is willing to get that protection.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Or the client might have a
<a href="https://urldefense.com/v3/__https://w3c.github.io/dpv/dpv/*LegitimateInterest__;Iw!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXv-OIqBq$" target="_blank">legitimate-interest</a> in using some API like location-service or sim-swap.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">The removed ekyc-ida purpose parameter sounds like the CIBA binding_message parameter.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"><a href="https://urldefense.com/v3/__https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html*auth_request__;Iw!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXpU9xw3r$" target="_blank">https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request</a></span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Camara also discussed tweaking purpose into scopes, but that did not turn out well. Mainly, I think, because technical scopes have very little relationship
with legislation/jurisdiction.</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Could you please provide some context on why ekyc-ida removed the purpose parameter?</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">And, is there initial feedback from IETF Oauth2 WG on the new draft?</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Kind regards</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Axel</span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><span style="font-size:12pt"><u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12pt">-- <br>
Openid-specs-ekyc-ida mailing list<br>
<a href="mailto:Openid-specs-ekyc-ida@lists.openid.net" target="_blank">Openid-specs-ekyc-ida@lists.openid.net</a><br>
<a href="https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida__;!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXuvTgGcl$" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida</a><u></u><u></u></span></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><span style="font-size:12pt"><br clear="all">
<u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12pt"><u></u> <u></u></span></p>
</div>
<p class="MsoNormal"><span><span style="font-size:12pt">--
</span></span><span style="font-size:12pt"><u></u><u></u></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12pt">Kind Regards,<u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12pt">Bjorn<u></u><u></u></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
-- <br>
Openid-specs-ekyc-ida mailing list<br>
<a href="mailto:Openid-specs-ekyc-ida@lists.openid.net" target="_blank">Openid-specs-ekyc-ida@lists.openid.net</a><br>
<a href="https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida__;!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXuvTgGcl$" rel="noreferrer" target="_blank">https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida__;!!FrPt2g6CO4Wadw!IwQ7eGC6nAUfNRqZ3Vs7XTYq-vkHNtj5Q0IHE7chNKN0yPQQZHLFlDM4Bvn1SfM1bXHRj-jDnJBuUbn1b45lnaOidliy6orgXuvTgGcl$</a> <br>
</div></blockquote></div></div>
</blockquote></div></div>
<HR><table border="0" cellspacing="0" cellpadding="0" width="100%" height="30"><BR>
<tr><BR>
<font color="#404040">The information contained in this e-mail may be confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.</font></td><BR>
</tr><BR>
</table><BR>