[Openid-specs-igov] iGov Profile - suggestions for User Identifiers and Claim History

Adam Cooper adam.cooper at digital.cabinet-office.gov.uk
Sat Aug 27 14:01:40 UTC 2016


Hi all,

As a follow-up to this week's call, I had a couple of actions for suggestions
to add to the profile based on UK and EU government backed identity
schemes.

*User Identifiers*

In the profile we currently have the following sub values defined as part of
the ID Token:

sub

The identifier of the user. SHOULD be a pairwise anonymous identifier, and
be unique per client to prevent linkability and traceability between
clients.



Based on the eIDAS interoperability specifications (which cover 28 EU
member states including, for now, the UK), I would suggest that we provide
the following additional guidance for providers when creating "sub" values:

As a baseline requirement the "sub" identifier value should not include
elements that directly identify the Principal i.e. the user. This follows
the requirement for a persistent name identifier in other international
identity standards such that persistent identifiers MUST be constructed
using pseudo-random values that have no discernible correspondence with the
subject's actual identifier (for example, username).

Hashing of "sub" identifier values is permitted although this is not
mandated by this profile.

The "sub" identifier value MUST NOT contain any whitespace. It is
recommended that the "sub" identifier value is at least 32 characters in
length.


Optionally we may also wish to include some guidance about the stability of
uniqueness identifiers:

The Uniqueness Identifier represented by the "sub" (subject) claim value
shall remain unchanged for the lifetime of the identity account (as created
by the underlying identity scheme). A Uniqueness Identifier shall never be
reused, e.g. a new Uniqueness Identifier shall not match a Uniqueness
Identifier that has been deleted.

Any service that consumes assertions of identity must assume that the
Uniqueness Identifier presented for a particular person (natural or legal)
may change over time e.g. where the user’s digital identity is replaced or
repaired. This should be handled by a consuming service using the same
matching process as used when an identity is first encountered utilising
the set of identity attributes used to identify the Principal (i.e. user)
within the service.



*Claim History*

Where available, previous name, address and date of birth claim values may
be provided by the UserInfo Endpoint. These additional historic claim
values, where available, should be provided to increase the possibility of
a successful match to a government "account" where the user has changed
personal details recently or visits the digital service being accessed
infrequently.


Cheers,

A


-- 
Adam Cooper
Identity Assurance Programme
Government Digital Service
125 Kingsway, London, WC2B 6NH

Tel: 07973 123 038
official: adam.cooper at digital.cabinet-office.gov.uk
official sensitive: adam.cooper at govdigital.gsi.gov.uk
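Added example (my own, not from the iGov profile, the eIDAS specifications or the OpenID specs): a provider-side pairwise "sub" derivation that satisfies the baseline requirements proposed above, a check for the whitespace, length and no-direct-correspondence rules, and the relying-party fallback for a changed sub that re-matches on identity attributes including historic name claims. The sector identifier, the salt and the `previous_names` UserInfo shape are assumptions; the profile names no such claim.

```python
import base64
import hashlib
import hmac
import re

# Constructed provider-side secret; a real IdP would keep this in an HSM or KMS.
PROVIDER_SALT = b"constructed-example-salt-do-not-reuse"


def pairwise_sub(local_account_id, sector_identifier, salt=PROVIDER_SALT):
    """Per-client pairwise sub: HMAC-SHA256 over (sector, local id), keyed with a
    provider secret. Pseudo-random, unlinkable across sectors, stable per pair."""
    msg = sector_identifier.encode() + b"\x00" + local_account_id.encode()
    mac = hmac.new(salt, msg, hashlib.sha256).digest()
    # base64url without padding: 43 characters, no whitespace
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def sub_problems(sub, local_account_id):
    """Baseline-requirement violations for a candidate sub (empty list = OK)."""
    problems = []
    if re.search(r"\s", sub):
        problems.append("contains whitespace")
    if len(sub) < 32:
        problems.append("shorter than 32 characters")
    if local_account_id.lower() in sub.lower():
        problems.append("directly identifies the Principal")
    return problems


def resolve_account(sub, claims, accounts):
    """RP-side lookup: match on sub first; if unknown, fall back to the identity
    attributes (current and historic names + birthdate) and re-bind the new sub.
    'previous_names' is an assumed UserInfo shape; the profile names no claim."""
    for account_id, record in accounts.items():
        if sub in record["subs"]:
            return account_id
    keys = {(claims["given_name"], claims["family_name"], claims["birthdate"])}
    for old in claims.get("previous_names", []):
        keys.add((old["given_name"], old["family_name"], claims["birthdate"]))
    for account_id, record in accounts.items():
        if record["identity"] in keys:
            record["subs"].add(sub)  # identity was replaced/repaired: re-bind
            return account_id
    raise LookupError("no matching account; treat as first encounter")
```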