OpenID Connect for Identity Assurance
Session 6B
Convener: Torsten Lodderstedt, Daniel Fett, Bjorn Hjelm
Notes-taker(s): Bjorn Hjelm
Tags for the session - technology discussed/ideas considered:
Based on a proposal on Identity Proofing with OpenID Connect (https://iiw.idcommons.net/Identity_Proofing_w/Open_ID) presented at IIW 27, the session reviewed the proposed extension of OpenID Connect for providing Relying Parties with verified personal data (in accordance with local/regional regulations and laws) to address use cases of identity verification of a person. The proposed extension can be found at https://openid.net/specs/openid-connect-4-identity-assurance.html.
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Presentation from the session can be found at https://www.slideshare.net/TorstenLodderstedt/openid-connect-for-identity-assurance.
Discussion:
- We discussed what data is required to verify a person’s identity and whether compliance with various regional regulations (eIDAS, NIST SP 800-63, etc.) is required for all data input.
- There are additional (non-PII) attributes (one example given was an AML, or Anti-Money Laundering, level check and other types of watchlists) that may be required for certain use cases.
- We discussed what types of documents and methods could be used to establish a person’s identity, whether an RP (Relying Party) could request the use of a specific method or specific documents, and sample use cases to exemplify the various requirements.
- There was a discussion on whether a level of identity proofing was sufficient (such as IAL1/IAL2/IAL3), conveying how the identity proofing was done, and whether the intent is to convey verified attributes. On the verified attributes, there was a concern that this could get very complex given the various use cases and regional variations.
It was requested that participants post specific input on the draft specification to the OpenID Connect working group (https://openid.net/wg/connect/) mailing list (openid-specs-ab@lists.openid.net).