Verified Attributes

Monday – Session 4 - F

Convener: Kick Willemse

Notes-taker(s): Chris Obdam

A. Tags for the session - technology discussed/ideas considered: Attribute validation, AX 1.0 (1.1), Defining standard methods/levels of attribute verification, leaving the identity validation to the RP’s. OIX.

• AX - OpenID Attribute Exchange Validate Mode - draft van Google van 24 nov 2009 - http://step2.googlecode.com/svn/spec/attribute_exchange_validate/trunk/openid-attribute-exchange-validate-mode.html

B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Methods of Validation 1. Self Assertion 2. Proof of possesion a. Challenge Response Token i. Email ii. Bankaccount iii. Mobile (SMS) iv. Postal Adress 3. Authentic Register 4. Official Statement a. Face-to-Face b. Passport c. Claim

Can a attribute also be validated by a organization that did not issue the information e.g. can Stanford confirm that I am a Berkeley student?

There is need for 2 things: 1. a addition to AX for the validation information: validator, validation date and validation method/level. A way to check if the validation method is executed in the right way (OIX?)

How do you handle the liability for the correctness of the information.

Follow Up Questions:

• Will AX 1.1 support attribute verification ? • What Attribute schemes will be used? – X500 – HCARD – Soap/XML – -AX-Sreg – Other? • What are suitable attribute verification methods? • Open Identity Exchange OIX <> Open Attribute Exchange?