[ID4me Governance] ID4me verified identities framework
vittorio.bertola at open-xchange.com
Fri Aug 23 14:33:36 UTC 2019
> On 23 August 2019 15:09 Marcos Sanz <sanz at denic.de> wrote:
> thank you very much for the paper.
Thanks for the review!
> - A conceptual one: the paper leaves optional the existence of a data
> authority for verified identities (cf "Optionally, a verified identity can
> also be associated to a data authority"). That would be for example the
> case if the identity agent itself is performing the identity verification.
> However, I think it'd be easier to have it framed this way: for verified
> identities there *always* exists a data authority; it's a decision of the
> agent whether it wants to play that role itself or delegate it to someone
> else. What do you think?
It's a matter of definitions, but indeed if an identity is "verified" then there must be someone who has verified it, so we could argue that the data authority exists in all cases and sometimes it is just collapsed onto the agent (it's actually the symbolism I used in the accompanying presentation).
This could also depend on the implementation in the protocol; for example, if we decide that you can tell that an identity is verified by the fact that it includes one or more "data authority" claims, then we will require the agent to add itself separately into the token as the data authority. On the other hand, if we envisage verified identities that have no "data authority" indication, but just an additional "level of assurance" claim, which implicitly means that the agent is the party that verified it, then we could have verified identities without an explicit data authority.
> - A technical one, about the entity "certification authority": is that
> specifically an X.509 PKI CA as we know it?
No, actually the idea was more of "certifications" in ISO 9001/14001 style, i.e. someone validates who you are and your operating procedures and gives you a badge that certifies that you adhere to certain organizational standards. I think that the business people that suggested the term had that meaning in mind, but I see why it might confuse engineers (especially the web people) so we should look for a different term... accreditation authority? auditing entity? something like that.
It's also true that, to make that digital badge automatically verifiable by relying parties, and unless someone has better ideas, we have to set up a chain of trust of (X.509?) certificates, so that a relying party can verify that the badge is signed by someone who has been authorized by the trust anchor of the federation. In that sense, however, the root certification authority would be the federation's anchor, not the "certification authority".
> - A nit: If I get the meaning right, in page 5 it says "the relying party
> will then refer to the data authority" but it should say "the relying
> party will then be referred to the data authority". Is that correct?
Yes, I think you got the meaning; we will fix the English.
Head of Policy & Innovation
Cell: +39 348 7015022
Direct Chat: vittorio.bertola (https://chat.open-xchange.com/direct/vittorio.bertola)
Email: vittorio.bertola at open-xchange.com
Twitter: @openexchange (http://twitter.com/openexchange) - Facebook: OpenXchange (https://www.facebook.com/OpenXchange) - Web: www.open-xchange.com (http://www.open-xchange.com)
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Michael Knapstein, Stephan Martin
Chairman of the Board: Richard Seibt
Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718
Managing Director: Frank Hoberg
Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA
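The reply above sketches two ways a relying party could tell that an ID4me identity is verified: an explicit "data authority" claim in the token (with the agent adding itself when it did the verification), or only a "level of assurance" claim, in which case the issuing agent is the implicit data authority. The following is an added example, not code from the thread or from the ID4me project, showing how a relying party's policy check would behave under each design and how it rejects the malformed cases in between. The claim names `iss`, `data_authorities` and `loa` and the sample tokens are assumptions constructed for illustration; the message fixes no claim names.

```python
"""Relying-party policy check for "verified identity" claims in an ID4me-style
ID token. Added example; claim names (`iss`, `data_authorities`, `loa`) and the
sample tokens below are assumptions, not part of the ID4me specification."""

from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class VerificationResult:
    verified: bool
    data_authorities: Tuple[str, ...]  # the parties that vouch for the identity
    reason: str


def check_verified_identity(claims: dict, min_loa: int = 1) -> VerificationResult:
    """Decide whether the identity described by `claims` counts as verified.

    Design A (explicit): the token carries one or more data-authority entries;
    the identity is verified iff that list is present and non-empty. An agent
    that verified the identity itself is expected to list itself.

    Design B (implicit): no data-authority claim, only a level-of-assurance
    claim; the token issuer (the agent) is then the collapsed data authority.
    """
    issuer = claims.get("iss")
    if not isinstance(issuer, str) or not issuer:
        return VerificationResult(False, (), "token has no issuer")

    authorities = claims.get("data_authorities")
    if authorities is not None:
        # Design A. Malformed or empty lists never count as "verified".
        well_formed = isinstance(authorities, list) and all(
            isinstance(a, str) and a for a in authorities
        )
        if not well_formed:
            return VerificationResult(False, (), "malformed data_authorities claim")
        if not authorities:
            return VerificationResult(False, (), "empty data_authorities claim")
        return VerificationResult(True, tuple(authorities), "explicit data authority")

    loa = claims.get("loa")
    if loa is None:
        return VerificationResult(False, (), "no data authority and no level of assurance")
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(loa, bool) or not isinstance(loa, int) or loa < min_loa:
        return VerificationResult(False, (), f"level of assurance below {min_loa}")
    # Design B: the issuing agent is the implicit data authority.
    return VerificationResult(True, (issuer,), "implicit data authority (issuer)")


# Constructed sample tokens (decoded claim sets), one per case discussed above.
SAMPLE_TOKENS = {
    "delegated": {"iss": "https://agent.example", "data_authorities": ["https://bank.example"]},
    "agent_self_listed": {"iss": "https://agent.example", "data_authorities": ["https://agent.example"]},
    "implicit_loa": {"iss": "https://agent.example", "loa": 2},
    "empty_list": {"iss": "https://agent.example", "data_authorities": []},
    "unverified": {"iss": "https://agent.example"},
}


if __name__ == "__main__":
    for name, token in SAMPLE_TOKENS.items():
        result = check_verified_identity(token)
        print(f"{name:18} verified={result.verified!s:5} by={result.data_authorities} ({result.reason})")
```

The check deliberately treats "claim present but empty" as not verified rather than falling back to the level-of-assurance rule, so an agent cannot produce a token that reads as verified under one interpretation and unverified under the other.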