[ID4me Governance] ID4me verified identities framework

Matthias Pfeifer | dotBERLIN GmbH & Co. KG pfeifer at dot.berlin
Tue Aug 27 13:16:00 UTC 2019


> > Il 23 agosto 2019 15:09 Marcos Sanz <sanz at denic.de> ha scritto:
> >
> > thank you very much for the paper.
> Thanks for the review!
> > - A conceptual one: the paper leaves optional the existence of a data
> > authority for verified identities (cf "Optionally, a verified identity
> > can also be associated to a data authority"). That would be for
> > example the case if the identity agent itself is performing the identity
> > verification.
> > However, I think it'd be easier to have it framed this way: for
> > verified identities there *always* exists a data authority; it's a
> > decision of the agent if it wants to play that role themselves or
> > delegate it to someone else. What do you think?
> It's a matter of definitions, but indeed if an identity is "verified" then there
> must be someone who has verified it, so we could argue that the data
> authority exists in all cases and sometimes it is just collapsed onto the agent
> (it's actually the symbolism I used in the accompanying presentation).
> This could also depend on the implementation in the protocol; for example, if
> we decide that you can tell that an identity is verified by the fact that it
> includes one or more "data authority" claims, then we will require the agent
> to add itself separately into the token as the data authority. On the other
> hand, if we envisage verified identities that have no "data authority"
> indication, but just an additional "level of assurance" claim, which implicitly
> means that the agent is the party that verified it, then we could have verified
> identities without an explicit data authority.

[>] When we decide that the "data authority" claim has to be there, would it not be easier in the future to change
the provider? And in general I think that having just one way to do it looks a bit more straightforward and would minimize complexity (at least for the specs). What do you think?

> > - A technical one, about the entity "certification authority": is that
> > specifically an X.509 PKI CA as we know it?
> No, actually the idea was more of "certifications" in ISO 9001/14001 style, i.e.
> someone validates who you are and your operating procedures and gives
> you a badge that certifies that you adhere to certain organizational
> standards. I think that the business people that suggested the term had that
> meaning in mind, but I see why it might confuse engineers (especially the
> web people) so we should look for a different term... accreditation
> authority? auditing entity? something like that.
> It's also true that, to make that digital badge automatically verifiable by
> relying parties, and unless someone has better ideas, we have to set up a
> chain of trust of (X.509?) certificates, so that a relying party can verify that
> the badge is signed by someone who has been authorized by the trust
> anchor of the federation. In that sense, however, the root certification
> authority would be the federation's anchor, not the "certification authority".
> > - A nit: If I get the meaning right, in page 5 it says "the relying
> > party will then refer to the data authority" but it should say "the
> > relying party will then be referred to the data authority". Is that correct?
> Yes, I think you got the meaning, we will fix the English.
> Ciao,
> --
>  Vittorio Bertola
> Head of Policy & Innovation

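As an added illustration of the two token designs Vittorio sketches above (verified-ness signalled by one or more "data authority" claims, versus a bare "level of assurance" claim that implies the agent did the verification), here is a relying-party-side resolver. This is example code written for this thread, not ID4me code; the claim names `data_authority` and `loa`, the sample tokens, and the agent URL `https://agent.example` are all assumptions. It also shows what Matthias's point looks like in practice: under the explicit design, a relying party can swap its trusted data authority without any change to how it detects a verified identity.

```python
from dataclasses import dataclass

# Constructed sample ID token payloads for a hypothetical agent "https://agent.example";
# none of these come from a real ID4me deployment. Claim names are assumptions.
SAMPLE_TOKENS = {
    "explicit_external": {"iss": "https://agent.example", "sub": "alice",
                          "data_authority": ["https://kyc.example"]},
    "explicit_self":     {"iss": "https://agent.example", "sub": "bob",
                          "data_authority": ["https://agent.example"]},
    "implicit_loa":      {"iss": "https://agent.example", "sub": "carol", "loa": 2},
    "unverified":        {"iss": "https://agent.example", "sub": "dave"},
}


@dataclass(frozen=True)
class Resolution:
    verified: bool
    authorities: tuple   # parties vouching for the identity data; empty if unverified
    reason: str


def _authorities_claim(claims):
    """Return the assumed 'data_authority' claim as a tuple of URLs, or None if absent.

    A present-but-malformed claim is rejected rather than ignored: a relying party
    must not treat a garbled vouching statement as "no statement"."""
    value = claims.get("data_authority")
    if value is None:
        return None
    if (not isinstance(value, list) or not value
            or not all(isinstance(v, str) and v for v in value)):
        raise ValueError("data_authority must be a non-empty list of non-empty strings")
    return tuple(value)


def resolve_data_authority(claims, design):
    """Decide whether the token carries a verified identity and who verified it.

    design == "explicit": verified iff 'data_authority' is present, so an agent that
        verified the data itself must list itself (the "collapsed" case from the thread).
    design == "implicit": an explicit 'data_authority' still wins if present; otherwise
        an assumed 'loa' claim alone means the issuer (the agent) is the data authority.
    """
    authorities = _authorities_claim(claims)
    if design == "explicit":
        if authorities is None:
            return Resolution(False, (), "no data_authority claim")
        return Resolution(True, authorities, "explicit data_authority claim")
    if design == "implicit":
        if authorities is not None:
            return Resolution(True, authorities, "explicit data_authority claim")
        if "loa" in claims:
            return Resolution(True, (claims["iss"],),
                              "loa present; issuer is the implied data authority")
        return Resolution(False, (), "neither loa nor data_authority claim")
    raise ValueError(f"unknown design: {design}")


def relying_party_accepts(claims, design, trusted_authorities):
    """Relying-party policy: accept a verified identity only if at least one of its
    data authorities is on the relying party's own trust list."""
    res = resolve_data_authority(claims, design)
    return res.verified and any(a in trusted_authorities for a in res.authorities)


if __name__ == "__main__":
    trusted = {"https://kyc.example"}   # constructed trust list for the demo
    for name, tok in SAMPLE_TOKENS.items():
        for design in ("explicit", "implicit"):
            r = resolve_data_authority(tok, design)
            ok = relying_party_accepts(tok, design, trusted)
            print(f"{name:18} {design:8} verified={r.verified} "
                  f"authorities={r.authorities} accepted={ok}")
```

The point of the `relying_party_accepts` policy is that the relying party, not the agent, ultimately decides which data authorities it trusts; a token that is "verified" only by the agent itself is accepted only if the agent is on that list. Malformed `data_authority` claims are treated as an error rather than as "unverified", so that a broken or tampered claim cannot silently downgrade to a softer path.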