Open faragom opened 3 years ago
So this will be the identity of the link request set by the linking module, but what will the data object Type be? Just now the types supported for dataSets are eIDAS, eduGAIN and eMRTD but we need to specify also the types for the linkRequest.
The SPs should also have a way to be able to explicitly request a linked identity so it should be clear how to handle this. Can it be specified in a seal specific URN e.g. urn:seal:eIDAS:edugain ?
> So this will be the identity of the link request set by the linking module, but what will the data object Type be? Just now the types supported for dataSets are eIDAS, eduGAIN and eMRTD but we need to specify also the types for the linkRequest.
Well, this is an algorithm to transform the content of the LinkRequest object (well, the object represents the request and the result of the linking process) in the dataStore. LinkRequests are a unique type. We allow defining issuers of links to specify which entity is asserting the link.
> The SPs should also have a way to be able to explicitly request a linked identity so it should be clear how to handle this. Can it be specified in a seal specific URN e.g. urn:seal:eIDAS:edugain ?
That's what we were discussing on the e-mail the other day and we finally postponed, if you remember.
Representing a link as an attribute
For the release of the linking information, we need a text one-line representation of the link between two identities. Unfortunately, it is a complex set of data, involving two identities and a link-level of assurance. We propose a structured URI definition that will uniquely represent the two involved identities, the link issuer and the asserted level of assurance of the link. These are the needed fields to build the link attribute, all extracted from fields of the object in the dataStore:

- LinkIssuerId (linkRequest.issuer): A unique string representing the SEAL module that managed this link issuing and/or the trusted entity that asserted the link. It is set by the module itself.
- LLoA (linkRequest.lloa): The asserted level of certainty of identity A and identity B being the same individual.
- SubjectA (**): Identifier of the individual behind identity A.
- IssuerA (**): Entity, domain, or any hierarchical combination of these where identity A belongs to. Subject + issuer must be universally unique.
- SubjectB (**): Identifier of the individual behind identity B.
- IssuerB (**): Entity, domain, or any hierarchical combination of these where identity B belongs to. Subject + issuer must be universally unique.

** To canonicalise the link objects and to ensure the commutative property of the link (identityA <-> identityB == identityB <-> identityA), a link object will always be built following this algorithm:

The final URI string will be formed as stated below:
Example (plain):
Example (encoded):
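As an added illustration (not SEAL's code; the `urn:seal:link` prefix, the field order and the ordering rule are assumptions, since the thread does not show the actual algorithm or URI layout), this builds the six fields into one line so that A<->B and B<->A serialise identically, and percent-encodes every component so a ':' inside a subject or issuer cannot shift fields when the attribute is parsed back:

```python
from urllib.parse import quote, unquote

# Assumed prefix and field order; the page does not give SEAL's actual URI layout.
PREFIX = "urn:seal:link"
FIELDS = ("linkIssuerId", "lloa", "issuer1", "subject1", "issuer2", "subject2")


def canonical_identities(subject_a, issuer_a, subject_b, issuer_b):
    """Order the two (issuer, subject) pairs lexically so that A<->B and
    B<->A produce the same ordering (assumed canonicalisation rule)."""
    return sorted([(issuer_a, subject_a), (issuer_b, subject_b)])


def build_link_attribute(link_issuer_id, lloa, subject_a, issuer_a, subject_b, issuer_b):
    """Serialise one link as a single-line URI. Every component is encoded with
    no safe characters, so a ':' or '/' inside a value is never a separator."""
    (iss1, sub1), (iss2, sub2) = canonical_identities(subject_a, issuer_a, subject_b, issuer_b)
    components = (link_issuer_id, lloa, iss1, sub1, iss2, sub2)
    if not all(components):
        raise ValueError("every link field must be non-empty")
    return PREFIX + ":" + ":".join(quote(c, safe="") for c in components)


def parse_link_attribute(uri):
    """Inverse of build_link_attribute; rejects input with the wrong field count."""
    if not uri.startswith(PREFIX + ":"):
        raise ValueError("not a link attribute")
    raw = uri[len(PREFIX) + 1:].split(":")
    if len(raw) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(raw)}")
    return dict(zip(FIELDS, (unquote(r) for r in raw)))


# Constructed sample values (not taken from the page).
LINK_AB = build_link_attribute(
    "seal:linking-module", "substantial",
    "ES/ES/12345678A", "urn:eidas:es", "alice@example.edu", "https://idp.example.edu")
LINK_BA = build_link_attribute(
    "seal:linking-module", "substantial",
    "alice@example.edu", "https://idp.example.edu", "ES/ES/12345678A", "urn:eidas:es")

if __name__ == "__main__":
    print(LINK_AB)
    print(LINK_AB == LINK_BA)
```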