Open OIDF-automation opened 3 years ago
June 30 call discussed whether we should have a normative text about it in SIOP v.2 etc.
Refer to June 30 notes for more info.
Based on a suggestion by Nat, here are some:
The data provided to the user and to the RP to enable a trust decision. For example:
The recording of the acceptance of the data and the use that is to be made of it. For example, a consent receipt from an RP based on that statement.
There’s a very big challenge hidden/implicit in 1.1 about what the RP states in order for the user to make a trust evaluation.
How do you know who the RP actually is?
Browsers have a UX lock icon and expect users to trust the domain name displayed.
App stores validate the developer name and display it when you choose to install.
Social media sites do their own validation and iconography.
What do we expect wallets to do to prevent phishing?
This is something that is an explicit function of a trust framework (like the AAMVA’s mDL Digital Trust Service), but is there any general solutions outside of vertical specific governance?
The problem statement as defined by Jeremie is actually the one I raised in the discussion about federations spec.
And I think it’s not only applicable to self-issued identities, but same way applicable to cloud-based OPs or Claim Providers (a.k.a. Issuers). Each party in the process shall be able to receive additional information about the other party supporting end-users and its own trust decisions.
Trust framework and governance is one of the main functions of a federation. The current specification only specifies how to express a binary relation: is a member of a federation or not, but not necessarily any qualitative information about the relation (like LoI) which could be digitally verified by the other parties.
Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1255
Original Reporter: tomcjones
The discussion about federation evolved into a discussion about trust. Here are the trust vectors I have so far discovered.
I have more thoughts and will be tracking them on this post https://tcwiki.azurewebsites.net/index.php?title=Self-issued_Trust