Verifier may not be Origin nor AP, Provider versus Source.

[JaapFrancke]

Organization: 2 Type:

Reference (Include section and paragraph number): 3.2.1.1 4.2

Comment (Include rationale for comment): The report distinguishes between the following parties:

• Origin
• Attribute Provider (AP) - it's the entity to which the RP is 'talking'
• Relying Party (RP) - it's the entity that's consuming attributes provided by the AP.

The allowed/recommended values for the Verifier-attribute suggest it's either the Origin or the Provider that is verifying the attribute. It may however be the case that an attribute is verified by neither Origin nor AP. In this case the Pedigree could be "Sourced".

An IDP could act as a attribute 'proxy', acting as a RP towards one or more APs and acting as a AP to various RPs. Note that section 3.2.1.3 recognizes sources other than Origin. In a similar fashion, it makes sense to recognize different Verifiers

Suggested Change: The report could suggest as possible values for Verfier:

• "Origin"
• "Provider"
• "Not Verified"
• Name of an entity that is doing verification

Alternately, the report could explain that the "Provider" (Provenance), does NOT have to be the Attribute Provider itself. In the 2nd use case it says "Verifier: Provider: The clearance was verified by the IDP (also acting as the AP in this instance)", so that suggests that indeed the "Provider" does not have to be the AP. The example in section 4.2 could be improved to give an example value for the Provider attribute, indicating the relevant IDP.

Extending the previous remark, I would suggest

• Relying Party versus Attribute Provider - this makes perfect sense.
• Provenance.Provider could be renamed to Provenance.Source

---

Organization: 1 = Federal, 2 = Industry, 3 = Other 

[RGalluzzo]

We opted to go with a clarifying statement RE:the "provider" does not have be the AP itself.