Binding of claims and presentation and OP
Tobias Looker
I would assume the binding is not just to the subject and claim set, but also to the intermediary presenting them (OP).
Nat Sakimura
I am not sure if there needs to be a direct binding.
There needs to be two kinds of strong bindings:
- between the Claim Set from the CP and the OP (Wallet) response (e.g., ID Token)
- between the OP and the OP response.
OP and OP Response is bound by the iss of the OP response and the signature, and that is given by OIDC Core.
Is there a reason for having direct binding?
Comments (6)
-
On the 2021-06-22 call, callers agreed that it does not have to be direct binding, but there needs to be a requirement that there MUST be a binding, whether direct or indirect.
-
Further to this, I think we should have a section in the claims aggregation draft that refers to binding in a more abstract manner; there are multiple different ways of accomplishing claimset or credential binding, including:
- Cryptographic proof of possession (e.g. how most W3C VCs work, and how DPoP works with access tokens)
- Transactional binding (e.g. a just-in-time model where the intermediate provider makes a request back to the claims authority in real time for a claimset/credential to be issued which features the nonce supplied by the relying party in their request to the intermediary)
We should also be crisp, as raised above, about WHO the binding is between. IMO it is between the claims authority and the intermediate provider, NOT the end-user.
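The following is an added toy model, not code from this thread or from the claims aggregation draft, that puts the two bindings Nat lists (CP claim set to OP response, OP to OP response) and the transactional variant Tobias describes into runnable form. HMAC-SHA256 over a base64url JSON body stands in for a JWS, the claim-set container inside the OP response is a simplified one rather than the OIDC Core aggregated-claims syntax, and every key, issuer URL, nonce and claim value is constructed for the example. The relying party verifies the OP's signature and `iss`, then the CP's signature, and then checks that the CP bound the claim set to this OP (`aud`) and to this transaction (`nonce`), so a claim set issued to another intermediary, replayed from an earlier transaction, or edited by the OP is rejected.

```python
# Toy model of the two bindings discussed above:
#   1. claim set from the claims provider (CP) -> OP (wallet) response
#   2. OP -> OP response (iss + signature, as OIDC Core provides)
# HMAC-SHA256 over a base64url JSON body stands in for a JWS. All keys,
# issuer URLs and claim values are constructed for this example.
import base64
import hashlib
import hmac
import json

CP_KEY = b"constructed-cp-signing-key"   # hypothetical CP key
OP_KEY = b"constructed-op-signing-key"   # hypothetical OP key
CP_ISS = "https://cp.example"            # hypothetical claims provider
OP_ISS = "https://op.example"            # hypothetical intermediary OP
RP_ID = "https://rp.example"             # hypothetical relying party


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(payload: dict, key: bytes) -> str:
    """Return 'body.tag': base64url JSON body plus HMAC tag (stand-in for a JWS)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify(token: str, key: bytes) -> dict:
    """Check the tag under `key` and return the payload; raise ValueError otherwise."""
    body, tag = token.split(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def cp_issue_claimset(op_iss: str, nonce: str, claims: dict) -> str:
    """CP answers a just-in-time request from an OP: the claim set names that OP as
    audience and carries the RP's nonce. That is the transactional binding."""
    return sign({"iss": CP_ISS, "aud": op_iss, "nonce": nonce, **claims}, CP_KEY)


def op_issue_id_token(rp_nonce: str, claimset: str) -> str:
    """OP embeds the CP claim set in its own signed response (simplified container)."""
    return sign({"iss": OP_ISS, "aud": RP_ID, "nonce": rp_nonce,
                 "claimset": claimset}, OP_KEY)


def rp_verify(id_token: str, expected_nonce: str) -> dict:
    """RP checks binding 2 (OP -> OP response), then binding 1 (CP claim set -> OP response)."""
    outer = verify(id_token, OP_KEY)                      # OP signature
    if outer["iss"] != OP_ISS or outer["aud"] != RP_ID:
        raise ValueError("OP response is not from the expected OP or not for us")
    if outer["nonce"] != expected_nonce:
        raise ValueError("OP response does not belong to this request")
    inner = verify(outer["claimset"], CP_KEY)            # CP signature: OP cannot alter claims
    if inner["iss"] != CP_ISS:
        raise ValueError("claim set from an unexpected claims provider")
    if inner["aud"] != outer["iss"]:
        raise ValueError("claim set was issued to a different intermediary")
    if inner["nonce"] != outer["nonce"]:
        raise ValueError("claim set is not bound to this transaction (replay?)")
    return {k: v for k, v in inner.items() if k not in ("iss", "aud", "nonce")}


def binding_holds(id_token: str, expected_nonce: str) -> bool:
    """True when both bindings verify, False on any failure (for the checks below)."""
    try:
        rp_verify(id_token, expected_nonce)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    nonce = "rp-nonce-1"
    alice = {"given_name": "Alice"}
    good = op_issue_id_token(nonce, cp_issue_claimset(OP_ISS, nonce, alice))
    print(rp_verify(good, nonce))                          # {'given_name': 'Alice'}
    # Claim set the CP issued to a different intermediary, re-presented by our OP.
    other = op_issue_id_token(nonce, cp_issue_claimset("https://other-op.example", nonce, alice))
    print(binding_holds(other, nonce))                     # False
    # Claim set from an earlier transaction replayed under the fresh nonce.
    stale = op_issue_id_token(nonce, cp_issue_claimset(OP_ISS, "rp-nonce-0", alice))
    print(binding_holds(stale, nonce))                     # False
    # OP edits the claims and re-signs with its own key: CP signature no longer verifies.
    edited = {"iss": CP_ISS, "aud": OP_ISS, "nonce": nonce, "given_name": "Mallory"}
    forged = op_issue_id_token(nonce, sign(edited, OP_KEY))
    print(binding_holds(forged, nonce))                    # False
```

The point the model makes is the one raised in the comment: the binding that matters is between the claims authority and the intermediary (`aud` and `nonce` inside the CP-signed claim set), and the end-user never appears in it; the RP can still reject a re-presented or replayed claim set without any direct CP-to-RP relationship.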
-
Some of Torsten's comments on openid/connect Pull Request #40 (Proposal for issue #1270) appear to be relevant to this issue.
-
Mike, I think you mean PR 39, and this issue was supposed to be dealt with after PR 39. PR 39 was just merging two drafts without technical improvements. That kind of step-wise approach will make it easier to track.