Binding of claims and presentation and OP

Issue #1246 open
Nat Sakimura created an issue

Tobias Looker

I would assume the binding is not just to the subject and claim set, but also to the intermediary presenting them (OP)

Nat Sakimura

I am not sure if there needs to be a direct binding.

There need to be two kinds of strong binding:

  1. between the Claim Set from the CP and the OP (Wallet) response (e.g., ID Token)
  2. between the OP and the OP response.

The OP and the OP response are bound by the iss of the OP response and its signature, and that is given by OIDC Core.

Is there a reason for having direct binding?

Comments (6)

  1. Nat Sakimura reporter

    On 2021-06-22 call, callers agreed that it does not have to be direct binding, but there needs to be a requirement that there MUST be a binding whether direct or indirect.

  2. Tobias Looker

    Further to this, I think we should have a section in the claims aggregation draft that refers to binding in a more abstract manner; there are multiple different ways of accomplishing claimset or credential binding, including:

    1. Cryptographic proof of possession (e.g. how most W3C VCs work, and how DPoP works with access tokens)
    2. Transactional binding (e.g. a just-in-time model where the intermediate provider makes a request back to the claims authority in real time for a claimset/credential to be issued which features the nonce supplied by the relying party in their request to the intermediary)

    We should also be crisp, as raised above, about WHO the binding is between; IMO it is between the claims authority and the intermediate provider, NOT the end-user.
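A worked version of the two bindings listed in the issue text and of the "transactional binding" option above, added here as an illustration; it is not code from the claims aggregation draft or from anyone in this thread. The three parties, their issuer URLs and the RP client_id are hypothetical, HS256 stands in for the asymmetric JWS signatures a real OP or CP would publish via jwks_uri, the `aggregated_claims` claim name is invented for the example (OIDC Core's `_claim_names`/`_claim_sources` container is not modelled), and the sample claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical parties (identifiers invented for this example).
CP_ISS = "https://claims-provider.example"  # Claims Provider (claims authority)
OP_ISS = "https://op.example"               # OP / wallet acting as intermediary
RP_ID = "rp-client-1"                       # Relying Party client_id

# HS256 keys stand in for the per-issuer JWS keys the RP would fetch from jwks_uri.
CP_KEY = secrets.token_bytes(32)
OP_KEY = secrets.token_bytes(32)
TRUSTED_KEYS = {CP_ISS: CP_KEY, OP_ISS: OP_KEY}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload: dict, key: bytes) -> str:
    """Compact JWS (HS256) over a JSON payload."""
    parts = ({"alg": "HS256", "typ": "JWT"}, payload)
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify_jws(token: str, trusted_keys: dict) -> dict:
    """Pick the key by the token's iss, then check the signature; ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise ValueError("malformed JWS")
    key = trusted_keys.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return payload


def cp_issue_claimset(sub: str, op_iss: str, nonce: str) -> str:
    """CP: issue a claim set for one transaction. aud names the intermediary it was
    issued to (CP <-> OP binding); nonce is the RP nonce the OP forwarded (transactional)."""
    payload = {"iss": CP_ISS, "sub": sub, "aud": op_iss, "nonce": nonce,
               "given_name": "Alice", "birthdate": "1990-01-01"}  # constructed sample claims
    return sign_jws(payload, CP_KEY)


def op_issue_id_token(sub: str, rp_id: str, nonce: str, claimset_jws: str) -> str:
    """OP: wrap the CP's signed claim set in its own signed ID Token (claim name assumed)."""
    payload = {"iss": OP_ISS, "sub": sub, "aud": rp_id, "nonce": nonce, "aggregated_claims": claimset_jws}
    return sign_jws(payload, OP_KEY)


def rp_verify(id_token: str, expected_nonce: str, rp_id: str) -> dict:
    """RP: check both bindings; return the CP-asserted claims or raise ValueError."""
    # Binding 2 (OIDC Core): OP <-> OP response via iss, signature, aud and nonce.
    op = verify_jws(id_token, TRUSTED_KEYS)
    if op.get("aud") != rp_id:
        raise ValueError("ID Token aud does not name this RP")
    if op.get("nonce") != expected_nonce:
        raise ValueError("ID Token nonce mismatch")
    # Binding 1, indirect: the RP never contacts the CP. It verifies the CP signature,
    # that the set was issued to this intermediary, and that it carries this transaction's nonce.
    cs = verify_jws(op.get("aggregated_claims", ""), TRUSTED_KEYS)
    if cs.get("aud") != op["iss"]:
        raise ValueError("claim set was not issued to this intermediary")
    if cs.get("nonce") != expected_nonce:
        raise ValueError("claim set nonce mismatch: not bound to this transaction")
    # sub is deliberately not compared: the OP may use a pairwise identifier toward the RP.
    return {k: v for k, v in cs.items() if k not in ("iss", "sub", "aud", "nonce")}


def _rejected(id_token: str, nonce: str, needle: str) -> bool:
    try:
        rp_verify(id_token, nonce, RP_ID)
        return False
    except ValueError as err:
        return needle in str(err)


def demo() -> dict:
    """Honest transaction, then two misuses the bindings must catch."""
    nonce = secrets.token_urlsafe(16)  # RP nonce for this request
    claimset = cp_issue_claimset("alice", OP_ISS, nonce)
    claims = rp_verify(op_issue_id_token("alice-pairwise", RP_ID, nonce, claimset), nonce, RP_ID)
    # Replay: a later request with a fresh nonce, but the OP reuses the earlier claim set.
    nonce2 = secrets.token_urlsafe(16)
    stale = op_issue_id_token("alice-pairwise", RP_ID, nonce2, claimset)
    # Forwarding: a claim set the CP issued to a different intermediary, correct nonce.
    foreign = op_issue_id_token("alice-pairwise", RP_ID, nonce,
                                cp_issue_claimset("alice", "https://other-op.example", nonce))
    return {"claims": claims,
            "replay_rejected": _rejected(stale, nonce2, "nonce"),
            "foreign_rejected": _rejected(foreign, nonce, "intermediary")}
```

The binding is indirect in exactly the sense of the 2021-06-22 call: the RP checks the OP's signature and the CP's signature separately and never has a direct channel to the CP. The `aud` check is what pins the claim set to the intermediate provider rather than to the end-user, and the `nonce` check is the transactional binding; a proof-of-possession variant (the first option above) would instead put the OP's key in a `cnf` claim of the claim set and require the ID Token to be signed with that key.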

  3. Nat Sakimura reporter

    Mike, I think you mean PR 39, and this issue was supposed to be dealt with after PR 39. PR 39 was just merging two drafts without technical improvements. That kind of step-wise approach will make it easier to track.
