Terminology: Identity credential vs claimset
Issue #1271
open
Currently in the text being proposed in PR (https://bitbucket.org/openid/connect/pull-requests/39), there is a competing set of terminology to describe the new vehicle under which the end-user claims are supplied.
Context
OpenID already has at least two main vehicles for which End-User claims are made available to relying parties
id_token/userinfoendpoint
The claims aggregation draft (and the credential provider draft which is currently being merged into it) outlines more in-direct or distributed applications for obtaining, holding and presenting end-user claims. Because of this difference in model, a push to define a new vehicle for communicating end-user claims has been made. This vehicle through the evolution of the current draft has gone through several proposed names such as c_token, claimset, credential, identity credential.
This issue's purpose is to discuss the most appropriate name.
Why a new name? Why not use an existing mechanism for End-User Claims
Conceptually within this work because of the distributed nature under which the End-User claims are communicated, there are new concepts that the claims vehicle must support, including:
- Binding, when the End-User claims are presented via an intermediate provider (e.g a wallet) there is a need for the relying party to be able to authenticate the role this party is playing. The means through which this authentication is performed has been referred to as binding.
- Functional grouping of claims, many of the proposed use-cases for claims aggregation / credential provider, is to be able to communicate more than just simple claims (e.g first_name, last_name) such as a larger group of claims that represent an identity document (e.g passport or drivers license). Thus ways in which to refer to a group of claims in a request or response becomes desirable. As evidence this concept is present in formats such as mDL or W3C verifiable credentials as the concept of document type or credential type.
In my opinion, due to the existing definition in OpenID Connect Core for “credential” it is problematic to recycle this term in a new context. “claimset” would appear to fit well within current terminology for OpenId connect however I think fails to create the right industry associations. Thus I think “Identity Credential” is the most suitable name to date.
Comments (6)
-
-
Account Deactivated
Just for easy reference, the definition in OpenID Connect Core for “credential” is:
Data presented as evidence of the right to use an identity or other resources.
The spec uses it in the context of “Client Credentials” and defining an access token to be a type of credential.
-
- changed status to open
-
-
assigned issue to
Tobias Looker
-
assigned issue to
-
reporter
To attempt to move this issue forward I propose the following definition as a starting point, I would suggest that this definition would feature in the glossary of the claims aggregation / credential provider draft.
Identity Credential - A cryptographically signed artefact that is produced by an Issuing Authority (current term we are using in Claims Aggregation) which contains a set of claims about an End-User that is suitable for in-direct presentation to a relying party via an intermediary provider (or identity agent as currently suggested in claims aggregation).
-
We will go with “Identity Credential” as a defined term for now. (Only the concern is that “Credential” is a defined term in OIDC Core.)
- Log in to comment
- Assignee
- Type
- Priority
- Status
- open
- Component
- Claims Aggregation
- Milestone
- –
- Version
- –
- Votes
- 0
- Watchers
- 1
As discussed on the 26-Jul-21 working group call, I think the next step to advance the adoption of the Identity Credential term would be to have a proposed definition for the term. The definition should make it clear what the term refers to and what it doesn’t.