Terminology: Identity credential vs claimset

Issue #1271 open
Tobias Looker created an issue

Currently in the text being proposed in PR (https://bitbucket.org/openid/connect/pull-requests/39), there is a competing set of terminology to describe the new vehicle under which the end-user claims are supplied.


OpenID already has at least two main vehicles for which End-User claims are made available to relying parties

  1. id_token
  2. /userinfo endpoint

The claims aggregation draft (and the credential provider draft which is currently being merged into it) outlines more in-direct or distributed applications for obtaining, holding and presenting end-user claims. Because of this difference in model, a push to define a new vehicle for communicating end-user claims has been made. This vehicle through the evolution of the current draft has gone through several proposed names such as c_token, claimset, credential, identity credential.

This issue's purpose is to discuss the most appropriate name.

Why a new name? Why not use an existing mechanism for End-User Claims

Conceptually within this work because of the distributed nature under which the End-User claims are communicated, there are new concepts that the claims vehicle must support, including:

  1. Binding, when the End-User claims are presented via an intermediate provider (e.g a wallet) there is a need for the relying party to be able to authenticate the role this party is playing. The means through which this authentication is performed has been referred to as binding.
  2. Functional grouping of claims, many of the proposed use-cases for claims aggregation / credential provider, is to be able to communicate more than just simple claims (e.g first_name, last_name) such as a larger group of claims that represent an identity document (e.g passport or drivers license). Thus ways in which to refer to a group of claims in a request or response becomes desirable. As evidence this concept is present in formats such as mDL or W3C verifiable credentials as the concept of document type or credential type.

In my opinion, due to the existing definition in OpenID Connect Core for “credential” it is problematic to recycle this term in a new context. “claimset” would appear to fit well within current terminology for OpenId connect however I think fails to create the right industry associations. Thus I think “Identity Credential” is the most suitable name to date.

Comments (6)

  1. Michael Jones

    As discussed on the 26-Jul-21 working group call, I think the next step to advance the adoption of the Identity Credential term would be to have a proposed definition for the term. The definition should make it clear what the term refers to and what it doesn’t.

  2. Jeremie Miller

    Just for easy reference, the definition in OpenID Connect Core for “credential” is:

    Data presented as evidence of the right to use an identity or other resources.

    The spec uses it in the context of “Client Credentials” and defining an access token to be a type of credential.

  3. Tobias Looker reporter

    To attempt to move this issue forward I propose the following definition as a starting point, I would suggest that this definition would feature in the glossary of the claims aggregation / credential provider draft.

    Identity Credential - A cryptographically signed artefact that is produced by an Issuing Authority (current term we are using in Claims Aggregation) which contains a set of claims about an End-User that is suitable for in-direct presentation to a relying party via an intermediary provider (or identity agent as currently suggested in claims aggregation).

  4. Nat Sakimura

    We will go with “Identity Credential” as a defined term for now. (Only the concern is that “Credential” is a defined term in OIDC Core.)

  5. Log in to comment