Clarify what the IDP MUST/SHOULD/MAY send in verification data.

Issue #1201 resolved
Daniel Fett created an issue

We currently say:

The RP MUST explicitly request any data it wants the OP to add to the verification element.

We do not say that the IDP MUST only send data if it was requested by the RP.

Do we want to say that?

If so, we also need to take a look at this example, where the IDP delivers much more verification data than requested: https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#section-6.5.1

(possibly other examples as well)

Comments (3)

  1. Vladimir Dzhuvinov

    +1 for the following reasons:

    1. Data minimisation
    2. An OP returning unrequested verification data could end up creating the impression that certain data is going to be always present, which can then lead to things breaking when that changes
    3. If a piece of verification data wasn’t requested then the RP has likely no use for it.
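The behaviour proposed in this issue, sketched as an added example (not part of the thread and not text or code from the specification): an OP-side filter that reduces stored verification data to the members named in the RP's request. The names `prune`, `REQUESTED` and `AVAILABLE` are hypothetical, the request shape is simplified, and treating `null` or a constraint object as "return this member as stored" is an assumption.

```python
# Constructed sample data; field values are illustrative, not from the spec.
REQUESTED = {
    "trust_framework": None,
    "time": None,
    "evidence": [{"type": {"value": "document"}, "method": None,
                  "document_details": {"type": None}}],
}
AVAILABLE = {
    "trust_framework": "example_framework",
    "time": "2024-01-15T10:00Z",
    "verification_process": "EXAMPLE-PROCESS-0001",
    "evidence": [
        {"type": "document", "method": "pipp", "time": "2024-01-14T09:30Z",
         "document_details": {"type": "idcard",
                              "document_number": "EXAMPLE-0001"}},
        {"type": "electronic_record",
         "record": {"type": "population_register"}},
    ],
}


def _entry_matches(entry, item):
    """A requested evidence entry applies if it pins no type or the types agree."""
    wanted = (entry.get("type") or {}).get("value")
    return wanted is None or wanted == item.get("type")


def prune(requested, available):
    """Return only the parts of `available` that `requested` names."""
    if isinstance(requested, list) and isinstance(available, list):
        kept = []
        for item in available:
            # Evidence items with no matching request entry are dropped entirely.
            entry = next((e for e in requested if _entry_matches(e, item)), None)
            if entry is not None:
                kept.append(prune(entry, item))
        return kept
    if isinstance(requested, dict) and isinstance(available, dict):
        return {k: prune(requested[k], v)
                for k, v in available.items() if k in requested}
    # Assumption: null or a constraint object selects the member as stored.
    return available


if __name__ == "__main__":
    import json
    print(json.dumps(prune(REQUESTED, AVAILABLE), indent=2))
```

The same function run on the RP side against a received `verification` element shows what a strictly minimising OP would have sent, which makes unrequested members easy to spot in interoperability testing.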
