Account providers often outsource the process of identifying the end-user to third-party ident service providers. I was wondering if this protocol could be used for transferring the identities from the ident service providers to the account providers. Part of those transferred datasets is usually also a set of files (video recordings of the video ident process, screenshots of the ID document, signed documents of the person performing the in-person identification, documents certifying a company's entry in a public legal register, …). Those files are usually sent to the account provider (client in this case) along with the end user’s personal data. The documents need to be signed as well (e.g. by including the SHA-256 hash of each document in the JWT, which in turn is signed).
It might also make sense to provide those attachments as evidence to other parties downstream, when requested. We might want to think of an extension to the protocol allowing for attaching those evidence documents.
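The hash-binding idea in the post above, sketched as an added example that is not part of the original post or of any specification: the ident provider lists a SHA-256 hash per file in the signed JWT, and the account provider checks the signature and then every received file. The `attachments` claim layout, the file names and the key are assumptions, and HS256 is used only so the sketch runs on the standard library; a real provider would sign with its own asymmetric key.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(claims: dict, files: dict, key: bytes) -> str:
    """Ident provider side: bind each file to the token via its SHA-256 hash."""
    claims = dict(claims, attachments=[  # "attachments" is a hypothetical claim name
        {"name": n, "alg": "sha-256", "hash": hashlib.sha256(d).hexdigest()}
        for n, d in sorted(files.items())])
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify(token: str, files: dict, key: bytes) -> dict:
    """Account provider side: check the signature first, then every file hash."""
    head, body, sig = token.split(".")
    if json.loads(b64u_dec(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64u_dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(body))
    listed = {a["name"]: a["hash"] for a in claims["attachments"]}
    # A dropped or extra file is as much a failure as a modified one.
    if set(listed) != set(files):
        raise ValueError("attachment set differs from signed list")
    for name, data in files.items():
        if not hmac.compare_digest(listed[name], hashlib.sha256(data).hexdigest()):
            raise ValueError(f"hash mismatch: {name}")
    return claims

# Constructed sample data (not real evidence files or keys)
KEY = b"demo-shared-secret"
FILES = {"id_front.png": b"\x89PNG constructed bytes",
         "video.mp4": b"constructed video bytes"}
TOKEN = issue({"sub": "user-123", "given_name": "Max"}, FILES, KEY)
```

Because the files travel outside the token, the same signed hash list lets a downstream party that later receives an attachment check it against the original token.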