Match by hashed value

Issue #1218 open
Kosuke Koiwai created an issue

The following issue was raised during a discussion at OIDF-Japan WG. 

An IdP in Japan provides KYC services with “fill-in” (IdP provides claims) API and “match” (RP gives values and IdP returns  just true/false) API in their menu.

There are effort going on by Alberto to provide conditional claims in #1186, but machino of a few generic claims (name, birthdate, etc) can be included to the ekyc core spec as well as age verification claims (#1172) if a wide range of IdP is willing to provide “match” functions.

Also, there was an occasion where both IdP and RP were reluctant to provide their customer data to the other party, and they wanted to conduct matching through hashed values.

MobileConnect already has specs to mach by hashed values.

https://developer.mobileconnect.io/kyc-claims

Although prone to brute-forth attack of the hashed data, I think it is still worth considering together.

Comments (7)

  1. Kai Lehmann

    For the trust framework DeMail in Germany a matching is also part of the process. However, it is a bit different as the identification provider does not simply return true or false, but returns the actual end user data back (signed) if the sent user info matched the data retrieved from the id document within predefined tolerances (e.g. typos, “street” abbreviated, at most one of the first names was not given).

  2. Daniel Fett

    I’ll propose a new function within ASC/TC to address hashing and hash matching. For fuzzy matching (raised by Kai), we would need to put more effort into defining the tolerances.

  3. Log in to comment