Match by hashed value
The following issue was raised during a discussion at OIDF-Japan WG.
An IdP in Japan provides KYC services with “fill-in” (IdP provides claims) API and “match” (RP gives values and IdP returns just true/false) API in their menu.
There are effort going on by Alberto to provide conditional claims in #1186, but machino of a few generic claims (name, birthdate, etc) can be included to the ekyc core spec as well as age verification claims (#1172) if a wide range of IdP is willing to provide “match” functions.
Also, there was an occasion where both IdP and RP were reluctant to provide their customer data to the other party, and they wanted to conduct matching through hashed values.
MobileConnect already has specs to mach by hashed values.
https://developer.mobileconnect.io/kyc-claims
Although prone to brute-forth attack of the hashed data, I think it is still worth considering together.
Comments (8)
-
-
- changed component to Conditional Claims
Discussed briefly at WG on 21/04/2021
Decided to join it to conditional claims development work
-
PR #71 should now address this issue - @Kosuke Koiwai do you agree?
-
Yes. now @Daniel Fett or @Kosuke Koiwai will come up with new function in openid-advanced-syntax-for-claims.md and make another PR.
-
I’ll propose a new function within ASC/TC to address hashing and hash matching. For fuzzy matching (raised by Kai), we would need to put more effort into defining the tolerances.
-
Please take a look at https://bitbucket.org/openid/ekyc-ida/pull-requests/73/proposal-for-hashing-in-asc-tc
I wonder if we should try to defend against brute forcing by adding something like argon2; but then we need to discuss memory and execution time limits.
-
- changed status to open
-
- changed status to resolved
Resolved by PR #73
- Log in to comment
For the trust framework DeMail in Germany a matching is also part of the process. However, it is a bit different as the identification provider does not simply return true or false, but returns the actual end user data back (signed) if the sent user info matched the data retrieved from the id document within predefined tolerances (e.g. typos, “street” abbreviated, at most one of the first names was not given).