verified_claim without trust_framework

Issue #1235 resolved
Naohiro Fujie created an issue

From a discussion in the OIDF-Japan working group.


  • Add “generic” as a supported trust_framework


  • Providing a continuous identity proofing mechanism from various claims providers. For example, mobile operators are required to verify their customers' identity in the onboarding process, but it is not enough to verify their customers continuously, so now they are collecting their customer data in various ways, such as subscribing to a sports gym studio using their payment method. In such a case, the sports gym (OP) can provide verified claims to the mobile operator (RP), but they are not controlled by certain regulations, no trust_framework, but they can provide evidence and id_documents to the RP.

An example response from the gym will be the following:

  {
    "verified_claims": {
      "verification": {
        "trust_framework": "generic",
        "time": "2012-04-23T18:25Z",
        "verification_process": "f24c6f-6d3f-4ec5-973e-b0d8506f3bc7",
        "evidence": [
          {
            "type": "id_document",
            "method": "pipp",
            "time": "2012-04-22T11:30Z",
            "document": {
              "type": "idcard",
              "issuer": {
                "name": "Stadt Augsburg",
                "country": "DE"
              },
              "number": "53554554",
              "date_of_issuance": "2010-03-23",
              "date_of_expiry": "2020-03-22"
            }
          }
        ]
      },
      "claims": {
        "given_name": "Max",
        "family_name": "Meier",
        "birthdate": "1956-01-28",
        "place_of_birth": {
          "country": "DE",
          "locality": "Musterstadt"
        },
        "nationalities": [],
        "address": {
          "locality": "Maxstadt",
          "postal_code": "12344",
          "country": "DE",
          "street_address": "An der Weide 22"
        }
      }
    }
  }

Comments (2)

  1. Torsten Lodderstedt

    The trust_framework value is not tied to regulation. It is the identifier of the set of processes and technical mechanisms used to verify a user’s identity. It’s important that the RP can deduce enough information about the process so it can assess to what degree it relies on the verification of the user claims. “generic” is not sufficient for that purpose. The mobile operator could define its own identifier, like “<operatorname>_customeridentity”.

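Added example, not part of the issue or its comments: a sketch of how an RP could key its acceptance decision on `trust_framework`, so that an identifier it has not reviewed (such as "generic") yields no verified claims. The identifier `examplegym_customeridentity`, the `RP_POLICY` table and the function name are hypothetical, and the sample data is constructed from the response shown in the issue.

```python
import copy

# Hypothetical RP policy (constructed): each trust_framework identifier the RP
# has reviewed, mapped to the evidence types and methods that process uses.
RP_POLICY = {
    "examplegym_customeridentity": {
        "evidence_types": {"id_document"},
        "evidence_methods": {"pipp"},
    },
}

def assess_verified_claims(verified_claims, policy=RP_POLICY):
    """Return (accepted, reason, claims); claims is empty unless accepted."""
    verification = verified_claims.get("verification")
    if not isinstance(verification, dict):
        return False, "missing verification element", {}
    framework = verification.get("trust_framework")
    if not isinstance(framework, str) or not framework:
        return False, "missing trust_framework", {}
    rules = policy.get(framework)
    if rules is None:
        # The RP cannot tell what process stands behind an unknown identifier.
        return False, f"unrecognised trust_framework {framework!r}", {}
    evidence = verification.get("evidence")
    matching = [
        e for e in (evidence if isinstance(evidence, list) else [])
        if isinstance(e, dict)
        and e.get("type") in rules["evidence_types"]
        and e.get("method") in rules["evidence_methods"]
    ]
    if not matching:
        return False, "evidence does not match the framework's process", {}
    claims = verified_claims.get("claims")
    return True, "ok", dict(claims) if isinstance(claims, dict) else {}

# Constructed sample, trimmed from the response shown in the issue.
GENERIC = {
    "verification": {
        "trust_framework": "generic",
        "evidence": [{"type": "id_document", "method": "pipp"}],
    },
    "claims": {"given_name": "Max", "family_name": "Meier"},
}
NAMED = copy.deepcopy(GENERIC)
NAMED["verification"]["trust_framework"] = "examplegym_customeridentity"

if __name__ == "__main__":
    for sample in (GENERIC, NAMED):
        print(assess_verified_claims(sample)[:2])
```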