Act as a staff, but assert director's verified claims
Feedback from METI to the authority claims/legal entity.
Comment:
- It will be necessary to provide verified claims of the director or president as well as the delegated staff’s claims
Current use-case of METI:
- In the case where a corporate staff member acts as the president during the application process, he/she will need to provide the president’s attributes as well as his/her own attributes.
- For example, Bob logs in to an application system using his account, which acts as a corporate director. During the process, Bob will be required to provide both his attributes and the director’s attributes, e.g., register the director’s attributes as owner of the business and register his own attributes as contact information of the application.
- In the current implementation at METI, they define 2 types of claims, for both the corporate profile (which includes the director/president’s attributes) and the user’s attributes.
Current id_token from METI’s IdP:
{
  "sub": "BSmith",
  "rep_last_nm": "Johnson",
  "rep_first_nm": "Alice",
  "user_last_nm": "Smith",
  "user_first_nm": "Bob",
  "user_post_code": "0000000",
  "user_prefecture_name": "Tokyo",
  "user_address1": "Minato-ku",
  "user_address2": "1-2-3",
  "user_department": "XX dept.",
  "user_tel_no_contact": "11111111111",
  "user_email": "bob.smith@example.co.jp"
}
Proposal:
- add claims of director/president under authority element.
example)
{
  "sub": "BSmith",
  "email": "bobsmith@example.com",
  "verified_claims": {
    "verification": {
      "trust_framework": "entity_claims_example_framework",
      ...omit...
    },
    "claims": {
      "givenName": "Bob",
      ...omit...
    },
    "authority": [ {
      "applies_to": {
        "company_name": "Example Company Limited",
        "company_number": "12351235",
        "jurisdiction": "england-wales",
        "rep_givenName": "Alice",   <-- Add claims for representative
        "rep_familyName": "Johnson"
      },
      "permission": [ {
        ...omit...
      } ]
    } ]
  }
}
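An added example, not METI's or the working group's code, of how a relying party could consume the current METI id_token shown above: it splits the flat `rep_*` / `user_*` claims into an owner record (the director) and a contact record (the staff member who logged in), and fails closed when the representative's name is missing. The "owner"/"contact" record layout and the function names are assumptions.

```python
# Added example. Claim names are those in the METI id_token above; the
# "owner"/"contact" record layout and all function names are assumptions.
REP_PREFIX, USER_PREFIX = "rep_", "user_"
REQUIRED = ("rep_last_nm", "rep_first_nm", "user_last_nm", "user_first_nm")


class ClaimError(ValueError):
    """The payload cannot be split into two distinct persons."""


def split_claims(payload: dict) -> dict:
    """Split an already signature-checked id_token payload into records."""
    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ClaimError("missing sub")
    for name in REQUIRED:
        value = payload.get(name)
        if not isinstance(value, str) or not value.strip():
            # Fail closed: never fall back to the user's name as the owner.
            raise ClaimError(f"missing or empty claim: {name}")
    owner, contact = {}, {}
    for key, value in payload.items():
        if key.startswith(REP_PREFIX):
            owner[key[len(REP_PREFIX):]] = value
        elif key.startswith(USER_PREFIX):
            contact[key[len(USER_PREFIX):]] = value
    # sub identifies the staff member who authenticated, so it belongs to
    # the contact record only and is never attached to the owner.
    contact["sub"] = sub
    return {"owner": owner, "contact": contact}


# Constructed sample: a subset of the payload shown in the issue description.
SAMPLE = {
    "sub": "BSmith",
    "rep_last_nm": "Johnson", "rep_first_nm": "Alice",
    "user_last_nm": "Smith", "user_first_nm": "Bob",
    "user_department": "XX dept.",
    "user_email": "bob.smith@example.co.jp",
}

if __name__ == "__main__":
    print(split_claims(SAMPLE))
```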
Comments (6)
-
-
Following discussion I will raise a PR to update the document
-
- changed milestone to Authority ID1
-
I have looked at this again and I think that this case is best delivered by including the details in the role object already mentioned under the permission element. The topic of what goes in the role object should probably be expanded and the discussion at WG this week of ISO 5009 is pertinent to this -
For my understanding they want to get the identity of the user, the identity of the legal entity they are acting on behalf of, and the identity of one or more of the directors/president? Does it matter which director it is if there is more than one?
-
Just noticed ISO 5009:2022 was published.
-
So in the example provided above the End-User is actually Bob and Alice is the president - correct?
My following comments are assuming that is correct…
The applies to is supposed to represent the entity that Bob has authority over. Bob does not have authority over Alice.
It feels better to me to reflect this in the “permission” element. One of Bob’s permissions is to represent Alice in relation to “Example Company Limited”. There will probably be other elements expressing positive permissions or restrictions.
I would even suggest that we should possibly define a special structured object to generically describe “on behalf of” another end user.