value/values on verified_claims/claims?

Issue #1247 resolved
Daniel Fett created an issue

The current spec does not say whether value/values constraints are allowed on verified_claims/claims, but it also does not explicitly forbid it.

As a related topic, it is largely undefined in the OIDC world how to handle value/values when used on object claims. This may be a topic for our syntax extension for OIDC.

Comments (11)

  1. Takahiko Kawasaki

    Section 7.7.2. Data not Matching Requirements of Implementer’s Draft 3 (published in November 2021) says as follows:

    When the available data does not fulfill the requirements of the RP expressed through value, values, or max_age, the following logic applies:

    * If the respective requirement was expressed for a Claim within verified_claims/verification, the whole verified_claims element MUST be omitted.

    * Otherwise, the respective Claim MUST be omitted from the response.

    In both cases, the OP MUST NOT return an error to the RP.

    This description implies that value, values and max_age can be used under both verified_claims/verification and verified_claims/claims. The ID2 (published in May, 2020) does not contain this explicit description.

    In addition, discussions about value and values in the OIDC world were done at some places (e.g. comment in Issue 1276).

    So, the concerns pointed out (before the ID3 was published) by this issue have been resolved so far, I think. This issue can be marked as “resolved”.

  2. Torsten Lodderstedt

    We should at least state that value/values can be used in verified_claims/claims (in the same way as in OIDC Core).

  3. Daniel Fett reporter

    The section “Defining further constraints on Verification Data” is actually already really clear that you can use restrictions in verification claims:

    The RP MAY limit the possible values of the elements `trust_framework`, `evidence/method`, `evidence/check_details`, and `evidence/document/type` by utilizing the `value` or `values` fields and the element `evidence/type` by utilizing the `value` field.

    For verified claims, however, the current spec excludes value/values explicitly (probably by accident):

    The `verified_claims` element includes a `claims` element, which in turn includes the desired Claims as keys with a `null` value.

    I created a PR to fix this: https://bitbucket.org/openid/ekyc-ida/pull-requests/115/proposal-to-fix-issue-1247

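The Section 7.7.2 logic quoted in comment 1, sketched as an added example that is not part of the issue thread or of the specification. The function names and sample data are assumptions, and the sketch is limited to top-level `verification` elements such as `trust_framework` and to simple (non-object) claims, leaving out `max_age` and nested `evidence`.

```python
# Added example: Section 7.7.2 handling of value/values, restricted to
# top-level verification elements (e.g. trust_framework) and simple claims.

def satisfies(constraint, actual):
    """True if `actual` meets an optional value/values constraint (null = none)."""
    if not isinstance(constraint, dict):
        return True
    if "value" in constraint and actual != constraint["value"]:
        return False
    if "values" in constraint and actual not in constraint["values"]:
        return False
    return True

def build_verified_claims(request, available):
    """Return the verified_claims element for the response, or None to omit it.

    Never raises for unmet constraints: the OP MUST NOT return an error.
    """
    req_verification = request.get("verification") or {}
    for name, constraint in req_verification.items():
        # Unmet constraint under verification: omit the whole element.
        if not satisfies(constraint, available["verification"].get(name)):
            return None
    claims = {}
    for name, constraint in (request.get("claims") or {}).items():
        # Unmet constraint under claims: omit only that Claim.
        if name in available["claims"] and satisfies(constraint, available["claims"][name]):
            claims[name] = available["claims"][name]
    verification = {k: v for k, v in available["verification"].items()
                    if k in req_verification}
    # An empty `claims` result is returned as-is; the thread does not cover that case.
    return {"verification": verification, "claims": claims}

# Constructed sample data (hypothetical user record and RP request).
AVAILABLE = {
    "verification": {"trust_framework": "de_aml"},
    "claims": {"given_name": "Max", "birthdate": "1970-01-01"},
}
REQUEST = {
    "verification": {"trust_framework": {"value": "de_aml"}},
    "claims": {"given_name": None, "birthdate": {"values": ["1956-01-28"]}},
}

if __name__ == "__main__":
    print(build_verified_claims(REQUEST, AVAILABLE))
```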