evidence type: when to use which

Issue #1322 resolved
Kosuke Koiwai created an issue

OIDF-Japan KYC WG is experiencing some difficulties digesting evidence types.
The current description might be difficult to understand for people without thorough knowledge of various trust frameworks.

5.1.1. evidence Element

  • document: Verification based on any kind of physical or electronic document provided by the End-User.
  • electronic_record: Verification based on data or information obtained electronically from an approved or recognized source.
  • vouch: Verification based on an attestation or reference given by an approved or recognized person declaring they believe to the best of their knowledge that the Claim(s) are genuine and true.
  • electronic_signature: Verification based on an electronic signature.

Given the above, what is the proper type in the following situations:

  1. when an authoritative source (i.e. government) serves as an IDP and returns verified_claims directly?

    1. I think it should be electronic_record, but a member says it can be vouch as the IDP is the primary source (no other evidence exists than the fact that the IDP believes that the person is the person who is claimed to be)
  2. when IDP A provides verified_claims with an evidence type document to IDP B, then IDP B provides verified_claims to RP based on the information received from IDP A? (note: here IDP B does not use claims aggregation)

    1. an opinion among the group was, if IDP B verifies attachment by themselves, then IDP B should serve verified_claims with an evidence type document, otherwise electronic_record.
  3. when IDP verifies a claimant with a document signed with the claimant’s private key, and with the electronic certificate in which an authority attests the identity of the holder of the paired public key?

    1. I believe this is what electronic_signature is for, but the description above doesn't technically describe how an electronic signature is used for verification. (even if IDP uses CRL/OCSP to validate the certificate, we don’t use electronic_record, do we?)

Comments (8)

  1. Adrian Field

    Suggested edits for evidence descriptions:

    • document: Verification based on any kind of physical document provided by the End-User, e.g., paper passport (with or without a chip), plastic driving license or ID card.
    • electronic_record: Verification based on data obtained electronically from a designated authoritative source such as a Government or organisation approved, recognized, regulated or certified as such a source, e.g., bank, utility provider, credit reference agency, fraud or AML data source.
    • vouch: Verification based on an attestation given by an approved or recognized natural person declaring they believe that Claim(s) presented by another natural person (who lacks a required means of direct identification) are to the best of their knowledge genuine and true.
    • electronic_signature: Verification based on the End-User’s electronic signature with a defined identity link, e.g., an Advanced Electronic Signature (AES) or Qualified Electronic Signature (QES) under the European eIDAS scheme.

    Are these clearer?

    1 - Government direct source is electronic_record

    2 - In my view, the original evidence type should be preserved to understand the chain of events; IDP A checked a document, IDP B just forwarded to their RP (with a claim ‘IDP A checked document’). Changing the evidence type obfuscates what happened. Does an attachment count as a document? It’s a photo so could be forged.

    3 - I think electronic reading of a chip in a document is still a document evidence type (it needs the physical object as source rather than a database). The keys/signatures in the document chip are part of securing the reading process/proofing the document rather than evidence themselves. https://www.readid.com/blog/cloning-detection-epassports

  2. Kosuke Koiwai reporter

    Thanks,

    1 and 2 are clear to me.

    It will be a bit complicated around 3. What if a user used an eIDAS-recognized electronic signature with the signing key in a national ID (physical) card?

    Also, how about a PDF signed by an authority? I think it is still document if we refer to the original definition:

    document: Verification based on any kind of physical or electronic document provided by the End-User.

  3. Julian White

    The ambiguity appears to be coming from the source of the evidence used by the OP.

    For document it comes from the end-user, regardless of whether it's a physical or electronic document.

    As noted, electronic_record comes from an authoritative source which is neither the OP nor the end-user.

    vouch appears to have some confusion. Kosuke Koiwai, your interpretation is correct; the point is that the person giving the vouch is a 3rd party which is neither an OP, RP, nor end-user. The only evidence is the attestation of the person giving the vouch; the person must have some sort of personal knowledge/relationship of the user being known by those in the claims. No other evidence exists.

    An OP/IDP cannot give a vouch; they can provide evidence of one of the other types.

  4. Kosuke Koiwai

    Thanks,

    My understanding is, if a user signed a document with a secret key in her national ID card, and the signing scheme is recognized by eIDAS or similar trust framework, it should be electronic_signature but not document.

    Also, just to clarify, a Verifiable Credential signed by an issuer can be document as well as signed PDFs. I don’t necessarily mean to put it in the spec though.

  5. Julian White

    That is a good question.

    It depends on where the proof of the Claim(s) is coming from. If the claim is being proven by the contents of the document, then the evidence should be document (and in those cases it has to be from a recognised issuer).

    If it's a signed document and the proof is coming from the signing process/certificate then you are correct, it's an electronic_signature. The contents of the signed object could be nonsensical, or a blank document; it's somewhat superfluous. What you are interested in is the ability of the End-User to create an electronic signature that is able to prove the Claim(s) relate to them.

    There’s an interesting edge case where an issuer provides a document that is signed by both the issuer and the End-User. In this case you could use it as both document and electronic signature evidence, e.g. you could kill two birds with one stone.

    Yes, a VC is a document in this context.
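
The reading given in comments 3 and 5 (classify by who supplied the evidence and where the proof comes from), written out as a Python decision function. This is an added example, not part of the issue thread or the specification; the `Evidence` fields and supplier labels are constructed for illustration, and only the four `type` strings come from the page.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed labels for who handed the evidence to the OP (not spec values).
END_USER, AUTHORITATIVE_SOURCE, THIRD_PARTY_PERSON, OP = (
    "end_user", "authoritative_source", "third_party_person", "op")


@dataclass(frozen=True)
class Evidence:
    supplied_by: str                      # one of the labels above
    from_recognised_issuer: bool = False  # the contents themselves prove the Claim(s)
    end_user_signature: bool = False      # the signing process/certificate proves them


def evidence_types(ev: Evidence) -> list[str]:
    """Return the evidence `type` value(s) under the thread's reading."""
    if ev.supplied_by == OP:
        # Comment 3: an OP/IDP cannot vouch; it reports one of the other types.
        raise ValueError("OP is not an evidence source; record what it checked")
    if ev.supplied_by == THIRD_PARTY_PERSON:
        # Attestation by a person who is neither OP, RP nor End-User.
        return ["vouch"]
    if ev.supplied_by == AUTHORITATIVE_SOURCE:
        # Data obtained from a source that is neither the OP nor the End-User.
        return ["electronic_record"]
    if ev.supplied_by != END_USER:
        raise ValueError(f"unknown supplier: {ev.supplied_by!r}")
    types = []
    if ev.from_recognised_issuer:
        # Signed PDF or Verifiable Credential presented by the End-User.
        types.append("document")
    if ev.end_user_signature:
        # Content may be blank; the End-User's ability to sign is the proof.
        types.append("electronic_signature")
    if not types:
        raise ValueError("nothing in this evidence proves the Claim(s)")
    return types  # both entries for the doubly signed edge case in comment 5
```
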
