- removed milestone
evidence type: when to use which
OIDF-Japan KYC WG is experiencing some difficulties digesting evidence types.
Current description might be difficult to understand for people without thorough knowledge of various trust frameworks.
5.1.1. evidence Element

document: Verification based on any kind of physical or electronic document provided by the End-User.
electronic_record: Verification based on data or information obtained electronically from an approved or recognized source.
vouch: Verification based on an attestation or reference given by an approved or recognized person declaring they believe to the best of their knowledge that the Claim(s) are genuine and true.
electronic_signature: Verification based on an electronic signature.
Given the above, what are the proper types in the following situations:

- when an authoritative source (i.e. government) serves as an IDP and returns verified_claims directly?
  - I think it should be electronic_record, but a member says it can be vouch as the IDP is the primary source (no other evidence exists than the fact that the IDP believes that the person is the person who is claimed to be)
- when IDP A provides verified_claims with an evidence type document to IDP B, then IDP B provides verified_claims to RP based on the information received from IDP A? (note: here IDP B does not use claims aggregation)
  - an opinion among the group was, if IDP B verifies attachment by themselves, then IDP B should serve verified_claims with an evidence type document, otherwise electronic_record.
- when IDP verifies a claimant with a document signed with the claimant's private key, and with the electronic certificate in which an authority attests the identity of the holder of the paired public key?
  - I believe this is what electronic_signature is for, but the description above doesn't technically describe how an electronic signature is used for verification. (even if IDP uses CRL/OCSP to validate the certificate, we don't use electronic_record, do we?)
Comments (8)
Suggested edits for evidence descriptions:

document: Verification based on any kind of physical document provided by the End-User, e.g., paper passport (with or without a chip), plastic driving license or ID card.
electronic_record: Verification based on data obtained electronically from a designated authoritative source such as a Government or organisation approved, recognized, regulated or certified as such a source, e.g., bank, utility provider, credit reference agency, fraud or AML data source.
vouch: Verification based on an attestation given by an approved or recognized natural person declaring they believe that Claim(s) presented by another natural person (who lacks a required means of direct identification) are to the best of their knowledge genuine and true.
electronic_signature: Verification based on the End-User's electronic signature with a defined identity link, e.g., an Advanced Electronic Signature (AES) or Qualified Electronic Signature (QES) under the European eIDAS scheme.

Are these clearer?

1 - Government direct source is electronic_record.
2 - In my view, the original evidence type should be preserved to understand the chain of events; IDP A checked a document, IDP B just forwarded to their RP (with a claim 'IDP A checked document'). Changing the evidence type obfuscates what happened. Does an attachment count as a document? It's a photo so could be forged.
3 - I think electronic reading of a chip in a document is still a document evidence type (it needs the physical object as source rather than a database). The keys/signatures in the document chip are part of securing the reading process/proofing the document rather than evidence themselves. https://www.readid.com/blog/cloning-detection-epassports
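The point made under 2 above (an IDP that forwards verified_claims it received from another IDP should keep the upstream evidence type rather than relabelling it) can be turned into an RP-side check. The following Python is an added example for this thread; it is not code from the working group, the spec, or any commenter. The four evidence type names and the verified_claims and evidence names come from the discussion; the verification, trust_framework and claims field names are this example's assumption about the verified_claims layout, and every payload in it is constructed sample data.

```python
"""RP-side sanity check for the evidence array inside verified_claims.

Added example; not code from the eKYC-IDA spec or the working group.
It encodes two points from the discussion:

  * every evidence entry carries a ``type`` drawn from the four types listed
    in section 5.1.1 (document, electronic_record, vouch, electronic_signature);
  * an IDP that forwards verified_claims received from another IDP keeps the
    original evidence entries instead of relabelling them, so the RP can still
    see that IDP A checked a document.

Assumed field names: ``verification``, ``trust_framework`` and ``claims``.
All payloads below are constructed sample data.
"""
import copy

EVIDENCE_TYPES = frozenset(
    {"document", "electronic_record", "vouch", "electronic_signature"}
)


def validate_verified_claims(vc: dict) -> list:
    """Return the list of problems found; an empty list means the object passes."""
    problems = []
    verification = vc.get("verification")
    if not isinstance(verification, dict):
        return ["missing 'verification' object"]

    tf = verification.get("trust_framework")
    if not isinstance(tf, str) or not tf:
        problems.append("missing or empty 'trust_framework'")

    evidence = verification.get("evidence")
    if not isinstance(evidence, list) or not evidence:
        problems.append("'evidence' must be a non-empty array")
    else:
        for i, item in enumerate(evidence):
            etype = item.get("type") if isinstance(item, dict) else None
            if etype not in EVIDENCE_TYPES:
                problems.append(f"evidence[{i}]: unknown type {etype!r}")

    claims = vc.get("claims")
    if not isinstance(claims, dict) or not claims:
        problems.append("'claims' must be a non-empty object")
    return problems


def evidence_types(vc: dict) -> list:
    """The sequence of evidence types an RP sees in a verified_claims object."""
    return [e.get("type") for e in vc["verification"]["evidence"]]


def forward_verified_claims(upstream: dict) -> dict:
    """IDP B passing on what it received from IDP A (scenario 2).

    The verification block, including every evidence entry and its type, is
    copied unchanged, so the downstream RP still sees what was actually checked.
    """
    return {
        "verification": copy.deepcopy(upstream["verification"]),
        "claims": copy.deepcopy(upstream["claims"]),
    }


def relabel_as_electronic_record(upstream: dict) -> dict:
    """The variant the thread argues against: IDP B rewrites every evidence
    type to electronic_record because it obtained the data electronically.
    The result still validates, which is exactly why the chain gets lost."""
    out = forward_verified_claims(upstream)
    for e in out["verification"]["evidence"]:
        e["type"] = "electronic_record"
    return out


def chain_preserved(upstream: dict, downstream: dict) -> bool:
    """True if the downstream object reports the same evidence types, in the
    same order, as the upstream object it was derived from."""
    return evidence_types(upstream) == evidence_types(downstream)


# Constructed sample: IDP A checked a physical document (scenario 2, first hop).
FROM_IDP_A = {
    "verification": {
        "trust_framework": "eidas",  # constructed value
        "evidence": [{"type": "document"}],
    },
    "claims": {"given_name": "Taro", "family_name": "Yamada"},  # constructed
}

# Constructed sample with an evidence type that is not in section 5.1.1.
BAD_TYPE = {
    "verification": {
        "trust_framework": "eidas",
        "evidence": [{"type": "selfie_upload"}],  # invented, not a spec type
    },
    "claims": {"given_name": "Taro"},
}


if __name__ == "__main__":
    print(validate_verified_claims(FROM_IDP_A))
    print(validate_verified_claims(BAD_TYPE))
    print(chain_preserved(FROM_IDP_A, forward_verified_claims(FROM_IDP_A)))
    print(chain_preserved(FROM_IDP_A, relabel_as_electronic_record(FROM_IDP_A)))
```

The relabelled object passes the same structural validation as the forwarded one; only a comparison against the upstream object shows that the provenance was rewritten, which is the obfuscation the comment describes.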
reporter: Thanks,

1 and 2 are clear to me.

It will be a bit complicated around 3. What if a user used an eIDAS-recognized electronic signature with the signing key in a national ID (physical) card? Also, how about a PDF signed by an authority. I think it is still document if we refer to the original definition, document: Verification based on any kind of physical or electronic document provided by the End-User.
The ambiguity appears to be coming from the source of the evidence used by the OP.

For document it comes from the end-user, regardless of whether it's a physical or electronic document. As noted, electronic_record comes from an authoritative source which is neither the OP nor the end-user. vouch appears to have some confusion. Kosuke Koiwai your interpretation is correct, the point is that the person giving the vouch is a 3rd party which is neither an OP, RP, or end-user. The only evidence is the attestation of the person giving the vouch, the person must have some sort of personal knowledge/relationship of the user being known by those in the claims, no other evidence exists. An OP/IDP cannot give a vouch, they can provide evidence of one of the other types.
Thanks,

My understanding is, if a user signed a document with a secret key in her national ID card, and the signing scheme is recognized by eIDAS or a similar trust framework, it should be electronic_signature but not document. Also, just to clarify, a Verifiable Credential signed by an issuer can be document as well as signed PDFs. I don't necessarily mean to put it in the spec though.
That is a good question.

It depends on where the proof of the Claim(s) is coming from. If the claim is being proven by the contents of the document, then the evidence should be document (and in those cases it has to be from a recognised issuer). If it's a signed document and the proof is coming from the signing process/certificate then you are correct, it's an electronic_signature; the contents of the signed object could be nonsensical, or a blank document, it's somewhat superfluous, what you are interested in is the ability of the End-User to create an electronic signature that is able to prove the Claim(s) relate to them. There's an interesting edge case where an issuer provides a document that is signed by both the issuer and the End-User. In this case you could use both the document and the electronic signature as evidence, e.g. you could kill two birds with one stone.

Yes, a VC is a document in this context.
- changed status to open
- changed status to resolved
Resolved by PR #137
Removed from IDA ID4 milestone as that is already passed