OpenID Connect for Identity Assurance

Published November 14, 2019

This week the OpenID Foundation announced the approval of the Implementer’s Draft of the OpenID Connect for Identity Assurance specification. This new specification is a product of the OpenID Connect Working group. An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.

The global adoption of OpenID Connect is demonstrated in the many profiles it has generated. OpenID Connect’s value is seen in the range of use cases it serves and in the privacy, security, and ease of use it delivers to end users. As its global adoption grows, OpenID Connect is increasingly being used in scenarios requiring higher identity assurance levels. Some examples include:

  • Anti-Money Laundering
  • Telecommunications
  • eGovernment
  • Access to Health Data
  • Risk mitigation
  • Fraud prevention

One can observe that current implementations often rely on implicit attestation of the verification status of the data provided, based on the context of the relying party (RP) and the trust framework the identity provider (IDP) has joined. Implicit attestation may cause ambiguity. For example, which claims in the result set are verified and which are not? As a further challenge, the RP lacks the metadata and evidence needed for mapping between regulatory/legal contexts, dispute resolution, and auditing.

The new OpenID Connect for Identity Assurance specification defines a representation for verified claims and associated metadata and evidence while enabling legal compliance for the aforementioned use cases. This specification provides important support for explicit attestation in a trust framework wherein the identity provider can supply:

  • Time of verification
  • Verifier: what party verified the user's identity
  • Evidence: which evidence was used
  • Verification Method: how the evidence was verified

The specification advances solutions for privacy wherein the RP asks for individual claims and individual verification data elements. This makes clear that the purpose of the inquiry can be conveyed per transaction or per individual claim.
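As an added illustration of the explicit attestation described above (not code from the OpenID Foundation or the specification), the following RP-side check separates verified from unverified claims and evaluates the verification metadata (trust framework, time, evidence method) against a local policy. The `verified_claims` field layout is assumed from the Implementer's Draft as understood by the editor, and the payload is constructed.

```python
# Added example (not OpenID Foundation code): an RP-side policy check over the
# verified_claims element of an ID token. Field names follow the Implementer's
# Draft as the editor understands it and are an assumption, not quoted spec text.
from datetime import datetime, timedelta, timezone

# Constructed sample payload: one unverified claim (email) next to claims
# verified under eIDAS by physical in-person proofing of a passport.
SAMPLE_PAYLOAD = {
    "sub": "248289761001",
    "email": "jane@example.com",
    "verified_claims": {
        "verification": {
            "trust_framework": "eidas",
            "time": "2019-11-01T10:15:00Z",
            "evidence": [{"type": "id_document", "method": "pipp",
                          "document": {"type": "passport"}}],
        },
        "claims": {"given_name": "Jane", "family_name": "Doe"},
    },
}

def split_claims(payload):
    """Separate verified from unverified claims so the RP never mixes them."""
    vc = payload.get("verified_claims") or {}
    verified = dict(vc.get("claims") or {})
    unverified = {k: v for k, v in payload.items() if k != "verified_claims"}
    return verified, unverified

def check_verification(payload, allowed_frameworks, allowed_methods,
                       max_age_days, now=None):
    """Return the list of policy violations (empty means accepted)."""
    now = now or datetime.now(timezone.utc)
    vc = payload.get("verified_claims") or {}
    ver = vc.get("verification") or {}
    problems = []
    if not ver:
        return ["no verification metadata: treat every claim as unverified"]
    if ver.get("trust_framework") not in allowed_frameworks:
        problems.append("trust framework not accepted by policy")
    try:  # verification time must be present, well-formed and recent enough
        t = datetime.fromisoformat(ver["time"].replace("Z", "+00:00"))
        if now - t > timedelta(days=max_age_days):
            problems.append("verification older than policy allows")
    except (KeyError, AttributeError, ValueError):
        problems.append("verification time missing or malformed")
    methods = {e.get("method") for e in ver.get("evidence") or []}
    if not methods & set(allowed_methods):
        problems.append("no evidence gathered with an accepted method")
    return problems
```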

This effort is intentionally and importantly internationally driven and benefits from contributions from the UK, US, CA, DE, and JP. The specification includes a (growing) number of pre-defined identifiers for:

  • Trust frameworks, e.g., eIDAS, NIST 800-63A, Japanese and German AML
  • Identity documents, e.g., ID Card, Passport, Driving Permit
  • Verification Methods, e.g., “Physical In-Person Proofing” and “Supervised Remote In-Person Proofing”

The Foundation plans to start a new working group dedicated to eKYC and Identity Assurance. The working group’s charter has roots in contributions from the UK, US, CA, DE, and JP. We would benefit from an even broader group of participants to build on the initial contributions drawing from Torsten Lodderstedt’s domain expertise and experience at yes.com.

Finally, thanks to Torsten, on behalf of the Foundation and community, for advancing this important specification. Bravo Torsten!


Don Thibeau
OpenID Foundation Executive Director