Verified Attribute Schema

Issue/Topic: Verified Attributes

Monday – Session 4 - F

Conference: IIW10 May 17-19, 2009. This is the Complete Set of Notes.

Convener: Kick Willemse

Notes-taker(s): Chris Obdam

A. Tags for the session - technology discussed/ideas considered: Attribute validation, AX 1.0 (1.1), Defining standard methods/levels of attribute verification, leaving the identity validation to the RPs. OIX.

• AX - OpenID Attribute Exchange Validate Mode - Google draft of 24 Nov 2009 - http://step2.googlecode.com/svn/spec/attribute_exchange_validate/trunk/openid-attribute-exchange-validate-mode.html

B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Methods of Validation

1. Self Assertion

2. Proof of possession
 * a. Challenge Response Token
   * i. Email
   * ii. Bank Account
   * iii. Mobile (SMS)
   * iv. Postal Address

3. Authentic Register

4. Official Statement
 * a. Face-to-Face
 * b. Passport
 * c. Claim
Can an attribute also be validated by an organization that did not issue the information, e.g., can Stanford confirm that I am a Berkeley student?

There is need for 2 things:

1. An addition to AX for the validation information: validator, validation date and validation method/level.

2. A way to check if the validation method is executed in the right way (OIX?)
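A sketch of how an RP could consume the validation information proposed in point 1 and apply its own acceptance policy (an added example, not from the session, AX 1.0, or the Google draft). The `validator`, `validated_on` and `method` keys, the method names, the `ax` namespace alias, and treating the four methods above as ascending levels are all assumptions.

```python
from datetime import date, timedelta

AX = "openid.ax."
# Assumption: the four methods from the notes, treated as ascending levels.
LEVELS = {"self_assertion": 1, "proof_of_possession": 2,
          "authentic_register": 3, "official_statement": 4}

def parse_attributes(params):
    """Group AX fetch_response values with their validation metadata."""
    attrs = {}
    for key, type_uri in params.items():
        if not key.startswith(AX + "type."):
            continue
        alias = key[len(AX + "type."):]
        attrs[type_uri] = {
            "value": params.get(AX + "value." + alias),
            # Hypothetical keys below: not defined by AX 1.0.
            "validator": params.get(AX + "validator." + alias),
            "validated_on": params.get(AX + "validated_on." + alias),
            "method": params.get(AX + "method." + alias, "self_assertion"),
        }
    return attrs

def accept(attr, min_method, trusted_validators, max_age_days, today):
    """RP policy for one attribute; assumes the response signature was verified."""
    level = LEVELS.get(attr["method"], 0)  # unknown method ranks below all
    if level < LEVELS[min_method]:
        return False, "validation method unknown or too weak"
    if level == LEVELS["self_assertion"]:
        return True, "self-asserted, no validator required"
    if attr["validator"] not in trusted_validators:
        return False, "validator not trusted"
    try:
        validated = date.fromisoformat(attr["validated_on"] or "")
    except ValueError:
        return False, "missing or malformed validation date"
    if validated > today or today - validated > timedelta(days=max_age_days):
        return False, "validation date out of range"
    return True, "ok"

# Constructed sample response (illustrative values only).
SAMPLE = {
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.org",
    "openid.ax.validator.email": "https://op.example.org/",
    "openid.ax.validated_on.email": "2010-03-01",
    "openid.ax.method.email": "proof_of_possession",
    "openid.ax.type.dob": "http://axschema.org/birthDate",
    "openid.ax.value.dob": "1980-01-01",
}
```

The trusted-validator set is where point 2 would plug in: a trust framework would tell the RP which validators are known to execute a given method correctly.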

How do you handle the liability for the correctness of the information?

Follow Up Questions:


 * Will AX 1.1 support attribute verification ?
 * What Attribute schemes will be used?
 * X500
 * HCARD
 * Soap/XML
 * AX-Sreg
 * Other?
 * What are suitable attribute verification methods?
 * Open Identity Exchange OIX <> Open Attribute Exchange?