Stream: FHIR at Scale Taskforce (FAST): Identity
Topic: Using DIDs, OIDC, etc. to verify email address or other a...
Julie Maas (Aug 05 2021 at 18:47):
@John Moehrke would it be OK to move the topic of verifying email address (beyond verification code) into a separate topic?
John Moehrke (Aug 05 2021 at 18:49):
yup
John Moehrke (Aug 05 2021 at 18:49):
not sure there is much more to be said. Eeyore sulks away
Julie Maas (Aug 05 2021 at 18:51):
I'm optimistic about this :) Interoperable Digital Identities, for one, should have email address in user profile and requirements will firm up the associated identity so that existence of the address in the profile can be relied upon.
John Moehrke (Aug 05 2021 at 18:52):
change it to DID and you will have a whole herd of people piling on.
Julie Maas (Aug 05 2021 at 18:56):
Done! Welcoming suggestions re: account types and/or workflows that help patient email address to be relied on as associated with a real world identity...
Jim StClair (Aug 25 2021 at 19:54):
Wait! Are we talking DIDs now?! I'm all over this.... :grinning_face_with_smiling_eyes:
Jim StClair (Aug 25 2021 at 19:57):
@Julie Maas I'm a little fuzzy about the arbitrary relationship of an email address, but happy to talk through the approach
Julie Maas (Aug 25 2021 at 20:12):
Good point @Jim StClair - this came out of another conversation (see "How to establish attribute...") and we were expecting to see interest from DID & OIDC enthusiasts re: using user profile data or other verifiable claims from trusted parties, to establish that one or more PII elements relate to a real world identity. I changed the topic title slightly to go beyond email address. As you might expect, if some elements of an identity like name, address, date of birth have been verified through a trusted issuer's claims linked to a DID or OIDC credential, such a credential might also be relied upon to indicate that a certain email address also relates to that individual. What requirements might have to be in place (attestation from individual, verification code, etc.) to consider the email address associated with the identity?
Jim StClair (Aug 26 2021 at 17:06):
Hi @Julie Maas , great question. In the DID/VC model, we have not typically discussed assigning DIDs to specific identity attributes used for IdP, not to say it couldn't be done (and actually may have some other benefits as well). We're just now examining an IdP integration process as the "front end" to an issuer issuing a VC to a holder, at which point the presentation of the VC by the holder to the verifier is considered the trusted attestation of identity, and supports selective disclosure of attributes.
Julie Maas (Aug 26 2021 at 17:20):
@Jim StClair I am not suggesting attribute-specific DIDs but rather disclosing of attributes, as you mention later in the note, with some responsibility on the issuer's side (or a trusted 3rd party) to first perform attribute verification prior to signing the VC.
Jim StClair (Aug 26 2021 at 17:57):
aha! yes, ma'am, I think we're in agreement. Happy to explore further!
Julie Maas (Aug 26 2021 at 19:34):
So the question in the last sentence remains: if you can verify some PII, and a related "declaration of identity" attestation from the subject, is the subject's self-assertion of their email address sufficient to associate it with that digital identity, or would we look to also require confirmation of control using a code of suitable entropy, or more than those two things?
Josh Mandel (Aug 26 2021 at 20:20):
(if the email address is being asserted in a verifiable credential, we could also ask issuers to convey in the VC whether they have confirmed control already; if they have, that could simplify the downstream workflow by avoiding the need to reconfirm it at every step.)
Last updated: Apr 12 2022 at 19:14 UTC