Review of Authentication to GovStack with IDBB

 Jaume

UC prepared here, still waiting for review by WG.

Discussion around Identity Verification Use case requested by Ingmar.

Jaume, Sasi, Ramkumar

Jaume has preparer a draft UC for Ingmar to come in and clarify its Use Case, also answer to questions on privacy.

Sasi expressed a valid concern about the fact that opening an API to the IDBB registry thanks to which any system/operator could access to collect personnal information of any (even all) indivuals is an issue.

We agreed that such API is required for many usecase when a functional system need to get information collected by IDBB when following single-source-of-truth principles, but that specific authorization should be given to the relying party trying to access the information.

An authentication would be necessary to make sure that this authorization is given by the right person, but i’s not sufficient, and the authorization itself mentionning in a verifiable way all the details of what is consented by who and for who. This recorded authorization is a consent.

This consent is tighly connected to the identity, it would be collected by the ID building block (TBC), have a limited duration (sessiontime), it should be recorded and notified to the relying party.

We noted that the indivual's privacy should be respected by using a sectorial token of its identity, usable in all systems of this sector but not outside the sector. Cross sector interoperability is still a challenge in this model and will be the purpose of the ID Mapping study to be ran before the end of the year.

Jaume will prepare a web sequence diagram to illustrare a generic ID Attribute sharing based on a consent given. It will be reviewed this week within the working group and if agreed will be presented as part of the Technical Committee of w41.

Demo status

Sasi

Sasi confirmed availability of URL/openAPI for next week allowing to run the integration betwen IDDB demo and GovStack demo on-time in coming days.