Re: [VoT] How to express duplicate checks with VoT?

Nick Roy <> Fri, 11 March 2016 18:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9EBBE12DA43 for <>; Fri, 11 Mar 2016 10:46:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.123
X-Spam-Status: No, score=-1.123 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WYiho-DPVXcE for <>; Fri, 11 Mar 2016 10:46:10 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0A31212DA3D for <>; Fri, 11 Mar 2016 10:46:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-internet2-edu; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=0d2ICaGSyxcqI+Is3snMdsv45sVKAsh7yVuH8hAFaYU=; b=R4MHOL0sxC2Du88G09c0y9fv3Ds590qhY40AyYLmXbzhxM6KTy0s6dHYqLKlpMBHiAF3xIWpnQyRg3v/xkGzHejQQo9ywdM+p1H3Vc9qp23E1KLEH/+Oe9VuCDsq4z5Jd80VRUXGUTVpvD+x5hloAxBcFpX8J6BTl6Ufu0aZf8s=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.427.16; Fri, 11 Mar 2016 18:46:07 +0000
Received: from ([]) by ([]) with mapi id 15.01.0427.020; Fri, 11 Mar 2016 18:46:07 +0000
From: Nick Roy <>
To: Joanne Knight <>, 'Rolf Brugger' <>, "" <>
Thread-Topic: [VoT] How to express duplicate checks with VoT?
Thread-Index: AQHReu5sFTVOaoCnpU27iqOSviuFLp9TfLUAgACknwA=
Date: Fri, 11 Mar 2016 18:46:07 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2601:283:4202:d50:756b:2df:437f:a10c]
x-ms-office365-filtering-correlation-id: 422bde18-2ade-4612-cb86-08d349dd6841
x-microsoft-exchange-diagnostics: 1; SN2PR0801MB557; 5:JuwH/gPuvmydrwWZid/DMOA4x8noND+GqOaYN3cEa/V7QYaD69d5K7nbqGTdF95aiQV4hRvEUyUsRcuAvfiFbbuJjL+8g+2V+SilVWskBhw69PGr23Wp7icmk6ifRUKcmsfhbhmRTsLPMxwB1l2SMA==; 24:kG9iY72rIM9qgE+ZqCR6MTFmsmfKjGztXqI96grXWzBACzrKDxoE0Flo80UYU0w6rArkdsUJcZvbQ2NVJUlr3ojwzjAkjlIJBlfTXGgK5yc=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SN2PR0801MB557;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046); SRVR:SN2PR0801MB557; BCL:0; PCL:0; RULEID:; SRVR:SN2PR0801MB557;
x-forefront-prvs: 087894CD3C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(479174004)(377454003)(13464003)(53754006)(24454002)(83716003)(106116001)(189998001)(5001770100001)(107886002)(75432002)(19580395003)(99286002)(82746002)(88552002)(19580405001)(2906002)(122556002)(10400500002)(33656002)(90282001)(77096005)(2950100001)(15975445007)(1096002)(2900100001)(3280700002)(1220700001)(3660700001)(36756003)(5008740100001)(87936001)(11100500001)(92566002)(6116002)(102836003)(586003)(54356999)(86362001)(16601075003)(81166005)(2501003)(50986999)(5002640100001)(76176999)(5004730100002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN2PR0801MB557;; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2016 18:46:07.3083 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 78ea4b46-9f08-4ef5-949b-2dae057c55d8
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR0801MB557
Archived-At: <>
Subject: Re: [VoT] How to express duplicate checks with VoT?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Vectors of Trust discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 11 Mar 2016 18:46:15 -0000

Rolf, are your RPs use cases ever approaching the last level that Joanne mentions below?  Hopefully not...


On 3/10/16, 6:56 PM, "vot on behalf of Joanne Knight" < on behalf of>; wrote:

>Hi All
>There are three aspect or levels when looking at uniqueness to be considered.
>First level is that the identity is unique - that is, within a context there is a set of attributes that are unique for each identity registered.
>Second level is sole claimant - this is a check that only one entity has claimed a particular set of attributes. At the higher levels of identity proofing where authoritative sources are used it may be possible to achieve this. This is sufficient in most RPs cases. At this level while it is possible for a single entity to claim more than one identity, they do so at the risk of causing a counter-fraud flag should the real owner (or any other party) also attempt to claim the identity.
>The final level is one and only one - This is a check - usually biometric - that an entity has only one claim in the context. This is usually only reserved for the highest level of identity and would also require equally high levels of credential and credential issuance processes.
>As to how this relates to VoT - 
>The first should be innately built into all levels of P - it is the sole requirement of all levels
>The second could be built into P3 if the wording was amended slightly.
>The last item only is substantively missing and to date (in the conversations I have been having elsewhere) there has been insufficient appetite to add it as an explicit requirement. 
>Should we have a PU? Maybe, but steer clear of the term 'unique'
>If we do, in my mind it would only have two values - P?0 - Claims per entity not checked, P?1 - Claims per entity restricted to one.
>-----Original Message-----
>From: Rolf Brugger [] 
>Sent: Friday, 11 March 2016 5:51 a.m.
>Subject: [VoT] How to express duplicate checks with VoT?
>Hi all,
>I'm new to this list and I hope my question is not totally irrelevant here.
>We have plenty of use cases where RPs need to have confidence, that a person does not have multiple identities in one IdP. I don't see how this aspect of identity quality can be expressed, and I believe it is pretty orthogonal to the P, C, M and A dimensions that are currently specified in the VoT draft.
>We could imagine multiple ways to gradually prove that an identity has been checked against duplicates. The most straightforward approach would be to make sure that unique personal attributes are used only once within one IdP or an IdP federation, like
>- email address(es)
>- mobile phone number
>- home postal address
>- social security number
>- ID / passport number
>- the combination of name and birth date
>- etc.
>Would it make sense to express this in VoT?
>best regards
>Rolf Brugger, project Swiss edu-ID
>Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 15, direct +41 44 268 15 89,
>vot mailing list