For example, if the Attribute Provider generates the attribute value through a Derivation process, then the Attribute Provider would be the Data Origin. The key distinction between the Data Origin and the Attribute Provider is the act of initially generating, capturing, or provisioning the Attribute Value, rather than just asserting the attribute’s value to a Relying Party. Inclusion of the Data Origin metadata element provides the Relying Party with substantial insight, but at a potential cost to the individual, as it may also reveal additional information about the subject to whom the attribute value is bound.
For example, this value could reveal employment status and location, socio-economic information, or even health history, all of which may have unintended and potentially negative consequences. Selection and use of this metadata element should be carefully considered based on both authorization needs and Privacy Considerations.
For example, when leveraging attributes for access to moderate assurance level services that involve customers (i.e., non-enterprise users), it may be sufficient for the Relying Party to request an Attribute Value verification method without the origin element, which can reveal unnecessary information about a subject. The original source of the information may not be essential as long as the value has been verified using an acceptable method.