...
- Credential defined in a Governance Framework at a stated level of assurance
- The degree of assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key
- The degree of authentication of data that is performed on the contents of a verifiable credential
- The security and protection of the wallet containing the credential
- The security and availability of a registry containing the credential (if not held in a wallet)
- The security and availability of the public key in a credential for verification purposes
- The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential
- The asserted policies of the Issuer
- The degree that practices that meet the Issuer policies are part of a trust assurance scheme
- The rigor of a trust assurance scheme of the ecosystem that governs the credential
Class 1 – Untrusted Credentials
Attribute of class: Credentials that are not under standard or ToIP guidance
Examples: Peer to peer transactions, convenience credentials
- Credential defined in a Governance Framework at a stated level of assurance: No
- The degree of assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key: No assurance
- The degree of authentication of data that is performed on the contents of a verifiable credential: None
- The security and protection of the wallet containing the credential: None
- The security and availability of a registry containing the credential (if not held in a wallet): No controls
- The security and availability of the public key in a credential for verification purposes: No requirements
- The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: No requirements
- The asserted policies of the Issuer: No requirements
- The degree that practices that meet the Issuer policies are part of a trust assurance scheme: No trust assurance scheme
- The rigor of a trust assurance scheme of the ecosystem that governs the credential: No trust assurance scheme
- Mapped Level to other Standards:
- NIST 800-63-3: IAL1, AAL1, FAL1
- PCTF: Level 1
- eIDAS: Low
- Vectors of Trust: P0, C0, Ma, Aa
Class 2 – Minimum Internet Grade Credentials
- Attributes of Class:
- Credentials covered under minimum guidance of the ToIP Foundation: Includes most unregulated verifiable claims
- Example credentials: College degree credentials, non-title provenance claims
- Minimum Level of Assurance Covered by ToIP Foundation Guidance
- Examples of Transactions: Identity Credential Used for non-Asset Transfer
- Examples of Verifiable Credentials
- Governance Mechanisms
- Underlying Infrastructure
- Credential defined in a Governance Framework at a stated level of assurance: Yes at Class 2
- The degree of assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key: Moderate Assurance
- The degree of authentication of data that is performed on the contents of a verifiable credential: Authentication Procedures are in place and self-asserted
- The security and protection of the wallet containing the credential: ToIP Compliant Wallet Optional
- The security and availability of a registry containing the credential (if not held in a wallet): Moderate controls identified in Class 2 Credential Policy
- The security and availability of the public key in a credential for verification purposes: Moderate controls identified in Class 2 Credential Policy
- The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: Moderate controls identified in Class 2 Credential Policy
- The asserted policies of the Issuer: Class 2 Credential Policy
- The degree that practices that meet the Issuer policies are part of a trust assurance scheme: A Defined Trust Assurance Framework
- The rigor of a trust assurance scheme of the ecosystem that governs the credential: Self-Assertion by ecosystem roles; Trust Assurance Practices
- Mapped Level to other Standards:
- NIST 800-63-3: IAL2, AAL2AAL1, FAL?FAL1
- PCTF: Level 2
- eIDAS: Simple: Between low and substantial
- Vectors of Trust: P2, Ce, Mb, Ab?
Class 3 – Asset Value Grade Credentials
- Attributes of Class:
- Identity Credential Used for Asset Transfer
- Examples of Transactions: AML/CFT
- Examples of Verifiable Credentials: such as digital driver's license, passport or bank identity credential, title claims
- Governance Mechanisms
- Underlying Infrastructure
- Credential defined in a Governance Framework at a stated level of assurance: Yes at Class 3
- The degree of assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key: Medium Assurance
- The degree of authentication of data that is performed on the contents of a verifiable credential: Authentication Procedures are in place, asserted and attested by a third party
- The security and protection of the wallet containing the credential: ToIP Compliant Wallet Required (Layer2)
- The security and availability of a registry containing the credential (if not held in a wallet): Medium level controls identified in Class 3 Credential Policy
- The security and availability of the public key in a credential for verification purposes: Medium level controls identified in Class 3 Credential Policy
- The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: Medium level controls identified in Class 3 Credential Policy
- The asserted policies of the Issuer: Class 3 Credential Policy
- The degree that practices that meet the Issuer policies are part of a trust assurance scheme: A Defined Trust Assurance Framework
- The rigor of a trust assurance scheme of the ecosystem that governs the credential: Assertion by ecosystem roles and attestation by independent third party; Trust Assurance Practices
- Mapped Level to other Standards:
- NIST 800-63-3: IAL2, AAL3AAL2, FAL?FAL2
- PCTF: Level 3
- eIDAS: Qualified: Substantial
- Vectors of Trust: P2, Cf, Mc, Ac?
Class 4 – High Assurance Grade Credentials
- Attributes of Class:
- Examples of Transactions:
- Examples of Verifiable Credentials
- Governance Mechanisms
- Underlying Infrastructure
- Identity Credential Used for High Assurance, High Value, Sensitive Purposes
- Credential defined in a Governance Framework at a stated level of assurance: Yes at Class 4
- The degree of assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key: High Assurance
- The degree of authentication of data that is performed on the contents of a verifiable credential: Authentication Procedures are in place, asserted and attested by a third party and certified by a recognized certification body
- The security and protection of the wallet containing the credential: ToIP Compliant Wallet Required (Layer2) that is FIPS 140-2 3 compliant
- The security and availability of a registry containing the credential (if not held in a wallet): High level controls identified in Class 4 Credential Policy
- The security and availability of the public key in a credential for verification purposes: High level controls identified in Class 4 Credential Policy
- The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: High level controls identified in Class 4 Credential Policy
- The asserted policies of the Issuer: Class 4 Credential Policy
- The degree that practices that meet the Issuer policies are part of a trust assurance scheme: A Defined Trust Assurance Framework
- The rigor of a trust assurance scheme of the ecosystem that governs the credential: Assertion by ecosystem roles and attestation by independent third party and certified by a recognized certification body; Trust Assurance Practices
- Mapped Level to other Standards:
- NIST 800-63-3: IAL3, AAL3, FAL?FAL3
- PCTF: Level 4
- eIDAS: Qualified: High
- Vectors of Trust: P3, Cf, Mc, Ad?