...

The concept of classes for credentials is far from new. In the late 1990s the US Office of Management and Budget issued guidance, OMB M-04-04, which defined four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of identification credentials:

  • Level 1 - Little or no confidence in the asserted identity’s validity;
  • Level 2 - Some confidence in the asserted identity’s validity;
  • Level 3 - High confidence in the asserted identity’s validity; and
  • Level 4 - Very high confidence in the asserted identity’s validity.

...

In order to define discrete classes of verifiable transactions, it is key to identify the variables that make a credential more trustworthy. The following factors are embodied in the class definitions:

  • Credential defined in a Governance Framework at a stated level of assurance
  • The degree of assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key
  • The degree of authentication of data that is performed on the contents of a verifiable credential
  • The security and protection of the wallet containing the credential
  • The security and availability of a registry containing the credential (if not held in a wallet)
  • The security and availability of the public key in a credential for verification purposes
  • The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential
  • The asserted policies of the Issuer
  • The degree that practices that meet the Issuer policies are part of a trust assurance scheme
  • The rigor of a trust assurance scheme of the ecosystem that governs the credential


Proposed Classes of Verifiable Credentials

The next sections on this page present the proposed classes of credentials under Trust over IP guidance.

Class 1 – Untrusted Credentials

Attribute of class: Credentials that are not under standard or ToIP guidance

...

  • Credential defined in a Governance Framework at a stated level of assurance: No
  • The degree of commensurate assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key: No assurance (early OMB guidance: Level 1)
  • The degree of authentication of data that is performed on the contents of a verifiable credential: None
  • The security and protection of the wallet containing the credential: None
  • The security and availability of a registry containing the credential (if not held in a wallet): No controls
  • The security and availability of the public key in a credential for verification purposes: No requirements
  • The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: No requirements
  • The asserted policies of the Issuer: No requirements
  • The degree that practices that meet the Issuer policies are part of a trust assurance scheme: No trust assurance scheme
  • The rigor of a trust assurance scheme of the ecosystem that governs the credential: No trust assurance scheme
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL1, AAL1, FAL1
    • PCTF: Level 1
    • eIDAS: Low
    • Vectors of Trust: P0, C0, Ma, Aa

Class 2 – Minimum Internet Grade Credentials

Examples: College transcripts, professional credentials, loyalty credentials

  • Attributes of Class:
    • Credentials covered under minimum guidance of the ToIP Foundation: Includes most unregulated verifiable claims
  • Example credentials: College degree credentials, non-title provenance claims
  • Credential defined in a Governance Framework at a stated level of assurance: Yes at Class 2
  • The degree of commensurate assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key: Moderate Assurance (early OMB guidance: Level 2)
  • The degree of authentication of data that is performed on the contents of a verifiable credential: Authentication Procedures are in place and self-asserted
  • The security and protection of the wallet containing the credential: ToIP Compliant Wallet Optional
  • The security and availability of a registry containing the credential (if not held in a wallet): Moderate controls identified in Class 2 Credential Policy
  • The security and availability of the public key in a credential for verification purposes: Moderate controls identified in Class 2 Credential Policy
  • The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: Moderate controls identified in Class 2 Credential Policy
  • The asserted policies of the Issuer: Class 2 Credential Policy
  • The degree that practices that meet the Issuer policies are part of a trust assurance scheme: A Defined Trust Assurance Framework
  • The rigor of a trust assurance scheme of the ecosystem that governs the credential: Self-Assertion by ecosystem roles
  • US Federal PKI equivalence: Basic Assurance
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL2, AAL1, FAL1
    • PCTF: Level 2
    • eIDAS: Between low and substantial
    • Vectors of Trust: P2, Ce, Mb, Ab?

Class 3 – Asset Value Grade Credentials

Examples: Digital driver's license, bank transfer credentials. Title claims

  • Attributes of Class:
    • Identity Credential Used for Asset Transfer such as digital driver's license, passport or bank identity credential, title claims
  • Credential defined in a Governance Framework at a stated level of assurance: Yes at Class 3
  • The degree of commensurate assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key: Medium Assurance (early OMB guidance: Level 3)
  • The degree of authentication of data that is performed on the contents of a verifiable credential: Authentication Procedures are in place, asserted and attested by a third party
  • The security and protection of the wallet containing the credential: ToIP Compliant Wallet Required (Layer2)
  • The security and availability of a registry containing the credential (if not held in a wallet): Medium level controls identified in Class 3 Credential Policy
  • The security and availability of the public key in a credential for verification purposes: Medium level controls identified in Class 3 Credential Policy
  • The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: Medium level controls identified in Class 3 Credential Policy
  • The asserted policies of the Issuer: Class 3 Credential Policy
  • The degree that practices that meet the Issuer policies are part of a trust assurance scheme: A Defined Trust Assurance Framework
  • The rigor of a trust assurance scheme of the ecosystem that governs the credential: Assertion by ecosystem roles and attestation by independent third party
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL2, AAL2, FAL2
    • PCTF: Level 3
    • eIDAS: Substantial
    • Vectors of Trust: P2, Cf, Mc, Ac?

Class 4 – High Assurance Grade Credentials

Examples: Clearance credentials, Military operations, access to Coke recipe.

  • Attributes of Class:
    • Identity Credential Used for High Assurance, High Value, Sensitive Purposes
  • Credential defined in a Governance Framework at a stated level of assurance: Yes at Class 4
  • The degree of commensurate assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key: High Assurance (early OMB guidance: Level 4)
  • The degree of authentication of data that is performed on the contents of a verifiable credential: Authentication Procedures are in place, asserted and attested by a third party and certified by a recognized certification body
  • The security and protection of the wallet containing the credential: ToIP Compliant Wallet Required (Layer2) that is FIPS 140-2 3 compliant
  • The security and availability of a registry containing the credential (if not held in a wallet): High level controls identified in Class 4 Credential Policy
  • The security and availability of the public key in a credential for verification purposes: High level controls identified in Class 4 Credential Policy
  • The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: High level controls identified in Class 4 Credential Policy
  • The asserted policies of the Issuer: Class 4 Credential Policy
  • The degree that practices that meet the Issuer policies are part of a trust assurance scheme: A Defined Trust Assurance Framework
  • The rigor of a trust assurance scheme of the ecosystem that governs the credential: Assertion by ecosystem roles and attestation by independent third party and certified by a recognized certification body
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL3, AAL3, FAL3
    • PCTF: Level 4
    • eIDAS: High
    • Vectors of Trust: P3, Cf, Mc, Ad?
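The four class definitions above share one structure: a credential only earns a class if every factor meets that class's bar, so its effective class is set by its weakest factor. The following verifier-side check is an added example, not code from the ToIP page or the Foundation; the factor names, the ordinal scales used to encode each factor, and the sample credential profiles are assumptions chosen to express the page's text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CredentialProfile:
    """Ordinal encoding of the page's factors (scales are this example's assumption)."""
    governance_class: int   # class stated in the Governance Framework; 0 = not defined in one
    key_binding_level: int  # OMB M-04-04 level of signer-key-to-holder binding, 1..4
    content_auth: int       # 0 none, 1 self-asserted, 2 attested by third party, 3 certified
    wallet: int             # 0 no wallet, 1 non-ToIP wallet, 2 ToIP compliant (Layer 2), 3 ToIP + FIPS 140-2
    trust_assurance: int    # 0 none, 1 self-assertion by ecosystem roles, 2 independent attestation, 3 certified

# Minimum value each factor must reach for Class 1..4, transcribed from the class definitions above.
# Class 1 and 2 place no wallet requirement (Class 2 says a ToIP compliant wallet is optional).
REQUIREMENTS = {
    1: CredentialProfile(0, 1, 0, 0, 0),
    2: CredentialProfile(2, 2, 1, 0, 1),
    3: CredentialProfile(3, 3, 2, 2, 2),
    4: CredentialProfile(4, 4, 3, 3, 3),
}

# "Mapped Level to other Standards" rows from the page.
STANDARDS_MAP = {
    1: {"NIST 800-63-3": "IAL1, AAL1, FAL1", "PCTF": "Level 1", "eIDAS": "Low"},
    2: {"NIST 800-63-3": "IAL2, AAL1, FAL1", "PCTF": "Level 2", "eIDAS": "Between low and substantial"},
    3: {"NIST 800-63-3": "IAL2, AAL2, FAL2", "PCTF": "Level 3", "eIDAS": "Substantial"},
    4: {"NIST 800-63-3": "IAL3, AAL3, FAL3", "PCTF": "Level 4", "eIDAS": "High"},
}

def shortfalls(profile: CredentialProfile, target_class: int) -> list:
    """Names of the factors on which `profile` falls below the bar for `target_class`."""
    req = REQUIREMENTS[target_class]
    return [f for f in vars(req) if getattr(profile, f) < getattr(req, f)]

def effective_class(profile: CredentialProfile) -> int:
    """Highest class with no shortfall: the weakest factor caps the class (Class 1 always holds)."""
    return max(c for c in REQUIREMENTS if not shortfalls(profile, c))

def accept(profile: CredentialProfile, required_class: int) -> tuple:
    """Verifier decision for a transaction that requires `required_class`, with reasons for a refusal."""
    cls = effective_class(profile)
    return (cls >= required_class, cls, shortfalls(profile, required_class))

if __name__ == "__main__":
    # Constructed sample: issued under a Class 3 policy with third-party attestation,
    # but presented from a wallet that is not ToIP compliant, so it only reaches Class 2.
    licence = CredentialProfile(3, 3, 2, 1, 2)
    ok, cls, missing = accept(licence, 3)
    print(f"accepted={ok} effective_class={cls} shortfalls={missing} maps_to={STANDARDS_MAP[cls]}")
```

A refusal is logged with the failing factors rather than a bare class number, which is what an operator needs to see whether the gap is on the issuer side (policy, attestation) or the holder side (wallet).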

...