...

Class 2 – Minimum Internet Grade Credentials

Examples: College transcripts, professional credentials, loyalty credentials

  • Attributes of Class:
    • Credentials covered under minimum guidance of the ToIP Foundation: Includes most unregulated verifiable claims
  • Example credentials: College degree credentials, non-title provenance claims
  • Credential defined in a Governance Framework at a stated level of assurance: Yes at Class 2
  • The degree of commensurate assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key (early OMB guidance): Level 2
  • The degree of authentication of data that is performed on the contents of a verifiable credential: Authentication Procedures are in place and self-asserted
  • The security and protection of the wallet containing the credential: ToIP Compliant Wallet Optional
  • The security and availability of a registry containing the credential (if not held in a wallet): Moderate controls identified in Class 2 Credential Policy
  • The security and availability of the public key in a credential for verification purposes: Moderate controls identified in Class 2 Credential Policy
  • The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: Moderate controls identified in Class 2 Credential Policy
  • The asserted policies of the Issuer: Class 2 Credential Policy
  • The degree that practices that meet the Issuer policies are part of a trust assurance scheme: A Defined Trust Assurance Framework
  • The rigor of a trust assurance scheme of the ecosystem that governs the credential: Self-Assertion by ecosystem roles
  • US Federal PKI equivalence: Basic Assurance
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL2, AAL1, FAL1
    • PCTF: Level 2
    • eIDAS: Between low and substantial
    • Vectors of Trust: P2, Ce, Mb, Ab?

Class 3 – Asset Value Grade Credentials

Examples: Digital driver's license, bank transfer credentials, title claims

  • Attributes of Class:
    • Identity Credential Used for Asset Transfer such as digital driver's license, passport or bank identity credential, title claims
  • Credential defined in a Governance Framework at a stated level of assurance: Yes at Class 3
  • The degree of commensurate assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key (early OMB guidance): Level 3
  • The degree of authentication of data that is performed on the contents of a verifiable credential: Authentication Procedures are in place, asserted and attested by a third party
  • The security and protection of the wallet containing the credential: ToIP Compliant Wallet Required (Layer2)
  • The security and availability of a registry containing the credential (if not held in a wallet): Medium level controls identified in Class 3 Credential Policy
  • The security and availability of the public key in a credential for verification purposes: Medium level controls identified in Class 3 Credential Policy
  • The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: Medium level controls identified in Class 3 Credential Policy
  • The asserted policies of the Issuer: Class 3 Credential Policy
  • The degree that practices that meet the Issuer policies are part of a trust assurance scheme: A Defined Trust Assurance Framework
  • The rigor of a trust assurance scheme of the ecosystem that governs the credential: Assertion by ecosystem roles and attestation by independent third party
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL2, AAL2, FAL2
    • PCTF: Level 3
    • eIDAS: Substantial
    • Vectors of Trust: P2, Cf, Mc, Ac?

Class 4 – High Assurance Grade Credentials

Examples: Clearance credentials, Military operations, access to Coke recipe.

  • Attributes of Class:
    • Identity Credential Used for High Assurance, High Value, Sensitive Purposes
  • Credential defined in a Governance Framework at a stated level of assurance: Yes at Class 4
  • The degree of commensurate assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key (early OMB guidance): Level 4
  • The degree of authentication of data that is performed on the contents of a verifiable credential: Authentication Procedures are in place, asserted and attested by a third party and certified by a recognized certification body
  • The security and protection of the wallet containing the credential: ToIP Compliant Wallet Required (Layer2) that is FIPS 140-2 3 compliant
  • The security and availability of a registry containing the credential (if not held in a wallet): High level controls identified in Class 4 Credential Policy
  • The security and availability of the public key in a credential for verification purposes: High level controls identified in Class 4 Credential Policy
  • The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential: High level controls identified in Class 4 Credential Policy
  • The asserted policies of the Issuer: Class 4 Credential Policy
  • The degree that practices that meet the Issuer policies are part of a trust assurance scheme: A Defined Trust Assurance Framework
  • The rigor of a trust assurance scheme of the ecosystem that governs the credential: Assertion by ecosystem roles and attestation by independent third party and certified by a recognized certification body
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL3, AAL3, FAL3
    • PCTF: Level 4
    • eIDAS: High
    • Vectors of Trust: P3, Cf, Mc, Ad?

...