...

In addition to the NIST levels above, other standards have addressed levels of assurance that can be applied to the classes of verifiable credentials:

Pan-Canadian Trust Framework (PCTF) Levels of Assurance (LOA) Qualifiers
The current version of the PCTF conformance criteria uses the four Pan-Canadian Levels of Assurance (LOA):

  • Level 1: little or no confidence required
  • Level 2: some confidence required
  • Level 3: high confidence required
  • Level 4: very high confidence required

eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. eIDAS has established level of assurance qualifiers which can be used in verifiable credential classification. eIDAS qualifiers may be based on the three levels of assurance defined by European Regulation No 910/2014 on electronic identification and trust services for electronic transactions:

...

Classes below also consider Vectors of Trust, a proposed IETF standard (RFC 8485, October 2018). Currently, the VoT proposal consists of four components that may be used as qualifiers:

  • Identity Proofing (P): describes how likely it is that a given digital identity transaction corresponds to a particular, real-world identity
    • P0: No proofing is done, and data is not guaranteed to be persistent across sessions
    • P1: Attributes are self-asserted but consistent over time, potentially pseudonymous
    • P2: Identity has been proofed either in person or remotely using trusted mechanisms (such as social proofing)
    • P3: There is a binding relationship between the identity provider and the identified party (such as signed/notarized documents and employment records)
  • Primary Credential Usage (C): defines how strongly the primary credential can be verified. The primary credential usage component of this vector definition represents distinct categories of primary credential that MAY be used together in a single transaction, so multiple distinct values from this category MAY be used in a single transaction.
    • C0: No credential is used / anonymous public service
    • Ca: Simple session HTTP cookies (with nothing else)
    • Cb: Known device, such as those indicated through device posture or device management systems
    • Cc: Shared secret, such as a username and password combination
    • Cd: Cryptographic proof of key possession using shared key
    • Ce: Cryptographic proof of key possession using asymmetric key
    • Cf: Sealed hardware token / keys stored in a trusted platform module
    • Cg: Locally verified biometric
  • Primary Credential Management (M): conveys information about the expected lifecycle of the primary credential in use, including its binding, rotation, and revocation. The primary credential management component of this vector definition represents distinct categories of management that MAY be considered separately or together in a single transaction. Many trust framework deployments MAY use a single value for this component as a baseline for all transactions and thereby omit it. Multiple distinct values from this category MAY be used in a single transaction.
    • Ma: Self-asserted primary credentials (user chooses their own credentials and must rotate or revoke them manually) / no additional verification for primary credential issuance or rotation
    • Mb: Remote issuance and rotation / use of backup recover credentials (such as email verification) / deletion on user request
    • Mc: Full proofing required for each issuance and rotation / revocation on suspicious activity
  • Assertion Presentation (A): defines how well the credential information can be communicated across the network without information leaking to unintended parties and without spoofing. The assertion presentation component of this vector definition represents distinct categories of assertion that are RECOMMENDED to be used in a subsumptive manner but MAY be used together. Multiple distinct values from this category MAY be used in a single transaction.
    • Aa: No protection / unsigned bearer identifier (such as an HTTP session cookie in a web browser)
    • Ab: Signed and verifiable assertion, passed through the user agent (web browser)
    • Ac: Signed and verifiable assertion, passed through a back channel
    • Ad: Assertion encrypted to the RP's key
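As an added example that is not part of the original page, the following Python parses an RFC 8485 vector string such as P1.Cc.Ab into its four components, restricted to the values listed above, and checks it against a class requirement. The HIGH_CLASS thresholds and the rule that a vector without a P component counts as P0 are assumptions made for illustration, not a mapping defined by RFC 8485, the PCTF or eIDAS.

```python
import re

# Component letters and the values the page lists for each (RFC 8485 vocabulary).
# Any other letter or value is rejected (an assumption of this example, so that
# typos such as "P5" or "Ch" fail closed rather than silently passing).
VOT_VALUES = {
    "P": set("0123"),      # Identity Proofing, ordinal: P0 < P1 < P2 < P3
    "C": set("0abcdefg"),  # Primary Credential Usage, categories; several may co-occur
    "M": set("abc"),       # Primary Credential Management, categories; often omitted
    "A": set("abcd"),      # Assertion Presentation, categories
}
COMPONENT = re.compile(r"^([PCMA])([0-9a-z])$")


def parse_vot(vector):
    """Parse a dotted vector such as 'P1.Cc.Ab' into {component: set(values)}.
    Raises ValueError on an unknown component letter or an unlisted value."""
    parsed = {letter: set() for letter in VOT_VALUES}
    for part in vector.split("."):
        match = COMPONENT.match(part)
        if not match or match.group(2) not in VOT_VALUES[match.group(1)]:
            raise ValueError(f"invalid VoT component: {part!r}")
        parsed[match.group(1)].add(match.group(2))
    return parsed


def meets_class(vector, requirement):
    """Check a vector against a class requirement (all keys optional).
    "P": minimum proofing level (int); a vector without P counts as P0 (assumption).
    "C", "M", "A": sets of acceptable values, satisfied when at least one of
    the vector's values for that component is in the set. A component the
    requirement omits is unconstrained."""
    v = parse_vot(vector)
    best_p = max((int(x) for x in v["P"]), default=0)
    if best_p < requirement.get("P", 0):
        return False
    for comp in "CMA":
        allowed = requirement.get(comp)
        if allowed is not None and not (v[comp] & allowed):
            return False
    return True


# Constructed, illustrative requirement for a "high confidence" class: proofing
# in person or via trusted mechanisms (P2+), an asymmetric-key or hardware
# credential (Ce/Cf) and a signed or encrypted assertion (Ab/Ac/Ad).
HIGH_CLASS = {"P": 2, "C": {"e", "f"}, "A": {"b", "c", "d"}}
```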


In order to define discrete classes of verifiable transactions, it is key to identify the variables that make a credential more trustable. The following are factors embodied in the class definitions:

    ...