...
In the context of today's Internet traffic, transaction are mostly untrusted which has led to digital identity theft, spoofing, man in the middle attacks and ransomware. The advent of verifiable credentials brings the promise of a more trustworthy infrastructure for reliable transactions. When that infrastructure is combined with other trust assurance elements, verifiable credentials can be highly trustworthy and relied upon for a myriad of transformative digital applications.
An example of assigning class levels to digital credentials exist for SSL/TLS certificates that encrypt traffic from clients to web servers to protect web traffic. Classes of server authentication certificates have ben established as follows:
- Class 1 Certificates are considered to be low assurance, as the verification method simply confirms that the Subscriber controls the asserted email address. No verification checks of the Subscriber’s identity are performed. This level of validation is referred to as Domain Validation (DV).
- Class 2 Certificates are considered to be medium assurance. They provide a greater level of assurance over Class 1 Certificates, because in addition to email address control, basic verification steps are performed to confirm the identity of the Subscriber. This level of validation is referred to as Organization Validation (OV). The following Certificate types qualify as Class 2 Certificates:
- Standard SSL
- Wildcard SSL
- Code Signing
- Document Signing
- Class 3 Certificates provide a high level of assurance. They are issued only after rigorous validation of the identity of the Subscriber. This level of validation is referred to as Extended Validation (EV). The following Entrust Certificate types qualify as Class 3 Certificates:
- EV SSL
- EV Code Signing
The US National Institute of Standards (NIST) has published (https://pages.nist.gov/800-63-3/sp800-63-3.html) generally accepted associated classes as it relates to identity credentials. Digital identity as a legal identity further complicates the definition and ability to use digital identities across a range of social and economic use cases. Digital identity is hard. Proving someone is who they say they are — especially remotely, via a digital service — is fraught with opportunities for an attacker to successfully impersonate someone. The standards associated with identity assurance create a solid model for other claims made in a verifiable credential
...