...

In the context of today's Internet traffic, transactions are mostly untrusted, which has led to digital identity theft, spoofing, man-in-the-middle attacks and ransomware. The advent of verifiable credentials brings the promise of a more trustworthy infrastructure for reliable transactions. When that infrastructure is combined with other trust assurance elements, verifiable credentials can be highly trustworthy and relied upon for a myriad of transformative digital applications.

The concept of classes for credentials is far from new. Back in the late 1990s the US Office of Management and Budget (OMB) issued guidance that defined four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of credentials. Level 1 is the lowest assurance level, and Level 4 is the highest. The OMB guidance defined the required level of authentication assurance in terms of the likely consequences of an authentication error: as the consequences of an authentication error become more serious, the required level of assurance increases. The OMB guidance provided US Federal agencies with the criteria for determining the level of authentication assurance required for specific applications and transactions, based on the risks of each application or transaction and their likelihood of occurrence.

An example of assigning class levels to digital credentials exists for the SSL/TLS certificates that encrypt traffic between clients and web servers. Classes of server authentication certificates have been established as follows:

  • Class 1 Certificates are considered to be low assurance, as the verification method simply confirms that the Subscriber controls the asserted email address. No verification checks of the Subscriber’s identity are performed. This level of validation is referred to as Domain Validation (DV). 
  • Class 2 Certificates are considered to be medium assurance. They provide a greater level of assurance over Class 1 Certificates, because in addition to email address control, basic verification steps are performed to confirm the identity of the Subscriber. This level of validation is referred to as Organization Validation (OV). The following Certificate types qualify as Class 2 Certificates:
    • Standard SSL
    • Wildcard SSL
    • Code Signing
    • Document Signing
  • Class 3 Certificates provide a high level of assurance. They are issued only after rigorous validation of the identity of the Subscriber. This level of validation is referred to as Extended Validation (EV). The following Entrust Certificate types qualify as Class 3 Certificates:
    • EV SSL
    • EV Code Signing
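
The DV/OV/EV class of a publicly trusted TLS certificate is not just a marketing label: it is carried inside the certificate as a policy OID in the certificatePolicies extension, using the CA/Browser Forum reserved OIDs 2.23.140.1.2.1 (DV), 2.23.140.1.2.2 (OV), 2.23.140.1.2.3 (IV) and 2.23.140.1.1 (EV). The following Python is an added example, not code from the page's author or from Entrust. It decodes the DER-encoded certificatePolicies extension value with the standard library only, maps the policy OIDs to the validation class, and cross-checks the class against the certificate subject (an OV or EV certificate must carry an Organization name; a DV certificate must not). The extension byte strings and subjects are constructed for this example; the 2.999.1 OID is the ITU-T reserved example OID standing in for a CA-specific policy OID.

```python
"""Classify a TLS certificate as DV/OV/EV from its certificatePolicies extension (added example)."""

# CA/Browser Forum Baseline Requirements policy OIDs (real values).
CABF_POLICIES = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}
# Assurance order used when a certificate lists more than one CA/B Forum OID.
ASSURANCE_ORDER = ["DV", "IV", "OV", "EV"]


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in content:  # each sub-identifier is base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]  # the first two arcs are packed into one sub-identifier
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def policy_oids(ext_value: bytes) -> list:
    """Return the policy OIDs from a DER certificatePolicies extension value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, policy_info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_content, _ = _read_tlv(policy_info, 0)  # policyIdentifier comes first
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_content))
    return oids


def classify(ext_value: bytes) -> str:
    """Map the CA/B Forum policy OIDs to a validation class; 'unknown' if none is present."""
    levels = [CABF_POLICIES[o] for o in policy_oids(ext_value) if o in CABF_POLICIES]
    if not levels:
        return "unknown"
    return max(levels, key=ASSURANCE_ORDER.index)


def subject_consistent(level: str, subject: dict) -> bool:
    """OV/EV certificates must name an Organization (O); DV certificates must not."""
    has_org = bool(subject.get("O"))
    if level in ("OV", "EV", "IV"):
        return has_org
    if level == "DV":
        return not has_org
    return False


# Constructed sample extension values (DER), not taken from any real certificate.
DV_POLICIES = bytes.fromhex("300A30080606" "67810C010201")            # { 2.23.140.1.2.1 }
EV_POLICIES = bytes.fromhex("3010" "300706056781" "0C0101" "30050603883701")  # { 2.23.140.1.1, 2.999.1 }
NO_CABF = bytes.fromhex("3005" "30030601" "01")                          # { 1.1 } only

if __name__ == "__main__":
    for name, ext, subject in [
        ("dv", DV_POLICIES, {"CN": "example.test"}),
        ("ev", EV_POLICIES, {"CN": "example.test", "O": "Example Org"}),
        ("none", NO_CABF, {"CN": "example.test"}),
    ]:
        level = classify(ext)
        print(name, policy_oids(ext), level, "subject ok" if subject_consistent(level, subject) else "MISMATCH")
```

A practical use is a pre-deployment or inventory check: a certificate that claims OV but carries no Organization name, or one with no CA/B Forum policy OID at all, should be treated as unverified rather than as the class its vendor advertises.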

The US National Institute of Standards and Technology (NIST) has more recently published (https://pages.nist.gov/800-63-3/sp800-63-3.html) generally accepted assurance classes for identity credentials. Digital identity as a legal identity further complicates the definition and use of digital identities across a range of social and economic use cases. Digital identity is hard. Proving someone is who they say they are, especially remotely via a digital service, is fraught with opportunities for an attacker to successfully impersonate someone. The standards associated with identity assurance create a solid model for other claims made in a verifiable credential.

...