
Purpose

In order to be properly relied upon, every verifiable credential must be associated with a stated level of assurance. Since there are infinite variables in play to determine the level of assurance to be assumed, it is best to classify verifiable credentials in discrete class levels. This will allow a set of policies, practices and infrastructure to be defined and associated with specific classes. In the pre-verifiable credential world of the internet, a variety of different class structures are loosely defined depending on where a credential is stored and the level of authentication used on the contents of a digital certificate. Multi-factor verification techniques are also used to upgrade amorphous classes of certificates and traffic. All Internet transactions and Verifiable Credentials have different purposes.

In the context of today's Internet traffic, transactions are mostly untrusted, which has led to digital identity theft, spoofing, man-in-the-middle attacks and ransomware. The advent of verifiable credentials brings the promise of a more trustworthy infrastructure for reliable transactions. When that infrastructure is combined with other trust assurance elements, verifiable credentials can be highly trustworthy and relied upon for a myriad of transformative digital applications.

In order to define discrete classes of verifiable transactions, it is key to identify the variables that make a credential more trustworthy. The following factors are embodied in the class definitions:


  • Credential defined in a Governance Framework at a stated level of assurance
  • The degree of assurance that the public key of the signer in a verifiable credential is matched to the possessor of the private key
  • The degree of authentication of data that is performed on the contents of a verifiable credential
  • The security and protection of the wallet containing the credential
  • The security and availability of a registry containing the credential (if not held in a wallet)
  • The security and availability of the public key in a credential for verification purposes
  • The trustworthiness of the personnel and infrastructure of the Issuer of a verifiable credential
  • The asserted policies of the Issuer
  • The degree to which practices that meet the Issuer's policies are part of a trust assurance scheme
  • The rigor of a trust assurance scheme of the ecosystem that governs the credential


Class 1 – Untrusted

  • Attributes of Class:
    • Transactions that are not governed by any ecosystem
  • Examples of Transactions: Peer to Peer Communication
  • Examples of Verifiable Credentials
  • Governance Mechanisms
  • Underlying Infrastructure
  • Trust Assurance Practices
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL1, AAL1, FAL?
    • PCTF: Level 1


Class 2 – Minimum Internet Grade

  • Attributes of Class:
    • Minimum Level of Assurance Covered by ToIP Foundation Guidance
  • Examples of Transactions: Identity Credential Used for non-Asset Transfer
  • Examples of Verifiable Credentials
  • Governance Mechanisms
  • Underlying Infrastructure
  • Trust Assurance Practices
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL2, AAL2, FAL?
    • PCTF: Level 2
    • eIDAS: Simple

Class 3 – Asset Value Grade

  • Attributes of Class:
    • Identity Credential Used for Asset Transfer
  • Examples of Transactions: AML/CFT
  • Examples of Verifiable Credentials
  • Governance Mechanisms
  • Underlying Infrastructure
  • Trust Assurance Practices
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL2, AAL3, FAL?
    • PCTF: Level 3
    • eIDAS: Qualified

Class 4 – High Assurance Grade

  • Attributes of Class:
  • Examples of Transactions:
  • Examples of Verifiable Credentials
  • Governance Mechanisms
  • Underlying Infrastructure
  • Trust Assurance Practices
  • Mapped Level to other Standards:
    • NIST 800-63-3: IAL3, AAL3, FAL?
    • PCTF: Level 4
    • eIDAS: Qualified