In order to be properly relied upon, every verifiable credential must be associated with a stated level of assurance. Since there are infinite variables in play to determine the level of assurance to be assumed, it is best to classify verifiable credentials in discrete class levels. This will allow a set of policies, practices and infrastructure to be defined and associated with specific classes. In the pre-verifiable credential world of the internet, a variety of different class structures are loosely defined depending on where a credential is stored and the level of authentication used on the contents of a digital certificate. Multi-factor verification techniques are also used to upgrade amorphous classes of certificates and traffic. All Internet transactions and Verifiable Credentials have different purposes.

In the context of today's Internet traffic, transactions are mostly untrusted, which has led to digital identity theft, spoofing, man-in-the-middle attacks and ransomware. The advent of verifiable credentials brings the promise of a more trustworthy infrastructure for reliable transactions. When that infrastructure is combined with other trust assurance elements, verifiable credentials can be highly trustworthy and relied upon for a myriad of transformative digital applications.

The concept of classes for credentials is far from new. Back in the late 1990s, the US Office of Management and Budget issued guidance, OMB M-04-04, which defined four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of identification credentials:

The OMB guidance defined the required level of authentication assurance in terms of the likely consequences of an authentication error. As the consequences of an authentication error become more serious, the required level of assurance increases. The OMB guidance provided US Federal agencies with the criteria for determining the level of authentication assurance required for specific applications and transactions, based on the risks of each application or transaction and their likelihood of occurrence.

An example of assigning class levels to digital credentials exists for SSL/TLS certificates that encrypt traffic from clients to web servers to protect web traffic. Classes of server authentication certificates have been established as follows:

NIST has more recently published (https://pages.nist.gov/800-63-3/sp800-63-3.html) generally accepted classes as they relate to identity credentials. Digital identity as a legal identity further complicates the definition and ability to use digital identities across a range of social and economic use cases. Digital identity is hard. Proving someone is who they say they are — especially remotely, via a digital service — is fraught with opportunities for an attacker to successfully impersonate someone. The standards associated with identity assurance create a solid model for other claims made in a verifiable credential.

The components of identity assurance detailed in the NIST guidelines are as follows:

Identity proofing establishes that a subject is who they claim to be. The process of identity proofing can be translated to other claims made in a verifiable credential. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity. For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same as that which accessed the service previously. This directly translates to the usage of verifiable credentials.

In addition to the NIST levels above, other standards have addressed levels of assurance that are applied to the classes of verifiable credentials:

Pan-Canadian Trust Framework (PCTF) Levels of Assurance (LOA) Qualifiers: The current version of the PCTF conformance criteria uses the four Pan-Canadian Levels of Assurance (LOA):

eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. eIDAS has established Level of Assurance qualifiers which can be used in verifiable credential classification. eIDAS qualifiers may be based on the three levels of assurance defined by the European Regulation No 910/2014 on electronic identification and trust services for electronic transactions:

Classes below also consider Vectors of Trust, a proposed IETF standard (RFC 8485, October 2018). Currently, the VoT proposal consists of four components that may be used as qualifiers:

In order to define discrete classes of verifiable transactions, it is key to identify the variables that make a credential more trustable.  The following are factors embodied in the class definitions:

Proposed Classes of Verifiable Credentials

The next sections on this page present the proposed classes of credentials under Trust over IP guidance.

Class 1 – Untrusted Credentials

Attribute of class: Credentials that are not under standard or ToIP guidance

Examples: Peer to peer transactions, convenience credentials

Class 2 – Minimum Internet Grade Credentials

Examples: College transcripts, professional credentials, loyalty credentials

Class 3 – Asset Value Grade Credentials

Examples: Digital driver's license, bank transfer credentials, title claims

Class 4 – High Assurance Grade Credentials

Examples: Clearance credentials, Military operations, access to Coke recipe.