14D/ Fusion: Leveraging Federated Identity to Scale Verified Credentials

From IIW

Fusion: Leveraging Federated Identity to Scale Verified Credentials


Wednesday 14D

Convener: Ken Klingenstein

Notes-taker(s): Judith Bush


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


We want to leverage not just federated credentials but federated trust to take advantage to verified credentials. If i am issuing an academic badge or certification: institution is issuing an assertion - you are a faculty member - and a domain of expertise. Can a student deposit a DID in an enterprise directory. When i as an institution want to mint a credential for a student, i as a human am authorized by the institution to issue that credential. As institutions we have built levels of assurance in what we do.


Global ID -- will verify an existing physical credential, could be issued by another organization and user.


GlobaliD is receiving attestations / credentials from external party and then issuing the, GlobaliD verifies they are a company … GlobaliD tries to bring in companies that meet the needs of different levels of assurance. The SSI element is a value to reduce PII. GlobaliD creates a bridge between verifiers and institutions that need the credentials checked. The consuming institution integrates with GlobalId, Globalid tries to work with the consuming institution to minimize the data from credentials that are not needed.


The credentials are issued by specific agencies, some credentials can be obtained from different agencies, create a schema, all agencies express the values in the schema, GlobaId can mediate….


Globalid has defined schema for things like Drivers License with some values optional -- because some DL don’t have expiration dates, for example. Then the agency will not report an expiry on Singapore - -trust the agency to have validated the DL even though there’s an absent expiry. Also encourage the consuming institution to simply accept that they could get access through the agency if needed but not require the access to all the data -- simply confirmation that the agency has the data .


European SSI laboratory eIDAS -- eIDAS was launched as the trans European cross border goverment ID -- verifiable credentials confirm the credential comes from assured place . “Seal of approval”


USE CASES

Fusion1.png


IMS Global -- syntax of badge

Fusion2.png


Fusion3.png

Verifying the issuing authority -- some challenges here. The organizational structure needs to decide if a particular individual can issue the credential.

Is the software for minting the credential assured?

A group of hospitals is trusted, an individual from the organization , issued the role, …

Do you trust the issuer and is the schema something you expect if you are automating this.

Global Legal Identifier Foundation -- that organization provides an id to act as a root of trust. Can give them a list of users who can issue. GLEIF … https://www.gleif.org/en/ https://www.gleif.org/en/about-lei/introducing-the-legal-entity-identifier-lei


REVOCATION


Is revocation an issue? It has come up with GlobaliD. However the relevance has gone away. “I no longer want to carry this credential.” “This has expired, no longer valid”

Is the credential still valid? (Individual not on watch list, eg) checked every day. Need to revoke the credential if the user shows up on the list. However, the organizations want to know if it’s checked -- instead Ongoing Verification.

Negative verified credentials? User will always provide access to the fact that a credential had been given to them. Is the absence of a specific credential a negative fact. Need the absence to not be a negative….


At Human Colossus : Whenever data is ported it’s linked to a credential with the consent and a life time, after which point at the data is invalidated.

Licenses need to support revocation?

80% credentials don’t need revocation.

Credential over 21 based on a license that has been revoked.

Duration of the credential - boarding pass, ticket to event -- no need to revoke because the lifetime is so short.

Termination of an employee.


WALLET INTEGRITY


Need to go to the trusted digital assistant. Wallets not interoperable beyond Indy Hyperledger. Something other than the wallet. The question of credentials tied to different wallets, then the need to prove something with credentials from different wallets -- how?

Does KERI (or HOLOCHAIN) that don’t need global consensus solve the problem? Suspicion no that there can’t be one local universal resolver . 60+ (70+?) DID methods. Different wallet for different purposes. Wallet hidden in the hospital’s app, the bank’s app. Very correllated, not trust over IP.

Multilateral federation SSO is dead -- but R&E federations really about moving attributes with trust

How does an orthodox community that needs a shared consensus solution approach a collection of lone wolves who are innovating their own special sauce to distinguish themselves as a vendor?

Verified credentials need to be interoperable -- how to we span the diversity? Demand will impact the many different silos to make interoperable worth pursing.

Hoping KERI will align and solve the issue of the variety of DIDs. DIDs not required for verified credentials, verified credentials depend on URIs. Structure of DIDs particularly useful in linked data to pull issuer and make a pointer…. Just using a URI to point to a certificate may be easier for an institution.

Big pharma has a huge volume, make their own standard. Yet another identifier framework.

Retrieved from "https://iiw.idcommons.net/index.php?title=14D/_Fusion:_Leveraging_Federated_Identity_to_Scale_Verified_Credentials&oldid=23416"