By Mark Haine & Drummond Reed
A persistent goal of digital identity technology is to enable relying parties to reach the level of identity assurance they need to proceed with any specific interaction. Although there are many descriptions of “identity assurance levels”, such as the three levels defined in the NIST SP 800-63 series, the goal itself is technology-independent, i.e., it remains the same no matter what technology is used to achieve it.
For the past three years, the eKYC & IDA Working Group at the OpenID Foundation (OIDF) has been working on a specification called OpenID Connect for Identity Assurance as an extension to OpenID Connect. This specification has had contributions from a wide range of countries and industries as well as multiple early implementations.
More recently, the verifiable credentials (VC) community has begun to discuss how digital wallets and VCs could convey the information necessary to achieve different levels of identity assurance. But they have not yet converged on the specifics.
Given the universal need for identity assurance, the underlying meaning of the terms we use should be the same regardless of the specific technology used to convey the assertions. That was exactly the conclusion reached by the OIDF eKYC & IDA Working Group. They decided to modularize the OpenID Connect for Identity Assurance draft, separating out the schema definition for an element called “verified_claims”. They realised that this JSON structure could be, in their words, “re-usable across many different contexts and application layer protocols including but not limited to OpenID Connect and Verifiable Credentials”. The separated schema definition will also be available to the newly formed Digital Credential Protocols Working Group (DCP WG), that is working on OpenID for Verifiable Credential Issuance and OpenID for Verifiable Presentations drafts.
The new specification is called OpenID Identity Assurance Schema Definition. The schema it defines allows representation of the wide variety of semantics defined in different identity assurance standards such as NIST 800-63, ISO/IEC 29115, UK GPG45, and eIDAS. It includes a significant number of optional elements to allow for any depth of description (from minimised to very verbose) of the identity assurance level, process and evidence that underpin the digital identity in question.
This new specification reflects the advice of a recent white paper from the Open Identity Exchange (OIX) called Data Standards for Digital ID Interoperability. Regarding international interoperability of higher assurance digital identity, it says:
“A single protocol independent data standard must be created. It must allow core ID information and evidence to be communicated consistently, regardless of the protocol used to securely exchange it (e.g.OIDC, Verifiable Credentials). The OIX view is that this should be based on the OIDC for Identity Assurance standard.”
The Trust Over IP (ToIP) Foundation welcomes this new specification and looks forward to reviewing and commenting because it fits perfectly into the goal of ToIP architecture: enabling universal interoperability of decentralized digital trust infrastructure, including digital wallets and VCs. Any standard that helps ToIP achieve this goal is a step in the right direction, especially one that addresses the real, quantifiable market need for faster, easier, stronger digital identity assurance.
Furthermore, the need for higher levels of identity assurance is a signal that a digital trust ecosystem is mature enough to need governance tools and models such as the ToIP Foundation has been developing over the past three years. Policies that clearly specify the level of identity assurance required for a particular transaction—together with the digital wallets and credentials that can satisfy those policies—are the oil that can make the flow of commerce easier and faster for all participants.
The next step is for the OIDF to advance their suite of identity assurance specifications to the final approval stage. After this, market forces are expected to drive the development of a set of re-usable profiles of these standards that meet the needs of different digital trust ecosystems across many different industries and jurisdictions. At that point we should finally begin seeing the market traction for digital identity assurance, whether federated or decentralized, that has long been one of the holy grails of our industry.