The National Institute of Standards and Technology (NIST) recently released a draft report entitled Attribute Validation Services for Identity Management, which seeks to provide a comprehensive framework for agencies considering implementing Attribute Validation Services (AVS).
AVS are critical for identity proofing, fraud prevention, and ensuring equal access to digital resources within government services. They are also adopted by other sectors, such as banking and healthcare, which recognize the value they bring. NIST has, therefore, invited comments from external organizations to help ensure the framework is as robust as possible.
The OpenID Foundation commends NIST for its significant investment in this work, which strongly aligns with the OpenID Foundation’s own mission to promote open standards for secure, user-centric identity systems.
Welcoming the opportunity to contribute, the OpenID Foundation collated input from its diverse membership, offering targeted suggestions and broader reflections to help refine the draft. Below, the feedback to NIST has been summarized into seven key themes, as well as additional areas for consideration.
1. Reassessing ‘user-controlled’ terminology in wallet-based architectures
NIST's report refers to User-Controlled Verification Architectures (UCVA) and asserts that they grant users greater control over their personal data. While UCVAs provide advantages over some API-based architectures, the term ‘user-controlled’ can misrepresent the reality. End users are not entirely autonomous; their control is influenced by credential issuers, wallet providers, and platform operators.
The recommendation from the OpenID Foundation is for the use of language that is more representative. For example, ‘wallet-based architectures aim to enable user-centric data management.’
The report also emphasizes the potential of UCVAs to overcome limits on an individual's access to and control over their own information, enabling secure online and in-person data sharing while preserving privacy and reducing fraud. The OpenID Foundation has recommended that the report acknowledge that secure in-person and online data sharing is not exclusive to UCVAs, citing OpenID Connect as an example.
2. Highlighting the value of shared signals
In its feedback, the OpenID Foundation has advocated for a section on shared signals, a critical mechanism for real-time notifications and lifecycle management in identity systems. These signals can be used in multiple scenarios, enabling proactive communication, such as notifying when a credential is revoked, an attribute is updated, or fraud is suspected.
In fact, much work has already been done to develop standards that would enrich AVS architectures, enhancing interoperability and real-time risk management. The OpenID Foundation recommends that AVS and relying parties (RPs) monitor the work of groups such as the OpenID Foundation’s Shared Signals Working Group for specifications that will greatly benefit these processes.
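To make the mechanism concrete, the following is an added illustration (not code from the OpenID Foundation, NIST, or the Shared Signals Working Group) of the kind of exchange described above: an AVS acting as transmitter signs a Security Event Token (SET, RFC 8417) carrying a CAEP credential-change event for a revoked credential, and a relying party acting as receiver verifies the token and acts on it. The event type URI and claim layout follow the published CAEP and RFC 9493 subject identifier formats; the issuer, audience, subject, credential type and the HS256 shared secret are made-up values, and a real deployment would use asymmetric keys published in the transmitter's JWKS rather than a shared secret.

```python
"""Minimal Security Event Token (SET) exchange for a credential-revocation signal.

Transmitter side builds and signs the SET; receiver side verifies it and routes
the event. Standard library only, so it runs offline. Every identifier below is
a constructed example value, not a real deployment's.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

# CAEP event type URI for credential lifecycle changes (OpenID CAEP specification).
CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"

# Constructed shared secret for HS256. Assumption for this example only; production
# transmitters sign with an asymmetric key so receivers cannot forge events.
SHARED_SECRET = b"example-transmitter-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_credential_revoked_set(issuer, audience, subject_email, credential_type, now=None):
    """Transmitter: build and sign a SET announcing that a subject's credential was revoked."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "jti": str(uuid.uuid4()),  # unique id lets receivers de-duplicate redelivered events
        "events": {
            CREDENTIAL_CHANGE: {
                "subject": {"format": "email", "email": subject_email},  # RFC 9493 subject identifier
                "credential_type": credential_type,
                "change_type": "revoke",
                "event_timestamp": now,
            }
        },
    }
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token, expected_issuer, expected_audience, max_age_s=300, now=None):
    """Receiver: check signature, header type, issuer/audience and freshness.

    Returns (jti, events) on success and raises ValueError otherwise.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    expected_sig = hmac.new(SHARED_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm and the SET media type so an ordinary access token cannot be replayed as an event.
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected header")
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("iss") != expected_issuer or payload.get("aud") != expected_audience:
        raise ValueError("issuer/audience mismatch")
    iat = payload.get("iat")
    if not isinstance(iat, int) or now - iat > max_age_s or iat > now + 60:
        raise ValueError("stale or future-dated event")
    events = payload.get("events")
    if not isinstance(events, dict) or not events:
        raise ValueError("no events")
    return payload["jti"], events


def handle_events(events, revoked_store):
    """Receiver: apply each event. Revocations are recorded; unknown event types are reported, not dropped silently."""
    actions = []
    for event_type, body in events.items():
        if event_type == CREDENTIAL_CHANGE and body.get("change_type") == "revoke":
            subj = body["subject"]
            key = (subj["format"], subj.get(subj["format"]))
            revoked_store.add(key)
            actions.append(("revoke", key))
        else:
            actions.append(("ignored", event_type))
    return actions


if __name__ == "__main__":
    tok = build_credential_revoked_set("https://avs.example", "https://rp.example", "alice@example.com", "mdl")
    jti, evs = verify_set(tok, "https://avs.example", "https://rp.example")
    store = set()
    print(jti, handle_events(evs, store), store)
```

The receiver-side checks are the part an RP integrating with an AVS should not skip: pinning `typ` and `alg`, matching `iss` and `aud`, bounding `iat`, and keeping `jti` for de-duplication, so that a captured or forged token cannot be replayed to revoke or un-revoke a credential.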
3. Ensuring rigorous entity validation
A robust AVS ecosystem must ensure that requesting entities are not only legitimate but are verifiably the entities they claim to be. The OpenID Foundation suggests leveraging standards-based mechanisms, such as OpenID Federation, to authenticate RPs and establish their trust status before attributes are released. Additionally, considerations should be made for inclusivity, such as supporting QR code verification for individuals without digital wallets, as seen in systems like the UNHCR refugee QR codes.
4. Clarifying roles and governance
The report conflates roles and responsibilities of potential implementing entities. The OpenID Foundation suggests expanding the governance section to clarify:
- The importance of selecting interoperable standards.
- The role of certifying and maintaining conformance to these standards.
Trust frameworks must ensure interoperability, privacy, and security outcomes through protocol design, not solely through policy.
5. Addressing metadata risks and management
Metadata plays a pivotal role in identity ecosystems, but the report underemphasizes its privacy and security implications. The OpenID Foundation recommends expanding guidance to include:
- Risks of metadata leakage, especially from issuance and presentation processes.
- Standards for the metadata attributes that describe data quality and authorization, and for how that metadata is managed.
- Mitigations against misuse of metadata by wallet providers or platform operators.
6. Facilitating cross-border interoperability
Although the report focuses on US-centric use cases, cross-border scenarios merit inclusion: for instance, a US-issued mobile driver’s license (mDL) might need to be verified by a bank or law enforcement agency abroad.
AVS that take into account trust frameworks and standards facilitating interoperability with foreign entities could prove extremely valuable. The OpenID Foundation has recommended that a separate section cover cross-border interactions, including the trust required and the issuance and presentation needs for foreign attributes and identity documents.
7. Enhancing data retention and destruction policies
Data retention policies should balance agency requirements with individual rights. Even post-mortem data management demands thoughtful consideration. OIDF encourages NIST to monitor ongoing work in the DADE (Death and the Digital Estate) Community Group, which addresses some of these challenges.
Further Recommendations
The OpenID Foundation recommends some additional considerations to strengthen the AVS guidance.
Emerging standards and community work
The OpenID Foundation is keen for NIST to take into account several valuable initiatives that are underway and that could positively influence the evolution of AVS. They include:
- The Shared Signals Framework, set for finalization in Q1 2025, offering critical specifications for lifecycle management.
- OpenID for Verifiable Credential Issuance (OID4VCI), which is advancing towards finalization and will standardize credential issuance workflows.
- The DADE Community Group, which explores managing digital identities and assets posthumously.
Convergence across identity standards
NIST should anticipate potential conflicts among parallel identity standards developed by other agencies and by the private sector, such as the Department of Homeland Security and Transportation Security Administration wallet reviews and the AAMVA mDL guidelines.
A coordinated approach should be undertaken to mitigate incompatibilities and foster streamlined adoption across federal, state, and private systems.
End-user experience design
The NIST report largely focuses on organizational perspectives. However, prioritizing user-centric designs can significantly improve public engagement with government services. Solutions should be intuitive, inclusive, and designed to accommodate diverse populations, including those without digital access.
Final Thoughts
We applaud NIST for acknowledging the contributions of our standards and specifications, such as OpenID Connect and the FAPI security profiles. Moving forward, we encourage NIST to:
- Deepen collaboration on Shared Signals and OpenID for Identity Assurance.
- Engage with ongoing efforts in OpenID Federation to refine AVS governance and interoperability frameworks.
By leveraging open standards and fostering collaboration, we can collectively advance identity management systems that are secure, equitable, and user-focused. The OpenID Foundation remains committed to supporting NIST and other stakeholders in achieving this vision.
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy-preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
