ToIP invites the public to comment on their newly released document, Issuers Requirements Guide for Governance Framework of Verifiable Credentials.
The mission of the Trust over IP (ToIP) Foundation is to define a complete architecture for Internet-scale digital trust that combines cryptographic assurance at the machine layer with human accountability at the business, legal, and social layers. Part of that mission is to define generally accepted requirements for standard roles that play a critical part in accountability for digital trust.
Our Governance Stack Working Group has completed a new deliverable, the Issuer Requirements Guide for Governance Frameworks of Verifiable Credentials (PDF) and is soliciting public comment using our public review process and this GitHub link. While many schemes in the US, UK and Canada have focused on elements of identity credential issuance and verification, this is the first effort to define standard requirements for issuers of verifiable credential to ensure that their processes are transparent and consistent and meet the needs of relying parties and ecosystem governing bodies.
Verifiable credential ecosystems require both technical trust and human trust where the core requirements for the corresponding issuance processes are captured in this newly released document being circulated for public review and comment. Verifiable credentials are a type of digital representation of claims or attributes about a subject, which can be an individual, organization, or thing. These credentials are tamper-evident, cryptographically secure, and can be verified by relying parties without the need for a central authority.
The Governance requirements of an issuer in a verifiable credential ecosystem can be summarized as follows:
- Issuance of Credentials: The issuer is responsible for creating and issuing verifiable credentials to subjects based on certain claims or attributes. These credentials are digitally signed by the issuer using their private key, ensuring the authenticity and integrity of the information.
- Trust and Reputation: The issuer’s reputation and trustworthiness are crucial in the verifiable credential ecosystem. Relying parties (such as service providers or verifiers) rely on the credentials being issued by reputable and trusted issuers. The credibility of the issuer is established through various mechanisms, such as being a well-known organization, being part of a recognized authority, or holding themselves accountable to the requirements of a governing authority.
- Validation of Claims: Before issuing credentials, the issuer does its due diligence to validate the claims made in the credential. This validation process ensures that the information presented in the credential is accurate and can be trusted by relying parties.
- Verification of Issuer and Holder: Issued credentials that contain links to the issuer and/or holder should be engineered so they can be cryptographically verified.
- Privacy Considerations: Issuers need to handle personal data responsibly and in compliance with privacy regulations. They should only collect and use the minimum necessary data required to issue the credentials and should obtain explicit consent from the subjects.
- Revocation and Expiry: For credentials that require expiration or revocation, issuers must have mechanisms in place to revoke or expire credentials if the claims become invalid or if the credentials are compromised. This is essential to maintain the trustworthiness of the digital trust ecosystem.
- Interoperability: Issuers need to follow standardized formats and protocols to ensure that the issued credentials are interoperable and can be easily understood and verified by different relying parties.
- Auditability and Accountability: Issuers should keep records of issued credentials for audit purposes, lifecycle maintenance, including updates to claims, or re-issuance for any reason and revocation. This enables traceability and accountability in case of disputes or issues with the credentials.
- Transparency: The issuer should publicly disclose all the policies it follows in the process of claim and credential issuance and revocation. This disclosure should be included in a publicly available governance framework.
The ToIP Issuer Requirements Guide is intended to aid implementers conform to the ToIP Governance Metamodel Specification for issuers of verifiable credentials within an ecosystem governed by a governance framework that conforms to the ToIP Governance Metamodel Specification. We encourage you to read this landmark document and provide feedback using the ToIP Public Review Process by following this GitHub Link to submit comments within the public review and comment period ending on May 31, 2024. If you have any questions regarding this document, please contact Scott Perry at scott.perry@schellman.com.