W3C issues new technical draft for verifiable credentials standards
The World Wide Web Consortium’s (W3C) Verifiable Credentials Working Group this week issued its Candidate Recommendation Draft of specifications for the Verifiable Credentials Data Model v2.0 (VCDM 2.0) for the use of digital identification on the Web.
VCDM 2.0 introduces several enhancements, including processing clarifications, transitions into a tangible data model, media types, and data model simplifications while still maintaining the VCDM 1.1 baseline.
With support from the U.S. Department of Homeland Security’s Science and Technology Directorate (S&T) and U.S. Citizenship and Immigration Services (USCIS), the W3C Working Group has been developing the online digital ID standards.
Jared Goodwin, Chief of the Document Management Division within the Office of Intake and Document Production at USCIS, said that with the support of S&T, USCIS, and many other like-minded partners, these standards describe how a secure, privacy-respecting digital credentialing process can be implemented.
Part of the promise of the W3C standards is the ability to share only the data that’s necessary for completing a secure digital transaction, Goodwin explained, noting that DHS’s Privacy Office is charged with “embedding and enforcing privacy protections and transparency in all DHS activities.” DHS was brought into the process to review the W3C Verifiable Credentials Data Model and Decentralized Identifiers framework and to advise on potential issues.
DHS S&T said in a statement last month that “part of the promise of the W3C standards is the ability to share only the data required for a transaction,” which it sees as “an important step towards putting privacy back in the hands of the people.”
“Beyond ensuring global interoperability, standards developed by the W3C undergo wide reviews that ensure that they incorporate security, privacy, accessibility, and internationalization,” said DHS Silicon Valley Innovation Program Managing Director Melissa Oh. “By helping implement these standards in our digital credentialing efforts, S&T, through SVIP, is helping to ensure that the technologies we use make a difference for people in how they secure their digital transactions and protect their privacy.”
“Going forward, the government wants to ensure individuals have agency and control over their digital interactions,” Goodwin said. “The user should be able to own their identity and decide when to share it, and we don’t want a system that has to reach back to an agency for verification.”
The Candidate Recommendation Draft does not imply endorsement by W3C and its members. A Candidate Recommendation Draft only integrates changes from the previous draft that the Working Group intends to include in a subsequent Candidate Recommendation Snapshot.
A Candidate Recommendation Snapshot is a document that satisfies the technical requirements established in the group’s charter or in subsequent requirements documents; has the consensus of group participants; has received public review; has received formal review from other W3C Groups; and is a specification that’s intended for final feedback from implementers.
The new draft “specification” may be updated, replaced, or rendered obsolete by other documents at any time, the W3C said.
W3C explained that it’s “currently difficult to express education qualifications, healthcare data, financial account details, and other sorts of third-party verified machine-readable personal information on the Web,” and that the “difficulty of expressing digital credentials on the Web makes it challenging to receive the same benefits through the Web that physical credentials provide us in the physical world.”
The specification set forth in the new Candidate Recommendation Draft “provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable,” the W3C Working Group said.
The draft specification has been designed to ease the prototyping of new types of verifiable credentials. W3C said developers can copy the template in the draft and paste it into common verifiable credential tooling to start issuing, holding, and verifying prototype credentials.
The W3C Working Group explained that “the ecosystem” that’s spelled out in the draft specification “is in contrast to a typical two-party, or federated identity provider, model. An identity provider, sometimes abbreviated as IdP, is a system for creating, maintaining, and managing identity information for holders, while providing authentication services to relying party applications within a federation or distributed network.”
In a federated identity model, the draft specification explains, “the holder is tightly bound to the identity provider,” thus the draft “specification does not use the ‘identity provider,’ ‘federated identity,’ or ‘relying party’ terminology unless comparing or mapping the concepts in the draft to other specifications.”
The new draft also “decouples the identity provider concept into two distinct concepts: the issuer and the holder.”
The draft’s “Ecosystem Overview” section “describes the roles of the core actors and the relationships between them in an ecosystem where verifiable credentials are expected to be useful.” The W3C Working Group said “a role is an abstraction that might be implemented in many different ways,” and that “separation of roles suggests likely interfaces and protocols for standardization.”
Enhancing privacy is a key design feature of the draft specification. “Therefore,” the draft says, “it is important for entities using this technology to be able to express only the portions of their personas that are appropriate for given situations. The expression of a subset of one’s persona is called a verifiable presentation. Examples of different personas include a person’s professional persona, their online gaming persona, their family persona, or an incognito persona.”
A verifiable presentation is created by a holder, can express data from multiple verifiable credentials, and can contain arbitrary additional data which are used to present claims to a verifier. It is also possible to present verifiable credentials directly.
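The issuer, holder and verifier roles and the persona-scoped presentation described above can be sketched as follows. This is an added example, not code from the W3C draft or from the article; the credential type names, the DID and the issuer URLs are constructed, and no securing mechanism (proof) is attached, so the verifier side checks structure and validity period only.

```python
from datetime import datetime, timezone

V2_CONTEXT = "https://www.w3.org/ns/credentials/v2"  # VCDM 2.0 base context

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def make_credential(issuer, subject, extra_type, claims, valid_from, valid_until):
    """Issuer role: an unsecured credential; a real one also carries a proof."""
    return {"@context": [V2_CONTEXT], "type": ["VerifiableCredential", extra_type],
            "issuer": issuer, "validFrom": valid_from, "validUntil": valid_until,
            "credentialSubject": {"id": subject, **claims}}

def build_presentation(holder, wallet, requested_types):
    """Holder role: disclose only the credentials the verifier asked for."""
    chosen = [vc for vc in wallet if set(vc["type"]) & set(requested_types)]
    return {"@context": [V2_CONTEXT], "type": ["VerifiablePresentation"],
            "holder": holder, "verifiableCredential": chosen}

def check_presentation(vp, now):
    """Verifier role: structure and validity period only, no signature check."""
    errors = []
    if (vp.get("@context") or [None])[0] != V2_CONTEXT:
        errors.append("presentation: base context must be first")
    if "VerifiablePresentation" not in vp.get("type", []):
        errors.append("presentation: missing VerifiablePresentation type")
    for i, vc in enumerate(vp.get("verifiableCredential", [])):
        if (vc.get("@context") or [None])[0] != V2_CONTEXT:
            errors.append(f"credential {i}: base context must be first")
        if "VerifiableCredential" not in vc.get("type", []):
            errors.append(f"credential {i}: missing VerifiableCredential type")
        if not vc.get("issuer") or not vc.get("credentialSubject"):
            errors.append(f"credential {i}: issuer and credentialSubject required")
        if "validFrom" in vc and _ts(vc["validFrom"]) > now:
            errors.append(f"credential {i}: not yet valid")
        if "validUntil" in vc and _ts(vc["validUntil"]) < now:
            errors.append(f"credential {i}: expired")
    return errors

# Constructed sample data: every identifier and type name below is made up.
HOLDER = "did:example:holder123"
WALLET = [
    make_credential("https://licensing.example/issuer", HOLDER, "ExampleLicenseCredential",
                    {"licenseClass": "engineer"}, "2024-01-01T00:00:00Z", "2026-01-01T00:00:00Z"),
    make_credential("https://games.example/issuer", HOLDER, "ExampleGamingCredential",
                    {"handle": "nightowl"}, "2023-06-01T00:00:00Z", "2030-06-01T00:00:00Z"),
]
PROFESSIONAL_VP = build_presentation(HOLDER, WALLET, ["ExampleLicenseCredential"])
ERRORS = check_presentation(PROFESSIONAL_VP, datetime(2025, 3, 1, tzinfo=timezone.utc))
```

The professional presentation carries one credential and nothing from the gaming persona; a production verifier would additionally verify each credential's proof before trusting any claim.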
Because a verifiable credential often contains personally identifiable information (PII), implementers are strongly advised to use mechanisms while storing and transporting verifiable credentials that protect the data from those who should not access it. Mechanisms that could be considered include Transport Layer Security (TLS) or other means of encrypting the data while in transit, as well as encryption or data access control mechanisms to protect the data in a verifiable credential while at rest.
In general, individuals are advised to assume that a verifiable credential, like most physical credentials, will leak personally identifiable information when shared. To combat this leakage, the verifiable credential, and the securing mechanism, need to be specifically designed to avoid correlation. Verifiable credentials that are specifically designed to prevent the leakage of personally identifiable information do exist. Individuals and implementers are urged to prefer these types of credentials over ones that are not designed to protect personally identifiable information.
Comments regarding the draft specification are welcome at any time and can be directly submitted via GitHub or by emailing public-vc-comments@w3.org.