DIF works toward standardized data scheme for age assurance credentials

Legislation and discussion on age assurance has exploded globally, with major regulatory shifts ongoing in the U.S., UK, EU and elsewhere. Pornography, alcohol, cannabis, gambling, vapes, social media: just about all of society’s favorite age-restricted vices are being regulated, with their peddlers forced to ask customers to verify their age before transacting online. The methods for age assurance are nearly as varied, from document checks to biometric facial age estimation.

It can all make for a puzzling milieu. The Decentralized Identity Foundation (DIF)’s credential working group is looking at how verified credentials and decentralized identity fit into the picture. Specifically, the group is collaborating on a standardized credential schema to establish what’s needed for proof of age. Among those involved in the effort are biometrics and age assurance firms Privado ID, Privately, Digital Bazaar and TruAge Solutions.

Crossmint’s Valerio Camaiaini, who is a co-chair of the working group, explains that, in the DIA context, a schema is a “data template” that specifies which attributes a credential should contain, so that it is manageable across different credential formats such as JSON-LD and VC-JWT.

The working group’s goal is to create an age assurance credential that is format-agnostic – per Privado ID Standards Architect Otto Mora, Camaiaini’s co-chair on the working group, a “standardized proof-of-age schema” to serve as a general purpose template for what data a credential should contain to allow for both age estimation and age verification.

“No matter what credential format you like or what age assurance method you like,” Mora says, “the idea is the data fields should remain the same and that there should be consistency.”

Age data, level of confidence, age assurance methods included

The data fields in question include data on both the user and the credential itself.

For age estimation, Mora says, “age range would be an object that would have both minimum and maximum age,” whereas the age verification use case would require a stated age value (date of birth). Age estimation also incorporates a “probability of correctness” by percent, which corresponds to a “level of confidence” field.

“A level of confidence is a concept introduced by one of the ISO standards out there for age verification, and we have aligned our proposed age verification with this ISO standard for age checks,” Mora says. Levels range from “asserted” to “basic” (90 percent confident) to “strict” (99.99 percent confident).

The credential schema lists the age assurance method – for instance, voice, facial scan, identity document scan and so on. And it contains other credential metadata such as an issuer identifier and expiration date.

The credential working group is also considering credential issuance patterns, comparing single-issuance for more advanced protocols that support advanced privacy techniques, to batch issuance that generates a separate key for each credential created – what Mora calls “burner credentials.”

Credential schema does not include user binding data

But equally important to what they are doing is what they’re not. Mora lists a few “explicit non-goals” that are not included in the implementation. These include user/holder binding, including local on-device biometrics and biometric hash data – “an implementation detail separate from the credential schema standard itself.”

Guardian and parent management are also not included, nor is police clearance or criminal background data, deemed beyond the scope of the proof-of-age credential format.

The schema’s job is to define the data fields needed for age verification or age estimation. But Mora notes that while the schema is neutral, regulatory jurisdictions are not; some, for instance, may contend that facial age estimation is non-compliant.

DIF has published a “very early draft” of the schema, but it remains a work in progress. The DIF working group is inviting submissions of sample schemas or suggestions for additional data fields; interested parties can contact Otto Mora at Privado ID. The deadline for expressions of interest is February 28, 2025.

Article Topics

age estimation  |  age verification  |  biometrics  |  data privacy  |  Decentralized Identity Foundation (DIF)  |  digital identity  |  industry  |  verifiable credentials