NZ fills in digital credential portal details in response to vendor questions

Details about the digital credential issuance platform for which New Zealand’s Department of Internal Affairs (DIA) is currently running an RFP have emerged from the questions and answers posted to the procurement page.
The chosen vendor or consortium must be able not only to supply the PKI solution but also to manage it. The DIA expects the full platform to be run as a managed service, which should be reflected in the hosting and environment fees submitted in response to the RFP.
The department expects two to four DIA administrative staff to use the platform, along with two or three per issuer, assuming tenant admins are supported. The portal is not expected to handle double-digit concurrent users at any time.
DIA responds to several questions on certificate authentication by emphasizing that the goal is to prevent “impersonation and replay attacks.”
“That might be that the responder uses OAuth2.0 with short-lived tokens which is then hardened via sender-constraints such as mTLS,” DIA Procurement explains. “However, mTLS may not be possible for some agencies, in which case DPoP (demonstrable proof of possession per RFC9449), would be acceptable in those situations. It will come down to what the responder’s auth API for the scenario is though. We would want short-lived access tokens with replay protection, key rotation, scopes and audience restrictions over TLS. In regards to Public APIs, TLS is expected to be used following the OID4VCI Standard.”
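The checks a resource server would run on a DPoP-bound access token of the kind described in the answer above, covering expiry, audience, scope, key binding and proof replay. This is an added example, not code from DIA or the RFP. It assumes both JWTs have already had their signatures verified by a JOSE library, and the URLs, scope name, key and token values are constructed.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required EC members, sorted, no whitespace
    canon = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                       sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())

class DPoPChecker:
    def __init__(self, audience: str, max_age: int = 60):
        self.audience, self.max_age = audience, max_age
        self.seen_jti = {}  # jti -> last second at which the proof is still fresh

    def check(self, header, proof, token, raw_token, method, url, scope, now):
        """Return None to accept, else the rejection reason. Signatures on
        both JWTs are assumed already verified (not done here)."""
        if token["exp"] <= now:
            return "access token expired"
        if token["aud"] != self.audience:  # assumes a single string audience
            return "wrong audience"
        if scope not in token["scope"].split():
            return "missing scope"
        if header.get("typ") != "dpop+jwt":
            return "not a DPoP proof"
        if jwk_thumbprint(header["jwk"]) != token["cnf"]["jkt"]:
            return "proof key is not the key the token is bound to"
        if (proof["htm"], proof["htu"]) != (method, url):
            return "proof was made for a different request"
        if proof.get("ath") != b64url(hashlib.sha256(raw_token.encode()).digest()):
            return "proof was made for a different token"
        if abs(now - proof["iat"]) > self.max_age:
            return "proof outside freshness window"
        # Forget only jti values whose proofs the freshness check already rejects
        self.seen_jti = {j: t for j, t in self.seen_jti.items() if t >= now}
        if proof["jti"] in self.seen_jti:
            return "replayed proof"
        self.seen_jti[proof["jti"]] = proof["iat"] + self.max_age
        return None

# Constructed sample values (not real keys or tokens)
JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}
RAW = "constructed.access.token"
TOKEN = {"exp": 1300, "aud": "https://issuer.example/api",
         "scope": "credential:issue", "cnf": {"jkt": jwk_thumbprint(JWK)}}
HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": JWK}
PROOF = {"jti": "a1", "htm": "POST", "htu": "https://issuer.example/api/credential",
         "iat": 1000, "ath": b64url(hashlib.sha256(RAW.encode()).digest())}
```

A captured token and proof replayed by another party fails the `jti` check inside the freshness window and the `iat` check after it, while a token presented with a different key fails the `cnf.jkt` comparison.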
DIA believes there is a “possibility of one or two issuers on or near day one” of the portal’s launch, and while it notes that the number of agencies that will eventually issue credentials through the platform is unknown, there will be time to scale in advance as each agency is onboarded.
The successful bidder will be expected to work with the project team to complete security accreditation for the platform under the country’s new Digital Identity Trust Framework.
In the responses, DIA also addresses how issuers will know if a user deletes a credential from their digital wallet and how public keys will be verified through a VICAL.
The question and answer portal closes August 21 at 5pm New Zealand time, and the RFP closes August 27.