Date: 2026-01-12

Telefónica’s digital business unit, Telefónica Tech, has announced the launch of a self-sovereign identity product based on verifiable credentials. A press release says the tool aims to help companies and public organizations implement the EU’s new legal and technical framework for Self-Sovereign Identity (SSI), whose reference project is the EUDI Wallet.

The SSI model involves giving individuals complete control over the identity they present to digital services – in other words, the ability to provide minimum necessary data, in keeping with data minimization principles, in the form of a verifiable credential.

Telefónica Tech’s version, which uses QR codes to prompt identity verification or authentication, was developed in collaboration with Privado ID, which in 2024 signed on to serve as a system integrator and help develop verifiable credential use cases for Telefónica’s digital unit. Stated use cases include digital credentials and certificates (for instance, civil registration or proof of residence), encrypted age verification, and access management in private, restricted or critical infrastructure premises.

The Spanish multinational’s digital business unit says its tool goes both ways. Per the release, “on the one hand, it allows digital credentials (which may be personal data, identifications, certifications, qualifications, etc.) to be managed and controlled securely and privately; and on the other, it provides organizations with tools to issue, validate and revoke credentials and attributes efficiently, ensuring interoperability and regulatory compliance.”

Elena Gil Lizasoain, director of AI and data at Telefónica Tech, says its self-sovereign identity product is “designed to help public administrations and private companies stay ahead of the new European framework and enable their employees, customers and citizens to maintain control over the personal information they share on the Internet. Our identity is a critical asset, and we must ensure absolute transparency throughout its life cycle by facilitating its transfer and use by third parties, but only when necessary.”

NIST lines up mdoc against looser W3C VC format

The National Institute of Standards and Technology’s (NIST) Cybersecurity Insights blog has a new article on “Getting to Know the Verifiable Digital Credential Ecosystem.” Authored by NIST’s Bill Fisher and Ryan Galluzzo and Spherical Cow Consulting’s Heather Flanagan, the post is the second in a series on Verifiable Digital Credentials (VDCs).

“The ability to use VDCs in a wide variety of use cases is a major reason why many are looking at the VDC ecosystem as technology that can change how we present identity and attributes (both in person and online),” the piece says. Variety, however, needs standards to keep everything tidy. NIST’s piece aims to explain the standards that “promise to make interoperability a reality and help the reader understand which standard may best fit individual use cases.”

The piece identifies two key standards helping to define the space: “ISO/IEC 18013-5, which underpins mobile driver’s licenses (mDLs) and related mobile documents (mdocs), and the World Wide Web Consortium’s (W3C) Verifiable Credentials (VC) credential formats.” It goes on to compare and contrast the mdoc and VC credential formats. The long and the short of it is that the mdoc framework, which is defined across the ISO 23220 and ISO 18013 series of documents and was initiated to cover mobile IDs, is more tightly structured in terms of both the data and its presentation, whereas the VC format, created for a broader digital ecosystem of credentials, “is intentionally flexible about how credentials are presented.”

Each format has its use cases, depending on the technical scenario. “In a perfect world, one standard might serve all use cases,” the authors say. “But digital identity is not one-size-fits-all. Different sectors, geographies, and technical environments have different needs. And because digital credentials often intersect with regulation, security, privacy, and user experience, organizations may need to support more than one standard.”

Digital Credential API shouldering too much blame

Co-author of the NIST blog, Heather Flanagan, has also published a piece on her Spherical Cow Consulting website, which goes into more detail on digital identity wallet standards and the Digital Credential API. Flanagan offers a different perspective on interoperability: “a complex web of digital identity wallet standards that include the layers of browsers, OS platforms, protocols, and wallets that must interoperate cleanly for anything to work at all.”

The wallet ecosystem includes browsers that “enforce security boundaries between websites and users,” operating systems that “manage device trust, hardware access, and application permissions,” wallets that specialize in credential storage and user experience, and protocols that define how information moves across the various components.

Flanagan’s main point is, don’t blame the DC API for problems with a network that has multiple layers. “The DC API connects a request from the browser to a wallet,” says Flanagan. It is only one layer in the wallet stack. “Everything else happens above or below it.”

“‘The DC API’ is increasingly used as shorthand for the entire credential-presentation ecosystem. It’s understandable and perhaps unavoidable. But it isn’t accurate.”

Resource charts all major identity and VC standards

Can it all come together? Christopher Goh, an international advisor on digital identity and verifiable credentials, raises the question in a LinkedIn post that also includes a resource giving an overview of all the major identity and VC standards.

“Will this year be the year of Digital ID and Verifiable Credential Convergence or will there be continued fragmentation?” Goh asks. “Are there better ways to provide seamless integration between protocols?” The resource has diagrammatic models for the OpenID Foundation, W3C, IETF, the FIDO Alliance, GlobalPlatform, ETSI, Cloud Signature Consortium, ITU-T, ISO and MOSIP.

“There doesn’t have to be a super protocol, in fact the competition is healthy,” Goh says. “What we need to figure out though, is how the customer and relying parties are not penalized for supporting this diversity.”

