(1)(b) Statement of Purpose
This TC aims to define a lightweight identity credential schema, based on the W3C Verifiable Credential (VC) standard, to enable individuals (VC subjects) to share their verified identity attestations across different platforms and services.

This work assumes the following operational pattern: a) an issuer issues a VC that asserts the VC subject has passed checks of a defined business process (such as Know Your Customer, or KYC); b) the VC subject can then present the assertion to a Relying Party (RP). The goal of explicitly defining this pattern as a reusable schema template is to encourage alignment among issuers, thereby improving interoperability and portability for subjects and relying parties.

This pattern has been applied to a range of use cases including those requiring minimal personally identifiable information (PII), while also enabling composability when more personal data is required.

It is possible for a VC issuer to issue a credential with variable assurance levels. The assurance levels are a function of required checks that are performed based on some acceptance criteria as determined by an RP. The RP could be a regulated entity that must adhere to strict compliance rules. As such, the RP could restrict the acceptance of a VC to selected issuers that are deemed trustworthy to the RP. This can be implemented through a governance framework. The VC Schema can be used by an issuer and/or RP to quickly and securely identify assurance levels as presented in the VC.

Starting with the minimal PII side of the spectrum, examples include:
• A VC issuer issues a credential attesting that the VC subject has passed its KYC checks according to the United States jurisdiction, but does not include details of the checks (e.g., names, addresses, etc. are omitted). A relying party may choose to accept this credential based on trust in the issuer's processes.
• The following are structurally similar to the above, with the specific business process replaced, e.g.: a. The subject is an accredited investor according to a defined process; b. The subject has passed KYB (Know Your Business) checks according to a defined process.

Beginning with this simple baseline, additional claims may be composed to fit use cases where more detail is required:
• The relying party requires multiple credentials of the above type, e.g., a KYB and an Accredited Investor credential;
• The relying party requires some other identity assurance, e.g., in addition to a KYC credential, the RP also requires evidence that the credential subject is not a resident of New York.

Note: Composable extensions may be issued in multiple ways (same issuer/VC/subject identifier; different ones), which result in different identity assurance considerations. These considerations will be described as informative (not normative) output of this TC.

Reuse of verified identity claims in this manner can promote efficiency in customer onboarding and reduce proliferation of sensitive personal data where it is not needed. This is in contrast to current customer onboarding processes, where individuals typically reshare identity attributes for each new organization with whom they interact, introducing delays and expense for both the customer and onboarding organization.

Note: These use cases are governance agreements among all parties (issuers, RPs, VC subjects), especially in cases where involved parties are regulated entities. These considerations vary widely and are assumed to be out of scope but will be described as informative (not normative) output of this TC.

Auxiliary goals of this TC include:
1. Demonstrate patterns for reusable identity credentials that do not exacerbate proliferation of personal data when it is not needed. TC output will include informative examples of VCs containing minimal PII which may be used to achieve useful end-to-end scenarios.
2. Provide clarity on how composability via stackable claims relates to selective disclosure or zero knowledge techniques:
   • Signature suites achieving such techniques require more diligence (standards maturity, library support, security testing) before they will be relied on at scale.
   • The approach described here enables credentials that, by design, minimize the sensitive information that is shared.
Any entity involved in issuance or consumption of verifiable credentials referring to a defined business process will benefit from this work. The stakeholders who will be impacted by this standard include:
• VC subjects and RPs: improve efficiency and security, while reducing cost in onboarding
• Issuers and verifiers: potential revenue source