This document explores the need for data standards to enable interoperability of Digital IDs both in federations within an ID ecosystem, and across ID ecosystems. In this paper we focus on the data contained in a credential: the claims, evidence, proofing, and ID assurance, as opposed to the metadata about the credential, i.e., how it is securely transmitted and traced from one party to another.
We start by exploring the need for data standards at the ‘content data’ level:
- core claims about an individual.
- common evidence types and associated proofing techniques.
- communicating identity assurance.
In the production of this paper, we took a conscious scope decision not to try to cover standards for broader eligibility data, such as education, health, or employment information; standards for this type of information are required but should be defined by specialists in those use case areas.
There are many bodies who already provide part of the standards required to achieve interoperability such as ISO, ICAO, OIDF and W3C, but none of these cover the whole picture. Our analysis finds that there is a mixed bag of standards for the core claims about an individual and the associated evidence. In addition, the new OIDC for Identity Assurance standard covers standards for communicating proofing techniques and assurance levels, but does not set the standards as to how those processes are done; this is currently left to local ID Assurance Policies defined by each trust framework.
The paper goes into a great level of detail on how standards might be implemented from the data item level upwards. It reveals a layered requirement: there are many granular standards for individual data items of evidence, but as we work up to the whole data package, the parts need consistently assembling into a whole.
Throughout the paper we make a series of recommendations as to how data should be standardised and by whom to enable interoperability, a final summary of which can be found towards the end of the paper. The key recommendations are:
- A single protocol-independent data standard is created that allows core ID information to be communicated consistently regardless of the protocol (e.g., OIDC, Verifiable Credentials) used to securely exchange it. This should be based on the OIDC for Identity Assurance standard.
- Existing ISO and ICAO standards should be used for core ID Claims as far as possible.
- A per-claim level of trust and period of validity construct should be considered.
- Where evidence-specific standards exist for evidence types, they should be used for those pieces of evidence (e.g., passports, driving licenses).
- Standards are required for proofing techniques that will enable different trust frameworks to assemble sets of proofed credentials as part of their individual assurance policies. Key proofing standards required are: Document Scanning (with different light options), Document OCR, Image Capture Liveness, Biometric Matching.
OIX’s next step will be to influence standards setters to adopt and progress the recommendations of this paper.