Credential/Identity information governance as per ToIP Layer 3 / Governance Stack

The 3rd layer of the ToIP focuses on the credential/identity governance frameworks needed to implement trust between holders, issuers and verifiers. Trust in this context relates to the specific legitimation of actors, based upon digital credentials/identity, to fulfil a role or a particular task. Trust is also understood as transitive trust[1]. This means that issuers (e.g. universities) as sources of credentials, holders (e.g. students) as requesters, and verifiers (e.g. public libraries) following specific policies to verify the authenticity and validity of credentials all contribute to establishing a relational, directional and contextual basis of reliability, as committed followers of specific rules and policies.

Credential/identity governance frameworks refer to the rules, policies, standards and practices that coordinate and shape credential/identity trust in the global cyberspace. The issuance and use of digital credentials/identity in cyberspace are not restricted by the traditional territorial national institutions, even if national policies play an important role in digital credentials/identity.

Independently of the national territory, the involved actors should have all the information needed to make decisions based on the verifiable credential proofs presented to them. Verifiable credentials[2] are issued by organisations (such as universities or governments) or individuals (both understood as issuers) to holders (entities such as, for example, students registering at a university), enabling them to fulfil a role or a task.

On top of the established transitive trust, a governing authority ensures that the credentials are trusted by a large population of verifiers by developing and publishing the governance framework that documents the consensual rules and policies to achieve mutual trust objectives. This means that a governing authority facilitates the scaling of trust among verifiers. In the GEANT context, GEANT, as an experienced and globally trusted operating authority in the education and research world, would be the most suitable candidate to play this role. In any case, GEANT would not be the only governing authority, but one among many, since any set of stakeholders can potentially become a governing authority in the ToIP model.

Transformative aspects

In the current GEANT federated system, trust (reliability based on following specific rules and policies) is mediated between domains using servers. All parties must be integrated with that server, and whoever controls the server must be trusted by all parties to the interaction.

In contrast, in the ToIP model, information governance frameworks (the business, legal and technical policies and rules under which the credentials/identity operate) rely on a peer-to-peer polycentric trust order - without intermediaries or server integration - that requires transnational cooperation amongst diverse actors such as online service providers, users, governments, international organizations, etc. Every peer forms trust relationships directly with every other peer and determines its own policies for trusting another peer. The participating actors in ToIP will be much more diverse than in the GEANT federated system, and their interests will differ from those restricted to education and research in the current GEANT global environment. Confidentiality and data privacy protection policies and rules may also differ among the actors in this diversified environment.

At the 3rd ToIP layer, a Trust Task Protocol intended to communicate private data supports confidentiality and privacy[3]. The number of trust task protocols (such as human authentication, exchange of verifiable credentials, etc.) depends on the applications available in the 4th ToIP layer, where users get directly “in touch” with the ToIP. The requirements of the ToIP[4] are based upon the use of persistent, discoverable, cryptographically verifiable identifiers for all parties and documents governing a digital trust ecosystem.

This aspect leads to another important transformative topic: the knowledge required from the involved actors. For example, holders are required to manage their verifiable credentials themselves, which means, among other things, knowing what a verifiable credential is, where credentials are stored and protected, and what their own responsibilities are, for example regarding updates in the ToIP environment.

Moreover, the locus of governance power also changes in the ToIP model. Decentralized digital identities are based upon mutual verification of both parties in a connection (e.g. universities and researchers). The verifiable data registry is the locus of trust in this digital relation. This registry stores decentralized identifiers (DIDs), public keys and other cryptographic data registered by issuers, enabling the identification of legitimate parties to trust. The power over building trust in distributed identity environments depends very much on those who own and rule the verifiable data registries. In the case of the education and research world, the universities and research organisations would play this role, with an increasingly powerful position.


Opportunities

The use of persistent, discoverable, cryptographically verifiable identifiers for all parties and documents governing a digital trust ecosystem might make it easier to bring together technology and the information governance framework within a digital trust ecosystem. For example:

  • A verifiable credential issued by a university within the ecosystem can include a claim asserting the Decentralized Identifier (DID) of the authoritative governance framework (e.g. GEANT's).
  • A verifiable credential could include the DID of one or more trust registries (e.g. universities) used to verify that the DID of the credential issuer is authorized to issue that particular type of credential under GEANT’s governance framework.
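The following is an added example, not code from the original page or from GEANT/ToIP, showing the verifier-side policy check the two points above describe: the credential names its governance framework DID and trust registry DIDs, and the verifier accepts it only if the framework is one it recognises and a known registry lists the issuer as authorised for every specific credential type. All DIDs, the registry content and the credential are constructed sample data, and the claim names governanceFramework and trustRegistries are hypothetical.

```python
"""Verifier-side governance check: an added example built on constructed data."""

# Constructed: the verifier's local copy of trust registry content, keyed by
# registry DID -> issuer DID -> credential types that issuer may issue.
TRUST_REGISTRIES = {
    "did:example:registry-edu": {
        "did:example:university-a": {"UniversityDegreeCredential", "StudentIDCredential"},
        "did:example:university-b": {"StudentIDCredential"},
    },
}
# Constructed: governance framework DIDs this verifier has chosen to accept.
ACCEPTED_FRAMEWORKS = {"did:example:geant-governance-framework"}

# Constructed sample credential. "governanceFramework" and "trustRegistries"
# are hypothetical claim names, not terms defined by the W3C data model.
SAMPLE_VC = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "type": ["VerifiableCredential", "UniversityDegreeCredential"],
    "issuer": "did:example:university-a",
    "credentialSubject": {"id": "did:example:student-1", "degree": "MSc"},
    "governanceFramework": "did:example:geant-governance-framework",
    "trustRegistries": ["did:example:registry-edu"],
}


def check_credential_policy(vc: dict) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Accept only if the credential names an accepted
    governance framework and a known trust registry lists the issuer for every
    specific credential type. Proof/signature verification is a separate step."""
    reasons = []
    framework = vc.get("governanceFramework")
    if framework not in ACCEPTED_FRAMEWORKS:
        reasons.append(f"governance framework {framework!r} not accepted")
    # The generic "VerifiableCredential" type is not something a registry scopes.
    types = set(vc.get("type", [])) - {"VerifiableCredential"}
    if not types:
        reasons.append("credential carries no specific type to authorise")
    # Only registries this verifier already knows can vouch for the issuer.
    known = [r for r in vc.get("trustRegistries", []) if r in TRUST_REGISTRIES]
    if not known:
        reasons.append("no named trust registry is known to this verifier")
    issuer = vc.get("issuer")
    for t in sorted(types):
        if not any(t in TRUST_REGISTRIES[r].get(issuer, set()) for r in known):
            reasons.append(f"issuer {issuer!r} not authorised for {t!r}")
    return (not reasons, reasons)
```

Every rejection reason is collected rather than returning on the first failure, so a verifier can log why a credential was refused without leaking which check ran first.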


Risks

The transformative aspect mentioned above regarding the increasing demand for knowledge and information in the ToIP environment may lead to blind acceptance of credentials, to ignoring rules, or even to rejecting usage altogether. Holders, for example, may feel overwhelmed by the information they need to know in order to manage their credentials.

Moreover, universities, due to their increasingly powerful position in the ToIP environment mentioned above, could demand an issuance price for highly demanded credentials.


[1] https://trustoverip.org/wp-content/uploads/Introduction-to-ToIP-V2.0-2021-11-17.pdf. Accessed 5.01.24.

[2] Based upon the W3C data model v1.1, a verifiable credential is a set of tamper-evident claims and metadata that cryptographically prove who issued it. See: https://www.w3.org/TR/vc-data-model. Accessed 4.01.24.

[3] https://trustoverip.org/wp-content/uploads/ToIP-Technical-Architecture-Specification-V1.0-PR1-2022-11-14.pdf (p. 18). Accessed 5.01.24.

[4] A primary document that must be assigned a DID and be retrievable via a DID URL; other documents which also need DID URLs; versioning of DID URLs and documents; identification of all the governing parties, governing as well as administering authorities, with DIDs. See: https://trustoverip.org/wp-content/uploads/ToIP-Governance-Architecture-Specification-V1.0-2022-12-21.pdf. Accessed 5.01.24.

5 Comments

  1. Important considerations for credential governance are that there will not be a single governance model, and that the parties involved may depend on the type of credential. At one end there are the highly regulated PID and QEAAs (which will be a 'given'), at the other end there are diplomas, microcredentials, and other specific educational credentials (where the R&E community should have more flexibility and where the real use cases are). Opportunities for Géant (or NRENs) are of course in streamlining the educational issuance and verification process (by piggybacking on the existing federation trust), and of course in providing and supporting credential types that are related to educational identity or institutional identity (think 'eduID in a wallet'). Of course, for the research domain, similar considerations can be made ('membership of a research group'). Also think of the benefits of reducing complexity (the fewer schemes there are the better) and supporting scenarios where direct user access (parallel to the eduGAIN route) would be better.

    See also a paper I wrote last year, for additional risks and considerations, mostly related to governance.

    The need for sectoral ownership to steer developments of the European Digital Identity Wallet for the benefit of education (easychair.org)

    1. Thanks a lot for your comment and link to your paper. You highlight very nicely that there is some work for us to do with respect to sector governance. My presentation at DSC23 in Berlin went in a similar direction (but much more superficial). You find it here: https://idunion.org/wp-content/uploads/2023/12/Graf_Identitaeten-Bildung.pdf
      Slides 16 and 17 show the role sectors should play in the "wallet ecosystem" and are derived from an earlier blog post I made in 2021 for DIDAS (the cross-sector SSI association in Switzerland, also supporting the government in its E-ID undertakings).
      Looking at the credential types you mention, we probably have to use different tracks. Diplomas are highly regulated, while microcredentials will offer more leeway and be relevant for a larger set of organisations to issue them.
      eduGAIN in particular could play a role in governing the educational affiliation information employing the same governing structures we set up for managing interfederation metadata. A year ago, I made a proposal to EBSI as partner in EBSI EA Wave 3, but never heard back from them. Will add it here, stay tuned...

  2. This is the proposal I handed in to EBSI in the context of the EBSI EA Wave 3 project (Cluster MyAcademicID). It proposes to register GÉANT as trust anchor for some types of credentials. We then set out to propose a first version of an educational identifier which was accepted and published by EBSI later on. Will search for the URL, stay tuned again...

  3. This is where EBSI published our proposed "Verifiable Educational ID": https://api-pilot.ebsi.eu/trusted-schemas-registry/v2/schemas/0x483879c9a3ec7da20699c1a7c9632ca3c6ef4b93f74c98bd78ac7d30d8fc1bf1 (I guess it is available linked from some nicer looking page with a shorter URL, but I was not successful at first)