PrivacyCDN
commented
2 years ago 21/12/08 - Consider adding Business Logic to use cases
Closed PrivacyCDN closed 2 years ago
PrivacyCDN
commented
2 years ago 21/12/08 - Consider adding Business Logic to use cases
PrivacyCDN
commented
2 years ago No further action by WG on this.
The following is proposed as a way of categorizing PEMC requirements based on the type of actor that is participating in mobile credential transactions. Using abstract use cases enables PEMC requirements to be grouped together for each of the 5 abstract actors identified below.
Some requirements, like ‘the entity will designate a person to be accountable for privacy’, will apply to all actors, where others, like ‘the issuing authority will maintain and secure a key registry for the credentials it issues to provide a root of trust’, will apply only to a specific actor.
The following diagram and descriptions provides more details for discussion by the WG
Mobile Credential Transactions
These are the data flows and interfaces for actual identity transactions such as those identified in ISO/IEC 18013-5
Abstract Use Cases
Issuance
This abstract use case occurs when a new or updated mobile credential is issued by the systems and processes operated by the Issuer entity. An instantiation of this use case would be the issuance of an 18013-5 compliant student ID by a University (the Issuing Authority)
Presentation
This abstract use case occurs when an individual holder of a mobile credential(s) presents the mobile credential(s) to a verifier. An example of an instantiated use case would be the presentation of a mobile credential for age verification at a venue or store.
Verification
This abstract use case occurs when an individual holder of a mobile credential(s) presents the mobile credential(s) to a verifier. An example of an instantiation of this use case would be verifying membership status for access to a facility like a gym - note that this might be a use case where the same entity is the issuing authority and the verifier.
Actors
Individual Credential Holder
The natural person whose privacy will be protected by meeting the requirements for Privacy Enhancing Mobile Credentials
Issuing Authority
The entity that is accountable for issuing the mobile credential. This will include, where appropriate, being responsible for cryptographic key issuance and maintenance for the credential. PEMC requirements for the Issuing Authority should address the Issuance Use Case.
Issuer Systems Providers and Operators
This is the entity or entities that are responsible to the Issuing Authority the systems or processes that they provide to or operate on behalf of the Issuing Authority for the Issuance Use Case. This will include entities that
Verifier Systems Providers and Operators
This is the entity or entities that are responsible to the Verifying Entity that the systems or processes that they provide to or operate on behalf of the Verifying Entity for the Verification Use Case. This will include entities that
mobile Credential Systems Providers and Operators
This is the entity or entities that are accountable to the mobile credential holder and/or data protection authorities that the systems or processes that they provide to or operate on behalf of the mobile credential holder for the Presentation Use Case. This will include entities that provide wallets, SDK’s, mDLs or other mobile credentials:
Note: The data flow identified as “Provision” between the Individual Credential Holder and the Issuing Authority is critical to identifying privacy requirements in that this represents the initial collection of personal data or personal information that will be used in the mobile credential transactions using the appropriate organizational authority or consent for that collection. That being said, this collection and data flow are out of scope of the PEMC WG.