Discuss Identity Anchoring Credential Data Model

[ashleythedeveloper]

In our UNTP meetings and through my discussions in related projects, it has become clear we need identity anchoring credentials.

This ticket aims to determine if we should develop a new data model for identity credentials or if the existing Conformity Credential model will suffice.

[PatStLouis]

What would you see as an Identity Anchoring Credential? Would a business registration VC fit this category for an organization's identity credential? If so, my current train of thought is do provide this as a conformityCredential with a governance.compliance topic. It would say here's the proof that I'm a legal entity and here's my legal identifier provided by my jurisdiction.

What is the goal of the Identity Anchoring Credential discussed? (I was not part of meetings but will start to attend in the following weeks)

Is it related to trust? Would trust registries be related to this?

[swcurran]

We’ve been discussing this in the extended BC Team and @onthebreeze suggested we look at doing a PR into the Identifiers section about the concept of an Identity Anchoring Credential. I think it is a bit premature to do a PR, but have done a bit of thinking about it and have these ideas. I’m far from a Registries expert (although I have been working with BC Registries for a while), so others with greater experience are encouraged to weigh in on this one.

• An Identity Anchoring Credential should be resolvable for at least all verifiable credential issuers in the ecosystem.
• Whatever identifier that can be used to identify the issuer of a verifiable credential must be one element of the credential. For the most part that is a DID. In UNTP, can it ONLY be a DID, or do we have to make it more generic/flexible (e.g. URI)?
• What else should the schema of the credential include?
  • We should definitely canvas for prior work in this area. The DID is novel in this effort (a self-created identifier — not one assigned to the entity), but legal entities are assigned many identifiers by many authorities. And I’m sure that other groups working on parallel initiatives are investigating binding a DID to a legal entity.
  • In addition to the DID, the credential has to include some other identifiers about the legal entity, but how far do we go?
  • I think the Legal Name MUST be included.
  • An example of other possible information. This is what is in OrgBook BC about Hudbay Minerals Inc., and this is what GLEIF says about Hudbay. Its home registration is the Government of Canada Registry (presumably there is a link to that somewhere). An entity may have other well-known identifiers (S&P, D&B, etc.) as well. There is a lot of complexity here. I suspect we need the ability to include several identifiers, and for each, there should probably be the identifier, a URL to the registration of that identifier (if any -- or should it be dynamically resolvable), and the registering jurisdiction (government) or entity (industry).
    • Is there a vocab for this already?
  • It could (but I don't think it should) include additional registration information (dates, entity types, addresses, etc.). Date of creation perhaps, but I think we would want to avoid frequently changing dates (expiry, last updated, etc.). Of course by definition a date of issuance of the Identity Anchoring Credential itself would be included (per the VCDM).
  • Revocation support required? Optional?
  • I think there should be some sort of "Level of Assurance" as to the identity proofing done by the Issuer of the Identity Anchoring Credential. That in turn requires governance, and the Identity Credential issuer publishing their Governance Framework. A claim in the verifiable credential that is a link to the governance framework for the level of assurance done is appropriate.
• While Identity Anchoring Credentials are needed about legal entities, In the context of the UNTP, they are also requird about Governments issuers. I'm not certain, but I suspect that is novel work -- Governments having DIDs, and some "authority" attesting to the binding of those DIDs to the issuing jurisdiction. Further, Governments will not have a single DID for the entire government, but likely a hierarchy of issuers -- perhaps leading to the UN. This may even get into legislation for some jurisdictions.
• Trust Registries fit in this model, where a Trust Registry is the issuer of the Identity Anchoring Credential, as well as holding a human/API searchable registry of members.

I also think that this new credential type needs to be covered in the Architecture section of the UNTP -- which also means updating the beautiful pictures. OK to leave that off for now, but I think it will ultimately be needed.

[onthebreeze]

First draft is here https://jargon.sh/user/unece/DigitalIdentityAnchor/v/working/artefacts/readme/render