w3c / did-use-cases

Decentralized Identifier Use Cases and Requirements v1.0
https://w3c.github.io/did-use-cases/

Adds use case "Public authority identity credentials (eIDAS)" #112

Closed peacekeeper closed 3 years ago

peacekeeper commented 4 years ago

Also adds requirement "Legally-enabled identity".

Addresses https://github.com/w3c/did-use-cases/issues/102.



peacekeeper commented 4 years ago

Written by @ewagner70 with some small edits by myself.

agropper commented 4 years ago

Happy to try, but can someone point me to the best way to see the proposal and comment? Sorry, I'm still learning elementary GitHub and ReSpec.

ewagner70 commented 4 years ago

@peacekeeper @agropper: just a question - did the PR go through?

jandrieu commented 4 years ago

Quick note: We are going to accept this, but we are going to add a bit of human story to anchor it to a specific person doing a specific thing. If you're curious what I mean, I have a few issues for other sections #107 #106 #105 #109 #110 that do something similar.

We'll take that on, but if you beat us to it, that'd be great too.

philarcher commented 3 years ago

I think we already have this use case, but by a different name. The Digital Permanent Residence card use case could be amended slightly to read as follows. This is in need of review by people familiar with eIDAS and ESSIF please - there is way too much guesswork in what I've proposed here, but you get the idea I hope. We have the human-centred story, we just need to bring in the European angle. Hence a flag for @peacekeeper. Thanks Markus.

Sam is a long-term immigrant to the United States and is applying for Permanent Resident status from the Citizenship and Immigration Services (USCIS). His application includes multiple pieces of evidence including his record of citizenship in the country of his birth, Slovenia, his master's degree from the University of Ljubljana, and his credit history with the Unicredit Banka Slovenija. Each credential is made available using credentials compliant with the European Union's Electronic Identification, Authentication and trust Services regulation (eIDAS). However, thanks to the European Self-Sovereign Identity Framework (ESSIF), rather than submitting three separate credentials, Sam is able to simply provide his DID through which each credential is available as a service endpoint.

Since the credentials come from highly trusted sources through a highly trusted mechanism, Sam receives his notice of Permanent Resident status. Along with his notice are directions for downloading and using a digital version of his physical card, including a one-time activation code. After getting a digital wallet, he visits the USCIS website, signs in, and uses his activation code to get a digital credential. His wallet provides a DID to the website and demonstrates control over the DID to prove to USCIS that the identifier is under Sam's control. USCIS issues a newly minted digital credential with the subject identifier set to the provided DID.

Now, Sam can use that digital credential anywhere by demonstrating the same proof of control to provide a specific level of identity assurance, anchored in the cryptography of the proof-of-control ceremony. Verifiers of that credential can cryptographically verify both the authenticity and origin of the credential itself—it can be proven that it was issued by USCIS and unchanged since then—AND it can verify that the presenter of the credential still controls the identifier.

ewagner70 commented 3 years ago

@philarcher: in general, you're right that the permanent residence card is a sub-sub-sub-case of the proposed KYC use case (as it not only comprises basic identification, but also due diligence with up to 50 additional different attributes). I would recommend to

peacekeeper commented 3 years ago

@philarcher I think you have found an interesting way to combine these two use cases in a single story, but I would still argue that they are different use cases.

Besides this difference, there's also a subtle political aspect. eIDAS/ESSIF is about empowering European citizens and allowing them to obtain digital sovereignty. Please don't get this the wrong way, but I have to mention that one reason (among several) why there is such strong interest in SSI and DIDs is the experience of mass surveillance by (primarily) the U.S. government and surveillance capitalist practices by (primarily) U.S.-based corporations such as Facebook and Google. If we now write a use case that says "ESSIF is good for making it easy for Europeans to immigrate to the U.S.", then that could be understood by some as disrespectful to what ESSIF is really meant for.

I understand this argument could be dismissed on the basis that the Use Cases document isn't concerned with such political opinions. But still I wanted to bring it up, since the messaging behind use cases matters too. And as I said in the beginning, I think that even when we leave the politics aside, the use cases still feel sufficiently different.

I'd be happy to work on improving this use case by adding a better human story element!

jandrieu commented 3 years ago

@philarcher I agree with @peacekeeper on this one. I think the value of specifically highlighting eIDAS integration in a European context is important.

@peacekeeper If you could take a stab at a human story, I'd be happy to iterate on it with you and get it pulled in.

philarcher commented 3 years ago

Points noted, thanks all. I've assigned this to Markus just to keep things going. If you can bash out a human story for eIDAS I'll delete this PR and create a new one from your words. Thank you.

peacekeeper commented 3 years ago

@philarcher and @jandrieu, per our discussion above, I completely re-wrote the use case to add a human story. Could you review again?