By Nicole Roy, InCommon Director of Technology and Strategy
Consider these scenarios:
- A university is hosting a students-only dance marathon. Students need to prove that they are actively enrolled to get into the event.
- A researcher at the University of Colorado is on a grant to study the molecular biology of a species of tumbleweed and needs access to a facility at Colorado State University.
- An employer needs to verify a prospective employee’s college diploma and/or transcript.
These use cases are handled today by legacy methods that run the gamut from plastic student ID cards, metal keys, and paper transcripts, which must be physically presented or used, to electronic methods such as shipping large documents around the network. None of the present electronic solutions puts the student, faculty, or staff member in a position to play a critical (and privacy-preserving) role in the decision-making process.
As the landscape of electronic identity shifts away from highly centralized, federated web single-sign-on infrastructures to a user-centric identity ecosystem, members of the InCommon and REFEDS community wanted to understand if, why, and how the research and education (R&E) identity and access management (IAM) ecosystem needs to grow and adapt to this new environment and set of expectations.
How Did the Community Members Move Forward?
Last year, the Internet2 Community Architecture Committee for Trust and Identity (CACTI) formed a Next-Generation Credentials Use Cases Working Group, chaired by Dan Taube of Illinois State University and Kevin Hickey of the University of Detroit-Mercy, to explore community use cases for what CACTI calls “Next-Generation Credentials.” (Read the working group’s final report.)
Twenty-nine community members came together and distilled 33 different use cases, which span the gamut of authentication, authorization, and representation of different attributes associated with the many personas a person may present or use within the context of research and education. The working group’s final report makes a series of recommendations for next steps, including the formation of a new “trust registries for next-generation credentials” working group, which is in the process of being chartered by CACTI. In the meantime, the group has developed a definition of next-generation credentials and identified four key characteristics for an ecosystem in which they are widely used.
What Are Next-Generation Credentials?
Next-generation credentials are emerging technology that empowers credential holders to choose what identity they assert, at what time, with what relying party/verifier, and what types of information they disclose. This type of user-centric identity ecosystem is known variously as “self-sovereign identity,” “verifiable credentials,” and “wallet-based credentials,” etc.
Further, a next-generation credential is a machine-verifiable method of conveying information about an entity (a natural person, system, organization, etc.), either self-asserted by that entity or attested about that entity from:
- An issuer. In the case of physical access to university spaces, this might be the facilities services group of a university
to
- A verifier. This might be a card reader on a door or a mobile device held by a public safety officer in the above example
by means of
- A wallet, which is a secure piece of software on a user’s phone or other computing device, capable of rich interactions, policy-based calculations, and controlled disclosure of information on behalf of a user
controlled by
- A holder, in this case a person wanting to gain access to a sensitive physical space. This actor could be a person or a system.
Less formally stated, it is a bundle of attributes about a subject, such as birth certificate, driver’s license, campus ID card, door access list, source of role information about a project or job, professional certification, or academic degree or badge, which can be presented by the owner when required. The critical difference in a next-generation credential ecosystem is that the service provider no longer receives credentials from the issuer but from the user directly.
Further, a wallet is able to perform advanced privacy-preserving and secure activities based upon homomorphic encryption (encryption where the result can be computed without decrypting the data itself), such as telling a point-of-sale system that a person is “21 years of age or older” without revealing anything else about the person, even though the wallet holds the person’s date of birth only in encrypted form.
What Are the Key Characteristics of a Next-Generation Credential Ecosystem?
Based on its definition of next-generation credentials, the group recognized that for them to reach their full potential the goals, design, and operation of a next-generation credential ecosystem must be transparent and consider four key characteristics:
- Interoperability – Next-generation credentials must be interoperable globally, and across sectors. Industry tends towards building non-interoperable ecosystems. CACTI should consider participating in existing efforts to standardize in this space as well as pushing for more standardization where it is lacking.
- The trust model – Next-generation credentials will likely require the adoption of a new trust model, and certainly a new trust infrastructure or infrastructures. A trust model is the framework which ensures that transactions can take place safely, securely and in a privacy-preserving manner, and enforces policy and legal requirements over the network of participants (verifiers and issuers).
- Revocability – Next-generation credentials must be revocable. That is, they must be able to be marked as invalid. Credentials may have a defined lifespan upon issuance or expire upon future conditions agreed upon by both issuer and holder. Revocation is also required in cases where events necessitate reissuance of credentials, and where individual data elements have been invalidated and need to be re-issued.
- User Experience – Next-generation credentials place a responsibility on users to verify and trust both issuers and verifiers. The user experience must let users easily understand what they are being asked to disclose, by whom, for what purpose, and with what scope and constraints; the verifier must then react flexibly to a user’s bona fide and informed decisions and accommodate the user’s preferences.
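The issuer / wallet / holder / verifier exchange described in the definition above, together with the trust-model and revocability characteristics in this list, as an added Python example. It is not code from the working group, CACTI, or InCommon. It uses salted-hash selective disclosure (the pattern SD-JWT uses) rather than the homomorphic encryption the post mentions: the issuer signs only a commitment to each claim, the wallet reveals the salt for just the claims the holder chooses (here “age_over_21” but not “birth_date”), and the verifier recomputes the commitments, looks the issuer up in a trust registry, and consults a revocation list. Everything is an assumption for illustration: the issuer name, the credential id, the claim names, and the use of HMAC (standard library only) as a stand-in for the public-key signature a real issuer would produce.

```python
import hashlib
import hmac
import json
import secrets


def claim_digest(salt: str, name: str, value) -> str:
    """Commitment to one claim: SHA-256 over [salt, name, value].
    The per-claim salt stops a verifier from guessing a hidden
    low-entropy value such as a birth date from its digest."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


class Issuer:
    """Issues credentials and answers status queries.
    Assumption: HMAC stands in for a real digital signature; a production
    issuer signs with a private key and verifiers fetch the public key
    from a trust registry."""

    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)
        self._revoked = set()

    def _sign(self, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue(self, cred_id: str, claims: dict):
        # One random salt per claim; only the digests enter the signed payload,
        # so the signature covers every claim without exposing any of them.
        disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
        digests = sorted(claim_digest(s, n, v) for n, (s, v) in disclosures.items())
        payload = {"iss": self.name, "id": cred_id, "digests": digests}
        return {"payload": payload, "sig": self._sign(payload)}, disclosures

    def signature_valid(self, credential: dict) -> bool:
        return hmac.compare_digest(self._sign(credential["payload"]), credential["sig"])

    def revoke(self, cred_id: str) -> None:
        self._revoked.add(cred_id)

    def is_revoked(self, cred_id: str) -> bool:
        return cred_id in self._revoked


class Wallet:
    """Holds credentials plus their salts and builds presentations that
    reveal only the claims the holder chooses."""

    def __init__(self):
        self._store = {}

    def store(self, credential: dict, disclosures: dict) -> None:
        self._store[credential["payload"]["id"]] = (credential, disclosures)

    def present(self, cred_id: str, reveal: list) -> dict:
        credential, disclosures = self._store[cred_id]
        return {"credential": credential,
                "disclosed": {n: disclosures[n] for n in reveal}}


class Verifier:
    """Checks a presentation against a trust registry (issuer name -> Issuer)."""

    def __init__(self, trust_registry: dict):
        self.trust_registry = trust_registry

    def verify(self, presentation: dict) -> dict:
        cred = presentation["credential"]
        payload = cred["payload"]
        issuer = self.trust_registry.get(payload["iss"])
        if issuer is None:
            raise ValueError("issuer not in trust registry")
        if not issuer.signature_valid(cred):
            raise ValueError("bad signature")
        if issuer.is_revoked(payload["id"]):
            raise ValueError("credential revoked")
        claims = {}
        for name, (salt, value) in presentation["disclosed"].items():
            # A disclosed claim is accepted only if its commitment is in the signed list.
            if claim_digest(salt, name, value) not in payload["digests"]:
                raise ValueError(f"disclosed claim {name!r} not covered by signature")
            claims[name] = value
        return claims


def demo() -> dict:
    """Issue a constructed campus credential, present only age_over_21,
    then show that a forged claim and a revoked credential are rejected."""
    registrar = Issuer("registrar.example.edu")  # constructed issuer name
    verifier = Verifier({registrar.name: registrar})
    credential, disclosures = registrar.issue(
        "cred-0001",  # constructed credential id
        {"enrolled": True, "birth_date": "2001-05-14", "age_over_21": True})
    wallet = Wallet()
    wallet.store(credential, disclosures)
    presentation = wallet.present("cred-0001", reveal=["age_over_21"])
    out = {"disclosed": verifier.verify(presentation),
           "birth_date_in_presentation": "birth_date" in presentation["disclosed"]}
    forged = wallet.present("cred-0001", reveal=["enrolled"])
    forged["disclosed"]["enrolled"] = (forged["disclosed"]["enrolled"][0], "forged")
    try:
        verifier.verify(forged)
        out["forgery_detected"] = False
    except ValueError:
        out["forgery_detected"] = True
    registrar.revoke("cred-0001")
    try:
        verifier.verify(presentation)
        out["revoked_rejected"] = False
    except ValueError:
        out["revoked_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The verifier never sees the birth date or the enrollment flag, only the digests that commit to them, which is the “service provider receives the credential from the user, not the issuer” property the post describes. The trust registry is the minimal form of the trust model: an issuer absent from it is rejected before any cryptography runs, and the status query to the issuer is the revocation hook.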
Our work to understand this emerging ecosystem is just beginning, and we are closely following the work of colleagues in the European Union (which has a mandate to enable these technologies in each member state by 2026) and elsewhere. To learn more, read the group’s final report.
By Community, For Community
As noted in the charter of the Next-Generation Credentials Use Cases Working Group, “…we need to understand the use cases and drivers for adoption of these technologies, from the perspective of our diverse user communities: learners, teachers, researchers, administrators, [and] alumni, etc.”
“It is not possible for CACTI members, in isolation, to derive meaningful or all-encompassing use-cases without the strong participation of a larger community of practitioners and users.”
We encourage you to engage in our dialogue about this important topic. Read the working group’s final report and consider joining the upcoming working group as well.
About CACTI
The Community Architecture Committee for Trust and Identity (CACTI) is a standing architecture strategy group of community members chartered by Internet2’s Vice President for Trust and Identity. Margaret Cullen of Painless Security and Kevin Hickey from the University of Detroit-Mercy serve as the current chair and vice chair respectively. CACTI members include a broad representation from research and education. Minutes and additional information are available on the CACTI wiki.