By Nicole Roy, Internet2 and Kevin Hickey, University of Detroit-Mercy
Estimated reading time: 4 minutes
New InCommon Working Group Explores Next-Generation Credentials Trust Frameworks
The Internet2 Community Architecture Committee for Trust and Identity (CACTI) is continuing the work started last year with the community’s initial exploration of possible uses for what CACTI calls “next-generation credentials”: Credentials which exist within a new wallet-based ecosystem that positions users at the center of the digital identity landscape, empowering them with control and insight which they have not previously had over who, what, and when aspects of their digital identity are used.
Within this context, CACTI seeks to understand the role of a federation operator, like InCommon, in this new environment. To that end, CACTI has chartered a new “Next-Generation Credentials Trust Frameworks” working group (Join the group.). The new working group will begin with use cases collected last year as the foundation for further investigation of how a strong trust backbone comes into play in a next-generation credentials identity ecosystem.
Identifying Use Cases
Last year’s community working group collected use cases for “next-generation credentials” that highlighted some of the potential benefits the technology could offer to the research and education community.
- Students are issued a credential by their institution that asserts among other attributes, their status (e.g. full-time, part-time, graduated). The credential can be presented by the students autonomously anywhere their status must be proven, such as getting a student discount, releasing only current status.
- An institution issues a credential containing an academic transcript to the owner of the transcript. The holder of the credential can directly present it when required, to a potential employer for example, without the issuing institution or additional intermediary involvement, preserving the holder’s privacy of action.
- An institution’s registrar is asked to provide documents demonstrating the university’s compliance with federal regulations. The individual uses a credential issued by the institution that can be verified authentic, asserting the individual’s identity and status as University Registrar to authorize the submission.
- As a researcher, my institution issues me a credential that allows me to use the state’s HPC center for 1,000 CPU hours
- As a student, I ask my professor to create a credential about me that allows me to enroll in a specialized training program. The training center can validate the professor’s statement without having to trust email or similar.
- As a student, I would like to make self-assessments about my abilities and experiences and request that my professors and peers endorse me.
Understanding the Next-Gen Role of Federation Operators Like InCommon
While strong drivers, including enhanced privacy and security, user empowerment and experience, and new non-web-based modalities exist for the use of these new forms of identity, the basis for creating a strong trust backbone, which exists in today’s federated single sign-on services was not clear. CACTI seeks to understand the role of a federation operator, like InCommon, in this new environment. To that end, CACTI has chartered a new “Next-Generation Credentials Trust Frameworks” working group to help define a high-level architecture and technical requirements for a proof-of-concept deployment of next-generation credential technologies within the InCommon trust environment.
The group started meeting in July and has participation from the Americas, Europe, and Asia/Pacific regions. The group is working with GÉANT and the eduGAIN architecture team to understand the possibilities and requirements. The group is currently considering draft standards and profiles in the OpenID/OpenID Connect portfolio as well as exploring the potential need for and requirements of an educational wallet. If you have an interest in technology that is expected to play a significant role in the future of digital identity management, you are encouraged to join the working group by completing this form.
About CACTI
The Community Architecture Committee for Trust and Identity (CACTI) is a standing architecture strategy group of community members chartered by Internet2’s Vice President for Trust and Identity. Margaret Cullen of Painless Security and Kevin Hickey from the University of Detroit-Mercy serve as the current chair and vice chair respectively. CACTI members include a broad representation from research and education. Minutes and additional information are available on the CACTI wiki.