The partners in this project are Crossword Cybersecurity Ltd, Fraunhofer FHG and Spruce Systems, Inc.
Today identity theft is rife. The five-month Next Generation SSI Standards project, which ran from July to November 2022, has helped to strengthen the trustworthiness of the Internet by issuing people with standardised, cryptographically verifiable credentials that allow relying parties to strongly identify them. Verifiable credentials remove the need for relying parties to hold usernames and passwords, thereby significantly reducing the opportunities for identity theft. Interworking tests have been carried out between Europe (Crossword Cybersecurity and Fraunhofer) and the USA (Spruce Systems), as well as with JFF Plugfest participants. We have used existing infrastructures wherever possible, such as the eIDAS trust lists and the OpenID for Verifiable Credentials (OpenID4VCs) extensions to the widely deployed OpenID Connect protocol suite, thereby increasing the likelihood of wide-scale adoption of SSI. The results of this project are publicly available here and on the NGI Atlantic web site.
Resources
Because the OIDC4VCs suite of protocols contains many different options and possibilities, we have defined some simple profiles for credential issuance (OpenID4VCI) and credential presentation (OpenID4VPs). These profiles are used in our interworking tests and test suites.
We have developed two test suites:
- Postman tests that send simple request messages to issuers, wallets or verifiers, and expect a certain message in return.
- OIDC Conformance tests that in addition act on redirects, e.g. a smartphone browser sends a message to a Verifier tester and receives a redirect back to the smartphone wallet, which then returns a verifiable presentation to the Verifier tester.
Protocol Details
We are using a profile of the OpenID4VCI protocol to request credentials from issuers, and a profile of the OpenID4VPs protocol for presenting credentials to verifiers.
Draft versions of the OpenID4VCI protocol and OpenID4VP protocol are available from the OpenID Foundation.
The profiles of the verifiable credentials and verifiable presentations that our issuers and wallets produce are available here.
Project Overview
Experience has taught us that for wide user acceptance of any new technology, evolution is more successful than revolution, and building on existing infrastructures and standards is more successful than trying to replace them with completely new ones. The world has many examples of innovative technologies failing because they did not use the existing infrastructure and standards, e.g. early electric cars failed because gas/petrol stations could not recharge them, so hybrid cars were invented.
Self-Sovereign Identity (SSI) is a new paradigm, with new technologies and concepts, specifically: verifiable credentials (VCs) and decentralised identifiers (DIDs). In order to minimise the learning curves for new users and administrators, and improve user acceptance, we are building our SSI infrastructure on existing infrastructures wherever possible. This means that for trust infrastructures we are using X.509 PKI and ETSI Trust Lists (as specified by eIDAS), rather than blockchains, as this leverages the existing, ubiquitously adopted Internet trust infrastructure (as do the EU COVID-19 certificates). Blockchains may eventually become the predominant trust infrastructure, but in order to kick-start SSI, including the European Digital Identity Wallet, we believe that PKIs should be the initial trust infrastructure. The incorporation of trust federations into SSI, using ETSI Trust Lists and the DNS, was designed and implemented in the eSSIF-Lab TRAIN project by our project partner Fraunhofer.
Given that OpenID Connect (OIDC) is a widely deployed and understood federated identity management system, we adopted the extensions that we are currently helping to specify (OIDC4VCI, OIDC4VPs and SIOPv2, collectively known as OIDC4VCs) as our transfer protocols for SSI identity management. This follows our principle of evolution rather than revolution.
Because the standards we have utilised (W3C Verifiable Credentials Data Model, Decentralised Identifiers and OIDC4VCs) are either new or still under development, there are many ambiguities, errors and omissions in them that need to be corrected. Independently implementing these (draft) standards in Europe and the USA, and performing interworking tests between the continents, helped us to identify many of these issues and to suggest corrections to the standards organisations. During the course of the project we recommended over a dozen changes to the draft OpenID4VC specifications.
Useful SSI functionalities that currently are not standardised:
- the use of ETSI trust lists for scaling trustworthiness,
- the support for Levels of Assurance of user authentication,
- end to end encryption of confidential credentials,
- multiple signatures on credentials.
We implemented the first two of these additional functionalities during the project, and designed the last two but had insufficient time to implement them. We reported on our achievements to the standards bodies so that they can be considered for standardisation in due course.
The objectives of this project were:
- to perform interworking experiments between Europe and the USA,
- to report our results to the relevant SDOs.
The interworking tests covered the following features:
- credential issuing and presentation using the latest OpenID4VCs drafts,
- using JWT-proofed VCs, which are ambiguously specified in the current W3C VCDM v1.1, so we needed to resolve these ambiguities,
- using Fraunhofer’s TRAIN infrastructure for trust scalability,
- using eIDAS LoAs, when RPs require different LoAs before accepting VCs from users.
The value of this project to EU and US citizens, our end users, is the following:
- hastening SSI products to market that conform to internationally agreed standards,
- allowing digital wallets from one supplier to internetwork with credential issuers and credential verifiers from different suppliers, providing users with more choice,
- providing users with increased security and privacy when accessing services using their digital credentials compared to today’s federated identity management market, in which the identity providers learn far too much about their users’ use of the Internet.
Participate
Even though the project has officially finished, it is still not too late for you to join us and test your implementation against ours, or against our test infrastructures. If you would like to participate, please do not hesitate to contact us:
David Chadwick: d.w.chadwick@crosswordcybersecurity.com
Oliver Terbu: oliver.terbu@spruceid.com
We have created a table where others can enter the details of their implementations to allow n to n testing. If you would like to add your details please email us with them.
We have a test IdP web site running which will allow you to test any type of wallet by connecting to this web site with a browser. Enter the username “user” and password “password” to log in.
We have a test RP web site running which will allow you to test any type of wallet by connecting to this web site with a browser. This web site will provide your wallet with a request for a vp_token, using the DIF Presentation Exchange v2 specification.
The Postman tests that send simple request messages to issuers, wallets or verifiers, and expect a certain message in return, are publicly available, so that you can test your own implementations yourself.
©2022- Crossword Cybersecurity