Standards are essential to ushering in a new world of TrustTech — here are some of the most important ones to know.
A lot of the value in digital identities and verifiable data is premised on the fact that they are generally accepted and highly interoperable. It should come as no surprise, then, that standards — which (in general) are designed to enable interoperability, scale, efficiency, and a level playing field — are core to TrustTech, underpinning the high-assurance relationships, transactions, and experiences that this technology brings to life.
At MATTR, we aren’t just active participants in standards bodies, we’re enthusiastic leaders. Wherever possible, our products leverage and support existing standards; where gaps exist, we propose improvements or develop new specifications with the technical community.
But for developers and wider organizations that aren’t immersed in it, the standards landscape — which spans the globe and has many entities and participants — can be intimidating. Our aim in this post is to provide an overview of some of the most noteworthy organizations and standards shaping the TrustTech space.
Note: if you’re looking for details on standards supported in MATTR products, please click here; if you’re looking for information on standards that will potentially be supported in future releases, please click here.
SDOs and relevant standards
Standards are created by Standards Development Organizations (SDOs). These organizations develop, publish, and disseminate technical standards for various industries and fields. Their work usually includes a blend of collaborative authoring of documents, working group meetings, interoperability events and face-to-face conferences and meetings.
MATTR contributes to these organizations through:
- Reviewing & editing: Collaborating on creating, updating, and maintaining standards documents
- Code sharing: Open sourcing our code lets the development community build on top of it (for example, our work on BBS signatures, which can be used to enhance privacy by enabling selective disclosure).
- Facilitation of and participation in interoperability events: Working with other vendors and different SDOs to test out capabilities and feasibility of emerging and existing standards.
- Implementation feedback: Using the standards in production enables us to provide hands-on experience feedback and recommendations
- Test reports: Results from ongoing testing can inform the standards community and highlight gaps
Within the TrustTech orbit, we help develop and participate in standardization efforts with:
International Organization for Standardization (ISO)
Dating back to 1946, in the optimism of a new era of global collaboration, the ISO was established to enable international standardisation. A true behemoth, the ISO is composed of over 170 national standards bodies and offers hundreds of different standards across a variety of domains.
Within this vast collection we have implemented a number of standards and technical specifications as part of our mDocs credential format and mDL solution capabilities:
- The 18013-5:2021 standard, which standardises certain aspects of Mobile Driver Licences (mDLs).
- The 18013-7:2024 technical specification which specifically addresses online presentation of mDLs.
- Parts 3 and 4 of the 23220 series (much of which is under development), which generalize the mDL standard to other Mobile Documents (mDocs).
OpenID Foundation (OIDF)
The OpenID Foundation was founded in 2007 specifically to address standards for federated login technology. If you’ve ever used a "Login with Google/Facebook/Twitter" single sign-on (SSO) widget, you leveraged and benefitted from an OpenID-based protocol.
Identity is a key contributor to trust, so identity standards are especially important to TrustTech.
In addition to supporting OpenID Connect (an interoperable authentication protocol based on the OAuth 2.0 framework) within the MATTR VII APIs, we have also implemented:
- OpenID4VCI, which leverages the OpenID protocol to support issuance of verifiable credentials (implemented as part of our OpenID4VCI workflows for all credential formats).
- OpenID4VP, which defines a mechanism on top of OAuth 2.0 that enables verifiers to request verifiable credentials and holders to present them (implemented as part of our mDocs online verification capabilities).
Internet Engineering Task Force (IETF)
The IETF was founded in 1986 and, following its mission to “make the Internet work better,” has grown into one of the premier internet SDOs.
Among the long list of IETF standards, the following are especially pertinent in a TrustTech context:
- Several standards that describe how to use JSON to represent different data elements:
  - JWE (JSON Web Encryption), implemented as part of our secure messaging capabilities.
  - JWK (JSON Web Key), implemented as part of our secure messaging capabilities as well as the OpenID4VCI workflow.
  - JWS (JSON Web Signature), implemented as part of our secure messaging capabilities as well as the OpenID4VCI workflow.
  - JWP (JSON Web Proof), an upcoming standard.
- HTTP Signatures, which enables secure exchange and verification of HTTP messages (implemented as part of our Webhooks capability, so that webhook subscribers can authenticate the source of a webhook).
- OAuth2, which is a protocol for managing resource access between different applications and/or users (OAuth2 is the framework used by OpenID4VP, implemented as part of our mDocs online verification capabilities).
We are also actively contributing to or leading a handful of emerging standards:
- OAuth Attestation-based Client Authentication, which extends OAuth2 by enhancing the security of interactions.
- OAuth Token Status List, which describes how to assess the status of tokens secured by JSON Object Signing and Encryption (JOSE) or CBOR Object Signing and Encryption (COSE).
- SD-JWT VC, which defines data structures and workflows for verifiable credentials whose payloads are structured using JSON Web Tokens (JWT).
- SD-JWT, which enables selective disclosure in payloads that are structured using JSON Web Signature (JWS).
- The BBS signature scheme which preserves user privacy by enabling selective disclosure.
World Wide Web Consortium (W3C)
The W3C was founded in 1994 to develop open web standards, with a specific focus on accessibility, internationalization, privacy, and security. Many of the foundational technologies used within web browsers are based on W3C standards, including HTML, CSS, WebAuthn, etc.
The W3C includes community groups, which pre-incubate standards before they progress to a working group level for final standardisation — we participate in groups of both types.
(Underscoring the hidden complexity of our interconnected world, at the time of writing there are more than 140 community groups and 43 open working groups!)
The following W3C standards are particularly relevant within the TrustTech domain:
- Digital Credentials API, which enables different applications to request, access and present digital credentials on behalf of a user as part of different online interactions. We believe this standard is of paramount importance in increasing adoption of verifiable credentials as part of online journeys.
- Decentralised Identifiers, which specifies the structure and usage of DIDs (implemented across our usage of DIDs to represent issuers, verifiers, and holders).
- Verifiable Credentials Data Model, which describes a data structure for representing verifiable credentials in a secure and interoperable way (implemented as part of our CWT and JSON credential formats).
- JSON-LD, which describes a general mechanism for publishing structured data on the internet using vocabularies like schema.org that can be connected together and interpreted by machines (implemented as part of our JSON credential format).
- Verifiable Credentials Data Integrity, which describes mechanisms for using cryptography to verify digital credentials and ensure they have not been tampered with.
- Verifiable Presentation Request Specification, which defines a query protocol for requesting credentials from digital wallets (implemented as part of our JSON credential format presentation capabilities).
Decentralized Identity Foundation (DIF)
The DIF was founded in 2018 to develop the foundational elements needed to establish an open and interoperable ecosystem for decentralized identity.
At the time of writing, the DIF has 10 working groups, with three being particularly relevant:
- Secure data storage: Encrypted storage to protect users’ data in back-up use-cases
- Applied Cryptography: The application of cryptographic methods and principles, mainly to help protect user-data and prevent eavesdropping and data tampering — one of our main areas of involvement with the DIF is around the BBS signature suite (we’ve implemented BBS2020 to enable selective disclosure in our JSON credentials format).
- DIDComm Messaging: Establishing a secure messaging protocol that leverages modern cryptography without being bound to a specific vendor
Turning our attention back to technical specifications, the most relevant ones are:
- Presentation Exchange, which describes a way for verifiers to securely interact with holders when requesting and verifying verifiable presentations (we implement a profile of this standard in our mDocs online presentation capability as per ISO/IEC 18013-7:2024).
- DIDComm Messaging, which describes a messaging protocol on top of DIDs (we’ve implemented it across various messaging workflows including issuance offers and presentation requests).
- Well Known DID Configuration, which describes the data format required for proving the relationship between the controller of an origin and a DID via cryptographically verifiable signatures that are linked to a DID's key material (we’ve implemented it across our usage of DIDs to represent issuers, verifiers and holders).
Wrapping up
Standards are a core part of our work at MATTR, and we’re committed to leveraging and supporting existing standards — as well as helping to develop new specifications as TrustTech evolves.
This commitment ensures our solutions are — and will remain — at the cutting edge of technology, security, and compliance, allowing our customers to focus on solving problems that matter to them.
Please visit our Standards and Community page to learn about MATTR's open standards, open source contributions, and community projects that inform our product development.
To learn more about what our standards-based solutions can do for you, please get in touch.