Creating a future-fit solution for digital trust with Credential Profiles
In part one of our series, Demystifying the EUDI ARF, we explained some of the key features of the European Digital Identity Architecture and Reference Framework (EUDI ARF) for digital wallets. We discussed a protocol for credential issuance suggested in the framework, OpenID for Verifiable Credential Issuance (OpenID4VCI), and how MATTR is using and building on this protocol in our products.
In this part, we will dive deeper into the standards that the EUDI ARF recommends for individual credentials and how MATTR is using our Credential Profiles to help customers like you navigate this ever-evolving standards landscape.
In part two we’ll discuss:
- Credential configurations within the EUDI ARF
- MATTR’s standards-based Credential Profiles
- Our Credential Profiles in the context of the EUDI ARF
- A look ahead at some of the work still to be done
Credential configurations in the EUDI ARF
As we discussed in part one, the EUDI ARF was tasked with making recommendations for a digital wallet that could meet varied needs. Some organisations would want to use the wallet for things like high-assurance personal identity credentials and driver’s licences, which have different requirements from credentials such as academic transcripts.
Additionally, many technologies have emerged that can generate a digital credential, each with pros and cons for different use cases.
As a refresher, the EUDI ARF defines two classes of data that are relevant to the EU ecosystem. These are Person Identification Data (PID) and Qualified Electronic Attestations of Attributes (QEAA). We can think of PIDs as “core identity documents”. The (QEAA) class encompasses a broader definition of credentials from both “trusted issuers” as well as “non-trusted issuers”.
The framework recommends that digital wallets support two types of credential configurations, which each map roughly to the two classes of data identified above:
- Type 1: For credentials where the relying party, or verifier, needs a high Level of Assurance (LoA), i.e., where PID is required to ensure authenticity.
- Type 2: Designed to enable flexibility and additional feature support for credentials that cannot be met by Type 1 configurations. This type would work best for cases where QEAA is enough to ensure validity, without the need for PID.
The EUDI ARF also lays out which technologies or standards these two types of configurations should be built upon. These standards have been developed collaboratively at global organisations and aligning wallets around them is a key to ensuring interoperability between wallets and credentials.
Introducing Credential Profiles
We talked in part one about MATTR’s involvement in international standards organisations and our commitment to a standards-first approach in our best-in-class products.
To simplify the complexity of the deep-tech layer and help customers to understand how different technologies may meet their use case requirements, we have created the concept of “Credential Profiles” for MATTR platforms. Credential Profiles combine information about people, organisations or things with a unique digital signature to produce a digitally verifiable credential that can be shared and stored securely.
Credential Profiles can be built on different architectural choices and technology stacks, like the ones we’ve discussed above. These choices depend on factors such as the type of data they need to include, the level of assurance required and the journeys and modes where credentials will be presented and shared.
We currently support two Credential Profiles on our platforms:
- Web Credentials: digital-first credentials that can include rich data beyond text, such as images. They can be bound to a subject to provide identity assurance and can include context with the data to allow for portability across institutions and jurisdictions. They can also be presented remotely in a digital channel.
- Compact Credentials: share authentic information embedded in a QR code. Compact Credentials work well when you want to be sure the information is authentic, but don’t need high identity assurance. They are also very important to support digital inclusion and can be printed on existing documents in a paper-based form.
This year, we are working on supporting a third credential profile – Mobile Credentials, based on the International Organization for Standardization (ISO) 18013-5 standard, that is noted in EUDI ARF. Mobile Credentials will provide high identity assurance for person-to-person presentations. While the format was born from digital driver’s licences, it has applications for other types of documents.
Some of these Credential Profiles broadly map to the types of configurations laid out in the EUDI ARF.
How can you use MATTR’s Credential Profiles with EUDI ARF recommendations?
Let’s break down how the standards we support through our Credential Profiles map to the two types of credential configurations in the EUDI ARF we discussed earlier.
Type 1
In the EUDI framework, Type 1 credentials must be supported by two types of formats or data models. The first is based on W3C Verifiable Credentials (VCs) and is the SD-JWT format, which is currently being drafted at IETF. The second is the ISO 18013-5 standard, sometimes referred to as mDoc/mDL. As we further develop MATTR’s platforms, we are supporting these formats in a couple of ways:
- The MATTR approach to Credential Profiles creates a path for our platforms to handle multiple credential formats – in the same user journey and wallet experience. We are actively building support for mDocs within our platforms to support the ISO 18013-5 standard.
- We are involved at IETF to help define the future of JOSE-based credential formats (like JWP and SD-JWT) and their relationship to existing and emerging JOSE standards including JWS and JWE. We are committed to working within the standards communities to provide implementation clarity and evaluate how these formats can show up in future MATTR Credential Profiles.
Type 2
The recommendation for Type 2 credentials takes a slightly different approach and provides multiple credential formats as options. The document suggests that the digital wallet solution mandates the use of at least one of the following credential format options: SD-JWT, mDoc/mDL (ISO 18013-5), and the JSON-LD/LDP variant of W3C VCs.
We have always been fans of the JSON-LD VC format at MATTR, and it was the very first credential profile we supported. This is the technology that powers our Web Credentials profile. As we expand our Credential Profile offering to include Mobile Credentials and the emerging JOSE-based format designed to enable selective disclosure, customers will have even more options for configuring credentials.
Read more about Credential Profiles and how they can power your verifiable data solution.
Looking ahead
The EUDI ARF draft, published last month, signals a directional intent that will, no doubt, undergo further refinement as we continue to see convergence around a common set of standards.
A few key considerations going forward include:
- The ongoing work at the Internet Engineering Task Force (IETF) to deliver a standards-based way to do selective disclosure leveraging approved cryptographic algorithms and standards (i.e. SD-JWT and JWP).
- The OpenID-based presentation protocol (OpenID4VP) continues to be developed at the OpenID Foundation (OIDF)) and there remain a number of challenges to clarify at the specification level.
- Approaches to cryptographic key storage. Powerful cryptographic schemes such as BBS present an innovative and forward-looking direction for credential systems, however, will be challenging to use with the current iteration of the framework. At MATTR, we are continuing to develop BBS as a world-class cryptographic primitive that enables the use of privacy-respecting proofs as well as using BBS keys with a JOSE-based format such as JWP for selective disclosure. We welcome consideration of such schemes in future iterations of the EUDI ARF.
Our standards work continues. We’re engaged at the OpenID Foundation to continue developing common issuance and verification protocols that can work across different MATTR Credential Profiles; we’re taking part in several working groups at IETF to advance cryptographic schemes and credential formats for selective disclosure; and we’re liaising with ISO working groups to develop protocols that can easily work with mDocs and mDLs as well as other formats in the market.
We are also heavily investing in the future of MATTR Credential Profiles with our product roadmap with an emphasis on simplicity and powerful functionality.
Sign up to our newsletter to receive ongoing updates from MATTR, or contact us to discuss how we can support you.