A major milestone
OpenID for Verifiable Credentials recently won an award at the 2024 European Identity and Cloud (EIC) conference for Future Technologies and Standards. It was a validation of the immense amount of work done over the last three years on the OID4VCI and OID4VP specs. While the work is not yet finished, I thought this was a good opportunity to reflect on the journey to date and where we go from here.
Standing on the shoulders of giants
There are no solo ventures in standards work and these specs are no different. While we have a committed, brilliant group of individuals involved in this effort, the foundation for this spec was laid long before this current effort began.
The conceptual development around OID4VCI specifically started back in 2017, when a few of us from the technical standards community started working on client-bound assertions. Building cybersecurity-related protocols is a massively complicated undertaking which requires a wealth of bright minds and concentrated expertise that can come from multiple sources.
We had all seen the rise of OIDC and OAuth into IAM industry standards. Developing protocols on top of or in proximity to these specifications, we were able to access solid, fundamental expertise. Developing good standards is all about people. Without strong input from a variety of seasoned experts, it's easy to develop blind spots. When it comes to identity, authentication, authorization, and standards-based technologies, it's hard to find a more mature community than the one surrounding the OIDC and OAuth protocols. Leveraging the previous work and existing expertise, we forged ahead, building on top of a solid foundation.
Watching and learning from the OIDC and OAuth journey, one of the first unwritten philosophies driving much of this work emerged - re-use technology where possible, and only invent new things when required. When it came to OID4VCI, there was one key realization that I believe has helped forge consensus: verifiable credential issuance can be modelled as the process of delegated authorization:
- The party requesting authorization is the user's wallet.
- The resource the wallet is requesting authorization to is the user's credential(s).
- The credential issuer is the party acting to authorize the wallet with the consent of the user.
It quickly became clear that building OID4VCI on top of OAuth2, which is an industry standard protocol for handling delegated authorization, was the wisest choice.
Keep the simple things simple and make the complex possible
The success of the working group to date can be attributed to a few key processes and decisions that were made early on.
The approach was to employ a big tent philosophy. At the outset, we deliberately embraced as many different communities and features as we could. This was necessary for experimentation and open discussion. Limiting these conversations at earlier stages could have resulted in a significant downstream effect, and we wanted to avoid the consequences of stifling discussion. Instead, we fostered an environment where we encouraged sharing of perspectives from many different communities, developing a more complete understanding of the problem space.
This ended up being a key factor for success because it served an important coalescing function. Through the working group collaboration, communities found a forum to share ideas and discovered opportunities for alignment. Cycles of innovation and an iterative approach led to the convergence of ideas and several new important protocol features emerged to accommodate diverse needs.
It is important to understand that the messy beginnings of standards discussions are only a phase. It is where you look to embrace all options and choices to create a forum for discussion. It is not the end state. It is how you build consensus and momentum.
That momentum led to another phase - continued simplification. This is where we are now. Often, we overestimate how much implementors understand regarding complex specifications. Our goal is safe, secure adoption with a view towards interoperability and stability. How we get there is to keep the simple things simple and make the complex possible. As we work towards a final spec, we are aiming to further simplify and ease adoption. More options are not always better and a robust, simple, interoperable spec that can be more easily implemented will always be a better choice than something that may have more features but is difficult, if not impossible, to implement and use.
Where do we go from here
While last week’s award was gratifying and solid validation of our work, the journey does not end here. There are still many checks, drafts, stabilization, testing, and feedback rounds that need to be conducted before we reach a final standard. That milestone is in sight, since there are a couple of key drivers pushing this along.
These protocols are slated to be included in the forthcoming eIDAS2 legislation. This legislation is an important milestone in the journey for digital credentials and these credentials need to be in place and stable as that legislation goes into effect.
Once the standards are finished, certification will become critical. As legislation comes into effect in Europe and other jurisdictions, technology platforms must be certified to prove and validate that they are standards compliant. This is a maturity milestone that must be in place before widespread adoption can take place.
Speaking of jurisdictions, many large governments are looking at credentials as a landscape of opportunity in terms of cross-border interoperability. Immigration and travel can be stressful and time-consuming with respect to IDs and credentials. These verifiable credentials protocols and standards offer an interesting opportunity to realize some extremely critical use cases.
Beyond core standards, we look to credential profiles. As was done with FAPI in OIDC, profiles will need to be developed around core government credentials; an early example of this is HAIP.
It takes a community
Before signing off, I want to say thank you to the working group involved in this process. This could not have been possible without the tireless efforts of Torsten Lodderstedt, Kristina Yasuda, Oliver Terbu, Joseph Heenan, Paul Bastian, Mike Jones, John Bradley, Gail Hodges, Nat Sakimura, Brian Campbell and the whole OIDF DCP WG (OpenID Foundation Digital Credentials Protocols Working Group)!
This work can at times be contentious, slow, and frustrating – but it is always rewarding. I am amazed by and grateful for the spirited discussions in our sessions, during events, and at the dinners and drinks after. While this award and validation have been a huge milestone in the journey for this spec, the work does not stop here, and I look forward to where we can take this next!