Identity-BB Status for Tech Committee meeting w35

Link to presentation shared for that meeting: https://docs.google.com/presentation/d/1lSiEpoEw0Wipzqrv9hIOL9ivwiBU6y0O/edit?usp=sharing&ouid=105826287105655690616&rtpof=true&sd=true

Reminder

List of further enhancements to be done next quarter in IDBB specifications

Overview of end of year and next step key improvements on IDBB

 

  1. Verification / Identity Verification API

    • Integration of OpenID Connect (OIDC) for Identity Verification (Authentication)

    • Implementation of Biometric based authentication

  2. KYC / Attributes sharing

    • Leverage OIDC profile sharing capacity and use Verifiable Credentials as envelop to provide identity related services (ie personal ID attributes sharing, age verification)

    • Benefits

      • Support interoperability

      • Improve privacy by offering multiple services with data minimization approach

      • Reuse those services OIDC/VC as data exchange protocol/format for issuance of physical and digital credentials

      • Identification services responses (ie ID attributes sharing) always allow to verify information to issuer, it will leverage VC to systematicaly include the way to verify authenticity in data structure sent.

      • Build continuous chain of certified data

      • Allow asynchronous/offline use cases

      • Integrate consent mechanism in overall KYC process

  3. IDBB specific interfaces (API Gateway/GUI)

    • It has been identified the need to develop IDBB interface on top of IDBB candidates implementation:

    • A User Interface for individuals (select Identity provider (IDP), collect identity credential data, give consent, be informed of personal data usage) This UI would naturally run on individual User Interface.

    • An IDBB API Gateway for:

      • Managing multiple IDP (default IDP being fID)

      • Check/trigger collection of consent

      • Potentially be used for ID Mapping to solve tokens

      • Manage adaptation of candidates implementations of building blocks

    • Individual User Interface need to be inclusive and adapt to various context including low infrastructures/technologies ones.

  4. Management / ID Mapping

    • Offer publish and subscribe mechanism to allow notification of identity related events

    • Clarify and specify ID Mapping for privacy and open to federated and decentralized forms of Identity

    • Tokenization of identifiers: IDBB generate several sectorial identifiers for the same unique person

    • Use of Alias: Foreign existing identifiers can be linked to Unique Identity and later recognized

The below illustrate use of Gateway and UI in IDVBB

Illustration of form auto-filling flow involving UI and API Gateway.

Backlog (for 2023)

  • Notification API (to notify output is ready or a change in identity)

  • IDBB Gateway with Integration of consent

  • Identity management (to create, update an identity, manage ID Mapping, authorizations, ..)

  • Credential issuance leveraging KYC services

  • Auditable logs - transaction log, administrative changes log, performance log, security log

List of apis aligned to functionalities/services for IDBB

API

Service

Version

Description

Priority

Status

API

Service

Version

Description

Priority

Status

Identity Verification

VerifyIdentity ( ID Number )

Output: Authentication token ID

1.0 (Centralized ID only)

Authenticate identity which identifier was passed as parameter.

 

1

In Progress

 

VerifyIdentity ( ID Number [, IDP] )

Output: Authentication token ID

V1.1 (centralized, decentralized and federated)

Same as v1.0 but Identity can be verified using multiple trusted Identity Providers (IDP), when available IDBB Verify Identity will allow to choose IDP.

Default IDP is the Foundational ID (fID) in other the term the IDBB internal IDP.

IDBB, IDBB internal IDP and foreign IDP will use same OpenAPI based on OIDC

2

To be defined

KYC services

GetIdentityProfile ( ID Number, Profile ID, Consent Token ID )

Output: Profile as Verifiable Credential

V1.0

This API allows to collect a set of identity attributes preliminary defined in a profile.

A verifiable consent token (should be a VC) is to be passed to allow use of this service (this token is linked to indidivual ID, service and profile)

The output of this service is a verifiable credential

1

In Progress

 

GetIdentityProfile ( ID Number, Profile ID, Consent Token ID [, IDP] )

Output: Profile as Verifiable Credential

D IDP

V1.1 (more elaborated KYC)

Same as v1.0, but Profile can be more than attribute sharing for example the output of a computation.

ie for age verification, the profile can be ‘isMinor’ possible output can be ‘Yes' or 'No’ in order to avoid sharing unnecesarily the age.

The service can be delegated to a external IDP by specifying an IDP

2

To be defined

ID Mapping

To be defined

 

Identified services:

  • Mapping/Unmapping identifiers

  • Retrieving identifier from other identifier

2

To be defined

Notifications

To be defined

 

Identified services:

  • Subscribe to event (3rd party component can be notified of event happening on ID and collect related data thanks to next service below)

  • Collect event data

  • Notify event (3rd party can notify IDBB about an event and get a link to collect related data, ie birth event)

3

To be defined

Identity Management

To be defined

 

Identified services:

  • Enrollment

    • Enrolling an individual ID in one step

    • Enrolling an individual ID in multiple steps

  • ID Management

    • Update identity attributes

    • Declare identity stolen

    • Autorise acces to identity

    • Give consent (is it part of consent only ?)

    • Generate sectorial token

  • ID Mapping (will be included in this API)

4

To be defined

Credentials Management

To be defined

 

Identified services:

  • Issuing a credential

  • Following lifecycle of a credential issuance

  • Canceling a credential

  • Declaring a credential as lost or stolen

  • Renewing a credential

4

To be defined

Prioritized first API of IDBB to be targeted for testing. 

Priority 1 API/Services are targeted for coming 1-2 months, they will allow to dispose of necessary APIs for Demo and Sandbox.

Priority 2 API Services are targeted for coming quarter, they will allow to cover Federated and Decentralized identity, address various form of identity, cover more new capabilities for authentication, also asynchronous use cases (including offline).

Lower priority are targeted for next year, they will be priorized according to engaged country needs.

Note, we may identify quick-wins to be done to enable GovStack community to handle new APIs, ie v1.1 of KYC services could be a good candidate for that.

IDBB end of 2022 and next steps

Details of roadmap/priorities

WHAT

WHO

WHEN (Target)

WHAT

WHO

WHEN (Target)

OpenAPI priority 1 (Authentication)

Jaume, Sasi, Ramesh, OpenID Foundation member TBD

September

OpenAPI priority 1 (KYC)

Jaume, Sasi, Ramesh, OpenID Foundation member TBD

October

OpenAPI priority 2 (IDP, ID Mapping, Notification)

Jaume, Sasi, Ramesh, OpenID Foundation member TBD, Independent expert TBH

December

Specifications update to cover new topics : OIDC/W3C VC, Federated/Decentralized, ID Mapping, Notification, ID Management, Credentials, IDBB Gateway and UI

Note: TB restarted from GitBook format.

Jaume, Tech Lead TBH

December

Setup, migration to new repositories, tools and formats (JIRA, GitHub, GitBook, ..)

Jaume with WG, supporting resources for content non value added tasks. Need Taylor for GitHub. Need to hand-over to Tech Lead TBH when available.

From now (October ?)

Roadmap and tasks follow-up

Jaume, then Tech Lead hand-over on tasks FU

From now on

Support to IDBB Procurement Process evaluation, implementation follow-up and testing

Heavy workload coming !!

Jaume on evaluation and test strategy, Tech lead TBH on detailed test plan, implementation follow-up and testing

Evaluation up to September

October, start implementation and testing > need TL !

Demo and Sandbox setup maintenance and evolutions

Sasi/Ramesh on demo instance and openAPI

Sandbox under Tech Lead TBH responsibility

September for demo

Sandbox not before EOY

Community building and engagement.

Can we start when supporting environment will be ready enough, already on-boarding members as contributors or reviewers.

Jaume, support of GovStack community lead resource(s)

November

Resources needed for the above in ID workgroup (who/new, for what)

There is more than APIs definition to be done, those ones have been inserted below.

Summary:

  • Jaume’s available workload too low, need to increase bandwidth from September

  • Urgent need to welcome a Tech Lead for IDBB > Target October, TB supported by mutualized Tech team

  • Still need to count with a 2nd independent expert (selection process started, 2 possible candidates)

  • Need supporting resources for migration to community environment (GitXXX things)