Link to presentation shared for that meeting: https://docs.google.com/presentation/d/1lSiEpoEw0Wipzqrv9hIOL9ivwiBU6y0O/edit?usp=sharing&ouid=105826287105655690616&rtpof=true&sd=true
Reminder
List of further enhancements to be done next quarter in IDBB specifications
Verification / Identity Verification API
Integration of OpenID Connect (OIDC) for Identity Verification (Authentication)
Implementation of Biometric based authentication
KYC / Attributes sharing
Leverage OIDC profile sharing capacity and use Verifiable Credentials as envelop to provide identity related services (ie personal ID attributes sharing, age verification)
Benefits
Support interoperability
Improve privacy by offering multiple services with data minimization approach
Reuse those services OIDC/VC as data exchange protocol/format for issuance of physical and digital credentials
Identification services responses (ie ID attributes sharing) always allow to verify information to issuer, it will leverage VC to systematicaly include the way to verify authenticity in data structure sent.
Build continuous chain of certified data
Allow asynchronous/offline use cases
Integrate consent mechanism in overall KYC process
IDBB specific interfaces (API Gateway/GUI)
It has been identified the need to develop IDBB interface on top of IDBB candidates implementation:
A User Interface for individuals (select Identity provider (IDP), collect identity credential data, give consent, be informed of personal data usage) This UI would naturally run on individual User Interface.
An IDBB API Gateway for:
Managing multiple IDP (default IDP being fID)
Check/trigger collection of consent
Potentially be used for ID Mapping to solve tokens
Manage adaptation of candidates implementations of building blocks
Individual User Interface need to be inclusive and adapt to various context including low infrastructures/technologies ones.
Management / ID Mapping
Offer publish and subscribe mechanism to allow notification of identity related events
Clarify and specify ID Mapping for privacy and open to federated and decentralized forms of Identity
Tokenization of identifiers: IDBB generate several sectorial identifiers for the same unique person
Use of Alias: Foreign existing identifiers can be linked to Unique Identity and later recognized
The below illustrate use of Gateway and UI in IDVBB
Backlog (for 2023)
Notification API (to notify output is ready or a change in identity)
IDBB Gateway with Integration of consent
Identity management (to create, update an identity, manage ID Mapping, authorizations, ..)
Credential issuance leveraging KYC services
Auditable logs - transaction log, administrative changes log, performance log, security log
List of apis aligned to functionalities/services for IDBB
API | Service | Version | Description | Priority | Status |
---|---|---|---|---|---|
Identity Verification | VerifyIdentity ( ID Number ) Output: Authentication token ID | 1.0 (Centralized ID only) | Authenticate identity which identifier was passed as parameter. | 1 | In Progress |
VerifyIdentity ( ID Number [, IDP] ) Output: Authentication token ID | V1.1 (centralized, decentralized and federated) | Same as v1.0 but Identity can be verified using multiple trusted Identity Providers (IDP), when available IDBB Verify Identity will allow to choose IDP. Default IDP is the Foundational ID (fID) in other the term the IDBB internal IDP. IDBB, IDBB internal IDP and foreign IDP will use same OpenAPI based on OIDC | 2 | To be defined | |
KYC services | GetIdentityProfile ( ID Number, Profile ID, Consent Token ID ) Output: Profile as Verifiable Credential | V1.0 | This API allows to collect a set of identity attributes preliminary defined in a profile. A verifiable consent token (should be a VC) is to be passed to allow use of this service (this token is linked to indidivual ID, service and profile) The output of this service is a verifiable credential | 1 | In Progress |
GetIdentityProfile ( ID Number, Profile ID, Consent Token ID [, IDP] ) Output: Profile as Verifiable Credential D IDP | V1.1 (more elaborated KYC) | Same as v1.0, but Profile can be more than attribute sharing for example the output of a computation. ie for age verification, the profile can be ‘isMinor’ possible output can be ‘Yes' or 'No’ in order to avoid sharing unnecesarily the age. The service can be delegated to a external IDP by specifying an IDP | 4 | To be defined | |
ID Mapping | To be defined | Identified services:
| 2 | To be defined | |
Notifications | To be defined | Identified services:
| 2 | To be defined | |
Identity Management | To be defined | Identified services:
| 4 | To be defined | |
Credentials Management | To be defined | Identified services:
| 3 | To be defined |
Prioritized first API of IDBB to be targeted for testing.
Priority 1 API/Services are targeted for coming 1-2 months, they will allow to dispose of necessary APIs for Demo and Sandbox.
Priority 2 API Services are targeted for coming quarter, they will allow to cover Federated and Decentralized identity, address various form of identity, cover more new capabilities for authentication, also asynchronous use cases (including offline).
Lower priority are targeted for next year, they will be priorized according to engaged country needs.
Note, we may identify quick-wins to be done to enable GovStack community to handle new APIs, ie v1.1 of KYC services could be a good candidate for that.
Details of roadmap/priorities
WHAT | WHO | WHEN (Target) |
---|---|---|
OpenAPI priority 1 (Authentication) | Jaume, Sasi, Ramesh, OpenID Foundation member TBD | September |
OpenAPI priority 1 (KYC) | Jaume, Sasi, Ramesh, OpenID Foundation member TBD | October |
OpenAPI priority 2 (IDP, ID Mapping, Notification) | Jaume, Sasi, Ramesh, OpenID Foundation member TBD, Independent expert TBH | December |
Specifications update to cover new topics : OIDC/W3C VC, Federated/Decentralized, ID Mapping, Notification, ID Management, Credentials, IDBB Gateway and UI Note: TB restarted from GitBook format. | Jaume, Tech Lead TBH | December |
Setup, migration to new repositories, tools and formats (JIRA, GitHub, GitBook, ..) | Jaume with WG, supporting resources for content non value added tasks. Need Taylor for GitHub. Need to hand-over to Tech Lead TBH when available. | From now (October ?) |
Roadmap and tasks follow-up | Jaume, then Tech Lead hand-over on tasks FU | From now on |
Support to IDBB Procurement Process evaluation, implementation follow-up and testing Heavy workload coming !! | Jaume on evaluation and test strategy, Tech lead TBH on detailed test plan, implementation follow-up and testing | Evaluation up to September October, start implementation and testing > need TL ! |
Demo and Sandbox setup maintenance and evolutions | Sasi/Ramesh on demo instance and openAPI Sandbox under Tech Lead TBH responsibility | September for demo Sandbox not before EOY |
Community building and engagement. Can we start when supporting environment will be ready enough, already on-boarding members as contributors or reviewers. | Jaume, support of GovStack community lead resource(s) | November |
Resources needed for the above in ID workgroup (who/new, for what)
There is more than APIs definition to be done, those ones have been inserted below.
Summary:
Jaume’s available workload too low, need to increase bandwidth from September
Urgent need to welcome a Tech Lead for IDBB > Target October, TB supported by mutualized Tech team
Still need to count with a 2nd independent expert (selection process started, 2 possible candidates)
Need supporting resources for migration to community environment (GitXXX things)