Identity-BB Status for Tech Committee meeting w33

Owned by Jaume DUBOIS
Last updated: Aug 24, 2022
5 min read

Reminder

List of further enhancements to be done next quarter for your BB specifications

  • Verification / Identity Verification API

    • Integration of OpenID Connect (OIDC) for Identity Verification (Authentication)

  • KYC / Attributes sharing

    • Leverage OIDC profile sharing capacity and use Verifiable Credentials as envelop to provide identity related services.

    • Benefits

      • Support interoperability

      • Improve privacy by offering multiple services with data minimization approach

      • Reuse those services OIDC/VC as data exchange protocol/format for issuance of physical and digital credentials

      • Identification services responses (ie ID attributes sharing) always allow to verify information to issuer, it will leverage VC to systematicaly include the way to verify authenticity in data structure sent.

      • Build continuous chain of certified data

      • Allow asynchronous/offline use cases

      • Integrate consent mechanism in overall KYC process

  • Management / ID Mapping

    • Offer publish and subscribe mechanism to allow notification of identity related events

    • Clarify and specify ID Mapping for privacy and open to federated and decentralized forms of Identity

    • Tokenization of identifiers: IDBB generate several sectorial identifiers for the same unique person

    • Use of Alias: Foreign existing identifiers can be linked to Unique Identity and later recognized

  • IDBB specific interfaces (API Gateway/GUI)

    • It has been identified the need to develop IDBB interface on top of IDBB candidates implementation:

    • A User Interface for individuals (select Identity provider (IDP), collect identity credential, give consent, be informed of personal data usage) This UI would naturally run on individual User Interface.

    • An IDBB API Gateway for:

      • Managing multiple IDP (default IDP being fID)

      • Check/trigger collection of consent

      • Potentially be used for ID Mapping to solve tokens

      • Manage adaptation of candidates implementations of building blocks

    • Individual User Interface need to be inclusive and adapt to various context including low infrastructures/technologies ones.

Illustration of form auto-filling flow involving UI and API Gateway.

Backlog:

  • Notification API (to notify output is ready or a change in identity)

  • IDBB Gateway with Integration of consent

  • Identity management (to create, update an identity, manage ID Mapping, authorizations, ..)

  • Credential issuance

  • Auditable logs - transaction log, administrative changes log, performance log, security log

List of apis (defined/undefined) aligned to functionalities/services (defined / to be defined) currently in your BB

API

Service

Version

Description

Priority

Status

API

Service

Version

Description

Priority

Status

Identity Verification

VerifyIdentity ( ID Number [, IDP] )

Output: Authentication token ID

1.0 (Centralized ID only)

Authenticate identity which identifier was passed as parameter.

 

 

1

In Progress

 

 

V1.1 (centralized and federated)

Same as v1.0 but Identity can be verified using multiple trusted Identity Providers (IDP), when available IDBB Verify Identity will allow to choose IDP.

Default IDP is the Foundational ID (fID) in other the term the IDBB internal IDP.

IDBB, IDBB internal IDP and foreign IDP will use same OpenAPI based on OIDC

2

To be defined

KYC services

GetIdentityProfile ( ID Number, Profile ID, Consent Token ID )

Output: Profile as Verifiable Credential

V1.0

This API allows to collect a set of identity attributes preliminary defined in a profile.

A verifiable consent token (should be a VC) is to be passed to allow use of this service (this token is linked to indidivual ID, service and profile)

The output of this service is a verifiable credential

1

In Progress

 

 

V1.1 (more elaborated KYC)

Same as v1.0, but Profile can be more than attribute sharing but for example the output of a computation.

ie for age verification, the profile can be ‘isMinor’ possible output can be ‘Yes' or 'No’ in order to avoid sharing unnecesarily the age.

4

To be defined

ID Mapping

To be defined

 

Identified services:

  • Mapping/Unmapping identifiers

  • Retrieving identifier from other identifier

2

To be defined

Notifications

To be defined

 

Identified services:

  • Subscribe to event (3rd party component can be notified of event happening on ID and collect related data thanks to next service below)

  • Collect event data

  • Notify event (3rd party can notify IDBB about an event and get a link to collect related data, ie birth event)

2

To be defined

Identity Management

To be defined

 

Identified services:

  • Enrollment

    • Enrolling an individual ID in one step

    • Enrolling an individual ID in multiple steps

  • ID Management

    • Update identity attributes

    • Declare identity stolen

    • Autorise acces to identity

    • Give consent (is it part of consent only ?)

    • Generate sectorial token

  • ID Mapping (will be included in this API)

4

To be defined

Credentials

To be defined

 

Identified services:

  • Issuing a credential

  • Following lifecycle of a credential issuance

  • Canceling a credential

  • Declaring a credential as lost or stolen

  • Renewing a credential

3

To be defined

Prioritized first API in your BB to be targeted for testing. 

Priority 1 API/Services are targeted for coming 1-2 months, they will allow to dispose of necessary APIs for Demo and Sandbox.

Priority 2 API Services are targeted for coming quarter, they will allow to cover Federated and Decentralized identity, address various form of identity, cover more new capabilities for authentication, also asynchronous use cases (including offline).

Lower priority are targeted for next year, they will be priorized according to engaged country needs.

Note, we may identify quick-wins to be done to enable GovStack community to handle new APIs, ie v1.1 of KYC services could be a good candidate for that.

Resources needed for the above in your team (who/new, for what)

There is more than APIs definition to be done, those ones have been inserted below.

Summary:

  • Jaume’s available workload too low, need to increase bandwidth from September

  • Urgent need to welcome a Tech Lead for IDBB > Target October, TB supported by mutualized Tech team.

  • Still need to count with a 2nd independent expert

  • Need supporting resources for migration to community environment

WHAT

WHO

WHEN (Target)

WHAT

WHO

WHEN (Target)

OpenAPI priority 1 (Authentication, KYC)

Jaume, Sasi, Ramesh, OIf member TBD

September

OpenAPI priority 2 (IDP, ID Mapping, Notification)

Jaume, Sasi, Ramesh, OIf member TBD, Independent expert TBH

December

Specifications update to cover new topics : OIDC/W3C VC, Federated/Decentralized, ID Mapping, Notification, ID Management, Credentials > Restart from GitBook format.

Jaume

December

Setup, migration to new repositories, tools and formats (JIRA, GitHub, GitBook, ..)

Jaume with WG, supporting resources for content non value added tasks. Need Taylor for GitHub. Need to hand-over to Tech Lead when available.

From now (October ?)

Roadmap and tasks follow-up

Jaume, then Tech Lead hand-over on tasks FU

From now

Support to IDBB Procurement Process evaluation, implementation follow-up and testing

Heavy workload coming !!

Jaume on evaluation and test strategy, Tech lead on detailed test plan, implementation follow-up and testing

Evaluation up to September

October, start implementation and testing > need TL !

Demo and Sandbox setup maintenance and evolutions

Sasi/Ramesh on demo instance and openAPI

Sandbox under Tech Lead responsibility

September for demo

Sandbox not before EOY

Community building and engagement.

Can we start when supporting environment will be ready enough, already on-boarding members as contributors or reviewers.

Jaume, support of GovStack community lead resource(s)

September