owned this note
owned this note
Published
Linked with GitHub
# EEA Telecom Working Group: Identity Attestation Flows and Components for abstract API creation (Initial Examples)
## Abstract
In this document, we define a set of user flows and describe the associated Message Objects that support an agent centric approach to the request, issuance, presentation, verification, and revocation of interoperable attestations. Such attestations can then be used in for example identity access management, service access management, account management etc.
## 1 Introduction
In the digital world, an identity needs to be able to prove that some data is true to another entity that requests it. The attestations discussed here are the method of proof. The requester may be software, and the response may or may not require involvement of the individual/identity who the proof is being made against. These examples and flows depict how attestations are requested and resolved. We use Identity as it relates to the concept of decentralized identifiers (DIDs) and their associated document objects as per [the W3C specification](https://w3c-ccg.github.io/did-spec/), see details below.
## 2 Example Use Cases
We use examples here to give guidance/suggestions for how attestations can be used with real-world telecom examples. The overall use case is a person, Alice, who registers for an ISP provider account using a process that includes using an attestation she possesses to prove she holds the required proofs to the claims that are required to open an account such as a driver's license or a credit card. After the account opening, Alice requests an attestation from the ISP that she is now a customer of the ISP provider, and presents that attestation to another telecom provider to, for example, access a service or purchase a specially dicounted product.
#### Agents
We use the term “User Agent” (UA) to refer to an app on a smartphone or other device that has access to DID-linked keys and the power to do things on behalf of a DID owner (Alice). Similarly, we use the term “Enterprise Agent” (EA) to refer to the comparable component representing an Organization – e.g. an ISP provider. A UA and EA are conceptually the same, but while the UA is likely a personal device such as a laptop, a tablet or a phone, an EA is likely a service that processes requests based on business rules and data held in back-end systems. Note that an EA might need input from a specific member of the organization to complete the processing of a request. In that case, the EA might contact that user through that person’s User Agent (although there are many other possibilities).
#### Sites
In the examples below, “Sites” are assumed to be Web or Mobile Site – user interfaces that allow a user (Alice) to trigger the start of a process. Naturally, there are many other ways to trigger the start of such a process.
#### Decentralized IDs (DIDs), Documents and Attestations
Each of Alice's Decentralized Identifiers (DIDs) referenced in the scenarios are generated and held by her user agent (UA) and used for a specific purpose - for example her relationship with the ISP. Her DIDs are not necessarily correlated to any other identifiers that make up her identity. Per the [W3C DID Specification](https://w3c-ccg.github.io/did-spec/), a DID Document is associated with a DID that contains information about the public keys and service endpoints for that DID. Thus, given a DID and DID Document for another Identity, an entity has a mechanism to resolve and communicate with the Identity Owner of the DID. DIDs may be public and stored on a publicly available Distributed Ledger, with their associated DID Document found via a mechanism such as the [DIF Universal Resolver](https://github.com/decentralized-identity/universal-resolver), or may be pairwise private DIDs, where two Identities directly exchange DIDs/DID Documents using a message service.
An attestation is something (such as a [Verifiable Credential](https://www.w3.org/TR/verifiable-claims-data-model/)) issued by an entity to a holder (often the subject of the attestation). The holder can then prove to others that they hold the attestation.
#### Interface Guidelines
Some basic guidelines can be defined such as:
- Private keys are accessible only to Agents (User and Enterprise), thus any encrypting or signing of information must be done by an Agent.
- In general, services used by identities are addressable using the service pointers located in a DID Document, and Agents are addressed via user-aware services. The only exception is invocation of a User Agent through direct mechanisms such as a deep link on a mobile site, a QR code on a Web site scanned by a User Agent, or a Bluetooth/NFC data exchange.
### 2.1 Alice Links to an Entity
In order to communicate a request for attestation to an entity (in our examples, Alice to an ISP), a user will first need to establish a connection between her user agent and the entity she will interact with. This is necessary for all follow-on scenarios.
Alice wants to transact with the entities described in the scenarios with the intent to receive or exchange attestations. First and foremost, the entity must verify that Alice is the owner of the decentralized identifier she claims is in her control. In order to find Alice’s user agent, a service such as the Decentralizd Identity Foundation's (DIF) Universal Resolver (UR) has to exist to lookup Alice’s Decentralized Identifier (DID), and subsequently retrieve her DID Document Object (DDO). The keys located in Alice's DDO are used to authenticate Alice’s ownership or control of the DID and to determine access to Alice’s identity hub and user agent.
```sequence
participant Identity Lookup as UR
participant Entity EA as EH
participant Entity Site as ES
participant Alice UA as AUA
participant Alice DID Service as AH
AUA-->ES: 1 Initiates DID Linkage
ES-->AUA: 2 Prompts to disclose DID
AUA-->ES: 3 Discloses DID
ES-->EH: 4 Relay DID
EH-->UR: 5 Lookup DID
UR-->EH: 6 Return DDO
EH-->AH: 7 DID Auth Challenge
AH-->AUA: 8 DID Auth Challenge
AUA-->EH: 9 DID Auth Response
EH-->ES: 10 DID Auth Complete
```
1. Alice navigates to an entity’s website and clicks a link to initiate a DID linkage with the entity. The content received from clicking the link includes DID information about the Enitity that Alice should use for the relationship.
- Alice may have to use a DID Service such as the DIF Universal Resolver to access the DID Document associated with the DID.
2. The entity prompts Alice to disclose a DID that represents her digital identity.
- If the website was accessed via a laptop/desktop, the website typically displays a QR Code, and Alice uses her mobile wallet app to scan the QR. If the website was accessed via her mobile device, a protocol handler raises Alice's UA app.
3. Alice selects an existing DID or creates a new DID for this relationship and sends the DID to the Entity Site.
4. The Entity Site passes the DID to the Entity’s Enterprise Agent to initiate the DID Authentication (DID-Auth) response.
5. The EA uses the Universal Resolver (UR) to request retrieval of the DID Document that matches the provided DID.
6. The DID Document is returned to the EA.
7. The EA initiates the DID-Auth process by issuing a challenge to Alice’s Identity Hub.
8. Alice’s Hub passes the DID-Auth challenge to Alice’s User Agent for signing.
9. Alice’s User Agent proves her identity with a signed response to the DID-auth challenge.
10. The Entity's Identity Hub confirms the response and notifies the Entity Site of the successful establishment of a relationship such as a login.
#### 2.1.1 Two Factor Authentication (2FA) without a User Agent
A second identity linking scenario to consider is when Alice is registering with the site using a device that is not a UA, yet she still wants to use her UA to establish the connection. In this case, Alice discloses a DID connected to her UA to the site, the site contacts the UA and the mobile device containing the UA and displays a code for Alice to use. Alice enters the code into a form on the site, proving that she controls the DID.
```sequence
participant Identity Lookup as UR
participant Entity Site as ES
participant Alice Laptop as AD
participant Alice Mobile UA as AM
participant Alice DID Service as AH
AD-->ES: 1 Initiates DID Linkage
ES-->AD: 2 Prompts to disclose DID
AD-->ES: 3 Discloses DID
ES-->UR: 4 Lookup DID
UR-->ES: 5 Return DDO
ES-->AH: 6 DID-Auth challenge
AH-->AM: 7 Challenge code displayed
AD-->ES: 8 Enters challenge code
```
1. Alice navigates to an entity’s website and clicks a link to initiate a DID linkage with the entity.
2. The entity prompts for Alice to disclose a DID that represents her digital identity.
3. Alice selects an existing DID and sends the DID to the Entity Site.
4. The Entity's EA uses the DID Service to request retrieval of the DID Document that matches the provided DID.
5. The DID Document is returned to the Entity's EA.
6. The EA initiates the DID-Auth process by issuing a challenge to Alice’s DID Service.
7. Alice’s DID Service passes the DID-Auth challenge to Alice’s UA for signing.
8. Alice’s UA processes the challenge and displays a code expected by the Entity Site on the mobile device.
9. Alice enters the code on her laptop and the Entity Site confirms the response, resulting in a successful login.
### 2.2 New Account Opening for Alice
Alice is attempting to open an ISP account and her DID is not linked to the ISP. In this example, she must first link her DID to the DID of the ISP and then present proper proof of identity from another trusted source such as a bank or another telecom provider.
#### Assumptions
- Alice has an DID Service accessed via an application on her mobile device.
- Alice has a verified digital attestation for her identity from a trusted identity provider.
Alice performs a DID Authentication as described in section 2.1 to link her DID to the DID of the ISP. After this has been completed, Alice proceeds with the account opening process.
```sequence
participant ISP EA as CH
participant ISP Site as CS
participant Alice UA as AUA
participant Alice DID Service as AH
AUA-->CS: 1 Triggers registration attestation request
CS-->AH: 2 Message: PreconditionsAttestation (Proof of Identity)
AH-->AUA: 3 Prompts with preconditions
AUA-->CH: 4 Message: PresentAttestation (Identity Attestation)
CH-->AH: 5 Message: DeliverAttestation (Registered)
AH-->AUA: 6 Accepts Attestation?
AUA-->AH: 7 Stores approved attestation
```
1. Alice initiates a Registration request on the ISP site.
2. The ISP's EA determines that there are preconditions for Registration: she must prove she has a valid proof of identity. The ISP's EA initiates a request for presentation of the preconditions.
3. Alice is prompted by her UA to provide the preconditions.
4. Alice selects the correct attestation to use and her UA sends them back to the ISP's EA.
5. The ISP provider EA processes the preconditions and sends a Registered Account attestation to Alice's DID Service.
6. Alice accepts the request to accept/store the account attestation.
7. Alice’s DID service stores the account attestation and broadcasts it to her connected devices.
#### Referenced Action Objects
- PreconditionsAttestation
- PresentAttestation
- DeliverAttestation
### 2.3 Alice wants to reopen an account
Alice is attempting to open an ISP account and her DID is already linked to the ISP (old customer for example). In this example, she must prove that she previously has received appropriate account attestations.
#### Assumptions
- Alice is linked to the ISP via her DID.
- Alice has a DID Service accessed via an application on her mobile device.
- Alice has a verified digital attestation for her previous account with the ISP.
```sequence
participant ISP EA as CH
participant ISP Site as CS
participant Alice UA as AUA
participant Alice DID Service as AH
AUA-->CS: 1 Triggers registration attestation request
CS-->AH: 2 Message: PreconditionsAttestation (Proof of previous account)
AH-->AUA: 3 Prompts with preconditions
AUA-->CH: 4 Message: PresentAttestation (Old Account Attestation)
CH-->AH: 5 Message: DeliverAttestation (Registered)
AH-->AUA: 6 Accepts Attestation?
AUA-->AH: 7 Stores approved attestation
```
1. Alice initiates a Registration request on the ISP site.
2. The ISP's EA determines that there are preconditions for Registration: she must prove she has the proof for the old account. The ISP's EA initiates a request for presentation of the preconditions.
3. Alice is prompted by her UA to provide the preconditions.
4. Alice selects the correct attestation to use and her UA sends them back to the ISP's EA.
5. The ISP's EA processes the preconditions and sends a Registered Account attestation to Alice's DID Service.
6. Alice accepts the request to accept/store the reopened account attestation.
7. Alice’s DID service stores the reopened account attestation and broadcasts it to her connected devices.
#### Referenced Action Objects
- PreconditionsAttestation
- PresentAttestation
- DeliverAttestation
### 2.4 Alice accesses a Service or Benefit with Her ISP provider account attestation
Alice possesses an account attestation from her ISP, and she wants to buy a discounted smart phone from another telecom provider that is part of the her ISP's partner program.
#### Assumptions
- The provider site has linked Alice to her DID via DID Auth.
- Alice has a DID service accessible via an app on her mobile device.
- Alice possesses an account attestation from her ISP.
```sequence
participant Provider EA as LH
participant Provider Site as LS
participant Alice UA as AUA
participant Alice DID Service as AH
AUA-->LS: 1 Triggers access request
LS-->AH: 2 Message: RequestAccess
AH-->AUA: 3 Prompts to grant attestation access
AUA-->AH: 4 Generates access permission and keys
AH-->LH: 5 Message: GrantAccess
LH-->LS: 6 Notice of access granted
LS-->AH: 7 Message: RetrieveAttestation (ISP Account Proof)
LS-->LH: 8 Validate Attestation
LH-->AH: 9 Message: DeliverAttestation (Proof of Discount)
AH-->AUA: 10 Prompt of Discount Received
AUA-->LS: 11 Select & Request Smart Phone
LS-->AH: 12 Message: RequestAttestation (Proof of Discount)
AH-->LH: 13 Message: PresentAttestation (Proof of Discount)
LH-->LS: 14 Notice of Valid Discount
LS-->AUA: 15 Apply Discount to Smart Phone Price
```
1. Alice navigates to the provider site and initiates the flow to request access to a discounted smart phone.
2. The website sends a `RequestAccess` Message to Alice's DID Service.
3. Alice’s DID Service relays the request to Alice's UA, which prompts her to grant/deny access permission.
4. Alice grants permission to access her ISP's account attestations by pushing a signed permission object and DID-specific keys to her DID Service.
5. Alice’s DID Service stores the keys she generated for the provider site and relays a `GrantAccess` Message to the Provider EA to provide notice that its permission request has been granted.
6. The provider site is notified by its EA that the access permission has been granted to Alice's DID Service.
7. The provider site sends a `RetrieveAttestation` Message to Alice's DID Service which returns the ISP provider account attestation to the provider site.
8. The provider site requests that the EA validates the attestation.
9. The provider EA validates Alice's attestation and delivers the Discount attestation to Alice's DID Service through a `DeliverAttestation` Message.
10. Alice's DID service prompts Alice in her UA that the discount has been delivered.
11. Alice selects and requests a smart phone on the provider's website.
12. The provider's site sends a `RequestAttestation` Message to Alice's DID service to retrieve the discount attestation to be applied to the smart phone purchase.
13. Alice's DID Service sends a `PresentAttestation` message to the provider's EA.
14. The provider EA sends a notice of a valid attestation to the provider site.
15. The provider site applies the discount to the smart phone price.
Referenced Message Objects
- RequestAccess
- GrantAccess
- RetrieveAttestation
- RequestAttestation
- DeliverAttestation
- PresentAttestation
## 3 Message Objects
Identity Hub attestation handling relies on the passage and recognition of common Message types that DID Services, User Agents, and consuming apps/services understand. In order to ensure that the flows related to attestations are precise and maximally descriptive of their intent. These objects are extensions of the Schema.org Action object, the schema origin of which shall be schema.entethalliance.org. These objects are strictly a shared means of communicating and facilitating the various activities related to attestations; they do not infer or require a specific type of proof format or material be used within them.
The following is a description of the list of objects (more complete -- not included in the above limited examples) and examples that encompass their structure and properties:
### 3.1 RequestAttestation
The Holder requests an attestation from an Issuer.
- Type of attestation wanted
- List of tag strings to describe the attestation
- Detailed, human-readable description of the attestation being requested (mostly for UAs to display to users)
- Who is the attestation for?
- What format do you need it in?
- Enable passing of preconditions
- Option to set a deadline for issuance/fulfillment
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "RequestAttestation",
"identifier": UNIQUE_ID,
"for": ["did:foo:123-456"],
"format": CLAIM_FORMAT,
"expiration": EPOCH_TIME,
"description": "California Driver’s License",
"tags": ["license", "driving", "permit", "DL", "driver’s license"],
"preconditions": ARRAY_OF_PRECONDITION_PROOFS (optional)
}
```
### 3.2 DenyAttestation
In response to a request for an Attestation, a Verifier/Issuer informs a Holder that the attestation cannot be provided. This `Message` inherits from schema.org's `RejectAction`.
- Linked attestation action ID
- Reason for refusing the Request Attestation Action.
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "DenyAttestation",
"identifier": UNIQUE_ID,
"purpose": "We cannot open your account, you have presented insufficient proofs."
}
```
### 3.3 PreconditionsAttestation
In response to a request for an Attestation, a Verifier/Issuer informs a Holder a list of Pre-Conditions that must be met before the requested Attestation can be issued.
- Linked attestation action ID
- Specify set of preconditions, each with their own descriptors
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "PreconditionsAttestation",
"identifier": UNIQUE_ID,
"preconditions": ARRAY_OF_PRECONDITION_DESCRIPTORS
}
```
### 3.4 OfferAttestation
In response to a request for an Attestation that cannot be issued because that type is not available, provide to the Holder a list of attestations that ARE available.
- For each attestation type available to the requester:
- Type of attestation
- List of tag strings to describe the attestation
- Detailed, human-readable description of the attestation being requested (mostly for UAs to display to users)
- Formats available for the attestation
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "OfferAttestation",
"identifier": UNIQUE_ID,
"availableAttestations": ARRAY_OF_ATTESTATION_DESCRIPTORS
}
```
### 3.5 DeliverAttestation
Used by any party that delivers a finalized attestation to a target entity. This `Message` inherits from schema.org's `SendAction`.
- Linked attestation action ID
- Payload of the proof material
- Format of the proof material
- Time delivered
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "DeliverAttestation",
"identifier": "UNIQUE_ID",
"object": ATTESTATION_PAYLOAD,
"description": "California Driver’s License",
"tags": ["license", "driving", "permit", "DL", "driver’s license"]
}
```
### 3.6 PresentAttestation
This Action is the envelop used to present an attestation to an inspecting party.
- List of tag strings to describe the attestation
- Detailed, human-readable description of the attestation being requested (mostly for UAs and EAs to reason over and use in display)
- Format of the attestation payload
- The attestation payload
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "PresentAttestation",
"object": ATTESTATION_PAYLOAD,
"description": "ISP Account",
"tags": ["ISP_DID", "ISP_Name", "Customer_DID", "Account_Type", "Account_Status"]
}
```
### 3.7 SignAttestation
A party sends an Action to a target prompting them to sign the provided attestation payload. This `Message` inherits from schema.org's `EndorseAction`.
- Linked attestation action ID
- Payload of the proof material
- Format of the proof material
- Time delivered
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "SignAttestation",
"identifier": UNIQUE_ID,
"object": ATTESTATION_PAYLOAD,
"description": "ISP Account",
"tags": ["ISP_DID", "ISP_Name", "Customer_DID", "Account_Type", "Account_Status"]
}
```
### 3.8 RevokeAttestation
The party that previously supplied an attestation sends a notice to the attestation owner/holder that issuing party has revoked the attestation. This `Message` inherits from schema.org's `DeactivateAction`.
- Attestation ID
- Revocation code - array of revocation codes (look for an existing standard)
- Reason for revocation - array of human-readable descriptions of the reason, or URI
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "RevokeAttestation",
"identifier": UNIQUE_ID,
"object": ATTESTATION_PAYLOAD
{"description": "ISP Account",
"tags": ["ISP_DID", "ISP_Name", "Customer_DID", "Account_Type", "Account_Status"]}
"result": REVOCATION_RECORD,
"purpose": "Your account was revoked."
}
```
### 3.9 AmendAttestation
Used to update an attestation. Requires past ID, optionally including previous attestation. This `Message` inherits from schema.org's `ReplaceAction`.
- Attestation ID
- Change delta of some kind
- Reason for amendment - array of human-readable descriptions of the reason, or URI
```json
{
"@context": "http://schema.identity.foundation/",
"@type": "AmendAttestation",
"identifier": UNIQUE_ID,
"object": ATTESTATION_PAYLOAD
{"description": "ISP Account",
"tags": ["ISP_DID", "ISP_Name", "Customer_DID", "Account_Type", "Account_Status"]}
"purpose": "Your account has been reopened"
}
```
### 3.10 RequestAccess
Request permission for access to a DID's Identity Hub data. This `Message` inherits from schema.org's `AuthorizeAction`.
- Access Permission being requested
- Intended use of data being requested
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "RequestAccess",
"object": PERMISSION_OCAP,
"purpose": "Display and filtering on a professional network",
}
```
### 3.11 GrantAccess
The party that allows a permission sends a notice to the requesting party to let them know the permission has been granted. This `Message` inherits from schema.org's `AcceptAction`.
- Access Permission being requested
- Intended use of data being requested
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "GrantAccess",
"object": PERMISSION_OCAP
}
```
### 3.12 DenyAccess
The party evaluating the permission request does not grant the permission and sends the requesting party a notice of the denial. This `Message` inherits from schema.org's `RejectAction`.
- Access Permission being requested
- Intended use of data being requested
```json
{
"@context": "http://schema.identity.foundation/",
"@type": "DenyPermissionAction",
"object": PERMISSION_OCAP,
"purpose": "I do not want to allow you access at this time",
}
```
### 3.13 RetractAccess
The party that has previously issued a permission granting access sends a notice to the affected party to let them know the permission has been retracted. This `Message` inherits from schema.org's `DeleteAction`.
- Access Permission being retracted
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "RetractAccess",
"object": PERMISSION_OCAP,
"purpose": "I no longer want you to have access to my attestations",
}
```
### 3.14 RetrieveAttestations
Used by any party that has been granted permission access to a set of Attestations via the GrantPermissionAction to retrieve a set of Attestations.
```json
{
"@context": "http://schema.entethalliance.org/",
"@type": "RetrieveAttestations",
"identifier": "UNIQUE_ID",
"object": ATTESTATION_PAYLOAD,
{"description": "ISP Account",
"tags": ["ISP_DID", "ISP_Name", "Customer_DID", "Account_Type", "Account_Status"]}
}
```
## 4 Glossary
- **Decentralized Identifier**: Decentralized Identifiers (DIDs) are a new type of identifier for verifiable, "self-sovereign" digital identity. DIDs are fully under the control of the DID subject, independent from any centralized registry, identity provider, or certificate authority.
- **DID**: Decentralized Identifier
- **DID Auth**: Authentication of an Identity by verifying the Identity's control of its DID
- **DID Document**: The control document that specifies keys, service endpoints, and other basic details about a DID.
- **DDO**: Abbreviation for a DID Document
- **EA**: Enterprise Agent: a HUB-aware service that integrates with an Enterprise’s backend systems and representatives to process HUB requests. Conceptually equivalent to a person’s UA, but for an organization.
- **UA**: Abbreviation for User Agent
- **Universal Resolver**: A mechanism of getting the DID Document associated with a DID across any (supported) DID implementation from the Decentralized Identity Foundation
- **UR**: Abbreviation for Universal Resolver
- **User Agent**: a smartphone-based digital wallet, browser
## 5 Technical & Spec Implications
- For the DID Service /permission spec: add optional timeout for access permissions