Identity proofing, levels of assurance and Trust Anchor due diligence prior to issuing a claim


#1

Hi All,

I’ve come from the old world of identity proofing in order to reach levels of identity assurance and then issue a credential and I’ve done some reading up on Sovrin in the last week or so. I think, although I could have this wrong, that the Trust Anchor is responsible for issuing a signed claim that asserts something about an identity subject. Prior to doing that though, the identity subject will need to firstly prove that they are the appropriate identity subject to be issued this claim.

My question is - how is it imagined that this will happen (is this falling back to identity proofing) and is it possible that some Trust Anchors will be issuing claims with varying levels of surety based on how thorough they have been in proving the identity subject? As a practical example, if I already have a physical birth certificate will I be expected to show up in person and go through a proofing process to receive the ‘digitized’ version, or will there me some remote proofing process the Trust Anchor will perform? Do levels of assurance still play a role in the proofing process, and if they don’t what’s the minimum standard required before a Trust Anchor can issue a signed claim?

Also given that I will likely have claims from various Trust Anchors, will the Trust Anchor, agent or wallet enforce some sort of consistency check to ensure that I’m not trying to aggregate claims that are actually for different identity subjects? If so how will this be done unless claims have a minimum set of information about the core identity?

Interested in hearing responses. I have some thoughts about how this could work but I wanted to see if a) this was actually an outstanding issue, b) there was already a solution for it that I hadn’t come across.


#2

TrustAnchors are not the only ones who can issue credentials. Anyone can become an Issuer. TrustAnchors are those authorized to create NYM’s on the ledger. As far as creating assurance about an Issuer, I believe this has not been completely defined yet but I can imagine a certificate authority could play a role here such as vetting the issuer and giving them a credential. As long as you trust the certificate authority then you can trust the Issuer is who they claim to be. This is very similar to the internet PKI but with credentials instead of certificates. I’m sure there are multiple ways this could be done. Certificate authorities have multiple types of certificates that have varying degrees of assurance. I imagine the vetting process can be similar.