Hi George

I note that the UK has some strange ideas about digital identity, which I have commented on in my reply to its recent call for comments on its Digital identity and attributes trust framework.

A digital identity is a set of digital identity attributes. An identifier is just one special type of identity attribute that on its own uniquely identifies the subject in a particular context. To separate attributes from digital identity is a strange conceptualisation to me. Any set of attributes can uniquely identify a subject in a particular context. Thus a digital driving license asserted by DVLA is a set of identity attributes, any subset of which might uniquely identify the subject amongst all other driving license holders. To say authenticator X is useful as a digital identity is also a strange statement to make. Do you mean identifier?

Kind regards


On 22/03/2021 12:43, George Lund wrote:
Seeing as DVLA got mentioned, it's maybe not too much of a shoe-horn to discuss a specific example of how driving license data might be helpful in a VC identity world...

(Noting that while a driving license is proof of a particular person's eligibility to drive, it is not properly in its own right a form of ID. And certainly it isn't a digital identity....)

A DVLA service that can issue a credential that says "I have checked and bound authenticator X to a driving license previously issued by us to subject A" is a very useful component in a distributed system, and those credentials form a useful _part_ of a digital identity. Several such checks can give us confidence in X being useful as a digital identity, if taken together they give us enough confidence that the user at the keyboard really is subject A.

If it turns out that credential was issued wrongly (e.g. due to fraud) then we do need to be able to revoke it, and VCs support that. But the credential can exist independently and it's up to relying parties to follow a policy on checking for revocation according to their risk profile.

It might very likely have been issued in such a way that people relying on that credential can only find out that a certain kind of document check has been performed. Those RPs might not even be able to tell that the user is legally allowed to drive, if the purpose for generating the credential was as part of creating a non-anonymous reusable identity rather than for driving checks.

However I'm not yet 100% clear how much we need the properties of DIDs in order to achieve this kind of use case (I suspect it is essential, but some comments in this thread make me wonder). Might be asking for some help about that :-)

(NB: I'm not speaking for DVLA (or any part of HMG) here, just discussing some possibilities.)


George Lund
Technical Architect
Digital Identity Programme
Government Digital Service
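
Added example, not part of the original e-mail thread: a sketch of relying parties applying different revocation-checking policies to the same credential according to their risk profile, as discussed in the quoted message. The risk tiers, cache ages, the `RelyingParty` class, the status-lookup callable and the sample credential are all assumptions constructed for illustration, not part of any VC library or DVLA service.

```python
from datetime import datetime, timedelta, timezone

# Assumed risk profiles: how old a cached revocation result may be before re-checking.
MAX_STATUS_AGE = {"low": timedelta(days=7), "medium": timedelta(hours=24),
                  "high": timedelta(0)}  # high risk: ask the issuer every time

class RelyingParty:
    def __init__(self, risk_profile, is_revoked):
        self.max_age = MAX_STATUS_AGE[risk_profile]
        self.is_revoked = is_revoked  # hypothetical callable(credential_id) -> bool
        self.cache = {}               # credential_id -> (revoked, checked_at)

    def accept(self, credential, now):
        cid = credential["id"]
        cached = self.cache.get(cid)
        if cached is None or now - cached[1] >= self.max_age:
            try:
                cached = (bool(self.is_revoked(cid)), now)
            except Exception:
                return False          # fail closed if status cannot be obtained
            self.cache[cid] = cached
        return not cached[0]

# Constructed sample credential: it records that a document check was performed
# and bound to authenticator X; it carries no driving-entitlement claim.
CREDENTIAL = {
    "id": "urn:example:credential:1",
    "issuer": "did:example:issuer",
    "credentialSubject": {"authenticator": "X",
                          "check": "driving-licence-document-check"},
}

def demo():
    revoked = set()                   # stands in for the issuer's status list
    lookup = lambda cid: cid in revoked
    low, high = RelyingParty("low", lookup), RelyingParty("high", lookup)
    t0 = datetime(2021, 3, 22, 12, 0, tzinfo=timezone.utc)
    results = {"initial": (low.accept(CREDENTIAL, t0), high.accept(CREDENTIAL, t0))}
    revoked.add(CREDENTIAL["id"])     # issuer revokes after discovering fraud
    t1 = t0 + timedelta(hours=1)
    results["after_1h"] = (low.accept(CREDENTIAL, t1), high.accept(CREDENTIAL, t1))
    t2 = t0 + timedelta(days=8)
    results["after_8d"] = (low.accept(CREDENTIAL, t2), high.accept(CREDENTIAL, t2))
    return results

if __name__ == "__main__":
    for step, (low_ok, high_ok) in demo().items():
        print(f"{step}: low-risk RP accepts={low_ok}, high-risk RP accepts={high_ok}")
```

The low-risk relying party keeps accepting the revoked credential until its cached status expires, which is the exposure window its policy trades for fewer status lookups.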