Re: NIST Draft on Digital Identity

Take a look at the Introduction and Scope text of the main document. SP
800-63 is about how a federal government organization can attain confidence
in a person’s actual identity and then how to gain confidence that a
returning user is the same user previously enrolled.
It’s not about centralized or decentralized models.

On Fri, Dec 16, 2022 at 9:30 AM Steve Capell <steve.capell@gmail.com> wrote:

> Reading the table of contents you’d be forgiven for thinking that NIST
> have totally forgotten to include decentralised identity models
>
> Digging further into the document you can see in fig 1 page 12 there’s a
> diagram that has a bit of a flavour of decentralised models with the
> “credential service provider” (issuer?) that does “identity origins and
> enrolment” (issue Vc?) to an “applicant” (vc subject?) who then becomes a
> “subscriber” (to what?).  The “subscriber” then “authenticates” (presents
> vp?) to a “relying party” (verifier?) and gets redirected to a “verifier”
> (another verifier?) to become a “claimant” and then can continue identified
> and authenticated interactions with a relying party.  All three roles of
> “relying party”, “verifier”, “credential service provider” are wrapped in
> one box called “service provider functions”
>
> The diagram title is “non federated digital Identity model”.  Don’t see
> anything in there about subject self issued identifiers (dids).
>
> It looks like an attempt to include half the ideas of a proper
> decentralised identity architecture and stuff them into a slightly tweaked
> version of the federated identity model (ie a “federation” of centralised
> idps) that we all know and “love” ;)
>
> I don’t understand the intent of fearing up this hybrid that is neither
> decentralised nor centralised and labelling it “non-federated”?  Why do
> that? Why not fully recognise the reality of decentralised models, name it
> appropriately, draw it correctly, and include one of the most foundational
> ideas (the did)?
>
> I think somebody with some clout (Anil?) should suggest some corrections
> to NIST
>
> Steven Capell
> Mob: 0410 437854
>
> On 17 Dec 2022, at 3:17 am, Mike Prorock <mprorock@mesur.io> wrote:
>
> 
>
> CCG,
> I would love to collect thoughtful feedback and review comments from
> members of the community on the following:
> https://csrc.nist.gov/publications/detail/sp/800-63/4/draft
>
> There are some strong implications in this doc, and it may set the stage
> for many years to come, so we should all take some time to review
> carefully, and comment in a professional, proactive, and positive way on
> areas we are individually subject matter experts in.  I would love feedback
> on the list as well for myself and the other Co-chairs as we review in
> depth additionally for any items that are highly positive in the draft(s)
> or areas of concern that could be refined to avoid future issues.
>
> thanks in advance!
>
> Mike Prorock
> CTO, Founder
> https://mesur.io/
>
> --
Andrew Hughes CISM CISSP
In Turn Information Management Consulting
o  +1 650.209.7542 m +1 250.888.9474
5043 Del Monte Ave, Victoria, BC V8Y 1W9
AndrewHughes3000@gmail.com
https://www.linkedin.com/in/andrew-hughes-682058a
Digital Identity | International Standards | Information Security

Received on Monday, 19 December 2022 01:17:28 UTC