Re: NIST Draft on Digital Identity

Maybe they don't see that a a valid use case.

Get Outlook for Android<>
From: Steve Capell <>
Sent: Sunday, December 18, 2022 5:47:42 PM
To: Andrew Hughes <>
Cc: Mike Prorock <>; W3C Credentials CG <>
Subject: Re: NIST Draft on Digital Identity

Ok thank you Andrew

With that specific scope, the criticisms are less valid

However, even for that scope, isn’t there a valid pattern where a person has their own did in their own wallet and has some kind of identity credential (eg a drivers license) issued to that did - then this user provides a VP to a completely different (government or non government) party to create an account with identity integrity and then continue with the service.  Im not entirely sure the NIST document reflects that model?

Steven Capell
Mob: 0410 437854

On 19 Dec 2022, at 12:17 pm, Andrew Hughes <> wrote:

Take a look at the Introduction and Scope text of the main document. SP 800-63 is about how a federal government organization can attain confidence in a person’s actual identity and then how to gain confidence that a returning user is the same user previously enrolled.
It’s not about centralized or decentralized models.

On Fri, Dec 16, 2022 at 9:30 AM Steve Capell <<>> wrote:
Reading the table of contents you’d be forgiven for thinking that NIST have totally forgotten to include decentralised identity models

Digging further into the document you can see in fig 1 page 12 there’s a diagram that has a bit of a flavour of decentralised models with the “credential service provider” (issuer?) that does “identity origins and enrolment” (issue Vc?) to an “applicant” (vc subject?) who then becomes a “subscriber” (to what?).  The “subscriber” then “authenticates” (presents vp?) to a “relying party” (verifier?) and gets redirected to a “verifier” (another verifier?) to become a “claimant” and then can continue identified and authenticated interactions with a relying party.  All three roles of “relying party”, “verifier”, “credential service provider” are wrapped in one box called “service provider functions”

The diagram title is “non federated digital
Identity model”.  Don’t see anything in there about subject self issued identifiers (dids).

It looks like an attempt to include half the ideas of a proper decentralised identity architecture and stuff them into a slightly tweaked version of the federated identity model (ie a “federation” of centralised idps) that we all know and “love” ;)

I don’t understand the intent of fearing up this hybrid that is neither decentralised or centralised  and labelling if “non-federated”?  Why do that? Why not fully recognise the reality of decentralised models, name it appropriately, draw it correctly, and include one of the most foundational ideas (the did)?

I think somebody with some clout (Anil?) should suggest some corrections to NIST

Steven Capell
Mob: 0410 437854

On 17 Dec 2022, at 3:17 am, Mike Prorock <<>> wrote:

I would love to collect thoughtful feedback and review comments from members of the community on the the following:

There are some strong implications in this doc, and it may set the stage for many years to come, so we should all take some time to review carefully, and comment in a professional, proactive, and positive way on areas we are individually subject matter experts in.  I would love feedback on the list as well for myself and the other Co-chairs as we review in depth additionally for any items that are highly positive in the draft(s) or areas of concern that could be refined to avoid future issues.

thanks in advance!

Mike Prorock
CTO, Founder

Andrew Hughes CISM CISSP
In Turn Information Management Consulting
o  +1 650.209.7542 m +1 250.888.9474
5043 Del Monte Ave,, Victoria, BC V8Y 1W9<>

Digital Identity | International Standards | Information Security

Received on Monday, 19 December 2022 01:53:15 UTC