Key features of Organizational Wallet applications
We believe that every application for managing digital credentials on behalf of an organisation should contain the following key features.
1. Credential issuance
Organisations can digitally issue various types of credentials, such as professional certificates, workplace training and safety certificates, access badges, financial proofs, quality certifications for products and services, directly from their systems. This process involves creating a digital representation of the credential, signing it with the organisation’s cryptographic key to ensure authenticity, and then sending it to the recipient’s digital wallet.
- Electronic Signing: The use of various DID methods and HSM-stored keys for the electronic signing of credentials guarantees the integrity and non-repudiation of these credentials.
- Issuance via REST API: Organisations can issue or revoke credentials at scale through a RESTful API exposed by the organisational agent, so that issuance and revocation can be automated directly from their own systems. The agent generates the digital credential, authenticates it with a cryptographic signature and delivers it to the recipient's digital wallet, all programmatically, which keeps the process scalable and adaptable to different organisational needs.
- Revocation: Should a credential become invalid (for example because a licence is withdrawn or a certificate is annulled), the organisation can update the credential's status to reflect this change. Revoked credentials are flagged during verification, ensuring that only current and valid credentials are accepted.
- Automatic Sharing: Functionality for the automatic sharing (with prior consent) of certain public credential information, such as the Chamber of Commerce number, address, email and VAT number, streamlining the sharing process and enhancing transparency.
2. Credential management
Manage the credentials the organisation issues, including the design of credential schema definitions that outline their structure and requirements, the development of user interface forms for credential operations (creation, retrieval, update, deletion), and the establishment of lookup definitions for integration with Systems-of-Record or Line-of-Business systems, so that credential data can be retrieved efficiently.
- Monitoring and Lifecycle Management: Following issuance, organisations can monitor and manage these credentials effectively. This includes tracking their current status, updating information as necessary, and managing the lifecycle of each credential, such as renewals.
- Presentation Definitions: Oversee the creation, update and administration of Presentation Definitions within the DIF Presentation Exchange framework. This includes specifying the required credential information, detailing attributes and their proof mechanisms, and setting any necessary conditions or constraints so that verification requests are precise, relevant and secure.
- Decentralized Identifiers (DIDs): Handling the creation, updating and management of DIDs that anchor identities to the blockchain, enhancing security and trust in digital interactions.
- Key Management: The secure management of public and private keys using Hardware Security Modules (HSMs), supporting regular key rotation, to maintain the highest levels of security and trustworthiness.
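A Presentation Definition of the kind described above, together with a minimal evaluator that decides whether a candidate credential satisfies it, as an added example that is not the project's own code. The definition id, descriptor id, paths and values are constructed, and only the JSONPath and JSON Schema filter subset this definition uses is implemented; a production agent would rely on a complete DIF Presentation Exchange library.

```javascript
// Presentation Definition a verifier sends to request a Chamber of Commerce credential.
const presentationDefinition = {
  id: 'kvk-onboarding',                 // constructed identifier
  input_descriptors: [{
    id: 'chamber-of-commerce',          // constructed identifier
    constraints: {
      fields: [
        { path: ['$.type[*]'], filter: { type: 'string', const: 'ChamberOfCommerceCredential' } },
        { path: ['$.credentialSubject.kvkNumber'], filter: { type: 'string', pattern: '^[0-9]{8}$' } },
        { path: ['$.credentialSubject.country'], filter: { type: 'string', const: 'NL' } },
      ],
    },
  }],
};
// Minimal JSONPath: supports "$.a.b" and "$.a[*]" and returns every value the path selects.
function resolvePath(obj, path) {
  let values = [obj];
  for (const token of path.replace(/^\$\.?/, '').split('.')) {
    const star = token.endsWith('[*]');
    const key = star ? token.slice(0, -3) : token;
    values = values.flatMap((v) => {
      const next = v && typeof v === 'object' ? v[key] : undefined;
      if (next === undefined) return [];
      return star && Array.isArray(next) ? next : [next];
    });
  }
  return values;
}
// Filter subset: JSON Schema "type" (string only here), "const" and "pattern".
function matchesFilter(value, filter) {
  if (filter.type && typeof value !== filter.type) return false;
  if ('const' in filter && value !== filter.const) return false;
  return !filter.pattern || new RegExp(filter.pattern).test(value);
}
// A field is satisfied when any of its paths selects a value that passes the filter.
function fieldSatisfied(credential, field) {
  return field.path.some((p) => resolvePath(credential, p).some((v) => matchesFilter(v, field.filter || {})));
}
// Evaluate a candidate credential: the descriptors it fulfils, and for each failed
// descriptor the first field (by path) that was not met, so the holder can be told why.
function evaluate(definition, credential) {
  const result = { matched: [], unmet: {} };
  for (const descriptor of definition.input_descriptors) {
    const failing = descriptor.constraints.fields.find((f) => !fieldSatisfied(credential, f));
    if (failing) result.unmet[descriptor.id] = failing.path[0];
    else result.matched.push(descriptor.id);
  }
  return result;
}
```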
3. Verification
The initial and critical step in the verification process involves requesting the sharing of credential information by employing a standardised method.
- Requesting Credential Information: This is facilitated through either the DIF Presentation Exchange standard or possibly the newer OpenID OID4VP Query Language that is being drafted. The process is grounded in a standardised method that specifies the exact information required.
- Incoming Credential Verification: When a digital credential is shared for verification (e.g., applying for a job, accessing a service), the organisation can instantly and automatically check the authenticity and validity of the credential. This is done by verifying the digital signature against the public key of the issuer and checking the revocation status.
- Process Integration: After verification, the agent must pass the data on for further processing by a Line-of-Business system, such as HR management, client onboarding in a CRM, or an access control system.
- Passwordless Logins: Enabling the verification of a known user's credential for passwordless access to an organisation's portal or application, effectively eliminating the need for traditional username and password login methods. By leveraging verified digital credentials, users can authenticate their identity and gain access to systems or portals, along with the appropriate authorisations therein, enhancing both security and user experience by simplifying the login process.
4. Storage
The organisation’s credentials must be stored in a secure, encrypted storage space with strict access controls. This ensures that sensitive information is protected against unauthorised access, theft, or leakage.
- Data Protection: In addition to encryption, other data protection measures are often implemented, such as data minimisation (only storing necessary information) and pseudonymisation (ensuring that stored data cannot be directly linked to an individual without additional information).
- Backup and Recovery: Implementing comprehensive backup and recovery strategies to safeguard the credentials against data loss due to technical failures or security breaches.
5. Interoperability
All organisational wallet applications must ensure that the credentials they manage can be recognised and verified by other entities worldwide.
- Standards Compliance: An organisational agent must adhere to international standards and frameworks for digital identities and credentials (such as W3C, DIF and DIIP).
- Technology Agnostic: The agent is designed to work across various technological platforms and devices, making credentials accessible and verifiable anywhere, regardless of the specific technology used by the credential holder or verifier.
- Ecosystem Participation: Interoperability facilitates the organisation's participation in broader digital credential ecosystems, allowing for more seamless exchanges of credentials across industries and sectors. This is particularly important in global or cross-sectoral contexts, where credentials need to be recognised and verified by a wide range of stakeholders.
User Management in Organisational Agents
User Management is critical functionality within an organisational agent, ensuring secure, efficient and controlled operation.
- User Accounts and Authentication: Creation and management of user accounts, ensuring individuals are authenticated and have access only to the functionality their roles require.
- Group Management: Organising users into functional groups with specific permissions, facilitating easier management of access controls and role assignments along departmental or functional lines.
- Role Management (Role-Based Access Control): Defining roles within the organisation, each associated with a specific set of permissions (e.g., Credential Issuer, Verifier), to control who can issue, manage, verify and revoke particular credentials.
- Delegation of Authorisation: Allowing certain roles or users to delegate specific tasks or permissions to others, enhancing operational flexibility and efficiency while maintaining a record for accountability and oversight.
- Duties and Powers: Defining the duties associated with each role or group and delineating their powers, such as issuing, verifying or revoking particular credentials, to ensure that these actions are authorised and not abused.