Community Review

This consultation is open to all InCommon, REFEDS, eduGAIN, industry and other community members. The consultation will be open from Thursday, February 8th, 2024 to Friday, March 8, 2024.

The final document will be posted once all the input has been processed and editing is complete.

Document for review/consultation


Dear InCommon Community Members,

At the link above, please find the community consultation draft for the final report of the Community Architecture Committee for Trust and Identity (CACTI) Next-Generation Credentials Working Group (NGCWG).

The consultation for this document is open from today, February 8, 2024, through the end of the day on Friday, March 8. It’s vital that we get your feedback, so please read on.

What do we mean by next-generation credentials?

“Next-generation credentials” is CACTI’s name for emerging technology that empowers credential holders to choose what identity they assert, at what time, with what relying party/verifier, and what types of information they disclose. This type of user-centric identity ecosystem is known variously as “self-sovereign identity,” “verifiable credentials,” “wallet-based credentials”, etc.

The NCGWG was a short-lived working group tasked with understanding what we as a community mean by “next-generation credentials”and determining the key use cases that will drive their adoption in R&E.  The NGCWG Report represents the first step in a larger CACTI effort to understand the emerging area of next-generation credentials, how they will impact the R&E Trust and Identity (T&I) landscape and how they will enable new T&I capabilities and services for the R&E sector.  We are also seeking to understand how/if next-generation credentials will impact existing InCommon T&I services, such as the InCommon Federation and eduroam. Finally, we are also seeking to understand the evolving relationship between next-generation credentials and the future state of browser-based privacy and security controls.

Some universities have already begun to deploy wallet-based University IDs.  As this practice grows, CACTI will be working, in concert with the rest of the R&E T&I community, to:

  • Ensure that the needs of the R&E sector are considered in the global standards bodies that are defining the technical standards for these next-generation credentials.
  • Work with other R&E technology organizations and R&E solution vendors to design, develop, and promote high-quality, interoperable next-generation credential solutions that meet the needs of the global R&E community.
  • Communicate with the R&E community about available technologies and trade-offs as your institutions begin to plan and execute your next-generation credential roadmaps.

How can you join the conversation about next-generation credentials?

To help us understand how best to work together in this space, we are eager to get your feedback on the use cases and conclusions in the linked report. Please provide feedback on the following, and any other items, in the linked community consultation wiki page.

  1. Did we miss any use cases that are important to your R&E institution? 
  2. If your institution is already working towards wallet-based student IDs or other next-generation credentials, which use cases are driving your efforts?  What solutions are you considering or deploying?
  3. Have you considered the need for your next-generation credentials to be compatible (or interchangeable) with the credentials used at other R&E institutions?  
  4. Within your organization, how do you see the use of next-generation credentials impacting or co-existing with your existing T&I services (such as the InCommon Federation or eduroam)?
  5. Do you agree with the next steps outlined in the conclusion section?  Are there additional things that InCommon could be doing to help you understand, evaluate, or adopt this new technology?

You can add your notes and comments to the table in the wiki. We look forward to your response as we navigate this exciting new technology area together!

Best Regards,

The Internet2 Community Architecture Committee for Trust & Identity (CACTI)

Current Text
Proposed Text / Query / Suggestion
+1 (add your name here if you agree with the proposal)
Action (please leave this column blank)

Students, faculty and staff often have very large numbers of groups and roles which need to be used for inter-institutional and intra-institutional authorization. These group memberships rely heavily on real-time revocation for security purposes, and the sheer number of groups often presents challenges to authorization at-scale, aka the “Kerberos PAC field problem”

In addition to concern re revocability of group memberships, membership in some groups should be confidential, eg, a group conferring management access to sensitive operational technology. Is there a form of audience restriction built-in to a credential and its verification process so that users are not solely responsible for maintaining this confidentiality? Similarly, an issuer may want to constrain where a user may show a credential it is the source of authority for.

Both of these concerns arise in research cyberinfrastructure environments, and in neither case is the user an appropriate locus of policy enforcement.

Tom Barton
Added use cases #32 and #33 in Appendix A to cover these, thanks!

See Also

  • No labels