The Importance of Digital Identity Wallet Standards
Digital identity wallets are too important to be treated as just another app, governed only by your favorite app store’s guidelines. I also think they’re too important to rely solely on a mess of government guidelines written with varying degrees of clarity.
We already have so many questions, like:
- How much should a wallet know about the credentials it holds? How should it make queries to access only the required information?
- How can users find out which credentials are stored in each wallet, and how should wallets communicate what they contain?
- Should wallets be able to interoperate to help users find and share entire credentials or just specific details?
Answers in Regulation?
I wrote a post about the EU’s Digital Identity Architecture Reference Framework (ARF) a few months ago. The ARF is probably the best source of guidance right now, given its comprehensive approach and the level of collaboration involved. It outlines the expected behaviors of a digital identity wallet, with its development and use supported by the eIDAS 2.0 regulation.
“The ARF is an outline that provides the first blush of a framework for how digital wallets will work in the EU. The European Commission kicked off the work through a Commission Recommendation from June 2021 that urged Member States to develop common standards, technical specifications, and best practices in response to the eIDAS 2.0 regulation. EU Member States sent their experts to join a collaborative process to build the framework.” – The EU Digital Identity Architecture Reference Framework – How to Get There From Here
All that said, ARFs are not specifications. They describe a design, but the details of the implementation, such as what, when, and how different protocols must be used, are left open to interpretation. ARFs lay the groundwork for building specific technical standards, guiding more detailed development. Incredibly helpful, but not enough by itself to help ensure clarity and interoperability.
Answers in Open-Source Libraries
OK, so it’s good that there is a reference framework under development. For that matter, there is also at least one effort to build and share code libraries that will support the development of digital identity wallets: the Open Wallet Foundation.
From their website, “The OWF aims to set best practices for digital wallet technology through collaboration on standards-based OSS components that issuers, wallet providers and relying parties can use to bootstrap implementations that preserve user choice, security and privacy.”
They’ve also recently published a “Wallet Safety Guide” that provides guidelines to developers on safe ways to implement a wallet. The guide offers four areas of focus, or ‘pillars’: Privacy, Security, Supporting Functions, and Governance. It is an incredibly helpful guide and, when combined with the code libraries their members are developing and making available, takes developers one step closer to creating a wallet that is fit-for-purpose and safe for users.
But, similar to an ARF, these aren’t specifications. There are still low-level details that need clarity. Do we have the right protocols that allow all the components of a digital identity wallet to share, in a controlled manner, data about itself and the credentials it contains?
Answers in Specifications
But surely there must be something in the standards world that applies to wallets! Well, sort of. There are quite a few specifications about credentials and their properties (for example, OpenID for Verifiable Presentations, which focuses on presenting identity data securely; the W3C’s Verifiable Credentials Data Model, which defines a standard for digital credentials; and, of course, the work in the IETF SPICE working group). Some of these are approved standards, some are works in progress.
One of the works in progress is the Digital Credentials API within the W3C. This API aims to create a standardized way for web browsers, wallets, and verifiers to interact, ensuring data privacy during credential exchanges. Tim Cappalli, perhaps better known for his championing of passkeys, created a great diagram that shows what specific step in the process the DC API work is focused on. It also shows where other specifications need to exist for the other steps.
Do Standards Really Matter?
So, there are frameworks. There are open-source libraries. There are credential specs and work to standardize APIs. Why isn’t that enough? Digital identity wallets are part of such a new field, surely building experience this way is a good thing!
That’s a perspective that a lot of people have, and in most situations I would agree with them. Building standards without understanding real-world use cases is an annoying academic exercise that can waste a lot of time. In this case, however, we’re talking about testing out these new ideas in a way that involves personal data. A LOT of personal data. We’re not going to get it right the first time around. So what does that mean for all that personal data? It means a high probability of exposing that personal data to entities that shouldn’t have it.
Wrap Up
At the end of the closing keynote panel at Authenticate 2024, Andi Hindle asked “Are wallets going to be successful? Are they the right path forward?” My answer was “The question is irrelevant.” Yes, that’s a cheeky way of putting it, but digital identity wallets are already here. They are already being implemented. They are not going to go away. And they are introducing new threat vectors that we are hoping regulations will protect us from.
That’s a great model … if everyone and everything wants to abide by the law and agrees to interpret it in the same way. But for a world where that ideal is perhaps not the most realistic, having technical specifications that allow or prevent behavior in a very predictable fashion sure would be nice.
Regulation, like the EU’s eIDAS 2.0, and open-source efforts such as the Open Wallet Foundation are important steps in guiding digital identity wallets. However, we need to complement these efforts with detailed technical standards that ensure wallets operate predictably and securely. This layered approach—combining regulation, open-source libraries, and technical standards—can create a safer ecosystem for users.
So let’s get moving.
