In the next few years, the soaring demand for customised verifiable credentials (VCs) means we’ll see the emergence of managed services to deliver them. How might these managed services work? There’s a solid precedent.
VCs are increasingly being used for everything from digitised vaccination certificates to records of educational achievements. As they come to be used for more applications at a variety of scales, economies of scale will make it inevitable that the management of the VCs themselves, and all the associated security measures, will be provided as a service.
There’s a clear precedent for this type of managed service: the magnetic stripe card industry.
All sorts of organisations use plastic card bureaus to produce a huge variety of customised licences, employee badges, membership cards, student cards, tickets, and so on.
All magnetic stripe cards work in a near-identical fashion, yet each one is distinct, clearly branded, and readily identified for its particular purpose without any special knowledge.
The plastic card could be the greatest user interface standard of all time. People all over the world are habituated to presenting plastic cards to other people to prove their bona fides, and to terminals for automatic recognition.
Plastic cards are most commonly read by terminals via the magnetic stripe, but several other electronic interfaces are available, including 1D and 2D bar codes, contactless radio frequency identification (RFID) and direct contact chip readers. Most customers have become comfortable with this range of interfaces, and they’ll switch between modes without much thought at all.
The card industry ecosystem is mature. The commercial bureaus can provide a wide variety of customised cards. They handle certified secure production and distribution of the cards. There are well-understood demarcations in liability between the bureaus and their customers, who are usually the sources of the credentials .
The plastic card paradigm has some powerful features which are instructive for the emerging VCs-as-a-service industry.
- A competitive market of card personalisation bureaus, providing custom production, magnetic stripe encoding, and card distribution and activation, all in commercial bundles which can be purchased by government agencies, banks, professional associations, universities, driver licence bureaus, and so on. On the rear of many plastic cards, the card manufacturer is indicated in fine print. It may well be that the same manufacturer produced your credit cards and government cards.
- The production process is highly technical but hidden entirely by the outsourcer. Consider for example the critical composition and quality of the ferrite powders that constitute the stripe. Those powders and the rolls of bulk stripes are provided by specialist upstream manufacturers. As with the secure printing of cheque books, prescription pads, and lottery tickets, the production of plastic cards entails strict controls over inventory, shipping, and personnel security. The facilities are generally audited and may even be subject to government licensing.
- Within the business model there was a built-in upgrade path for data carrier technology. Cards evolved over time, from mag stripe to microprocessor (i.e. smartcards) and to NFC (tap-and-go) with little or no change to the user experience, and no change at all to the user agreements.
- A highly uniform user experience. Most automatic teller machines, point of sale terminals, ticketing machines, and self-service kiosks work in nearly identical ways.
- Most importantly, plastic cards are not identities. Most cards are simply treated as evidence of specific memberships or other attributes.
While “digital identity” designers and policymakers often fret about “interoperability”, they usually mean equivalence. Yet that question just doesn’t come up with plastic card credentials. There is rarely any question of “equivalence” between the many different cards, even if they happen to be manufactured by the one bureau.
The possibility doesn’t even arise in one’s mind that a bank card could be equivalent to a student card, company ID badge, or sports club entry token.
Every issuer of the respective base credential is free to set its own membership rules. The gory details of those rules, including legal liabilities, are set out somewhere for verifiers to understand as they need. But it is no business of the card bureau. To a card bureau, a platinum card with a $100,000 limit is no different from the entry level credit card.
So the plastic card market shows us how to keep things simple.
Businesses use card bureau services in a mature and uncomplicated way. No one really thinks a plastic card is an “identity” (moreover the World Health Organisation has been clear that COVID certificates should not be treated as identities). Certain cards can be used as elements of identification in some scenarios but strict limits apply.
And even when a special card does conform identity, no one thinks of the card printer as an “identity provider”.
Organisations don’t wrap themselves up in a tangle of philosophical or legal issues when engaging card printers to provide credit cards, Medicare cards, employee badges, or sports club memberships. They simply send files of their members’ names and details to a bureau, and the bureau manufactures cards in bulk and sends them back, or in many cases also handles the distribution to the end users.
It’s a nice clean supply chain and outsourced service model. The responsibilities and liabilities are clear every step of the way. The same principles need to be replicated for cryptographic verifiable credentials as a service. The detailed custoization, production and distribution of these precise cryptographic bundles should be left to experts and the end-product procured in bulk.