...
Introductions
Presentation StMouy: Public consultation on FATF draft guidance on digital identity. After months of preparation FATF released guidance in digital identity. Important because it is the first time there is a concerted effort to discuss digital identity – financial regulations. No time left for comment (as of Friday) Areas of focus - where feedback is requested – typically deals with how – a good way to stimulate financial inclusion with digital identity. Proofing is difficult, in emerging and other countries. FATF looking at ways to lower requirements for identity proofing. Balance with higher requirements for authentication. Some of the questions raised by FATF relate to what sort of risks are involved, how to mitigate risks, and whether there is any tradeoff with authentication and collection monitoring processes.
...
Guidelines on what kinds of electronic documents. Needs to be unique document ID for the publisher. Must go through a partnership agreement authority. Requestor is entity providing service to citizen or any entity requiring documents (such as bank). As requestor, you can access digital locker, you will have access. Apart from that, digital locker service providers. Typically unique URI for documents. Can It can be owned by issuers or private players who store documents. Issuer maintains own secure storage model available. Simple, only one copy, what flows is the URI. One is the issued document for which the URI is stored in the digital locker. Centralized repository with a document. A lot of legacy documents users already have. Digital lockers can provide service to upload legacy and get 'signed' with a signing service, to share documents. Sign and upload, or from a certain date onward, issuer can issue electronic documents and publish a URI. If we talk about the India stack ecosystem. We are talking about multiple transformations.
Quick explanation on layers on video approximately minute 35.
Sign up, start with mobile, create an account, verify. When you sign in again, use the username password or identifier. Username always linked to Aadhaar. Access documents issued by government organizations. Linking Aadhaar is always recommended.
Question? Digital Locker issues documents on request, do they do that or confirm attributes? Once documents are released they could be tampered with?
Response = issuer issues document. For example, an electronic driver's license. Digital wallet interface, you see the document signed by transfer document, it is digitally signed by the issuer. If you see the interface it says three issued document, when I click on the URI. URI is transferred, not URI.
Question? Is there a selective disclosure? Is there a revocation? We understand this is a centralized model to a certain extent.
Response = the interface is centralized. The Digital Wallet never contains the document, only the URI. Once the document is requested from the issuer, it can check authentication. The document itself resides in repositories that can be controlled by owner or in a shared repository. The only thing compromised are the URIs.
Question? When I use that document in any context, does the issuing authority know?
Response = no. The only Digital Locker interface that you own has that list. Owners can see activity.
Question? If what you're sharing from the locker is the URI, they are requesting a document from the initial document. The initial issuer would know where you share the document.
Response = Example, submit the document to the passport office. Integrate into solution. Technically, every time I request a document, the issuer has no way to know of the requested document.
Question? Audit trail of a number of requests; not where the request came from?
Who is able to view the log?
Response = Activity log - the owner of a digital wallet. If there is a provider, operations team. Digital Locker Authority - regulatory government entity. Any entity who wants to be a Digital Locker Authority abides by rules of privacy (right now only government).
Question? Can documents be subpoena? Has not happened yet, maybe in future.
Question? Is it, for example, a pdf of driver's license or set of attributes?
Response = Appears as PDF, proposed XML or JSON. Most, as of now, are in PDF form so can be downloaded and shared with requestors? Signed PDF, according to ISO standard? Not sure on standard is a signed PDF with a valid signature.
Architecture is distributed. Multiple issuers. Multiple service providers. Own, outsource, etc. No single point where you collect and keep data. No central data storage. Strong recommendation Aadhaar strongly recommended. Because of authentication process assurance.
APIs – first meta APIs. List of all issuers registered with regulator. Issue providers. Certain document types. Get document lookup attributes. To search documents if not linked with Aadhaar number.