Canada and the European Union are working on ways of recognizing the use of digital credentials — including transactions conducted through digital wallets — for business and personal use.
Minister of Innovation, Science and Industry François-Philippe Champagne said this morning that after a series of technical workshops, the two jurisdictions have agreed to collaborate on digital credential research and innovation. Other countries may be asked to join the work.
Goals are to ensure trust in digital credentials is maintained and privacy is protected.
A digital credential is a portable digital record of a claim made by a business, an organization or an individual, the government said in a news release. It can be held in and shared through a digital wallet, serving as a digital representation of traditionally physical certificates or information, like driver’s licences, business permits, certificates of incorporation or airline tickets.
Digital credentials can be trusted by all entities in the economy and society as they rely upon cryptography to detect fraud and verify the authenticity and the issuer of the digital credential, says the workshops’ report.
There are already commonalities between Canada and the EU that could be built upon to advance the implementation of digital credentials, Ottawa notes. For example, there is some use of hyperledger-based solutions in both Canada and the EU, including Hyperledger Indy and Fabric, and the esatus digital wallet.
According to a background report also released today, a key finding from the technical workshops held earlier this year was that both Canada and the EU already have a variety of different Self-Sovereign Identity (SSI) and digital credential technologies in use in their jurisdictions, many of which are not interoperable with one another. In addition, different SSI and digital credential technologies and approaches are emerging in different economic sectors and at different levels of government, creating the risk of economic and jurisdictional technology silos.
As a result Canadian and EU experts recommended that both jurisdictions should work under the following common principles and approaches:
- Adhere to internationally recognized standards and best practices, such as the Verifiable Credential Data Model and Decentralized Identifiers (DIDs);
- Enable a baseline compatibility between Canada and the EU regarding digital credentials and digital trust services;
- Comply, at minimum, with the published and endorsed World Wide Web Consortium (W3C) test suites;
- Adopt an approach that is both ledger and feature-agnostic to prevent vendor lock-in.
“Transactions in the global economy and society rely upon trust, where each transacting party is confident that the other is who they claim to be, and that the information provided is true,” the report says in part. “How to ensure this trust in a digital world has become an increasingly important problem faced by governments and organizations around the globe, with massive implications on the health and vitality of the global economy.”
The workshops found there are two main gaps that exist for both Canada and the EU. First, there is a lack of standards for digital wallets, leading to a “wild west” atmosphere in the space, and endangering trust in the system and the potential for interoperability. In response, standards are currently being developed by both sides. The second key gap is with zero-knowledge proofs (ZKP), a new approach for sharing information without sharing personal data, that is also ahead of the current policy frameworks.
The workshop’s summary says ZKP, though desirable, continues to be an issue as it is not legally binding and could cause a challenge. “It is important to develop a deep understanding of this new approach before taking action to standardize it.” says the summary. “This deeper understanding will also help inform related policy development. For example, there is currently confusion about whether ZKP proofs could count as personal data, which would cause conflicts with the General Data Protection Regulation (GDPR).”
The workshops identified three risks that need to be addressed through the Canada and EU trust frameworks:
- Vendor lock-in, which means becoming dependent upon a specific vendor for products and services, without the ability to switch to another vendor without substantial cost and effort. This risk could be mitigated by relying upon open standards and technological interoperability.
- Ecosystem fragmentation, where different communities develop their own standards. Examples include emerging approaches for travel, educational and COVID credentials, all of which have momentum and are being developed largely in isolation from one another. While a healthy and diverse ecosystem of actors and initiatives is positive, the challenge comes in how to mitigate siloed approaches to ensure mutual recognition, scalability, and adoption beyond a specific context. There is a need to look at how to navigate a lack of control over these various ecosystems.
- Platform capture. As larger platform players move into the digital wallet and identity space, there is a risk that they could dominate the market and have an outsized influence on the standards. There is a need to establish an approach that balances the accommodation of consumer choice and healthy marketplaces with the mitigation of potential harm of private sector control of personal data and privacy.
Canada and the EU will continue co-operating on the development of digital credential standards and certifications. That will include joint proofs of concept and pilots for end-to-end digital credential use cases, leading ultimately to establishing mutual recognition for digital credentials and digital trust services through formal agreements.
Joni Brennan, president of the Digital Identification and Authentication Council of Canada (DIACC), a non-profit coalition of public and private sector leaders developing a Canadian framework for digital identification and authentication, said the group is pleased with the news.
“This effort builds on federal and provincial coordination to adopt the international smart health card industry standard for the issuance of vaccine proofs,” she said. “We are also pleased to see the focus on the international industry standards for verifiable credentials that are developing under the World Wide Web Consortium (W3C). These standards have the potential to be operationalized through the application of the Pan-Canadian Trust Framework that verifies information assurance and technical interoperability across complex ecosystems.”