Derived Credential

Full Title or Meme

A Credential that is derived from some other credential in order to use in a different environment.

Context

Credentials that were only provided in protected Smart Cards are now needed in other locations, like Smart Phones

Problems

• The is a constant churn in the devices that Users can carry with them.
• Many credentials have already been issued with yesterday's technology.
• The new technology cannot accommodate the older credential.
• The older technology will continue to exist along side the older technology.

Solutions

The US federal government relies on PIV Smart Cards^[1] to securely authenticate and identify employees and contractors when granting access to federal facilities and information systems for existing personal computer applications as well as for access control to buildings. That need is not going away so the existing PIV cards will continue to be issued. The Derived Credential specification has been issued (final on 2019-08-27) to help move this capability to small portable devices that cannot handle smart cards.^[2]

• 2024-11-15 Guidelines for Derived PIV Credentials and PIV Federation: SP 800-157r1 and SP 800-217 Available for Public Comment

Mobile Driver's License

mDLs are powerful because they bring government-issued identity into a digital format.

But in practice, most verifiers don’t need everything on your driver’s license.

A student bookstore doesn’t need your address, it only needs to know that you’re enrolled.

That’s where derived credentials come in.

They allow you to take verified data from a root credential like an mDL and create purpose-specific credentials:

• A student ID for campus services.
• An employee badge for workplace access.
• A travel pass or loyalty credential.

Andrew put it simply: if you don’t need to use the original credential with everything loaded into it, don’t.

Ryan added that the real benefit is eliminating unnecessary personal data entirely, only passing on what’s relevant for the transaction.

Derived credentials also make it possible to combine data from multiple credentials into one, enabling new use cases.

For example, a travel credential could draw on both a government-issued ID and a loyalty program credential, giving the verifier exactly what they need in a single, streamlined interaction.

This approach flips the model of identity sharing.

Instead of over-exposing sensitive details, derived credentials enable “less is more” identity verification: stronger assurance for the verifier, greater privacy for the user.

Looking ahead, Andrew revealed that the ISO 18013 Edition 2 will introduce support for revocation and zero-knowledge proofs, enhancements that will make derived credentials even more practical and privacy-preserving. Activate to view larger image,

References

1. ↑ NIST FIPS PUB 201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf
2. ↑ NIST SP 1800-12, Derived PIV Credentials, https://www.nccoe.nist.gov/projects/building-blocks/piv-credentials

Other Material

• See the wiki page PIV Card for more information about the source and direction of Personal Identity Verification (PIV) in the US Government.
• See the wiki page Derived Mobile Credential for a list of use cases where a user can create a specific set of attributes for a specific purpose from