Add Level of Assurance and Source of LoA Fields to identity Assertion container

[ScottSPerryCPA]

Not all stated identities are created equal. They vary regarding the degree of identity proofing techniques are applied prior to the issuance of an identity identifier. Identifiers on social media have no identity proofing. I assign an identifier to myself as long as no one else has used that identifier and no one will know that it is me. Other identifiers are issued at a stated level of assurance which carries a set of identity proofing requirements which may be audited as part of a conformance program tied to assure relying parties that that those identity proofing techniques have been consistently applied.

The identity world has three standards that include level of assurance tiers to communicate the degree of confidence one can assert over these identity proofing techniques:

• ISO/IEC TS 29003:2018 (https://www.iso.org/standard/62290.html)
• NIST 800-63 (current version is -4) https://pages.nist.gov/800-63-4/sp800-63.html
• eIDAS 2.0 (https://www.european-digital-identity-regulation.com/#:~:text=There%20is%20currently%20no%20obligation,minimum%20criteria%20and%20functional%20requirements.)

They are not necessarily consistent with each other.

Since the CAWG identity assertion wants the option to convey transparent information about the identity included in the identity assertion, it is critical to allow for communication of a stated level of assurance to be included in the identity manifest. Since there are many sources of this information and many different level schemes, the information conveyed on the manifest most be flexible enough to be a container from disparate sources. Therefore, we should include a flexible field for both the level (which should be alphanumeric to handle numeric levels (1, 2, 3 etc.) and qualitative levels (Low, Medium, High) and some flexible source field which indicates the scheme in which the LoA has been derived (e.g. ISO, NIST, EIDAS, etc.)

• [x ] I have read the CLA Document and I hereby sign the CLA.

---

[dbigsby]

Thanks for adding this, @ScottSPerryCPA .
A few points I'd like to see for this:

• Level of Assurance is at the level of an individual identity assertion, i.e., it is not an overall level of assurance (for the credentialSubject or the aggregation credential) but is specific to an item in the verifiedIdentities array
• Level of Assurance is optional part
• Level of Assurance can differ between items
• The Identity Aggregator indicate should how they determined that a given identity assertion has the stated level of assurance. This could be done via public documentation (e.g., a web page) or perhaps an attribute in the Level of Assurance data structure with a set of fixed values (e.g., "Assessed by Identity Aggregator", "Self-Asserted by Identity Provider". "Audit published by Identity Provider"). I suggest this attribute be required so the aggregator has to say something