Secure Patterns for Internet CrEdentials                      M. Prorock
Internet-Draft                                                 B. Zundel
Intended status: Informational                              Tradeverifyd
Expires: 18 September 2025                                 17 March 2025


                          Use Cases for SPICE
                      draft-ietf-spice-use-cases-01

Abstract

   This document describes various use cases related to credential
   exchange in a three-party model (issuer, holder, verifier).  These
   use cases aid in the identification of which Secure Patterns for
   Internet CrEdentials (SPICE) are most in need of specification or
   detailed documentation.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://brentzundel.github.io/draft-ietf-spice-use-cases/draft-ietf-spice-use-cases.html.
   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-ietf-spice-use-cases/.

   Discussion of this document takes place on the Secure Patterns for
   Internet CrEdentials Working Group mailing list
   (mailto:spice@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/spice/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/spice/.

   Source for this draft and an issue tracker can be found at
   https://github.com/brentzundel/draft-ietf-spice-use-cases.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Prorock & Zundel        Expires 18 September 2025               [Page 1]

Internet-Draft              Use Cases for SPICE               March 2025

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 September 2025.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  SPICE Common Patterns . . . . . . . . . . . . . . . . . . . .   3
   4.  SPICE Use Cases . . . . . . . . . . . . . . . . . . . . . . .   3
   5.  Use Case Discussion . . . . . . . . . . . . . . . . . . . . .   4
     5.1.  Roles . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     5.2.  Microcredentials in Education . . . . . . . . . . . . . .   4
     5.3.  Physical Supply Chain Credentials . . . . . . . . . . . .   5
     5.4.  IoT, Control Systems, and Critical Infrastructure
           Credentials . . . . . . . . . . . . . . . . . . . . . . .   6
     5.5.  Credentials related to Authenticity and Provenance  . . .   6
     5.6.  Offline exchange of credentials . . . . . . . . . . . . .   7
     5.7.  Embedding Credentials . . . . . . . . . . . . . . . . . .   7
     5.8.  Digital Wallets . . . . . . . . . . . . . . . . . . . . .   7
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .   7
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   8
   Document History  . . . . . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   There is a need to more clearly document digital credentials that
   utilize the issuer-holder-verifier model across various work at IETF,
   ISO, W3C, and other SDOs.  This need particularly arises in use cases
   for verifiable credentials that do not involve human-in-the-loop
   interactions, require strong identifiers for business entities, call
   for the benefits of CBOR encoding, or leverage the cryptographic
   agility properties of COSE.

   This document covers multiple use cases for verifiable credentials
   that help inform both the required architecture and components, and
   that frame the need for clearly defined message formats or supporting
   mechanisms.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  SPICE Common Patterns

   Within SPICE there are a few common patterns that continually arise:

   *  Selective disclosure with CBOR-based verifiable credentials

   *  Cryptographic agility support via COSE, including support for PQC,
      and to permit use of the same signature algorithms with both
      selectively disclosed and fully disclosed credentials

   *  Strong and long-lived identities that may be correlated with
      public key material for verification and permit binding to DNS or
      existing X.509 certificates, as well as providing ready access to
      public keys for verification utilizing HTTP

4.  SPICE Use Cases

   There are several expanding use cases and common patterns that
   motivate the working group and broader community, including:

   *  Microcredentials, particularly in education

   *  Digitization of physical supply chain documents in multiple
      jurisdictions:

      -  CBOR credentials

      -  High-volume system-to-system exchange of credentials

      -  Regulatory data and business-driven information

   *  Credentials related to IoT, Control Systems, and Critical
      Infrastructure

   *  Credentials related to authenticity and provenance, especially of
      digital media

   *  Offline exchange (in person) of credentials that may have been
      internet issued

   *  Embedding credentials in other data formats

   *  Digital Wallet Initiatives

5.  Use Case Discussion

5.1.  Roles

   An "issuer" is an entity (person, device, organization, or software
   agent) that constructs, secures, and shares digital credentials.

   A "holder" is an entity (person, device, organization, or software
   agent) that stores issued credentials and controls their disclosure.

   A "verifier" is an entity (person, device, organization, or software
   agent) that receives, verifies, and validates disclosed digital
   credentials.

5.2.  Microcredentials in Education

   Microcredentials provide a flexible and verifiable way to recognize
   skills, achievements, and competencies in education.  Unlike
   traditional degrees or certifications, microcredentials offer a
   modular and portable format that can be tailored to specific learning
   outcomes.  They enable lifelong learning, career advancement, and
   industry-aligned skill validation while allowing learners to
   demonstrate their achievements in a verifiable and interoperable
   manner.

   Common use cases:

   *  Microcredentials for industry-specific skills such as cloud
      computing, cybersecurity, or data analytics, enabling verifiable
      skills on job applications, LinkedIn profiles, or digital resumes.
   *  Recognizing individual competencies as learners progress through a
      program, which allows institutions and employers to verify
      achievements more granularly.

   *  Stackable microcredentials that allow learners to accumulate and
      combine microcredentials into a larger qualification.

   *  Work-integrated learning and apprenticeships: skills and
      competencies gained through internships, apprenticeships, or
      on-the-job training, enabling employers to issue digital
      credentials for workplace learning experiences.

   *  Recognition of informal learning, community-based education, or
      non-degree programs to support individuals without access to
      traditional higher education.

5.3.  Physical Supply Chain Credentials

   Physical supply chains provide several unique scenarios and
   requirements for implementers of digital credentials.  There is a
   strong movement toward digitization of physical supply chain
   documents, which today are typically exchanged on paper or as scanned
   PDFs using legacy approaches.  Some steps have been taken towards
   digitization of supply chain documents using XML; however, this has
   proved problematic compared with native binary formats due to the
   complexity, size, and volumes of transmission often involved.

   Common use cases for physical supply chains include:

   *  Regulatory data capture and exchange with governmental bodies

   *  Requirements around capturing specific types of data including:

      -  Inspection information

      -  Permits

      -  Compliance certification (both regulatory and private)

      -  Traceability information, including change of control and
         geospatial coordinates

   *  Providing the ability for 3rd parties to "certify" information
      about another actor in the supply chain, e.g., Vendor A is an
      approved supplier for Company X

   *  Passing of data between multiple intermediaries, before being sent
      along to customs agencies or consignees.

   *  Moving large amounts of signed data asynchronously and
      bi-directionally over a network channel

   *  Identifying actors in a supply chain and linking them with legal
      entity information

5.4.  IoT, Control Systems, and Critical Infrastructure Credentials

   The deployment of digital credentials in constrained systems such as
   IoT, control systems, and critical infrastructure environments
   introduces challenges.  These systems often operate in environments
   with strict security, latency, and interoperability requirements.
   Digital credentials play a role in ensuring secure device identity,
   access control, and trusted data exchange between interconnected
   systems.

   Common use cases include:

   *  Device identity and authentication ensuring only authorized IoT
      devices can connect to a network or control system.

   *  Restricting access to critical systems, such as industrial control
      systems, SCADA networks, and energy grid controllers, to only
      authorized personnel and devices.

   *  Role-based access control (RBAC) and attribute-based access
      control (ABAC) policies using digital credentials.

   *  Encrypted and authenticated data exchange between industrial
      sensors, actuators, and control systems.

   *  Verifying software updates and firmware integrity using signed
      credentials to prevent unauthorized modifications.

   *  Tamper-resistant logging and auditing: digitally signed
      operational logs and sensor data to enable post-incident forensic
      analysis.

   *  Temporary access credentials for emergency personnel and automated
      response systems during critical incidents.

5.5.  Credentials related to Authenticity and Provenance

   Due to a proliferation of AI-generated or modified content, there is
   an increased need to provide the ability to establish the provenance
   of digital materials.  Questions of authenticity and the means of
   creation (human created, machine assisted, machine created) also
   abound.
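   As an added worked example (not part of this draft and not code from
   the SPICE working group), the Go program below walks the provenance
   scenario above through the three roles of Section 5.1 using the
   selective-disclosure pattern of Section 3: an issuer signs a
   credential that binds a media file's SHA-256 digest to a list of
   salted claim digests, the holder reveals only the "creation" claim,
   and the verifier checks everything offline with a pre-provisioned
   issuer key.  It uses Ed25519 and JSON from the Go standard library as
   stand-ins for the COSE and CBOR encodings the draft calls for; the
   salted-digest construction, the claim names, the media bytes and the
   issuer URL are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Disclosure is one salted claim kept by the holder. The credential carries only
// its digest, so any subset can be revealed without breaking the issuer signature.
type Disclosure struct{ Salt, Name, Value string }

// Payload is what the issuer signs: ContentHash binds the credential to one
// specific media file, Digests cover the selectively disclosable claims.
// (Constructed for this example; a SPICE credential would be CBOR/COSE.)
type Payload struct {
	Issuer      string   `json:"iss"`
	Expires     int64    `json:"exp"`
	ContentHash string   `json:"cnt"`
	Digests     []string `json:"sd"`
}

type Credential struct{ Payload, Signature []byte } // signed bytes as the holder stores them

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// claimDigest hashes the canonical JSON form of a disclosure (salt, name, value).
func claimDigest(d Disclosure) string { b, _ := json.Marshal(d); return sha256Hex(b) }

// Issue (issuer role): salt every claim, sign the content hash plus the sorted
// claim digests, and hand credential and disclosures to the holder.
func Issue(priv ed25519.PrivateKey, issuer string, exp time.Time, content []byte, claims map[string]string) (Credential, []Disclosure, error) {
	var discl []Disclosure
	var digests []string
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{Salt: hex.EncodeToString(salt), Name: name, Value: value}
		discl, digests = append(discl, d), append(digests, claimDigest(d))
	}
	sort.Strings(digests) // sorted so the payload does not leak claim order
	payload, err := json.Marshal(Payload{Issuer: issuer, Expires: exp.Unix(), ContentHash: sha256Hex(content), Digests: digests})
	if err != nil {
		return Credential{}, nil, err
	}
	return Credential{Payload: payload, Signature: ed25519.Sign(priv, payload)}, discl, nil
}

// Present (holder role): pick only the claims the holder is willing to reveal.
func Present(all []Disclosure, reveal ...string) []Disclosure {
	var out []Disclosure
	for _, d := range all {
		for _, name := range reveal {
			if d.Name == name {
				out = append(out, d)
			}
		}
	}
	return out
}

// Verify (verifier role) runs offline: it needs only the received media bytes,
// a pre-provisioned issuer public key and the local clock.
func Verify(pub ed25519.PublicKey, c Credential, discl []Disclosure, content []byte, now time.Time) (map[string]string, error) {
	if !ed25519.Verify(pub, c.Payload, c.Signature) {
		return nil, fmt.Errorf("signature invalid")
	}
	var pl Payload
	if err := json.Unmarshal(c.Payload, &pl); err != nil {
		return nil, err
	}
	if now.Unix() >= pl.Expires {
		return nil, fmt.Errorf("credential expired")
	}
	if pl.ContentHash != sha256Hex(content) {
		return nil, fmt.Errorf("content does not match the credential")
	}
	claims := map[string]string{}
	for _, d := range discl {
		dg := claimDigest(d)
		if i := sort.SearchStrings(pl.Digests, dg); i == len(pl.Digests) || pl.Digests[i] != dg {
			return nil, fmt.Errorf("disclosure %q not covered by the signature", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	media := []byte("constructed sample image bytes") // stands in for a real media file
	cred, discl, _ := Issue(priv, "https://newsroom.example", time.Now().Add(time.Hour), media, map[string]string{"creation": "human", "creator": "Alice Example"})
	fmt.Println(Verify(pub, cred, Present(discl, "creation"), media, time.Now()))
}
```

   The verifier never contacts the issuer: signature, expiry, content
   binding and disclosure digests are all evaluated locally, which is
   the property the offline exchange of Section 5.6 depends on.  The
   payload bytes that were signed are stored verbatim, so no
   canonicalization step is needed at verification time; withheld claims
   never leave the holder, and a disclosure whose digest is absent from
   the signed list, a modified media file, an expired credential, or a
   signature from a different issuer key are each rejected.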
   In cases where an AI created the content, providing the model
   information related to the generation of that content is becoming
   increasingly important.

   Common use cases include:

   *  Determining whether a received piece of media is human created,
      and that the content is authorized for certain uses.

   *  Providing the ability to trace training materials for LLMs and
      similar models to output.

   *  Understanding if media was created by an authoritative or
      trustworthy source.

5.6.  Offline exchange of credentials

   Many real-world scenarios require credentials to be disclosed,
   verified, and validated without continuous or immediate access to
   online services.  This can be due to network limitations, privacy
   concerns, or operational constraints in environments where
   connectivity is intermittent or unavailable.  Some digital credential
   frameworks assume online verification mechanisms, which may not be
   suitable for offline-first environments where entities must verify
   credentials using locally available data and cryptographic
   techniques.

   Common use cases include:

   *  Identity verification in disconnected environments, such as remote
      regions, military operations, or disaster recovery efforts.

   *  Travel and border security, where credentials such as visas,
      vaccination records, or national IDs must be verified in locations
      with limited or no network connectivity.

   *  Access control in secure facilities, such as industrial sites,
      research labs, or private events.

   *  Device authentication in air-gapped systems.

   *  Peer-to-peer credential sharing.

5.7.  Embedding Credentials

   TODO embedding credentials use case

5.8.  Digital Wallets

   TODO digital wallet use case

6.  Security Considerations

   TODO Security

7.  IANA Considerations

   This document has no IANA actions.

8.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

Acknowledgments

   TODO acknowledge.

Document History

   -01

   *  Added offline use case

   *  Added IoT use case

   *  Added microcredentials use case

   *  Changed author affiliations

   -00

   *  Initial individual draft

Authors' Addresses

   Michael Prorock
   Tradeverifyd
   Email: mprorock@tradeverifyd.com

   Brent Zundel
   Tradeverifyd
   Email: brent.zundel@tradeverifyd.com