concept governance framework in category system administration
This is an excerpt from Manning's book Self-Sovereign Identity MEAP V08.
Our goal in every case will be to bring you specific examples of how SSI might be used so you can ground your understanding in how it can be applied in your own work, family, company, school, industry, city, or country. We also hope this book will open the discussion for other stakeholders and perspectives from society.
This layering of human trust on top of cryptographic trust is how SSI delivers the full power of verifiable credentials. But trusting in credentials from one issuer at a time doesn’t scale. This was the same problem faced in the early days of credit cards in the 1960s. Each major bank tried to issue its own brand of credit card, and merchants were overwhelmed—they couldn’t handle dozens of different credit cards from different banks.
So credit card adoption didn’t take off until banks got together and formed credit card networks—Visa and MasterCard being the two best known. Each of these is governed by a set of business, legal, and technical rules known as a governance framework (also known especially in the digital identity industry as a trust framework). The entity that creates and administers a governance framework is known as the governance authority.
A governance framework creates the second trust triangle shown in the lower half of figure 2.13. This illustrates how a governance framework can make a verifier’s job easier: when presented with proof of a credential from an issuer the verifier does not know, the verifier can request a second proof from the issuer (now acting as a holder/prover) proving that issuer is authorized under a governance framework the verifier trusts. This proof comes from another verifiable credential issued by the governance authority to the issuer. This approach of “recursive trust triangles” can work for any size trust community—even Internet-scale trust communities where verifiers do not directly know all the issuers (e.g., MasterCard and Visa).
Figure 2.13: Governance authorities and governance frameworks represent a second trust triangle that enables verifiers to determine the authorized issuers for a specific set of verifiable credentials.
Governance frameworks are the “flip side” of a verifiable credential—they specify the policies and procedures that issuers must follow to issue that specific credential. In some cases they will also specify the terms and conditions to which holders must agree to obtain them. And when verifiers are paying issuers for the value of the credential, a governance framework can also specify liability policies, insurance requirements, and other legal and business variables that verifiers can factor into their trust decisions.