Skip to main content

5.1. Passport Model

5.1. Passport Model

The Passport Model is so named because of its resemblance to how nations issue passports to their citizens. The nature of the Evidence that an individual needs to provide to its local authority is specific to the country involved. The citizen retains control of the resulting passport document and presents it to other entities when it needs to assert a citizenship or identity Claim, such as at an airport immigration desk. The passport is considered sufficient because it vouches for the citizenship and identity Claims and it is issued by a trusted authority.

Thus, in this immigration desk analogy, the citizen is the Attester, the passport-issuing agency is a Verifier, and the passport application and identifying information (e.g., birth certificate) is the Evidence. The passport is an Attestation Result and the immigration desk is a Relying Party.

In this model, an Attester conveys Evidence to a Verifier that compares the Evidence against its appraisal policy. The Verifier then gives back an Attestation Result that the Attester treats as opaque data.

The Attester does not consume the Attestation Result, but it might cache it. The Attester can then present the Attestation Result (and possibly additional Claims) to a Relying Party, which then compares this information against its own appraisal policy. The Attester may also present the same Attestation Result to other Relying Parties.

There are three ways in which the process may fail:

  • First, the Verifier may not issue a positive Attestation Result due to the Evidence not passing the Appraisal Policy for Evidence.
  • The second way in which the process may fail is when the Attestation Result is examined by the Relying Party, and based upon the Appraisal Policy for Attestation Results, the result does not comply with the policy.
  • The third way is when the Verifier is unreachable or unavailable.

As with any other information needed by the Relying Party to make an authorization decision, an Attestation Result can be carried in a resource access protocol between the Attester and Relying Party. In this model, the details of the resource access protocol constrain the serialization format of the Attestation Result. On the other hand, the format of the Evidence is only constrained by the Attester-Verifier remote attestation protocol. This implies that interoperability and standardization is more relevant for Attestation Results than it is for Evidence.

    .------------.
    |            | Compare Evidence
    |  Verifier  | against appraisal policy
    |            |
    '--------+---'
        ^    |
Evidence |    | Attestation
        |    | Result
        |    v
    .---+--------.              .-------------.
    |            +------------->|             | Compare Attestation
    |  Attester  | Attestation  |   Relying   | Result against
    |            | Result       |    Party    | appraisal policy
    '------------'              '-------------'

                    Figure 5: Passport Model
Last updated on