Verifiable Credentials, a new term proposed by the W3C, are one of the main building blocks of the Self-sovereign Identity ecosystem. This article explains what they are and how they work.
Physical credentials
The term "credentials" is a familiar one. In fact, physical credentials have become an inseparable part of our daily lives in the form of licenses, credit cards, college degrees, and the list goes on.
More specifically, credentials refer to any (tamper-proof) set of information that some authority declares true about the credential's subject. By using credentials, the subjects can prove to others (who trust the authority) critical facts, such as a passport issued by a country's government establishing your status as a citizen, a pilot's license certifying that you are qualified to fly a plane, etc.
To qualify as a credential, the claims regarding the subject must be verifiable in some way. One way is through an integrated proof of validity (such as a watermark, hologram, or other distinctive printing feature). Verifying the credential is also possible by directly contacting the authority that issued it. However, human verification can be complex and time-consuming, which is one of the reasons why there is a global black market for forged credentials.
Verifiable Credentials
Verifiable Credentials (VCs) are also known as digital credentials. Their main selling point is that they can be verified automatically in a matter of seconds or even milliseconds, thanks to the power of cryptography and the internet. Verification answers the following questions:
- Does the data in the credential follow the standard format?
- Is there a valid digital signature from the issuer (which establishes the credential's origin and ensures that it has not been tampered with)?
- Is the credential still valid in the sense that it hasn't expired or been revoked?
- Does the credential give cryptographic confirmation that the bearer of the credential is indeed the subject mentioned?
These critical questions are explained in more detail in the following sections.
The Ecosystem
In the Verifiable Credential ecosystem, there are three entities to consider:
- Issuer: the entity that issues the credential
- Holder: the entity to which the credential is issued
- Verifier: the entity that confirms whether the credential matches the VC's established requirements.
These VCs must follow the W3C Verifiable Credentials Data Model in terms of implementation. That is a set of specifications and verifiable documentation that enables the verification and sharing of credentials via the internet.
Issuer
An issuer is an entity that has the authority to issue a credential. Issuers can be government agencies, healthcare facilities, banks and financial institutions, schools and universities, and even companies that give evidence of employment. In addition, individuals can also be issuers; a properly equipped sensor, for example, could issue a digitally signed credential regarding a sensor reading.
Holder
A holder is an entity that requests VCs from issuers, stores them, and shows proofs of claims from one or more credentials to verifiers when asked (and approved by the holder). Although most of us think of holders as individuals, they can also be businesses employing corporate wallets or entities in the Internet of Things (IoT).
Verifier
A verifier is an entity that verifies a credential to guarantee that it was issued by a competent issuer, that it is tamper-proof, and that it is still valid (not expired or revoked). Verifiers might be a person, a company, or anything else that wants to establish credibility about the subjects of credentials. Verifiers request proofs from holders of one or many claims from one or many VCs. If the holder accepts, the holder responds with proof created from their VCs, which the verifier can verify later.
Workflow
Having the role of the three entities explained, let's continue with the workflow of Verifiable Credentials.
The issuer creates a digitally signed VC and sends it to the holder. Next, the holder creates a verifiable presentation (explained in detail below) from the VCs in his/her possession, in a format that conforms to the W3C specifications, and sends it to the verifier. For verification, as long as the verifier has a sufficient level of trust in the issuer, he/she can decide whether the holder meets the requirements or not. Another scenario is that the holder is the one who initiates the process. In this situation, the holder asks the issuer for information and then sends it to the verifier for verification. Similarly, the verifier can request data from the holder, who then contacts the issuer to have it sent.
In many business transactions, both parties request information from each other. As a result, both parties act as holders and verifiers in a single transaction. Let's take a look at the process a consumer goes through to buy a holiday trip from a travel company:
- The customer wants to know if the travel company has bankruptcy insurance.
- The travel site wants to make sure the customer is over the age of 18.
- The travel site distributes the tickets to the customer after payment is received.
- After the trip, the customer verifies whether they are satisfied with the travel company.
Each of these bits of information can be sent as a VC with the issuing party's digital signature. The process is illustrated below:
Verifiable Presentation
A verifiable presentation is a collection of credentials that you want to share with someone who can verify them. Let's look at an example to help you understand.
Assume a prospective employer requests specific information for a background check:
- Date of your birth
- A proof that you have no criminal record
- Your university degree
- Information about previous jobs
- Drug test results
Each of these certificates is now provided by a separate organization. As a result, the owner (a potential employee) of these credentials can put them all in his/her digital wallet and combine them to produce a verifiable presentation for the verifier.
There are numerous benefits to making a verifiable presentation, including:
- Using zero-knowledge proofs, the holder will be able to disclose only the information that the verifier requires. So, for example, you can prove that you are older than 18 without telling your exact age
- Allows you to share your VCs with different verifiers by combining them in whatever way you wish
- Enables the customer to maintain multiple personas, such as an online gaming persona, a professional persona, and more
- The verifiable presentation is also verifiable, tamper-proof, and authentic since it is made up of VCs.
The three components of verifiable presentations are as follows:
- Metadata, which provides brief information about the presentation
- Different VCs
- Proofs, which are digital signatures of the holders and issuers, are used to validate the authenticity of the verifiable presentation.
Overall, the owner of credentials creates a verifiable presentation, which is a straightforward manner of gathering and collating several VCs to show the holder's claims to a verifier.
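The four verifier checks listed under "Verifiable Credentials" and the three presentation components above can be seen working together in the following sketch. It is an added example, not code from the W3C specification or from any wallet: the DIDs, key registry, revocation set and function names are hypothetical, and the proof encoding (Ed25519 over JSON.stringify) is a simplification standing in for a real W3C proof suite.

```javascript
// Added example: simplified VC/VP verification using Node's built-in crypto.
// Assumption: proofs are Ed25519 signatures over JSON.stringify(object).
const crypto = require('node:crypto');

const sign = (obj, key) =>
  crypto.sign(null, Buffer.from(JSON.stringify(obj)), key).toString('base64');
const checkSig = (obj, sig, key) =>
  crypto.verify(null, Buffer.from(JSON.stringify(obj)), key, Buffer.from(sig, 'base64'));

// Constructed sample parties; the DIDs are hypothetical.
const issuer = crypto.generateKeyPairSync('ed25519');
const holder = crypto.generateKeyPairSync('ed25519');
const trustedKeys = new Map([['did:example:university', issuer.publicKey],
                             ['did:example:alice', holder.publicKey]]);
const revoked = new Set(); // stand-in for the issuer's revocation list

function issue(id, subjectId, claims, expirationDate) {
  const vc = { id, type: ['VerifiableCredential'], issuer: 'did:example:university',
    issuanceDate: '2022-09-29T00:00:00Z', expirationDate,
    credentialSubject: { id: subjectId, ...claims } };
  return { ...vc, proof: sign(vc, issuer.privateKey) };   // issuer's proof
}

function present(vcs, challenge) {
  // Metadata (type, holder, verifier's challenge) + VCs + holder's proof.
  const vp = { type: ['VerifiablePresentation'], holder: 'did:example:alice',
    challenge, verifiableCredential: vcs };
  return { ...vp, proof: sign(vp, holder.privateKey) };
}

// Returns 'ok' or the name of the first failed check.
function verifyPresentation(vp, challenge, now = new Date()) {
  const { proof: vpProof, ...vpBody } = vp;
  for (const vc of vp.verifiableCredential || []) {
    const { proof, ...body } = vc;
    if (!body.issuer || !body.credentialSubject || !proof) return 'bad-format';
    const key = trustedKeys.get(body.issuer);
    if (!key || !checkSig(body, proof, key)) return 'bad-issuer-signature';
    if (new Date(body.expirationDate) <= now) return 'expired';
    if (revoked.has(body.id)) return 'revoked';
    if (body.credentialSubject.id !== vp.holder) return 'holder-is-not-subject';
  }
  // Holder binding: the holder signs over the verifier's fresh challenge,
  // so a captured presentation cannot be replayed to another verifier.
  const holderKey = trustedKeys.get(vp.holder);
  if (vp.challenge !== challenge || !holderKey || !vpProof ||
      !checkSig(vpBody, vpProof, holderKey)) return 'bad-holder-proof';
  return 'ok';
}
```

The presentation is only accepted when every embedded credential passes the issuer-side checks and the outer proof is bound to the challenge the verifier issued for this session.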
Use cases
Now that you know what VCs are, let's look at some of the use cases where they can be applied.
- Travelers' visa validity
- Certificates of health, for example, COVID-19 tests
- Tickets for flights
- Documents issued by the government, such as passports and driver's licenses
- Checking credit ratings before applying for a loan
- Presenting required credentials to open a bank account or set up payments
- Sharing residency status to participate in applicable government programs and more.
That is by no means an exhaustive list; instead, it serves as an example of what you may accomplish with this new and interesting technology.