paint-brush
Understanding the Verifiable Credentials (VCs)by@mickeymaler
1,996 reads
1,996 reads

Understanding the Verifiable Credentials (VCs)

by Mickey MalerApril 28th, 2021
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Verifiable Credentials (VC) are a digital version of our regular plastic ID cards, documents, or diplomas, issued to us by a specific issuer. They are issued and cryptographically signed documents, intended to be understood by computers rather than people. The public key is stored in a blockchain, and upon request, it is handed over in the form of a decentralized identifier document (DID document) to a Verifier. By doing so, the verification party does not come into any direct contact with blockchain.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail

Coins Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Understanding the Verifiable Credentials (VCs)
Mickey Maler HackerNoon profile picture

Article three - An introductory dive into VCs (verifiable credentials)

Verifiable Credentials heavily utilize Decentralized Identifiers to identify people, organizations, and things and to achieve a number of security and privacy-protecting guarantees. They are issued and cryptographically signed documents, intended to be understood by computers rather than people.

Prerequisites

Introduction

Most people nowadays use many forms of identity tokens - for instance, to verify their citizenship, their ability to drive a car, or membership in a gym. Today, these tokens assume the form of plastic cards. Sometimes, these cards can also be gathered in a phone app. However, this still has major drawbacks. The validity of the cards often depends on the issuer, and you cannot use them for other purposes, or in other places. What’s more, the validity is one-sided - the issuer can always revoke the token, and you lose all benefits at any time since you are not in direct control of these credentials.

But consider this: instead of a wallet full of plastic cards, most of which you can use under very specific circumstances and in specific locations, you would have a set of digital credentials, which would work both as your ID, your biometric info, university degree diploma, your club memberships, and more. Today, we often use our email address as a unified credential of sorts, but these are arbitrary and easily breached.

Fortunately, thanks to the blockchain, a far better alternative is on the horizon. Due to the current regulation made against decentralized finance (DeFi), all users on established DeFi platforms will soon need to be identified. This can be achieved by issuing a “virtual ID card with multiple uses”, in the form of Verifiable Credentials (VC).

Verifiable credentials

Verifiable Credentials (VC) are a digital version of our regular plastic identification cards, documents, or diplomas, issued to us by a specific issuer. A University diploma or a student ID card could be an example of such a VC that creates a verifiable link between the university and you, where the university acts as the issuer. Each instance of VC is kept off-chain, stored on a user device or possibly in the cloud, but always under its control.VC often includes standard user information such as Name, Address, a degree, and also the Decentralized Identifier DID of the Issuer.

DID is a new globally unique identifier format that is:

  • Resolvable with high availability
  • Cryptographically verifiable
  • Typically associated with cryptographic material, such as public keys and service endpoints.

The issuer of a VC signs it with their private key. The signing process declares they issued it. . The public key is stored in a blockchain, and upon request, it is handed over in the form of a decentralized identifier document (DID document) to a Verifier. A DID document is a tiny JSON file that a blockchain company hands over to the company requesting the verification. By doing so, the verification party does not come into any direct contact with blockchain.

To date, the community around Verifiable Credentials has not extensively explored use-cases related to crypto-wallets.

When you present your VC to somebody for verification, a terminal that wants to handle this verification looks up the DID of the issuer (usually on a blockchain) to find the public key in the DID Document. It could be possible for the owner of a wallet address to ask an issuer to issue a VC to them with their wallet address in it - along with identity proofing information like their name, date of birth, etc. 

On the LTO Network blockchain, the Identity node is handling a process of providing the information in the form of a DID document. The identity node will give information on a DID on LTO Network in the form of a DID document. The DID document contains the public key, which is required to verify the address owner's signature. The blockchain address, which is a part of the DID part on any VC, is generated from the public key using a hashing function. Hashing is a one-way function; it's not possible to extract the public key from an address. That way, the user's privacy is respected, and the identity can still be verified.

VC summarization

A user identifier that is:

    • In digital form
    • A property of its owner that is stored in a wallet
    • Representing user ID, diploma, and many others

The current challenges

Currently, however, there is no standard mechanism for issuing universally acceptable digital cards or credentials but that's what the Verifiable Credential standard is attempting to be. Therefore, we need Verifiable credentials anchored to link secrets that individuals can own, independent of any entity, organization, or institution. These days, we use email addresses and phone numbers as identifiers to access websites and apps, but our access to these identifiers and our personal information is at the mercy of service providers, who can revoke them at any time. Decentralized Identifiers that are created by people can contain persistent end-points listed they control and can update without dependence on a service provider.

Secondly, there are no universally accepted standards for expressing, exchanging, and verifying digital credentials across organizational boundaries. With Verifiable Credentials, this all is about to change in the near future and LTO Network will play its role in it.

VC benefits over classical plastic federated identifiers

The vast majority of these globally unique identifiers are not under our control. They are issued by external authorities that decide who or what they identify and when they can be revoked. They are useful only in certain contexts and recognized only by certain bodies, not of our choosing. They might disappear or cease to be valid with the failure of an organization. They might unnecessarily reveal personal information. In many cases, they can be fraudulently replicated and asserted by a malicious third party, which is more commonly known as "identity theft".Since the generation and assertion of Decentralized Identifiers is entity-controlled, each entity can have as many DIDs as necessary to maintain their desired separation of identities, personas, and interactions. The use of these identifiers can be scoped appropriately to different contexts. They support interactions with other people, institutions, or systems that require entities to identify themselves, or things they control, while providing control over how much personal or private data should be revealed, all without depending on a central authority to guarantee the continued existence of the identifier. Within the community working on Verifiable Credentials, they are leveraging cryptography to create a way for individuals to prove multiple credentials from multiple verifiers were issued to them via a blinded link secret that they are all anchored to (this is not a DID on a blockchain).

* Read the complete list of Design Goals here.


User-oriented description with an example

A new form of digital identity based on emerging standards such as Verifiable Credentials and Decentralized Identifiers can enable such digital credentials to work everywhere, which also means in DeFi, be also more trustworthy while still respecting user's privacy. Everything starts with a new digital wallet that empowers its owner to own and control credentials. This wallet can be represented by a mobile phone application. Since it is not tied to any one organization, authoritative sources can confidently issue standards-based credentials to a user. When a user presents these credentials, websites, apps, and dApps can check that they are valid, for example, with a bank where the user is registered and authenticated as a customer, and then grant access accordingly. While this process may be more straightforward, how do we know it's trustworthy?

It is thanks to the DIDs that leverage proven cryptographic systems.  DIDs connect a real-world identity to an associated public address and hold the information about the public key. Note that DIDs contain no personal information. Afterwards, the user can present their digital Verifiable Credentials in communications with another bank, use them in a real estate office, or any other vendors. The credentials would in turn prove the user’s identity, the association with a specific bank, and also an available claim for money stored in the bank that could be used for a property purchase. Similarly, a student can present their digital student ID, Verifiable Credentials, in a bookstore that provides a 20% discount to students. Before granting a discount to the student, the bookstore can confirm by checking the distributed ledger for proof that the university issued the card to this student, and also confirm whether the card is still valid. Since this is a challenge-response verification, the bookstore needs to communicate with the app of the student. This operation is solved using a protocol called DIDComm that can operate on any number of transport mechanisms including Bluetooth or NFC. When using QR codes, to connect their phone with the bookstore system, the student’s app would scan a QR code of the bookstore and send the verifiable presentation afterward. With a solution like this, we could all digitally present and authenticate a set of verifiable credentials, just like we are doing with physical cards.

VC as the JSON or JSON-LD file

VCs are human and computer-readable entities, written as simple JSON files. The example below uses two types of identifiers. The first identifier is for the verifiable credentials and uses an HTTP-based Uniform Resource Locator (URL). The second identifier is for the subject of the verifiable credentials (the thing the claims are about) and uses DID.

Example - Bachelor of Science and Arts diploma
------------------------------------------------------------------------------------------------------------{

// set the context, which establishes the special terms a user will use, such as ‘issuer’

// @context literally states what type of JSON we are dealing with - Credentials

"@context": [

"https://www.w3.org/2018/credentials/v1",

"https://www.w3.org/2018/credentials/examples/v1"

],

// specify the identifier for the credential

"id": "http://example.edu/credentials/3732",

"type": ["VerifiableCredential", "UniversityDegreeCredential"],

// the identity that issued the credential - a university of some sort

"issuer": "https://example.edu/issuers/565049",

// when the credential was issued

"issuanceDate": "2010-01-01T19:73:24Z",

// claims about the subject of the credential

"credentialSubject": {

"id": "did:example:ebfeb1f712ebc6f1c276e12ec21",

"degree": {

"type": "BachelorDegree",

"name": "Bachelor of Science and Arts"

}

},

"proof": {  }

}
-----------------------------------------------------------------------------------------------------------

Integration

Cybersecurity-oriented providers of digital wallets, such as Sphereon from the Netherlands, could allow users to create their wallets and integrate them for the target solution.

Combination of public event chain and private settlement chain, such as LTO Network hybrid blockchain, creates a cornerstone for building up a blockchain solution for VC and DID, on the top of which companies and industries could create trust networks, like for example, a hierarchal chain of trust or trust endorsement model called web of trust.

The last piece to this puzzle would be a provider of tamperproof blockchain oracles, such as ChainLink, which would keep the data updated.

Associations can be used to specify a relationship between accounts on LTO Network. By using associations with cross-chain DIDs, relationships between accounts on different blockchains, such as Bitcoin, Ethereum, NEO, can be established on LTO Network. LTO Network is partnering with Chainlink to make this information available for smart contracts through its decentralized oracle network. For example, an organization could add associations to establish an account belonging to an accredited partner. In this example, the accredited partners are allowed to certify businesses. With the use of Chainlink, it's possible to create a smart contract that can only be used by these certified businesses.

Why is Blockchain a good solution?

Traditionally, electronic security focuses on authorization, authentication, and access control. These mechanics are intended to keep unauthorized users from accessing or modifying data. However, when it comes to authorized access, either on the application or system level, it does not provide any protection. Blockchain enables tamper resistance for data through distribution over many systems that are run and managed by independent parties. This is ensured by the architecture of the blockchain, where every piece of data has thousands of globally distributed copies. A potential attacker intent on breaching the certificate would have to compromise the majority of the data distribution at the same time, which is extremely hard, expensive, and with a well-designed blockchain almost impossible.

Final thoughts

Verifiable credentials do not depend on DIDs and DIDs do not depend on verifiable credentials. However, it is expected that many verifiable credentials will use DIDs and that software libraries implementing this specification will probably need to resolve DIDs. DID-based URLs are used for expressing identifiers associated with issuers, credential status lists, cryptographic keys, and other machine-readable information associated with them.

Additional reading