Verifiable credentials

Last updated
The holder of a verifiable credential operates in a triangle of trust, mediating between issuer and verifier. The issuer and holder trust each other, the holder trusts the verifier, and the verifier trusts the issuer. Any role in the triangle can be played by a person, an institution, or an IoT device. VC triangle of Trust.svg
The holder of a verifiable credential operates in a triangle of trust, mediating between issuer and verifier. The issuer and holder trust each other, the holder trusts the verifier, and the verifier trusts the issuer. Any role in the triangle can be played by a person, an institution, or an IoT device.

Verifiable credentials (VCs) are digital credentials which follow the relevant World Wide Web Consortium open standards. They can represent information found in physical credentials, such as a passport or license, as well as new things that have no physical equivalent, such as ownership of a bank account. They have numerous advantages over physical credentials, most notably that they're digitally signed, which makes them tamper-resistant and instantaneously verifiable. [1] [2]

Contents

Verifiable credentials can be issued by anyone, about anything, and can be presented to and verified by everyone. The entity that generates the credential is called the Issuer. The credential is then given to the Holder who stores it for later use. The Holder can then prove something about themselves by presenting their credentials to a Verifier.

Trust model

The holder of a verifiable credential operates in a triangle of trust, [3] mediating between issuer and verifier.

Any role in the triangle can be played by a person, an institution, or a machine.

Note that because verifiable credentials can be created by anyone, the verifier decides if they trust the issuer.

Decentralization

The VC model places the holder of a credential at the center of the identity ecosystem, giving individuals control of their identity attributes. The W3C VC model parallels physical credentials: the user holds cards and can present them to anyone at any time without informing or requiring the permission of the card issuer. Such a model is decentralized and gives much more autonomy and privacy to the participants. This contrasts with the federated identity management (FIM) model, as adopted by SAML and OpenID Connect, which place the identity provider (IdP) in the central role as the dispenser of identity attributes and the determiner of which Service Providers (SPs) it will give them to. In the federated model, the IdP knows every SP that the user visits.

Verifiable Credentials Data Model 1.0

The data model for verifiable credentials is a World Wide Web Consortium (W3C) Recommendation, "Verifiable Credentials Data Model 1.0 - Expressing verifiable information on the Web", published 19 November 2019. [4]

Composition

Verifiable Credentials may be expressed using JSON and is typically composed of:

{"verifiableCredential":{"@context":["https://www.w3.org/2018/credentials/v1","https://www.w3.org/2018/credentials/examples/v1"],"id":"0892f680-6aeb-11eb-9bcf-f10d8993fde7","type":["VerifiableCredential","UniversityDegreeCredential"],"issuer":{"id":"did:example:76e12ec712ebc6f1c221ebfeb1f","name":"Acme University"},"issuanceDate":"2021-05-11T23:09:06.803Z","credentialSubject":{"id":"did:example:ebfeb1f712ebc6f1c276e12ec21","degree":{"type":"BachelorDegree","name":"Bachelor of Science"}},"proof":{"type":"Ed25519Signature2018","created":"2021-05-17T15:25:26Z","jws":"eyJhbGciOiJFZERTQYjY0Il19..nlcAA","proofPurpose":"assertionMethod","verificationMethod":"https://pathToIssuerPublicKey"}}}

Aliases

The VC context, defined using the @context JSON property, is a JSON-LD construct that allows user friendly terms to be used for JSON properties. According to the VC data model, the value of many properties must be a URI. Whilst these are globally unambiguous, (important for a global data model), they are not user-friendly. Consequently, the @context property allows short-form, user-friendly aliases to be defined for each URI. This makes it much easier, and more user-friendly, to specify VCs. An example is given below.

{"@context":["https://www.w3.org/2018/credentials/v1","https://www.w3.org/2018/credentials/examples/v1"],"id":"http://example.edu/credentials/3732","type":["VerifiableCredential","UniversityDegreeCredential"],"issuer":"https://example.edu/issuers/14","issuanceDate":"2010-01-01T19:23:24Z","expirationDate":"2020-01-01T19:23:24Z","credentialSubject":{"id":"did:example:ebfeb1f712ebc6f1c276e12ec21","degree":{"type":"BachelorDegree","name":"Bachelor of Science and Arts"}},"proof":{}}

W3C VCs are extensible. Any new property can be added to VCs, as determined by the issuer. Standard properties have been defined specifically as extension points. These include the following:

Subject

The holder of a VC does not always have to be the subject of the credential. It is expected that most users will hold their own VCs, i.e., the holder and the subject will be the same entity. This need not always be the case. For example, when the VC subject is an infant, and the VC is a birth certificate, the holder may be one or both parents. [5]

Proofs

No proof mechanism is standardized but the data model is flexible enough to support various existing cryptographic mechanisms, such as digital signatures. Proof mechanisms that are in use include: JSON Web Tokens with JSON Web Signatures, JSON-LD proofs, and zero-knowledge proofs using schemes such as IBM's anonymous credentials.

Transport

Various protocols are specified for carrying VCs from the issuer/IdP to the holder, and the holder to the verifier. Examples include:

None of these protocols has become standardized. Many people who are experimenting with VCs use HTTPS to carry VCs between the various parties.

Criticisms and concerns

The security of verifiable credentials in the context of COVID-19 vaccination and test certificates has been questioned. [9] [10] Verifiable credentials have also been subject to usability concerns. [11]

Some have likened anyone being able to issue a verifiable credential being like a shop clerk deciding if they should accept an out-of-state license as proof of age when purchasing alcohol.

See also

Related Research Articles

The Resource Description Framework (RDF) is a World Wide Web Consortium (W3C) standard originally designed as a data model for metadata. It has come to be used as a general method for description and exchange of graph data. RDF provides a variety of syntax notations and data serialization formats, with Turtle currently being the most widely used notation.

A credential is a piece of any document that details a qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so.

A credential service provider (CSP) is a trusted entity that issues security tokens or electronic credentials to subscribers. A CSP forms part of an authentication system, most typically identified as a separate entity in a Federated authentication system. A CSP may be an independent third party, or may issue credentials for its own use. The term CSP is used frequently in the context of the US government's eGov and e-authentication initiatives. An example of a CSP would be an online site whose primary purpose may be, for example, internet banking - but whose users may be subsequently authenticated to other sites, applications or services without further action on their part.

Digital credentials are the digital equivalent of paper-based credentials. Just as a paper-based credential could be a passport, a driver's license, a membership certificate or some kind of ticket to obtain some service, such as a cinema ticket or a public transport ticket, a digital credential is a proof of qualification, competence, or clearance that is attached to a person. Also, digital credentials prove something about their owner. Both types of credentials may contain personal information such as the person's name, birthplace, birthdate, and/or biometric information such as a picture or a finger print.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization identities between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user. SAML 2.0 was ratified as an OASIS Standard in March 2005, replacing SAML 1.1. The critical aspects of SAML 2.0 are covered in detail in the official documents SAMLCore, SAMLBind, SAMLProf, and SAMLMeta.

Privacy-enhancing technologies (PET) are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals. PETs allow online users to protect the privacy of their personally identifiable information (PII), which is often provided to and handled by services or applications. PETs use techniques to minimize an information system's possession of personal data without losing functionality. Generally speaking, PETs can be categorized as either hard or soft privacy technologies.

Identity assurance in the context of federated identity management is the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity with which it interacts to effect a transaction, can be trusted to actually belong to the entity.

WebID is a method for internet services and members to know who they are communicating with. The WebID specifications define a set of editor's drafts to prepare the process of standardization for identity, identification and authentication on HTTP-based networks. WebID-based protocols offer a new way to log into internet services. Instead of using a password, for example, the member refers to another web address which can vouch for it. WebID is not a specific service or product.

Multimodal Architecture and Interfaces is an open standard developed by the World Wide Web Consortium since 2005. It was published as a Recommendation of the W3C on October 25, 2012. The document is a technical report specifying a multimodal system architecture and its generic interfaces to facilitate integration and multimodal interaction management in a computer system. It has been developed by the W3C's Multimodal Interaction Working Group.

JSON-LD is a method of encoding linked data using JSON. One goal for JSON-LD was to require as little effort as possible from developers to transform their existing JSON to JSON-LD. JSON-LD allows data to be serialized in a way that is similar to traditional JSON. It was initially developed by the JSON for Linking Data Community Group before being transferred to the RDF Working Group for review, improvement, and standardization, and is currently maintained by the JSON-LD Working Group. JSON-LD is a World Wide Web Consortium Recommendation.

Hyperledger is an umbrella project of open source blockchains and related tools that the Linux Foundation started in December 2015. IBM, Intel, and SAP Ariba have contributed to support the collaborative development of blockchain-based distributed ledgers. It was renamed the Hyperledger Foundation in October 2021.

Linked Data Notifications (LDN) is a W3C Recommendation that describes a communications protocol based on HTTP, URI, and RDF on how servers (receivers) can receive messages pushed to them by applications (senders), as well as how other applications (consumers) may retrieve those messages. Any web resource can advertise a receiving endpoint (inbox) for notification messages. Messages are expressed in RDF, and can contain arbitrary data.

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials are sometimes referred to as passkeys.

Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI).

In computer security, macaroons are authorization credentials that support decentralized delegation between principals.

<span class="mw-page-title-main">Thing Description</span>

The Thing Description (TD) (or W3C WoT Thing Description (TD)) is a royalty-free, open information model with a JSON based representation format for the Internet of Things (IoT). A TD provides a unified way to describe the capabilities of an IoT device or service with its offered data model and functions, protocol usage, and further metadata. Using Thing Descriptions help reduce the complexity of integrating IoT devices and their capabilities into IoT applications.

<span class="mw-page-title-main">Decentralized identifier</span> Verifiable digital identity technology

Decentralized identifiers (DIDs) are a type of globally unique identifier that enables an entity to be identified in a manner that is verifiable, persistent, and does not require the use of a centralized registry. DIDs enable a new model of decentralized digital identity that is often referred to as self-sovereign identity or decentralized identity. They are an important component of decentralized web applications.

<span class="mw-page-title-main">Self-sovereign identity</span> Type of digital identity

Self-sovereign identity (SSI) is an approach to digital identity that gives individuals control over the information they use to prove who they are to websites, services, and applications across the web. Without SSI, individuals with persistent accounts (identities) across the internet must rely on a number of large identity providers, such as Facebook and Google, that have control of the information associated with their identity. If a user chooses not to use a large identity provider, then they have to create new accounts with each service provider, which fragments their web experiences. Self-sovereign identity offers a way to avoid these two undesirable alternatives. In a self-sovereign identity system, the user accesses services in a streamlined and secure manner, while maintaining control over the information associated with their identity.

Proof of personhood (PoP) is a means of resisting malicious attacks on peer to peer networks, particularly, attacks that utilize multiple fake identities, otherwise known as a Sybil attack. Decentralized online platforms are particularly vulnerable to such attacks by their very nature, as notionally democratic and responsive to large voting blocks. In PoP, each unique human participant obtains one equal unit of voting power, and any associated rewards.

References

  1. "An Introduction to Verifiable Credentials". verifiablecredential.io.[ dead link ]
  2. "What are Verifiable Credentials? | Decentralized Identity Developer Docs". didproject.azurewebsites.net.
  3. "A Gentle Introduction to Verifiable Credentials". www.evernym.com.[ dead link ]
  4. "Verifiable Credentials Data Model 1.0". www.w3.org. Retrieved 2019-11-05.
  5. "On Guardianship In Self-Sovereign Identity" (PDF). www.sovrin.org. Retrieved 2021-11-05.
  6. Khateev, Nikita. "Aries RFC 0036: Issue Credential Protocol 1.0". Github - Hyperledger Aries Project. Hyperledger. Retrieved 5 November 2019.
  7. Khateev, Nikita. "Aries RFC 0037: Present Proof Protocol 1.0". Github - Hyperledger Aries Project. Hyperledger. Retrieved 5 November 2019.
  8. Chadwick, David W.; Laborde, Romain; Oglaza, Arnaud; Venant, Remi; Wazan, Ahmad Samer; Nijjar, Manreet (2019-12-31). "Improved Identity Management with Verifiable Credentials and FIDO". IEEE Communications Standards Magazine. 3 (4): 14–20. doi:10.1109/MCOMSTD.001.1900020. ISSN   2471-2825. S2CID   212706653.
  9. "By embracing blockchain, a California bill takes the wrong step forward". blog.mozilla.org. 6 August 2020.
  10. Halpin, Harry (2020). "Vision: A Critique of Immunity Passports and W3C Decentralized Identifiers". arXiv: 2012.00136 [cs.CR].
  11. Brunner, Clemens; Gallersdörfer, Ulrich; Knirsch, Fabian; Engel, Dominik; Matthes, Florian (2020). "DID and VC:Untangling Decentralized Identifiers and Verifiable Credentials for the Web of Trust". 2020 the 3rd International Conference on Blockchain Technology and Applications. pp. 61–66. doi:10.1145/3446983.3446992. ISBN   9781450388962. S2CID   232291138.