Understanding the Verifiable Credentials
// Article three - An introductory dive into VCs
Verifiable Credentials heavily utilize Decentralized Identifiers to identify people, organizations, and things and to achieve a number of security and privacy-protecting guarantees. They are issued and cryptographically signed documents, intended to be understood by computers rather than people.
Introduction
Most people nowadays use many forms of identity tokens - for instance, to verify their citizenship, their ability to drive a car, or membership in a gym. Today, these tokens take the form of plastic cards. Sometimes, these cards can also be gathered in a phone app. However, this still has major drawbacks. The validity of the cards often depends on the issuer, and you cannot use them for other purposes, or in other places. What’s more, the validity is one-sided - the issuer can always revoke the token, and you can lose all benefits at any time since you are not in direct control of these credentials.
But consider this: instead of a wallet full of plastic cards, most of which you can use under very specific circumstances and in specific locations, you would have a set of digital credentials, which would work both as your ID, your biometric info, university degree diploma, your club memberships, and more.
Today, we often use our email address as a unified credential of sorts, but these are arbitrary and easily breached. Fortunately, thanks to the blockchain, a far better alternative is on the horizon.
Due to the current regulation made against decentralized finance (DeFi), all users on established DeFi platforms will soon need to be identified. This can be achieved by issuing a “virtual ID card with multiple uses”, in the form of Verifiable Credentials (VC).
Verifiable credentials
Verifiable Credentials (VC) are a digital version of our regular plastic identification cards, documents, or diplomas, issued to us by a specific issuer. A university diploma or a student ID card could be an example of such a VC that creates a verifiable link between the university and you, where the university acts as the issuer. Each instance of a VC is kept off-chain, stored on a user device or possibly in the cloud, but always under the user's control.
A VC includes standard user information such as name and address, and also the Decentralized Identifier (DID), whose purpose is to connect a real-world identity to a user's public address and its public key, verifiable on any blockchain. A DID is a new globally unique identifier format that is:
- Resolvable with high availability
- Cryptographically verifiable
- Typically associated with cryptographic material, such as public keys and service endpoints.
A user signs their VC with their private key. The signing process declares that only the owner of the associated key pair can use the VC.
The same key is stored in a blockchain, and upon request, it is handed over in the form of a decentralized identifier document (DID document). A DID document is a tiny JSON file that a blockchain company hands over to the company requesting the verification. By doing so, the verification party does not come into any direct contact with blockchain.
When you present your VC to somebody for verification, a terminal that wants to handle this verification sends a request to a company that is responsible for storing user public key information on a blockchain. The company then provides the requested information in the form of the DID document, and the resolved public address from the VC is compared to its associated public key.
On the LTO Network blockchain, the identity node handles this process: it provides the information on a DID on LTO Network in the form of a DID document. The DID document contains the public key, which is required to verify the address owner's signature. The blockchain address, which is part of the DID on any VC, is generated from the public key using a hashing function. Hashing is a one-way function; it's not possible to extract the public key from an address. That way, the user's privacy is respected, and the identity can still be verified.
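The address check described above, sketched as an added example (not LTO Network's code): a verifier recomputes the address from the public key in the resolved DID document, so a document served with a substituted key is rejected. The hash scheme, the `did:example` method, the simplified document shape with `publicKeyHex`, and all function names are assumptions made for illustration.

```python
import hashlib

def address_from_public_key(public_key: bytes) -> str:
    # Assumption: toy scheme, first 20 bytes of SHA-256 as hex. A real network
    # defines its own hash function and address encoding.
    return hashlib.sha256(public_key).digest()[:20].hex()

def public_key_for(did: str, did_document: dict) -> bytes:
    """Return the key from a resolved DID document only if it is bound to the DID."""
    if did_document.get("id") != did:
        raise ValueError("document describes a different DID")
    methods = did_document.get("verificationMethod") or []
    if not methods:
        raise ValueError("document carries no public key")
    try:
        public_key = bytes.fromhex(methods[0]["publicKeyHex"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("public key is missing or not hex") from None
    address = did.rsplit(":", 1)[-1]
    if address_from_public_key(public_key) != address:
        raise ValueError("public key does not hash to the address in the DID")
    return public_key

# Constructed sample data: neither key belongs to a real identity.
HOLDER_KEY = bytes.fromhex("11" * 32)
OTHER_KEY = bytes.fromhex("22" * 32)
HOLDER_DID = "did:example:" + address_from_public_key(HOLDER_KEY)

def document(did: str, key: bytes) -> dict:
    # Simplified document shape, assumed for this example.
    return {"id": did, "verificationMethod": [{"publicKeyHex": key.hex()}]}

def is_bound(did: str, did_document: dict) -> bool:
    try:
        public_key_for(did, did_document)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(is_bound(HOLDER_DID, document(HOLDER_DID, HOLDER_KEY)))  # genuine
    print(is_bound(HOLDER_DID, document(HOLDER_DID, OTHER_KEY)))   # key swapped
```

Only after this binding holds is the returned key used to verify the holder's signature, which is left to a signature library.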
VC summarization
A user identifier that is:
- In digital form
- Able to communicate with a decentralized ledger
- A property of its owner that is stored in a wallet
- Carrying the DID data string that pairs the user’s public address with the user’s public key stored on a blockchain
- Representing user ID, diploma, and many others
The current challenges
Currently, however, there is no standard mechanism for issuing universally acceptable digital cards or credentials. Therefore, we need Verifiable credentials with Decentralized identifiers that individuals can own, independent of any entity, organization, or institution.
These days, we use email addresses and phone numbers as identifiers to access websites and apps, but our access to these identifiers and our personal information is at the mercy of service providers, who can revoke them at any time. Secondly, there are no universally accepted standards for expressing, exchanging, and verifying digital credentials across organizational boundaries.
This is all about to change in the near future and LTO Network will play its role in it.
VC benefits over classical plastic federal identifiers
The vast majority of these globally unique identifiers are not under our control. They are issued by external authorities that decide who or what they identify and when they can be revoked. They are useful only in certain contexts and recognized only by certain bodies, not of our choosing. They might disappear or cease to be valid with the failure of an organization. They might unnecessarily reveal personal information. In many cases, they can be fraudulently replicated and asserted by a malicious third party, which is more commonly known as "identity theft".
Since the generation and assertion of Decentralized Identifiers is entity-controlled, each entity can have as many DIDs as necessary to maintain their desired separation of identities, personas, and interactions. The use of these identifiers can be scoped appropriately to different contexts. They support interactions with other people, institutions, or systems that require entities to identify themselves, or things they control, while providing control over how much personal or private data should be revealed, all without depending on a central authority to guarantee the continued existence of the identifier.
* Read the complete list of Design Goals here.
User-oriented description with an example
A new form of digital identity based on emerging standards such as Verifiable Credentials and Decentralized Identifiers can enable such digital credentials to work everywhere, including in DeFi, and to be more trustworthy while still respecting the user's privacy.
Everything starts with a new digital wallet that empowers its owner to own and control credentials. This wallet can be represented by a mobile phone application. Since it is not tied to any one organization, authoritative sources can confidently issue standards-based credentials to a user. When a user presents these credentials, websites, apps, and dApps can check that they are valid, for example, with a bank where the user is registered and authenticated as a customer, and then grant access accordingly.
While this process may be more straightforward, how do we know it's trustworthy?
It is thanks to the DIDs that leverage proven cryptographic systems. DIDs connect a real-world identity to an associated public address and hold the information about the public key. Note that DIDs contain no personal information.
Afterwards, the user can present their digital Verifiable Credentials in communications with another bank, use them in a real estate office, or any other vendors. The credentials would in turn prove the user’s identity, the association with a specific bank, and also an available claim for money stored in the bank that could be used for a property purchase.
Similarly, a student can present their digital student ID, a Verifiable Credential, in a bookstore that provides a 20% discount to students. Before granting a discount to the student, the bookstore can confirm by checking the distributed ledger for proof that the university issued the card to this student, and also confirm whether the card is still valid. Since this is a challenge-response verification, the bookstore needs to communicate with the student's app. This is done over Bluetooth or NFC. When using QR codes to connect their phone with the bookstore system, the student’s app would scan a QR code of the bookstore and send the verifiable credential afterward.
With a solution like this, we could all digitally present and authenticate a set of verifiable credentials, just like we are doing with physical cards. The VC can also easily be revoked by its owner with a simple click, just as we would put the physical card back in our wallet or tear it into pieces. The process of revoking a VC can be temporary, or it can be permanent.
VC as the JSON file
VCs are human and computer-readable entities, written as simple JSON files.
The example below uses two types of identifiers. The first identifier is for the verifiable credentials and uses an HTTP-based Uniform Resource Locator (URL). The second identifier is for the subject of the verifiable credentials (the thing the claims are about) and uses DID.
.Example - Bachelor of Science and Arts diploma
------------------------------------------------------------
{
  // the // lines are annotations for the reader; strict JSON parsers reject them
  // set the context, which establishes the special terms a user will use, such as 'issuer'
  // @context literally states what type of JSON we are dealing with - Credentials
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  // specify the identifier for the credential
  "id": "http://example.edu/credentials/3732",
  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
  // the identity that issued the credential - a university of some sort
  "issuer": "https://example.edu/issuers/565049",
  // when the credential was issued
  "issuanceDate": "2010-01-01T19:23:24Z",
  // claims about the subject of the credential
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  },
  "proof": { }
}
------------------------------------------------------------
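Structural checks a verifier can run on a credential of this shape before any signature verification, as an added example that is not part of the original article. The function name, the accepted timestamp form, the policy that the subject must be a DID, and the placeholder proof values are assumptions; the samples are constructed.

```python
import json
from datetime import datetime

V1_CONTEXT = "https://www.w3.org/2018/credentials/v1"

def precheck_credential(raw: str) -> list:
    """Return the names of fields that fail structural checks."""
    vc = json.loads(raw)  # strict JSON: '//' annotations are rejected here
    problems = []
    ctx = vc.get("@context")
    if not (isinstance(ctx, list) and ctx and ctx[0] == V1_CONTEXT):
        problems.append("@context")
    types = vc.get("type")
    if not (isinstance(types, list) and "VerifiableCredential" in types):
        problems.append("type")
    issuer = vc.get("issuer")
    issuer_id = issuer.get("id") if isinstance(issuer, dict) else issuer
    if not (isinstance(issuer_id, str) and issuer_id):
        problems.append("issuer")
    try:
        # Assumption: only the UTC 'Z' form used on this page is accepted.
        datetime.strptime(str(vc.get("issuanceDate")), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        problems.append("issuanceDate")
    subject = vc.get("credentialSubject")
    subject_id = subject.get("id") if isinstance(subject, dict) else None
    parts = subject_id.split(":", 2) if isinstance(subject_id, str) else []
    # Assumption: this verifier's policy requires the subject to be a DID.
    if not (len(parts) == 3 and parts[0] == "did" and parts[1] and parts[2]):
        problems.append("credentialSubject.id")
    proof = vc.get("proof")
    if not (isinstance(proof, dict) and proof.get("type")):
        problems.append("proof")  # an empty proof object cannot be verified
    return problems

# Constructed samples modelled on the diploma above; proof values are placeholders.
SAMPLE = {
    "@context": [V1_CONTEXT, "https://www.w3.org/2018/credentials/examples/v1"],
    "id": "http://example.edu/credentials/3732",
    "type": ["VerifiableCredential", "UniversityDegreeCredential"],
    "issuer": "https://example.edu/issuers/565049",
    "issuanceDate": "2010-01-01T19:23:24Z",
    "credentialSubject": {"id": "did:example:ebfeb1f712ebc6f1c276e12ec21"},
    "proof": {"type": "PlaceholderSignature", "proofValue": "placeholder"},
}
GOOD = json.dumps(SAMPLE)
BAD = json.dumps({**SAMPLE, "issuanceDate": "2010-01-01T19:73:24Z", "proof": {}})

if __name__ == "__main__":
    print(precheck_credential(GOOD), precheck_credential(BAD))
```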
Integration
Cybersecurity-oriented providers of digital wallets, such as Sphereon from the Netherlands, could allow users to create their wallets and integrate them for the target solution. A combination of a public event chain and a private settlement chain, such as the LTO Network hybrid blockchain, creates a cornerstone for building up a blockchain solution for VC and DID, on top of which companies and industries could create trust networks, for example a hierarchical chain of trust or a trust endorsement model called web of trust. The last piece of this puzzle would be a provider of tamperproof blockchain oracles, such as Chainlink, which would keep the data updated.
Associations can be used to specify a relationship between accounts on LTO Network. By using associations with cross-chain DIDs, relationships between accounts on different blockchains, such as Bitcoin, Ethereum, NEO, can be established on LTO Network. LTO Network is partnering with Chainlink to make this information available for smart contracts through its decentralized oracle network. For example, an organization could add associations to establish an account belonging to an accredited partner. In this example, the accredited partners are allowed to certify businesses. With the use of Chainlink, it's possible to create a smart contract that can only be used by these certified businesses.
Why is Blockchain a good solution?
Traditionally, electronic security focuses on authorization, authentication, and access control. These mechanisms are intended to keep unauthorized users from accessing or modifying data. However, when it comes to authorized access, either on the application or system level, they do not provide any protection. Blockchain enables tamper resistance for data through distribution over many systems that are run and managed by independent parties. This is ensured by the architecture of the blockchain, where every piece of data has thousands of globally distributed copies. A potential attacker intent on breaching the certificate would have to compromise the majority of the data distribution at the same time, which is extremely hard, expensive, and with a well-designed blockchain almost impossible.
Final thoughts
Verifiable credentials do not depend on DIDs and DIDs do not depend on verifiable credentials. However, it is expected that many verifiable credentials will use DIDs and that software libraries implementing this specification will probably need to resolve DIDs. DID-based URLs are used for expressing identifiers associated with subjects, issuers, holders, credential status lists, cryptographic keys, and other machine-readable information associated with a verifiable credential.