Verifiable Credentials - Your Digital Proof
Continuing to build the technical background needed for future articles: in the last post we explored Decentralized IDs, the base on which we will build additional capabilities.
In the first post on the Identity Framework, I touched on some aspects of Verifiable Credentials, in which Issuers, Subjects/Holders and Verifiers interact through processes for creating, presenting, requesting and verifying digital credentials.
Physical World Credentials
Society recognizes the driving license as asserting driving capability, the university degree as asserting educational qualification, the passport as asserting citizenship when crossing borders, the employment ID as asserting the privileges and access rights an employee is entitled to, and so on.
These physical credentials are printed on plastic, metal or paper and embedded in a chip that displays/stores the subject's details as properties or attributes. As humans, we can recognize them quickly and know where and in which situations we can use them.
Physical credentials have specific issues and limitations, including:
can be faked,
can be stolen,
can be damaged,
holders can misuse or take advantage of subjects’ credentials,
reveal more information about a subject than needed.
Core Data Model
Directly digitizing physical credentials is not workable because their problems worsen in the digital world (they are easily copied and transferred). Therefore, W3C has developed the Verifiable Credentials specification 1.0 to build a core data model that addresses the above issues. The following sections outline the core concepts: claims, credentials and presentations.
Claim
A claim is a statement about a subject, expressed using a subject-property-value relationship.
Individual claims can be merged to express a graph of information about a subject. These claims need to be combined with cryptographic proof to make them trustworthy.
Verifiable Credentials
A credential is a set of one or more tamper-evident claims made by the same entity. Credentials may have an identifier and metadata properties that are signed by the issuer using cryptography. The following is a layout of a verifiable credential.
The credentials are structured using a JSON format that is human-readable; however, a machine cannot understand the meaning behind those strings and numbers on its own. The JSON keys are given meaning by defining schema information and embedding it as a reference in the context property (the context of the machine conversation) of the JSON object. The whole JSON object is later encoded using JSON-Linked Data (JSON-LD) to store, present and verify the credential. Below is an example of how it looks.
Elaborating on interesting items:
A list of contexts with the main credential context and the AlumniCredential context,
The first id is a URL pointing to a unique id associated with the alumni credential, and the second id belongs to the subject of the credential,
The specification describes two proof mechanisms but leaves the choice to implementors:
External proof - JWT (JSON Web Token) / JWS (JSON Web Signature)
Embedded proof - the proof is included in the data as Linked Data
Keep in mind that some of these specs are still in draft and not yet approved.
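The items above translate into checks a verifier can run before it looks at the signature. The following is an added example, not code from the original post or from the W3C specification: the sample credential, its URLs and DID, and the function name check_credential are constructed for illustration, and the proof value is a placeholder that is not cryptographically verified here.

```python
from datetime import datetime, timezone

BASE_CONTEXT = "https://www.w3.org/2018/credentials/v1"  # VC data model 1.0

# Constructed sample modelled on the alumni credential described above.
SAMPLE_VC = {
    "@context": [BASE_CONTEXT, "https://www.w3.org/2018/credentials/examples/v1"],
    "id": "https://example.edu/credentials/1872",
    "type": ["VerifiableCredential", "AlumniCredential"],
    "issuer": "https://example.edu/issuers/565049",
    "issuanceDate": "2010-01-01T19:23:24Z",
    "credentialSubject": {"id": "did:example:ebfeb1f712ebc6f1c276e12ec21"},
    "proof": {"type": "Ed25519Signature2018", "jws": "constructed-placeholder"},
}

def _parse(value):
    """Parse an RFC 3339 timestamp; None if malformed or lacking an offset."""
    try:
        when = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo else None

def check_credential(vc, now=None, external_proof=False):
    """Return structural problems; an empty list means proof checking can start."""
    now = now or datetime.now(timezone.utc)
    problems = []
    ctx = vc.get("@context")
    if not isinstance(ctx, list) or not ctx or ctx[0] != BASE_CONTEXT:
        problems.append("@context must list the base credential context first")
    types = vc.get("type")
    if "VerifiableCredential" not in (types if isinstance(types, list) else [types]):
        problems.append("type must include VerifiableCredential")
    issuer = vc.get("issuer")
    issuer_id = issuer.get("id") if isinstance(issuer, dict) else issuer
    if not isinstance(issuer_id, str) or ":" not in issuer_id:
        problems.append("issuer must be a URI or an object whose id is a URI")
    if not vc.get("credentialSubject"):
        problems.append("credentialSubject is missing")
    if _parse(vc.get("issuanceDate")) is None:
        problems.append("issuanceDate missing or not an RFC 3339 timestamp")
    if "expirationDate" in vc:
        expires = _parse(vc["expirationDate"])
        if expires is None or expires <= now:
            problems.append("expirationDate malformed or already passed")
    proof = vc.get("proof")
    if not external_proof and not (isinstance(proof, dict) and proof.get("type")):
        problems.append("no embedded proof and no external JWT/JWS proof supplied")
    return problems
```

Pass external_proof=True when the credential arrived inside a JWT/JWS whose signature has already been checked; otherwise a credential without an embedded proof block is rejected.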
Verifiable Presentations
Privacy has been a key concern for any physical or digital credential, and so it is a key design feature of this specification. It is therefore crucial for entities to be able to express only portions of their persona while interacting with other entities.
The verifiable presentation expresses data from one or more verifiable credentials and is packaged in such a way that the authorship of the data is verifiable.
The data in a presentation is often about the same subject but might have been issued by multiple issuers. The aggregation of this information typically expresses an aspect of a person, organization or entity. The verifiable presentation also follows the same JSON/JSON-LD structure, and a simple example is given below.
In the above example, the credential is directly included in the verifiable presentation. In contrast, in some zero-knowledge cryptography schemes, the holders of the claims can indirectly prove a claim from verifiable credentials without revealing the underlying values.
Data Schemas
The context property in verifiable credentials does not enforce data structure/syntax, nor does it enable the definition of arbitrary encodings. Therefore, data schemas are added to enforce a specific structure on a given collection of data using the credentialSchema property. At least two types of schemas are considered:
Data Verification Schemas
It verifies that the structure and contents of a verifiable credential conform to a published schema.
"credentialSchema": { "id": "https://example.org/examples/degree.json", "type": "JsonSchemaValidator2018" },
Data Encoding Schemas
It is used to map the contents of a verifiable credential to an alternative format, such as a binary format (ZKP).
"credentialSchema": { "id": "https://example.org/examples/degree.zkp", "type": "ZkpExampleSchema2018" },
The verifiable credential model goes further, describing subject evidence, termsOfUse, refreshService, zero-knowledge proofs, disputes (an out-of-date address, a false claim by the issuer), etc.; however, we will not go into those details for now.
Spectrum of Privacy
It is essential to recognize the spectrum of privacy ranging from pseudonymous to strongly identifiable while creating verifiable presentations.
There are several laws in Canada that relate to privacy rights, and there are several factors (institution types - federal/provincial, private sector, cross boundaries, etc.) that determine which laws apply and who oversees them.
Personal information is data about an “identifiable individual.” It is information that, on its own or combined with other pieces of data, can identify you as an individual.
Canada has two federal privacy laws (provinces have their own privacy laws too):
Privacy Act (how the federal government handles personal info)
Personal Information Protection and Electronic Documents Act PIPEDA (how businesses handle personal info)
The Privacy Commission of Canada has combined this info into a collective meaning for personal information, and it lists:
Identifying numbers (social insurance number, driver’s license)
race, national or ethnic origin,
religion,
age, marital status,
medical, education or employment history,
financial information,
DNA,
views or opinions about you as an employee
When a subject/holder requests a service (Service Endpoint) based on verifiable credentials, the service typically will request an assertion to authenticate the user, and it will only succeed if the requestor possesses the private keys. However, to avoid floating personal information in the wild, the organization requesting information about customers, vendors or employees using verifiable credentials must respect these privacy acts and guidelines. At the same time, the holder of the verifiable credentials must be careful to choose which information to share.
A privacy act validation project:
The credentialSchema enforces the required fields and properties of a given schema. If the schema relates to personal information, an automated software tool can be developed that validates it against a given jurisdiction's privacy laws and helps an organization stay in line with the federal or provincial privacy acts while collecting data from users.
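A sketch of such a tool follows, as an added example that is not part of the original post. It walks a JSON Schema of the kind a credentialSchema id would point to and reports fields that fall into personal-information categories the collecting organization has not declared a need for. The category names come from the list above; the keyword mapping, the sample schema and the function names are assumptions made for this example and carry no legal weight.

```python
import re

# Categories follow the personal-information list above; the keywords that map
# property names to them are assumptions of this example, not an official list.
PI_KEYWORDS = {
    "identifying numbers": ["sin", "social insurance", "license", "licence"],
    "race, national or ethnic origin": ["race", "ethnicity", "nationality"],
    "religion": ["religion"],
    "age, marital status": ["age", "birth", "marital"],
    "medical, education or employment history": ["medical", "degree", "employer"],
    "financial information": ["income", "salary", "credit"],
    "DNA": ["dna"],
    "views or opinions about you as an employee": ["opinion", "evaluation"],
}

# Constructed JSON Schema standing in for a published credentialSchema document.
SAMPLE_SCHEMA = {
    "type": "object",
    "required": ["credentialSubject"],
    "properties": {"credentialSubject": {
        "type": "object",
        "required": ["id", "degree", "socialInsuranceNumber"],
        "properties": {
            "id": {"type": "string"},
            "degree": {"type": "object", "properties": {"name": {"type": "string"}}},
            "dateOfBirth": {"type": "string"},
            "socialInsuranceNumber": {"type": "string"},
        },
    }},
}

def classify(name):
    """Return the personal-information category a property name suggests, or None."""
    spaced = re.sub(r"([a-z])([A-Z])", r"\1 \2", name)  # split camelCase
    words = set(spaced.lower().replace("_", " ").split())
    for category, keywords in PI_KEYWORDS.items():
        if any(set(k.split()) <= words for k in keywords):
            return category
    return None

def audit_schema(schema, allowed, path=""):
    """List (path, category, required_by_parent) for fields outside `allowed`."""
    findings = []
    required = set(schema.get("required", []))
    for name, sub in schema.get("properties", {}).items():
        here = f"{path}.{name}" if path else name
        category = classify(name)
        if category and category not in allowed:
            findings.append((here, category, name in required))
        findings += audit_schema(sub, allowed, here)
    return findings
```

Required fields outside the declared categories are the ones to review first, because every holder presenting the credential is forced to disclose them.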
Summary
We now understand the issues and limitations of physical credentials, have a firm grasp of the verifiable credential data model, and have learned about:
Claim
Verifiable Credentials
Verifiable Presentation
Data Schemas
In the last section, we explored some of the privacy laws present in Canada and what constitutes a piece of personal information.
People have learned when to share their Social Insurance Number (SIN) in Canada or Social Security Number in the USA when an organization (public or private sector) requests it. Likewise, verifiable credentials and presentations are a new addition to one's knowledge/possessions, and care must be taken before sharing them.