Solving the Principal-Agent problem: Proxy Issuance with Verifiable Credentials

Affinidi Pte. Ltd.
Jul 12, 2021

In today’s society, everyone has experienced the need to rely on third party agents to handle matters for us. For instance, you may authorise lawyers and real estate agents to act on your behalf when buying a beachfront villa (lucky you!). When travelling to Mongolia, you may also authorise a local travel agent to book a yurt for your stargazing trip.

However, it is difficult to authenticate whether a third party agent has the proper authorisation, or will only conduct themselves within the instructions given to them. Trust has always been an issue, because relying on an agent comes with risks: forgery of signatures, overuse of authority, and uncertainty about an agent’s real authority are classic risks that we are all familiar with.

One way to overcome these problems is for the person or entity seeking to authorise a proxy (for the purpose of this article, let’s call them “Principal”) to use verifiable credentials to appoint verifiable proxies. This is called “proxy issuance”.

How Are Verifiable Credentials Used for Proxy Issuance?

In proxy issuance, the issuer is an entity (individual/organization) that authorizes another person or entity to act on its behalf by issuing a verifiable credential (VC) to that person or entity (called the “holder”). The holder is the party who has the authority to act on behalf of the issuer. The verifier is the entity that checks the validity and legality of the holder to act on behalf of the issuer.

Let’s understand the workflow here.

  • First, the issuer (Principal) and the holder (agent) each create a unique private-public key pair. The issuer generates a VC, digitally signs it using its private key, and encrypts the data using the holder’s public key.
  • This VC is sent to the holder who can decrypt it using his or her private key.
  • Next, the holder can choose to save the VC in a digital identity wallet.
  • When needed, the holder compiles a set of VCs like date of birth, government ID, etc, along with the proxy authorization, into a verifiable presentation that is digitally signed with the holder’s private key and encrypted using the verifier’s public key.
  • The verifier decrypts the verifiable presentation using its private key and validates the digital signatures of both the issuer and the holder using their respective public keys to ensure the authenticity of the issuer and the holder. Once verified, the holder becomes eligible to act, and to disclose limited and pre-approved information, on behalf of the issuer.

Here is a real-world example.

  • John is an American individual who has traveled to Singapore and is unable to return to the US in time for a board meeting.
  • He decides to authorize his brother Sam to vote on his behalf, and issues a verifiable credential for this authorization.
  • On the day of the board meeting, Sam creates a verifiable presentation with John’s authorization VC and his identity proof. The same is verified by the board chair who approves the proxy. Finally, Sam casts a vote on John’s behalf.

In this example, John is the issuer, Sam is the holder, and the board chair is the verifier.
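The workflow and the John/Sam scenario above, as an added example (not Affinidi's code or SDK): the issuer signs a proxy credential, the holder signs a presentation over it, and the verifier checks both signatures before checking scope and end date. The encryption steps are left out, and the `publicKeys` map, the `action` and `endDate` claim names, and the extra party Mallory are assumptions made for this illustration.

```javascript
// Added illustration, not Affinidi SDK code. Signs plain JSON with Ed25519 from
// Node's built-in crypto; real VCs use standard proof formats and DID resolution.
const crypto = require('node:crypto');

const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (obj, key) => crypto.sign(null, bytes(obj), key).toString('base64');
const valid = (obj, sig, key) =>
  crypto.verify(null, bytes(obj), key, Buffer.from(sig, 'base64'));

// Issuer (principal) authorises one holder for one action until an end date.
function issueProxyCredential(issuerKey, issuer, holder, action, endDate) {
  const claims = { issuer, holder, action, endDate };
  return { claims, proof: sign(claims, issuerKey) };
}

// Holder wraps the credential in a presentation signed with the holder's key.
function present(holderKey, credential) {
  const body = { credential };
  return { body, proof: sign(body, holderKey) };
}

// Verifier: check both signatures, then that the request is within the grant.
// `publicKeys` maps party names to keys the verifier already trusts (assumed).
function verifyProxy(presentation, publicKeys, action, now) {
  const { claims, proof } = presentation.body.credential;
  const issuerKey = publicKeys.get(claims.issuer);
  const holderKey = publicKeys.get(claims.holder);
  if (!issuerKey || !holderKey) return 'unknown party';
  if (!valid(claims, proof, issuerKey)) return 'bad issuer signature';
  if (!valid(presentation.body, presentation.proof, holderKey)) return 'bad holder signature';
  if (claims.action !== action) return 'outside authorised scope';
  if (Date.parse(now) > Date.parse(claims.endDate)) return 'expired';
  return 'ok';
}

// Constructed scenario: John (issuer), Sam (holder), board chair (verifier).
// Mallory is a constructed third party who holds a copy of John's credential.
const john = crypto.generateKeyPairSync('ed25519');
const sam = crypto.generateKeyPairSync('ed25519');
const mallory = crypto.generateKeyPairSync('ed25519');
const publicKeys = new Map([['john', john.publicKey], ['sam', sam.publicKey]]);
const vc = issueProxyCredential(john.privateKey, 'john', 'sam', 'board-vote', '2021-07-31');
const vp = present(sam.privateKey, vc);

console.log(verifyProxy(vp, publicKeys, 'board-vote', '2021-07-12'));
console.log(verifyProxy(present(mallory.privateKey, vc), publicKeys, 'board-vote', '2021-07-12'));
console.log(verifyProxy(vp, publicKeys, 'sign-contract', '2021-07-12'));
```

The second and third calls show the two failure modes the article is concerned with: a credential presented by someone other than the named holder, and a valid holder acting outside the authorised action.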

Here’s what a possible VC could look like. This VC was generated from Affinidi’s VC Generator app.

{
  "type": "MetaCredentialPersonV1",
  "data": {
    "@type": [
      "Person",
      "PersonE",
      "MetaPerson"
    ],
    "name": "Bob Belcher",
    "receivedCredentials": {
      "@type": [
        "Role",
        "ReceivedCredentialRole"
      ],
      "startDate": "start",
      "endDate": "end",
      "aggregatorDID": "did:elem:...",
      "typesSome": [
        "type 1"
      ],
      "typesAll": [
        "type 2"
      ],
      "typesNot": [
        "type 3"
      ],
      "contextsSome": [
        "context 1"
      ],
      "contextsAll": [
        "context 2"
      ],
      "contextsNot": [
        "context 3"
      ],
      "issuerDIDIn": [
        "did 1"
      ],
      "issuerDIDNotIn": [
        "did 2"
      ],
      "receivedCredentials": [
        "vc 1",
        "vc 2"
      ]
    }
  },
  "holderDid": ""
}

Benefits of Using Verifiable Credentials for Proxy Issuance

The big question is, should you use verifiable credentials for proxy issuance?

Yes, because it addresses many of the problems that come with the traditional principal-agent problem.

Let’s take a look at the benefits that come with using verifiable credentials for issuing proxies.

Reduces Forgery

One of the biggest problems with appointing agents the traditional way is forgery. An agent can easily forge a principal’s signature. Verifying parties may simply choose to rely on the signature presented to them. Any additional authentication methods may require the verifying party to contact the principal, which may not be possible, or may be time and cost intensive.

VCs overcome this problem with digital signatures that are secured by Public Key Infrastructure, where a pair of private and public keys is used to ensure that the verifiable credential was issued by the principal to the agent, and not by a person purporting to act as the principal.

Creates Trustable Data

Many times, verifying entities like banks and financial institutions do not have trust in the proxy appointment process and may not trust agents for important transactions. This causes inconvenience to both the issuer and the verifier, as the issuer may not be able to travel personally to meet the verifying entity.

VCs may overcome this impediment by creating a reliable way to verify that a proxy has been validly appointed, through the process of securing the credential with the digital signature of both the issuer and the holder, so the verifier can be assured of the authenticity of the proxy’s credentials.

Quick and Easy

Sharing and authenticating VCs is quick and easy, and verification takes less than a couple of minutes. Since VCs are machine-readable data, they can be read quickly by the verifying authority’s machine and verified almost instantaneously.

There are no more long wait times and background checks with VC-based appointment of proxies.

Overall, using VCs for proxy issuance is easy, promotes trust, and follows the Self-Sovereign Identity (SSI) principles of control over one’s data and selective disclosure.

Here’s an example of a VC-based proxy issuance implementation that was submitted for Affinidi’s PoCathon 2021.

Affinidi provides building blocks for an open and interoperable Self-Sovereign Identity ecosystem. Reach out to us on Discord or email us if you want to build VC-based applications using our tech stack.


The information materials contained in this article are for general information and educational purposes only. They are not intended to constitute legal or other professional advice.
