What are Verifiable Credentials (VCs), Demystified.
Digital signatures to safeguard your Personal Identifiable Information (PII) online
When you think of the word “verifiable credentials”, what’s the first thing that comes to your mind?
Possibly a driver’s license, passport, Social Security Number, a university degree, or anything that identifies or belongs only to you.
Generally speaking, a credential is a piece of information that identifies a particular entity or verifies that a person has a specific attribute, qualification, or claim. For example, passports are proof of your identity while a university degree is a claim you possess.
In the physical world, someone can verify documents by examining them, but how do you do it in the digital world?
Well, that’s where verifiable credentials come in.
What are Verifiable Credentials?
At the most basic level, verifiable credentials, or VC in short, are tamper-evident credentials that can be verified cryptographically.
There are three essential components of verifiable credentials, and they are:
- It is machine verifiable
- It is secure and tamper-evident
- Has been issued by a competent authority.
Moving on, let’s take a look at how VCs work.
The Verifiable Credentials Ecosystem
There are three entities in a verifiable credential ecosystem and they are:
- Issuer
- Holder
- Verifier
The issuer is the entity that is issuing the credential, the holder is the entity about whom the credential is issued, and the verifier is an entity that verifies if the credential meets the established criteria of a VC.
From an implementation standpoint, these VCs must adhere to the W3C Verifiable Credentials Data Model. This is a set of specifications and verifiable documentation that allow credentials to be verified and shared on the web.
Let’s talk a bit more about these entities.
Issuer
An issuer is an entity that is authorized to issue a credential. These issuers are typically government organizations, healthcare centers, banks and financial institutions, schools and universities, and possibly even organizations that provide proof of employment.
These entities use a combination of methods such as digital signatures and custom schemas to prove that they are competent to issue a credential.
Holder
A holder is someone who is the owner of the credential and has complete control over how it can be managed, with whom these credentials can be shared, or revoked. Holders are typically individuals or organizations.
Since the holder is the owner of the credential, the onus is on this entity to create a verifiable presentation, which is the compilation of data sent by one or more issuers in a machine-verifiable format that adheres to the existing standards.
Verifier
A verifier is an entity that verifies a credential and ensures that it comes from a competent issuer, is tamper-evident, and is still relevant (not expired or revoked). A verifier takes the verifiable presentation from the holder to determine its authenticity.
Example of Verifiable Credentials
Let’s look at an example to better understand these entities and their relationship.
Say, a healthcare center certifies that a particular individual has taken the COVID-19 vaccination and this information is verified by a machine for its authenticity.
Here, the issuer is the healthcare provider, the holder is the individual who has vaccinated, and a verifier is a machine that checks the verifiable presentation for its authenticity. Once verified, the holder is free to share it with anyone he/she wishes.
Verifiable Credentials Workflow
Now that we know the role of the three entities, let’s briefly talk about the workflow.
The issuer digitally signs a document and sends it to the holder. Next, the holder creates a verifiable presentation in a certain format that conforms to the W3C specifications and sends it to the verifier for verifications.
Current commercial deployments of the W3C Verifiable Credentials model also utilize Decentralized Identifiers (DIDs). DIDs can be used to identify various entities in the VC ecosystem such as issuers, holders, and verifiers.
Finally, the verifier checks the presentation against the specifications to verify the three aspects — competent authority, validity, and tamper-evident characteristic of the credential. If all three conditions are met, the credentials are deemed verified, and the verifiable presentation is sent back to the holder.
In another possible workflow, the holder can initiate the proceedings. Let’s say, the holder is an individual who wants to travel, but the airline stipulates only individuals who are vaccinated against COVID-19. In this case, the holder requests information from the issuer and sends it to the verifier for verification. Once verified, the holder can send the credentials to the airline company.
Likewise, the verifier can also initiate a request to get some data from the holder, and in turn, the holder reaches out to the issuer to send it.
As you can see, trust is the central aspect of VCs, and handling this aspect well is key to the success of any VC-based system. Though we will talk about the different aspects of a VC, here’s a simple image to give you an idea of what a VC is and how it establishes trust.
Another key aspect is that many entities work towards the common goal of using the existing data collectively. They use commonly-agreed tools and data standards to handle the data on hand, thereby laying the foundation for a common data registry.
Verifiable Presentation — A Secure Way to Share your Credentials
A verifiable presentation is the collation of credentials that you want to share with a verifier.
Let’s understand this with an example.
Let’s say, your potential employer requests specific information for a background check such as,
- Your date of birth
- A proof that there are no criminal records against you
- University degree
- Past employment details
- Results of a drug test
Now, each of these credentials is issued by a different entity. So, the owner (future employee) of these credentials can collect all of these in his or her digital wallet and combine them to create a verifiable presentation for the verifier.
There are many advantages to creating a verifiable presentation and they are:
- Tells the verifier only what it requires.
- Makes your VCs portable as you can combine them in any way you want for sharing with different verifiers
- Facilitates the implementation of the principle of zero-knowledge proofs
- Helps the owner to maintain different personas such as an online gaming persona, professional persona, and more.
- Since the verifiable presentation is a compilation of VCs, it is verifiable, tamper-evident, and authentic.
Components of a Verifiable Presentation
Verifiable presentations can be broadly divided into three components:
- Presentation metadata that gives brief information about the presentation. Some possible information here could include the type of data which is a verifiable presentation, instructions on whether it can be archived, etc.
- Different VCs
- Proofs, which are digital signatures of the holder and issuers to validate the authenticity of the claims.
In all, a verifiable presentation is created by the owner of credentials and is a simple way of compiling and collating different VCs to prove the holder’s claims to a verifier.
Verifiable Credentials Use Cases
Now that you have an idea of VCs, let’s take a look at some of the use cases where they can be implemented.
- Visa validity of travelers
- Healthcare certificates, especially COVID-19 tests
- Airline tickets
- Secure transfer of government-issued documents like passports and driver’s licenses
- Checking credit scores for loan applications
- Credentials for opening a bank account or setting up payments
- Sharing residency status for appropriate government schemes, and more
This is nowhere an exhaustive list, rather it gives you an idea of what you can do with this young and exciting technology. Here are some use cases for your perusal.
Affinidi provides building blocks for an open and interoperable Self-Sovereign Identity ecosystem. Check out our open source developer resources for more information.
