What is the Trust Triangle?

Affinidi Pte. Ltd.
Aug 23, 2021

Self-sovereign identity (SSI) is an emerging philosophy that puts you in complete control over your data. In this framework, you get to store your data and share it with just the entities you want.

This relatively new concept of digital identity management has three essential pillars: the issuer, the holder, and the verifier. Together, these three entities constitute what’s called the trust triangle.

Let’s start with understanding what these three pillars are.

Who are Issuers?

An issuer is an entity that is authorized to issue a credential. These issuers are typically government organizations, healthcare centers, banks and financial institutions, schools and universities, and possibly even organizations and startups that verify a piece of information and issue a credential attesting that information.

For example, the Department of Motor Vehicles is an issuer that is authorized to issue a driver’s license credential that contains the license number of an individual. Similarly, SafeTravel is a startup company that verifies whether an individual has received a COVID vaccination and, accordingly, issues a credential attesting to it.

Who are Holders?

A holder is the owner of the credential and has complete control over how it is managed, with whom it is shared, and whether it is revoked. Holders can be individuals or organizations.

Since the holder is the owner of the credential, this entity can create a verifiable presentation consisting of one or more verifiable credentials. The presentation is shared with verifiers, who use it to authenticate the user or validate the shared information.

Who are Verifiers?

A verifier is an entity that verifies a credential and ensures that it comes from a competent issuer, is tamper-evident, and is still relevant (not expired or revoked). A verifier takes the verifiable presentation from the holder to determine its authenticity.

Verifiers are entities that need specific information about a holder for authentication, so that their services can be offered to the holder. A good example is an alcohol store that has to verify the age of the buyer before selling alcohol to him or her.
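
The three roles above in Node.js, as an added example (not from the original article, not Affinidi's SDK, and not the W3C data model): an issuer signs a credential, the holder signs a presentation, and the verifier checks issuer trust, integrity, expiry, revocation and holder binding. The credential layout, the function names and `dmv.example` are assumptions made for the illustration.

```javascript
// Added illustration of the trust triangle in a toy format. All names and
// values below are constructed.
const crypto = require("crypto");

// Real systems canonicalise before signing; JSON.stringify is enough here
// because the same in-memory object is signed and checked.
const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (obj, priv) => crypto.sign(null, bytes(obj), priv).toString("base64");
const sigOk = (obj, sig, pub) => crypto.verify(null, bytes(obj), pub, Buffer.from(sig, "base64"));

// Issuer: attests a claim about the holder's key and signs it.
function issue(issuer, id, holderPem, claim, expires) {
  const body = { id, issuer: issuer.name, holder: holderPem, claim, expires };
  return { body, proof: sign(body, issuer.keys.privateKey) };
}

// Holder: wraps credentials in a presentation bound to the verifier's nonce.
function present(holderKeys, credentials, nonce) {
  const body = { credentials, nonce };
  return { body, proof: sign(body, holderKeys.privateKey) };
}

// Verifier: returns "ok" or the first reason for rejection.
function verify(vp, nonce, trustedIssuers, revoked, now) {
  if (vp.body.nonce !== nonce) return "stale or replayed presentation";
  if (vp.body.credentials.length === 0) return "no credentials presented";
  for (const vc of vp.body.credentials) {
    const issuerPub = trustedIssuers.get(vc.body.issuer);
    if (!issuerPub) return "issuer not trusted";
    if (!sigOk(vc.body, vc.proof, issuerPub)) return "credential altered";
    if (vc.body.expires <= now) return "credential expired";
    if (revoked.has(vc.body.id)) return "credential revoked";
    // The holder key is read only after the issuer signature covering it passed.
    if (!sigOk(vp.body, vp.proof, crypto.createPublicKey(vc.body.holder)))
      return "presenter does not hold this credential";
  }
  return "ok";
}

// Constructed scenario: a licensing authority, one holder, a bar as verifier.
const dmv = { name: "dmv.example", keys: crypto.generateKeyPairSync("ed25519") };
const holder = crypto.generateKeyPairSync("ed25519");
const holderPem = holder.publicKey.export({ type: "spki", format: "pem" });
const trusted = new Map([["dmv.example", dmv.keys.publicKey]]);
const vc = issue(dmv, "vc-1", holderPem, { over18: true }, 2000);
console.log(verify(present(holder, [vc], "n-1"), "n-1", trusted, new Set(), 1000));
```

The verifier never contacts the issuer during the check; it only needs the issuer's public key and a revocation list, which is what lets the holder decide when and with whom the credential is shared.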

Why are they Called the Trust Triangle?

The relationship between the issuers, holders, and verifiers is called the trust triangle simply because you need an element of trust among these entities for them to work together. Also, this term is typically used to convey human relationships in the digital world.

When an issuer issues a credential, the holder is willing to trust the issuer. The same applies when the holder shares a verifiable presentation with the verifier, and when the verifier verifies the issuer’s credential.

While this does not mean that there is a legal partnership or understanding between the entities involved, it does mean that each of the entities is willing to examine the credibility of the other, and this implicit trust is what constitutes this term.

Real-world Examples

Here are some real-world examples of how the issuer, holder, and verifier come together to create a transaction.

Employment

Some companies like GoodWorker verify the profiles of workers and issue employment credentials to authenticate their past employment. Thus, they are the issuers.

The holders are the workers themselves, to whom the credential is issued, while verifiers are those with whom the holder shares the credential issued by the issuer.

Opening a Bank Account

Verifiable credentials can come in handy for opening a bank account. Here, the issuer can be a startup company that collates all the government-issued documents and stores them in the form of a verifiable credential. A good example would be DigiLocker from the Government of India, which provides access to authentic digital documents in citizens’ digital document wallets.

The holder is an individual/company/entity looking to open a bank account while the verifier is the bank where the holder wants to open an account.

Verifying Age at a Bar

Another example is when a holder shares a date of birth verifiable credential with the bar manager to prove that he is over 18 years of age.

Here, the issuer is a government entity or a startup that has verified the holder’s records while the verifier is the restaurant manager.

As you can see, there is an element of trust involved in the relationship between all three parties.

Here are more use cases and PoCs for you to understand the relationship between an issuer, holder, and a verifier.

Affinidi provides building blocks for an open and interoperable Self-Sovereign Identity ecosystem. Reach out to us on Discord or email us if you want to build VC-based applications using our tech stack.

Follow us on LinkedIn, Facebook, or Twitter. You can also join our mailing list to stay on top of interesting developments in this space.

The information materials contained in this article are for general information and educational purposes only. It is not intended to constitute legal or other professional advice.
