In the last few guides, we have discussed about several topics: from digital identity models, to the emergence of Self Sovereign Identity (SSI), and one of the first pillars, DIDs.
As already addressed, the concept of Self Sovereign Identity is based on three main “pillars”:
- Decentralised Identifiers (DID)
- Verifiable Credentials
- Blockchain technology
This guide has the objective of analysing and explaining the second of the three pillars, namely Verifiable Credentials.
The English term should not scare us: the concept behind Verifiable Credentials is understandable to everyone, and certainly one of the great innovations in current models of digital identity and certification.
Verifiable Credentials are a way of representing the attributes that we all associate with our identity. In general, attributes can be of any kind: a health certificate, for example, certifying whether or not I have a disease, or even simply a certificate issued by any body!
These attributes, in the context of identity, are called ‘credentials‘. In the context of Self Sovereign Identity, Credentials are called Verifiable Credentials.
Think of the “physical” credentials we all hold and use today: our ID card, our driving licence, our birth certificate, rather than our degree hanging on the wall. We are all used to holding these credentials in a physical way: in our wallet, rather than in a drawer. When we are asked for them (e.g. a passport at the airport), we can present them, and the person reading them can verify their veracity (e.g. by checking that the passport has been issued by a competent authority).
They are thus a way of representing certificates that we are used to knowing as ‘physical’ in a totally digital way.
Verifiable Credentials are by nature a radical innovation: a citizen is able to store any attribute relating to him in his smartphone, in a totally digital way. Although digital certificates have existed for many years, Verifiable Credentials are structured differently, with features that make them secure, unchangeable, and independently verifiable. How is this possible? Verifiable Credentials can be thought of as ‘objects’ that a user receives from an issuer, who signs them digitally. Just as in the case of a physical certificate, once a user has received a Verifiable Credential, he is able to manage it independently and display it whenever he wants (just like a card in our wallets, signed by the issuer and then in our sole possession).
Verifiable Credentials can be held directly within one’s smartphones, and can be displayed for verification, recreating the ‘physical’ model within the digital world.
In this way, through Verifiable Credentials, citizens and users are able to interact with the digital world: it is also possible to create a decentralised system of trust within a world where, until now, digital data has never really been able to come into the total possession of users.
Verifiable Credentials: the workflow and actors
The scheme followed for issuing and managing Verifiable Credentials allows users to be completely independent in managing them: this enables the self-sovereignty of data held by citizens.
This enables the self-sovereignty of the data held by citizens. They therefore fall entirely within the components that enable Self-Sovereign Identity. An example workflow describing the issuance and management of Verifiable Credentials is as follows:
Within the scheme shown above, as can be seen, there are mainly three roles in issuing, managing and exchanging Verifiable Credentials:
- An issuer of credentials: an issuer can be any entity, from a ministry for example, to a family member. The credentials that can be issued are of any type, and offer different levels of security depending on who the issuer of that credential is. The issuer sends credentials directly to the user, also called the Holder.
- A user (Holder) receives digitally signed credentials from one or more Issuers. Once the credential is sent to the Holder, the latter is able to manage this credential completely autonomously: it can in fact present it to those who request it, without the issuer ever being involved. And it is for this reason that Verifiable Credentials replicate the world of physical credentials, in a digital environment!
- A Verifier can be any entity responsible for ‘verifying’ the Credentials shown to it by a user. The Credential contains all the data needed to verify it, such as who the Issuer is, who the Credential is registered to, and whether or not it has been modified over time.
- Blockchain technology (or the Verifiable Data Registry) is used to check the validity of the credential held by the Holder.
Verifiable Credentials: a practical example
Let’s now try to imagine the scheme from the perspective of real use.
A credential that most of us use on a daily basis (holding and displaying it) is the driving licence.
Assuming that the issuance of licences can be carried out by issuing Verifiable Credentials, the workflow of the solution could be as follows:
Following the workflow shown above, in this case the functioning of the system could be as follows:
- A citizen takes the driving test, and is in possession of a digital wallet (i.e. crypto wallet) that is based on Self Sovereign Identity standards.
- After passing the driving test, the DMV will issue a Verifiable Credential via its system, which represents the driving licence. The Verifiable Credential defines the holder’s name, the validity of the licence, and other useful information.
- The citizen then receives the licence and holds it in the form of a Verifiable Credential in his digital wallet.
- A policeman stops the citizen for a check: the citizen can show his driving licence in the form of Verifiable Credential. The policeman can use the cryptographic properties of the credential to verify its owner, and by checking the blockchain can check that the credential is still valid.
In the example shown above, the citizen was able to show his own attribute to a Verifier, in a totally privacy preserving manner.
Verifiable Credentials are able to enable what is known as selective disclosure: it is possible for a Holder to show only the data needed by the Verifier, without having to show all the data contained in the Verifiable Credential.
An example? A citizen who is stopped by a policeman is potentially able to prove to the verifier that he has a driver’s licence without even showing his name. This is due to the cryptographic properties of the Verifiable Credential.
What does the future hold?
The topic of Verifiable Credential will be covered at length in our blog including guides that aim to explain in more technical terms how they work and how they are composed.
Surely Verifiable Credentials are one of the biggest recent innovations in digital identity, and are a way through which it is possible to enable even greater self-sovereignty over user data.
The concept of Verifiable Credentials is currently being standardised by a Working Group led by the W3C, one of the most important entities in the digital world. The work on Verifiable Credentials can be viewed at this link https://www.w3.org/TR/vc-data-model/, while we wait for them to finally become part of our everyday lives, where our diplomas, driving licences and other digital credentials will finally be in our complete possession.