What are W3C Verifiable Credentials?
As the name suggests, Verifiable Credentials are cryptographically-secured identities that a user can carry in his/her digital wallet all the time and present to someone whenever required. These digital credentials can be presented to organizations, which can then verify them.
Introduction
Stories of people’s physical ID cards and digital identities getting stolen and misused are becoming more frequent. You never know who is using your identity without your knowledge, or who is forging educational certificates or licenses to get a job or license they do not deserve.
And then there is a growing fear of social media websites storing our data and then using it in the way they want for their businesses. Each day, we log our credentials into one of these sites without knowing how the companies are going to use them (and most probably without our prior permission). This leaves the common user at the mercy of a few centralized authorities.
That’s where the concept of W3C Verifiable Credentials comes into the picture. These credentials give their owner control of what to share and with whom to share. So, in the case of verifiable credentials (aka VCs), the holder of a credential becomes its controller instead of some third-party or centralized authority or some social media website. Let us study this concept in detail.
More About Them
When credentials can be expressed in a cryptographic way to enhance their security and can be verified on a blockchain by others, they are termed W3C Verifiable Credentials. Such credentials conform to the standards set down by W3C, which is a community that lays down guidelines for everything related to identity.
Verifiable Credentials form part of Self-Sovereign Identity (SSI), which is based on the concept that a user must be the real owner of his identity and must be able to share with others only the information that he intends to, and hide all other information. So, in the world of identity, the holder of the identity must be the king and not any other authority or organization.
Actors and Components of a Verifiable Credential on Blockchain
The three main actors that form the “trust triangle” of the Verifiable Credential are listed below:
- Issuer: An entity that issues Verifiable Credentials to a subject (user). The subject can be a human or an animal or even a thing! In the case of animals or objects, the VCs are issued to their owners.
- Identity Holder: The subject to whom VCs are issued and who holds these credentials in his wallet.
- Verifier: An entity that verifies the Verifiable Credentials presented by a Holder. The Verifier checks the authenticity of the credential that a holder holds in his wallet.
The three characters form a triangle of trust with one another, i.e. one entity has to trust the other for the credential ecosystem to run seamlessly.
Apart from the trust triangle actors, several components that form part of this ecosystem are:
- Wallet: The wallet holds the credential for a holder who receives them from an Issuer and presents them to the Verifier.
- Holder’s Agent: It can be the Holder’s wallet software that communicates with an Issuer or a Verifier.
- Verifiable Data Registry: A type of database that holds all the data related to Verifiable Credentials. It may include revoked credentials (credentials that have either expired or are invalid or are lost), a list of schemas that define the structure of the credentials, and public keys of the Issuer.
How Does the Trust Triangle Work?
As stated earlier, for the Verifiable Credentials system to work smoothly, the participants must trust one another. A Verifier must have the trust that the Issuer that has issued the credential is an authentic entity and not a fake one.
A Verifier doesn’t necessarily need to trust an Issuer, but to ease the task for a Verifier, the list of authentic issuers is included in the Verifiable Data Registry. The Verifier should be able to validate that an Issuer indeed has the authority to make the statements and issue them to the subject/holder. While verifying the VCs from holders, therefore, the Verifier can validate whether a particular Issuer is among the known issuers listed in the registry.
A Subject (or Identity Holder), like a Verifier, must also be able to trust that the credentials that s/he has received are indeed valid and authentic. Also, as an issuer can revoke invalid or expired credentials, the Holder as well as the Verifier must trust this ability of the Issuer to work accurately.
Concept of Decentralized Identifiers (DID)
You might be confused by all these mumbo-jumbo terms. Let me clarify it for you. Consider this example. A is an Issuer and B is a Subject. A issues a statement to B that proves that B is above 18 years of age. This statement is called a Verifiable Credential. B keeps that credential in his digital wallet. But how will A and B communicate? In the decentralized world, they cannot do so by calling each other by their real names (names of people or organizations). In the world of VCs, this is done by identities. These identities are Decentralized Identifiers (DIDs).
A DID is made up of public and private key pairs (to keep it secure). Now, if issuer A wants to send a VC to user B, the Issuer does it by using his/her DID; it signs the credential with its identifier. When Verifier C also comes into the picture, it can validate that A is a valid Issuer by checking the signature on the credential against A’s public key.
In the real world, we are known by our identities such as our emails, national IDs, phone numbers, license numbers, etc. While these are easy to use and help us to identify ourselves online (when we log into social media sites or govt. registered sites), they carry a drawback. You never know what is going to become of the email or the phone number that you entered: whether they would be used as per policies laid down by these sites or would be used for some ulterior motives by the owners of these websites, no one can be sure about that.
In the world of Verifiable Credentials, the subjects use a unique identifier that the user can use to cryptographically prove that he is the real owner and controller of this identity.
Each DID is made of a private-public key pair. Let’s see what these keys are:
Private Keys: These are private to the entity that owns them. A private key is a string of letters and numbers that the user of the wallet must keep hidden from everyone else in the world. Private keys are used by the entities that are the masters of some data or that have permission to share the data with others.
Public Keys: These keys are known to everyone and are used to send data and receive data (for example, issuer A can send credentials to user B, who receives them). Public keys can be shared amongst entities, unlike private keys.
As stated earlier, DIDs are formed by the combination of these private-public key pairs; the owner of a DID can safely say that he/she is the complete owner of his DID.
Structure of a DID
A DID is a text string that can be broken down into three parts:
A. Scheme Identifier or “did”
B. DID Method: Specifies which operations to use to create, read, update, and delete a DID document
C. DID Method-Specific Identifier
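The three-part split as a strict parser, added here as an example and not taken from any wallet or resolver. The character rules follow the DID syntax in the W3C DID Core specification; `ParseDID`, the `DID` type and the sample strings are names constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// DID holds the three parts listed above.
type DID struct{ Scheme, Method, ID string }

var (
	// Method names are lowercase letters and digits only.
	methodRe = regexp.MustCompile(`^[a-z0-9]+$`)
	// idchar = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded; segments are
	// separated by ":" and the last segment must be non-empty.
	idRe = regexp.MustCompile(`^(?:(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})*:)*(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})+$`)
)

// ParseDID splits a DID into its parts and rejects anything outside the DID
// syntax, including DID URLs that carry a path, query or fragment.
func ParseDID(s string) (DID, error) {
	parts := strings.SplitN(s, ":", 3)
	if len(parts) != 3 || parts[0] != "did" {
		return DID{}, fmt.Errorf("not a DID: %q", s)
	}
	if !methodRe.MatchString(parts[1]) {
		return DID{}, fmt.Errorf("invalid method name: %q", parts[1])
	}
	if !idRe.MatchString(parts[2]) {
		return DID{}, fmt.Errorf("invalid method-specific identifier: %q", parts[2])
	}
	return DID{parts[0], parts[1], parts[2]}, nil
}

func main() {
	// Constructed sample inputs: one valid DID, one bad method, one DID URL.
	for _, s := range []string{"did:example:123456789abcdefghi", "did:Example:123", "did:example:abc/path"} {
		d, err := ParseDID(s)
		fmt.Println(d, err)
	}
}
```

Validating the string before resolution lets a Verifier refuse malformed identifiers, and methods it does not support, without contacting any registry.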
Structure of a DID Document:
A DID text string gets resolved to a DID Document, which contains the public keys and a set of API endpoints used to interact with the Subject (see image below).
The structure of a Verifiable Credential consists of an array of VCs and a Signature Proof that an Identity Holder can present to a Verifier for having his/her VC verified.
As you can see in the diagram above, a VC contains the metadata about the credential (who issued it, when it would expire, what the public key for the Issuer is), the credential itself (what has been issued from an Issuer A to an Identity Holder B, like a statement that B is above 18 years of age), and Proof (proof produced by B in his wallet that proves that his age is above 18; the proof also contains the signature of B). This proof is then verified by the Verifier to validate the authenticity of the credential presented by the Identity Holder.
Verifiable Credentials Blockchain
So, what is the role of blockchain in all this? It is the public keys of the DIDs of the Issuer and the Holder of the VCs that get stored on the blockchain along with the proof prepared by the holder for his/her Verifiable Credentials. The Verifiable Credentials that carry the personal details of the user (his age, educational qualification, driving license, etc.) are kept off the blockchain. This way the personal details of the user are secured from anyone else’s reach.
Why Verifiable Credentials and DIDs?
The biggest advantage of this SSI-based model is that the Holder or the Subject of the Identity can share with others only the information that he intends to. For example, when he needs to present a VC regarding his age, he can share only his age proof without revealing other details such as his actual date of birth, his address, or anything else that he wants to hide from others. The Holder’s wallet prepares proof of his age without revealing anything else about the Holder. So when this “zero-knowledge” proof is presented to the Verifier, the Verifier learns nothing beyond the proof of age presented to it. It cannot even know the Holder’s actual date of birth.
This way, the Holder’s privacy is kept intact. What could be a more secretive way of sharing information with others?
Verifiable Credential Issuance and Verification Process
Now that you are aware of the underlying terms and technology for a Verifiable Credential, let us see how the process takes place from the beginning to the end. Let us understand with a scenario: Holder requires a Verifiable Credential of his age so that he can vote for his favorite candidate in the elections.
- The Holder with the digital wallet creates his/her DID in the wallet.
- The Holder shares this DID with an Issuer which is a government authority that issues National IDs with the age of the user on the ID.
- The Issuer uses Holder’s DID to connect to his/her wallet; signs Verifiable Credential with its (Issuer’s) private key and assigns it to the Holder.
- The Holder stores the VC in his wallet.
- The Holder approaches the Verifier (the agency holding elections) to vote for his favorite candidate. Meanwhile, the Verifier has already prepared its policy regarding acceptance of only those Verifiable Credentials that have been issued from reputed Issuers (the trusted ones).
- The Verifier sends its policy to the wallet agent of the Holder; the policy verifies if the Holder carries the valid Verifiable Credential. Generally, the Verifier sends a QR code to the Holder’s wallet. The Holder scans this QR code and is prompted to present the VCs. The agent presents the VCs to the Verifier.
- The Verifier makes a set of verifications: VCs have been issued from a tested issuer, the VCs are signed with an authentic signature, credentials are not revoked or expired, and several other verifications as laid down in its policy.
- The Verifier will also agree to the conditions laid down by the holder.
- The VCs are now verified and the Holder proceeds for voting.
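The Verifier's checks from the steps above (trusted issuer, signature, revocation, expiry), as an added Go example that is not code from any wallet or W3C library. The `Credential` and `Registry` types, the payload encoding, the choice of Ed25519 and the `did:example:` values are assumptions constructed for illustration; the policy and QR-code exchange is left out.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Credential and Registry are simplified stand-ins (assumptions) for a VC and
// the Verifiable Data Registry; they are not the W3C data model.
type Credential struct {
	ID, Issuer, Subject, Claim string
	Expires                    int64 // Unix seconds
	Sig                        []byte
}

type Registry struct {
	IssuerKeys map[string]ed25519.PublicKey // trusted issuer DID -> public key
	Revoked    map[string]bool              // revoked credential IDs
}

// payload is the signed byte string; %q keeps field boundaries unambiguous.
func (c Credential) payload() []byte {
	return []byte(fmt.Sprintf("%q%q%q%q%d", c.ID, c.Issuer, c.Subject, c.Claim, c.Expires))
}

// Verify applies the Verifier's checks and rejects on the first failure.
func Verify(c Credential, r Registry, now int64) error {
	pub, ok := r.IssuerKeys[c.Issuer]
	switch {
	case !ok:
		return errors.New("issuer not trusted")
	case !ed25519.Verify(pub, c.payload(), c.Sig):
		return errors.New("bad signature")
	case r.Revoked[c.ID]:
		return errors.New("revoked")
	case now >= c.Expires:
		return errors.New("expired")
	}
	return nil
}

// Demo issues one constructed credential; returns it, a registry and a clock value.
func Demo() (Credential, Registry, int64) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	vc := Credential{ID: "vc-1", Issuer: "did:example:gov", Subject: "did:example:holder", Claim: "over18", Expires: 2000}
	vc.Sig = ed25519.Sign(priv, vc.payload()) // the Issuer signs with its private key
	return vc, Registry{IssuerKeys: map[string]ed25519.PublicKey{vc.Issuer: pub}}, 1000
}

func main() { fmt.Println(Verify(Demo())) }
```

Because the issuer lookup comes first, a credential naming an unknown issuer is rejected before any signature is evaluated, and a claim altered after issuance fails the signature check even though every other field is intact.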
Verifiable Credential Use Cases
Verifiable Credentials, in today’s world, can find innumerable use cases. One of these is for voting which you have already gone through in the previous section. Now, we shall read about a few more that could find real use in the modern world.
- Health Care: A diagnostic centre, after carrying out the required tests, can issue a medical record to the patient’s wallet. The patient can then show this record to a medical Practitioner to seek medical advice on his condition.
- Education: An educational institute issues a VC in the form of a degree to the student, who then presents this record to an employer. The employer, after successful interview sessions, verifies the degree and gives him the job.
- Bank: The government, as an Issuer, issues you the passport credentials (that carry your address and your face ID). You approach a bank to open a new account. So, you show your passport credentials stored in your digital wallet on your mobile to the bank personnel. After verifying that the credential came from the government, the bank trusts that your information is authentic. The bank personnel, in turn, opens an account for you and transfers this account credential to your wallet.
- Finance: You approach a fintech and request it to issue a credit score so that you can apply for a loan. The fintech makes the necessary background checks on you and then issues a Verifiable Credential (which is a credit score) to your wallet. You then approach a financial organization to apply for a loan. The institute, after verifying your credit score, grants you the loan.
Advantages of Verifiable Credentials
By now, you must have got an idea of how important a Verifiable Credential is for the participants in the ecosystem. Let us have a look over a few of these again:
- Cryptographically Verifiable: The VCs can be verified using protocols based on cryptography, thus rendering them with a layer of security.
- User has full control: The user, unlike present scenarios, has full control over with whom to share their credentials and how much to share. This eliminates the need for any centralized authority who can pester him/her for using them as per some pre-determined rules laid down by that authority. The full sovereignty goes to the credential user only.
- Beneficial for Issuers and Verifiers: For both of these, the Issuance (for Issuers) and Verification (for Verifiers) becomes a quick and easy process. This saves a lot of time on both sides.
- As the user’s sensitive data is never published on the blockchain, the user’s privacy is ensured.
- Verifiable Credentials are tamper-resistant as they are created using cryptography.
- Verifiers can trust the Issuers and this makes the verification process easy and more accurate.
- VCs are lightweight; one can carry them in a mobile wallet all the time, without the issues encountered with physical certificates: the threat of their getting stolen, destroyed or misused by third parties is eliminated to a great extent. No matter where you go, if you have your mobile with VCs in the wallet app, you can present them to the concerned people whenever required. More than one VC can be stored in the wallet apps.
By now, you must have got an idea of what verifiable credentials are.