
Solo Study | Mastering Self-Sovereign Identity — Core of the SSI Architecture (1/2), the VC

normalstory

 

Overview of Credentials

Filling in details on web forms is time-consuming, error-prone, and easy to abuse from a privacy standpoint.
Now that VCs have become a fully open W3C standard, users can convert today's physical credentials into digital VCs, carry them on their phones, tablets, laptops, and other devices, and use them online with just a point and a click.

 

Verifiable Credentials Data Model v1.1


www.w3.org




Attribute

Terms used with similar nuance to "attribute"...

 

 


VC Components

(not yet a standard,..)
Issuer
The entity that issues a VC to the user. In most cases the user is the subject, but in some cases that is not so. For example, if the subject is a pet cat and the VC is a vaccination certificate, the issuer issues the VC to the cat's owner.
Subject
The entity whose attributes are stored in the VC. The subject can be anything that has identity — a person, an organization, something human-made, something natural, something logical, etc.
Holder
The entity that currently holds the VC and presents it to the verifier. In most cases the subject and the holder are the same, but as we saw with the prescription and the cat example above, that is not always the case.
Verifier
The entity that receives the VC from the holder and provides a benefit (service) to the subject.

Wallet
The entity that stores the holder's VCs. In most cases the wallet is integrated into the holder's agent, but the model also allows for remote wallets such as cloud-storage wallets.

Holder's agent
Software that interacts with the VC ecosystem on behalf of the holder. This may be an app loaded on a phone or a program that runs on a laptop.

Verifiable data registry
Conceptually, an internet-accessible store containing all the essential data and metadata that supports the operation of the VC ecosystem.

Examples of the kinds of data and metadata that can be stored in a verifiable data registry
-> The issuer's public key
-> A schema or ontology for every attribute a VC can contain
-> The revocation list of revoked VCs
-> The subject attributes that the issuer claims authority over

 

 

 

VC Architecture

User (holder)-centric VC architecture

Today: federated identity management (FIM) architecture
-> IDP-ecosystem-centric
-> The user first connects to the service provider, then is redirected to the IDP to log in. After that, they are redirected back to the service provider, which receives the user's ID attributes that the IDP forwards.

Going forward: VC architecture
-> User (holder)-centric
-> Message-based protocol DIDComm: peer-to-peer (P2P) communication between users without going through a central party
-> In a VC architecture there are no web-based redirections within the defined federation. The user as a holder receives a VC from an issuer and uses it independently with any verifier that accepts it.

 

 






Standardization

The data model types defined by the W3C Verifiable Claims Working Group
- A data model definition for VCs
- A data model for the VC, which is the credential the issuer provides to the holder
- Verifiable presentation (VP) data model — a collection of credentials the holder can present to a verifier
- A syntactic representation of the data model (serialization, a representation that both humans and computers can read)
-> A way to represent the data model using JSON-LD (JSON Linked Data) syntax
-> A way to represent the data model using JWT (JSON Web Tokens) syntax

 

 

 

 

VC Properties

The structure of a basic VC, showing the metadata components, claim components, and proof components.
A set of claims.
A VC may optionally be included by the holder in a VP.

Basic structure of a VC
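
The three parts of a VC (metadata, claims, proof) and the registry data listed under "VC Components" (issuer public key, revocation list) come together in the verifier's check. The sketch below is an added example, not code from the W3C specification or the book; the identifiers, the proof type name and the plain `JSON.stringify` signing input are assumptions made to keep it short.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed issuer key pair and identifier (hypothetical, for illustration only).
const issuerKeys = nodeCrypto.generateKeyPairSync("ed25519");
const ISSUER = "did:example:vet-clinic";

// Stand-in for the verifiable data registry: issuer public keys and revocation list.
const registry = {
  publicKeys: new Map([[ISSUER, issuerKeys.publicKey]]),
  revoked: new Set(),
};

// Bytes covered by the proof: the whole VC except the proof itself.
// Simplification: real VCs sign canonicalized JSON-LD or a JWT, not raw JSON.stringify.
function signedBytes(vc) {
  const { proof, ...unsigned } = vc;
  return Buffer.from(JSON.stringify(unsigned));
}

// Issuer side: metadata + claims, then a proof over both.
function issueVC(id, claims, expirationDate) {
  const vc = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    id, type: ["VerifiableCredential"], issuer: ISSUER,
    issuanceDate: "2024-01-01T00:00:00Z", expirationDate,
    credentialSubject: claims,
  };
  const sig = nodeCrypto.sign(null, signedBytes(vc), issuerKeys.privateKey);
  // "ExampleEd25519Proof" and "signatureValue" are placeholder names, not a registered suite.
  return { ...vc, proof: { type: "ExampleEd25519Proof", signatureValue: sig.toString("base64") } };
}

// Verifier side: needs only the presented VC and the registry, never the issuer.
function verifyVC(vc, now = new Date()) {
  const key = registry.publicKeys.get(vc.issuer);
  if (!key) return "unknown issuer";
  const sig = Buffer.from(String(vc.proof?.signatureValue ?? ""), "base64");
  if (!nodeCrypto.verify(null, signedBytes(vc), key, sig)) return "bad signature";
  if (registry.revoked.has(vc.id)) return "revoked";
  if (new Date(vc.expirationDate) <= now) return "expired";
  return "ok";
}

// The page's example: the subject is a pet cat, the holder is its owner.
const catVC = issueVC("urn:example:vc:1", { id: "did:example:cat", vaccine: "rabies" }, "2999-01-01T00:00:00Z");
console.log(verifyVC(catVC));
```

The signature is checked before revocation and expiry so that those fields are only trusted once the VC is known to be unmodified.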

refreshService : for VCs that are designed to have a limited lifetime.
- id: a URL where a refresher can obtain a freshened VC
- type: the type of refresh service, controlling other properties that need to be included in the refreshService property.

Dispute
: the DisputeCredential property

- Used when the issuer holds outdated information about the subject, when in that process a legitimate subject wants a previous VC revoked, or when the issuer is slow to respond.

Inclusion of a Terms-of-Use URL

Setting an assurance level for the claims inside the VC

- the evidence property
- level of assurance, LoA (4 levels)

 

 

 

 

 

VP Properties

A verifiable presentation (VP) is one way for a holder to combine multiple VCs and send them to a verifier.
A collection of VCs.

Basic structure of a VP

Differences from a VC
- There is no issuer property.
- The id property is optional. It is only needed when the holder later wants to make this VP uniquely identifiable




Extensibility and Schemas

- VC is an open model
- Uses JSON-LD syntax and the built-in @context extension mechanism

- A globally unique entity identifier — designating an Object Identifier (OID) label

In VC encoding, include @context for the VC, what type of VC it is, and what schema the VC uses.




Zero-knowledge proof, ZKP

A class of cryptographic algorithms or protocols intended to allow proving knowledge of a particular secret value, such as a password, without revealing the secret itself.

How it works (it can do one or more of the following)
-> Provide verification of claims in a VC without the issuer being involved or needing to know who the verifier is (i.e., a digital signature)
-> Provide verification of claims in a VC while protecting the holder's privacy
-> Allow selective disclosure of certain claims in a VC without revealing the content or even the existence of other claims
-> Allow a derived claim (over 18) to be presented to the verifier instead of providing the full claim (date of birth)
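
The definition above (proving knowledge of a secret without revealing it) can be seen in its simplest form in a non-interactive Schnorr proof. This is an added example, not code from the page or the book, and Schnorr is not one of the algorithms the page lists; the tiny group parameters (p, q, g) are assumptions chosen for readability and offer no security.

```javascript
const { createHash, randomInt } = require("node:crypto");

// Toy group, for readability only: p = 2q + 1 with p, q prime; g has order q.
// Real systems use groups of roughly 256-bit order (elliptic curves).
const p = 2039n, q = 1019n, g = 4n;

// Square-and-multiply modular exponentiation on BigInt values.
function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Fiat-Shamir: the challenge is a hash of the public values, so the prover
// needs no round trip with the verifier (non-interactive).
function challenge(y, t) {
  const digest = createHash("sha256").update(`${g}|${y}|${t}`).digest("hex");
  return BigInt("0x" + digest) % q;
}

// Prover: knows the secret x behind the public value y = g^x mod p.
function prove(x) {
  const y = modPow(g, x, p);
  const k = BigInt(randomInt(1, Number(q))); // fresh random nonce for every proof
  const t = modPow(g, k, p);                 // commitment
  const s = (k + challenge(y, t) * x) % q;   // response; k masks x
  return { y, t, s };                        // x itself is never sent
}

// Verifier: accepts if g^s == t * y^c (mod p), which only holds when the
// prover knew x; the transcript (y, t, s) does not reveal x.
function verifyProof({ y, t, s }) {
  const c = challenge(y, t);
  return modPow(g, s, p) === (t * modPow(y, c, p)) % p;
}

const proof = prove(123n); // 123n is a constructed secret
console.log(verifyProof(proof));
```

Reusing the nonce `k` across two proofs lets anyone solve for `x`, which is why it is drawn fresh inside `prove`.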

Some such algorithms
zk-SNARK : a proof architecture that lets you prove ownership of certain knowledge — such as a secret key — without revealing the knowledge and without interacting

 

zk-SNARK


messari.io

zk-STARKs : like zk-SNARKs, a type of non-interactive ZKP, but the proof size is larger and verification takes longer

 

STARK - Starkware

STARK is a proof system. It uses cutting-edge cryptography to provide polylogarithmic verification resources and proof size.

starkware.co

Bulletproofs : short non-interactive zero-knowledge proofs that require no trusted setup. Bulletproofs can be used to convince a verifier that an encrypted plaintext is well formed.

 

Bulletproofs | Stanford Applied Crypto Group


crypto.stanford.edu

Ring signatures : a type of digital signature that can be performed by any member of a group of users, each of whom has a key

 

Ring Signatures And Anonymisation


medium.com

 

 

 

 

Protocols and Deployment

The NASCAR problem
A common phenomenon in today's web and apps where the login page of a website ends up listing many login options — Facebook login, Google login, LinkedIn login, and so on.

Case 1) Digital Bazaar
- A Credential Handler API 1.0 for websites is in progress

 

Credential Handler API 1.0


w3c-ccg.github.io


- A video demo of this process


Case 2) FIDO (Fast Identity Online) : a user authentication framework proposed to address the problems of passwords
- In this ecosystem the VC is kept on the user's phone and is linked to a FIDO key used for pairwise authentication with the verifier.

 

FIDO Alliance - Open Authentication Standards More Secure than Passwords

FIDO Alliance is focused on providing open and free authentication standards to help reduce the world's reliance on passwords, using UAF, U2F and FIDO2.

fidoalliance.org




https://www.aladin.co.kr/shop/wproduct.aspx?ItemId=290964757

 

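Mastering Self-Sovereign Identity (마스터링 자기주권신원)

Covers how to be issued digitally signed credentials through self-sovereign identity, store them in a personal digital wallet, and use them to prove your identity securely online.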

www.aladin.co.kr

 

This English version was translated by Claude.

Written by
친절한 찰쓰씨

Pleasant Charles — UI/UX researcher at AIT. Keeping notes on design, planning, and slow days here since 2010.
