Verifiable credentials (VCs) are an open standard for digital credentials. They can represent information found in physical credentials, such as a passport or license, as well as new things that have no physical equivalent, such as ownership of a bank account. They have numerous advantages over physical credentials, most notably that they're digitally signed, which makes them tamper-resistant and instantaneously verifiable. The security of verifiable credentials has been questioned. Verifiable credentials have also been subject to usability concerns. Verifiable credentials can be issued by anyone, about anything, and can be presented to and verified by everyone. The entity that generates the credential is called the ''Issuer''. The credential is then given to the ''Holder'' who stores it for later use. The Holder can then prove something about themselves by presenting their credentials to a ''Verifier''.


Trust Model

The holder of a verifiable credential sits at the center of a triangle of trust, mediating between issuer and verifier.

* The issuer trusts the holder
* The holder trusts the verifier
* The verifier trusts the issuer

Any role in the triangle can be played by a person, an institution, or an IoT device. Note that because verifiable credentials can be created by anyone, the person or entity verifying the credential decides whether they trust the entity that issued it. It is like a shop clerk deciding whether to accept an out-of-state license as proof of age when purchasing alcohol.


Decentralization

The VC model places the holder of a credential at the center of the identity ecosystem, giving individuals control of their identity attributes. The W3C VC model parallels physical credentials: the user holds cards and can present them to anyone at any time without informing or requiring the permission of the card issuer. Such a model is decentralized and gives much more autonomy and privacy to the participants. This contrasts with the federated identity management (FIM) model, as adopted by SAML and OpenID Connect, which places the identity provider (IdP) in the central role as the dispenser of identity attributes and the determiner of which service providers (SPs) it will give them to. In the federated model, the IdP knows every SP that the user visits.


Verifiable Credentials Data Model 1.0

The data model for verifiable credentials is a World Wide Web Consortium (W3C) Recommendation, "Verifiable Credentials Data Model 1.0 - Expressing verifiable information on the Web", published 19 November 2019.


Composition

Verifiable Credentials may be expressed using JSON and are typically composed of:

* Context
* Issuer
* Issue timestamp
* Expiry timestamp
* Type
* Subject
* Subject identity attributes
* Cryptographic proof to ensure the integrity and authenticity of the VC


Aliases

The VC context, defined using the @context JSON property, is a JSON-LD construct that allows user-friendly terms to be used for JSON properties. According to the VC data model, the value of many properties must be a URI. Whilst URIs are globally unambiguous (important for a global data model), they are not user-friendly. Consequently, the @context property allows short-form, user-friendly aliases to be defined for each URI. This makes it much easier, and more user-friendly, to specify VCs. An example is given below.

W3C VCs are extensible. Any new property can be added to VCs, as determined by the issuer. Standard properties have been defined specifically as extension points. These include the following:

* terms of use - restrictions placed on the use of the VC by the issuer
* schema - defines VC contents
* evidence - information collected by the issuer about the subject and/or attributes before issuing the VC
* status - pointers to where a verifier can discover the status of a VC (e.g., whether it has been revoked)


Subject

The holder of a VC does not always have to be the subject of the credential. It is expected that most users will hold their own VCs, i.e., the holder and the subject will be the same entity. This need not always be the case. For example, when the VC subject is an infant, and the VC is a birth certificate, the holder may be one or both parents.


Proofs

No proof mechanism is standardized, but the data model is flexible enough to support various existing cryptographic mechanisms, such as digital signatures. Proof mechanisms that are in use include: JSON Web Tokens with JSON Web Signatures, JSON-LD proofs, and zero-knowledge proofs using schemes such as IBM's anonymous credentials.


Transport

Various protocols are specified for carrying VCs from the issuer/IdP to the holder, and from the holder to the verifier. Examples include:

* Aries RFC 0036: Issue Credential Protocol 1.0, and Aries RFC 0037: Present Proof Protocol 1.0
* David W Chadwick, Romain Laborde, Arnaud Oglaza, Remi Venant, Samer Wazan, Manreet Nijjar, "Improved Identity Management with Verifiable Credentials and FIDO", IEEE Communications Standards Magazine, Vol. 3, Issue 4, Dec 2019, pp. 14–20

None of these protocols has become standardized. Many people who are experimenting with VCs use HTTPS to carry VCs between the various parties.


See also

* Decentralized identifiers

