verifiable credentials

Enterprise 2023-08-18 22:56:42 views: null

The essence of decentralized identity is to transfer the practicality and portability of physical identity credentials to our digital devices, that is, verifiable credentials (Verifiable Credential) .

1 What is a Verifiable Credential?

Verifiable credentials, let's start with the English meaning, what exactly does Credential mean? Let's look at the definition given by Youdao Dictionary:

Obviously refers to the certificates we carry with us to prove our identity, such as: driver's license, ID card, etc.;

But credentials can be extended to any set of information, so long as some authority claims to be true about the subject of those credentials. for example:

  • Birth certificate issued by the hospital, which can prove the holder's birth time, place and parents;

  • A degree certificate issued by the university attesting to your degree;

  • A passport proving that you are a legal citizen of the country;

  • A full pilot's license certifying that you are authorized to fly an aircraft;

Of course, the certificates we exemplified are all based on people, and pets can also be used as the main body. The pet hospital can issue a verifiable certificate on pet vaccination.

Each credential contains a set of claims about the subject of the credential. These claims are made by a single authority, known as the issuer of the certificate in verifiable certificates, and the entity (individual, organization, thing) of the certificate certificate is called the holder of the certificate.

Claims in credentials can say anything about the subject, such as attributes (age, height, weight, etc.), relationships (father, mother, employer, citizenship, or other), rights (medical benefits, library privileges, membership rewards, legal rights, etc.).

To be considered a credential, the claims in the credential must be verifiable in some way. This means that the verifier can determine the following:

  • who issued the certificate;

  • Has not been tampered with since posting;

  • The certificate has not expired or been revoked.

In some physical vouchers, this is usually achieved by:

(1) Some proof of authenticity embedded directly in the credential (such as a watermark, hologram or other special printing features) or by declaring an expiration date.

(2) It can also be done by checking directly with the issuer that the certificate is valid, accurate and up-to-date.

But this manual verification process can be difficult and time-consuming. This is also an important reason why there is a black market for fake credentials worldwide .

This brings us to a fundamental VC advantage: Using cryptography and the internet (and standard protocols), they can be digitally verified in seconds or even milliseconds.

This verification process answers four questions:

  • Does the credential contain the data required by the verifier in the standard format required by the verifier?

  • Does it contain a valid digital signature from the issuer (thus establishing its origin and not being tampered with in transit)?

  • Is the credential still valid - i.e. not expired or revoked?

  • If applicable, does the certificate (or its signature) provide cryptographic proof that the certificate holder is the subject of the certificate?

With the above questions in mind, let's take a look at W3C's verifiable credential data model.

2. W3C Verifiable Credentials Data Model

The W3C DID working group proposes a simple and effective reference model for verifiable digital certificates


The corresponding Chinese flow chart is:

There are three main user roles in this model.

1. Certificate Issuer

The person issuing the certificate can be an individual or an institution. The certificate issuer actually issues a certificate to the public key of the person who will hold the certificate, and uses its own private key to carry out digital signature. In this way, when the certificate holder presents the certificate, he also needs to use a digital signature method to prove that he is indeed the owner of the public key of the certificate issuer (this is a very common digital signature verification method).

The certificate is digitally signed by the certificate issuer. Therefore, anyone can instantly verify whether the certificate is valid by using the digital signature verification method. Any tampering with the certificate will cause the digital signature to become invalid . Since the holder's public key needs to be known when the certificate is issued, in general, the certificate holder first applies to the issuer, and provides its own public key and the digital signature certificate that owns the public key when applying, and issues the certificate. Other evidence and data that people need. The issuer will verify the data, and after confirming that it is correct, a certificate can be generated and sent to the certificate holder. This process is actually very close to the process of applying for a passport in real life. When you apply for a passport, you first need to provide some materials that can prove your identity, such as ID card, and the information required by the passport, such as photos and occupations, so that the government department will print a passport that belongs only to you and issue it to you.

2. Certificate Holder

After applying for a certificate through the above process, the certificate holder needs to be responsible for keeping his own certificate. Usually these certificates exist in digital form and can be downloaded and saved. Some advanced digital wallet systems have complete digital certificate storage and management functions .

In most cases, the responsibility for keeping the certificate lies with the certificate holder, and the certificate issuer can decide whether to keep a copy of the issued certificate.

If the certificate holder loses the certificate or the private key used to prove his identity, he can only apply for a new certificate again. When a certificate needs to be verified, the certificate holder is responsible for providing a digital certificate and providing a digital signature to prove that he owns the public key of the certificate issuer.

Take the passport as an example to understand the above process: when you receive the passport, you are responsible for keeping the passport; when you need to use the passport, such as when applying for a visa from another country, you need to show the passport.

3. The certificate verifier.

The verifier of the certificate only needs to use the digital signature algorithm to verify the identity of the certificate holder. Verifying the correctness of the digital certificate can basically determine the authenticity of the certificate and the legitimacy of the certificate.

Usually the certificate also contains some meaningful information, such as the validity period, which is also the basis for judging the authenticity of the certificate.

Also take the passport as an example to understand: your passport has a series of information about you, including your photo, name, etc. When you apply for a visa from another country, the visa office of the embassy or consulate of the other country is the verifier.

Like other digital certificates, truly practical verifiable digital certificates are nested, that is, a digital certificate may often need to reference or even contain other digital certificates.

Verifiable digital certificates can be nested and included to form a verification chain

This sounds a little confusing at first, but still take passports and visas as examples: in fact, passports and visas are both a kind of certificate. When the visa office issues you a new certificate of visa, you will first need to verify your passport certificate, and then the visa certificate. The certificate usually contains your personal information and passport information. When you use a visa to enter the country, the immigration department will not only verify your visa, but also verify your passport. Only when they pass the verification and the information matches can they be released.

trust triangle

There is a trust triangle relationship between the certificate holder, the issuer and the verifier.

Note that the trust triangle only describes one aspect of a business transaction. In many business transactions, both parties request information from each other. So in a single transaction, both parties play the role of holder and verifier . In addition, many business transactions result in the issuance of new vouchers from one party to the other, or even two new vouchers, one in each direction.

1. The consumer wants to verify that the travel company has bankruptcy insurance.

2. The travel site wants to verify that the consumer is 18 or older.

3. After payment, the travel website sends the ticket to the consumer.

4. After the trip, consumers confirm that they are satisfied customers of the travel company.

Each of these pieces of information can be transmitted as a VC with a digital signature from the issuer. It shows how both parties intermittently execute all role triangles in a trust.

3. Scenario Example: Application for Verifiable Credentials

The following scenario shows how Alice first obtains government ID credentials, then employment credentials from her employer (IBM), and finally applies for a bank account.

1. Alice contacts a government identity agency, which asks for proof of her identity. This assumes that Alice already has a mobile wallet and credentials that some government ID agency will accept, such as a student ID.

2. Alice receives her government ID credential. Once the government ID agency verifies Alice's proofs and confirms that they meet the government's policy for issuing ID credentials, the credential is issued to Alice's edge agent.

3. Alice contacts her employer, who requests proof of her government ID credentials. This step is usually performed as part of the new employee's onboarding to Alice (a legal requirement in some jurisdictions). Employers can save money digitally.

4. Alice has received her employment certificate. Once the employer's entry policy is satisfied, the employer issues Alice her new employment certificate.

5. Alice establishes a connection with the bank where she wants to open a new account. Note that Alice can do this by scanning a QR code anywhere she might encounter a bank invitation: on a bus, on the subway, in a newspaper ad, in an email, on the bank's website, or elsewhere.

That's all for today, next time I will follow W3C's verifiable credential data model analysis.

Guess you like

Origin blog.csdn.net/koudan567/article/details/125130399
Recommended
NetBSD bans submission of code generated by AI
Ranking
Talk dubbo of LRUCache
Chapter 1 Learning Summary
Introduction to Virtualization
pytorch 调用lstm
Six modules
[8086] The natural number of 1 to 36 into a 6x6 two-dimensional array of line-sequentially, and then print out the lower left half of the triangular array
mybatis mapper mapping file $ # {} {} understanding and
C language input and output buffer
c language floating-point input and output
andorid P version compatible, refer to Huawei
Daily
More
2024-05-18(31)
2024-05-17(6)
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)

Code World

© 2018 codetd.com