Hi, I’m Michael Burchill and you might remember me from such rants as “Putting math problems on Facebook hurts everyone” and “If you want my data at least buy me lunch first!". Today I want to talk about a topic that is receiving some discussion in non-technical circles and way too much discussion in technical circles: Verifiable Credentials (VCs).
In its simplest form, a Verifiable Credential is a document that can be reliably traced back to its source and validated as genuine.
Yes, it’s a thing and you want this thing. It’s a good thing for you and for the companies and institutions you deal with.
This is where things start to get interesting. Before getting into the technical details, and I will get there, let’s review a scenario. Let’s say you’re a business or homeowner who has just experienced a fire due to a malfunctioning gas stove. The stove in question was repaired several times in the past and under the terms of your insurance, these repairs must be performed by a certified technician.
Wouldn’t it be useful to provide immutable proof to the insurance company that could immediately show that this work was performed by a technician whose credentials were in good standing? Proof that anyone could validate? This would remove some of the burdens and costs that come with insurance fraud. Burdens that are passed on to customers every day. As a result:
• The customer gets paid sooner.
• The insurance company has greater confidence in the claim.
In a VC world, people, assets and organizations have a Decentralized Identifier (DID). A DID is a unique identifier not containing any personally identifiable information. They are publicly available and owned by the person, asset, or company. So based on the above scenario here are some DIDs that would exist:
• The training provider that certified the gas appliance technician.
• The certified gas technician and his role at the company.
• The repair company who employs the technician.
DIDs are then used to digitally sign a claim about a person, asset, or company. The issuer digitally signs the document using their DID. These signatures cannot be tampered with, and, as a result, the claims can be trusted immediately.
So now I can quickly verify that:
• The Gas Technician License was signed by a recognized institution that trains gas technicians.
• The Gas Technician's License was in good standing at the time of repair.
The how is the most important part. As part of the standards around Verifiable Credentials there are the concepts of Expiry, Revocation, Resolution & Verification.
Expiry - When a Verifiable Credential is issued, its expiry date can be set. Once this date has passed, the credential will need to be re-issued or it can no longer be used.
Revocation - The Verifiable Credential can be revoked by the central authority (the organization that issued the credential) and once this is done, it can no longer be used.
Resolution - The DIDs in the Verifiable Credential must be resolvable. Using a very similar method to how the World Wide Web uses the address www.credivera.com to find the world's most useful and inventive company, VC Wallets are able to “resolve” the DID that is supplied with a credential. If they cannot resolve the DID, the credential is immediately rejected because the signing DID is not what and where the credential says it is. I don’t want to get technical here, but some DID methods use DNS (The internet standard method of mapping names to devices) and some do things like write to a blockchain where the DID can also be quickly referenced.
Verification - Checking the Verifiable Credential for validity. Once the DID has been verified, the credential can be examined for expected outcomes such as ‘has the credential expired’. These verifications are built right into the web standard, making them compatible with modern software systems and giving the reader instant confirmations of the expiry dates or whether or not the credential has been revoked. Links to the reference standards can be found at the bottom of this blog.
Now, with all this information, the receipt or invoice the customer gets from RepairCo would be part of a Verifiable Presentation. The presentation is a collection of Verifiable Credentials. If you were to receive a paper receipt, like the one below, you could scan the included QR code and it would take you to the Verifiable Presentation.
That invoice and presentation could look like the example below.
There are a couple of important things to note here:
1. The QR Code is just a link to the Verifiable Presentation. There is no data in the QR Code, so it therefore cannot be meaningfully counterfeited.
2. The basic validity checks associated with these Credentials and Documents are built into the standard. When compatible software views these Credentials, rejection or acceptance is automated.
As a workforce identity solution, Credivera verifies a worker's ability to perform their job. These verifications include background checks, education, training, certifications and memberships. What is unique to Credivera is that all those checks are live and able to provide a status in real time. Credivera digital credentials are for high-risk workers, across construction, manufacturing, energy and transportation.
I hope this helped to you learn a bit about Verifiable Credentials and Documents. We’ve become so good at creating information that we now need a way to validate its authenticity.
Though we do have a long way to go with Verifiable Credentials, I recommend embracing them as a solid way forward even at this stage in the game. I have no doubt that we’ll be arguing about standards and which one is best for years to come. Where adoption is concerned, keep your standards open and your expectations of a first-generation solution realistic and you should see extraordinary gains.
I’ll keep using this blog to advise, rant and complain.
About the author: A good intentioned curmudgeon with an extensive background in IAM spanning almost two decades. Michael is passionate about solutions that work and make the complexities of a connected world manageable and secure.