Skip to main content

Fundamentals of Verifiable Credentials

Overview

A credential is a piece of any document that details a qualification, competence, or authority issued to an individual by a third party with the relevant authority to do so. Because credentials are typically issued by authorities that hold the public's trust, credentials are often used to support proof of an individual's qualification or competence for a given subject.

Credentials in the real world

In the physical world, a credential might consist of:

  • Information related to identifying the subject of the credential (for example, a photo, name, or identification number)
  • Information related to the issuing authority (for example, a city government, national agency, or certification body)
  • Information related to the type of credential this is (for example, a Dutch passport, an American driving license, or a health insurance card)
  • Information related to specific attributes or properties being asserted by the issuing authority about the subject (for example, nationality, the classes of vehicle entitled to drive, or date of birth)
  • Evidence related to how the credential was derived
  • Information related to constraints on the credential (for example, expiration date or terms of use)

A verifiable credential can represent all of the same information that a physical credential represents. The addition of technologies, such as digital signatures, makes verifiable credentials more tamper-evident and more trustworthy than their physical counterparts.

Why are Verifiable Credentials Needed?

It is currently difficult to express education qualifications, healthcare data, financial account details, and other third-party verified machine-readable personal information on the Web. The difficulty of expressing digital credentials on the Web makes it challenging to receive the same benefits through the Web that physical credentials provide us in the physical world.

The VC specification provides a standard way to express credentials on the Web in a cryptographically secure way, privacy respecting, and machine-verifiable.

Emerging Standard

Verifiable credentials allow for the digital proofing of user claims data through public-private cryptography, privacy-preserving, and semantic disambiguation techniques.

The VCs Data Model, defined at the W3C, is a universal data format that lets any entity express anything about another entity. It provides a common mechanism for the interoperable implementation of digital credentials that are cryptographically secure, tamper-evident, privacy respecting, and machine-verifiable.

A common standardized data model enables standardized credential packaging, cryptographic signing, and proof expression. This creates a VC ecosystem with interoperable credentials, allowing credentials to be processed and understood across and between disparate systems.

Ecosystem Overview

Here is a brief introduction to the key actors and their roles and relationships in an ecosystem where verifiable credentials could be used.

Holder

A holder is a role an entity might perform by possessing one or more verifiable credentials and generating verifiable presentations from them.

Example holders include students, employees, and customers.

Issuer

An issuer is a role an entity performs by asserting claims about one or more subjects, creating a verifiable credential from these claims, and transmitting the verifiable credential to a holder. Example issuers include corporations, non-profit organizations, trade associations, governments, and individuals.

Subject

A subject is an entity about which claims are made. Example subjects include human beings, animals, and things. In many cases, the holder of a verifiable credential is the subject, but in certain cases, it is not. For example, a parent (the holder) might hold the verifiable credentials of a child (the subject), or a pet owner (the holder) might hold the verifiable credentials of their pet (the subject).

Verifier

A verifier is a role an entity performs by receiving one or more verifiable credentials, optionally inside a verifiable presentation, for processing. Example verifiers include employers, security personnel, and websites.

Verifiable Data Registry

A verifiable data registry is a role a system might perform by mediating the creation and verification of identifiers, keys, and other relevant data, such as verifiable credential schemas, revocation registries, issuer public keys, and so on, which might be required to use verifiable credentials. Some configurations might require correlatable identifiers for subjects. Examples of verifiable data registries include trusted databases, decentralized databases, government ID databases, and distributed ledgers. Often there is more than one type of verifiable data registry utilized in an ecosystem.

The figure represents an example ecosystem to ground the concepts presented in this section of the 1Kosmos documentation.

Issuing and Verifying Credentials

There are four roles supported by verifiable credentials: Issuer, Verifier, Subject, and Holder.

Issuer

The entity that creates a claim and associates it with a particular subject.

Verifier

The entity verifying a claim about a given subject.

Subject

The entity about whom a claim is issued.

Holder

A role an entity may perform by possessing one or more verifiable credentials. A holder is usually, but not always, the subject of the verifiable credentials that they are holding. Holders store their credentials in credential repositories.

Tasks

Users of verifiable credentials have common needs across domains. Examples of tasks that issuing authorities, holders of a credential, and verifiers of a claim might perform are:

  • Issuing a claim
  • Asserting a claim
  • Verify a claim
  • Storing or moving a claim
  • Retrieving a claim
  • Revoking a claim