I recently co-authored a white paper about verifiable credentials, with the founder and CEO of the exciting Australian start-up, Verified Orchestration.

“Back to the Future — Revolutionising Digital ID with new technology and centuries old governance” (PDF) looks at how verifiable credentials enable whole ecosystems to digitise their established governance structures, contexts and rules, as well as their transactions.

This blog is a lightly edited extract from our full paper.

Photo credit: Sean Bernard, Flickr (Creative Commons Licence). 

Verifiable Credentials are new again

Verifiable Credentials have been around for a long time. You have more than likely used Verifiable Credentials without knowing it. They are commonplace, embedded in mobile phones, payment cards, e-passports, smart phones and smart watches.

The mobile phone SIM is an early example and provides a perfect explainer. The Subscriber Identification Module is both a special purpose integrated circuit and an administrative record. The SIM holds an official copy of your account information and your unique international subscriber number, all of which is digitally signed by your phone company.

The SIM also holds a unique cryptographic key which is used by the handset to digitally sign (in simple terms, “mark”) the start and stop of every call you make. This signature is verifiable by network operators globally and allows them to know which subscriber is making which call from what location, anywhere in the world.

The global cell phone network could not function without Verifiable Credentials.

The same goes for global credit card payments. The EMV chip card system replaced magnetic stripe cards long ago, which we were vulnerable to skimming and counterfeiting. Instead of a magnetic stripe card storing and passively transferring cardholder data to a terminal, the chip card carries a Verifiable Credential holding the cardholder data, a cardholder key, and the signature (i.e. endorsement) of the bank which issued the card. Every payment made with the chip card is signed (marked) by the cardholder key, rendering it tamper resistant and globally reconcilable.

Verifiable Credentials are a technology that puts instrumental pieces of information about individuals into the hands of those individuals and empowers them to present that information directly, purposefully and securely.

Verifiable Credentials are decentralised in that the information they carry is valid on its face and can be presented directly, peer to peer, without intermediation.

Verifiable Credentials and the identity problem

While Verifiable Credentials have been used for decades, they have been reenergised lately to help solve digital identity. SIMs and EMV cards are highly specialised, dedicated to singular applications, with proprietary standards overseen by industry associations, and bound to physical chips. Today, Verifiable Credentials are being standardised by several global working groups, with a view to extended use cases and applications.

Why the shift to Verifiable Credentials? The way we handle most identity information online has historically followed a distinctly centralised pattern. Instead of putting identity information in the hands the holder, we tend to keep ostensibly official copies in different servers where it sits waiting to be exercised on the holder’s behalf.

To put their digital identity to use, the holder has to activate it on the server somehow (usually by quoting a plaintext username and password) triggering a cascade of actions in their name. Internet banking, online shopping, remote workflows, e-health, e-government travel booking, ticketing and so on all follow the same pattern.

Centralised identity management is odd compared with regular credentials. Imagine if we handled driver’s licenses in the same way as current online identity: the motor vehicle registry would ask you to give your license back to them, and in its place issue you a username and password to access it and release it whenever you happen to need it.

The online world has followed this unreal pattern ever since the “Identity Metasystem” was published in 2006, promoting the canonical arrangement where a Subject and a Relying Party deal with each other via a third-party Identity Provider.

The three-party model is entirely reasonable with respect to the way authoritative information about parties is sourced, however the Identity Metasystem also dictated that most interactions would draw down identity information in real time. That’s the odd part of digital identity.

The new wave of interest in Verifiable Credentials crystalised in July 2018 when the World Wide Web consortium (W3C) released the Verifiable Credentials Data Model 1.0 with the byline Expressing verifiable information on the Web.

[For some reason, subsequent iterations of the W3C VC Data Model dropped the mention of “verifiable information”. I thought that was the best thing in the specification.]

Back to the future

Verifiable Credentials are a revolutionary digital technology, placing cryptographic keys under the sole control of the credential holder, making credentials highly resistant to theft, counterfeiting or takeover. The new wave of standards now allows customised Verifiable Credentials to be securely carried in mobile digital wallets and used in a range of business applications to reliably prove endorsed facts and figures in their specific contexts.

By decentralising the presentation of credentials, and conserving the established local rules that govern how they are issued and consumed, cryptographically Verifiable Credentials are far less disturbing to business processes than general purpose digital identities and the centralised presentation flows entailed by the Identity Metasystem.