On Verifiable Credentials

Wallet with payment cards and cash

The second of four reflections after Kate Carruthers and I spoke on her Data Revolution podcast.

We started with data sharing and then ventured onto how verifiable credentials have a bigger purpose than identity.

Kate asked me to break down this very cool technology.

Driven by privacy

One of the drivers for verifiable credentials is privacy and data minimisation. While discussing data sharing, Kate questioned how can we trust the many parties to whom we give our data?

The first and foremost privacy protection is to give them as little data as possible. That is, disclosure minimisation. I don’t want to tell a liquor store anything more than my credit card number, my delivery address and the fact that I’m over 18.

And the liquor store should want to know much more than that. While there are widespread habits in business to collect as much data about customers as possible, as Kate said on the podcast, it is dawning on managers that “if you think about data as an asset, you’ve also got to think about it as a liability”.

So the question should be, what exactly does one party need to know about another? Can we arrange for just the right data to be disclosed — nothing less and nothing more? Verifiable credentials are a powerful technology and design pattern for doing just this.

The term verifiable credential integrates several layers of protection.

A. Machine readable

We all know what credentials are in real life. Think of a university credential, passport or licence to drive a car.

Verifiable credentials are firstly about digitizing those things in a reliable, high-quality way, so they can be used in automated digital processes. Instead of taking scans or copying down numbers, a verifiable credential captures metadata that make the credential valid and authoritative.

Who issued the credential? When was it issued? What were the issuance rules, and the terms and conditions for use? What is the context in which the credential is meaningful?

Take an accountant for instance: what is their scope of practice? Where were they qualified? Where are they licensed to work?

It’s fairly straightforward to wrap up all of that detail into a digital document, formatted to be machine readable. The metadata enables business logic to work out if a credential is fit for purpose in a given application.

B. Provenance

The next layer of protection proves where the credential came from — because the meaning and authority of most credentials come from the issuer.

A verifiable credential is digitally signed by the issuer, so you know exactly where it came from and also that is hasn’t been tampered with or counterfeited.

C. Proof of possession (control)

The final layer of protection for a full function verifiable credential comes from carrying it in a particular sort of end-user wallet.

It is generally important when accepting a credential (especially online, where the presenting party is remote from the accepting party) to be sure that the credential was in the right hands at the time. A verifiable credential wallet will digitally sign the presentation to provide what’s often called “proof of possession”.

Mobile credential wallets are typically locked by a biometric or PIN. If a credential is presented with a verifiable wallet signature, then we can be reasonably sure that the wallet was unlocked by the proper person — namely the holder of the credential.

Everyday digital credentials

This might all sound theoretical, but we’ve been using this technology for 10 or 15 years in chip cards, and we’ve been using it for the last three years in mobile phone wallets. The UX is completely seamless.

Under the covers, when you click-to-pay using your smart phone, the mobile payment app reaches inside the secure element (or “enclave” chip) of your phone, accesses cardholder data and an associated private key— which has been previously loaded on the phone with your consent and with the consent of the bank —digitally signs the payment on your behalf, and sends it off to the merchant.

The merchant receives a cryptographically secure parcel of transaction data and metadata. The parcel includes the credit card number signed by the bank, plus another signature to prove the transaction come from an approved smart phone.

Therefore, many consumers are already using the perfect technology for personal data protection: mobile wallets and digital credentials. These tools are ready to be scaled out to make consumers and businesses safe against identity fraud in the wake of data breaches. No new digital IDs are required; we could carry digitized versions of all those existing government IDs such that they are completely useless to data thieves.

Further reading: Proofs and evidence

Readers may have spotted that there are other assumptions at work in my account of verifiable credential issuance and presentation.

For one, it is assumed that a virtual credit card was provisioned to the correct phone and that the phone has remained in the proper person’s control. Provisioning a virtual cards — as anyone who has done it will know — is itself a multilayered process, controlled by the bank, usually through its banking app, with tight authentication. It’s critical that the bank gets this right.

And “proof” of possession is a relative concept.  Strictly speaking, it’s a matter of evidence.

The assumption about who is really in control at the time of a mobile phone payment is the same sort of assumption made when anyone uses a regular PIN-controlled card at an ATM or POS terminal. Does a PIN really prove who was using the card? Well, no it doesn’t, but there are sufficient controls around this pattern of behaviours for the global banking industry to be satisfied that billions of dollars of card transactions every day are secure enough.

Further reading: The criticality of data signing

It is useful to describe the digital signature as a type of metadata.

A digital signature is a data value computed by applying a unique private key to a record, document or transaction. The digital signature is data pertaining to the signed data; it is about that signed data, so it is metadata.

The purpose of a digital signature is to convey important properties of the signed data, such as the involvement or consent of the signatory in making a transaction, the originality of the signed data, and/or the association of the data with the wallet device. A digital signature thus provides proof of certain facts.

So the pattern of facts and proofs — which is common in digital identity discourse — is a matter of data and metadata.

Recall that data signing is at the core of smart phone pay. To pay by credit card, all a cardholder need do is present a credit card number in a way that assures the payment system that it was really the legitimate customer in control of the presentation.

Swiping a magnetic stripe card in a terminal no longer provides much assurance that the true cardholder was in control, thanks to skimming and carding. And so the payment system upgraded to chip cards.

Now smart phone pay uses the chip card’s data signing trick to assure e-commerce merchants that it is not a dog using the card over the internet, but much more likely to be the true holder of the phone and the credit card.

This is exactly the same pattern that we need for presenting any important data, especially the official government issued data universally used in identification.

If we used mobile wallets to present verified data to registration forms and login screens, then we would not be vulnerable to impersonation after data breaches.

Lockstep’s Data Verification Platform is a scheme to rationalise and organise data flows between data originators such as government and the risk owners who rely on accurate data to guide decisions. Join us in conversation.

If you’d like to follow the development of the Data Verification Platform model, please subscribe for email updates.​