Every day we use numerous documents, files, cards to share information about ourselves and our belongings. These documents, files, cards, and passes have a single purpose: to provide us with some service or benefit in return. We wouldn't possess them in the first place if this weren't the case!
But as with any physical object, these are not immune to the wear of time; neither can we protect them from being stolen or forged. And with the world going digital, typing out each and every detail referring to the physical document is not enough. No wonder we have now shifted to digital documents in the form of scanned pdfs and images. But can we really trust these digital documents, at least as much as we trust physical documents? Clearly, with the rising number of fake documents and reported crimes related to these (check out the blog on fake credentials), we have grown increasingly critical of every document presented to us.
As an improvement over these digital documents, we now have verifiable credentials.
So, what are verifiable credentials?
We break down this terminology into two parts. Firstly, 'credential'.
Credentials are everyday documents (including cards and passes as before) that we use to avail services and benefits in return.
And now secondly, what are 'verifiable' credentials?
Verifiable credentials or VCs are a set of claims made by an issuer for a holder such that they are cryptographically verifiable, secure and preserve privacy.
A VC can be used just like our regular credentials. They can be used to prove the following properties:
Who issued the credential, i.e., the issuer
To whom was the credential issued, i.e., the holder
The credentials have not been tampered with
The credential is still valid, i.e., it has not been revoked by the issuer yet
Components of a VC
Firstly, there are the claims, or the information filled in by the issuer, in this case information related to class of vehicles the license holder is authorized to drive and the validity. These claims include fields COV, LMV and MCWG. These claims are basically the information that we actually use in our day to day lives.
Next, we have information such as the issuer's name, name of the document etc., on this credential. All of this can be categorized under metadata. Metadata also includes a unique identifier (say, a string of numbers and alphabets uniquely denoting an entity). Also, it contains the date on which the credential was issued. To sum up, metadata doesn't contain any claims but properties of the credential itself.
Finally, this digital credential also contains a digital signature that testifies that the issuer indeed issued this credential.
And finally, how do we incorporate VCs in our day to day lives?
Let's say you wish to apply for a passport. You visit the passport office. You don't have any physical proofs of your address or identity. Fortunately, your VCs are stored in your mobile wallet (an application storing the VCs). The passport office trusts the issuer of the address proof, and identity proof (say issued by the government) and hence are willing to accept VCs issued by them. They verify the VCs and, after processing your application, issue a new VC, the passport, to your wallet.
Here, we see that the address proof was issued by the government (the issuer) to you (the holder) and verified by the passport office (the verifier). The proofs contained claims about you (the subject).
Say, now you wish to collect a medical report on behalf of your sibling. Your sibling issues you a VC stating your (the subject) relationship to them (the issuer for this VC is your sibling) as well as the permission to receive the medical reports on their behalf. Moreover, your sibling also shares with you (the holder) the hospital slip containing information about him (the subject) required to retrieve the medical reports as a VC. You share both of these VCs with the hospital to collect the medical report. Here, we see that the subject of the VC may not necessarily be the same as the holder.
Extending this idea of the subject being disjoint from the holder of the VC, we can also issue VCs with the subject being non-living or non-human entities such as vehicle information, pet information and so on. Moreover, even data transmitted by IoT devices can be packaged as a VC and issued to a wallet.
More on VCs and the ecosystem
Now that we know how the VCs work, we look at some necessary conditions for this ecosystem to function.
First and foremost, VCs can only add value to the workflow when the verifier trusts the issuer and the shared credential fulfils all the requirements put forward by the verifier and the holder to exchange services.
Secondly, an important aspect is the verifiability of the credentials. A verifiable data registry holds all essential data as well as the metadata required for this ecosystem to function. This data can include a list of revoked VCs, the issuer's public identifier etc. A verifiable data registry can be centralized or decentralized. In theory, the nature of the data registry would not make any difference, but practically, a decentralized verifiable data registry provides multiple benefits over a centralized registry. Owing to the fact that a centralized registry is the only source of trust available, any unwanted interference due to external factors or even insider attacks would render this ecosystem useless. On the other hand, a decentralized verifiable data registry would effectively curb any discrepancies arising due to such factors.
Now that we have taken a good look at what they are and what they contain, we now ask, why do we need VCs?
VCs allow unlimited flexibility; no middleman is responsible for your identity. In our present world, we have multiple identity providers, all of them providing an easy way out (Login with XYZ) in our day to day lives. Do we trust these middlemen with high-risk transactions such as banking? Maybe not. In the real world, we have notaries who act as an impartial witness while authenticating a legal document or a transaction. Using VCs would do away with these middlemen (tracking your usage of the credential) and notaries, irrespective of the nature of the transaction.
Verification of documents is not an easy job. While contacting the issuer to get the document verified is a tedious task, most of us are left with little to no choice but to do so. VCs eliminate the need to involve the issuer in the workflow once the credential has been issued. The authenticity of the VC is checked using the verifiable data registry. Hence, it provides an easier way out for all of the players involved. The verifier and the issuer save efforts and resources. Moreover, the holder can enjoy a high degree of confidentiality and avail services without revealing their usage of the VCs to the issuer.
Lastly, VCs are portable and can be used anywhere anytime. Moreover, they are resistant to physical wear and tear. Since they are cryptographically signed, they cannot be forged to replace an original. VCs follow the W3C Verifiable Credentials standard so that they can be used anywhere across the world.
As we strive for a better and more secure world, we inevitably have to switch to better technologies. The switch must not be a change due to a breach or a scandal but must be adopted as a natural course of action for a better and more secure world. And not surprisingly, VCs facilitate this switch.
What would a world with VCs look like?
No longer would anyone complain of long queues in banks. All verification procedures would employ VCs. Know Your Customer procedure can be done directly by sharing VCs with the verifier. Mortgage applications would take less time as different documents can now be issued and verified using VCs. Educational documents (including degrees and transcripts) would be issued as VCs directly to the student's mobile wallet. Be it insurance, bills, degrees, employment proof, land ownership documents or identity cards, all of it in the form of Verifiable Credentials!