The 101 series: Verifiable Credentials
Updated: Mar 2
[For people looking to skip all the drama and see how VCs work, please jump here]
VCs and me
Around Jan 2021, while the world was learning zoom etiquettes and living with foggy specs over masks, I was exposed to the world of VCs. Not (evil?) Venture Capitals, but Verifiable Credentials.
As usual, I started by consulting my trusted friend Wikipedia, and found...
"Verifiable credentials (VCs) are an open standard for digital credentials. They can represent information found in physical credentials, such as a passport or a license, as well as new things that have no physical equivalent, such as ownership of a bank account."
Sounded amazing! And quite unnecessary. I was managing quite fine with a JPEG of my passport page, thank you. But I was in discussions for a role at a firm that deals with VCs (Affinidi), so I needed to find out more.
The 5 stages of research
I found a couple of other links that were more idiot-proof to my liking, especially the one from Affinidi. As a skeptic with a byte sized ego, I went through the 5 stages of grief while conducting my research
Looking back, I realize that I could / should do my bit to guide other lost souls who embark on a similar journey. So here's my story, starting with...
Denial: No one cares about VCs!
I'd never heard of VCs, neither had any of my friends. Given the elite circles I move in, I was inclined to dismiss as irrelevant.
But I decided to give it a chance.
Turns out the idea of Verifiable Credentials IS relatively recent (ha!) - it was recommended by this organization called W3C in Nov 2019 in the form of a geek-friendly data model. The recommendation was sufficiently long and comprehensive to scare any noobs away and leave the deserving ones to explore.
But the recommending organization W3C itself was 27 years old (as of 2022), established by none other than Sir Tim Berners-Lee (of created the internet fame). Long story short, the mission of W3C is to standardize things (protocols) about the internet, so that it's easy to build and access things on the web. Their whole point is the network effect: more the people who use the web, the more useful it'll be.
So when I found that W3C was talking VCs, it seemed like my time might not be entirely wasted. Then when I found that entities like the IBM, Microsoft, Linux Foundation Public Health & Salesforce are talking about VCs, I had to admit there might be something to it.
While questioning the eliteness of my circles, I moved on to...
Anger: Useless heap of esoteric mumbo jumbo!
Sir Tim Berners-Lee's one of the good guys in my book - he refused to patent the first browser and server after creating them in 1989. So when he's talks about the web going bad, and the internet becoming a place you cannot trust, I listen.
But then again, that's just another visionary lamenting on the loss of idealism. Doesn't mean trust on the internet affects you or me, does it?
Having recently moved countries, I can say it does. Here are some of things I had to deal with while moving:
Verifying educational qualifications: Thanks to fake certificates being a dozen a dime in developing countries, degrees to be attested by ministries that have a million better things to do. Finally you end up with a process that takes weeks and creates a bunch of well-fed intermediary agents.
Accessing medical records: Ditto for medical records. Most recent examples are COVID tests, where country A re-tests citizens of country B when they arrive from A to B. Fraud test certificates are even easier to get than fraud degrees (I'm told).
Creating a bank account: The "easy" online process asks for a bunch of documents, declarations and certificates. My Employment Pass was in process and I was staying in a temporary accommodation, neither of which helped. After 3 branch visits to resolve circular dependencies, the bank finally took mercy and let me open an account.
Applying for credit cards: Repeat 3 above, but now with a different bank.
Why are these processes so tedious? Do banks love making customers jump through hoops to create an account? Probably, but that's not the (only) reason. The reason is simple - because you cannot trust things on the net. Remember what Lincoln said?
A certificate image can be easily doctored, medical records can be faked, files can be altered. Most of the processes I listed out above have been hardened over the ages, with built in redundancies. The system has become more resilient at the cost of convenience.
But is the compromise necessary? Is there no way to combine convenience with security?
With VCs, there might be, thanks to cryptography & some complex math. Even if you're not be a bitcoin fan, you better believe in cryptography - it's what keeps secure web browsing, ATM withdrawals and email running!
VCs are machine readable by design - information can be combined into a single QR code. They also allow you to confirm the "issuer" of a VC - as in the entity that certified the "claim". For example, if the US govt issued you a driver's license as a VC, an agency in Singapore can check the authenticity of that VC in seconds, without going back to ask the US Govt. or looking for attestations. More on this later.
So trust on the internet does affect you and me. If VCs can solve it, they'd be more than esoteric mumbo jumbo. But then again...
Bargaining: Maybe they're just a fad.
If they're a fad, it's a(nother) fad drawing some serious bucks! VCs are closely related to the concept of digital identity and the space has exploded with startups like ID.me, Alloy & Incode drawing interest from across the globe.
Of course there's always dumb money - investment's not always a great indicator of future potential. If it was, I wouldn't be writing posts like these.
A better indication is current and future adoption. Here comes another aspect where the pandemic has turned things around, but this time for the better. A big pain point for countries has been around verifying vaccine certificates. The fact that fake test certificates are available at less than the cost of a taxi ride to a center had caused many a country to think twice before reopening their borders. The fear was that the same could happen with vaccination certificates.
Or so most countries thought. The US turned out to be much more trusting, as was pointed out in this skit and the folllowing meme around CDC cards:
But most others including EU, India & Singapore used VCs. The EU DCCs, DIVOC certs and W3C vaccine certs issued by these and many other countries are nothing but VCs!
There's a minor difference though (they're not decentralized as VCs ideally should be) and it hasn't solved the problem of fake certificates completely. But the basic VC properties of tamper proofing, machine readability & issuer check are preserved - making this an unprecedented validation at scale for VCs!
COVID's not entirely gone, but the logical extension for tech like EU DCCs would be to support medical records beyond COVID. And then there's the metaverse trying to make all physical interactions passé. Coupled with the fact that other industries (finance, gaming) have probably taken notice of the tech and it's capabilities, it's hard to imagine VCs going away anytime soon.
So VCs might be more than a fad. But that acknowledgement merely pushed me into...
Depression: Help! They're too complicated!
Now let's address the T-Rex in the room - what the hell are VCs? How do they work?
I could tell you VCs aren't complicated - but that'd be a lie. Unless you know all about cryptography and blockchain already. I'll assume you don't (since I don't) and present an oversimplified picture.
What are VCs?
Think of all the documents you use in the physical world to prove who or are or what you did - your driving license, your passport, your employment ID, even the coveted degree your mom framed on the wall.
Now think of their digital equivalents. Images of these documents? Easy to fake - I could make myself a fake Nobel prize certificate within minutes. Your Google / Facebook ID? Doesn't work with everything (phew!). Your Linkedin testimonials? Don't even get me started!
Point is, there isn't really a good enough substitute in the digital world. Which is the reason bank applications need to be screened for document tampering and compared against multiple databases before you're cleared for an account. All this takes time, effort and money.
An analogy that's been flogged to death is the wallet analogy - you can think of a mobile app as a digital wallet and VCs as digital "identity cards" in the wallet. Just like you show an ID when requested by, say a bouncer at a club, you can show you digital ID on demand in the internet.
Who're the parties involved?
When you've been dealing with VCs for as long as two weeks, three terms you hear very often are issuer, holder (or prover) and verifier. Simply put,
Issuer is the entity that gave you the credential (driving license, COVID vaccine certificate, Linkedin endorsement you traded with a friend)
Holder is the person who the credential is meant for (you, your delighted friend)
Verifier is anyone who wants to verify the certificate (traffic police, an airline, unsuspecting recruiter).
How does it all work?
Kinda like email. If you're not sure how encryption in email works, take a look at this. If you already know, let's move on.
Most of your email communication is encrypted by default. This encryption and secure transmission of data works using something called Public Key Infrastructure (PKI). VCs use the same concept of PKI to preserve privacy and security.
The only difference is, instead of checking public keys from Certificate Authorities, VCs fetch the public keys from a different trusted source - like a blockchain or a secure website. Read more details of the comparison here.
Coming back to our Issuers, Holders and Verifiers, a VC
Is issued by an Issuer. It contains three things:
A location where the Issuer's public keys can be found. Like a URL https://... or a blockchain location (called DID).
The data (or meat) of the credential - could be anything like a degree, a medical record or just kudos for being a swell guy!
A digital signature of the issuer. The signature is "made" from the credential content & the issuer's public key. If either of them are changed later, you can find out from the signature.
Is issued to a holder / prover. Holder is the one trying to make a "claim" called a Verifiable Presentation (VP).
The claim might contain all or some of the information in the credential. For example, if the credential is an MBA, you can generate a VP saying you're a MBA without exposing your grades, specialization or college. Unless you REALLY want to (looking at you, IIM people).
This's an example of zero-knowledge proof. Sharing only essential information, nothing more, nothing less. Apparently it's got some people quite stoked.
Is verified by a Verifier
Verifier looks at a claim presented by a Holder, checks the following
If the holder is the right one
If the issuer is the right / acceptable one
If the claim is NOT revoked
The VP creation and verification usually happens via a QR code in a few secs.
Here's what the flow looks:
And that's it. That's how VCs & VPs work! Simple!
Ok maybe I skipped a few details. So here's some more for our eagle-eyed viewers:
How does holder H know that a credential came from Issuer I?
By looking at the signature in the credential. How does that work? Again, math!
How does Verifier V know the credential came from Issuer I?
Same, by looking at the signature in the credential?
How does Verifier V know the credential belongs to holder H?
Generally by checking the details in the credential, in case of a vaccination certificate for example. Alternatively, the holder H could "sign" the VP using her private key. When Verifier V is able to decrypt the VP using H's public keys (assuming they're shared), V knows the VP came from H.
How does Holder H know Verifier V is the one requesting the check?
Paranoid, are we? Good! Anyway this's easy too - holder H uses Verifier V's public keys to encrypt the VP. Now only verifier V can decrypt it using their private key.
Now we know what VCs are and how they work. So we move on to...
Acceptance: Ok fine, what happens now?
You go back to browsing the net. And hope that VCs become useful so that all you've learnt now is relevant.
But how useful can VCs be? In theory, very. The internet's pretty much the wild west at the moment. Spreading misinformation is a piece of cake. Thankfully I found this amazing solution!
VCs offer the promise to make the (digital) world a better place (just like every ride hailing and grocery delivery company). Quoting this article from Forbes:
Verifiable credentials could make it easy to spot bots, unmask trolls and trace the origins of claims...When consumers stop worrying about theft and deception, they’ll be more willing to participate in online ecosystems...When trust is rebuilt, I believe the internet can become a place of creativity instead of caution.
If you're paranoid about privacy, VCs could be your best friends. They enable selective disclosure of information, with this concept called Zero Knowledge Proof (ZKP). Which's a total misnomer btw - there's definitely >0 knowledge involved there.
Not a lot of people know what VCs are, including most who use them. Quoting the same article:
"...the verifiable credential space is very young. The W3C just came out with standards for verifiable credentials in the past year or so...So, a barrier to entry for companies in this space, including my own, will be consumer education on how to implement verifiable credentials."
Then again there are many (including my employers) who're betting big on VCs.
Personally I believe VCs are here to stay, but the idea will probably undergo a lot of evolution. As we've seen with COVID vaccine certificates, a lot of VC features are optional and might not be harnessed at scale, at least not immediately. But I think the magic'll happen once VCs are linked to biometrics, which might not be too far off!
In case you didn't notice, I have a vested interest in wanting VCs to work. But so should you - they might just make our lives easier!