Have you ever wondered whether you could digitize your identity? Well, your “official” identity that is. Everyone has a series of documents or certificates issued by official bodies, attesting to their identity, qualifications and skills in relation to administrative bodies, the state, or any other type of institution.
Collectively, these documents are increasingly referred to as “credentials”, since they may be used in a great variety of contexts. They might include, for example, an identity card, a driving license, a health or social security number, a diploma, university degree or training certificate, or even your CV. All of this data remains the property of the individual subject, but may be useful in any type of interaction with public bodies, or any other type of body that is given permission to verify any claims or presentations made by that subject.
Adding to the challenge of digitizing such documents, for practical reasons, is that of guaranteeing the absolute authenticity of these digital versions, or “digital credentials” as they are called. Due to the very real risks of fraud and cyber hacking, being able to securely store and verify any such type of data has become critical, and has led to the development of an open international standard specification for the presentation of verifiable digital credentials that will be secured with a cryptographic key or signature.
BCdiploma is here to explain to you everything about this standard, which will allow the data of digital identity documents to be securely stored and verified, while maintaining the privacy of the end-user of the service.
The challenge of digitizing identity documents
The increasing digitization of identification documents: towards a digital identity
Today, more and more identity documents and training certificates exist in a digitized form.
For example, in France, a new biometric identity card, including a QR code and electronic chip, was introduced on August 2, 2021, in order to provide access to proofs of a fully digital version of one’s identity documents. These digital IDs, or “DIDs”, are the new frontier in tokens of identity proof.
Several universities have also begun to issue digital certificates for the completion of courses. And you can now display an Open Badge, testifying to your qualification, on your LinkedIn profile, to show off your personal skills, and share them and their proofs with just a single click.
Digitalized identity documents (dIDs) have several advantages:
- Easier storage;
- Faster access;
- Better security against loss or theft;
- Proof of revocation in case the need arises.
Nevertheless, a simple digitization model can present various problems. With the development of tools such as Photoshop, digital credentials presented as a file, note, image, PDF or other such token have become much easier to tamper with in ways that are difficult to detect. And revocation of a credential issued in this way is impossible to implement. Indeed, a digitalized image of a signature or other such identifier is no longer enough: documents will now need to be signed with a cryptographic key, to be trusted as a real-time token of proof beyond any attempt at forgery.
The need for verifiability in order to combat theft, fraud, and forgeries
According to a study by Onfido in France, over 200,000 people were victims of identity fraud in 2020, up 29% on 2019, due in part to the Covid-19 pandemic (in French). The study also reported that in 70% of cases of fraud, information in official documents was either wrong or had been tampered with.
While fraud and the forgery of supporting documents have mainly concerned documents required for banking services, diploma fraud is also widespread, and on the rise, with as many as 68% of job applicant CVs in France reported to be misleading in some way. In 29% of the cases of fraud, an applicant presented a different diploma from the one they had actually achieved as a student at university. While such a practice is becoming more and more common, recruiters rarely have the reflex to check the authenticity of diplomas, and their reported data and associated claims.
Whether we are talking about proving one’s identity or qualifications, how then can the authenticity of information be verified? New technologies are now making it possible to use digital credentials as a service to combat identity theft, forgery and fraud via a third party. These new technologies are at the origin of the international verifiable credential standard.
Verifiable Credentials: a digital, decentralized, and secure identity
What is a verifiable credential?
A “verifiable credential” is a document that presents information, while allowing that information to be checked against official records. The verifiable credential is a digital version of the credential that is verifiable through technology employed as a service to guarantee its authenticity.
The open source W3C Verifiable Credentials Data Model standard specifies how to generate verifiable credentials (VCs) that are:
- Secured by cryptography;
- Respectful of privacy;
- Machine verifiable.
Technologies used to meet these criteria include digital signatures and the blockchain. The blockchain is a secure technology for storing and transmitting data in a decentralized way, ensuring that all users will have access to an encrypted data register, and that all modifications will be perfectly traceable.
How do verifiable credentials work to guarantee a verifiable identity in a decentralized way?
Three types of actors allow verifiable credentials (VCs) to work:
- The issuer is the official, recognized organization that issues the verifiable credential to the holder.
- The holder can generate URL links, QR codes and other digital media, and share them with any party that wants to verify the credentials.
- The verifier can verify the authenticity, validity and conformity of the information, which remains the property of the holder.
The holder has complete control over their own verifiable credentials (VCs), and, therefore, over their identity and digital identity documents, or “dIDs”. The holder can decide which data to share, with whom and whenever they want. Although each credential is issued by an official body, and may be verified by another party, all credentials belong exclusively to the holder, whether they are kept in a wallet, app or web-app. It is this well-defined distribution of roles, among these three actors, that guarantees verifiable credentials (VCs) have a decentralized and secure nature.
The three actors make up what is called a “triangle of trust”. In technical terms, each role may be played by either a person, an institution, a web server, or an Internet of Things (IoT) device. This means that, in principle, anyone can make the presentation of a verifiable credential to any other person. The issuer does not necessarily have to be a type of institution, university or public body. An analogy is a bank issuing a physical credit card. The bank, or issuer, assigns the user, or holder, property of the card, which can then be used in any shop where the shop itself, the verifier, has to decide whether or not to trust the issuer.
The triangle of trust works because the verifier does not have to trust the holder alone. On the presentation of a card, it can verify its validity in real time, by forwarding a request to the specific issuer, to check any identifiers of the user, and any case of revocation of their rights to use the card.
In the context of a digitalized service, the method of presentation of the issued credential may be an app, web-app, website or cryptographic wallet, where claims of any specific property, such as a university diploma, can be offered to the verifier, to check on their own account via the third-party, that is, the issuer. The claims of the student holder of the diploma are, therefore, instantly subject to proof.
How does the W3C Verifiable Credentials Data Model work on a technical level?
The attributes can take on names such as:
- degree;
- … and so on.
A JSON file can then be made into a JSON Web Token, or JWT. This JWT is a JSON file to which a cryptographic signature has been added, secured by a private secret or a public and private key pair. This JWT is therefore a way of securing the proofs of the claims made in the JSON file, and encoded as attributes, such as verifiableCredential, credentialSubject, and so on.
The presentation of a JWT enables a holder to encrypt the JSON data of the credential using the intended receiver’s public key, and then the receiver to read that data, and the values of attributes such as verifiableCredential and credentialSubject, using their own private key. Likewise, the receiver, in this context also the verifier, can request confirmation of the credential’s validity from the issuing party and receive, in return, a JWT that can again be decrypted by private key.
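The signing step described above, as an added example (not BCdiploma's code and not part of the original article): an issuer signs a credential as a JWT with a shared secret (HS256, Python standard library only) and a verifier accepts the claims only if the signature, the pinned algorithm and the expiry all check out. The issuer URL, subject identifier, secret and degree values are constructed, the `vc` claim name follows the W3C data model's JWT encoding, and the example covers signing only, not encryption.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: issuer URL, subject id and secret are placeholders.
SECRET = b"constructed-demo-secret"
CLAIMS = {
    "iss": "https://university.example/issuer",
    "sub": "did:example:student-123",
    "exp": 1893456000,  # 2030-01-01T00:00:00Z
    "vc": {
        "@context": ["https://www.w3.org/2018/credentials/v1"],
        "type": ["VerifiableCredential"],
        "credentialSubject": {"degree": {"type": "MasterDegree", "name": "MSc Cryptography"}},
    },
}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_vc_jwt(claims, secret):
    """Issuer: serialize header and claims, then sign 'header.payload'."""
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)

def verify_vc_jwt(token, secret, now=None):
    """Verifier: return the claims only if signature and expiry both hold."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the check
    if claims.get("exp", float("inf")) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    print(verify_vc_jwt(issue_vc_jwt(CLAIMS, SECRET), SECRET)["vc"]["credentialSubject"])
```

With a public and private key pair, only the two `hmac` calls change: the issuer signs with its private key and the verifier checks with the issuer's public key, so the verifier never holds anything that could mint credentials.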
How is the privacy of the holder of the credential maintained?
Let us take up the analogy of a credit card for a moment once again. When you arrive at the payment desk of a store, they know absolutely nothing about you until you present your card. They then have no means to know how much you have in your bank account. All they can do is note public identifiers such as the name on the card and the signature on the back, before proceeding with the request to the issuer for confirmation of the rights of use. This request is made across a phone line, using an encrypted connection. In the case of any revocation of the card by the issuer, the payment simply doesn’t go through. The card then remains the property of the user, who is free to leave the store with the card in hand.
Similarly, in the context of a former student making presentations or claims to a potential employer about the specific subject they studied at university, the recruiter has no prior knowledge of the candidate. However, the recruiter, as a verifier, if given permission to do so, may go on to check with the university, or issuer of a degree certificate or similar document or credential, whether the presentations made by the job applicant are true or not. That is, they can note whether the student has, in fact, studied that specific subject at that specific institution.
The decision to share that information lies with the student. For example, instead of a PIN code the student has a digital signature or key that allows them to give permission to the recruiter. They are under no obligation to make presentations about their studies to anyone. But, if they have, in fact, studied the subject at university, and need proof of such, they can use a simple type of web token, such as a JWT, to do so.
An example of verifiable credentials: BCdiploma’s 100% blockchain certificates
BCdiploma has created the first verifiable, tamper-proof and lasting digital diplomas and certifications based on blockchain technology. These certifications comply with the international W3C Verifiable Credentials Data Model specification, since, by nature, the blockchain guarantees the authenticity and security of all the data it contains.
How is the data contained in BCdiploma digital certificates verified? Example of a 100% blockchain digital diploma:
- The identity of the diploma issuer, such as a school or training organization, is verified using a patented system;
- The digital diploma presents the various pieces of identification information stored on the blockchain, such as first name, surname, school, type of diploma, and a timestamp;
- In digitalized form, it can be shared via a URL link, QR code, virtual student wallet, or directly on social media;
- Recruiters can instantly verify the authenticity of the specific diploma by opening the virtual document in an app or on the web.
In this context, in addition to enabling the digitization of diplomas, via Open Badges and blockchain certifications, for example, BCdiploma’s R&D team is contributing to the specification of the open source standards of tomorrow, such as the W3C Verifiable Credentials Data Model, through various projects carried out in partnership with institutional players, including:
- The European Blockchain Services Infrastructure (EBSI), working towards the specification of a European ecosystem that will enable the automated exchange and presentation of issued verifiable credentials (VCs);
- The Next Generation Internet (NGI) European Self-Sovereign Identity Framework (eSSIF) Lab, working to create an online wallet for digital identities (dIDs) that will allow the sharing and signing of any specific type of official certificate;
- The Bridge Blockchain Health Card project, with CEREMA, in France, that will create a decentralized and secure storage platform for data from the inventory of civil engineering structures in municipalities participating in the National Bridges Program.