Credentials are statements about an entity, such as properties that the entity possesses or capabilities that it has (like driver's licences, passports, or a person's age). Verifiable Credentials (VCs) are statements (e.g. Alice has a driver's licence) that can be cryptographically verified by a third party, either online or in person. Additionally, the holder of the VC decides what is shared and with whom it is shared.
There are several types of actors that play different roles in a verifiable credential system. We'll start with a common example of how things work in the world today using physical credentials and centralized databases, and outline the roles that various entities play in the Verifiable Credential system.
A government (the Issuer) issues a passport asserting citizenship (the Verifiable Credential) to Alice (the Subject and Holder), and writes the information to a database (the Verifiable Data Registry). When crossing the border, Alice (the Holder) presents her passport to a border agent (the Verifier) who can verify that Alice (the Subject) is indeed a citizen.
Subject: An entity about which claims are made – Alice (the Subject) is a citizen of this country.
Holder: An entity which possesses verifiable credentials – Alice (the Holder) possesses the passport (the VC).
Issuer: An entity which asserts claims about a subject – The governing body (the Issuer), which is trusted, issues Alice a passport.
Verifier: An entity which checks whether the VC a holder presents is legitimate – The border agent (the Verifier) trusts the government (the Issuer) which issued Alice her passport, and validates that Alice (the Subject) is a citizen.
See the Verifiable Credentials Data Model 1.0 Specification for more information.
Verifiable Credentials in IOTA
In the IOTA Identity framework, instead of a physical passport being given to Alice with the passport information being written into a centralized database owned by the government, Alice receives a digital verifiable credential, and the information required for verification in the future is written to the Tangle.
At a high level, the creation and verification of a VC on IOTA works as follows:
The first step is to create a verifiable credential, which requires the subject (Alice) and the issuer (the government) to have DIDs published to the Tangle, and a set of statements to assert (that Alice has a passport). The issuer signs the credential with their private key and publishes the corresponding public key to the Tangle.
Once the issuer is confident that the credential satisfies its expectations (after validating the credential's properties), the credential is stored and transmitted to the subject in a secure manner (off-chain).
Validation is performed by looking up the issuer's public key on the Tangle, having the holder prove ownership of their DID to the verifier (evidence), and checking that the credential has indeed been signed by the issuing party.
The remaining chapters in this section explore creation, verification, and revocation of VCs in more detail.