Verifiable Credentials
Verifiable credentials (VCs) are digital statements that can be cryptographically proven, like a digital passport, and are used within systems to assert certain properties or capabilities of an entity.
In the IOTA Identity framework, this is managed with decentralized identifiers (DIDs) on the Tangle. Subjects and issuers use their DIDs for the creation and verification of credentials.
Credentials are statements about an entity, such as properties that the entity possesses or capabilities that they have, like a driver's license, passports, or a person's age. Verifiable credentials (VCs) are statements (e.g., Alice has a driver's license) that can be cryptographically verified by a third party, either online or in person. Additionally, the holder of the VC decides what is shared and who it is shared with.
There are several types of actors that play different roles in a Verifiable Credential system. We'll start with a common example of how things work in the world today using physical credentials and centralized databases, and outline the roles that various entities play in the Verifiable Credential system.
Example - Passport Issuance
A government (the issuer) issues a passport asserting citizenship (the Verifiable Credential) to Alice (the subject and Holder), and writes the information to a database (the Verifiable Data Registry). When crossing the border, Alice (the Holder) presents her passport to a border agent (the Verifier), who can verify that Alice (the subject) is indeed a citizen.
Subject: An entity about which claims are made – in this example, that Alice (the subject) is a citizen of this country.
Holder: Any entity with a verifiable credential – Alice (the Holder) possesses the passport (the VC).
Issuer: An entity which asserts claims about a subject – The governing body (the issuer), which is trusted, issues Alice a passport.
Verifier: An entity which checks if the VC a holder presents is legitimate – The border agent (the Verifier) trusts the government (the issuer) which issued Alice her passport and validates that Alice (the subject) is a citizen.
See the Verifiable Credentials Data Model 1.0 Specification for more information.
Verifiable Credentials in IOTA
In the IOTA Identity framework, instead of a physical passport being given to Alice and its information written into a centralized database owned by the government, Alice receives a digital verifiable credential, and the information required for verification in the future is written to the Tangle.
At a high level, the creation and verification of a VC on IOTA works as follows:
The first step is to create a verifiable credential that requires the subject (Alice) and issuer (the government) to have DIDs published on the Tangle and a set of statements being asserted (that Alice has a passport). The issuer signs the credential with their private key and publishes the public key to the Tangle.
Once the issuer is confident that the credential satisfies its expectations, the credential is stored and transmitted to the subject in a secure manner (off-chain).
Validation is performed by looking up the issuer's public key on the Tangle, the holder proving ownership of their DID to the verifier (evidence), and validating that the issuing party has indeed signed the credential.