A verifiable credential (VC) can represent all information that a physical credential represents, such as a passport or university degree. However, by allowing other parties to cryptographically verify the authorship and integrity of the claims, verifiable credentials can be seen as more tamper-evident and more trustworthy than their physical counterparts.
In the IOTA Identity Framework you can create a Verifiable Credential with the following properties:
- Context: list of JSON-LD context URIs. Includes
- Types: list of types describing the credential. Includes
- Subject: the claims of the issuer; a set of objects that contain one or more properties that are each related to a subject.
- Issuer: the identifier of the issuer, typically their DID.
- ID: optional URI identifier for the credential.
- Issuance Date: optional timestamp for expressing the date and time when a credential becomes valid.
- Expiration Date: optional timestamp for expressing the date and time when a credential ceases to be valid.
- Status: optional information used to determine the current status of a credential, i.e. whether or not it has been revoked.
- Schema: optional list of objects specifying the schema that the data must conform to.
- Refresh Service: optional link to a service where the recipient may refresh the included credentials.
- Evidence: optional list of objects that can be used by the issuer to provide the verifier with additional supporting information in a verifiable credential.
- Non-Transferable: optional flag that indicates that a verifiable credential must only be encapsulated in a verifiable presentation whose proof was issued by the credential subject.
After creation, the issuer signs the verifiable credential using one of their private keys, embedding the digital signature in its proof section. This is what allows verifiers to independently validate the credential using the corresponding public key from the issuer's DID Document.
A digital signature on a verifiable credential both provides data integrity and proves the DID of the issuer. The proof section embedded in a credential may also include additional metadata.
The following metadata properties can be configured by the framework and are optional and omitted by default:
- Created: timestamp of when the credential was signed, recommended.
- Expires: timestamp after which the signature is no longer considered valid. Implementers should prefer to set the dedicated Expiration Date property on credentials instead.
- Proof Purpose: indicates the purpose of the signature.
Most verifiable credentials should be signed with the assertion method proof purpose to clearly indicate that the signature is asserting a claim and restrict it to valid verification methods. Whereas a proof may be attached to a verifiable presentation for authentication purposes.
Other metadata fields such as
domain may be included, however they are more pertinent for verifiable presentations.
Verifiers should ensure certain properties of a credential are valid when receiving one or more in a verifiable presentation. Both issuers and holders may also wish to validate their credentials, particularly directly after creating or receiving one. Validation may be performed at any point in time and can be a useful way of checking whether a credential has expired or been revoked.
The IOTA Identity Framework supports the following checks during credential validation:
- Semantic structure: ensures the credential adheres to the specification.
- Proof: verifies the signature against the DID Document of the issuer.
- Optional validations: additional checks on credential properties and the signature can be configured by specifying Validation Options.
These options specify conditions that specific properties in a credential must satisfy.
- Expiry Date: check that the
expirationDateproperty, if present, is not before a specific datetime. Defaults to the current datetime if unset.
- Issuance Date: check that that
issuanceDateproperty, if present, is not after a specific datetime. Defaults to the current datetime if unset.
- Verifier Options: validates aspects of the credential signature and its metadata, see Proof Options.
Sharing Verifiable Credentials
A verifiable presentation is the recommended data format for sharing one or more verifiable credentials, as it provides cryptographic means of proving the DID of the holder presenting them, and for enforcing subject-holder relationships. See the Verifiable Presentations page for further detail.
The following code exemplifies how an issuer can create, sign, and validate a verifiable credential. In this example, the issuer signs a UniversityDegreeCredential with Alice's name and DID. This Verifiable Credential can be verified by anyone, allowing Alice to take control of it and share it with anyone.