From birth, we are given elements that identify us. They distinguish us from others, they allow us to be recognized by everyone. In particular, we are given a first name, a surname, a date and a place of birth. This set of data is first collected in order to register people in the vital record. This early identification allows us to stand out from the crowd.
Our identity is at the very center of our daily lives. Whether it is a simple library card, our driving license or our passport, a whole range of elements, documents and proofs exist which attest to our identity and enable us to be recognized and identified on a daily basis. By extension, identity also includes our personality: in fact, even without vital records, each person could be identified by his or her background, tastes, choices and behavior.
Article 4 of the General Data Protection Regulation (GDPR) defines personal data as « any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ».
Under that definition, personal data is any data that relates to an identifiable person. Thus, even in the absence of a formal document such as an identity card or an identifier, a simple set of clues that could identify an individual is enough for data attached to a person’s profile to be considered personal. According to the GDPR, identity is therefore not limited to people’s vital records, but extends to elements as personal as their psychology.
While in the “real” world identifying a person is easy (e.g. to gain access to a library, we can present a card with written information and a photo that allows us to be easily identified), it is different on the Internet where identity is established through profiling, rather than actual identification. The data that is currently being absorbed into databases is as much behavioral data as it is personal data under the GDPR. This is a very broad definition of personal data, which goes beyond mere identity data.
Our identity solution consists of the SDI, a decentralized identifier (you can find our articles on this subject on our blog), and Verifiable Credentials. We are going to focus on them today.
Verifiable credentials (VCs) are the digital equivalent of the identifying information and certifications that surround a person. For example, a driving license or a diploma: these are elements that are part of our identity, and that can be used to prove various pieces of information (in the example, being able to drive a certain type of vehicle, or the completion of an education or certification). Thus, VCs are useful in the digital world to prove information claimed by the user to third parties. This is information that cannot be tampered with and that can be proven cryptographically.
A W3C working group (1) has laid the foundations of VCs and of what they will become at web scale. In November 2019, the result of their work was accepted into the recommendation stage within the W3C (2).
There are several roles related to these Verifiable Credentials:
- Holder: any person, organization or object that has Verifiable Credentials and can generate Verifiable Presentations from them for transmission to anyone who needs to verify them.
- DID Subject: this is the entity about which a VC request is made. Most of the time, this role coincides with that of the holder: the holder is then the one to whom the information to be checked is linked. But this is not always the case. For example, a parent may hold the VC related to his or her child. In this case, the holder is the child’s parent and the DID subject is the child. This can also apply to objects, pets, and so on.
- Issuer: any entity capable of issuing Verifiable Credentials to holders.
- Verifier: any entity that needs Verifiable Presentations to authenticate personal data of the DID subjects.
These roles are organized around the following diagram:
We can see that this example ecosystem relies on a verifiable database. The role of this database is to make the system more fluid. The databases may be centralized or decentralized. XSL Labs uses the blockchain to store non-sensitive information and thus guarantee its integrity.
At the center of this diagram are the VC holders. They request VCs from issuers so that they can prove their claims to verifiers.
The W3C’s working group considers that privacy and data security are at the core of the Verifiable Credentials ecosystem.
It is therefore essential that users only have to provide the minimum amount of information required in any given situation. The idea is to be able to create Verifiable Presentations that contain only the necessary information.
These Verifiable Presentations combine data derived from one or several VCs in order to share it with a specific verifier.
For example, a person seeking employment may be required to provide proof of his or her professional experience, education and qualifications. A Verifiable Presentation can bring together this information from various existing VCs and be sent to the verifier (in this case a recruiter). The verifier can then be certain that the applicant’s claims are true, and can verify that the information comes from trusted issuers, without getting access to the content of the Verifiable Credentials themselves. In some cases, a zero-knowledge proof (3) can be used to prove claims without having to reveal the Verifiable Credential: a VC relating to a date of birth can be used to prove a minimum age, for example.
All these components follow specific technical standards described in the W3C’s recommendation, which we detailed (4) in our technical document. Compliance with these standards is crucial, as this will ensure the interoperability of future systems.
Therefore, the ecosystem of Verifiable Credentials allows entities to acquire credentials containing attributes, to become holders of them and to choose whether or not to share them with any entity that requests them.
For such a system to work, and in order to ensure end-to-end trust, digital signatures are added by issuers, so that verifiers can check the validity of the information transmitted and that it comes from a trusted issuer.
This is where the public keys of the decentralized identifiers of the VC issuers, holders and verifiers come in. Publicly available keys linked to decentralized identifiers such as our SDI ensure that any verifier can be certain of the veracity of the information and its issuer.
Beyond the W3C recommendation, security is crucial to the Verifiable Credentials ecosystem.
This involves ensuring the integrity of the data and information transmitted. This is achieved through the hashing of Verifiable Credentials (VC traces on the blockchain), which ensures that the content of a Verifiable Credential or a Verifiable Presentation has not been tampered with.
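An added example, not XSL Labs' or the W3C's code: one way to combine the minimum-disclosure presentations described earlier with the hash traces described above, assuming salted SHA-256 digests per claim and a Python set standing in for the blockchain registry. Issuer signatures are left out, and all function names, DIDs and claim values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

def digest(obj):
    # Canonical JSON (sorted keys, no whitespace) so equal data hashes equally.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def issue(issuer, subject, claims):
    """Issuer: salt each claim, return (credential for holder, trace to anchor)."""
    # Salts stop a verifier from guessing hidden low-entropy claims (e.g. a date).
    salts = {name: secrets.token_hex(16) for name in claims}
    digests = sorted(digest([salts[n], n, v]) for n, v in claims.items())
    header = {"issuer": issuer, "subject": subject, "claimDigests": digests}
    return {**header, "claims": claims, "salts": salts}, digest(header)

def present(credential, reveal):
    """Holder: build a presentation disclosing only the claims in `reveal`."""
    return {
        "issuer": credential["issuer"],
        "subject": credential["subject"],
        "claimDigests": credential["claimDigests"],
        "disclosed": {n: [credential["salts"][n], credential["claims"][n]]
                      for n in reveal},
    }

def verify(presentation, anchored_traces):
    """Verifier: return the verified claims, or None if anything was altered."""
    header = {k: presentation[k] for k in ("issuer", "subject", "claimDigests")}
    trace = digest(header)
    # Assumption: only the issuer can write traces to the registry.
    if not any(hmac.compare_digest(trace, t) for t in anchored_traces):
        return None
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if digest([salt, name, value]) not in presentation["claimDigests"]:
            return None
        verified[name] = value
    return verified

# Constructed sample data; "did:example:..." identifiers are placeholders.
CLAIMS = {"degree": "MSc Computer Science", "employer": "Acme",
          "birthDate": "1990-04-12"}
CREDENTIAL, TRACE = issue("did:example:university", "did:example:alice", CLAIMS)
REGISTRY = {TRACE}  # stand-in for the hashes anchored on the blockchain
```

The recruiter in the earlier example would call `verify(present(CREDENTIAL, ["degree"]), REGISTRY)` and learn the degree, while the employer and birth date stay with the holder.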
Verifiable Credentials are therefore at the core of the XSL Labs ecosystem. They enable the SDI holders’ digital identity to be established and built and they guarantee trusted interactions between SDI holders while also respecting their privacy and the security of their data. The development of the XSL Labs ecosystem is a response to the increase in digital uses and to the evolution of regulations designed to protect individuals and their data.