In my previous post I started describing our vision for the Factom Protocol and where I believe the protocol should be headed. This is the second part of a series of posts, as I would like to take the time to give less technically inclined people the full vision.
Please note that parts of the vision will be mentioned during every single post, but the last story will be about the complete vision.
In this series of posts I will be talking about identities, verifiable credentials, zero knowledge proofs, tokenization, smart contracts, stable coins, IoT and general data proofs and how that all fits together in one single platform where the user can model their own data as well.
In the first post I already talked about Identities, Decentralized Identifiers (DIDs), Privacy, Decentralized Key Management Systems and authentication.
This post will expand upon Verifiable Credentials. I promise that the next posts will have other subjects 😉
The best way to introduce the concept of verifiable credentials is to again quote the W3C Verifiable Claims working group:
A verifiable claim is a qualification, achievement, quality, or piece of information about an entity’s background such as a name, government ID, payment provider, home address, or university degree. Such a claim describes a quality or qualities, property or properties of an entity which establish its existence and uniqueness.
What the above doesn’t state is that it is about digital claims. The world around us is rapidly becoming more and more digital. Yet for whatever reason we trust analogue/paper processes more than digital processes. Probably because digital information is so easily manipulated. Hacks, conscious manipulation, deep fakes, photoshopped images are some of the examples everybody knows about.
How do we create trust currently?
We start by trusting central authorities. We have the state issue driver licenses, passports, identity cards, visas and social security numbers. Tax authorities provide income and tax data for both natural persons and businesses. The chamber of commerce provides incorporation data about businesses and the people associated with them. Employers provide proof of employment and wages, to name a few.
If you are lucky this data is provided in some digital form as well, but most of the time it is not. Even if it is provided in a digital form, it is rarely interchangeable. We are stuck with information scattered across paper most of the time. What happens when you want to get a mortgage? You go through this whole Know Your Customer (KYC) process, where they gather all kinds of information about yourself and your potential partner. Information is being scanned, archived and duplicated into backend systems. That is after you have gathered everything and handed it over to the mortgage provider.
Have you ever wondered why we trust most of that information? Simply because it is printed on official paper and comes with easy access to the entity that provided the information, in the form of phone numbers and e-mail addresses. In some circumstances, of course, there are security features incorporated in the documents themselves. Passports are obviously the best example of documents with security features.
Have you ever wondered how many entities have made copies of this type of information? Or how many entities still have that data on file about you? Or in how many systems that is stored? How is it secured? How many people have accessed the information? Is it even secure, or might it have been hacked? Ok let’s not get you paranoid now 😉
Verifiable Claims to the rescue
I talked about cross ledger (blockchain) decentralized identifiers (DIDs) in my previous article. A way to have digital self-created and managed identities for people, pets, devices and organizations that are universally resolvable like web browser URLs. What if I could make some digital claim using a DID attached to me, like for instance my date of birth and some claims you can derive from that, like my age and whether I am over 18 or not?
How would you trust these claims if I issued the claims myself using an identity (DID) I also created myself in the first place? Well, how do we do that currently? I go to my city hall to get my passport, driver’s license or ID card that proves my date of birth. Simply because they are the only authorized party that can provide me the document. What if they could digitally sign the claim about my date of birth, as well as the derivative claims? If my city also had a DID, it could use it to sign the claim.
Since anybody could verify the DID and signature of the city as well, you can trust that the claim is valid. Of course I want to be able to store the claims about myself as well as selectively disclose what claims to present to the person wanting to do the verification; the Inspector/Verifier. The process itself is a bit more complex, but the picture below shows the process.
Example: Combining DID auth and Verifiable Credentials
Let’s say I want to visit a website that has an age restriction, where you need to be at least 21 years old (no, do not ask what type of site this example is about). How do I get in without revealing my actual age or date of birth?
First, if the site supports WebAuthn or DID-auth, I could use my DIDs on Factom to prove I am in control of the identity. Through a challenge-response system using my private key, held in an authenticator app or web browser, I would get in without ever using an insecure password.
Next the website asks for proof that I am over 21 years old. In my credentials repository I might have stored multiple credentials issued by multiple issuers that would satisfy this requirement. My browser or application asks which credential I would like to present/use. I choose one and the website will check the credential in the background and let me in. All of this happens in a seamless way without disclosing too much information. All the website knows now is that I am allowed to log in and am over 21 years of age, which has been asserted by a party the website trusts. They do not know my real age, let alone my date of birth. I am in control of disclosure of that information. That is what selective disclosure is about.
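The age check described above, sketched as an added example (not code from the original post or from Factom): the issuer signs salted hashes of each claim so the holder can reveal only `over_21`, and the holder signs the site's nonce to prove control of the subject DID. The DIDs, the `resolve` lookup and the toy RSA keys are assumptions made for illustration; this salted-hash technique is selective disclosure, not a zero-knowledge proof, and a real deployment would use the keys from the resolved DID documents with a standard signature scheme.

```python
import hashlib, json, secrets

def keypair(p, q, e=65537):
    # Toy textbook RSA from known primes: a stand-in for real DID keys, NOT secure.
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(key, msg):
    return pow(_h(msg, key["n"]), key["d"], key["n"])

def verify(pub, msg, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(msg, pub["n"])

def digest(name, value, salt):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(issuer_did, issuer_key, subject_did, claims):
    # The issuer signs salted digests only; values and salts stay with the holder.
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = sorted(digest(k, v, salts[k]) for k, v in claims.items())
    body = json.dumps({"issuer": issuer_did, "subject": subject_did, "digests": digests})
    return {"body": body, "sig": sign(issuer_key, body)}, salts

def present(cred, claims, salts, reveal, holder_key, nonce):
    # The holder reveals chosen claims and signs the verifier's nonce (DID-auth step).
    disclosed = {k: [claims[k], salts[k]] for k in reveal}
    return {"cred": cred, "disclosed": disclosed,
            "proof": sign(holder_key, nonce + cred["body"])}

def check(pres, nonce, resolve, trusted):
    # Verifier: return the disclosed claims if every check passes, else None.
    cred, shown = pres["cred"], pres["disclosed"]
    body = json.loads(cred["body"])
    ok = (body["issuer"] in trusted                                  # issuer is trusted
          and verify(resolve(body["issuer"]), cred["body"], cred["sig"])  # issuer signed it
          and verify(resolve(body["subject"]), nonce + cred["body"], pres["proof"])  # fresh
          and all(digest(k, v, s) in body["digests"] for k, (v, s) in shown.items()))
    return {k: v[0] for k, v in shown.items()} if ok else None

# Constructed demo identities; KEYS and resolve() stand in for DID document lookup.
ISSUER, HOLDER = "did:example:city-hall", "did:example:alice"
KEYS = {ISSUER: keypair(2**127 - 1, 2**107 - 1), HOLDER: keypair(2**89 - 1, 2**61 - 1)}

def resolve(did):
    return {"n": KEYS[did]["n"], "e": KEYS[did]["e"]}
```

The nonce binds the presentation to one login attempt, so a captured presentation cannot be replayed against a later challenge.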
Passport less travel?
“People are never going to trust that and not use passports anymore. Let alone authorities allowing you to not use a physical passport during travel”.
Well, news flash: I live in the Netherlands and my country has a world first. As an experiment it will become possible in 2020 to travel between Amsterdam, The Netherlands and Canada without a passport. Simply by means of a smartphone app that loads information about your passport into a secure vault. Three guesses what type of technology is involved in making that happen. All mainstream media have reported about it.
Zero-knowledge is a transformative technology, with applications ranging from on-chain scalability and anonymous voting to preservation of sensitive information in B2B data exchanges — Valentin Ganev
Zero-knowledge is a really, really hard mathematical problem, so it is also really hard to explain. This article is way too short to start trying to explain it in a comprehensible way, so I am not even going to try. If you are interested in the concept, I suggest reading, for example, one of the links below. A zero-knowledge proof is where a prover (P) can prove to a verifier (V) that he knows information i, without communicating anything to V other than the fact that P knows i.
A zero-knowledge proof satisfies the following three properties:
- Completeness means that if P is telling the truth, V will, with high probability, eventually be convinced that P is telling the truth.
- Soundness is the fact that P can only convince V if P is telling the truth.
- Zero-knowledgeness is that V doesn’t learn anything about P’s secret knowledge (solution).
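The three properties can be seen in Schnorr's identification protocol, a classic zero-knowledge proof that P knows the discrete logarithm x of a public value y. This is an added example, not code from the original post; the group parameters are tiny constructed values chosen for readability and offer no real security.

```python
import secrets

# Toy group (constructed): P = 2Q + 1 with P and Q prime; G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1       # the secret "i" that the prover knows
    return x, pow(G, x, P)                 # (secret x, public value y = G^x mod P)

def commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                 # prover keeps r and sends t = G^r

def respond(x, r, c):
    return (r + c * x) % Q                 # r is a one-time uniform mask, so s hides x

def accept(y, t, c, s):
    return pow(G, s, P) == (t * pow(y, c, P)) % P    # checks G^s == t * y^c

def run_round(y, x):
    """Completeness: an honest prover who knows x is always accepted."""
    r, t = commit()
    c = secrets.randbelow(Q)               # verifier's challenge, chosen after seeing t
    return accept(y, t, c, respond(x, r, c))

def simulate(y):
    """Zero-knowledge: an accepting transcript built from y alone, without x.
    Transcripts like this are distributed as real ones, so V learns nothing new."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P
    return t, c, s

def cheating_round(y):
    """Soundness: without x the prover can only pre-guess the challenge, and the
    verifier's fresh random c matches that guess with probability 1/Q."""
    t, _guess, s = simulate(y)
    c = secrets.randbelow(Q)
    return accept(y, t, c, s)
```

With a realistically sized group the cheating probability 1/Q becomes negligible, which is why production parameters use a Q of roughly 256 bits.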
Offchain personal data storage — Identity Hubs
As mentioned above, a public blockchain should never be used to store personal identity data. Simply because you cannot delete it from the blockchain. This would be a GDPR nightmare in the making. Simple encryption is also not really a good idea, as the encryption scheme might be broken in 10–20 years’ time.
You want to have a different solution for secure storage of personal data and information. Identity Hubs, coined by the Decentralized Identity Foundation, are that solution.
Identity Hubs are personal datastores that are off-chain and that typically contain personal data. They allow you to store sensitive data, like identity information, official documents, photos etc. in a way where you are in full control of disclosure. Nobody without explicit permission will be able to access any data stored in your Identity Hub. You are able to share subsets of data with other people, apps, organizations and at the same time retain a record of usage. Important to note is that one person or organization is not limited to one identity hub. You can have multiple independent hubs.
Relationship to DIDs?
Up until now I only talked about DIDs in the context of identities and authentication. I also explained that you can see them as URLs. But there is more to DIDs. They allow you to do service discovery, meaning they allow you to interact with additional systems simply by looking up information in the DID document on the blockchain. You can best compare it with a phonebook. If you know what you are looking for (the start location), you are able to look up additional data. Identity Hubs can be resolved using the DIDs. DIDs will also be used for authorization and access to the data, including revoking access.
Inversion of control
Inversion of control is a common term for developers, but here I am talking about the fact that the user will be in control of the data. It is stored in your own Identity Hubs. These hubs can be located on your personal devices, or in trusted cloud environments like Microsoft Azure (ok no jokes about trust now). Whenever a website would like to have access to certain data, it accesses your Identity Hub and only gets the particular item it is allowed to fetch, instead of having all the data stored in its own databases.
DIDs coming full circle
Below is a picture courtesy of Microsoft. It nicely explains how DIDs can be used to access identity data, verifiable credentials (DID attestations), authentication for people, organizations, apps and devices, and off-chain storage of data. It happens that Factom is a really nice protocol suited to make that happen in the near future.
Next posts will be about other technologies like tokenization, stable coins, smart contracts, IoT. We will leave the world of DIDs mostly behind us, although these technologies each also have some relation to DIDs.