
Organisational Credentials

An Organisational Wallet enables organisations to securely issue, verify and manage Verifiable Credentials!

An organisational wallet, or more accurately an 'organisational agent', extends the concept of personal wallets to the needs of organisations, enabling corporates, public institutions, and government bodies to securely manage the credentials that they issue, or that they receive and need to verify.

Unlike personal wallet apps, which are designed for use by individuals, an organisation has specific requirements that an organisational agent has to meet.

Figure: Natural Person and Legal Entity Credentials overview

From a legal vantage, organisations are independent entities by law, vested with the capability and even obligations to autonomously act, transact, and possess assets.

This legal autonomy underscores the critical necessity for an organisational wallet: an application to manage and safeguard the organisation's digital assets, credentials, and identities. Such a tool is not merely an option but a fundamental requirement for upholding that legal independence.

An organisational agent is crucial for enabling a structured delegation of duties and responsibilities, ensuring that individuals across various roles and with diverse mandates can effectively engage and utilize it.

Together with organisations such as the Chamber of Commerce, Tax Authority, Unifiedpost, the Dutch Blockchain Coalition, and others, our team is working hard to build a feature-rich organisational agent application for corporates, public institutions, and government bodies.

Understanding Wallets and Agents

When we talk about digital credentials, the terms “wallet” and “agent” are often used interchangeably, yet they serve distinct roles in the ecosystem. To clarify:

  • Wallets are digital repositories that securely store verifiable credentials or other digital assets. Think of them as the digital equivalent of a physical wallet holding your identity documents, certifications, and access cards.
    Wallets also provide the user interface through which individuals and organisations interact with their credentials, manage them, and present them when required.
  • Agents, on the other hand, act on behalf of the wallet's owner to communicate, negotiate, and transact with other entities within the digital credential system. Agents facilitate the secure exchange of credentials between wallets, handle the cryptographic operations involved in issuing (signing), presenting and verifying credentials, and ensure the integrity and confidentiality of the data exchanged.

So, while a wallet focuses on storage and the usage of credentials, an agent is the active component that operates within the network, executing tasks, making connections, and performing verifications.

Key Features of Organisational Agents

1. Issuance

  • Issuance: Organisations can digitally issue various types of credentials, such as professional certificates, workplace training and safety certificates, access badges, financial proofs, quality certifications for products and services, directly from their systems. This process involves creating a digital representation of the credential, signing it with the organisation’s cryptographic key to ensure authenticity, and then sending it to the recipient’s digital wallet.
  • Revocation: Should a credential become invalid (for reasons such as revocation of a license or annulment of a certificate), the organisation can update the credential’s status to reflect this change. Revoked credentials are flagged in verification processes, ensuring that only current and valid credentials are accepted.
  • Electronic Signing: Credentials are signed with keys held in Hardware Security Modules (HSMs) and referenced through various DID methods. Because the private key never leaves the HSM, a signature provides integrity (any alteration of the credential invalidates it) and non-repudiation (only the organisation could have produced it), provided that access to the signing operation is itself tightly controlled and logged.
  • Issuance via REST API: Organisations can issue or revoke credentials at scale through a RESTful API, so that issuance and revocation are automated from their own systems via the organisational agent. Credentials are generated dynamically, signed cryptographically and delivered to recipients' wallets programmatically, which keeps the process scalable and adaptable to different organisational needs.
  • Automatic Sharing: Functionality for the automatic sharing (with prior consent) of certain public credential information, such as Chamber of Commerce number, address, email, VAT number, etc., streamlining the sharing process and enhancing transparency.

2. Management

  • Credential Management: Manage the credentials the organisation issues, including designing credential schema definitions that set out structure and requirements, building user interface forms for credential operations (creation, retrieval, update, deletion), and establishing lookup definitions that integrate with Systems-of-Record or Line-of-Business systems so that credential data can be retrieved efficiently.
  • Monitoring and Lifecycle Management: After issuance, organisations can monitor and manage these credentials: tracking their current status, updating information as necessary, and handling lifecycle events such as renewal and expiry.
  • Presentation Definitions: Oversee the creation, update, and administration of Presentation Definitions within the DIF Presentation Exchange framework. This includes specifying the required credential information, detailing attributes and their proof mechanisms, and setting any necessary conditions or constraints to ensure that verification requests are precise, relevant, and secure.
  • Decentralized Identifiers (DIDs): Creating, updating and managing the DIDs that anchor the organisation's identity to a verifiable data registry, which may be a blockchain or, depending on the DID method, a web domain or the key material itself. Verifiers resolve the DID to obtain the organisation's current public keys, so keeping the DID document up to date is part of managing trust in digital interactions.
  • Key Management: The secure management of public and private keys using Hardware Security Modules (HSMs), supporting regular key rotations, to maintain the highest levels of security and trustworthiness.
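To make the Presentation Definition item above concrete, here is an added example, not Sphereon's code, of evaluating a DIF Presentation Exchange definition against the credentials in a holder's wallet and building the presentation_submission that answers it (the same mechanism the verification request step relies on). The definition, the credentials, the DIDs and the JSONPath and JSON Schema subsets it handles are all constructed for the example; a real agent would use a full implementation of both specifications.

```javascript
// Added example (not Sphereon's code): evaluate a DIF Presentation Exchange
// Presentation Definition against a holder's credentials and build the
// presentation_submission that answers it. Handles only the JSONPath subset
// ($.a.b, $.a[0]) and the JSON Schema keywords (type, const, enum, pattern,
// contains) used below; definition, credentials and DIDs are constructed.

// Resolve a simple JSONPath such as '$.credentialSubject.kvkNumber' or '$.type[0]'.
function jsonPath(obj, path) {
  const tokens = path.replace(/^\$\.?/, '').split(/\.|\[|\]\.?/).filter(Boolean);
  return tokens.reduce((cur, key) => (cur !== null && typeof cur === 'object' ? cur[key] : undefined), obj);
}

// Check a value against the JSON Schema subset PEX uses for field filters.
function matchesFilter(value, filter) {
  if (!filter) return true;
  if (filter.type) {
    const actual = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
    if (actual !== filter.type) return false;
  }
  if ('const' in filter && value !== filter.const) return false;
  if (filter.enum && !filter.enum.includes(value)) return false;
  if (filter.pattern && !new RegExp(filter.pattern).test(String(value))) return false;
  if (filter.contains && !(Array.isArray(value) && value.some((v) => matchesFilter(v, filter.contains)))) return false;
  return true;
}

// A field is satisfied by the first of its paths that resolves; a missing value only passes if optional.
function fieldSatisfied(credential, field) {
  const value = field.path.map((p) => jsonPath(credential, p)).find((v) => v !== undefined);
  if (value === undefined) return field.optional === true;
  return matchesFilter(value, field.filter);
}

// For each input_descriptor pick the first credential that meets all of its constraints.
function evaluatePresentationDefinition(definition, credentials) {
  const descriptorMap = [];
  const unmet = [];
  for (const descriptor of definition.input_descriptors) {
    const fields = (descriptor.constraints && descriptor.constraints.fields) || [];
    const index = credentials.findIndex((vc) => fields.every((f) => fieldSatisfied(vc, f)));
    if (index === -1) { unmet.push(descriptor.id); continue; }
    descriptorMap.push({ id: descriptor.id, format: 'ldp_vc', path: `$.verifiableCredential[${index}]` });
  }
  if (unmet.length > 0) return { ok: false, unmet };
  return {
    ok: true,
    presentationSubmission: { id: 'submission-1', definition_id: definition.id, descriptor_map: descriptorMap },
  };
}

// Constructed verifier request: a supplier must show a Chamber of Commerce
// registration from the trusted registry issuer plus a VAT registration.
const presentationDefinition = {
  id: 'supplier-onboarding',
  input_descriptors: [
    {
      id: 'coc-registration',
      purpose: 'Chamber of Commerce registration issued by the trusted registry',
      constraints: { fields: [
        { path: ['$.type'], filter: { type: 'array', contains: { const: 'ChamberOfCommerceCredential' } } },
        { path: ['$.issuer.id', '$.issuer'], filter: { type: 'string', const: 'did:web:kvk.example' } },
        { path: ['$.credentialSubject.kvkNumber'], filter: { type: 'string', pattern: '^[0-9]{8}$' } },
      ] },
    },
    {
      id: 'vat-registration',
      constraints: { fields: [
        { path: ['$.type'], filter: { type: 'array', contains: { const: 'VatCredential' } } },
        { path: ['$.credentialSubject.vatNumber'], filter: { type: 'string', pattern: '^NL[0-9]{9}B[0-9]{2}$' } },
      ] },
    },
  ],
};

// Constructed wallet contents: the first CoC credential comes from an untrusted issuer.
const walletCredentials = [
  { type: ['VerifiableCredential', 'VatCredential'], issuer: 'did:web:tax.example',
    credentialSubject: { id: 'did:web:supplier.example', vatNumber: 'NL123456789B01' } },
  { type: ['VerifiableCredential', 'ChamberOfCommerceCredential'], issuer: { id: 'did:web:rogue.example' },
    credentialSubject: { id: 'did:web:supplier.example', kvkNumber: '12345678' } },
  { type: ['VerifiableCredential', 'ChamberOfCommerceCredential'], issuer: { id: 'did:web:kvk.example' },
    credentialSubject: { id: 'did:web:supplier.example', kvkNumber: '12345678' } },
];

function runPexScenario() {
  return {
    full: evaluatePresentationDefinition(presentationDefinition, walletCredentials),
    partial: evaluatePresentationDefinition(presentationDefinition, walletCredentials.slice(1)),
  };
}
```

The issuer constraint is the part that matters for security: without it, the rogue Chamber of Commerce credential would satisfy the descriptor just as well as the genuine one, because the schema check alone says nothing about who vouches for the data.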

3. Verification

  • Requesting Credential Information: The initial and critical step in the verification process involves requesting the sharing of credential information. This is facilitated through the use of the DIF Presentation Exchange, employing a standardised method for credentials to be requested and shared. The process is grounded in a Presentation Definition, which specifies the exact information required.
  • Incoming Credential Verification: When a digital credential is presented for verification (e.g., when applying for a job or accessing a service), the organisation can instantly and automatically check its authenticity and validity. The agent resolves the issuer's DID to obtain the issuer's public key, verifies the digital signature against that key, checks the validity period and revocation status, and confirms that the presentation is bound to the holder presenting it, so that a credential copied from another wallet is rejected.
  • Process Integration: After verification the data must be passed on by the agent for further processing by a Line-of-Business system, such as HR management, client onboarding in CRMs, and access control systems.
  • Passwordless Logins: Enabling the verification of a known user's credential for passwordless access to an organisation's portal or application, effectively eliminating the need for traditional username and password login methods. By leveraging verified digital credentials, users can authenticate their identity and gain access to systems or portals, along with the appropriate authorisations therein, enhancing both security and user experience by simplifying the login process.

4. Storage

  • Secure Storage: The organisation’s credentials must be stored in a secure, encrypted storage space with strict access controls. This ensures that sensitive information is protected against unauthorised access, theft, or leakage.
  • Data Protection: In addition to encryption, other data protection measures are often implemented, such as data minimization (only storing necessary information) and pseudonymization (ensuring that stored data cannot be directly linked to an individual without additional information).
  • Backup and Recovery: Implementing comprehensive backup and recovery strategies to safeguard the credentials against data loss due to technical failures or security breaches.

5. Interoperability

  • Standards Compliance: An organisational agent must adhere to international standards and frameworks for digital identities and credentials (such as those of W3C and DIF, and the DIIP interoperability profile). Standards compliance ensures that the credentials it manages can be recognised and verified by other entities worldwide.
  • Technology Agnostic: The agent is designed to work across various technological platforms and devices, making credentials accessible and verifiable anywhere, regardless of the specific technology used by the credential holder or verifier.
  • Ecosystem Participation: Interoperability facilitates the organisation’s participation in broader digital credential ecosystems, allowing for more seamless exchanges of credentials across industries and sectors. This is particularly important in global or cross-sectoral contexts, where credentials need to be recognized and verified by a wide range of stakeholders.

User Management in Organisational Agents

User Management is critical functionality within an organisational agent, ensuring secure, efficient, and controlled operation.

  • User Accounts and Authentication: Creation and management of user accounts, ensuring individuals are authenticated and have access only to necessary functionalities based on their roles.
  • Group Management: Organising users into functional groups with specific permissions, facilitating easier management of access controls and role assignments based on departmental or functional lines.
  • Role Management (Role-Based Access Control): Defining roles within the organisation, each associated with a specific set of permissions (e.g., Credential Issuer, Verifier) to control who can issue, manage, verify, and revoke certain credentials.
  • Delegation of Authorization: Allowing certain roles or users to delegate specific tasks or permissions to others, enhancing operational flexibility and efficiency while maintaining a record for accountability and oversight.
  • Duties and Powers: Defining the duties associated with each role or group and delineating their powers, such as issuing, verifying, or revoking certain credentials, to ensure that these actions are authorised and not abused.
