We all carry around things that are specific to us: our driver’s license, our passport, and our membership cards to name a few. Additionally, we often store a number of other artifacts specific to us for varying lengths of time. These could be really important things like our birth certificate or diploma or more ephemeral items like a boarding pass. All of these things prove something about us. That is to say that they are tied to our identity.
To keep things consistent, let’s refer to these items as credentials. Credentials differ from another class of items: assets. Assets are things like money, a piece of art, a car, or a house. The main difference between these items is that credentials relate to an owner that never changes whereas assets are designed to change owners. Another way to put this is that credentials are tied to an identity and assets are not. Now of course it can get slightly more complicated in the real world, with some assets requiring the registration of the owner to create a sort of hybrid item. But typically this is only the case when a credential is being layered onto an asset in a regulated context, like a car title, for instance.
Why Verifiable Credentials?
Verifiable Credentials (often abbreviated “VCs”) are a W3C standard that helps make all of the real-world credentials mentioned earlier into digital, interoperable files so that we can use them all across the internet and store them on our devices and on servers. The great thing about Verifiable Credentials is that they can be stored by anyone, anywhere and they won’t lose their integrity. We will get into the details about how this works a bit later, but first let’s start with an analogy.
At this point we are all familiar with cryptocurrencies like Ethereum and Bitcoin. These technologies were created to merge the physical properties of cash with the convenience of the internet. If you think back to some of the Crypto 101 presentations or articles you have probably come across, you’ll remember that transferring value online required intermediaries like banks and payment processors like Stripe. However, when using cash, there are no intermediaries. All you have to do is hand someone a dollar which is great for privacy, cost, and efficiency. Verifiable Credentials aim to do for documents what crypto did for cash. Verifiable Credentials can bring all those cards, papers, and certificates that we have to carry around or otherwise keep track of online without needing to introduce intermediaries!
At Disco, we allow you to use VCs as the core building block of your identity. Using DIDs, Disco users can create a Data Backpack. A Data Backpack is the user-owned container where a user receives and manages their VCs. As you navigate through the Metaverse you’ll carry this Disco Data Backpack with you and add Verifiable Credentials to it. As you do, your identity and reputation will become more and more robust and you will be able to unlock increasingly valuable experiences. Verifiable Credentials will come to represent the fact that you are human and not a bot, that you are truly a fan of an artist, that you were present at some place at some time, that you meet a given regulation, or that you completed some course or curriculum. VCs can even represent very sensitive and consequential information such as medical records or citizenship status.
What is a VC?
At the end of the day, a Verifiable Credential is just a file (a JSON file to be exact). Because they are just a file they can be stored and transferred just like any other file. But VCs have a number of additional advantageous properties. They are:
Hard to fake
Easier to custody
Easier to replicate
Cheap to create, issue, and deliver
Peer to peer verifiable and validatable
Let’s take these one at a time.
Hard to Fake
When we say “hard to fake” we mean really hard to fake. Like an Ethereum transaction, credentials are cryptographically signed. This means that they are tamper-evident. If a credential has been signed and someone then changes something in the file, the signature will no longer verify. This is where the “verifiable” part of Verifiable Credentials comes from. Anyone who receives a file from someone else as a VC can check that the file hasn’t been altered at any point after it was originally created.
I’m sure we all know a friend or two who used their older sibling’s ID to get into a bar. This is a relatively trivial case of impersonation. However, online things can get far more serious. Digital identity theft resulted in $56 Billion in losses in 2020. One of the main features of Verifiable Credentials is that they are issued to a public key. As you might recall from the posts on DIDs, public keys are controlled by private keys that someone generates for themselves and keeps secret. By issuing VCs to public keys rather than a name, for instance, only the person with the corresponding private key can prove that the credential belongs to them. As long as your private key is safe, no one can use your VCs to impersonate you! It doesn’t even matter if they have the JSON files.
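The two checks described above (the issuer's signature for tamper evidence, and proof that the presenter holds the private key the credential was issued to), as an added example that is not Disco's code and does not follow the W3C data model. The `Credential` struct, `Issue`, `Verify`, the issuer name and the nonce are hypothetical, simplified stand-ins, and Ed25519 is an assumed signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is a hypothetical, simplified stand-in for a VC (not the W3C data model).
type Credential struct {
	Issuer  string `json:"issuer"`          // placeholder issuer identifier
	Subject []byte `json:"subject"`         // holder's public key the credential is issued to
	Claim   string `json:"claim"`           // what the issuer asserts about the subject
	Proof   []byte `json:"proof,omitempty"` // issuer signature over the other fields
}

// payload returns the bytes that get signed: the credential without its proof.
func payload(c Credential) []byte {
	c.Proof = nil
	b, _ := json.Marshal(c) // cannot fail for a struct of strings and byte slices
	return b
}

// Issue signs the credential with the issuer's private key.
func Issue(c Credential, issuerKey ed25519.PrivateKey) Credential {
	c.Proof = ed25519.Sign(issuerKey, payload(c))
	return c
}

// Verify checks tamper evidence (issuer signature) and holder binding
// (a signature over the verifier's challenge made with the subject key).
func Verify(c Credential, issuerPub ed25519.PublicKey, challenge, holderSig []byte) bool {
	if len(c.Subject) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, payload(c), c.Proof) {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(c.Subject), challenge, holderSig)
}

func main() {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(nil)
	holderPub, holderKey, _ := ed25519.GenerateKey(nil)
	_, otherKey, _ := ed25519.GenerateKey(nil) // someone who only has a copy of the file
	vc := Issue(Credential{Issuer: "example-university", Subject: holderPub, Claim: "BSc 2020"}, issuerKey)
	nonce := []byte("constructed-verifier-nonce") // a real verifier picks a fresh random value
	fmt.Println(Verify(vc, issuerPub, nonce, ed25519.Sign(holderKey, nonce))) // genuine holder
	fmt.Println(Verify(vc, issuerPub, nonce, ed25519.Sign(otherKey, nonce)))  // copied file, wrong key
	vc.Claim = "PhD 2020"
	fmt.Println(Verify(vc, issuerPub, nonce, ed25519.Sign(holderKey, nonce))) // altered after signing
}
```

The challenge is what makes the second check meaningful: without a value chosen by the verifier for each presentation, a recorded holder signature could be replayed alongside the copied file.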
Can Be Easier To Custody
This one is pretty straightforward. VCs are just digital files. So, no need to carry around a wallet or keep a box of files in the attic. VCs can be stored on your phone, or in the case of Disco, stored on an (off-chain!) decentralized network.
Can Be Easier To Replicate
One of the things we all often worry about when custodying our credentials, physical or otherwise, is losing them. I’m sure we have all had the experience of losing a license or some other document we need. The same is true for digital files like VCs, but VCs have an advantage: easy replication. Since VCs are signed, it really doesn’t matter where they are stored: any change to a copy would be detected when the signature is checked. This means that you can hedge against losing your VCs by storing copies in a number of different places such as on your device, in the cloud, etc.
Cheap to Create, Issue and Deliver
This one is really just the universal case of digital stuff vs physical stuff. Think about all the work that likely goes into creating and issuing you a license or passport. It takes weeks! VCs can be created, issued, and delivered to the user in minutes or even seconds without a human needing to be involved (in most cases).
Peer to Peer Verifiable and Validatable
This property is incredibly powerful and is what helps VCs play such a big role in the future of decentralized identity. Because a Verifiable Credential is cryptographically signed by the DID that created it and issued to the DID of the person or thing that the VC is about, anyone can verify and validate the VC easily. Think about this: without this property, if a stranger showed you a file that seemed to be a digital diploma, how would you know it was real? Even if it was a real diploma, how would you know it was their diploma? Well, one thing you could do is ask to see another form of identity and match the name on their diploma with the name on some other credential that you are familiar with, such as a driver’s license. And then you could call the University registrar to see if the person actually graduated from the college. That’s a lot of work!
This is related to the property above. When someone wants to validate that a credential someone is presenting to them is legit they often have to contact or otherwise have access to the issuer’s database. When this happens, the fact that the subject of the credential is using the credential with some other 3rd party is revealed to the issuer. This creates a big surveillance problem. But, since VCs can be disclosed, verified, and validated P2P, this privacy leakage doesn’t have to happen. Furthermore, since VCs are digital files we can do fancy cryptographic magic (zero-knowledge proofs!) on them. We will get into ZKPs in a later post!
This too is related to the P2P quality of VCs. When someone needs to contact the issuer to verify or validate a credential, this creates a mechanism of control on behalf of the issuer. It allows the issuer to decline to verify or validate a credential and effectively censor the holder of that credential. Additionally, in cases where you need an authority to imbue a credential with legitimacy, such as with a notary, the authority could refuse which would result in the censoring of the issuer. VCs, since they rely on public key cryptography, circumvent this mechanism of control.
This is the final attribute and one that is near and dear to Disco’s heart. It is very related to the attribute of replicability. VCs allow the holders of those VCs to carry and use them wherever they want and in whatever system that adopts the Verifiable Credential standard. There are many different pieces of systems that can be more or less decentralized, such as the number of nodes, the distribution of assets or governance, etc. The quality of decentralization that we care most about at Disco is the ability for a user to take their data with them!
Verifiable Credentials are a key piece of how Disco and the wider decentralized identity industry works. And at this point, if you are one of our more Web3 savvy friends, you might be noticing some similarities between VCs and NFTs. We will cover that and more, such as how VCs actually work, how they can be set to expire, revocation, zero-knowledge proofs and what they look like at the code level, in a further post. In the meantime, check out the dance floor at www.disco.xyz!
Co-Founder / Head of Strategy