Michael Becker recently sat down for a webinar to discuss self-sovereign identity and verified credentials (VC) with the authors of the OpenID Foundation’s May 12, 2022 “OpenID for Verified Credentials (OpenID4VC)” white paper.

The group considered 1) the business benefits of verified credentials, 2) how to get started with them, and 3) the key takeaways. Those takeaways are clear: VCs are here to stay, they are straightforward to implement, and by adopting them, organizations, governments, and individuals can increase revenues, reduce cost and risk, and build trust.

The message from the authors of the OpenID Foundation’s “OpenID for Verified Credentials” white paper is clear: while it is early days, verified credentials (VC) are here, and they are here to stay. The authors explain that VCs are at the head of a commercial, regulatory, technological, and social movement reshaping the personal data and identity exchange relationship between enterprises, governments, and individuals. Individuals will increasingly be in control of their digital identity and personal data: they will be able to choose who accesses their data, what is accessed, when, where, for how long, and for what purpose. Enterprises, organizations, and governments can issue verifiable credentials to individuals. An organization being presented with a VC can take comfort that when an individual physically or digitally presents it to attest to their identity or to make a claim about themselves (e.g., “I graduated from this school,” “I am over 21,” “I have the skills for this job,” “I’m qualified for this loan,” “I’m authorized to access this service”), the information being presented is authentic, accurate, valid, and verifiable.

The Benefits of Verified Credentials

The speed at which verified credentials can be issued and verified is nothing short of miraculous. During the webinar, Jo Vercammen shared a verified credentials case study and showed how an enterprise reduced the time to onboard new employees from three days to thirty minutes; that’s a 94% reduction.

As one author pointed out, “it is still early days for VC deployments,” but there is already evidence that VCs can help enterprises, governments, and individuals to:

  • Increase revenues
  • Reduce costs
  • Be more efficient
  • Create a myriad of “better” onboarding and user experiences
  • Mitigate the risk of all kinds of cybercrime
  • and more

Torsten Lodderstedt points out that there are both philosophical and technical reasons for adopting verified credentials. He concurs with David Chadwick that the old centralized or federated methods of identity and personal data management have outgrown their technical and social usefulness. They are not fit for purpose in today’s digital age. The old paradigm exposes people to phishing attacks, forces them to share too much data with too many providers, and creates honeypots for cybercriminals to exploit. On the other hand, the new “VC” paradigm, as Kristina Yasuda points out, will bring numerous benefits.

  • End User retains control over
    • when to disclose which credential to which Verifier
    • from which Credential Issuer to obtain what credential
  • End Users can present
    • credentials to the Verifier without the credential issuer knowing, strengthening privacy protections for the End User
    • credentials to the Relying Parties who do not have a federated relationship with the Credential Issuer
    • multiple credentials issued by different credential issuers in a single presentation
  • End Users control their relationship with the Verifiers independent of third-party identity providers’ decisions or lifespan
  • Is consistent with how physical credentials (e.g., a driver’s license) are used
  • Is consistent with global trends toward user consent-based policies and architectures, such as privacy legislation (GDPR, CCPA) and the Open Banking/Open Data movement
  • Implements verifiable credentials for the audited tax return and birth and marriage certificate ecosystems in a secure, interoperable, and trusted manner
  • Reuses some of the existing infrastructure, so code and libraries are widely available

So, exactly what is a Verified Credential and OpenID4VC?

Let’s start with what a VC is. Torsten, David, Kristina, Kenichi, and Jo each provide a unique lens on what a verified credential is.

To put it simply, according to Torsten, a VC is a cryptographically tamper-evident digital representation of a physical credential, e.g., a digitally verifiable driver’s license, passport, employee ID card, birth certificate, diploma, professional license or certificate, audited tax record, COVID vaccination status card, loyalty card, plane ticket, etc. A VC can contain and represent any collection of verifiable attributes about an individual or thing. Kenichi, a global leader in mobile driver’s license standards, points out that a mobile driver’s license has all the same properties as a digital driver’s license, meaning it can be used both online and offline, as the credential’s details are securely embedded on an individual’s device, such as a smartphone.

To put it in technical terms, a verified credential is a “digital statement”: a cryptographically signed digital certificate created by an Issuer (e.g., a government, employer, bank, or company) and issued to an individual (or a smart thing), or, more precisely, published and stored in the individual’s (the Holder’s) digital wallet (e.g., a secure smartphone app). Only the Holder has the keys to unlock and use the credential. The individual can then present their VC to another entity, i.e., a Verifier (website, app, employer, government, bank, restaurant, bar, etc.), and assert a claim, e.g., that they have the right to board the plane, that they are over 21, or that they graduated from a particular school.

A fundamental property of VCs, unlike centralized or federated identity systems and more like physical identity disclosure, is that when a Holder uses a VC, the Issuer is not made aware that the credential was used. Furthermore, with VCs the individual can practice what is called “selective disclosure.” For instance, in the old paradigm, when asked if they are over 21, they may have to share their driver’s license or passport, which includes their picture, ID number, address, and other sensitive data. With a VC, when an individual is asked if they are over 21 or otherwise qualified, they use their “digital wallet” to access the VC and present only the necessary information, in this case a “yes,” that they are over 21. Or, if they are in a weight-loss program, they can prove how much weight they lost or how much exercise they performed without revealing anything else. No extraneous information is leaked. Moreover, there is no need for companies to store massive amounts of data about an individual; they can securely request it from the individual when it is needed. As the use of VCs grows, companies will reduce their IT and data risks and improve trust with individuals, and individuals will be more secure and empowered.
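As an added illustration, not code from the webinar, the white paper, or any OpenID Foundation project, the following Go program models the flow just described: an issuer signs salted digests of each claim, the holder’s wallet reveals only the “over 21” claim, and the verifier checks the issuer’s signature offline, never contacting the issuer. The issuer name, claim names, and key handling are constructed placeholders, and the salted-digest scheme is a simplified stand-in for the selective-disclosure mechanisms of real VC formats, not the W3C or ISO data model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Disclosure is one claim plus a random salt; only its digest is signed, so an
// undisclosed claim cannot be recovered or brute-forced from the credential.
type Disclosure struct {
	Salt  string `json:"salt"`
	Name  string `json:"name"`
	Value string `json:"value"`
}

// Credential is the issuer-signed object: issuer name and claim digests only.
type Credential struct {
	Issuer  string   `json:"issuer"`
	Digests []string `json:"digests"`
	Sig     []byte   `json:"sig"`
}

// digestOf hashes the JSON form of a disclosure (fixed field order, so deterministic).
func digestOf(d Disclosure) string {
	b, _ := json.Marshal(d)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signingInput is the exact byte string the issuer signs and the verifier checks.
func signingInput(issuer string, digests []string) []byte {
	b, _ := json.Marshal(struct {
		Issuer  string   `json:"issuer"`
		Digests []string `json:"digests"`
	}{issuer, digests})
	return b
}

// NewIssuerKeys creates an Ed25519 key pair for a hypothetical issuer.
func NewIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Issue signs the claim digests; the full disclosure list lives only in the holder's wallet.
func Issue(issuer string, priv ed25519.PrivateKey, claims map[string]string) (Credential, []Disclosure) {
	var wallet []Disclosure
	var digests []string
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			panic(err)
		}
		d := Disclosure{Salt: hex.EncodeToString(salt), Name: name, Value: value}
		wallet = append(wallet, d)
		digests = append(digests, digestOf(d))
	}
	sort.Strings(digests) // sorted so digest order says nothing about the claims
	cred := Credential{Issuer: issuer, Digests: digests}
	cred.Sig = ed25519.Sign(priv, signingInput(issuer, digests))
	return cred, wallet
}

// Present is the holder's selective disclosure: only the named claims leave the wallet.
func Present(wallet []Disclosure, reveal ...string) []Disclosure {
	var out []Disclosure
	for _, d := range wallet {
		for _, n := range reveal {
			if d.Name == n {
				out = append(out, d)
			}
		}
	}
	return out
}

// Verify runs offline (the issuer is never contacted): it checks the issuer
// signature, then accepts only disclosures whose digest is in the signed list.
func Verify(cred Credential, disclosed []Disclosure, issuerPub ed25519.PublicKey) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, signingInput(cred.Issuer, cred.Digests), cred.Sig) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	signed := map[string]bool{}
	for _, h := range cred.Digests {
		signed[h] = true
	}
	claims := map[string]string{}
	for _, d := range disclosed {
		if !signed[digestOf(d)] {
			return nil, fmt.Errorf("claim %q was not signed by the issuer", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}
```

Running `Verify(cred, Present(wallet, "over_21"), pub)` on a credential issued with name, address, and over_21 claims yields only `map[over_21:true]`; the name and address never leave the wallet, and a disclosure whose value has been altered fails the digest check. Two things a production wallet adds that this model omits: holder binding (the verifier challenges the holder to prove possession of the wallet key, so a stolen presentation cannot be replayed) and a trust list for issuer public keys, which is assumed here to be known to the verifier in advance.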

Now, on to OpenID for Verified Credentials. The VC model explained above illustrates how the data within a verified credential is generated, stored, and used. The OpenID4VC white paper highlights two verified credential data models: the W3C Verifiable Credentials Data Model standard and the ISO/IEC 18013-5 standard for personal identification and mobile driver’s licenses (mDL). The W3C VC standard is closely associated with the W3C Decentralized Identifier standard, a method for generating an identifier to be associated with a VC; other identifier models can also be used with VCs.

It is important to note, as explained by Kaliya Young, “The Identity Woman,” that W3C VCs “have broad expressive capacity and applicability that enable entities to attest to nearly any claim about an individual and for individuals to assert that claim.” The ISO standard, by contrast, is purpose-built for the offline use of a mobile driver’s license. The OpenID4VC white paper explains how the OpenID and OAuth 2.0 protocols can be used to securely transmit any certificate, including VCs. In other words, OpenID4VC is a format-agnostic protocol for VC exchange, not creation. Kristina uses the analogy of a train: OpenID4VC is like the standard rails that any standards-compliant train car, i.e., a VC from any manufacturer, can use to get from point A to point B digitally.

The Key Takeaways

I encourage you to listen to the entire webinar; it is fantastic. After participating in this webinar, it is evident to me that VCs are really going to shake things up.

The key takeaways from our speakers are that:

  • VCs are a new paradigm
  • While it is early days, VCs are here, and their benefits are being proven
  • People can use VCs to manage what they disclose and to whom, and when
  • The OpenID for VC standard
    • will be familiar to most developers
    • will be familiar to regulators
    • is an inherently secure method for transmitting VCs and related credentials
  • Decentralized Identifiers or Blockchain is NOT required to use VCs
  • There are groups (e.g., Google, ICMDL) working on increasing the security of VCs, i.e., binding them to biometrics

Join us for “Virtual 1/2 Day The Business of Self-Sovereign Identity Unconference Workshop”

You’re in luck if you’d like to learn more about self-sovereign identity and verified credentials. I will be hosting, along with Kaliya Young and the Internet Identity Workshop, a virtual 1/2 day unconference workshop “The Business of Self-Sovereign Identity.” The MEF community gets a 25% discount ($56.25 instead of $75.00 if you register by Aug. 1st); use code MEF_25.

If you’ve never been to an unconference before, you’re in for a treat. If you have been, you know what I’m talking about. At an unconference, there is no set program or plan. The attendees make the plan at the beginning of the conference, and they work collaboratively throughout the day, sharing their knowledge and insights. It is a special time when learning happens and relationships are formed and solidified. I hope you can join us.

Michael Becker

Founder, CEO, Identity Praxis


MEF