What is schema in Active Directory?

A schema is a definition of objects and attributes used in Active Directory.

Why use cloud preview features?

The cloud vendor gives you the opportunity to move faster and benefit from things that are still being developed, for the price of possible additional problems, services not being finalized, and not having a full SLA on them.

What are Azure preview features?

In short, they're test services or functionalities which are still under development, and so: - features might not work as expected or can be changed - they might not be completely covered by support or SLA (even if you have it in place for other services) - they might not provide the same level of resilience, security or privacy protection as typical services - their delivery and pricing model might change in the future.

What are Verifiable Credentials and Decentralized Identifiers?

Item: Predica
Author: Tomasz Onyszko

Blog

Tomasz Onyszko CTO

8 MIN READ FEBRUARY 28, 2022

Digital identity on the Internet - what's new?

How can we fix identity on the Internet?

You and I, we have learned to live with identity on the Internet. We have accounts, logins, passwords, and learned to live with them and manage them. There are ways to simplify the process, mostly in the enterprises through protocols and the SSO approach.

Is login your identity? How does it express facts about you? How can you really prove who you are, what are your skills obtained at university, or which credentials you own?

Of course, you can upload pictures and PDFs to a website to process and prove facts about you. It is what KYC (Know Your Customer) is about. What’s the problem with this approach? You can’t control the data after you give it to another party and it is troublesome. Every company needs to figure out how to do it on its own.

What if we could create a mechanism to translate facts about identity, credentials, and other information into easily transferable and verifiable digital form? What if we would let people use them in the way they want and still be in control of this information?

The time comes to address these concerns and here enter Decentralized Identifiers (DIDs).

What is a Decentralized Identifier (DID)?

In the simplest terms, it’s digital information about you, in a specific form, which you can issue (via some organization or on their own), manage and store yourself, and use to prove facts about yourself to other parties.

DID is a format of data and a way to use it, but to make it practical, you can then use it to obtain so-called Verifiable Credentials (VC, more on those in a bit). They add credibility to your DID and deliver proof of various aspects of your identity. You’re not limited to just one DID, either. You can set up multiple identities if you want to – e.g. one official for employment, one for casual use (gaming accounts, gym memberships, etc.), one for tests or trials, or anything else.

If you’re new to this topic, you may wonder: if I can set up any amount of DIDs, how would anyone know who I am? How to prove it? And how will anyone know I’m not someone else? That’s where Verifiable Credentials come in.

What are Verifiable Credentials (VC)?

Verifiable Credentials are an authentication method that verifies the selected identity aspects of the holder. The selective nature of VCs is important because, unlike traditional credentials or accounts, Verifiable Credentials don’t need to store all personal or account information. This is all kept in your digital wallet. VCs only prove your specific rights with regards to the issuing service.

Source: Microsoft

Verifiable Credentials in the real world

Let’s say that you apply for work in a regulated industry, for example, healthcare. When you apply or join a company, you need to prove your credentials to do this work – proof of your MD studies, previous employment, or certificates for a given specialization.

You can of course bring a stack of papers to do it and make someone go through it. Stack of papers has validity – but it can be produced by anyone. In other words, if someone presents a diploma from university X, you put more trust towards the form of credentials (diploma) than the fact (university attendance).

What if a university could issue you with a diploma in a form of Verifiable Credentials (VC)? In the process of obtaining this VC, you would need to prove your identity, using for example your national ID schema (or a VC obtained from your government)

You can then use it digitally – by transmitting it from your wallet to the hospital website or HR department. It can be verified – the transaction is stored on a public ledger and signed by the private key of the university. To verify it, the hospital doesn’t have to integrate the data with any university system, all information needed for it is public.

It is how Verifiable Credentials work in practice at NHS in the UK.

What are other practical use cases? Let’s see:

Enterprises: verifying employment status for access to apps or benefits
Education: proving university credentials and diplomas (check out this case study from Keio University)
Healthcare: proving work credentials for things like access to sensitive information for patients online, placing orders/retrieving orders from pharmacies, access to medical documentation.
Insurance: getting access to sensitive information / claims, identification of customers and policy holders, access and proving the role of claims agents
Government: connection to national ID schemes, proving and transferring identity online
Enterprises/retail: frontline workers, external workers’ access to the work environment, identification.

It starts with a connection of the physical world and verification in it, and moves it to the digital realm, in a way which is easy to use, verify, and confirm in a trustless environment.

When it comes to DIDs used for everyday or professional use, they also begin with verification in the physical world.

Do we need Verifiable Credentials?

Life writes the best scenarios. The need for VCs has proven very practical in recent weeks, when refugees from Ukraine arrived in Poland, in many cases with no or incomplete documents. Verifiable Credentials could help solve this problem. Once issued, people can prove at any point in time that such a document was issued to them by the authority.

Such attempts were already made, but we still have a long way to go until the standard is accepted worldwide. If you want to read more about these use cases, here is the link.

How exactly those credentials can be verified? Here the term “Blockchain” comes into the picture.

Enjoying your read? Leave your email address to get the latest insights every two weeks.

What is blockchain?

It’s everywhere in the IT sphere right now. From Bitcoins to NFTs, everyone’s gone crazy for blockchain. And it seems the more you look into it, the more complex it gets.

But the underlying principle is actually not that complicated. It allows us to store data in a sequential and compound way. Blockchain has specific characteristics, which support some use cases:

It can be verified by untrusted parties
It allows permissionless (in the case of public ledgers) operations by untrusted parties
It is hard to be modified without noticing and modifications can be easily detected.

In the simplest terms: whenever you add a new component or information about something, the “block” containing that new data also features information about all the preexisting blocks that came before it, in a hashed (i.e. cryptographically protected) way.

The basic structure of blockchain

As a result, you can’t change any part of the chain without changing all the blocks that come afterward (which is not impossible but the amount of effort required makes it unfeasible).

If you prefer the video version of the explanation, you can watch it below:

Here’s a simplified video guide to blockchain

Now that we’re more or less clear on the general idea of blockchain, let’s see how it fits into the concept of Decentralized Identifiers.

How do Decentralized Identifiers work?

A Decentralized Identifier is – in the simplest terms – a collection of Verifiable Credentials that prove certain information about you. It can be anything – from your name or date of birth to college diplomas, qualifications, or employment status.

The basis of a Verifiable Credential is formed by 3 elements:

Metadata – basic information about the credentials, i.e. date of issue, date of expiry, public verification key, etc.
Claim(s) – i.e. what is the VC supposed to prove about you
Proof(s) – i.e. cryptographic evidence, such as a signature, to verify authenticity and authorship of the credential

As I wrote earlier, the first Verifiable Credential needs to be obtained in the physical world, by proving your identity in person, e.g. at an office or government entity. You can of course obtain it in the digital form, as long as there is correct identity verification infrastructure in place.

Then, you can use claims contained in that credential to obtain further VCs. As a result, each one will be connected to your core DID, stored in your personal wallet.

Sample DID chain

As all of your data is securely linked, you can derive individual pieces of data from each credential to present to other parties.

For example, when applying for a job, you could submit a presentation containing the piece of data from a VC that confirms your college degree, with another VC proving your work permit, with yet another VC that stores your qualifications.

The person who reviews the presentation can verify that the claims you’ve presented were indeed issued by a specific organization (e.g. university) for a specific person (you). It can be done without the need to contact the organizations, based on the ledger with transaction information and trust to the digital signatures.

Where does blockchain come in?

Blockchain forms the basis of your trusted ledger where the proof of transactions of issuing these credentials can be stored. Once the Verifiable Credentials are issued, the fact of this transaction can be connected to and stored on the ledger.

What is important: the ledger doesn’t contain the credentials. Those are kept private and you control them.

Transaction data can contain the information from your existing credentials (for example those issued in the physical world or with correct identity verification), information about the issuer, and something that connects the transaction with the issued credential.

When you present the credentials, the receiving party can verify that they were issued, when and by whom (the issuer), based on the data stored on the ledger.

The role of blockchain here is to be the trusted ledger, storing this information for everyone to be able to independently verify the credentials, in a trustless environment.

DIDs on blockchain (Source: Microsoft)

As end-user, you won’t need to deal with blockchain directly. Access to this information is provided by the identity layer like ION Network. It is the underlying technology that will keep your identity wallet secure and consistent over time.

What’s also important is that this technology is vendor-agnostic. It means that it doesn’t matter whether you’ll use Bitcoin, Azure, Amazon, or any other provider for your ledger. The information about transactions in theory might be stored on any ledger you trust. The data might be stored in secure storage of your choice.

Blockchain gives us a storage layer, meaning that it is hard to modify the entries. It provides us with a permissionless ledger to operate with some level of trust, in a not-trusted environment. There is no direct trust between the issuer and a validation party, but because we trust the ledger, the verification can take place.

Blockchain also validates your credentials on the issuer side. When you submit your VC, the recipient will be able to verify its authenticity by checking its public signature or key, submitted to blockchain by the VC issuer.

Want to see Verifiable Credentials in action? Book a free demo. I'm in!

The best way to learn is through experience

I’m a huge fan of learning through practice. As it is a new concept, the best way might be to experience it. Here’s a cool demo to see how Verifiable Credentials work from end-user perspective – Woodgrove VC demo.

Source: Microsoft

What you need is the latest version of Microsoft Authenticator on your phone and you are good to go. Give it a try – it is much simpler than reading about it.

DID, VC, OMG

That’s a lot of three-letter acronyms to digest. I know it. But it wouldn’t be IT without acronyms!

As you can see, although blockchain can help us with DIDs, it’s not really related to the topic of cryptocurrencies. Sure, they can be one way of verifying data integrity, but they’re not the only option.

Even if it is not directly related to cryptocurrencies, the underlying concepts of DIDs and Verifiable Credentials are a linchpin of the future of those markets. For example, they are a core concept in the tbDex, a Liquidity protocol (link to PDF) proposed by Square (now Block).

Will this technology change the world? I’m not sure yet. But it’s certainly a promising idea and I will keep watching it with great interest. For today, I will leave you with some key information on the technicalities of DIDs. If you’d like to discuss any of them further, just email me.

If you’d like to discuss one of the use cases in more details and see the demo of Verifiable Credentials, sign up for a free consultation through this website.