Verifiable Claims and Distributed Identifiers at W3C

It's always exciting to write about great work going on at W3C with potential to have a huge impact on humanity. One of the use cases in the Verifiable Claims work is to give stateless refugees a way to identify themselves safely. Other use cases in education, in government, in banking,  have potential to change the way business is done on the Web. So what's this stuff all about?

Really, the Verifiable Claims Working Group is developing a framework for signing and verifying credentials, such as, this person has a valid driving license and I am this person; or, I'm over eighteen years of age but I don't want to tell you my exact age; or, I'm a legal resident of such-and-such a region and have a right to enroll for this university course.

The model is fairly simple: you use an independent third party to hold “identity wallet” that contains your credentials. I think of this as a can-do box: you put things in it that you can do, and, when you tell them to, the third party releases a copy of a credential to another organization. So you go to rent a car and you instruct the can-do box to show the car rental company your driving licence.

Now, how does this preserve any privacy? First,, if you want, you don't actually have to use a third party to hold your can-do box: you can keep it on your own computer or on the cloud. You can also have as many different can-do boxes in as many places as you like. In addition, privacy legislation such as Europe's GDPR applies to all personal data and the penalties for violating the law are heavy. In the future, it's possible we'll also see encrypted credentials.

If a third party is holding your credentials, how do you tell it which one to show the car rental firm or the border immigration officer? This is where distributed identifiers have a role to play: you tell the can-do box to release the credential with a specific identifier. The organization keeping that box doens't need to know who you are, nor anything about the recipient, nor why you're releasing a copy of the credential. Just, send credential 137 to so-and-so from box 9015.  You are in control of what gets shared and with whom.

The  distributed identifiers draft (and the first draft of verifiable claims, or verifiable credentials) came out of the W3C Credentials Community Group, which continues active work today alongside the W3C Verifiable Claims Working Group.

What about trust? Well, the credentials are digitally signed by the issuer, so for example the Belgian government can confirm that a particular credential is one that they issued, and maybe supply a certificate to go with it, something that can also be shown to a human.

And because the framework is built on top of the Blockchain distributed resolution model (entirely separately from bitcoin of course), you can revoke credentials at any time without needing a complex public key infrastructure beyond what the underlying blockchain protocols already provide.

Verifiable credentials are generally exchanged today using a JSON-LD syntax, although there may also be an XML syntax in the future. There are implementations, building on top of platforms such as hyperledger,  so although the work is not yet a W3C Candidate Recommendation, it's already solving problems.  Government departments are considering these technologies for driving licences and for digital IDs for people around the world. The third-party verifiable credential model is also being used for delivery of educational content to just the right people, and more applications are emerging.

Why not join the work and share some of our excitement?