Let’s look at how Verifiable Credentials (VCs) for People work using the simple example of a driving license.
First, to set up VCs, the government office responsible for issuing driving licenses must tell the digital world about it. They do this by publishing some information to a public ledger, often based on blockchain technology. They basically say, “here’s the structure of a driving license VC, and we’re an organization that issues them”. They become an issuer.
(If you don’t know about distributed ledgers, all you need to know is that they’re typically extremely secure and tamperproof, and distributed across many places on the Internet rather than centralized in one place. Once something’s on the public ledger it’s there forever, and cannot be edited or removed.)
Now they’re set up, the government office wants to issue a driving license to a person. The driving license gets issued as a VC and sent to a person’s “digital wallet” on their cell phone. That person becomes the holder of the VC.
Later, the person goes to a place that needs to see and validate their driving license, such as a rental car agency. In this situation the agency is the verifier.
To start the verification process, the verifier asks the person—or, more accurately, asks the person’s digital wallet—to create and send a “proof” of their driving license VC. (That proof can contain some, or all, of the information from the driving license, which we’ll see later is a useful feature.)
Once the verifier has received the proof, the verifier then uses information on the public ledger to verify the proof. Specifically, the verifier checks that (a) the person’s driving license is real and not tampered with, (b) it was issued by the right issuer, and (c) that it hasn’t since been revoked.
If the VC is valid, the rental car agency can rent the car to the person. Done! The process is secure, contactless, and trustworthy.
Of course, the VC can be used multiple times, and also in multiple situations. Imagine that another time, the person wishes to buy some wine at the liquor store.
All the liquor store needs to check is that, here in British Columbia for example, the person is over 19. To do this, the person can use the Date of Birth in their driving license VC just to confirm they’re over 19—they don’t even have to share their actual Date of Birth with the liquor store. The proof of being over 19 is just as secure and tamper-proof as the Date of Birth itself.
This is where we start seeing VCs become extremely flexible and highly privacy-focused.
Now, in the future, the issuer of the driving license may revoke a person’s license. They do this by publishing anonymous information to the distributed ledger about the revoked license.
This means that when the person tries to use that license in the future to rent a car, the distributed ledger will confirm the license has been revoked.
However, the person could still be allowed to use the license to prove their age, because that part of the information is correct forever. This feature allows VCs to be combined and used in many flexible ways.
(Why use the distributed ledger at all? Why doesn’t the car rental agency just contact the government office to validate the driving license? The reason is that VC technology allows a person’s actions to be extremely private. For example, it is likely undesirable for an issuer to know about every single time (and place) when a holder presents their VC.)
Here’s how the whole VC ecosystem looks with issuers, holders and verifiers.
While this diagram shows government as issuers and business as verifiers—a common way for VCs to be used—it’s possible for any organization to be an issuer, verifier, or both.