Verifiable Credentials (VCs) are digital representations of everyday attributes of your identity. A VC is uniquely bound to an individual, who can use it to prove aspects of their identity, just like they would with a physical document.
VCs are standardized by several bodies, including the W3C. They can cater to all typical-use cases of physical credentials, including government-issued IDs, employment letters and academic degrees. They are tamper-evident by design, which means that any attempt to use a VC to make unauthorized access can be easily detected.
Verifiable credentials are a promising new technology that has the potential to revolutionize the way we share personal information. They are secure, trustworthy, standardized, interoperable and easy to use, making them a valuable tool for individuals and organizations alike.
A user (aka the subject or holder) initiates the process by requesting a credential from an issuer. The issuer generates a digital credential that includes information related to (but not limited to):
Then, the issuer signs the VC with its private key and sends it to the user. The user receives and stores the key in a digital wallet.
The subject visits a third-party application (or service) that supports VCs. The third-party application (aka verifier) will authenticate the subject using a verifiable presentation (VP). A verifiable presentation is a tamper-evident encoding of the credential generated using the subject’s private key.
However, the entire process of signing is abstracted away from the subject. All they have to do is use their digital wallet to present the right VC to the verifier. The wallet application will handle the VP generation.
The verifier retrieves the public keys of the subject and the issuer from a trusted source, known as the Verifiable Data Registry. It then uses cryptographic techniques to verify that:
We can see that this VC contained in a mobile phone wallet is showing various attributes of Ben, including his name and organizational email address. In addition, green is good: it signals that this VC is still valid according to the credential issuer.
A VC represents user attributes in the JSON or JSON-LD formats. These formats essentially organize all the necessary information in the form of key-value pairs. Let’s look at a sample VC and discuss its main components:
"type": ["VerifiableCredential", "UniversityCardCredential"],
"name": "Anna Jones",
"title": "Computer engineering",
"description": "Anna is a student of the computer engineering course",
"directedBy": "Example University",
"location": "United States",
The type of a VC is a JSON array that can contain multiple values. This allows for more granular control over the use case of the credential. For example, the value of type in our example VC is:
["VerifiableCredential", "UniversityCardCredential", "Student"]. This indicates that the credential is a university card that can be used by the student to enter the campus.
The proof section may contain one or more tamper-evident cryptographic proofs that are used to verify the credential. The type field of the proof section depicts how the proof was generated, including the algorithm used. In our example VC, the value of type is "Ed25519Signature2023", which indicates that the VC relies on Ed25519-based digital signatures for verification.
OpenID Connect for Verifiable Credentials is a group of three specifications that define APIs for issuance, presentation and authentication of VCs. The issuance specification details all the steps that an issuer must take to securely generate a verifiable credential (VC), as well as those that a wallet application must take to securely access, retrieve and store the VC.
Here are some key takeaways from the specification: