How do you link Verifiable Credentials to a human?


Verifiable Credentials are a brilliant standard to help... well... Verify Credentials. How do you know that someone has an MBA from Harvard? It's pretty easy to fake a degree certificate, or to change your name to George W. Bush, or simply lie. The same is true with any attestation - it's often hard to contact the issuer of a claim and check that it is genuine.

Verifiable Credentials aims to solve that. The standard describes a document which includes the claim (this person is an airline pilot), the person's identity (name, DOB, etc), the party making the claim (Name, ID, date of issuing), and a digital signature to tie it all together. (It is a lot more complicated than that, obviously.)

Let's take a look at the data inside a COVID Vaccine "Passport". I've removed some of the metadata for simplicity, but you can read the full spec if you're interested.

{
   "ver": "1.0.0",
   "nam": {
     "fn": "Smith",
     "gn": "Jo"
   },
   "dob": "1984-02-29",
   "t": [
     {
       "tg": "840539006",
       "tt": "LP217198-3",
       "tr": "260415000",
       "ma": "1232",
       "sc": "2021-04-13T14:20:00+00:00",
       "dr": "2021-04-13T14:40:01+00:00",
       "tc": "GGD Fryslân, L-Heliconweg",
       "co": "NL",
       "is": "Ministry of VWS",
       "ci": "urn:uvci:01:NL:GGD/81AAH16AZ"
     }
   ]
},
"YR/yMsyE3AOysWLCXuDc/Rlu507gH0/wgok+P8dxJtCwy0ydsIE2J5MeMxbynynU3n//zgOKSTB20FN0Fs1bgQ=="

It tells you the person's name, date of birth, when they had the vaccine, which vaccine it is, who administered it, some administrative codes, and then gives it a digital signature which can be verified without needing an Internet connection. Nifty!

The same is broadly true with academic qualifications. It lists your names, birthday, university, level obtained. Or your employment history can be encoded with your employment dates, salary, references.

So you can show the above - encoded as a QR code - to anyone. They can scan it and verify that it is authentic! AWESOME!

Except...

How do you prove that you're the person mentioned in the credential?

You could show your passport or driving licence at the same time. Assuming you can afford either of those documents. But that still leaves the same problem. How do you prove that the passport belongs to you? Perhaps you grabbed it at the same time you stole the certificate.

Humans are not very good at recognising faces from photos. So comparing the picture of me in my passport (young! clean shaven! well lit!) with the person in front of you (old and tired! beardy! under a street lamp!) is always going to be error prone.

This isn't a problem which can be solved by adding more digital signatures. Even if I co-signed the credential with my private key - you have no way of linking that key to a corporeal human being.

A Verifiable Credential could also contain a hash of biometric data like a fingerprint, for example. But that leads to further problems. Are people comfortable giving away their biometrics to lots of different organisations? Do verifiers want the extra expense of getting fingerprint readers? That might work for an airport, but is probably prohibitive for a café. You could use proxies - did I see this person unlock their phone to present the claim - but these are weak ties at best.
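
An added example (not from the original post) of the co-signing idea above, using Node.js's built-in `crypto` module: the issuer's signature covers a holder public key, and the verifier challenges the presenter with a fresh nonce. The key pairs, the `holderKey` field and the function names are assumptions for illustration and are not part of the credential shown earlier.

```javascript
// Added example, not code from the original post. All keys and claims are constructed.
const crypto = require('crypto');

const issuer = crypto.generateKeyPairSync('ed25519'); // stands in for the issuing authority
const phone = crypto.generateKeyPairSync('ed25519');  // holder key kept on one device
const other = crypto.generateKeyPairSync('ed25519');  // a key the issuer never saw

const spki = (key) => key.export({ type: 'spki', format: 'der' }).toString('base64');

// The issuer signs the exact payload bytes, which include the holder's public key.
function issue(claims, holderPublicKey, issuerPrivateKey) {
  const payload = JSON.stringify({ ...claims, holderKey: spki(holderPublicKey) });
  const sig = crypto.sign(null, Buffer.from(payload), issuerPrivateKey).toString('base64');
  return { payload, sig };
}

// The presenter answers the verifier's fresh nonce with whatever key they hold.
function respond(nonce, privateKey) {
  return crypto.sign(null, nonce, privateKey).toString('base64');
}

// Offline verification: only the issuer's public key is needed.
function checkPresentation(cred, nonce, response, issuerPublicKey) {
  const issuerOk = crypto.verify(null, Buffer.from(cred.payload), issuerPublicKey,
    Buffer.from(cred.sig, 'base64'));
  if (!issuerOk) return { issuerOk, holderKeyOk: false };
  const holderKey = crypto.createPublicKey({
    key: Buffer.from(JSON.parse(cred.payload).holderKey, 'base64'),
    format: 'der', type: 'spki',
  });
  const holderKeyOk = crypto.verify(null, nonce, holderKey, Buffer.from(response, 'base64'));
  return { issuerOk, holderKeyOk };
}

function demo() {
  const cred = issue({ nam: { fn: 'Smith', gn: 'Jo' }, dob: '1984-02-29' },
    phone.publicKey, issuer.privateKey);
  const nonce = crypto.randomBytes(16);
  const tampered = { ...cred, payload: cred.payload.replace('1984', '2000') };
  const check = (c, key) => checkPresentation(c, nonce, respond(nonce, key), issuer.publicKey);
  return {
    owner: check(cred, phone.privateKey),         // Jo presents on Jo's phone
    borrowedPhone: check(cred, phone.privateKey), // anyone else holding that phone: same inputs
    copiedQr: check(cred, other.privateKey),      // copied QR code without the phone's key
    tampered: check(tampered, phone.privateKey),  // edited payload
  };
}

console.log(demo());
```

`owner` and `borrowedPhone` return the same result because the check only ever sees a key, while `copiedQr` fails the challenge and `tampered` fails the issuer signature.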

To be clear, this problem isn't limited to vaccine certificates. It applies to any Verifiable Credential. Whether it is an academic qualification, a health certificate, employment status, or any other claim.

This isn't something which can be solved by putting a claim on a blockchain (lolsob) - it is a fundamental limitation of the fact that humans don't come with built in, irrevocable, digital signatures.



20 thoughts on “How do you link Verifiable Credentials to a human?”

  1. Chris Thorpe says:

    I’m not sure why a cafe needs to biometrically verify my PHD from Harvard (more like gcse woodwork in my case). A simple contactless payment should suffice. Not every ID verification needs to be 100% bulletproof. Where the balance of risk is higher, it’s probably better to rely on a combination of factors rather than a single factor. That might help make the happy path broader.
    1. @edent says:

      The café may want to verify your vaccination status. Or want your age before selling you alcohol.
      1. Chris Thorpe says:

        True - but even those verifications need not be to the same standard as validating a brain surgeon’s before they operate on the queen. @Paul Clarke made my point only more concisely. Also, credential validation is another area where zero trust should apply - assume they can be compromised and apply additional controls. For the brain, you might want to draw on their web of trust, ie get references.
      2. Pierre says:

        When selling alcohol, a vaccine passport might be a convenient alternative to asking people to pull down their face masks when checking ID. 😷 It's a very niche problem but shows how reliant we are on scanning faces as a basic way of checking someone is who they say they are.
    2. says:

      This is a good approach really, start from an understanding that no single factor can be perfect, but with two or three independent forms of identification you can be '90%' verifiable, and that's the best we can hope for.
    1. @edent says:

      But, as I mentioned, that doesn't prove that the person carrying the device is the person who owns the device.
      1. Chris Thorpe says:

        It doesn’t help that this discussion mixes aspects of identity, entitlement and authentication. Verified credentials are just attributes of an identity. The verification merely adds provenance to those attributes. It’s not intended to prove your ID or entitlement to use the credentials. Separate to that, there’s a need to authenticate the bearer of the identity. Strictly speaking, the authentication doesn’t prove they are who they say they are, it just proves they are entitled to grant access to their ID and particular attributes of it. For example, in an age verification scenario, you really don’t need to know more about me than I have a trusted ID, and my age is over the threshold. Privacy law says you shouldn’t ask for data beyond what’s needed for the use case. A properly set up ID system should allow me to give consent for you to access the ID attributes you need, and no others - in a similar way to when an app asks to use mic, camera, etc. I’m probably not explaining this well - it’s worth reading someone like David Birch of Consult Hyperion to get the real expert view on this. Suffice to say, it’s not easy but it’s doable. The problem is exclusion. We have two classes of users. One class is equipped with powerful devices that can deliver a rich mix of authentication factors: knowledge; possession; and inherence. The other class don’t have smartphones, and we need not to exclude them.
        1. @edent says:

          While I agree that this conversation is confusing - I think that's in part because very little research has been done on what users want and how they expect to manage that. I disagree with your final point, the majority of people in the UK have smartphones. Ofcom statistics show >90% penetration at all social classes and age groups. If people don't want smartphones, that's fine, but the overwhelming majority of people have access to them.
          1. Chris Thorpe says:

            There’s a huge amount of research, though I agree not all of it is necessarily user-centric. Where the research is user-driven, much is locked away inside Apple and Google, who both fully intend to own the identity space, alongside payments. But there’s still a lot to learn from real world implementations in Estonia, the Nordics, Belgium, Holland, and the 1.3 billion people in India who’ve been issued with an Aadhaar. I’m well aware of the level of UK smartphone penetration, though not all are good enough for robust ID. My point there is, introducing an ID system that knowingly excludes at least 10% of the population is not a great idea.
  2. says:

    I think that's what PGP's web of trust was out to solve. I still think it's a pretty clever idea, but it requires one universal standard and a more user friendly implementation...
  3. says:

    Another real world example of this problem popped up on my feed today: a mass outbreak of coronavirus at a nightclub in the Netherlands. https://www.tubantia.nl/enschede/teller-loopt-hard-op-al-165-besmettingen-na-clubavond-in-enschedese-disco~acd3b192/ 165 cases were traced back to this club night, which shouldn’t have happened considering people were asked to present a negative test on entry. There’s a suggestion some people might have swapped, shared, and exchanged QR codes to get in. So you had this situation where all the QR codes were valid and showed everyone was clear, but at least one person might have dodged identity verification. It’s an extreme example, but it shows that problem around proving that “the person carrying the device is the person who owns the device”.
