Verifiable Credentials: The Digital Future of Certificates and Identity

November 28, 2024

This article was submitted by Fabien AP Petitcolas from Smals. Because of the relevance and topicality of the subject, the editorial team publishes it in its entirety on ITdaily.

Physical certificates such as a driving licence, university diplomas, the European Health Insurance Card (EHIC) or the A1 certificate for working abroad (PD A1) and, more generally, important "paper" documents have several disadvantages. They are vulnerable to loss, theft, damage or unauthorised copying, and they do not readily allow data to be minimised as required by the General Data Protection Regulation (GDPR) of the European Union.

Verifiable credentials (VC) are digital, cryptographically secured versions of physical certificates. They can digitally prove something about an individual, such as their identity, an acquired qualification, a right or certain factual information, while keeping the information disclosed to a minimum.

A verifiable credential is defined as a set of one or more claims made by an issuer. Just like physical certificates, verifiable credentials can contain the following:

  • Information identifying the subject (e.g. person, organisation, object) of the verifiable credential (e.g. name, photo, identification number)
  • Information about the issuer of the credential (e.g. government, authentic source, municipality)
  • Information on the type of credential (e.g. insurance card, disability card, passport, identity card)
  • Information about certain properties or characteristics that the issuer asserts about the subject (e.g. date of birth, entitlement to social security, nationality)
  • Evidence of how the verifiable credential was created (e.g. renewal of a previous certificate, physical presence of a citizen in an administrative office)
  • Information about the restrictions that apply to the verifiable credential (e.g. period of validity)

The main actors of a verifiable credential architecture are shown in Figure 1 and include:

  • Subject: the entity about which claims are made (e.g. person, organisation, animal, inanimate object).
  • Holder: the entity that currently possesses the verifiable credential and presents it to the verifier. This can be the subject, but also another authorised natural or legal person.
  • Issuer: the entity that asserts claims about one or more subjects and creates a verifiable credential from those claims (e.g. a body responsible for coordinating social security).
  • Verifier: the entity that receives verifiable credentials from the holder through a presentation and in return provides services and benefits.
  • Wallet: the entity that stores verifiable credentials on behalf of a holder, including the software that interacts with the ecosystem on the holder's behalf.
  • Verifiable data registry: conceptually an Internet-accessible registry that contains the essential data and metadata that allow the other actors to interact.

Figure 1 – The roles and information flows that form the basis of a verifiable credential architecture

The holder of a verifiable credential can present it to a verifier, who can check both the authenticity of the credential and the identity of the holder. During issuance, the issuer's claims about a subject are bound to the subject's identifier by means of a cryptographic proof. This binding makes it possible to combine subsets of different attestations (see below). After issuance, a verifiable credential is stored over time and can be presented for multiple purposes and in different ways.

Sharing identity attributes

Attribute disclosure generally raises confidentiality issues. This is the case for systems in which an online identity provider creates access tokens on demand: the identity provider can track the activities of its users or, worse, impersonate them. It is also the case for systems that create offline tokens (e.g. X.509 certificates), as they require the user to reveal more attributes than strictly necessary and make online transactions linkable across different domains.

With selective disclosure, holders of verifiable credentials present only the information they want to show, while keeping the rest of their sensitive data private. This technique is particularly useful when a user needs to prove a specific claim but does not want to share all the information on their identity card, for example.

When a citizen is being checked by a qualified verifier in the context of social security coordination, selective disclosure is not appropriate, because services and benefits may not be granted if only part of the information is disclosed. For non-qualified verifiers (e.g. companies wanting to check certain elements of a social security document), on the other hand, selective disclosure may play a role.

Known cryptographic techniques

Closely related to zero-knowledge proofs (ZKP), privacy-preserving attribute-based credentials, also called anonymous credentials, have been suggested as a promising technique for implementing verifiable credentials. Successful implementations of this technique include IBM's Identity Mixer (Idemix) and Microsoft's U-Prove. Some of Idemix's capabilities have also been used in the Dutch IRMA project for several years. This project has already enabled Dutch citizens to obtain credentials with verified attributes from a number of organisations, including the Dutch civil registry.

This technique gained more attention in the mid-2010s with the European ABC4Trust project and, later, with the advent of the self-sovereign identity (SSI) concept. Self-sovereign identity is a model of digital identity in which a user has the means to create, verify and (above all) own a digital identity that can be disclosed to trusted parties. In practice this means that when a user submits an identity claim to a relying party, that party can verify the claim without the direct involvement of the identity provider, which is beneficial for the user's privacy.

Anonymous credentials can express all the information contained in a physical identity document, with the added advantage that they can be combined (see Figure 2) and reveal only the required attributes (selective disclosure) or even only information derived from those attributes. A typical example is the date of birth: it can be used to show just the age, just an age range (e.g. 50 to 60 years), or even just the fact that the person is over or under a certain age, without revealing the exact date of birth.

Figure 2 – Example of selective disclosure and derived attributes. The subject holds in their electronic wallet, in the form of verifiable credentials: 1) a photo identity card, 2) a train ticket whose reduced fare depends on certain conditions (disability and age), and 3) a disability card. When the ticket is checked, the wallet generates a presentation containing most of the information on the ticket, the photo from the identity card, a cryptographic derivation of the date of birth proving the person's age, and another cryptographic derivation proving that the disability card is valid at the time of the check. All of this is protected by cryptographic proof.
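As an added illustration (not from the original article nor from any of the projects it names), the following Python sketch shows hash-based selective disclosure in the style of SD-JWT, rather than the ZKP-based anonymous credentials discussed above: the issuer signs only salted digests of the claims, the wallet reveals a chosen subset from two credentials, and the verifier checks the signature and that each revealed claim is committed in it. It assumes that the "over a certain age" predicate is a claim the issuer pre-computes, that an HMAC with a shared demo key stands in for the issuer's public-key signature, and that all names, keys and values are constructed.

```python
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-demo-issuer-key"  # stand-in for a real signing key

def _digest(salt: str, name: str, value) -> str:
    """Commitment to one claim; without its salt the value cannot be guessed."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(issuer_key: bytes, issuer: str, claims: dict) -> dict:
    """Issuer: blind each claim with a fresh salt and sign only the digests."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    body = json.dumps({"iss": issuer, "digests": digests}, sort_keys=True)
    sig = hmac.new(issuer_key, body.encode(), "sha256").hexdigest()
    return {"body": body, "sig": sig, "disclosures": disclosures}

def present(credential: dict, reveal: list) -> dict:
    """Holder/wallet: hand over the signed body plus only the chosen disclosures."""
    return {"body": credential["body"], "sig": credential["sig"],
            "disclosed": {n: credential["disclosures"][n] for n in reveal}}

def verify(issuer_key: bytes, presentation: dict):
    """Verifier: check the issuer signature, then that every disclosed claim
    is committed in the signed body. Returns the accepted claims or None."""
    body = presentation["body"]
    expected = hmac.new(issuer_key, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        return None
    digests = set(json.loads(body)["digests"])
    claims = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in digests:
            return None  # claim was altered or was never issued
        claims[name] = value
    return claims

def figure2_check() -> list:
    """Constructed data for the ticket check of Figure 2: the wallet combines
    claims from two credentials and withholds the rest (name, date of birth)."""
    id_card = issue(ISSUER_KEY, "civil-registry", {
        "name": "Alice Example", "photo": "sha256:constructed-photo-digest",
        "date_of_birth": "1958-03-14", "age_over_65": True})
    disability_card = issue(ISSUER_KEY, "social-security", {
        "name": "Alice Example", "valid_until": "2026-12-31"})
    shown = [present(id_card, ["photo", "age_over_65"]),
             present(disability_card, ["valid_until"])]
    return [verify(ISSUER_KEY, p) for p in shown]
```

The verifier learns only the photo, the age predicate and the card's validity; the name and exact date of birth stay hidden behind their salted digests, and any change to a revealed value or the signed body makes verification fail.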

Conclusions

Verifiable credentials, which are currently being standardised by the World Wide Web Consortium, make it possible to convert physical certificates into a digital format that can be stored in an electronic wallet such as the European Digital Identity Wallet (EUDIW). Their success depends on a "network effect" that could be brought about by the eIDAS 2.0 (Electronic Identification and Trust Services) regulation, which represents an important step in the development of interoperable digital identities in Europe for both the public and private sectors.

One technique for implementing verifiable credentials is anonymous credentials, developed since the early 2000s to provide secure authentication and identification while preserving privacy. The underlying cryptographic techniques, essential to countless scenarios based on verifiable credentials, are well known, but the usability of the resulting technologies for end users, while crucial, is still largely uncharted territory.

This article is an individual contribution by Fabien AP Petitcolas, IT Research Consultant at Smals Research. It was written in his own name and does not in any way reflect the views of Smals. Interested in working at Smals? Then take a look at the current job openings.

Source: IT Daily
