By: Andres Olave
Part 3 in a three-part series on governance
In my previous article, I introduced the three questions on provenance that make for a reliable data exchange. They were:
- Is there proof that the credential came from the issuer?
- Is the issuer the expected real-world organization?
- Is the issuer an authoritative source?
The last question is a topic all on its own and handling it is one of the keys to what makes Velocity Network different from other Verifiable Credential ecosystems and can truly bring the revolution in career data that we all want.
Issuer Permissions
Issuer permissions are the mechanism that Velocity Network introduces to enable relying parties (and wallets) to determine if an issuer is an authoritative source for a particular credential. After requesting the ability to issue on the Network, the request is reviewed by Velocity Network to ensure that the issuing service parameters are within the remit of the organization’s business activities. If approved, the organization’s Velocity Network Accreditation Verifiable Credential (AVC) will be updated with their current set of permissions.
Restricting Credential Types to Certain Issuers
The issuers request the ability to issue one of three broad credential categories: career, identity or contact details (which are email or phone numbers). The issuers permitted categories (there may be more than one) are added to their AVC.
When the issuer issues the credential, it will contain a credential type which will fall into one of those broad categories that are classified by the Network.
The wallet and the relying party check the credential type against the permitted categories in the issuer’s AVC and verify that the received credential is within the issuing remit of the issuer.
This mechanism could be extended in the future to have finer grain permissioning.
Introducing Notary Issuers
Background screening is pervasive in the hiring practices of regulated industries, from healthcare to mining and, of course, in IT security. Creating a network of reliable data changes this industry from one servicing employers to one servicing employees. An employee can create a reliable CV of data by leveraging just one background screen and use it again and again when applying for work. A number of the most forward-looking background screening companies are members of Velocity Network and believe in that vision.
From a permissioning perspective, the main difference between these kinds of issuers is that they issue credentials for third-party employers, authorities, and educational institutions. We call this third-party issuing as coming from “Notaries.” These notary issuers stand in contrast to regular primary source issuers who issue credentials about achievements they directly control, such as an employer issuing employment or training credentials, or a state driving licensing authority issuing driver’s licenses.
With respect to identity credentials, the Identity Verification (IdV) industry includes members such as Yoti and Clear, which are considered to be Notary Issuers. Wallets that send OTP verification codes to validate email addresses and phone numbers are also notaries.
Notary issuers are, therefore, very powerful actors on the Network because they can issue credentials for any organization. To be a notary issuer requires receiving accreditation against a much tougher set of requirements than simply doing a KYB. Typically, you need either a government accreditation (e.g., UK GPG 45 or US NIST 800-63 for IdVs or PBSA for background screeners) or where governments don’t have a standard, there are now specific Velocity Network accreditation processes.
Once Velocity Network accredits the organizations for notary issuing a particular credential category, their AVC is reissued with the additional permission.
The Challenge of Supporting Primary-Source and Notary Issuing
Once the difference between primary-source and notary issuers is clearly understood, then a problem clearly presents itself. Taking the example of an employment credential, for the nominal case where the employer issues the credential, the “employer” claim in that credential is also the issuer claim used for performing the issuer checks. However, when the same employment credential is issued by a notary, the “employer” claim in that credential is most definitely not the same as the “issuer” claim.
Supporting primary-source and notary issuers, therefore, has led Velocity Network to distinguish permissions for notaries. Notaries are compensated for the stricter accreditation standards to be able to issue credentials for any employer, educator, or authority.
Velocity Network needs to address the threat that these rules are not followed by unscrupulous issuers. A career issuer may claim to issue credentials containing another employer or authority within the credential data. Velocity Network enforces additional rules for primary source issuers: that is, ACME Corp may only issue credentials for employees of ACME Corp, and not BETA Corp.
Restrict Primary Organization Claims to Certain Issuers
As we have outlined, the restricted claims are those that are used to convey who the employer is for employment credentials, which institution for an education credential, or which authority for licensing or assessments. In general, we call these claims “primary-organization claims.” The restricted claims have different names based on the credential type, and are tracked in the credential type registry maintained by Velocity Network. Incidentally, our first version used JSON-LD context, but unfortunately, JSON-LD permits publishers to protect their contexts, which reduces the flexibility of adding additional semantics to existing terms on existing credential types, such as 1EdTech’s Open Badge & CLR.
Using the Velocity Network credential type registry, relying parties can complete the final step of provenance checking and ensure that the primary-orgranization claim of any credential is restricted for primary-source Issuers. If the issuer is a notary issuer, then this check is skipped.
Conclusion
This series of articles introduced the three-party model and the problems that need to be solved if the individual receives and shares their own credentials. Velocity Network comprehensively addresses the questions that employers and educators have about credential provenance and data reliability. Across industries, including those that are government-regulated (e.g., banking or nursing) or self-regulating (e.g., security & software), Velocity Network addresses their real-world problems in live environments today while empowering the individual to not only consent to data sharing but own their data.
The Velocity Network Registry serves to control permissioning of both organizations and the credential types they can issue and is crucial in providing the governance required in building a decentralized network for reliable data exchange. The centralization of trust is the minimum required to create an effective market for credentials that employers and educators would actually use by enabling efficient verification and quality control. We already have clusters in India and Holland benefiting from these trusted credentials. Furthermore, Velocity Network enables a significant shift in the background screening industry by offering them an alternative business model around credential issuance for individuals. This is not just vapourware, it is happening in healthcare in Florida.
If you are interested in contributing to this revolutionary project and shaping the future of background screening, we encourage you to reach out and learn how you can get involved and support this transformative effort.