
Why Can Credentials Be Trusted? 

A Glance

By: Andres Olave
Part 2 in a series on governance 

The three-party data exchange model gives individuals ownership over their own data, but it raises a new problem: how can a relying party trust credentials presented by an individual it has never dealt with before? In this article, I discuss the trusted-issuer checks we use at Velocity to ensure that users on the Network only share and receive reliable credentials.

Credentials Checks With Velocity

To ensure any data we provide can be trusted by relying parties, the participants in Velocity Network all agree to follow a standardized process for verifying credentials. This process ensures that the credentials meet the following criteria: 

  1. Credentials must not have been tampered with
  2. Credentials must still be valid, meaning they have not been revoked by the original issuer and have not expired
  3. Credentials must be under the control of the credential owner
  4. Credentials must come from a trusted issuer

Tamper Check

The Velocity Network protocol is based on the W3C Decentralized Identifier (DID) and W3C Verifiable Credentials Data Model (VCDM) 1.1 standards. Organizations on Velocity Network register the public keys used during verification in their DID documents (the did:ion and did:web methods are supported). Credentials are issued in the VC-JWT format and signed with ECDSA, using either ES256 (the P-256 curve with SHA-256) or ES256K (the secp256k1 curve with SHA-256). Because the JWT signature covers both the header and the entire payload, verifying that signature against the issuer's registered public key establishes that the credential has not been altered since it was issued. The check is only as strong as the verifier's handling of the JWT header: the verifier must insist on the expected signature algorithm and the issuer's registered key rather than accept whatever algorithm the token itself declares.

Velocity Network uses a pay-to-verify ledger. When a credential is issued, the issuer encrypts the public key needed for the tamper check and stores it on the Velocity Network decentralized ledger. When a relying party wants to verify the credential, it pays a small fee to retrieve and decrypt that public key from the ledger. With the public key in hand, the relying party can run the tamper check, and it also receives an attestation from the issuer of the key.

Validity Check

There are two kinds of validity checks: expiry and revocation. Expiry is checked by comparing the current time against the credential's W3C VCDM expiration timestamp. Revocation is checked using the W3C Status List 2021 method, with the status list data stored on the Network blockchain rather than at an issuer-hosted URL. Storing the list on the blockchain keeps the check privacy-preserving, because the verifier reads the list from the ledger and the issuer is never contacted and cannot observe verification traffic, and it allows the check to be performed in perpetuity, even after an issuer stops operating a web endpoint.

Ownership Check

The credential owner is the individual to whom the issuer issued the credential. The ownership check is performed using key binding, a cryptographic method with three stages:

  1. The individual securely discloses ownership of the key(s) to the issuer by sharing a “proof of key possession.”
  2. The issuer embeds information on the keys used in the proof directly into the issued credentials. 
  3. The relying party that receives the credential from the individual similarly requests a “proof of key possession” for the keys embedded into the credential. Only the individual controlling the keys from step 1 can create the required proof. 

The cryptography involved lets the individual prove possession of the key without revealing the private key used to create the proof; the verifier only ever needs the corresponding public key.

Issuer Checks

If the credential has not been tampered with, the issuer attestation can be checked. Issuer checks are made up of four parts:

  1. Credential’s Public Key Addition:
    The first step involves confirming whether the credential’s public key was indeed added by the credential’s issuer.
  2. Registration on Velocity Network:
    Next, verification extends to confirming whether the issuer is registered on Velocity Network.
  3. Permitted Credential Categories:
    It is then critical to determine if the issuer is authorized to issue the specific category of credential being presented.
  4. Primary Source Issuer Validation:
    Finally, in cases where the issuer serves as a primary source, validation entails ensuring that the credential’s primary organization aligns with the issuer’s identity.

The following articles will go into further detail about these issuer checks, which are the unique elements of Velocity Network and part of what makes Velocity Network credentials the most trusted for employers and educational institutions.