Back to Library

Verifiable Credential

Enables issuance, storage, and selective disclosure of cryptographically signed claims about entities.

Verifiable Credentials (VCs) establish a trusted digital identity layer by implementing cryptographically secure attestations about a subject's attributes. The mechanism involves three primary roles: issuers who create and sign credentials, holders who store and control their credentials, and verifiers who request and validate proof of specific attributes. The system allows holders to maintain control over their information by choosing which specific claims to reveal while maintaining the cryptographic guarantees of authenticity. Credentials typically containing claims about the subject, metadata about issuance and expiration, and the issuer's digital signature. Modern implementations often incorporate zero-knowledge proofs to enable selective disclosure, allowing users to prove specific attributes of the credential without revealing the underlying data.

Around the 2000s, discussions on decentralized identity and user-controlled credentials emerged in cryptography and identity management circles. Research on digital credentials, particularly in public key infrastructure (PKI) and X.509 certificates, played a key role in shaping VCs. In 2005, Kaliya Young, Phil Windley, and Doc Searls co-founded the Internet Identity Workshop (IIW), which influenced widely adopted identity standards. In 2016, Christopher Allen published The Path to Self-Sovereign Identity, which helped popularize VCs as a component of Self-Sovereign Identity (SSI). By 2019, the W3C introduced standards for VCs and Decentralized Identifiers (DIDs), providing a formal foundation for self-sovereign identity systems. While VCs do not require blockchain, blockchains can play a significant role by offering an open, immutable ledger that ensures credentials remain tamper-proof and verifiable without reliance on centralized authorities. Efforts to standardize blockchain-based VCs have included EIP-780, which proposed an on-chain claims registry for transparency, and EIP-1812, which focused on off-chain storage with on-chain verification.

Advantages

  • Cryptographic Verifiability: Claims can be verified without contacting the original issuer, reducing dependencies.
  • Portability: Credentials can be used across multiple platforms and services, creating an interoperable trust layer for digital interactions.
  • Reduced Data Duplication: Organizations can verify claims without storing sensitive data, minimizing breach risks.

Limitations & Risks

  • Recovery Complexity: Reliance on cryptographic keys creates significant user experience hurdles and recovery challenges if private keys are lost or compromised.
  • Issuer Trust: Verifiers must still establish trust in credential issuers, as the cryptographic guarantees only ensure authenticity, not accuracy of claims.
  • Privacy: Improper implementation of selective disclosure or correlation protection can lead to unintended information exposure.
  • Standards Fragmentation: Multiple competing technical approaches and implementation standards can limit interoperability and adoption across ecosystems.

Design Considerations While the W3C VCs standards provide a foundational framework, they do not fully specify all aspects of implementation. The following areas require additional design decisions:

  • Key Management: Establish secure methods for generating, storing, rotating, and recovering cryptographic keys for issuers, holders, and verifiers. Consider techniques like hierarchical deterministic keys for issuers managing multiple credential types and threshold signatures to prevent single points of failure.
  • Revocation Mechanisms: Implement privacy-preserving ways to revoke credentials while avoiding centralized control or requiring constant online verification. Approaches include cryptographic accumulators, status lists, and revocation registries.
  • Verification Protocols: Define trust models, verification depth, and proof requirements suitable for different risk contexts. This includes deciding whether to use selective disclosure, zero-knowledge proofs (ZKPs), or full credential validation, depending on the security and privacy needs of an application.
  • Interoperability: Ensure compatibility across different ledger systems, identity providers, and wallet implementations by defining credential serialization formats, transport protocols, and resolution mechanisms beyond W3C’s flexible standards.
  • Correlation Protection: Prevent unintended tracking and linkage of credentials across verifiers. Techniques include blinded credentials, ephemeral identifiers, unlinkable proofs, and minimal disclosure protocols.

Resources

Examples

Polygon ID

A self-sovereign identity solution built on the Polygon blockchain, leveraging zero-knowledge proofs (ZKPs) for private, decentralized identity verification. Users can prove identity attributes without revealing personal data. Polygon ID is the first project to implement the W3C Verifiable Credential Refresh chapter. Trusted entities (issuers) create and issue VCs, which are cryptographically signed and linked to a Decentralized Identifier (DID). Users store VCs in a non-custodial identity wallet and can selectively disclose specific attributes (e.g., age > 18) using ZKPs instead of exposing entire credentials.

Truvera

Provides a suite of tools and services for launching VCs on a blockchain. The Truvera API facilitates the issuance, verification, and revocation of VCs, along with DID management. Truvera Workspace offers a user-friendly platform for creating and managing DIDs, issuing VCs, and overseeing credential lifecycles. The Credential Wallet SDK & White-Label Solutions enable integration of credential management into existing applications or the deployment of a customizable wallet for securely storing and sharing VCs. Credential Schemas define the structure and attributes of VCs, ensuring consistency and compliance. The Trust Registry maintains an onchain list of authorized issuers and verifiers, ensuring that credentials are issued and validated by legitimate entities.