23J/ Credential Chaining - Verification of VCs in non-trivial Trust Networks (open discussion)

From IIW


Thursday 23J

Conveners: Sebastian Schmittner <sebastian.schmittner@eecc.de>, Robin Klemens <klemens@internet-sicherheit.de>

Notes-taker(s): Robin Klemens

Tags for the session - technology discussed/ideas considered:

Credential Chaining, Credential Delegation, Provenance Proof

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

First Part: Introduction

  • State of the art of chaining as implemented in X.509 certificates

  • Differentiation in credential chaining:

    • Provenance

    • Delegation

Second part: Example of GS1 system in different flavors of credential chaining

  • Established system that is in production for many years

    • Hierarchical system

    • GS1 Global at the top, breaks down into national offices

[[File:./output/media/image7.png|624x698px]]

  • Goal: How can we model the hierarchical system with Verifiable Credentials?

Ask the issuer - walk the chain

  • You need to know what to ask for

  • The proof request must also include all the attributes needed to complete the chain up to the issuer

  • Challenges:

    • Privacy (exposing all entities along the chain)

    • How does an issuer know that a request from a verifier should be answered?

[[File:./output/media/image5.png|624x580px]]

[[File:./output/media/image1.png|624x922px]]

Certificate Chain using references (VC IDs)

  • Closest to a classical certificate chain such as X.509

  • Requires knowledge on the verifier side to complete the chain up to the root attester

[[File:./output/media/image6.png|624x513px]]

Certificate Chain using embedding

  • Nested VCs yield a cert chain in a single document

  • All-in-one approach: verify the inner signatures

  • Credentials could get quite big

  • Similar to Aries RFC 104

[[File:./output/media/image3.png|624x450px]]
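Added example (not from the session, GS1 or any Aries implementation): a Python sketch of the verifier-side walk for both the reference flavour (parent named by VC id, which the verifier must resolve itself) and the embedding flavour (parent nested inside the credential). The DIDs, VC ids, `parentCredential` field and HMAC "proofs" are constructed stand-ins for real DID keys and signature proofs.

```python
import hmac, hashlib, json

# Constructed stand-ins: each issuer holds an HMAC key and the "proof" is an HMAC over the VC;
# a real verifier would resolve the issuer's DID key and check the VC's signature proof instead.
ISSUER_KEYS = {
    "did:example:gs1-global": b"root-key",
    "did:example:gs1-de": b"national-office-key",
    "did:example:company-a": b"member-company-key",
}
TRUSTED_ROOTS = {"did:example:gs1-global"}  # root attester(s) the verifier is configured with

def sign(vc, key):
    payload = json.dumps({k: v for k, v in vc.items() if k != "proof"}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue(vc_id, issuer, subject, parent=None, embed=False):
    vc = {"id": vc_id, "issuer": issuer, "credentialSubject": {"id": subject}}
    if parent is not None:  # reference flavour stores the parent's VC id, embedding nests the VC
        vc["parentCredential"] = parent if embed else parent["id"]
    vc["proof"] = sign(vc, ISSUER_KEYS[issuer])
    return vc

def verify_chain(vc, registry, max_depth=10):
    seen = set()
    for _ in range(max_depth):
        issuer = vc["issuer"]
        key = ISSUER_KEYS.get(issuer)
        if key is None or not hmac.compare_digest(vc["proof"], sign(vc, key)):
            return False, f"bad proof on {vc['id']}"
        if issuer in TRUSTED_ROOTS:
            return True, f"chain anchored at {issuer}"
        parent = vc.get("parentCredential")
        if parent is None:
            return False, f"{issuer} is not a trusted root and {vc['id']} names no parent"
        if isinstance(parent, str):  # by reference: the verifier has to resolve the id itself
            if parent in seen:
                return False, "cycle in chain"
            seen.add(parent)
            parent = registry.get(parent)
            if parent is None:
                return False, "cannot resolve parent credential"
        if parent["credentialSubject"]["id"] != issuer:  # parent must authorize this issuer
            return False, f"{parent['id']} does not authorize {issuer}"
        vc = parent
    return False, "chain exceeds max_depth"

def build_demo(embed=False):
    root = issue("urn:vc:gs1-global-to-de", "did:example:gs1-global", "did:example:gs1-de")
    national = issue("urn:vc:de-to-company-a", "did:example:gs1-de", "did:example:company-a", root, embed)
    leaf = issue("urn:vc:product-1", "did:example:company-a", "did:example:product-1", national, embed)
    return leaf, {v["id"]: v for v in (root, national)}  # registry is only needed for references
```

With `embed=True` the leaf carries the whole chain and `verify_chain` needs no registry, which is the "single document" property of the embedding flavour, at the cost of credential size.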

Register of authorized issuers

  • Publish signed list of authorized issuers (somewhere)

  • Centralized registry

  • Could also be used for revocation

[[File:./output/media/image4.png|624x398px]]

Indy Version of Registers: Governance of CredDefs

  • Who is allowed to write Credential Definitions?

  • As a verifier you just need to verify the credential as before

  • The trust lies within the governance of the governance

  • Most centralized approach

[[File:./output/media/image2.png|624x377px]]

Open questions

  • Should credential chaining be included in the next version of the verifiable credential model by W3C?

  • Who is already working on credential chaining?

  • Which working groups are out there that we should join?

Call to Action

  • Currently, the Credential Chaining SIG works within IDunion

  • We want to make this an open and collaborative effort

  • Please reach out to Sebastian and Robin if you want to participate. We would also be glad to learn about similar efforts so we can figure out how to join forces