Verifiable Claims: distributed proof of one or more capabilities
By Patrice Kerremans
What is it?
The official definition from the W3C Credentials Community Group is: A statement made by an entity about a subject; A verifiable claim is a claim that is effectively tamper-proof and whose authorship can be cryptographically verified. Multiple claims may be bundled together into a set of claims.
The (somewhat unspoken) fact is that claims can be distributed and do not require a centralized system, because their verification is a matter of cryptographically verifying them. That is, you don’t need a central server to be up-and-running and accessible at all times for you to be able to verify the claim. This makes the system very sturdy.
Also, the creation of claims is delegated to the issuers, making it even a more distributed system. What is it good for?
Other interesting examples include: proving you’re old enough to (buy a) drink, proving you have the required driver’s license when renting a car.
There’s a complete description of the use cases on the W3C github.
Who are the actors/players?
In order for this to work, you’ll need the following actors:
An entity that creates a verifiable claim, associates it with a particular subject, and transmits it to a holder. This can be -for example-
a bank (certifying account ownership), or
a doctor (certifying that you have a certain ailment), or
a government certifying your identity or your birth certificate
a school certifying you’ve successfully achieved a certain degree
An entity that is in control of one or more verifiable claims. This is typically the subject of the claims. But it can also be a third party that holds on to the claims on behalf of the subject.
A statement made by an entity about a subject and that is tamper-proof and whose authorship can be cryptographically verified. This means that
when someone fiddles with a claim, this can be detected; rendering the claim useless
but also that when someone tries to counterfeit one this is detectable; also rendering the claim useless
Say that you create a claim that you’ve obtained a degree at the University of Ghent (UoG). Since the claim won’t have been signed with the private (& secret) key of the UoG, the claims digital signature will be incorrect and others will detect this.
An entity that receives one or more verifiable claims for processing. Examples of inspector-verifiers include employers, security personnel, car rental services, and websites.
Mediates the creation and verification of subject identifiers. Examples of identifier registries include corporate employee databases, government ID databases, and distributed ledgers.
In the next post we’ll go into how to implement this…