Verifiable Credential

From MgmtWiki
Revision as of 17:30, 18 November 2021 by Tom (talk | contribs) (References)

Jump to: navigation, search

Full Title or Meme

The Verifiable Credentials Data Model 1.0 is a standard means fro create a collection of claims to move between trust domains or federations. But since is it a data model and not a data format or protocol, it cannot deliver on that goal.


  • The Verifiable Credential was the first of a series of proposed standards to enable Self-Sovereign Identity by enabling the packaging of user identity information that can be verified by the receiver.
  • The Verifiable Presentation is created in response to a request from a Verifier which is known here as a Relying Party.


The current behaviors of SameSite are:

Term Meaning or Behavior
claim An assertion made about a subject. (This can only be considered true if the term subject is interpreted very broadly.)
subject A thing about which claims are made.(Complete circulate - no real meaning at all.)
user agent A program, such as a browser or other Web client, that mediates the communication between holders, issuers, and verifiers. (This does not match DID core well at all.)
validation The assurance that a verifiable credential or a verifiable presentation meets the needs of a verifier and other dependent stakeholders.


The Verifiable Credential is a Swiss Army knife

The Swiss Army knife was designed for survival in the wild if it were the only tool available to you.

  • It was wildly popular and sold or copied throughout the world.
  • The Swiss Army knife is not used to fix a car our build a house if there are purpose-built tools available.

The Verifiable Credential spec was created to allow Verifiable Credentials to fill any identify function.

  • It is wildly popular among hackers who want to be able to create quick-and-dirly soltuions.
  • It is not designed to architect or build industrial scale identifier/attribute solutions.

User Control

User control is mentioned non normatively in the VC spec. It is not required, in fact this appears in the VC Spec. “Placing a refreshService property in a verifiable credential so that it is available to verifiers can remove control and consent from the holder and allow the verifiable credential to be issued directly to the verifier, thereby bypassing the holder.” The DID Core spec specifically declaims any definition of control leaving it up to the user and the method. For example this quote “Each DID document can express cryptographic material, verification methods, or services, which provide a set of mechanisms enabling a DID controller to prove control of the DID.” Most DID methods just enable proof of possession of a private key by the signing of any response at all. This is then incorrectly conflated with proof of control.



Version 1.1

Verifiable Credentials v1.1 has just been released[1] for public review and a W3C Advisory Committee vote[2]:

There are three (fairly boring but important and backwards compatible): substantive changes in this version of the specification:

  1. Update previous normative references that pointed to RFC3339 for datetime details to now normatively reference the datetime details described in XMLSCHEMA11-2 which more accurately reflects the usage in examples and libraries.
  2. Loosen the requirement to use URLs to use URIs in the id property of the credentialStatus and refreshService sections of the data model. Link normatively to the URI specification.
  3. Loosen normative statements in the zero-knowledge proofs section to enable compliance of new zero-knowledge proof schemes, such as BBS+, that have been created since the v1.0 specification was published as a Recommendation.

The W3C Advisory Committee vote is open until January 18th 2021, which also includes a patent exclusion period (to ensure the specification remains royalty free to view and implement).

The general public is invited to view and comment on the proposed corrections during this time period. Proposed corrections are marked up like so:

Searching for the text "PROPOSED CORRECTION" will show you all of the substantive changes in this version of the specification.

This publication is also a signal to the market that the Verifiable Credentials specification is under regular maintenance and is tracking the realities in the market as it evolves.


  • This was one of the highlights from XXXI Internet Identity workshop:(IIW) presentation by Timothy Ruff (