As the world accelerates with COVID-19 pandemic mitigation, countries are looking for strategies to safely restart their economies. Most ideas for rebooting the economy depend on immunity assurance by providing people with a safe worker certificate. The hypothesis is that safe worker certificate can provide verifiable assurance for people to return to work and participate in the economy. The safe worker certificate infrastructure also enables the foundation for future pandemic containment, by managing the full life cycle of a person’s immunity state (e.g. vulnerable, infected, immune) as well as advanced tracing/tracking capabilities (e.g. MIT Private Kit). However, these solutions require global-scale protocols and privacy-enhanced technologies to provide public health benefits across many jurisdictions without compromising individuals’ privacy:
“Technology will play an important role in “licensing” people to return to work, but each country will have to consider privacy issues in introducing such systems.”
[How to restart national economies during the coronavirus crisis, McKinsey & Company]
“Digital identity that allows certification of the user’s health status, similar to today’s payment acceptance mechanism, can create safe working environments and consumer experiences (restaurants, hotels, meetings) while protecting personal privacy.”
[Restarting the Economy and Avoiding Big Brother (draft), Massachusetts Institute of Technology]
The decentralized identity technology and verifiable claim exchange protocol can potentially help with how safe worker certificates are issued and verified. In addition, decentralized identity claim can be issued and verified using privacy-enhanced technologies such as zero-knowledge proof and multi-party computation.
Decentralized Identity and Verifiable Claims
A decentralized identity approach provides an alternative model (to centralized identity) that is based on a shared trust model as shown below. An entity creates its own digital identity with one core decentralized identifier (DID) and additional DIDs per relationship. Entities prove and register their proof of identity once on an identity trust fabric (ITF) that is common across multiple organizations that participate in the decentralized identity network.
These identities are directly controlled by the entity (controller) or its agent (holder/custodian) and exposed by a set of decentralized identity services. Organizations can trust the entity by verifying its credentials, using the relevant proofs on the identity trust fabric. The entity retains the control over how its DIDs and associated data can be shared/used by providing explicit consent for appropriate use cases.
Verifiable claims (or credentials) exchange (VCE) protocols implement trusted data exchange between different parties in a business process and therefore are the most important use case of decentralized identity. A claim is a statement about an entity (subject). A credential is a set of claims made by the same subject. Establishing standardized and interoperable verifiable claim (or credential) exchange ecosystems is a key step in enhancing data privacy, data quality and efficiency of data exchange. This includes sending and receiving digitally verifiable attributes or proof of attributes such as qualifications and achievements.
Safe Work Certificate Example
The following diagram shows how a safe worker credential can be issued (conceptually):
Issue safe worker credential:
- The public health authority onboards Alice first, and then both create pairwise-unique DIDs to connect.
- The public health authority creates and sends a credential offer to Alice upon verification of immunity and initiating the process.
- Alice retrieves the public health authority credential schema from the ledger, creates a credential request and return it.
- The public health authority creates the credential for Alice. The credential includes necessary attributes for immunity state as defined in the schema as well as the required cryptographic proof (digital signature) that Alice can use later when requested by the company.
- Alice now receives the credential and stores it in her wallet.
The following diagram shows how a safe worker credential can be verified (conceptually):
Verify safe worker credential:
- The company onboards Alice first, and then both create pairwise-unique DIDs to connect.
- The company creates a proof request, which lists the items and the conditions required that is the proof of immunity.
- Alice receives this proof request and creates a proof based on the credential she obtains from the public health authority. The proof contains information that meets the requirements of the company’s proof request.
- The company receives proof from Alice, reviews the information, evaluates the condition required and verifies that the credential is coming from the public health authority (using the public key in the related DID document on Identity Trust Fabric).
- The company accepts this proof.
Privacy Enhanced Verifiable Claims
Decentralized identity is also evolving to include privacy-oriented mechanisms that reduce excessive information sharing, such as zero-knowledge proofs (ZKPs). This privacy-preserving mechanism uses messaging protocols that enable entities to prove that information available is correct, without the requirement to transmit or share the underlying information. ZKPs has applicability in a wide range of verifiable claim exchange use cases, such as age, medical records, professional certifications, educational transcripts, proof of ownership and payment verification. These use cases usually involve a verifier asking a question and the user providing an answer (without sharing the underlying information), with a cryptographic proof of answer correctness. The proof is constructed based on an attribute or credential that is usually issued by another organization.
Decentralized identity and verifiable claims are making progress to address issues such as governance, scalability, user experience, interoperability, decentralized key management, privacy and security. We expect this trend to continue in the coming years to reasonably address core outstanding issues, even though early offerings may not be ideal. Decentralized identity requires careful business and technical planning. However, many security and risk management technical professionals are not fully familiar with the concept.
Specifications and Open Source Initiatives
Formalized standardization and open-source initiatives for decentralized identity and verifiable claims exchange are maturing to document and implement industrywide specifications such as:
- “Decentralized Identifiers (DIDs) v1.0,” World Wide Web Consortium (W3C)
- “Verifiable Credentials Data Model 1.0,” World Wide Web Consortium (W3C)
- “Verifiable Credentials Use Cases,” World Wide Web Consortium (W3C)
- “Decentralized Identity Foundation Homepage,” Decentralized Identity Foundation
- “Hyperledger/Indy-Node,” GitHub
- “Hyperledger/Aries,” GitHub
- “Hyperledger/Ursa,” GitHub
If you are interested to learn more, the following Gartner research reports provide further guidance (available to Gartner subscribers):
- Guidance for Decentralized Identity and Verifiable Claims (Published 24 January 2020 – ID G00392042)
- Guidance for Blockchain Solution Adoption (Published 24 March 2020 – ID G00463865)