Embracing the world of mDLs and ISO/IEC 18013-5 has been an exciting journey for me. The potential applications of this standard in enhancing people's daily lives while prioritizing data security and privacy amidst the constant stream of data breaches have truly captivated me. However, the recent introduction to the W3C VCs standard by my friend Leo has been a game-changer. This standard, with its profound significance, is set to revolutionize the future of digital credentials verification across in-person and e-commerce scenarios. In this blog, I aim to unravel this standard and share my insights with you.
Get ready to dive into the world of W3C VCs framework! By the time you finish reading this blog, you'll be a pro at understanding these key concepts:
Understanding the concept of W3C Verifiable Credentials and their application in various scenarios.
Exploring the key components of W3C Verifiable Credentials.
Learning about the process of W3C Verifiable Credentials, and how cryptographic techniques ensure privacy, security, and interoperability.
Understanding the features of W3C Verifiable Credentials.
Overview
Let's dive into this with a University (Issuer) example. Imagine the university issuing a verifiable credential, such as a degree or a skills certificate, and the Employer (Verifier) requesting the public key from the registry. The employer then uses this key to validate the credential in the W3C Verifiable Credentials process.
A university issues a W3C credential to a student.
The student, as the holder, keeps the digital credential issued by the university in a digital wallet on his phone.
The student applies for a job, and the employer needs to verify the credentials. The employer already has the university’s public key from a trusted DID registry (previously fetched online) or requests one once, which it can either cache or download for future verifications.
The registry provides the Issuer's public key back to the Verifier
The employer can cryptographically verify the credential offline without connecting to the university in real time. If the employer wants to check if the credential has been revoked, they need to connect to a revocation registry.
What are W3C VCs?
W3C Verifiable Credentials (VCs) are a framework designed to enable the secure exchange of digital credentials across various platforms and contexts, such as digital identities. It is broader than driver's licenses, encompassing use cases for educational certificates, employment records, health credentials, and more. The goal is to create a standard way to express and verify credentials digitally, ensuring privacy, security, and interoperability.
Key Components
Issuer: The entity that creates and issues the credential. This could be a government authority, educational institution, or any trusted body.
Holder: The individual or entity who owns the credential. The holder controls where and how the credential is shared.
Verifier: The party that needs to verify the credential's authenticity, such as a service provider or employer.
How Verifiable Credentials Work
Credential Issuance: The issuer creates a digital credential (e.g., a digital ID) in a tamper-proof format and assigns it to the holder. For instance, in the case of mDLs as VCs,
DMV generates the mDL in a digital format (usually JSON or JSON-LD), which contains the relevant information about the holder. This may include personal details like the holder's name, date of birth, and license number, as well as driving qualifications and the license's expiration date.
The mDL is digitally signed by the issuing authority's private key using cryptographic techniques.
Credential Storage: The holder can store the credential in a digital wallet or similar application, maintaining control over their data.
In the case of mDL, after the holder’s identity is verified and the request is approved, the mDL is sent to the holder’s digital wallet. This secure application stores digital credentials.
The wallet might be an app on the user’s smartphone, like Apple Wallet, Google Wallet, or a government-provided wallet app. The wallet is the holder's interface for managing and sharing their mDL.
The holder’s wallet stores the mDL securely, often using encryption. Only the holder can access and share the mDL with verifiers.
The W3C VC model emphasizes user control, meaning the holder decides when and how to share the credential. Depending on the verifier's request, they may share the full mDL or just parts of it (e.g., only sharing age information without revealing the entire license).
Credential Verification: When the holder needs to prove their identity or other attributes, they share the credential with a verifier. The verifier can cryptographically check whether the credential is valid and hasn’t been tampered with.
In the case of mDLs, the holder can share their mDL by generating a QR code, using NFC, or sending a secure digital link, depending on the verification method used by the verifier.
The presentation process can happen online (via a website or app) or offline (using QR codes or NFC).
The holder can present the mDL to verifiers, such as law enforcement, retailers, or banks when proof of identity or driving eligibility is needed.
Through selective disclosure, the holder can choose to share only specific pieces of information rather than the entire mDL.
The verifier checks the mDL by verifying the attached digital signature.
They do this by using cryptographic proofs to ensure that the mDL was indeed issued by the trusted authority (the DMV, for example) and that it hasn’t been tampered with.
To verify the signature, the verifier checks the issuer’s public key, typically stored in a public ledger or trusted registry. This ensures the mDL was signed by the legitimate issuer and that no unauthorized changes were made to the credential.
Since W3C VCs include cryptographic proofs, verification can happen offline without contacting the issuer in real time, making the process efficient.
VC Features
Decentralization
VCs are designed to work in a decentralized manner, where no central authority controls the credentials. The holder can choose how to share their data.
Privacy
VCs are privacy-preserving by design.
They can implement selective disclosure, meaning a holder can reveal only the necessary parts of their credential.
For example, to verify age, they don’t need to share their full date of birth.
The VC model also supports Zero-Knowledge Proofs (ZKPs), enhancing privacy by enabling verifiable statements without revealing sensitive underlying data.
Interoperability
While ISO/IEC 18013-5 is limited to driver's licenses, W3C VCs are designed for cross-domain interoperability.
The W3C VC standard is built using common web standards like JSON-LD and Linked Data, making it more interoperable across various digital platforms and services globally.
This is useful for verifiers who need to operate across borders or work with international systems, providing a consistent framework for verifying digital credentials. However, it is less prescriptive than ISO in terms of technical specifications for mDLs specifically.
Security
The credentials are digitally signed, ensuring that the verifier can trust them and that they cannot be altered by unauthorized parties.
Data Model
The VC model is highly flexible and can adapt to various use cases, not limited to any particular domain.
Credentials are JSON or JSON-LD objects containing information like the issuer, holder, claims, and cryptographic proof (e.g., digital signatures).
Support for versatile use cases
The W3C VC standard is not limited to mDLs and can handle various digital credentials, such as educational qualifications, health certificates, or work records.
Verifiers looking to streamline credential management across various domains can benefit from this versatility. They can use the same framework to handle not just driver's licenses but also other types of verifiable credentials.
Efficient Verification Without Internet Dependence
W3C VCs typically use cryptographic proofs and don’t require an online connection to a central authority for every verification event.
Once a credential is issued and digitally signed, verifiers can check its authenticity through cryptographic methods, even offline.
This reduces the need for network infrastructure or reliance on always-online verification, offering flexibility in various contexts.
The VC model's decentralized verification is quick and efficient for verifiers dealing with routine checks (e.g., verifying identity at events, businesses, or online services).
Cost-Effectiveness and Scalability
Lower Long-Term Costs: The W3C VC framework reduces the dependency on centralized infrastructure (e.g., servers for real-time issuer verification), potentially lowering verifier operational costs.
Especially for large-scale use cases (e.g., verifying thousands of credentials daily), the decentralized nature of VCs can reduce the overhead costs associated with ongoing verification processes.
Credential Revocation
In W3C VC, the holder has complete control over what data they share with verifiers.
If they no longer want to share their mDL with a specific verifier (for example, a business they previously gave access to), they can stop sharing the verifiable credential through their digital wallet.
Since the W3C model allows for on-demand, selective disclosure, the verifier can no longer access the data once the holder decides not to present the credential again.
In some implementations, verifiable credentials are time-bound or can require periodic re-verification from the holder. If the holder doesn’t authorize this, the credential becomes invalid, effectively revoking access without needing to communicate directly with the verifier.
If an mDL is revoked by the issuer (e.g., due to license suspension), the W3C VC framework supports revocation registries or status lists.
These are publicly accessible lists that verifiers can check to see whether a particular credential is still valid.
If the mDL has been revoked, the verifier is informed of the invalid status without contacting the holder.
Robust Fraud Risk Management
Public-key infrastructure (PKI) and Digital Signatures
A fraudster cannot issue a valid credential without access to a recognized and trusted issuer’s private key.
Verifiers can easily detect fake credentials by checking the digital signature against a list of trusted public keys.
If a trusted entity does not sign the credential, the verification process will fail.
Example: If a fraudster tries to issue a fake university degree using a fake W3C VC, the verifier will notice that the credential is not digitally signed by the real university’s public key and reject it.
Trusted Issuer Registries
Verifiers can rely on trusted issuer registries or decentralized identifier (DID) networks to confirm that the issuer is recognized and legitimate. These registries may be maintained by governments, industry consortia, or trusted institutions.
If an issuer is not on the trusted registry or has not been certified by a trusted authority, the verifier can easily flag the credential as potentially fraudulent.
Example: A government could maintain a registry of accredited universities and licensed healthcare providers. If a verifier checks the issuer’s public key and it isn’t in the government’s registry, the credential is deemed fake.
Decentralized Identifiers (DIDs)
W3C VC supports the use of Decentralized Identifiers (DIDs), which are cryptographically verifiable and controlled by the issuer. Issuers use their DIDs to sign credentials, and verifiers can resolve these DIDs on decentralized networks to confirm the issuer’s identity.
A fraudster cannot easily spoof a legitimate DID without access to the associated cryptographic keys, making it difficult to forge credentials.
Example: A university’s DID is published on a decentralized network. A verifier can check the university's DID and confirm that the issued credentials come from the legitimate source, rather than a fraudulent actor.
Revocation Mechanisms
Verifiable credentials can include revocation registries, which allow issuers to revoke a credential if it has been issued in error or compromised.
If a fraudster somehow manages to issue a credential, the legitimate issuer can use the revocation mechanism to invalidate the fake credential once detected.
Example: If a fraudulent credential is discovered, the legitimate issuer (e.g., a university or government agency) can mark it as revoked in the registry, making it invalid for future use by verifiers.
Credential Lifespan and Expiration Dates
W3C VCs can include expiration dates, which limits the time window during which a credential is valid.
Even if a fraudster manages to issue a fake credential, its usability will be limited to the duration of the validity period, making it easier to detect over time.
Example: A fake credential claiming to represent a valid professional certification can be caught once the expiration date passes, limiting its ability to be used indefinitely.
Summary
The W3C VC standard is a general-purpose framework for the issuance, exchange, and verification of any digital credential, not just mDLs. It provides a flexible format for representing credentials digitally and emphasizes decentralization, privacy, and selective disclosure.
It is broader than just driver's licenses, encompassing use cases for educational certificates, employment records, health credentials, and more.
W3C VC embraces a decentralized identity model, where the credential holder has full control over their credentials. They can choose when, where, and how to present their credential without necessarily relying on the issuer to verify the data in real-time.
The focus is on the individual being in control of their data, aligning with privacy-by-design principles and giving more autonomy to the holder.
The VC model also supports Zero-Knowledge Proofs (ZKPs), enhancing privacy by enabling verifiable statements without revealing any sensitive underlying data.
Broad applicability across a variety of domains, such as government-issued digital IDs, educational qualifications, health credentials, and employment certifications. An mDL could be one type of credential within this larger ecosystem.
Disclaimers
I truly appreciate your understanding that the content is based on my secondary research.
Although the blog contains detailed information on several concepts, I have deliberately presented the content at a high level to ensure that it is easily comprehensible to everyone without compromising its accuracy.
Your feedback is invaluable, so please do not hesitate to share your comments if you come across any inconsistencies in the content.
Additionally, the images featured in the blog are original and are the exclusive property of my company, Demystify Biometrics.
To ensure the information's accuracy and tone, AI-based tools have been utilized for research and content refinement. Your support and understanding mean a lot—thank you for being part of this journey.
A really good attempt at trying to decipher and compare the two standards approaches. Its been quite a political hot potato. I would suggest that an ISO 18013 and its derivative ISO 23220 can be and has been identified as an W3C VC. The base data model in a W3C VC can be used in the equivalent ISO mDoc and the authentication protocols and trust anchors are also available in ISO.
So whilst ISO 18013-5 in particular was developed initially in September 2021 for a mobile Driver Licence (mDL) mDoc there have been and there will be a growing number of other mDocs. This includes the newly released Photo ID, Mobile Vehicle Registration Certificate, eHealth Identity (MiCov) and others. W…