The Open Credential Network
An open, pluggable VC & VP protocol to enable interoperable & portable exchange, storage, and programmability of credentials.
The goal of the Internet of Education (IoE) Network is to design a pluggable Verifiable Credentials (VCs) and Verifiable Presentation (VP) protocol (VCP) inline with World Wide Web Consortium (W3C) international standards to enable interoperable and portable exchange, storage, and programmability of credentials.
Background
With the introduction of decentralized identifiers (DIDs), VCs and VPs, credentialing has begun a digital transformation. There now exists mechanisms for any individual in the world to issue a verifiable credential to anyone else, for that individual to verify and validate the credential, store it, and use it as proof with third parties in similarly verifiable ways.
With these mechanisms in place, protocols focused on supporting the exchange, usage, analysis, and programmability of VC/Ps through interoperable formats can be built.
Introduction
VCs have the capability to transform credentialing frameworks and models from static, transactional, and trust-based to dynamic, programmable, and trustless. This requires more than just DIDs and VCs. The systems and protocols in which these standards operate need careful consideration.
Initial use cases have focused on transitioning analog credentialing systems to digital, but that has led to closed, isolated verticals, and prevented the Cambrian explosion or network effect that has been seen in the more composable worlds of crypto and web3.
Building an open network for credential exchange and presentation allows for higher inclusivity leading to accelerated adoption and the emergence of new use cases.
The IoE Network is an open credential network, focused on building an interoperable protocol for the exchange, storage, and presentation of VCs.
Protocol Examples
Alice has completed an online course teaching skill X and taken an exam that measures what she’s learned.
She has earned herself a passing grade on the exam demonstrating understanding of skill X.
Upon completion, a skill credential capturing this is prepared by the course provider, Bob.
Bob uses Alice’s known DID, a course credential template, and his known DID to construct and sign a verifiable credential (VC).
Bob then uses an exchange mechanism agreed upon by him and Alice to send the VC.
Alice receives the VC.
Alice verifies the VC was signed by Bob by comparing the VC signature against the expected DID of Bob.
Alice validates the VC represents the correct skill credential by comparing the credential object against the expected credential template.
Alice confirms the VC is accurate and decides to store it in her preferred storage mechanism.
Goals
Support core protocol procedures – issue, exchange, store, present VC through a unified interface.
Open source and extendable – mechanisms for supporting various implementations of protocol procedures, including BYOI (bring your own implementation).
Open network – any agent can participate in the protocol, given minimal technical requirements.
Definitions
Credential—a set of one or more claims made by an issuer
Decentralized identifier—a portable URL-based identifier, also known as a DID, associated with an entity. These identifiers are most often used in a verifiable credential and are associated with subjects such that a verifiable credential itself can be easily ported from one repository to another without the need to reissue the credential. An example of a DID is did:example:123456abcdef.
Decentralized identifier document—also referred to as a DID document, this is a document that is accessible using a verifiable data registry and contains information related to a specific decentralized identifier, such as the associated repository and public key information.
Holder—A role an entity might perform by possessing one or more verifiable credentials and generating presentations from them. A holder is usually, but not always, a subject of the verifiable credentials they are holding. Holders store their credentials in credential repositories.
Issuer—A role an entity can perform by asserting claims about one or more subjects, creating a verifiable credential from these claims, and transmitting the verifiable credential to a holder.
Key material—the cryptographic secrets that compose a key.
Presentation—data derived from one or more verifiable credentials, issued by one or more issuers, that is shared with a specific verifier.
Protocol—official set of procedures for what actions to take in a certain situation
Relying Party—A role an entity performs by receiving one or more verifiable credentials, optionally inside a verifiable presentation for processing.
Subject—A thing about which claims are made.
Triangle of Trust—three roles of the “trust triangle” which make credentials of any kind work: issuing the credential, holding it in a wallet, and verifying it when it's presented by the holder.
Verifiable credential—a tamper-evident credential that has authorship that can be cryptographically verified.
Verifiable presentation—tamper-evident presentation encoded in such a way that authorship of the data can be trusted after a process of cryptographic verification.
The Protocol
Overview
The protocol is an interoperable set of procedures that enables the exchange of VCs between network participants. This includes auxiliary procedures built to support exchange, such as constructing, signing, storing, retrieving, etc.
The diagram below captures the responsibilities of procedures and engagements of triangle of trust participants during typical exchange workflows.
Participants
Issuer
Subject
Holder
Relying Party
Core Procedures
List of core procedures plus suggested supplemental ones.
Supplemental Procedures
Select identifier– Construct or retrieve a DID document.
Request issuance– Construct a VC issuance request provided DID, credential identifier, and target.
Request presentation– Construct a VP issuance request provided DID, credential identifiers, and target.
Request exchange– Exchange requests given a request object and target identifier.
Credential templates– Retrieve a credential template provided a credential template identifier.
Query VCs– Given query parameters, query and return matching VCs.
Further Reading
This initial draft is meant to establish a conceptual understanding of the high-level design of the proposed IoE Network protocol. It should not be considered complete or final. It represents a proposed design for public comment. Future revisions will address incomplete elements and currently unforeseen issues or challenges. Next, a standards conformant, open source reference implementation and SDK for wallets will be developed, as well as a reference implementation.
Feedback
Our goal is to develop this as an open source project for the public good. Everyone is open and welcome to provide input on design decisions made.
Last updated