14. Verifiable Credentials or Verified Transactions?
We are heading towards verifiable credentials but verified transactions are more important!
Verifiable Credentials (VCs) will be forgotten and Verified Transactions (VTs) will be the norm. How’s that for stirring the pot! In this newsletter I’ll briefly discuss the technology basis for both, why Verifiable Credentials have limited use and are dangerous, and why Verified Transactions have many uses and will become the norm.
Technology Basis
It is all about public key cryptography (also called public/private key cryptography and asymmetric cryptography). You use it every time you use a browser - it is the basis for SSL secure communications between Internet browsers and servers. It works and it is proven.
Besides enabling secure communications, public key cryptography also supports the digital ‘signing’ of documents. That is, such documents can be signed digitally and can then be digitally verified. This tech has been around for a long time, it works, and it can be used to sign both VCs and VTs.
Verifiable Credentials
Let’s first look at VCs. These are slated to be the next big thing for Identity, but I maintain that VCs are limited to data sharing, and I maintain that VCs are dangerous when stolen or lost because they have real value.
Data sharing only – not a full Identity solution
The major limitation is that VCs are not a full Identity solution! Do you remember this:
VCs could clearly be part of the right-hand side. That is, they could act as a standardised way for sharing data with the added benefit that the receiver could trust the validity of the credential. This would have more applicability for decentralised solutions where trust needs to be established for every transaction, whereas networked solutions, with connected ‘already trusted’ parties, do not have the same need (i.e. if it is a trusted source the data should also be trusted).
But a VC does not do authentication. Think about a person holding a university degree in front of you. The name identifies them and the wax seal gives confidence that this is a valid degree. But is the person holding the degree the person named on the degree? There is no way to know. The hard bit of identity, authentication, is not covered at all. VCs are the same as a physical university degree – they are not an authentication solution.
Now, some clever person will likely respond suggesting that the credentials within the VC can be used to authenticate the holder of the credential. But putting your secret password or your biometrics into some document you share with all and sundry is clearly not a good idea. Keep the secrets as secrets.
So, VCs are only part of Identity and they are not the hard part of Identity! The hard part is, of course, authenticating yourself to someone who doesn’t know you, and VCs do nothing for that problem.
The cost of stolen credentials
Currently a fuss is made when credentials are stolen or inadvertently made public, but the fallout will be minor compared to that in a world of VCs.
We know that there are data breaches and I take such breaches seriously. But often the stolen data is commonly available! Does anybody remember the telephone box with name, address, and telephone number? Much of the data stolen is exactly this data. And so, the reason data breaches do not condemn all those affected to lives of purgatory is because the data is probably available anyway.
In a world of VCs all that changes. VCs will be lost and stolen due to leaky organizations and leaky digital wallets. This will not be an issue in a perfect world where authentication is done properly and the identified person is strongly verified against the identity in the VC.
But one can see the situations developing where nefarious individuals will attempt to use stolen VCs either through associating them with a similar name or by aggregating them to suggest a certain individual. And if the technology becomes ubiquitous people will test the boundaries.
The fundamental problem is that, because it is verifiable, the VC is valuable but it can be copied infinite times. It’s a bit like making millions of perfect copies of the physical university degree I mentioned above. Each one is ‘real’. What can then be trusted?
Are VCs fool’s gold?
We do not yet know, but VCs have more challenges than simply being implemented. By their very nature they can only be part of an Identity solution, but they are not an essential part, and when implemented they may create more problems than they solve.
Verified Transactions
Recent discussions in the Anti-Money Laundering / Countering the Financing of Terrorism / Know Your Customer / Customer Due Diligence (AML / CFT / KYC / CDD) world have highlighted to me that we live in a world of compliance, and how important cost-effective compliance is now and will be in the future.
Part of that compliance is an audit function, and organizations I have discussed this with confirm that when audited they often fall back on physical records. In 2024! And, of course, many of the AML processes they execute are performed by third parties.
So why not record the organization requiring the AML process, the person who is the subject of the AML process, and the result, and sign it? That would seem to be a practical and useful application of public key cryptography.
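The record-and-sign idea above, sketched in Go as an added example (it is not the author's code). The field names, the sample values and the choice of Ed25519 as the signature scheme are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// VerifiedTransaction is a hypothetical record layout (field names are assumptions).
type VerifiedTransaction struct {
	Requester string `json:"requester"` // organization requiring the AML process
	Subject   string `json:"subject"`   // person who is the subject of the process
	Result    string `json:"result"`    // outcome of the process
	Performed string `json:"performed"` // when the check was carried out
}

// SignedVT keeps the exact signed bytes next to the signature, so an auditor
// verifies what was signed rather than a re-serialised copy.
type SignedVT struct{ Payload, Signature []byte }

// NewKeys creates the key pair of the party performing the check.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// Sign serialises the record and signs those bytes with the checker's private key.
func Sign(priv ed25519.PrivateKey, vt VerifiedTransaction) (SignedVT, error) {
	payload, err := json.Marshal(vt)
	if err != nil {
		return SignedVT{}, err
	}
	return SignedVT{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature first and only then decodes the record.
func Verify(pub ed25519.PublicKey, s SignedVT) (VerifiedTransaction, bool) {
	var vt VerifiedTransaction
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return vt, false // altered record or wrong signer
	}
	err := json.Unmarshal(s.Payload, &vt)
	return vt, err == nil
}

func main() {
	pub, priv, _ := NewKeys()
	// Constructed sample values, not real data.
	s, _ := Sign(priv, VerifiedTransaction{"Example Bank Ltd", "subject-ref-0001", "pass", "2024-05-01T10:00:00Z"})
	_, ok := Verify(pub, s)
	fmt.Println("audit check passed:", ok)
}
```

An auditor needs only the checker's public key, obtained through a channel it already trusts, to re-verify stored records. Changing any field after signing makes verification fail.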
Weighing it up
VCs are probably essential for the decentralized Identity movement. We have Decentralized identifiers (DIDs), Digital Wallets, and now VCs that presumably will work in unison.
But for any other Identity solution, VCs will not solve the basic Identity challenge of authentication, while adding another layer of complexity and possibly creating other long-term issues.
VTs could solve a current problem.
If you believe in the decentralized model you need to believe in VCs. If you believe in a networked model, you don’t need VCs and VTs are a real opportunity.
What do you think?
Regards
Alan