Introduction to Decentralized Identifiers and Verifiable Credentials for Web3 Commerce
Much of the early enthusiasm about blockchain and distributed ledger technologies can be traced to their potential to vastly lower the cost of trust in complex economic ecosystems. This isn’t surprising, as trust — in institutions, markets, counterparties, identities, authorities, settlement, dispute mechanisms, etc. — is the necessary and fundamental ingredient for human cooperation, including all economic transactions. Much of human progress can be traced to improvements in trust technologies: state currencies, accounting, rule of law, escrows, and banking systems, for example, are all technologies that improved trust for multiparty cooperation and ushered in new waves of economic growth and progress.
In 2015, The Economist ran a cover story exploring this potential. Yet despite blockchain’s widely acknowledged potential, practical successes have come more slowly than expected. In hindsight, the delays were predictable: distributed ecosystems lacked the protocols, standards, and agreed ways of communicating needed to transact across organizational boundaries. More recently, the World Wide Web Consortium (W3C) has published many of the needed standards and protocols that underlie what has become known as Web3. Web3 supports a new wave of multiparty digital transformation that could reshape industries.
In the Web3 ecosystem, there is an urgent need for an efficient, user-friendly way to safeguard user data privacy and to handle identity management: creating, proving, sharing, and retiring identities and the data attached to them. The W3C Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) specifications are key to ushering in an era of secure and streamlined digital interactions complemented by robust privacy-preserving techniques.
In this blog, we provide a high-level explanation of W3C DIDs and VCs. After reading the blog, you’ll be able to answer the following questions:
- What is digital identity, and what are the challenges associated with digital identity management?
- What are DIDs & VCs?
- How do DIDs and VCs unlock a self-sovereign digital identity (SSI) for Web3?
- Why should we care about DIDs & VCs?
- How and why were Citopia and the Integrated Trust Network (ITN) created?
- How are DIDs and VCs used in Citopia and the ITN?
3. Understanding Digital Identity
What is Digital Identity?
Digital identity refers to the body of information about an entity (individual, organization, or device) that exists online. This information uniquely identifies a person or entity in digital contexts, encompassing personal data, online activity, and digital attributes such as usernames, passwords, and other credentials. Digital identities are crucial in enabling interactions and transactions in the digital world, providing a way to authenticate and authorize access to digital services and platforms.
Components of Digital Identity
An entity’s digital identity comprises two main components: (1) a set of identifiers and (2) data associated with those identifiers.
- Identifiers: These are like online name tags. When you log into a digital service, you give it something unique to you, such as an email address or a username. The identifier only names you; the password or other authenticator that goes with it is what confirms that it’s really you. Today, individuals use identifiers issued by centralized authorities to identify themselves online: an email address, a passport number, a taxpayer ID, and more. For a device, this could be a serial number or an IP address. For an organization, this could be an Employer Identification Number (EIN) or a company registration number.
- Associated Data: Imagine this as the various doors your identifier can unlock. Once you’re logged in, you can access a range of functionalities and information specific to you. This data is diverse and includes:
— Your role or authority (Are you the owner of the account or just a user?)
— Personal details provided when creating the account (Date of birth, Social Security Number, home address, etc.)
— Account-specific information (Like your bank balance or transaction history in a banking app)
4. Challenges with Current Digital Identity Infrastructure
Digital identities today are predominantly controlled by centralized platforms or systems. This centralization presents several significant challenges:
Single Point of Failure: Centralized systems are vulnerable due to their reliance on a single control point. If an issue or disruption occurs at this central point, it can compromise the entire system’s functionality. This vulnerability makes such systems less resilient and more prone to outages or attacks.
Low User Autonomy: In centralized frameworks, users often have limited control over their data. These systems typically provide minimal transparency regarding how user data (including identifiers and associated data) is stored, managed, or utilized. This lack of control and visibility raises serious privacy concerns.
Lack of Interoperability: Often, centralized systems are designed to function in isolation, making inter-system communication and verification challenging. This results in digital credentials that are not easily transferable or verifiable across different platforms, creating silos and inefficiencies.
Vulnerability to Attacks: Centralized databases are prime targets for cyberattacks. A breach in such a system can lead to widespread data exposure, risking identity theft, fraud, and other malicious activities.
Beyond Centralization: Broader Implications
Across every industry, there exist hundreds of thousands of service providers and governmental agencies, each with distinct databases, processes, and regulations for managing sensitive business and consumer data. Currently, automating multiparty business processes necessitates reliance on centralized systems. However, in vast and complex networks where trust incurs significant frictional costs, these centralized solutions lack the interoperability and security needed to verify data authenticity, maintain digital perimeters, and ensure compliance with cross-border regulations.
5. Introduction to Decentralized Identity Management
A New Era of Digital Identity
In contrast to these challenges, W3C Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) standards are designed to help foster interoperability in a decentralized infrastructure. With respect to how digital identity is defined above, identifiers can now be implemented per W3C DID specifications, and any associated data can be processed in the form of W3C VCs and Verifiable Presentations (VPs). By embracing these standards, organizations can collaborate and exchange data more effectively, eliminating the need for costly and complex integrations. This shift not only addresses the vulnerabilities of centralized systems but also paves the way for a more secure, transparent, and user-empowered digital identity ecosystem.
How Decentralized Identity Works
Empowering with DIDs: Under the decentralized model, identifiers are no longer tied to a central authority. Instead, they are implemented per W3C DID specifications. This means that individuals or organizations can create and manage their own identifiers, fostering greater control and autonomy.
- Globally unique: Each DID is unique across all systems, so no two entities will have the same DID. The DID method name together with the method-specific identifier guarantees this, much as no two people can have the same email address or Social Security number
- Persistent: Once created, a DID stays the same for as long as its controller wants it to; it is not reassigned to anyone else and does not change when the keys behind it change. Note: what a controller rotates over time, for security reasons or business requirements, are the keys and service endpoints listed in the DID document, and a DID can also be deactivated and replaced by a new one when a fresh identifier is needed
- Globally resolvable: Identifiers can be used to retrieve the associated identity information from anywhere in the world. Essentially, DIDs are linked to a DID document that contains the necessary data to authenticate and verify the identity. This document can be accessed globally
- Cryptographically verifiable: Each DID is bound to public keys published in its DID document, and the controller proves control by producing a digital signature with the matching private key. A verifier resolves the DID, takes the public key from the DID document, and checks the signature, so the check does not depend on trusting a central account database. Importantly, this level of security is achieved without requiring users to understand or manage the details of the cryptographic operations: wallet software handles key generation, signing, and rotation in the background, providing a trusted and secure framework for digital interactions
- Decentralized: Identifiers are controlled by their respective owners rather than by centralized authorities
Securing with VCs and VPs: Associated data, a critical component of digital identities, is handled through VCs and VPs. These tools allow for the secure and selective sharing of data. VCs are digital documents, signed by their issuer, that attest to certain attributes or qualifications of a holder; VPs are how a holder bundles one or more VCs (or only the claims it chooses to disclose), signs the bundle with its own key, and hands it to a verifier in a form the verifier can check.
Transactions Using W3C DIDs and VCs
There are three primary roles involved in executing trusted, tamper-evident transactions within a decentralized identity system (Fig 4).
Issuer: An issuer is any entity — be it an individual, organization, or device — that issues credentials. They are responsible for asserting the claims made in the credentials and ensuring their validity
- Example: A Motor Vehicle Authority (MVA) issuing a digital driver’s license VC to an individual
- Example: An entity issuing a VC to another entity to indicate a debt or service obligation
Holder: A holder is the entity that possesses one or more VCs, typically storing them in a digital wallet. When a verifier asks for proof, the holder packages the relevant credentials (or only the parts it chooses to disclose) into a Verifiable Presentation (VP) and signs it, so the verifier can tell both that the credentials are genuine and that the party presenting them is the one they were issued to
- Example: A person who holds a digital driver’s license VC issued by the MVA. Note: The issuer, like the MVA in this example, can also be a holder of the credential, maintaining a copy for record-keeping and verification purposes
Verifier: A verifier is any entity that checks the authenticity and validity of a VC it receives in a VP. In practice that means verifying the issuer’s signature, confirming the issuer is one it trusts for that kind of claim, checking that the credential has not expired or been revoked, and checking that the holder who signed the VP is the credential’s subject
- Example: A car rental company requests to verify an individual’s current driver’s license before agreeing to rent out a car
Benefits of Decentralized Identity Systems
By utilizing DIDs and VCs, decentralized identity systems offer significant improvements over traditional, centralized models:
- Enhanced Security: With no central database of identities to breach or take offline, decentralized systems are more resilient to attacks and system disruptions. The trade-off is that the holder’s wallet and private keys become the thing to protect, so key management and recovery matter
- Increased Privacy and User Control: Users have greater control over their personal data, including how and when it is shared, thus enhancing privacy
- Interoperability: Decentralized identities are designed to be universally recognizable and verifiable, breaking down silos between different systems and platforms
6. How are DIDs and VCs used in MOBI Web3 Infrastructure (Citopia and ITN)?
MOBI’s Web3 Infrastructure is designed to facilitate tamper-evident, privacy-preserving applications using DIDs and VCs, and consists of two member-owned and -operated network layers: Citopia and the Integrated Trust Network (ITN).
The member-owned and operated ITN is a layer-two, protocol-agnostic network (digital infrastructure) built to provide trusted identity services for any digital transaction. It serves as a trusted registry for DIDs where ITN nodes create, update, and archive DIDs and anchor those DID changes on multiple DLT stacks both public and private.
Citopia is a member-owned and operated decentralized Web3 marketplace. In this marketplace ecosystem, stakeholders can securely and privately perform digital transactions across the Citopia ecosystem by leveraging ITN Core Services, VCs, and Citopia Self-Sovereign Digital Twins™ (SSDTs™). The Citopia ecosystem provides the necessary infrastructure for the Issuer-Holder-Verifier model, as shown in Figure 8.
Citopia and the ITN form a collaborative framework between two independent organizations — with neither containing complete information about any users or transactions — wherein participants can selectively disclose information for transactions at the edge. To prevent data correlation, transactions are processed as VCs on Citopia, while participants’ identifiers — DIDs — are anchored and verified on the ITN. An entity may create multiple DIDs for separate functions to further reduce the risk of data correlation. DIDs are the only things registered and stored on chains — all personal and competitive information is stored locally in the SSDT™ and remains under the owner’s control.
7. Demonstrating Decentralized Identity Management with Citopia and the ITN
Citopia and the ITN grew out of the MOBI consortium’s first pilot, on MOBI Vehicle Identity (VID), run in 2019 with BMW, Ford, GM, Groupe Renault, Honda, and VW. At that time, members had no network like the ITN on which to register DIDs for MOBI VIDs, and no marketplace like Citopia for cross-industry interoperability and VC issuance.
Since 2019, MOBI and its members have leveraged W3C DIDs and VCs in several additional pilots designed to demonstrate the efficacy of Citopia and the ITN in supporting trusted transactions with decentralized identity management. MOBI invites stakeholders across the globe to join these efforts as we collaborate to drive cross-industry adoption and scaling.
Citopia MaaS/Multimodal — Transit IDEA Project (completed March 2023)
Dealer Floorplan Audit Automation (Phase I completed February 2023)
EV Battery Track-and-Trace — Battery Birth Certificate (completed June 2022)
EU Commission — Vehicle Self-Reporting of CO2 Emissions (completed January 2022)
EV Reservation, Charging, and Payment (completed November 2021)
8. Adoption & Exploration
It’s worth emphasizing the notable strides taken in recent times toward the adoption and exploration of DIDs and VCs by stakeholders from both the public and private sectors, including various government bodies worldwide. Below are several examples of initiatives aimed at leveraging DIDs and VCs:
U.S. Department of Homeland Security (DHS): Preventing Forgery and Counterfeiting of Certificates and Licenses (Last Updated: 21 August 2023)
Digital Identification and Authentication Council of Canada (DIACC): Perspectives on the Adoption of Verifiable Credentials (Release Date: 9 May 2023)
Digital Identification and Authentication Council of Canada (DIACC): Universal Digital Identity Policy Principles to Maximize Benefits for People: A Shared European and Canadian Perspective (Release Date: 2 November 2022)
European Union Agency for Cybersecurity (ENISA): Digital Identity: Leveraging the SSI Concept to Build Trust (Publish Date: 20 January 2022)
ESSIF: The European self-sovereign identity framework (Publish Date: 2 February 2020)
U.S. Department of Homeland Security (DHS): DHS Awards $197K for Digital Credentials That Work Offline (Release Date: 14 January 2020)
U.S. Department of Homeland Security (DHS): DHS Awards $159K for Infrastructure to Prevent Credential Fraud (Release Date: 12 November 2019)
In this blog, our goal was to provide a comprehensive understanding of DIDs and VCs, emphasizing their critical benefits:
Empowering Self-Sovereign Identity in Web3: DIDs grant individuals control over their digital identities, enabling selective data disclosure, secure credential signing, and enhanced privacy.
Addressing Centralized Identity Challenges: Current identity systems are fraught with single points of failure, privacy concerns, and interoperability issues. DIDs and VCs offer a transformative shift away from these limitations.
Trust, Privacy, and Security: DIDs ensure global uniqueness, persistence, cryptographic verification, and decentralization. VCs provide tamper-evident, interoperable, and privacy-preserving digital credentials. Together, they lay the foundation for a secure, self-sovereign identity in Web3.
Government and Private Sector Adoption: Public and private sector stakeholders, including government bodies, are actively embracing DIDs and VCs, recognizing their potential to reshape diverse domains.
In an age where trust, privacy, and security hold paramount importance, DIDs and VCs are revolutionizing digital identity management and online interactions. Their ability to establish trust in a tamper-evident manner marks a profound shift in our digital landscape. These technologies offer a path toward a digital world where privacy, security, and user empowerment are at the forefront. By embracing DIDs and VCs, we collectively shape a future where digital interactions are characterized by trust, efficiency, and privacy.
Please look for future blogs on how we will be using DIDs and VCs in the MOBI Web3 Ecosystem.