Credential Exchange

A Verifiable Presentation is the data format used by a holder to present one or more Verifiable Credentials to a verifier. It is the package that is actually shared during an exchange. A VP:

• Bundles credentials: Can contain multiple VCs or derived data.
• Includes proof: Contains a cryptographic signature from the holder, proving they control the credentials.
• Enables selective disclosure: Allows the holder to reveal only specific claims from a credential (e.g., prove you are over 21 without revealing your exact birthdate).

Presentation Exchange is a specification that standardizes the request and submission process for Verifiable Presentations. It defines the format for a Presentation Definition (what a verifier asks for) and a Presentation Submission (how a holder responds). This protocol:

• Decouples requirements from format: A verifier can request "proof of age" without specifying a specific credential type.
• Enables rich policy: Supports complex logic (e.g., require credential A or credentials B and C).
• Reduces friction: Provides a clear, interoperable handshake between parties.

These standards define how issuers can revoke or suspend Verifiable Credentials after issuance, a critical requirement for real-world use. Common mechanisms include:

• Status List 2021: A W3C standard using bitstrings to encode revocation status for many credentials efficiently.
• Revocation Registries: Used in Hyperledger Indy/Aries, where a cryptographic accumulator (like a CL signature) is updated on a ledger.
• Smart Contract Registries: On blockchains like Ethereum, a registry contract maintains a mapping of credential IDs to their status. The choice impacts privacy, scalability, and ledger dependency.

Enables individuals to own and control their digital identities without relying on centralized authorities. Users store Verifiable Credentials in a personal digital wallet and present cryptographically signed proofs (e.g., a proof of age) without revealing the underlying document.

• Core Principle: Minimizes data exposure using zero-knowledge proofs.
• Example: Logging into a service by proving you are over 18, without disclosing your birth date or passport.

Replaces traditional username/password or API-key systems with cryptographically verifiable credentials. Permissions are granted based on attested attributes, not centralized user databases.

• Mechanism: A user presents a VC (e.g., a membership NFT or a KYC attestation) to access a gated service or smart contract.
• Application: Token-gated communities, exclusive content platforms, and enterprise software where access is tied to proven roles or qualifications.

Creates a portable, user-owned record of accomplishments, reviews, or trust scores that can be used across different platforms. This breaks data silos and allows reputation to be composable.

• Examples: A decentralized finance (DeFi) credit score, on-chain educational certificates, or contributor history from a DAO.
• Benefit: Users are not locked into a single platform and can leverage their established reputation elsewhere.

Provides an immutable, verifiable chain of custody and authenticity for physical and digital goods. Each step in a process (manufacture, shipment, sale) can be attested to with a VC.

• Key Feature: Creates tamper-evident audit trails.
• Use Case: Verifying the ethical sourcing of materials, the authenticity of luxury goods, or the ownership history of a digital asset.

Streamlines regulatory compliance (e.g., KYC/AML) by allowing users to obtain attested credentials from a trusted issuer and reuse them with multiple verifiers. This reduces redundant checks and protects user privacy.

• Process: A regulated exchange issues a zkKYC credential after verification. The user can then present a proof of this credential to other compliant services without resubmitting personal documents.

Enables the issuance and verification of professional licenses, diplomas, and certifications in a standardized, machine-readable format. These credentials are globally verifiable and resistant to forgery.

• Standard: Often built using the W3C Verifiable Credentials data model.
• Impact: Reduces administrative fraud, simplifies hiring processes, and allows for seamless credential transfer across borders and institutions.

A core privacy feature allowing users to reveal only specific attributes from a credential without exposing the entire document. This is achieved through zero-knowledge proofs (ZKPs) or BBS+ signatures. For example, proving you are over 21 from a driver's license without revealing your birth date, name, or address. This minimizes data leakage and adheres to the principle of data minimization.

The act of presenting a credential involves creating a verifiable presentation, which is a cryptographically signed package of proofs. Key proof types include:

• Zero-Knowledge Proof (ZKP): Proves a statement is true without revealing the underlying data.
• Signature Proof of Knowledge: Demonstrates possession of a valid credential signature.
• Predicate Proof: Proves attributes satisfy conditions (e.g., age >= 21). The security of the exchange hinges on the cryptographic soundness of these proofs.

Ensuring the presenter of a credential is its legitimate owner. This prevents credential theft and replay attacks. Methods include:

• Cryptographic Binding: The credential is issued to a public key controlled by the holder's Decentralized Identifier (DID).
• Holder-Initiated Authentication: The verifier challenges the holder to sign a nonce with their private key during the exchange. Weak binding is a major attack vector, allowing stolen credentials to be used by malicious actors.

A verifier must trust the issuer of the credential. Trust can be established through:

• Decentralized Trust Registries: On-chain lists of accredited issuers and revoked credentials.
• Issuer DID Resolution: Verifying the issuer's DID document and its associated public keys.
• Credential Status Checks: Querying a revocation registry (e.g., using a smart contract or a verifiable credential status list) to ensure the credential has not been revoked. Blind trust in issuer keys is a critical security failure point.

Defenses against malicious attempts to misuse credential presentations.

• Replay Attacks: Prevented by including unique nonces and timestamps in the verifier's challenge, making each presentation single-use.
• MIMT (Man-in-the-Middle) Attacks: Mitigated by using secure, authenticated communication channels (e.g., DIDComm).
• Credential Tampering: Prevented by the cryptographic integrity of the digital signature, which makes any alteration detectable.

The security of the credential lifecycle depends on secure storage and key handling.

• Holder Wallet Security: Credentials and their corresponding private keys are stored in a digital wallet. Compromise of the wallet leads to total credential loss.
• Key Custody Models: Ranges from user-managed (self-custody) to institutional custodians, each with different risk profiles.
• Secure Enclaves: High-security wallets often use hardware secure elements or Trusted Execution Environments (TEEs) to isolate private keys from the host operating system.

A Verifiable Credential is a tamper-evident digital claim issued by an issuer to a holder. It contains metadata, claims, and a digital signature that allows any verifier to cryptographically confirm its authenticity and integrity without contacting the issuer. VCs are the fundamental data model for credentials in decentralized identity systems like W3C's VC Data Model.

• Structure: Composed of metadata, credential subject, claims, and proof.
• Example: A digital driver's license issued by a DMV, containing your name, birth date, and license class.

A Decentralized Identifier is a globally unique, cryptographically verifiable identifier controlled by its subject (e.g., a person, organization, or device), not a central registry. DIDs are the foundational identifier for holders and issuers in credential exchange, enabling self-sovereign identity. They resolve to a DID Document containing public keys and service endpoints for authentication and interaction.

• Format: did:method:method-specific-identifier (e.g., did:ethr:0xabc...).
• Control: Proved via cryptographic proofs, not usernames/passwords.

A Verifiable Presentation is the data format a holder uses to present one or more Verifiable Credentials to a verifier. The holder creates the VP, which packages the credentials, potentially applies selective disclosure, and adds its own proof. This allows the holder to control what information is shared and prove they are the legitimate owner of the credentials.

• Selective Disclosure: Techniques like BBS+ signatures allow revealing only specific attributes from a credential.
• Proof of Control: The VP's signature proves the holder controls the DID to which the credentials were issued.

The Holder is the entity (person, organization, or thing) that receives, stores, and controls Verifiable Credentials and presents them as Verifiable Presentations. The holder is the central actor in credential exchange, exercising self-sovereign identity by managing their own credentials in a digital wallet. Their core functions are:

• Storage: Securely storing credentials in a wallet.
• Consent: Choosing which credentials to present and to whom.
• Presentation: Creating and signing Verifiable Presentations for verifiers.

The Issuer is the authoritative entity that creates and digitally signs Verifiable Credentials and bestows them upon a holder. Issuers are trusted sources of truth for specific claims (e.g., universities for diplomas, governments for passports, corporations for employment records). Their role is critical for establishing trust in the credential's content.

• Attestation: The issuer attests to the truthfulness of the claims in the VC.
• DID: Issues the credential to the holder's Decentralized Identifier (DID).
• Revocation: May maintain a revocation registry to invalidate issued credentials.

The Verifier is the entity that requests and verifies Verifiable Presentations from a holder. Their goal is to assess the authenticity and validity of the presented credentials to grant access, authorize a transaction, or fulfill a compliance requirement. Verification involves checking:

• Cryptographic Proofs: Validating the digital signatures of the issuer and holder.
• Credential Status: Checking the credential has not been revoked.
• Policy Compliance: Ensuring the presented claims satisfy their specific business rules.

Example: A website verifying a user is over 18 using a government-issued credential.