Relying Party

A DeFi lending platform is a classic relying party. It requires proof of a user's collateral ownership and creditworthiness before issuing a loan.

• Verifies: On-chain proof of asset ownership (e.g., NFT, token balance) via a wallet signature.
• Grants: Access to borrowing liquidity against the collateral.
• Example: Aave or Compound requiring a signed message proving control of a wallet with sufficient ETH to open a collateralized debt position.

A DAO acts as a relying party when gating participation based on membership or reputation.

• Verifies: Proof of token-based governance rights or a soulbound token (SBT) representing membership.
• Grants: Voting power on proposals or access to exclusive channels and treasury funds.
• Example: A DAO verifying a user holds a specific NFT to grant them voting rights on a snapshot.org proposal.

Applications using zero-knowledge proofs rely on cryptographic attestations without exposing underlying data.

• Verifies: A ZK-SNARK or ZK-STARK proof that confirms a private statement is true (e.g., "I am over 18," "My credit score is >700").
• Grants: Access to age-restricted services or preferential loan rates while preserving user privacy.
• Example: A ZK-rollup bridge that verifies a proof of funds ownership before allowing asset transfer, without revealing the full wallet history.

A bridge is a relying party that must verify asset ownership on a source chain before minting a representation on a destination chain.

• Verifies: Cryptographic proof of a burn transaction or lock event on the origin chain, often via relayers or light clients.
• Grants: A wrapped or bridged asset (e.g., wBTC, axlUSDC) on the target chain.
• Example: The Wormhole bridge verifying a lock-up event on Ethereum before minting wrapped assets on Solana.

A service that allows users to log into multiple dApps using one cryptographic identity.

• Verifies: A signed message or decentralized identifier (DID) assertion from a user's wallet (e.g., Sign-In with Ethereum).
• Grants: Seamless authentication and personalized access across partnered applications without creating new passwords.
• Example: A gaming platform using Sign-In with Ethereum to authenticate a user and load their profile and assets.

This is a specialized case where a service acts as a relying party for one process (verifying initial credentials) to become an issuer for another.

• Verifies: Proof of completion (e.g., course certificate, KYC check) from a trusted source.
• Grants/Issues: A new, verifiable credential (e.g., a soulbound attestation) that can be used with other relying parties.
• Example: A university verifying a student's government ID, then issuing a blockchain-based diploma they can present to employers.

The Relying Party must perform rigorous cryptographic verification of any presented credential. This includes:

• Checking the digital signature against the issuer's public key.
• Validating the credential's schema to ensure data structure is correct.
• Confirming the credential has not expired and is not revoked (e.g., by checking a revocation registry or status list). Failure at this stage can lead to accepting fraudulent or invalid claims.

The presentation request defines what data the Relying Party asks for. Poor design creates privacy and security risks:

• Data Minimization: Request only the specific attributes needed (e.g., "Over 21" vs. full birthdate).
• Predicate Proofs: Use zero-knowledge proofs to verify conditions without seeing raw data (e.g., "salary > $50,000").
• Selective Disclosure: Allow users to share only parts of a credential. Overly broad requests erode user trust and increase data liability.

As the endpoint for user data, the Relying Party has significant privacy obligations:

• Correlation Risk: Avoid practices that allow user tracking across sessions (e.g., using persistent, unique identifiers from credentials).
• Secure Storage: If personal data is stored, it must be encrypted and protected with the same rigor as any PII.
• Retention Policy: Define and adhere to strict data retention and deletion policies. The goal is to verify, not necessarily store.

A Relying Party's security depends on trusting the credential's source. This requires managing trust frameworks:

• Issuer Accreditation: How does the Relying Party know an issuer is authoritative? This often involves consulting a trust registry—a decentralized list of approved issuers and their credential schemas.
• Registry Integrity: The trust registry itself must be tamper-proof, often implemented on a blockchain or other verifiable data structure.
• Dynamic Trust: Policies must adapt as issuers are added or removed from trust registries.

Relying Parties are targets for specific attacks that must be mitigated:

• Replay Attacks: Prevent a valid credential presentation from being reused. This requires using cryptographic nonces and short-lived session challenges.
• Phishing & Impersonation: Ensure the user is presenting a credential legitimately bound to them, not one stolen or intercepted.
• Man-in-the-Middle (MitM): Secure the communication channel between the user's wallet (holder) and the Relying Party to prevent interception of presentation data.

For enterprise and regulated use cases, Relying Parties must maintain verifiable logs of verification events.

• Immutable Audit Trail: Record the fact of verification (e.g., a hash of the presentation), the timestamp, and the issuer's DID, often leveraging blockchain anchoring for non-repudiation.
• Regulatory Alignment: Design processes to comply with regulations like GDPR (right to erasure), eIDAS (electronic identification), or industry-specific KYC/AML rules.
• Transparency: Be clear to users about what is being verified, logged, and stored.

An Issuer is the authoritative entity that creates and cryptographically signs Verifiable Credentials. The Relying Party must trust the Issuer's authority and the integrity of their signing keys. Issuers can be governments, universities, corporations, or decentralized organizations.

• Role: Creates credentials based on proven claims.
• Trust Anchor: The Relying Party's trust in the credential is derived from its trust in the Issuer.

The Holder is the entity, typically an end-user, that possesses and controls their Verifiable Credentials. The Holder presents these credentials to a Relying Party upon request. A core principle is that the Holder maintains custody of their credentials and controls what is shared.

• Wallet: Credentials are stored in a digital identity wallet.
• Selective Disclosure: The Holder can choose to share only specific attributes from a credential.

A Verifiable Presentation is the data package a Holder submits to a Relying Party. It contains one or more Verifiable Credentials, often with a proof that the Holder genuinely controls them (a holder-binding proof). The Relying Party verifies both the credential signatures and this presentation proof.

• Purpose: Proves the Holder possesses the credentials without revealing the full credential if not needed.
• Zero-Knowledge Proofs: Can be used to create presentations that prove a claim (e.g., age > 21) without revealing the exact birth date.

A Trust Registry is a system that lists the trusted entities (Issuers) and the schema of credentials a Relying Party accepts. It is a critical component for scalable trust, allowing a Relying Party to programmatically check if an incoming credential is from an authorized source and of an expected type.

• Function: Acts as a decentralized allow-list or governance framework.
• Example: A university's credential registry listing accredited departments that can issue degree credentials.