How it works

Paradym makes it easy to automate your digital identity workflows. The platform was created to make it more accessible for developers to build solutions that use new privacy-preserving technologies and standards to exchange data. Using Paradym, your application can easily issue or verify verifiable credentials, with the purpose of making the application more secure and/or user-friendly.

Digital Identity

In itself, digital identity is definitely not a new concept. For as long as people have been communicating over the internet, there has been a need to verify attributes digitally. Your digital identity is a collection of the digital accounts, credentials, and attributes that are connected to you as a person existing in this world.

On the one hand, digital identity is something people often work to protect. Data privacy, data collection regulations, and other digital privacy protections are set in place by governments, organizations, and companies to protect digital identities. On the other hand, people often work on sharing digital identities, as they are essential for verifying identity, or the authenticity of certain claims, in the digital world. Balancing the protection of digital identity against sharing it easily is a complex decision for many application builders.

In the past few years new technologies that facilitate the verification and management of digital identities have been getting more popular. The Self-Sovereign Identity (SSI) movement has come up as an increasingly popular way to think about digital identity. SSI promotes the idea that individuals should have full control over their own digital identities, allowing them to manage and share personal information securely, and without reliance on a central authority. Over the years this viewpoint has become the base of a large ecosystem of frameworks, standards, protocols and solutions that enable its technical realization. Paradym is built using some of these frameworks, and supports some of these standards and protocols.

In short, the newest wave in digital identity development is geared towards enhancing privacy, security, and user experience in all types of applications by using verifiable credentials to prove digital identity claims. Paradym functions as an abstraction layer for this: the platform is used to build and host workflows for verifiable data exchange, which can then be used at the application layer.

Verifiable Credentials

Verifiable credentials are digital attestations that enable people to prove and share information in online interactions. They are digital credentials, often stored in a person's or organization's digital wallet, that contain proof about some element.

A one-to-one comparison is often made with physical credentials. The same way you would store your physical ID, driver's license, gym membership card, etc. in your physical wallet, you could store your digital ID, driver's license, gym membership card, etc. in your digital wallet. It is important to note that with verifiable credentials, a person doesn't just have a copy of, or access to, their identity proof: they store and manage the actual proof, which contains the information that others can use to verify its authenticity and validity.

A verifiable credential contains information (often about the holder of the credential). It follows a set structure called a schema, ensuring that different verifiable credentials have a common format. The verifiable credential is created based on a set of rules, a credential definition, which functions like a blueprint, ensuring consistency. The credential also includes a digital signature, like a seal, created by the issuing party using their decentralized identifier (DID). This signature acts as proof that the information in the verifiable credential is accurate and hasn't been tampered with. So, when you share the verifiable credential online, others can verify that it's genuine and hasn't been altered.

Issuers, Holders and Verifiers

Interactions, when it comes to verifying proofs, always tend to follow the same pattern between an issuing party, a verifying party and a holding party. This pattern, called the triangle of trust, shows the relationship between these parties wanting to exchange information.

The holder is the entity that holds the credentials, often in a digital wallet. Credentials are issued to the holder, who can then use them to prove claims about themselves. Most often the information in the credentials is in some way about the holder (think about things you would need to prove, like your income, ownership, nationality, licenses, etc.) but there are cases where a holder would need proof about something or someone else. Holders do not have to be natural persons, for example a holder could be an organization holding information about their business and transactions.

An issuing party is an entity that issues credentials to a holder. The issuing party should be in some way capable of issuing these credentials, like a university issuing course completion credentials or a store issuing receipts. In most cases the issuing party has created the schema used to create the verifiable credential, because the schema determines which attributes need to be in a credential and how the credential looks in user interfaces.

The verifying party is the entity that wants to request and/or verify information about the holder. The verifying party sends the holder a proof request, and the holder can share a presentation of their proof in return. Within the proof request, the verifier sends a proof template that defines what data they want to verify and how. A presentation of a proof from the holder could be the data from a verifiable credential, it could be a selection of the data, or it could have no identifying data at all through a zero-knowledge proof.

Digital Wallet

A digital wallet is a secure digital environment where digital assets are stored and managed. Think for example of a password manager, Apple/Google wallet, or crypto wallets. In the case of digital identity, the digital identity wallet is what stores digital identity information, in this context in the form of verifiable credentials. A digital identity wallet could range all the way from an app on a person's phone where they collect and manage the personal credentials issued to them, to a system that stores an organization's many credentials.

In the Paradym platform we often use the Paradym digital identity wallet to store the holder's verifiable credentials. The Paradym wallet is open source and free to use. It is a mobile wallet, which means it stores credentials on the holder's device. Digital identity wallets that store credentials in the cloud instead of on the holder's mobile device are called cloud wallets.

Selective Disclosure

The use of verifiable credentials enables some interesting and powerful options when it comes to sharing data. One of the reasons you might want to utilize verifiable credentials is because you could use selective disclosure or zero-knowledge proofs in your solution.

Selective disclosure refers to the disclosure of only select information on the attribute level. So although a credential with many attributes has been issued to the holder, only a selection of those attributes is shared during verification. For example, when using their driver's license to prove their age, a person could show only the data relevant to the question (like photo and birthdate) and leave out other information stored in the same credential (like the types of vehicles they can drive, or in some countries: their address). Selective disclosure is a powerful tool for both holders and verifiers to limit the data shared. There are many methods to achieve selective disclosure depending on the context of the specific cryptographic scheme. Existing cryptographic schemes for selective disclosure are SD-JWT (Selective Disclosure JSON Web Tokens) and Selective Disclosure via BBS+ Signatures. Credential formats with selective disclosure include AnonCreds and W3C credentials.
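The salted-digest mechanism that SD-JWT uses for selective disclosure, applied to the driver's license case above, is sketched below as an added example (not Paradym code). Assumptions: an HMAC key stands in for the issuer's asymmetric DID key, the JWS envelope and holder key binding are left out, and all claim names and values are constructed.

```python
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-demo-key"  # stand-in: a real issuer signs with an asymmetric key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def digest(disclosure: str) -> str:
    # SD-JWT digest: base64url(SHA-256(encoded disclosure string))
    return b64url(hashlib.sha256(disclosure.encode()).digest())

def sign(payload: dict) -> str:
    # HMAC over canonical JSON replaces the JWS signature in this sketch
    body = json.dumps(payload, sort_keys=True).encode()
    return b64url(hmac.new(ISSUER_KEY, body, hashlib.sha256).digest())

def issue(claims: dict):
    """Issuer: one salted disclosure per claim; only the digests are signed."""
    disclosures = {
        name: b64url(json.dumps([b64url(secrets.token_bytes(16)), name, value]).encode())
        for name, value in claims.items()
    }
    payload = {"_sd": sorted(digest(d) for d in disclosures.values()), "_sd_alg": "sha-256"}
    return payload, sign(payload), disclosures

def present(disclosures: dict, reveal: list) -> list:
    """Holder: forward only the disclosures for the requested attributes."""
    return [disclosures[name] for name in reveal]

def verify(payload: dict, signature: str, presented: list) -> dict:
    """Verifier: check the signature, then match each disclosure to a signed digest."""
    if not hmac.compare_digest(sign(payload), signature):
        raise ValueError("issuer signature invalid")
    revealed = {}
    for d in presented:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        revealed[name] = value
    return revealed

# Constructed sample license: the holder reveals only birthdate and photo
payload, sig, disclosures = issue({"birthdate": "1990-04-12", "photo": "photo-ref-1",
                                   "vehicle_classes": ["B"], "address": "1 Example St"})
shown = verify(payload, sig, present(disclosures, ["birthdate", "photo"]))
print(shown)
```

The per-claim random salt is what stops a verifier from guessing hidden values by hashing candidates. The number of digests still reveals how many claims exist, which the SD-JWT specification addresses with optional decoy digests.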

Predicates and Zero Knowledge Proofs

Predicates and zero-knowledge proofs are both concepts used in the context of selective disclosure but they serve different purposes and operate at different levels of the identity system.

Predicates are logical expressions created by a verifier to define conditions for identity attributes. These conditions can then be evaluated by verifiers to determine whether claims are true without revealing the actual attribute values. In this method, the verifier creates a condition or set of conditions (e.g. to receive a certain concert ticket, an individual must be 21+ and have a VIP membership) and can evaluate it during the proof exchange without revealing the actual attribute values.

Zero-knowledge proofs (ZKPs) are cryptographic protocols that allow the holder to prove to the verifier that they know a certain piece of information without revealing the actual information itself. Zero-knowledge proofs are used to authenticate identity attributes without disclosing the attributes themselves. They focus on proving the authenticity of claims and operate at the cryptographic layer.

Credential Template

A credential template is needed if you want to issue a credential. The template defines the characteristics of your credential, as well as the attributes that it will contain. Once created, a template can be used to issue as many credentials as you want. In the case that GreatUniversity wants to issue digital proofs of graduation, they might create a MasterDiploma template containing fields for the grade, field of study and graduation date to issue to a student.

Presentation template

Assuming that MegaCorp wants to verify a Master Diploma from a future employee, a presentation template defines exactly what elements should be asked of the future employee by MegaCorp, like the grade and the university. A presentation template is defined by the verifier of the information to determine what attributes and/or information the holder of the information should present as proof.

Once created, a template can be used to request as many presentations as you want. In Paradym you can create presentation templates for verifying SD-JWT credentials over OpenID4VC in the UI and through the API.

Decentralized Identifiers (DIDs)

Decentralized Identifiers (DIDs) are cryptographically verifiable identifiers. When you issue a credential in Paradym it will be signed using a DID, which can be configured when creating a credential template. You can share your DID with verifiers, which allows them to ensure the credential was issued by you or your organization. This identifier is unique and can only be used by you to issue credentials.

Revocation

Coming soon.

Selective Disclosure JSON Web Token Verifiable Credentials (SD-JWT VCs)

Coming soon.

OpenID for Verifiable Credentials (OpenID4VC)

Coming soon.