Let's Start from the Beginning
Paradym makes it easy to automate your digital identity workflows. The platform was created to make it more accessible for developers to build solutions that use new privacy-preserving technologies and standards to exchange data. Using Paradym, your application can easily issue or verify verifiable credentials, with the purpose of making it more secure and/or user-friendly.
Digital Identity
In itself, digital identity is definitely not a new concept. For as long as people have been communicating over the internet, there has been a need to verify attributes digitally. Your digital identity is a collection of the digital accounts, credentials, and attributes that are connected to you as a person existing in this world.
On the one hand digital identity is something people are often working on protecting. Data privacy, data collection regulations, and other digital privacy protections are set in place by governments, organisations, and companies to protect digital identities. On the other hand people are often working on sharing digital identities, as they are essential for verifying identity, or the authenticity of certain claims in the digital world. The balance between protecting digital identity and sharing it easily is a complex decision for many application builders.
In the past few years new technologies that facilitate the verification and management of digital identities have been getting more popular. The Self-Sovereign Identity (SSI) movement has come up as an increasingly popular way to think about digital identity. SSI promotes the idea that individuals should have full control over their own digital identities, allowing them to manage and share personal information securely, and without reliance on a central authority. Over the years this viewpoint has become the base of a large ecosystem of frameworks, standards, protocols and solutions that enable its technical realisation. Paradym is built using some of these frameworks, and supports some of these standards and protocols.
In short, the newest wave in digital identity development is geared towards enhancing privacy, security, and user experience in all types of applications by using verifiable credentials to prove digital identity claims. Paradym functions as a abstraction layer for this, the platform is used to build and host workflows for verifiable data exchange, which can then be used at the applications layer.
Verifiable Credentials
Verifiable credentials are digital attestations that enable people to prove and share information in online interactions. They are digital credentials, often stored in a person or organisations digital wallet, that contain proof about some element.
A one-to-one comparison is often made with physical credentials. The same way you would store your physical ID, drivers license, gym membership card, etc. in you physical wallet, you could store your digital ID, drivers license, gym membership card, etc. in your digital wallet. Important to note is that with verifiable credentials, a person doesn't have a copy of, or access to their identity proof. They store and manage the actual proof, which contains the information that others can use to verify its authenticity and validity.
A verifiable credential contains information (often about the holder of the credential). It follows a set structure called a schema, ensuring that different verifiable credentials have a common format. The verifiable credential is created based on a set of rules, a credential definition, which functions like a blueprint, ensuring consistency. The credential also includes a digital signature, like a seal, created by the issuing party using their decentralized identifier (DID). This signature acts as proof that the information in the verifiable credential is accurate and hasn't been tampered with. So, when you share the verifiable credential online, others can verify that it's genuine and hasn't been altered.
Issuers, Holders and Verifiers
Interactions, when it comes to verifying proofs, always tend to follow the same pattern between an issuing party, a verifying party and a holding party. This pattern, called the triangle of trust, shows the relationship between these parties wanting to exchange information.
The holder is the entity that holds the credentials, often in a digital wallet. Credentials are issued to the holder, who can then use them to prove claims about themselves. Most often the information in the credentials is in some way about the holder (think about things you would need to prove, like your income, ownership, nationality, licenses, etc.) but there are cases where a holder would need proof about something or someone else. Holders do not have to be natural persons, for example a holder could be an organisation holding information about their business and transactions.
An issuing party is an entity that issues credentials to a holder. The issuing party should be in some way capable of issuing these credentials, like a university issuing course completion credentials or a store issuing receipts. In most cases the issuing party has created the schema used to create the verifiable credential, because the schema determines which attributes need to be in a credential and how does credential look in user interfaces.
The verifying party is the entity that wants to request and/or verify information about the holder. The verifying party sends the holder a proof request, and the holder can share a presentation of their proof in return. Within the proof request, the verifier sends a proof template that defines what data they want to verify and how. A presentation of a proof from the holder could be the data from a verifiable credential, it could be a selection of the data, or it could have no identifying data at all through a zero knowledge proof.
Digital Wallet
A digital wallet is a secure digital environment where digital assets are stored and managed. Think for example of a password manager, Apple/Google wallet, or crypto wallets. In the case of digital identity, the digital idantity wallet is what stores digital identity information. In this context in the form of verifiable credentials. A digital identity wallet could range all the way from an app on a person's phone where they collect and manage the personal credentials issued to them, to a system that stores an organisations many credentials.
In the Paradym platform we often use the Paradym digital identity wallet to store the holders verifiable credentials. The Paradym wallet is open source and free to use. It is a mobile wallet, which means it stores credentials on the holders device. Digital identity wallets that store credentials in the cloud instead of on the holders mobile device are called cloud wallets.
Standards and Protocols
There are many ways to create and exchange verifiable credentials, involving many specific credentials, standards, protocols and framewoks. Data models determine the structure of verifiable credentials, standards define guidelines for how certain processes and structures should be implemented and protocols define practical procedures for issuing, presenting and verifying credentials. All layers come into play when building a solution that uses verifiable credentials.
Cryptographic Signatures
Cryptographic signatures are a fundamental component of protocols that dictate how verifiable credentials are issued by issuers and verified by verifiers. Although the use of cryptographic signatures typically falls within the layer of protocols, the standards or data model often specify the use of signatures within the protocols they define.
Selective Disclosure
The use of verifiable credentials enables some interesting and powerful options when it comes to sharing data. One of the reasons you might want to utilize verifiable credentials is because you could use selective disclosure or zero-knowledge proofs in your solution.
Selective disclosure refers to the disclosure of only select information on the attribute level. So although a credential with many attributes has been issued to the holder, only a selection of those attributes is shared during verification. For example, when using their drivers license to prove their age, a person could only show the relevant data to the question (like photo and birthdate) and leave out other information stored in the same credential (like the types of vehicles they can drive, or in some countries: their address). Selective disclosure is a powerful tool for both holders and verifiers to limit the data shared. There are many methods to achieve selective disclosure depending on the context of the specific cryptographic scheme. Existing cryptographic schemes for selective disclosure are SD-JWT (Selective Disclosure JSON Web Tokens) and Selective Disclosure via BBS+ Signatures. Credential formats with selective dislosuere include AnonCreds and W3C credentials.
Predicates and Zero Knowledge Proofs
Predicates and zero-knowledge proofs are both concepts used in the context of selective disclosure but they serve different purposes and operate at different levels of the identity system.
Predicates are logical expressions created by a verifier to define conditions for identity attributes. These conditions can then be evaluated by verifiers to determine whether claims are true without revealing the actual attribute values. In this method, the verifier creates a condition or set of conditions (eg. to recieve a certain concert ticket, an individual must by 21+ and have a VIP membership) and can evaluate it during the proof exchange without revealing the actual attribute values.
Zero-knowledge proofs (ZKPs) are cryptographic protocols that allow the holder to prove to the verifier that they know a certain piece of information without revealing the actual information itself. Zero-knowledge proofs are used to authenticate identity attributes without disclosing the attributes themselves. They focus on proving the authenticity of claims and operate at the cryptographic layer.