Steve Magennis
Founder, Polywug
Established Trust Ecosystems
Jan 12, 2021
As an issuer it is important that credential recipients (verifiers) trust that the statements (claims) in the credential are consistently factual, reliable and accurate. From the perspective of the verifier, it is important that they be able to assess these traits quickly and easily. If issuer and verifier have had time to build a trusted history together, they can make these judgements very efficiently. In situations where building individualized trust over time is not possible or simply not practical due to inefficiency, scale, distance or other factors, established trust ecosystems can play an important role in facilitating trust between parties wishing to transact with one another. Established trust ecosystems can enable trust to scale across transaction volume, geography and time.
Trust Ecosystems are Everywhere
Trust ecosystems help ensure that authoritative statements, or claims, made by parties in a business or government context adhere to standards of quality, accuracy and authority. It is generally the intention that these standards ensure levels of consistency and quality from those making claims and that the standards will be broadly recognized by the people and institutions that interact with those making the claims. When both of these conditions are met, a higher level of trust can exist between the parties and across their interactions, and transactions.
Trust ecosystems exist in just about every imaginable segment of society such as manufacturing, finance, trade logistics and education.
Trust ecosystems encourage participants to employ recognized standards, practices and controls. Doing so allows the participants to make statements about quality, safety and integrity that are meaningful to and trusted by their customers and partners. Ecosystems attempt to achieve this in a variety of ways that can include vocal industry leadership, formal governance requirements, certifications, auditing, indemnification and legislation. By working diligently to sustain trust among relevant communities, trust ecosystems permit participants that align with the terms set forth by the ecosystem to share in the collective trust of the network.
The Message and the Medium
Introducing verifiable credentials and the trust triangle model (issuer, holder and verifier) into an organization’s operation introduces new roles, protocols and controls that are specific to working with claims, identity and verifiable credentials. It is important though to distinguish the message from the medium. As groundbreaking as the technology is, it is the claim itself, conveyed through the medium of the technology, that matters. It is easy to get caught up and focus on cryptographic assurances or data portability and overlook the mechanisms that are available to ensure the value of the message that ultimately finds its way to a verifier.
Verifiers, especially those that have limited direct experience with a credential issuer, need strong evidence of the credibility and authority of the issuer making claims. Fortunately, the technology can provide such evidence when used in conjunction with reputable trust ecosystems.
Incorporating Trust over IP into Established Trust Ecosystems
The technology and protocols behind verifiable credentials and the trust triangle model allow a verifier to be certain of who issued a claim presented to them. They can also be certain that the claim they receive has not been adulterated between the time it was issued and the time they receive it.
If a verifier already trusts that an issuer is reputable and is known for providing quality and accurate claims then the verifier can be satisfied as to both the medium and the message upon accepting a verifiable credential presented to them.
When a verifier does not have the benefit of having established trust in an issuer, evaluating the message component of the transaction becomes more complex.
In this situation, in order to conclude that claims contained in a credential are accurate and authoritative, a verifier should start with a strong appreciation of the type and magnitude of exposure they might take on should they accept the claim. For example, accepting a claim of ‘lucky lotto number picks’ from an unknown issuer would present the verifier with very little exposure should they choose to purchase a lotto ticket using said lucky numbers. Accepting a claim from an unknown issuer to make a decision about the safety of a shipment of insulin by contrast, could expose a verifier to significant amounts of financial, legal, moral and reputational risk.
The importance of understanding the integrity of the issuer making a claim can range from trivial to critical when weighed against the potential risks and liability a verifier can be exposed to. For situations other than those considered trivial, the verifier should weigh at least two factors against their evaluation of risk:
- Access to a system of legal recourse should something go wrong
- The availability of trusted evidence indicating that the issuer can be trusted in making the claims they have made
Legal systems should always be considered a backstop and a last resort. Having access to such a system, however, goes a long way towards preventing the need to ever have to take advantage of it. Conveying trust evidence is where cryptography and credentials stand out.
Surfacing Trust Evidence
‘Bona fides’ can be attached to verifiable credentials as a way of supporting the claims made by an issuer. This in effect tells the verifier that they don’t have to personally know or trust the issuer of the claim so long as they know or trust the person or institution that vouches for the integrity of the issuer. It is important to recognize that the bona fides reflect the issuer, NOT typically an individual credential or claim. In other words, the bone fides may certify that an issuer has implemented critical processes and controls, passed performance criteria, had audits performed, etc., but will not (typically) be an indication that the certification authority has reviewed and approved any particular claim or credential.
In the physical world trust authorities deal in trust marks, certification labels, registries and other media as a means of vouching for the integrity, quality or accuracy of a party making claims. Verifiable credentials can be used in exactly the same way by trust ecosystems. Trust marks, certifications, etc., can be issued to an issuer so they can bind it to the credentials and claims they make.
Verifiable credentials have distinct advantages over legacy techniques in that recipients (verifiers) can, at the point of transaction and without involving any of the issuing parties, be certain:
- Who the certifying authority is
- Who the issuer is
- That the certification (claim) has not been altered.
Additionally, certification can be made conditional and as granular as necessary, allowing for scenarios that apply certification within specific time limits, apply only to very specific types of claims, are valid only in the presence of other certifications, etc. This makes fraudulent activity much more difficult to perpetrate and permits trust brands to ‘vouch’ at an appropriate level of granularity or under appropriate conditions.
Trust credentials may be bound to another credential at the time it is issued or can simply be made available on demand as proof that the issuer is aligned and in good standing with a trusted ecosystem.
Chain of Trust
In certain use cases, credentials that represent a trust mark, bona fides, or other representation of trust may themselves need to be part of a chain of trust. A verifier may not know or trust either the issuer, or the institution that provided the issuer with a trust mark. When this happens either the verifier needs to assume additional risk in a transaction or the credential must include a chain of trust.
Using the example of a model educational trust ecosystem, if an employer (verifier) is presented a graduation certificate issued by University C, the employer could only evaluate the quality of the graduation claims based on their direct trust of the school since the school has self-asserted its standing to be a university. University A and B by contrast can issue a graduation certificate that is backed by a verifiable credential from an Educational Accreditor. If for some reason the employer (verifier) does not recognize the Educational Accreditor, they may recognize and trust the educational governing authority (e.g., USDE, CHEA) which resides higher up the trust chain.
The trust chain may be as long as needed, ultimately ending with a government and corresponding legal system or simply a self-assertion as a root of trust. The lesser the aggregate amount of direct experience between issuer and verifier in any domain, the more likely it is that a longer trust chain would be needed to satisfy the participants and keep a use case viable. Marketplace scenarios that involve large numbers of issuers or large numbers of participants that alternate between the role of issuer and the role of verifier for example may need to surface longer trust chains.
Potentially, trusted third parties could indemnify issuers directly, thereby limiting the length of the chain and the complexity of the verification process. In practice, many use cases will fit within well-defined domains where there is a relatively small number of trusted issuers that are generally known to most or all of the use case participants, thereby also limiting the need for lengthy chains.
Chain of Authority
A chain of authority is similar to a chain of trust but rather than focusing on processes and controls that ensure the content of a claim made by an issuer is trustworthy, this concept focuses more specifically on the authority:
- An issuer has to make a claim
- A verifier has to demand a claim
- A verifier has to perform actions based on a claim
Much like trust evidence, a claim of authority can be bound to a verifiable credential, can exist separately or even be combined with a claim of trust depending on the use case.
Using a state driver’s license as an example, there are some locations where a person can obtain a ‘government issued’ physical license complete with ID photo through an independent commercial business. The business in this scenario is an issuer authorized by the state Department of Motor Vehicles (DMV) to act on their behalf, to perform certain functions and collect fees. The authorized business commits itself to follow standards and protocols set by the DMV and is permitted to perform select tasks under their authority and oversight. The DMV operates as a department of the state government, which in turn operates within the larger context of the federal government.
Each entity in the chain (ultimately) gets its authority to perform certain functions from a superseding entity until the root authority is reached (e.g., federal government). The root authority proclaims and maintains their authority on their own.
In this example it is important that the driver seeking a license knows the commercial business office is authorized by the DMV. The business needs to know the DMV operates as part of the State government, and has the authority to permit their business to act on behalf of the state. A traffic officer presented with a license obtained in this way would need to be aware of the authority of the foregoing as well.
In the physical world, proclamations, contracts, branding and communications all operate together to make this work. In the world of verifiable credentials, claims that bestow authority for parties to perform certain tasks or actions can be used instead, enabling a decentralized means of ensuring participants of the integrity of the process.
The Special Case of Credentials for Identity and Identity-Proofing
Verifiable Credentials that establish identity or certify identity proofing are a special case. Identity in one form or another underpins all Verifiable Credentials. Credentials representing an identity specifically (as opposed to credentials that represent a concert ticket, shipping container, employment, etc.) may become the foundation for portable claims of identity that can be used across a wide range of use cases and verification scenarios. As such, there are organizations developing frameworks for identity assurance that is specifically tied to their use with verifiable credentials and based on work across multiple industry segments.
Established trust ecosystems, especially those related to legal and finance, have put a great deal of effort into defining for their purposes, what an identity must be composed of and what is necessary to ‘prove’ that the identity represents the individual that claims it. NIST 800-63-3, PCTF and eIDAS, are all examples that discuss criterion for standardized levels of identity assurance and identity proofing. These standards describe actions that must be undertaken by the issuer and that are expected to be understood by the holder and verifier as a means of evaluating identity with various levels of certainty