
Velocity Network’s Architecture for Issuer Trust – Part 2


By: Andres Olave
Part 2 in a three-part series on governance 

Velocity Network aims to migrate career data to a three-party data exchange model with reliable data. This architecture is key to the revolution in career data that is waiting to happen. Without the three-party model, relying parties must create API integrations with a source of trusted digitized data from a single, often monopolistic, trusted issuer. Furthermore, in the majority of cases no trusted data provider exists at all, and digitizing the data requires many such API integrations, which is expensive. The fallback is what we are all personally familiar with: self-attested career and education information from LinkedIn or CVs, paper-based licenses, and emailed scanned documentation. The current model forces career and education institutions to make decisions based on completely unreliable data.

Instead, in Velocity Network, when a relying party receives verifiable credentials from a holder, the credential checks introduced in my previous article are critical to creating this step change to reliable data. To recap, those checks were digital tamper checks, validity checks, ownership checks, and issuer trust checks. The absence of any one of these checks would mean the switch to using verifiable credentials would be merely shuffling deck chairs on the Titanic of unreliable data. So Velocity Network’s major value-add is to provide a globally regulated environment for holders, issuers, and relying parties to exchange data and operate within a walled garden of trust and, therefore, reliable data.

The purpose of this article is to delve into the architecture of Issuer Trust (primarily because there is already copious material and standards relating to tamper-proofing, validity, and ownership). Within Velocity Network, the Foundation has established the architecture of Issuer Trust.

Issuer Trust checks are required to mitigate the relying party’s concern about the provenance of any credential. There are three relevant requirements to establish the provenance of the credential:

  • Proof that the credential came from the issuer
  • The issuer is the expected real-world organization
  • The issuer is an authoritative source

Proof That the Credential Came from the Issuer

Verifiable Credentials contain two properties that are relevant to establishing that a credential was issued by the Issuer.

  • An Issuer ID
  • Proof created by the original issuer signing over the data contained within the credential

To prove that the credential came from the issuer, the high-level process is to retrieve the unique public key needed to verify the issuer’s credential proof and verify that the location from which that key is retrieved is under the control of the issuer with the specified ID.

This can be met in a number of ways. In typical DID-based VC ecosystems, the issuer ID claim is a DID that contains the keys used for verifying the credential proof. In typical OpenId Connect ecosystems, key sets are housed at well-known locations pointed to by the Issuer ID, which is also a URL.

In the case of Velocity Network, the mechanism is a little more complicated because Velocity Network implements a pay-to-verify network. Unique keys are generated for each credential that is issued, and are encrypted and written to the blockchain. The keys are stored within a Velocity Network account that is controlled by a key listed on the issuer’s DID:ION or DID:WEB document.

The Issuer Is the Expected Real-World Organization

One of the first requirements for a trust model is for the Issuer (and Relying Party) identity to be trustworthy. Just as a bank needs to know that you are a real person and will perform Know Your Customer (KYC) checks, all participants in Velocity Network want to know that the issuer is real and corresponds to a real organization in the real world.

Furthermore, the organizational identities should not be able to be co-opted; the equivalent of domain squatting or Twitter (X) handle impersonation must be prevented.

Velocity Network, therefore, requires that all organizations undergo a Know Your Business (KYB) check. Only once this is complete will the organization be added to the network. The Network signs and issues an accreditation as a Verifiable Credential for the organization. This Accreditation Verifiable Credential (AVC) contains the organization’s verified profile information, such as the names and logos it is permitted to use, and more. The AVC can be hosted by the organization itself or by the Foundation on its behalf. The Trusted Issuer check ensures that the Issuer has a current AVC available that has not been revoked. The Velocity Network Registrar tracks the URL from which the latest AVC for an organization can be downloaded. If the organization closes or rebrands and the original URL is no longer applicable, Velocity Network also hosts a version on behalf of the organization.

The Issuer Is an Authoritative Source

The final element of provenance is the most complex. How does one determine if an issuer is an authoritative source for a particular credential? There are two separate requirements that Velocity Network addresses:

  • Restrict certain credential types to certain Issuers: For example, an education institution should not be able to issue a driver’s license credential
  • Restrict certain claims to certain Issuers: For example, this would cover a license credential’s authority claim or an employment credential’s employer claim

These questions will be addressed in the next and final part of our tour through Verifiable Credential Trust.