
Verifiable Credentials on the Blockchain - theyblinked
https://medium.com/learning-machine-blog/blockchain-credentials-b4cf5d02bbb7#.6wrigzdjr
======
toomim
> Our goal is to help create an entirely new environment where individuals are
> the custodians of their official records and can easily share those records
> with others.

It doesn't look like they actually need a blockchain for this. They just need
an archive of signed documents. They could use a website, or IPFS.

Blockchains are hot right now, but they solve a very specific problem: finding
consensus on a history of transactions. If you need to prove that a document
was signed at a certain point in history, then a blockchain can help. But you
don't need one for any of the examples given in this proposal, such as hosting
student transcripts.

~~~
jbpetersen
Without a history all it takes is one leaked key to invalidate all credentials
from a given source.

There are no guarantees against credentials being tampered with whenever a new
version of that source is established.

~~~
grey-area
They could sign with multiple keys, some offline.

Bitcoin also offers no strong identity verification.

------
theyblinked
An open source blockchain technology project...

Digital Certificates Project
[http://certificates.media.mit.edu](http://certificates.media.mit.edu)

What we learned from designing an academic certificates system on the
blockchain [https://medium.com/mit-media-lab/what-we-learned-from-
design...](https://medium.com/mit-media-lab/what-we-learned-from-designing-an-
academic-certificates-system-on-the-blockchain-34ba5874f196#.kr7ptdyka)

A DSM for Achievement [https://medium.com/learning-machine-blog/a-dsm-for-
achieveme...](https://medium.com/learning-machine-blog/a-dsm-for-
achievement-9e52fd881428#.4rv2z0cx1)

The Learning Machine blog [https://medium.com/learning-machine-
blog](https://medium.com/learning-machine-blog)

------
RyJones
The Hyperledger Identity Working Group is using these [0] principles of self
sovereign identity for guidance. ChrisJ also presented some of his thoughts on
a block chain passport [1] from a while ago. Interesting space.

[0] [https://github.com/ChristopherA/self-sovereign-
identity/blob...](https://github.com/ChristopherA/self-sovereign-
identity/blob/master/ThePathToSelf-SovereignIdentity.md) [1]
[https://github.com/MrChrisJ/World-
Citizenship](https://github.com/MrChrisJ/World-Citizenship)

------
tzm
Excellent project. I think identity and trust are pending issues that need to
be explored, perhaps with self-sovereign identity[1]. Curious to see how this
project evolves.

Fwiw, I've been working on a digital credentialing system for
education/training and have testing blockchain notarization. I was aware of
this project and very happy to see it release.

[1] [http://www.lifewithalacrity.com/2016/04/the-path-to-self-
sov...](http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-
identity.html)

------
tobz
Ha! I was working on this very concept for a hackathon at work (edX) as a way
to think about the future of credentials / authenticity for students taking
ad-hoc courses.

It's really cool to see others working on this sort of thing. One of the
questions I saw, about identity, reminded me of an idea I had to solve this
very problem.

The hardest part about putting this stuff on the blockchain is that you need
to be able to prove that a transaction (containing your credential metadata)
that went to address A is an address you own, that you can sign for. Like the
credential proof itself, an easy way to associate ownership is to put some
hashed metadata in a transaction, sent from the address you intend to prove
you own.

This was the hardest part to do, IMO, in a way that is both high-assurance and
low complexity. Since academic credentials are most often checked for
employment, I thought that maybe using metadata that you wouldn't normally
share with anyone except for an employer (like social security #) would be
reasonable. Define a list of secret-ish values, define a specification for
what values are valid, how to order and format that, and how to generate a
hash from it. This way, third-parties are able to independently verify things
so long as they can get the values from you.

If you wanted to prove to a third-party that you, in fact, are the person
(bitcoin address) you say you are, you'd give them the shared bits of
information, they would hash it, and then check all the bitcoin transactions
and stitch together the web of trust that establishes your credentials. The
intention being that you wouldn't normally be compelled to fake credentials
for someone else -- take classes and then let them subsume the credit --
because it would involve more than just letting them assume your name, you'd
have to give them sensitive values like SSN, etc.

Other ideas included something like a standardized format for fingerprint
data, or something biometric -- very hard to easily replicate or steal -- as a
way to more closer tie the person to their address.. but I couldn't seem to
find anything that provided such a standard, and since giving blood or
fingerprints is kind of an uneven exchange.. never went down that avenue.

I'd really love to see some sort of solution to this.

~~~
rhyzomatic
I must be missing something here, but why not just go with a challenge-proof
type scheme? Something like

1\. You want to prove to $PotentialEmployer that you own address A which has
necessary credentials.

2\. $PotentialEmployer sends you a random string.

3\. You sign it with the private key of address A and send them the proof.

4\. $PotentialEmployer verifies the signed string.

If the employer has this proof and can see in the metadata that it's your name
and date of birth (or whatever), wouldn't that be enough?

~~~
tobz
The idea was that, for the lowest common denominator of "hmm, what was your
GPA/degree/whatever?", it's easier to give bits of more-or-less secret
information than to do a challenge response on the spot.

Everything was about leaving the institutions granting credentials / third
parties who consume the blockchain data to handle the technical bits, while an
employer or potential employee only had to know where to go and what secret
values to use.

I suppose this could be wrapped up in a simple app or something, but I was
going for bulletproof-ish. It's easy to remember a social security number,
full name, etc. It persists through broken laptops and smartphones.

------
deftnerd
This is exciting to me. About 3 years ago, I won 250k at the Texas Bitcoin
Conference hackathon for this basic concept. I built the platform but then the
angel investor that was funding the award changed his mind and backed out
because he said there wasn't a market already existing for it and that it was
a hard elevator pitch.

I sat on the code for years. Oddly enough, in the last month I've been
approached by 4 companies asking if I could build them pretty much the same
thing so I've brushed off the code and I'm making it so the certified facts
about people can be available to DAO's on Ethereum through oracles.

This doesn't need to be on a blockchain. As toomim notes, it would be better
as just a signed document. I stored all my data in a big json document for
every user, sometimes multiple times with different levels of encryption.

Most people found that the best way to access the data was with an OAUTH2
gateway. It would allow any kind of website to ask the user to connect their
credential gateway to determine if the user could use the site. For instance,
an adult site could require a user login with OAUTH2 in order to know that the
user is over 18. The user could see in the login dialog what information was
being requested. There were tons of potential markets [1]

The biggest market I found in all my research was with veterans. Whenever they
go to non-profits or social service agencies for help, their military records
are requested from the DOD and its a process that takes 4 to 6 weeks. The non-
profits were more than happy to receive the records and then digitally sign
the results so future service agencies could just query the system. When one
agency who provides rental assistance says "Trust me, I verified that John Doe
is a veteran with service between 1995 and 2005 who was honorably discharged,"
a future foodbank he might visit believes it.

Data brokers are scum and this kind of system is the best way to put them out
of business and remove false data associated with individuals.

[1] potential markets I discovered:

* Dating sites who want to make sure that users are really in a region, a certain gender, have a certain income, don't have criminal records, etc

* job search sites who wanted to be able to let users pre-vet their employment history for possible employers

* digital currency services who had to do KYC or verify someone wasn't in a certain area

* adult or gambling sites that need to verify ages and/or jurisdictions

* newspaper sites who wanted to cut down on comment spam

* investing sites that needed to make sure that individuals met the accredited investor criteria

* fundraising sites that wanted to make sure people raising funds were who they said they were and that they didn't have a history of fraud

A few dozen more.

~~~
MWil
I'm glad I found this comment

I work for a legal nonprofit and one of our trade associations is helping me
with my plan to run a veterans hackathon and your idea definitely rings true

------
wille92
Code can be found here [https://github.com/digital-
certificates](https://github.com/digital-certificates)

------
vessenes
This is actually very cool; nice work. MIT has a long history of identity
security work, so it's fun and appropriate to see this published.

