How Verifiable Credentials Bridge Trust Domains

Timothy Ruff
7 min read · Jul 14, 2020
CREDIT: © David Noton Photography / Alamy

This is part 3 of a 3-part series:

Part 1: Verifiable Credentials Aren’t Credentials. They’re Containers.

Part 2: Like Shipping Containers, Verifiable Credentials Will Economically Transform the World

Part 3: How Verifiable Credentials Bridge Trust Domains

TL;DR:

  • Most organizations aren’t digitally connected to one another, creating “trust domain” barriers that are slow, manual, and expensive to traverse.
  • Similar to shipping containers, Verifiable Credentials (VCs) can bridge trust domains between and within organizations, by using you as their courier.
  • The potential ramifications of transitive trust with rapid verifiability are endless, once the boundaries between trust domains for many of today’s friction-filled interactions all but disappear.

The Barriers VCs Can Bridge: Trust Domains

Today, if you’re applying for a loan at your financial institution (FI) and need to prove your employment, how can you do so digitally, instantly? You can’t, in most cases. Why? Because it’s not feasible for every FI to have a direct, digital connection to every possible employer they may need data from. The same boundaries exist between schools, when a student transfers and desires to receive credit for classes taken: it’s untenable for every school to have a direct connection to every other school.

This leaves FI’s, employers, schools and other organizations in separate, unconnected trust domains, unable to directly exchange trusted data and reliant on manual processes, often through third-party data brokers acting as intermediaries. Exchanging data between trust domains today is analogous to the manual, labor-intensive “break-bulk” process used for millennia for all global trade prior to shipping containers, and is similarly slow, complicated, and expensive.

This is also why VC adoption may be resisted by incumbent data intermediaries as vigorously as labor unions protested shipping containers.

And this is the same reason we have so many usernames and passwords in the first place: there is no universal way to traverse trust domains in the digital realm. Identity federations within a single trust domain, like those the current IAM industry offers to large organizations, solve this problem elegantly. Cross-domain identity federations, however, have repeatedly attempted to address this and failed for various reasons, leaving the problem unresolved and ballooning.

The boundaries between digital trust domains are understandably high, as the stakes can be high, the risk of fraud is ever-present, and fraudsters can comfortably ply their trade from anywhere. We know these boundaries well:

  • Having many usernames and passwords
  • Cumbersome forms and onboarding processes
  • Verbally authenticating when calling a service center, and re-authenticating when being transferred
  • Waiting for agreements to be signed or consent to be given
  • Waiting for any kind of application to be approved
  • Slow verification of documents and records of any kind
  • Many slow and/or tedious processes that rely on verifications

Any time you are slowed down or prevented from doing something because you can’t quickly prove something, it’s a manifestation of boundaries between trust domains, much like the bygone situation in shipping that necessitated “break-bulk.” If gatekeepers, human or automated, could quickly verify everything they needed to verify, they could quickly open their gates.

With VCs, they now can.

How VCs Bridge Trust Domains

This post already assumes a basic understanding of how VCs work, but at the risk of being redundant, I want readers to understand, mechanically, how VCs bridge trust domains.

https://despair.com/products/dysfunction

I think the poster linked above is one of the funnier “demotivators” at despair.com, a site everyone should check out for a good laugh. As with most humor, what makes a demotivator funny is the thread of truth that runs through it.

The relevant truth in this poster is this: the only consistent feature in ALL of your relationships — not just your dissatisfying ones — is you. You are the common factor between all your employers, your FIs, your schools, and every other organization you deal with, and that makes you the ideal courier of data between them.

If only you had the data… and if only it could be trusted when you delivered it…

Well, this is where our super duper data shipping container comes in, the VC. Here’s how it all comes together:

  1. You start with an empty digital SSI wallet. Not the Apple kind or Android kind or anything else similarly proprietary and non-portable, but a standardized self-sovereign digital wallet that’s all yours, where you literally hold the digital keys to it.
  2. You offer/accept connections to/from other people, organizations, or things using QR codes or other means of bootstrapping. These are peer-to-peer relationships that you now own and control, not ones mediated by some platform or company where they could be seen, controlled, or taken away from you.
  3. When VCs are offered to you by your connections, you choose whether to accept them into your wallet. When you do, you’re now a “holder.” An entity who gives you a VC, whether person, organization, or thing, is called an “issuer.”
  4. When you want to prove something to someone, or share verifiable data, you must first connect with them (step 2); then you can share one or more of your VCs. You can also share a subset of data from a VC rather than the whole thing, or just proof that you have a VC, or a compound proof drawn from multiple VCs.
  5. In seconds, verifiers can verify four things about what you’ve shared:
     • Who (or what) issued it to you
     • It was issued to you and not someone else
     • It hasn’t been tampered with
     • It hasn’t been revoked by the issuer

Voila! Data has just left one trust domain and been accepted into another, without any direct connections between the two.

Most important: verifiers can confirm these four things cryptographically, without having to contact the original issuer. If verifiers had to contact the original issuer to confirm things, that defeats the whole purpose and we’d be back to square one. But they don’t, so we’re not, and that changes everything.
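The steps above reduced to their cryptographic core, as an added example that is not code from the original post: an issuer signs a credential, the holder proves control of the subject key by signing the verifier's nonce, and the verifier performs the four checks using only published material (a trusted-issuer key set, a resolved holder key and the issuer's revocation list, all represented here as in-memory maps standing in for DID resolution and a revocation registry). The identifiers, claims and Ed25519 keys are constructed, and the data model is deliberately simplified rather than the W3C VC format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is what the issuer signs; json.Marshal gives a stable byte form
// to sign and later re-check. Identifiers are constructed, DID-like strings.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"` // the holder it was issued to
	Claims  map[string]string `json:"claims"`
	RevID   string            `json:"revocationId"`
}
// Verifier holds only published data (trusted issuer keys, holder keys, the
// issuer's revocation list); it never has to contact the issuer.
type Verifier struct {
	IssuerKeys, HolderKeys map[string]ed25519.PublicKey
	Revoked                map[string]bool
}
// Issue is the issuer's step: sign the credential content.
func Issue(c Credential, issuerPriv ed25519.PrivateKey) []byte {
	b, _ := json.Marshal(c)
	return ed25519.Sign(issuerPriv, b)
}
// Present is the holder's step: sign the verifier's nonce with the subject key.
func Present(holderPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, nonce)
}
// Verify runs the post's four checks: known issuer, bound to this holder,
// untampered (issuer signature still matches the content), not revoked.
func (v Verifier) Verify(c Credential, issuerSig, holderProof, nonce []byte) (issuerOK, holderOK, intact, notRevoked bool) {
	issuerPub, issuerOK := v.IssuerKeys[c.Issuer]
	holderPub, holderKnown := v.HolderKeys[c.Subject]
	holderOK = holderKnown && ed25519.Verify(holderPub, nonce, holderProof)
	b, _ := json.Marshal(c)
	intact = issuerOK && ed25519.Verify(issuerPub, b, issuerSig)
	return issuerOK, holderOK, intact, !v.Revoked[c.RevID]
}
func main() { // constructed demo: an employer credential shown to a lender
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	holPub, holPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := Credential{"did:example:employer", "did:example:alice", map[string]string{"title": "Engineer"}, "emp-42"}
	v := Verifier{map[string]ed25519.PublicKey{cred.Issuer: issPub}, map[string]ed25519.PublicKey{cred.Subject: holPub}, nil}
	nonce := []byte("constructed-lender-nonce") // real verifiers use a fresh random nonce
	fmt.Println(v.Verify(cred, Issue(cred, issPriv), Present(holPriv, nonce), nonce)) // true true true true
}
```

The nonce is what makes the second check meaningful: without it, a copied credential plus issuer signature would be a bearer token that anyone could replay.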

By using you as the courier of verifiable data between the organizations you deal with, unrelated trust domains now have a bridge, without requiring direct connections to one another. The key to making this all work is that issuers, holders, and verifiers all use the same interoperable protocols. This is why cooperation among competitors and the VC standards work¹ is critical, and it is exciting that this work has made so much progress over the last several years.

The Vast Potential of Verifiable Credentials

CREDIT: Evernym, Inc.

The potential ramifications of transitive trust with rapid verifiability are endless, when boundaries between trust domains for many of today’s friction-filled interactions all but disappear:

  • No more usernames or passwords, replaced by trusted VCs
  • No more forms, quick and easy onboarding everywhere
  • No more verbal authentication, you’re recognized everywhere you choose to be
  • Instant, digital, multi-party consent (after waiting for slow humans to decide something)
  • Instant application approvals
  • Instant verification of documents and records
  • The efficient exchange of any trusted information

The effect on user experience would be wonderful. Friction from trying new vendors, products, and services would reduce to almost nothing. Customers could be instantly recognized as valued guests rather than treated as strangers at each new interaction. Processes and workflows could be simplified, automated, and accelerated, and new, nearly seamless experiences offered.

In Conclusion

The current inability for data to efficiently traverse trust domains bears a striking resemblance to global trade complexities prior to 1956; Verifiable Credentials bear a striking resemblance to its revolutionary solution, the shipping container.

Due to the enormous physical, logistical and even political obstacles to adoption, it took shipping containers more than a decade to hit their stride, for everyone to realize their potential. With VCs it will happen much more quickly, as much of our world is already digital, and connected.

I have often said during my five years in SSI that the tech titans of tomorrow are being created today, and I believe that now more than ever. If there’s a sweet spot for when to jump on the SSI bandwagon, we may still be a tad early, but not much, and I don’t think it will last as long as comparable opportunity sweet spots may have in the past.

VCs are the shipping containers of our lifetime, with all that entails.

¹ VC standards and governance efforts can be followed at W3C, the Trust Over IP Foundation, and the Decentralized Identity Foundation.