owned this note changed 4 years ago
Published Linked with GitHub

Wrapping Indy Credentials (AnonCreds) in W3C VCs

AnonCreds are typically bound to a holder by using a link secret and not by issuing a credential to a public DID. In order to add such a credential (or a subset of attributes) to the public profile, we suggest the following mechanism which expresses the intent: I self-attest that I have this credential with the specific attribute values, if you require a proof you can ask me using the Aries present proof protocol.

Given an AnonCred based on the schema M6Mbe3qx7vB4wpZF4sBRjt:2:bank_account:1.0 with attributes

iban: 456
bic: 1234

we dynamically create the following VC with an inline context generated on the fly:

{
         "@context":[
            "https://www.w3.org/2018/credentials/v1",
            {
               "@context":{
                  "sc":"did:sov:iil:M6Mbe3qx7vB4wpZF4sBRjt:2:bank_account:1.0",
                  "bic":{
                     "@id":"sc:bic"
                  },
                  "iban":{
                     "@id":"sc:iban"
                  }
               }
            },
         "type":[
            "VerifiableCredential",
         ],
         "issuer": "did:sov:iil:M6Mbe3qx7vB4wpZF4sBRjt" 
         "id":"urn:583100e7-9141-4444-b3bf-3bd27fb1e33e",
         "credentialSubject":{
            "bic":"456",
            "iban":"1234"
         }
      }

Further, we have thought about two different mechansism to include Indy specific information in the credential.

Custom Proof Type

Defining a custom LD proof type, e.g. IndyCredDefProofType that contains the credential definition ID.

         "proof": {
            "type": "IndyCredDefProofType",
            "proofPurpose": "assertionMethod",
            "verificationMethod": "M6Mbe3qx7vB4wpZF4sBRjt:3:CL:571:bank_account_no_revoc" // credDefId
         }

Custom Credential Type

Defining a custom credential type, e.g. IndyCredential that defines the Indy specific vocabular

{
         "@context":[
            "https://www.w3.org/2018/credentials/v1",
            https://raw.githubusercontent.com/iil-network/contexts/master/indycredential.jsonld,
            {
               "@context":{
                  "sc":"did:sov:iil:M6Mbe3qx7vB4wpZF4sBRjt:2:bank_account:1.0",
                  "bic":{
                     "@id":"sc:bic"
                  },
                  "iban":{
                     "@id":"sc:iban"
                  }
               }
            },
         "type":[
            "VerifiableCredential", "IndyCredential"
         ],
         "issuer": "did:sov:iil:M6Mbe3qx7vB4wpZF4sBRjt" 
         "id":"urn:583100e7-9141-4444-b3bf-3bd27fb1e33e",
         "credentialSubject":{
            "bic":"456",
            "iban":"1234"
         },
         "schemaId":"M6Mbe3qx7vB4wpZF4sBRjt:2:bank_account:1.0",
         "credDefId":"M6Mbe3qx7vB4wpZF4sBRjt:3:CL:571:bank_account_no_revoc"
      }

Handling in public profile

The Verifier verifies the JSON-LD VP proof. The individual VC contained in the VP can not be verified directly, because their origin is an AnonCred. The Verifier can request a VP (AnonCred VP) via DIDComm in case the Holder's signature is not enough and a 3rd party (Issuer) confirmation (proof) is necessary.

Example of DIDcomm Presentation Request (indy proof request)

{
  "proof_request": {
    "requested_attributes": {
      "attr1_referent": {
        "names": ["iban", "bic"],
        "restrictions": [
          {
             "attr::iban::value": "456", // (optional)
             "attr::bic::value": "1234", // (optional)
             "cred_def_id":"M6Mbe3qx7vB4wpZF4sBRjt:3:CL:571:bank_account_no_revoc"
          }
        ]
      }
    },
    "requested_predicates": {}
  }
}
Select a repo