owned this note
owned this note
Published
Linked with GitHub
# Wrapping Indy Credentials (AnonCreds) in W3C VCs
AnonCreds are typically bound to a holder by using a link secret and not by issuing a credential to a public DID. In order to add such a credential (or a subset of attributes) to the public profile, we suggest the following mechanism which expresses the intent: I self-attest that I have this credential with the specific attribute values, if you require a proof you can ask me using the Aries present proof protocol.
Given an AnonCred based on the schema [M6Mbe3qx7vB4wpZF4sBRjt:2:bank_account:1.0](https://indy-test.bosch-digital.de/browse/domain?page=1&query=M6Mbe3qx7vB4wpZF4sBRjt%3A2%3Abank_account%3A1.0&txn_type=) with attributes
```
iban: 456
bic: 1234
```
we dynamically create the following VC with an inline context generated on the fly:
```
{
"@context":[
"https://www.w3.org/2018/credentials/v1",
{
"@context":{
"sc":"did:sov:iil:M6Mbe3qx7vB4wpZF4sBRjt:2:bank_account:1.0",
"bic":{
"@id":"sc:bic"
},
"iban":{
"@id":"sc:iban"
}
}
},
"type":[
"VerifiableCredential",
],
"issuer": "did:sov:iil:M6Mbe3qx7vB4wpZF4sBRjt"
"id":"urn:583100e7-9141-4444-b3bf-3bd27fb1e33e",
"credentialSubject":{
"bic":"456",
"iban":"1234"
}
}
```
Further, we have thought about two different mechansism to include Indy specific information in the credential.
### Custom Proof Type
Defining a custom LD proof type, e.g. `IndyCredDefProofType` that contains the credential definition ID.
```
"proof": {
"type": "IndyCredDefProofType",
"proofPurpose": "assertionMethod",
"verificationMethod": "M6Mbe3qx7vB4wpZF4sBRjt:3:CL:571:bank_account_no_revoc" // credDefId
}
```
### Custom Credential Type
Defining a custom credential type, e.g. `IndyCredential` that defines the Indy specific vocabular
```
{
"@context":[
"https://www.w3.org/2018/credentials/v1",
https://raw.githubusercontent.com/iil-network/contexts/master/indycredential.jsonld,
{
"@context":{
"sc":"did:sov:iil:M6Mbe3qx7vB4wpZF4sBRjt:2:bank_account:1.0",
"bic":{
"@id":"sc:bic"
},
"iban":{
"@id":"sc:iban"
}
}
},
"type":[
"VerifiableCredential", "IndyCredential"
],
"issuer": "did:sov:iil:M6Mbe3qx7vB4wpZF4sBRjt"
"id":"urn:583100e7-9141-4444-b3bf-3bd27fb1e33e",
"credentialSubject":{
"bic":"456",
"iban":"1234"
},
"schemaId":"M6Mbe3qx7vB4wpZF4sBRjt:2:bank_account:1.0",
"credDefId":"M6Mbe3qx7vB4wpZF4sBRjt:3:CL:571:bank_account_no_revoc"
}
```
## Handling in public profile
```plantuml
skinparam BoxPadding 20
participant "Verifier" as verifier
box Holder
participant "Public Profile Endpoint" as holder_profile
participant "DIDComm Endpoint" as holder_didcomm
end box
database VDR
verifier <-> VDR: Resolve DID doc
verifier -> verifier: Find "profile" service from DID doc
verifier <-> holder_profile: Fetch public profile (JSON-LD VP) from "profile" endpoint
verifier -> verifier: Verify JSON-LD VP signature\n(with key from DID Doc)
loop for each VC in public profile VP
verifier -> verifier: find AnonCred specific information (credential definition id)
verifier -> verifier: Build DIDComm Presentation Request with restriction on credential_defnition_id and (optionally) attribute values
verifier <-> holder_didcomm: Request VP
verifier -> verifier: Verify VP and check with public profile information
end
```
The Verifier verifies the JSON-LD VP proof. The individual VC contained in the VP can not be verified directly, because their origin is an AnonCred. The Verifier can request a VP (AnonCred VP) via DIDComm in case the Holder's signature is not enough and a 3rd party (Issuer) confirmation (proof) is necessary.
### Example of DIDcomm Presentation Request (indy proof request)
```
{
"proof_request": {
"requested_attributes": {
"attr1_referent": {
"names": ["iban", "bic"],
"restrictions": [
{
"attr::iban::value": "456", // (optional)
"attr::bic::value": "1234", // (optional)
"cred_def_id":"M6Mbe3qx7vB4wpZF4sBRjt:3:CL:571:bank_account_no_revoc"
}
]
}
},
"requested_predicates": {}
}
}
```
Sign in with Wallet
