Understanding the Verifiable Credentials (VCs)

By Mickey Maler

Article three – An introductory dive into VCs (verifiable credentials)

Verifiable Credentials heavily utilize Decentralized Identifiers to identify people, organizations, and things, and to achieve a number of security and privacy-protecting guarantees. They are issued, cryptographically signed documents intended to be understood by computers rather than people.

Prerequisites

Introduction

Most people nowadays use many forms of identity tokens – for instance, to verify their citizenship, their ability to drive a car, or membership in a gym. Today, these tokens assume the form of plastic cards. Sometimes, these cards can also be gathered in a phone app. However, this still has major drawbacks. The validity of the cards often depends on the issuer, and you cannot use them for other purposes, or in other places. What’s more, the validity is one-sided – the issuer can always revoke the token, and you lose all benefits at any time since you are not in direct control of these credentials.

But consider this: instead of a wallet full of plastic cards, most of which you can use only under very specific circumstances and in specific locations, you would have a set of digital credentials that would work as your ID, your biometric info, your university diploma, your club memberships, and more. Today, we often use our email address as a unified credential of sorts, but email addresses are arbitrary and easily breached.

Fortunately, thanks to the blockchain, a far better alternative is on the horizon. Under current regulation of decentralized finance (DeFi), all users on established DeFi platforms will soon need to be identified. This can be achieved by issuing a “virtual ID card with multiple uses” in the form of Verifiable Credentials (VC).

Verifiable credentials

Verifiable Credentials (VC) are a digital version of our regular plastic identification cards, documents, or diplomas, issued to us by a specific issuer. A university diploma or a student ID card could be an example of such a VC: it creates a verifiable link between the university and you, where the university acts as the issuer. Each VC is kept off-chain, stored on a user device or possibly in the cloud, but always under the user’s control. A VC includes standard user information such as name and address, and also a Decentralized Identifier (DID), whose purpose is to connect a real-world identity to a user’s public address and its public key, verifiable on any blockchain. A DID is a new globally unique identifier format that is:

  • Resolvable with high availability
  • Cryptographically verifiable
  • Typically associated with cryptographic material, such as public keys and service endpoints.

A user signs their VC with their private key. The signing process declares that only the owner of the associated key pair can use the VC. The associated public key is stored on a blockchain, and upon request it is handed over in the form of a decentralized identifier document (DID document). A DID document is a tiny JSON file that a blockchain company hands over to the company requesting the verification. By doing so, the verifying party never comes into direct contact with the blockchain.

When you present your VC to somebody for verification, the terminal that handles the verification sends a request to a company responsible for storing user public key information on a blockchain. The company provides the requested information in the form of a DID document, and the public address resolved from the VC is compared against the public key in that document. On the LTO Network blockchain, the Identity node handles this: it answers a request about a DID on LTO Network with the corresponding DID document, which contains the public key required to verify the address owner’s signature. The blockchain address, which is part of the DID on any VC, is generated from the public key using a hashing function. Hashing is a one-way function, so it is not possible to extract the public key from an address. That way, the user’s privacy is respected, and the identity can still be verified.

VC summarization

A user identifier that is:

  • In digital form
  • Able to communicate with a decentralized ledger
  • The property of its owner, stored in a wallet
  • Carrying the DID data string that pairs the user’s public address with the user’s public key stored on a blockchain
  • Representing a user ID, a diploma, and many other credentials

The current challenges

Currently, however, there is no standard mechanism for issuing universally acceptable digital cards or credentials. Therefore, we need Verifiable Credentials with Decentralized Identifiers that individuals can own, independent of any entity, organization, or institution. These days, we use email addresses and phone numbers as identifiers to access websites and apps, but our access to these identifiers and to our personal information is at the mercy of service providers, who can revoke them at any time. Secondly, there are no universally accepted standards for expressing, exchanging, and verifying digital credentials across organizational boundaries. This is all about to change in the near future, and LTO Network will play its role in it.

VC benefits over classical plastic federal identifiers

The vast majority of these globally unique identifiers are not under our control. They are issued by external authorities that decide who or what they identify and when they can be revoked. They are useful only in certain contexts and recognized only by certain bodies, not of our choosing. They might disappear or cease to be valid with the failure of an organization. They might unnecessarily reveal personal information. In many cases, they can be fraudulently replicated and asserted by a malicious third party, which is more commonly known as “identity theft”.

Since the generation and assertion of Decentralized Identifiers is entity-controlled, each entity can have as many DIDs as necessary to maintain their desired separation of identities, personas, and interactions. The use of these identifiers can be scoped appropriately to different contexts. They support interactions with other people, institutions, or systems that require entities to identify themselves, or things they control, while providing control over how much personal or private data should be revealed, all without depending on a central authority to guarantee the continued existence of the identifier.

* Read the complete list of Design Goals here.

User-oriented description with an example

A new form of digital identity based on emerging standards such as Verifiable Credentials and Decentralized Identifiers can enable such digital credentials to work everywhere, including in DeFi, and to be more trustworthy while still respecting the user’s privacy. Everything starts with a new digital wallet that empowers its owner to own and control credentials. This wallet can be a mobile phone application. Since it is not tied to any one organization, authoritative sources can confidently issue standards-based credentials to a user. When a user presents these credentials, websites, apps, and dApps can check that they are valid, for example with a bank where the user is registered and authenticated as a customer, and then grant access accordingly. While this process may be more straightforward, how do we know it’s trustworthy?

It is thanks to DIDs, which leverage proven cryptographic systems. DIDs connect a real-world identity to an associated public address and hold the information about the public key. Note that DIDs contain no personal information. The user can then present their digital Verifiable Credentials in communications with another bank, use them in a real estate office, or with any other vendor. The credentials would in turn prove the user’s identity, the association with a specific bank, and also an available claim for money stored in the bank that could be used for a property purchase. Similarly, a student can present their digital student ID, a Verifiable Credential, in a bookstore that provides a 20% discount to students. Before granting the discount, the bookstore can confirm by checking the distributed ledger for proof that the university issued the card to this student, and also confirm whether the card is still valid. Since this is a challenge-response verification, the bookstore needs to communicate with the student’s app. This is handled using Bluetooth or NFC. When using QR codes, the student’s app would scan a QR code of the bookstore to connect their phone with the bookstore system and send the verifiable credential afterward. With a solution like this, we could all digitally present and authenticate a set of verifiable credentials, just like we do with physical cards. The VC can also easily be revoked by its owner with a simple click, just as we would put the physical card back in our wallet or tear it into pieces. The revocation of a VC can be temporary or permanent.

VC as the JSON file

VCs are human- and computer-readable entities, written as simple JSON files. The example below uses two types of identifiers. The first identifier is for the verifiable credential itself and uses an HTTP-based Uniform Resource Locator (URL). The second identifier is for the subject of the verifiable credential (the thing the claims are about) and uses a DID.

Example – Bachelor of Science and Arts diploma
--------------------------------------------------------------------------
{
  // set the context, which establishes the special terms a user will use, such as 'issuer';
  // @context literally states what type of JSON we are dealing with – Credentials
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  // specify the identifier for the credential
  "id": "http://example.edu/credentials/3732",
  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
  // the identity that issued the credential – a university of some sort
  "issuer": "https://example.edu/issuers/565049",
  // when the credential was issued (RFC 3339 date-time; the minute field must be 00-59)
  "issuanceDate": "2010-01-01T19:23:24Z",
  // claims about the subject of the credential
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  },
  // the cryptographic proof that makes the credential tamper-evident (left empty here)
  "proof": { }
}
--------------------------------------------------------------------------
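The verification flow described earlier (resolve the signer’s DID to a DID document, confirm that the published public key hashes to the address inside the DID, then check the signature), applied to the diploma above, as an added example in Go that is not code from the article, LTO Network or the W3C specification. Assumptions, labelled in the code as well: a hypothetical did:example method whose address is the first 20 bytes of SHA-256 of an Ed25519 public key, an in-memory resolver standing in for the identity node, and a constructed two-field proof block rather than a standard proof suite.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential carries the fields of the diploma example above that matter for signing.
type Credential struct {
	ID      string                 `json:"id"`
	Type    []string               `json:"type"`
	Subject map[string]interface{} `json:"credentialSubject"`
	Proof   Proof                  `json:"proof"`
}

// Proof is a constructed, simplified proof block: the signer's DID and an Ed25519 signature.
type Proof struct {
	VerificationMethod string `json:"verificationMethod"`
	SignatureHex       string `json:"signatureHex"`
}

// Resolver stands in for the identity node: DID -> public key (hex) from its DID document.
type Resolver map[string]string

// DIDFor builds a hypothetical did:example DID whose address is a one-way hash of the key
// (simplified to 20 bytes of SHA-256; real chains, LTO included, use their own address scheme).
func DIDFor(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "did:example:" + hex.EncodeToString(sum[:20])
}

// signingBytes serialises the credential with an empty proof; encoding/json keeps struct field
// order and sorts map keys, so identical claims always produce identical bytes to sign and verify.
func signingBytes(c Credential) []byte {
	c.Proof = Proof{}
	b, _ := json.Marshal(c) // only strings and string-keyed maps: cannot fail
	return b
}

// Sign attaches a proof made with priv, naming the signer by the DID derived from its key.
func Sign(c Credential, priv ed25519.PrivateKey) Credential {
	sig := ed25519.Sign(priv, signingBytes(c))
	c.Proof = Proof{DIDFor(priv.Public().(ed25519.PublicKey)), hex.EncodeToString(sig)}
	return c
}

// Verify resolves the DID, checks that the published key hashes to the DID's address, then
// checks the signature with that key; an empty proof fails at the first step.
func Verify(c Credential, r Resolver) error {
	pub, err := hex.DecodeString(r[c.Proof.VerificationMethod]) // "" when the DID is unknown
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("DID could not be resolved to a usable public key")
	}
	if DIDFor(pub) != c.Proof.VerificationMethod {
		return errors.New("public key does not hash to the address in the DID")
	}
	sig, err := hex.DecodeString(c.Proof.SignatureHex)
	if err != nil || !ed25519.Verify(pub, signingBytes(c), sig) {
		return errors.New("signature does not match the credential contents")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	registry := Resolver{DIDFor(pub): hex.EncodeToString(pub)} // the identity node "publishes" the key
	vc := Sign(Credential{ID: "http://example.edu/credentials/3732", Type: []string{"VerifiableCredential"},
		Subject: map[string]interface{}{"id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
			"degree": map[string]interface{}{"type": "BachelorDegree", "name": "Bachelor of Science and Arts"}}}, priv)
	fmt.Println("genuine:", Verify(vc, registry))
	vc.Subject["degree"].(map[string]interface{})["name"] = "Doctor of Philosophy" // tamper with a claim
	fmt.Println("tampered:", Verify(vc, registry))
}
```

Running it prints `<nil>` for the genuine credential and a signature error once the degree name is changed; a credential whose proof is empty, like the JSON above, fails at DID resolution.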

Integration

Cybersecurity-oriented providers of digital wallets, such as Sphereon from the Netherlands, could allow users to create their wallets and integrate them for the target solution.

The combination of a public event chain and a private settlement chain, such as the LTO Network hybrid blockchain, creates a cornerstone for building a blockchain solution for VCs and DIDs, on top of which companies and industries could create trust networks, for example a hierarchical chain of trust or a trust endorsement model called a web of trust.

The last piece of this puzzle would be a provider of tamperproof blockchain oracles, such as Chainlink, which would keep the data updated.

Associations can be used to specify a relationship between accounts on LTO Network. By using associations with cross-chain DIDs, relationships between accounts on different blockchains, such as Bitcoin, Ethereum, NEO, can be established on LTO Network. LTO Network is partnering with Chainlink to make this information available for smart contracts through its decentralized oracle network. For example, an organization could add associations to establish an account belonging to an accredited partner. In this example, the accredited partners are allowed to certify businesses. With the use of Chainlink, it’s possible to create a smart contract that can only be used by these certified businesses.

Why is Blockchain a good solution?

Traditionally, electronic security focuses on authorization, authentication, and access control. These mechanisms are intended to keep unauthorized users from accessing or modifying data. However, when it comes to authorized access, either on the application or the system level, they do not provide any protection. Blockchain enables tamper resistance for data through distribution over many systems that are run and managed by independent parties. This is ensured by the architecture of the blockchain, where every piece of data has thousands of globally distributed copies. A potential attacker intent on tampering with a certificate would have to compromise the majority of the data distribution at the same time, which is extremely hard, expensive, and with a well-designed blockchain almost impossible.

Final thoughts

Verifiable credentials do not depend on DIDs and DIDs do not depend on verifiable credentials. However, it is expected that many verifiable credentials will use DIDs and that software libraries implementing this specification will probably need to resolve DIDs. DID-based URLs are used for expressing identifiers associated with subjects, issuers, holders, credential status lists, cryptographic keys, and other machine-readable information associated with a verifiable credential.

Source: https://hackernoon.com/understanding-the-verifiable-credentials-vcs-it1535e9?source=rss

Pending Data Protection and Security Laws At-A-Glance: APAC


In our continuing quest to provide a global overview of cyber-related legislation and regulation we have focused on the latest laws protecting PII in the United States, Regulation through Global Data Protection and Security Laws, and APAC Data Protection and Security Laws. This is an overview of 3 soon-to-be-enacted regulations that will change the APAC data privacy legal landscape.

CHINA

On June 1, 2021, the National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment will go into effect. According to global law firm Dentons, “The Guidance aims to guide the assessment of the potential impacts on individuals’ rights and interests as well as the effectiveness of security protective measures adopted when carrying out personal information processing activities, which is similar to the data protection impact assessment (“DPIA”) under the EU General Data Protection Regulation (GDPR).”

Draft PIPL

On October 21, 2020, a draft PRC Personal Information Protection Law (Draft PIPL) was published for review. Similar in many ways to GDPR, the PIPL, if passed, will require:

  • Organizations outside China that fall within the PIPL’s scope to appoint representatives or establish entities within China responsible for the protection of personal information
  • Personal Information Processors to perform and maintain a record of risk assessments where processing activity may have a significant impact on individuals, including international transfers of personal information, processing of sensitive personal information, automated decision-making, and disclosure of personal information to third parties
  • That the processing of personal information be lawful; in other words, there must be a legal basis for processing data, such as consent
  • That individuals be informed that processing is happening, be able to restrict or object to the processing of their data, and be able to obtain a copy of, update, or delete their information

Furthermore, it outlines strict requirements for international transfers of personal information. In addition, penalties for noncompliance have yet to be finalized but are so far rather austere. Proposed sanctions include the suspension of business activities and revocation of business permits or licences, the “blacklisting” of companies and fines up to 5% of a company’s yearly earnings. 

JAPAN

On June 5, 2020, the Japanese legislature passed several amendments (“Amendment Act”) to the Act on Protection of Personal Information of Japan (“APPI”) created to expand protections for personal data and impose new obligations on all businesses that use personal data for business purposes, including non-profit organizations.

Slated to go into effect in the spring of 2022, one of the major changes it will bring about is a set of new provisions expanding an individual’s rights to require the deletion or disclosure of personal information (‘PI’):

  • where there is a possibility of violating the data subject’s rights or legitimate interests
  • in the event of a breach of the APPI via transfer to a 3rd party
  • to include short-term data which is kept for 6 months or less; and
  • allowing the data subject to request the format of the disclosure of their data, including in a digital format.

India

Inspired by GDPR, India’s Personal Data Protection Bill (PDP) was introduced to overhaul India’s current data protection regulations outlined in the Information Technology Act of 2000. As that act was mainly concerned with ensuring the legal recognition of e-commerce within India, it does not include specific legislation on data protection aside from establishing the right to compensation for improper disclosure of personal information.

According to the bill’s preamble, the goal of PDP is to “create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.” Similar to GDPR, PDP establishes data privacy as a fundamental right and calls for the creation of an independent new regulatory authority, the Data Protection Authority (DPA), to carry out this law. 

In terms of how PDP and GDPR differ, you can find a comprehensive comparison of the two laws here. In summary though, the differences can be boiled down into 3 key areas:

  • India’s central government retains the power to exempt any government agency from the bill’s requirements for reasons such as national security.
  • The government now has the right to order firms to share any of the non-personal data they collect with the government
  • Personal and sensitive data must be stored and processed in India. Though there are exceptions to these rules, PDP’s restrictive regulations pose a number of challenges for organizations looking to do business in India and are, therefore, one of the most hotly contested provisions in the bill. 

Though DLA Piper expects the law to go into effect in late 2021, other legal experts aren’t so sure. Ongoing backlash pertaining to a number of its more restrictive provisions has resulted in multiple revisions and delays. In addition to the issues surrounding data localization mentioned before, the bill “has also attracted criticism on various grounds such as the exceptions created for the state, the limited checks imposed on state surveillance, and regarding various deficiencies in the structures and processes of the proposed Data Protection Authority,” according to The Hindu.

Source: https://www.cshub.com/executive-decisions/articles/pending-data-protection-and-security-laws-at-a-glance-apac
