Issuer / Holder / Verifier Model

Author: David Luna

Created at: Sep 2023

Updated at: Dec 2024

The issuer/holder/verifier model lies at the heart of wallet-based credentials.

Key Terms

VERIFIABLE CREDENTIAL

Credentials are an encapsulation of a set of claims made about one or more subjects by an issuer. Verifiable credentials are cryptographically signed by their issuer, and as such can be verified as being authentic and not having been tampered with.

ISSUER

Issuers create verifiable credentials and transmit them to a holder.

An issuer has a set of private keys and a related set of public keys. When issuing a credential, the private key of one of these keypairs is used to sign the credential, and the associated public key is stored in a verifiable data registry.

HOLDER

Holders retain verifiable credentials in a digital identity wallet. They receive presentation requests from verifiers, and send them a verifiable presentation in response.

The holder is the pivotal role in the Issuer / Holder / Verifier model. Their choices of which issued credentials to accept, and which presentation requests to respond to (and how), place them at the heart of the model.

VERIFIER

Verifiers make presentation requests of holders, and verify the data that the holder transmits to them in a verifiable presentation. They do this by checking the cryptographic signatures of verifiable presentations, using the public keys associated with the credentials.


Typical Use-Cases

STANDARD

Issuer, Holder, and Verifier are separate entities.

At a glance, issuing authorities issue credentials to holders. Verifiers that trust those holders and wish to consume their issued credentials may do so, as long as they have access to the verifiable data registry containing the issuer’s keys and metadata.

An issuing authority is any issuer with a set of holders who desire claims signed by it, and a set of verifiers that wish to consume those claims.

CLOSED-ECOSYSTEM

Issuer and Verifier are the same entity. Holder is distinct.

At a glance, the issuer of the credential issues credentials which their own service(s) will request the presentation of. Access to the verifiable data registry is limited to only the issuer and their own verification services.

Particularly useful in workforce settings.

SELF-ASSERTED

Issuer and Holder are the same entity. Verifier is distinct.

At a glance, the issuer of the credential is the holder to whom the credential is issued. Most useful in the…

Standard use-case scenario


Alice has completed her Driving Theory test after many weeks of practice and revision. She passes, and the examination centre presents her with a QR code to scan with her digital identity wallet that contains claims including her test score and date of test. It’s signed by the testing centre’s private key. Their public key is available from their website, which acts as their verifiable data registry. It uses a schema common to all driving examination centres, which agreed on it to encourage the use of digital credentials in place of old paper printouts that people kept losing.

When Alice goes for her practical test, the instructor first asks her to present her theory certificate.

The practical test centre knows the schema of the credential it wishes to accept, and trusts the examination centres, as they’re both members of the same governance framework for driving tests, operated by the Driving and Vehicle Licensing Agency.

Once the certificate is presented and verified the instructor knows to continue with the practical test.

  • The practical driving centre trusts a large set of theory examination centres, of which Alice’s centre was one.

  • The examination centre’s website acts as a basic verifiable data registry from which to retrieve that centre’s public key.

  • The practical driving centre may have already retrieved the key ahead of time – it knows the set of issuers that it trusts, so may have pre-acquired the key or already had it cached.
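
The verification step in this scenario, as an added example that is not part of the original page: a verifier holding a pre-cached set of trusted issuer keys accepts a genuine credential and rejects a tampered one, one signed with the wrong key, and one from an issuer it does not trust. The issuer identifiers, claim names, Ed25519 and the sorted-key JSON serialisation are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed issuer identity and keypair (hypothetical values for illustration).
const ISSUER_ID = "https://theory-centre.example";
const issuerKeys = crypto.generateKeyPairSync("ed25519");

// Stand-in for the verifier's cached copy of the verifiable data registry:
// it holds public keys only for the issuers this verifier trusts.
const trustedKeys = new Map([[ISSUER_ID, issuerKeys.publicKey]]);

// Serialise flat claims with sorted keys so both sides sign and verify identical bytes.
function canonical(claims) {
  return Buffer.from(JSON.stringify(claims, Object.keys(claims).sort()));
}

// Issuer side: sign the claims with the issuer's private key.
function issueCredential(issuer, privateKey, subjectClaims) {
  const claims = { issuer, ...subjectClaims };
  const signature = crypto.sign(null, canonical(claims), privateKey).toString("base64");
  return { claims, signature };
}

// Verifier side: reject unknown issuers first, then check the signature.
function verifyCredential(credential, keys) {
  const key = keys.get(credential?.claims?.issuer);
  if (!key) return "untrusted-issuer";
  const sig = Buffer.from(String(credential.signature), "base64");
  return crypto.verify(null, canonical(credential.claims), key, sig)
    ? "valid" : "bad-signature";
}

// Constructed sample data: one genuine credential and three that must fail.
function demo() {
  const alice = { subject: "Alice", testScore: 47, testDate: "2024-11-02" };
  const genuine = issueCredential(ISSUER_ID, issuerKeys.privateKey, alice);
  const tampered = { ...genuine, claims: { ...genuine.claims, testScore: 50 } };
  const otherKeys = crypto.generateKeyPairSync("ed25519"); // not in the registry
  const wrongKey = issueCredential(ISSUER_ID, otherKeys.privateKey, alice);
  const unknown = issueCredential("https://unlisted.example", otherKeys.privateKey, alice);
  return {
    genuine: verifyCredential(genuine, trustedKeys),
    tampered: verifyCredential(tampered, trustedKeys),
    wrongKey: verifyCredential(wrongKey, trustedKeys),
    unknownIssuer: verifyCredential(unknown, trustedKeys),
  };
}

console.log(demo());
```

The issuer lookup happens before any signature check, so a credential that is validly signed by a key outside the trusted set is still rejected.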