Web3 Identity 101 – episode 2: DIDs & VCs

This article forms part of a 2-part series exploring Sybil Attacks, Sybil Resistance, and mechanisms that form part of the solution in the fight against Sybil attacks.

In our first episode, we discussed the crux of one of the ‘crypto-verse’ dilemmas – Sybil attacks; it ties into the overall narrative surrounding concerns around digital identity as a whole. If one human can pose as dozens or hundreds of unique accounts to spoof the system, it can cause a tsunami of troubles. Sybil resistance is the cornerstone of protecting, securing, leading with democracy, and allowing for the move from one-dollar-one-vote to one-person-one-vote personhood systems. We’re living in a new age of ever-evolving digital techniques – stepping into the solutions will anchor and strengthen the entire ecosystem to ensure safety and protection for all who choose to interact with web3.

Let’s talk mechanisms

Foremost among these new Sybil resistance techniques are Verifiable Credentials (VCs) and Decentralized Identifiers (DIDs). From a developer’s perspective, implementing these technologies can enhance user privacy and security, thereby solving one of the blockchain world’s largest problems – onboarding average, non-technical users to web3.

So what are Verifiable Credentials (VCs)? VCs are essentially digital versions of our current identification and credential cards. VCs are stored under the control of the user and create a verifiable link between the user and credential – whether this is issued from a university (degree), sovereignty (driver’s license), or corporate entity (proof of employment). The current vision for VCs is an all-encompassing digital identity ‘wallet’ that could replace the need for physical cards and wallets. 

One challenge VCs have faced since the idea’s inception is verifiable proof of issuance – essentially, how can we verify that a user’s university degree was, in fact, issued by the university the user claims? This is where Decentralized Identifiers (DIDs) come into play. DIDs, recently made popular by Jack Dorsey’s web 5.0 announcement, offer a solution to the assignment (or issuance) problem by providing universally verifiable and globally unique identifiers to each user and issuer.

A DID in itself is just a format that is “resolvable, cryptographically verifiable, [and] associated with public keys and service endpoints” (Understanding the Verifiable Credentials (VCs), Hackernoon). DIDs distinguish themselves from traditional identities because they don’t rely on centralized entities (in the form of registries, providers, or authorities). Instead, DIDs are created and controlled by the users, allowing for user-owned and controlled credentials.

How do DIDs work without relying on centralized third parties?

When an entity wishes to grant a credential to a user’s Verifiable Credentials ‘wallet’, it signs the issued credential with its private key, declaring the credential ‘issued.’ To verify that a credential in an individual’s VC ‘wallet’ is legitimate, the verifier requests the issuer’s public key (typically from a querier or blockchain company). Given the public key, the verifier uses a hashing function to derive the blockchain address from it. With the blockchain address and public key known, the verifier can check the address owner’s signature, validating the credential in question.

DIDs and VCs, although still developing technologies, could prove essential in deterring Sybil attacks. Blockchains in the future could verify users through their Verifiable Credential ‘wallets,’ contacting VC issuers via their DIDs to ensure that credentials are legitimate.

An example of this could be seen with a platform like Twitter: a prospective Twitter user submits their VCs to Twitter as a form of application to join the platform. Twitter’s role is simple: verify one of the credentials’ issuers via their DID. For example, Twitter could see a prospective user’s university via their VCs. Twitter could then request the university’s (issuer’s) public key from a blockchain query company and verify that the user received a degree from the university through one-way hashing. Given that the user’s diploma (a certificate of identity) was proven, Twitter could be certain they are onboarding a legitimate user, not a bot. For a future involving DIDs and VCs to arrive, adoption of the digital identifiers would need to grow, as platforms would need to verify credentials from trustworthy issuers, such as governments, financial institutions, or corporate entities.
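The issue-and-verify flow described in the two passages above, as an added example that is not code from the article or from Gitcoin: the verifier checks that the issuer is trusted, that the resolved public key hashes to the issuer's identifier, and that the signature is valid. Ed25519, SHA-256, the `did:example:` identifier format and every function name are assumptions chosen for illustration; real DID methods and blockchains define their own key types and address derivation.

```javascript
const crypto = require("crypto");

// Assumption: an identifier is "did:example:" + the first 20 bytes of
// SHA-256 over the DER-encoded public key (the article names no hash).
function addressFromPublicKey(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  const digest = crypto.createHash("sha256").update(der).digest();
  return "did:example:" + digest.subarray(0, 20).toString("hex");
}

// Fixed field order so issuer and verifier sign and check identical bytes.
function signedBytes(cred) {
  return Buffer.from(JSON.stringify([cred.issuer, cred.subject, cred.claim]));
}

// Issuer side: sign the credential with the issuer's private key.
function issueCredential(keys, subject, claim,
                         issuer = addressFromPublicKey(keys.publicKey)) {
  const cred = { issuer, subject, claim };
  const sig = crypto.sign(null, signedBytes(cred), keys.privateKey);
  return { ...cred, signature: sig.toString("base64") };
}

// Verifier side: trusted issuer? key hashes to issuer id? signature valid?
function verifyCredential(cred, resolvedKey, trustedIssuers) {
  if (!trustedIssuers.has(cred.issuer)) return "untrusted-issuer";
  if (addressFromPublicKey(resolvedKey) !== cred.issuer) return "key-mismatch";
  const sig = Buffer.from(cred.signature, "base64");
  return crypto.verify(null, signedBytes(cred), resolvedKey, sig)
    ? "valid" : "bad-signature";
}

// Constructed sample data: one trusted university, one impostor key pair.
const university = crypto.generateKeyPairSync("ed25519");
const impostor = crypto.generateKeyPairSync("ed25519");
const universityId = addressFromPublicKey(university.publicKey);
const trusted = new Set([universityId]);

const degree = issueCredential(university, "did:example:alice", "BSc awarded");
const tampered = { ...degree, claim: "PhD awarded" };
const selfIssued = issueCredential(impostor, "did:example:bot1", "BSc awarded");
const forged = issueCredential(impostor, "did:example:bot2", "BSc awarded", universityId);

console.log(verifyCredential(degree, university.publicKey, trusted));     // valid
console.log(verifyCredential(tampered, university.publicKey, trusted));   // bad-signature
console.log(verifyCredential(selfIssued, impostor.publicKey, trusted));   // untrusted-issuer
console.log(verifyCredential(forged, impostor.publicKey, trusted));       // key-mismatch
console.log(verifyCredential(forged, university.publicKey, trusted));     // bad-signature
```

The `untrusted-issuer` case is the one that matters for Sybil resistance: a self-issued credential carries a perfectly valid signature, so the verifier must also decide which issuers it accepts.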

VCs benefit both users and platforms in the crypto economy. Users can feel safe knowing their private information isn’t being stored and manipulated by centralized parties. Users can finally control their own data, only sharing credentials with the platforms of their choice for verification. From a user’s perspective, VCs severely limit the opportunity for data selling or leaks. Moreover, VCs and DIDs can help enhance a platform’s reputation, guaranteeing that users are legitimate and verifiable. Not only would a more legitimate user base provide for a less bot-ridden user experience, but users would feel more comfortable knowing their interactions were with verified and benevolent users.

Gitcoin Passport is a DID – an aggregator of decentralized society credentials into one Passport through collecting “stamps” (web of trust tools), transmitting more Sybil resistance out to the entire ecosystem, and allowing you to consume it on your dApp. Passport’s SDK aims to help builders verify digital identity with a few lines of code – no matter what blockchain they build on.

Have you created a Passport yet? It’s easy, takes a few short minutes and is your citizenship pass in the decentralized internet. At Passport.gitcoin.co, you’ll be able to create your Passport and begin collecting stamps. As well as keeping your information secure, you’ll be able to access a higher matching bonus for contributions to our upcoming grants round, GR15. 

– Team Gitcoin

Thank you to Dartmouth Blockchain and MathildaDV for creating this piece (and McKennedy for the fire memes).