Building Blocks of Decentralised Identity

Familiarise yourself with key concepts that enable decentralised identity and power the Affinidi Trust Network to realise the Holistic Identity vision.

Decentralised Identifiers

A Decentralised Identifier (DID) is a unique digital identifier that individuals issue, manage, and store themselves rather than relying on a centralised authority. Central to the DID framework is the use of cryptographic key pairs: a public key that is openly published for verification purposes, and a private key that remains confidential, ensuring security and authenticity. DIDs empower individuals to assert their identity independently, offering a self-sovereign form of identification. This autonomy enables individuals to provide verifiable facts about themselves to others in a secure and privacy-preserving manner, a cornerstone of the evolving landscape of digital interactions and trust.

A DID is assigned to an Affinidi Vault user upon successful registration.

The DID method used by Affinidi Vault is did:key.
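As an added illustration (not Affinidi's own code), the did:key method embeds the raw public key in the identifier itself: a multicodec prefix for the key type, then base58btc encoding with a leading "z". The snippet below encodes a constructed Ed25519 public key into a did:key and resolves it back, rejecting identifiers of other methods or key types; the sample key bytes are constructed, not a real key.

```python
# Added example: did:key encoding/decoding for Ed25519 keys (not Affinidi code).
# A did:key carries the public key itself, so resolving it needs no registry:
#   did:key:z<base58btc(multicodec_prefix || raw_public_key)>
# 'z' is the multibase prefix for base58btc; 0xed 0x01 is the multicodec varint
# for ed25519-pub, which is why every Ed25519 did:key begins with "z6Mk".

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_PUB_MULTICODEC = b"\xed\x01"


def b58encode(data: bytes) -> str:
    """Bitcoin-style base58 encoding; each leading zero byte becomes '1'."""
    n = int.from_bytes(data, "big")
    chars = []
    while n:
        n, rem = divmod(n, 58)
        chars.append(B58_ALPHABET[rem])
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + "".join(reversed(chars))


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + body


def did_key_from_ed25519(public_key: bytes) -> str:
    if len(public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return "did:key:z" + b58encode(ED25519_PUB_MULTICODEC + public_key)


def ed25519_from_did_key(did: str) -> bytes:
    """Resolve a did:key back to the raw key; reject anything unexpected."""
    prefix = "did:key:z"
    if not did.startswith(prefix):
        raise ValueError("not a base58btc did:key identifier")
    raw = b58decode(did[len(prefix):])
    if raw[:2] != ED25519_PUB_MULTICODEC or len(raw) != 34:
        raise ValueError("did:key does not carry an Ed25519 public key")
    return raw[2:]


# Constructed sample key (not a real key): 32 deterministic bytes.
SAMPLE_PUBLIC_KEY = bytes(range(32))
SAMPLE_DID = did_key_from_ed25519(SAMPLE_PUBLIC_KEY)
```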

Verifiable Credentials

Verifiable Credentials (VCs) are digital attestations that are cryptographically signed and verifiable, making them tamper-evident and reliable. VCs can represent various facets of an individual’s identity, from academic achievements and employment history to medical records. These credentials place control and privacy squarely in the hands of the individual, who can store and manage them in a digital identity wallet, for instance, Affinidi Vault.

An Email VC is issued to Affinidi Vault users after successful account creation, and it is signed by Affinidi. These verifiable credentials are stored in the Affinidi Vault and shared only with the user's consent.

Affinidi Vault issues VCs using the W3C Verifiable Credentials Data Model.

Verifiable Presentations

A Verifiable Presentation (VP) is a collection of one or more VCs, packaged in a specific way for presentation to a “verifier” such as a service provider. VPs are digitally signed by the holder (using their private key) to prove control over the included VCs. They allow you to selectively disclose only the relevant information from your VCs, preserving privacy. The verifier can then cryptographically validate the VP. VPs are important because they offer a more secure and privacy-conscious way to prove your identity than sharing raw VCs. For example, to prove your age at an age-restricted venue, you can present a VP containing only your birthdate without revealing your nationality or address, compared with the current practice of showing your driver’s licence or identification card.

```mermaid
sequenceDiagram
    actor User
    participant Affinidi Vault
    participant Affinidi Login

    User->>Affinidi Vault: User confirms consent to share data
    Affinidi Vault->>Affinidi Vault: Generate Verifiable Presentation (VP) of shared VCs
    Affinidi Vault->>Affinidi Login: Send the Verifiable Presentation (VP Token)
```

OpenID for Verifiable Presentations

OpenID for Verifiable Presentations (OID4VP) is an extension to the OpenID Connect (OIDC) standard that enables users to act as their own identity provider without relying on third-party providers. This extension incorporates the Presentation Exchange Protocol, allowing verifiable credentials to be requested and presented. Explore our documentation on how Affinidi Login utilises the Presentation Exchange Protocol to enable developers to verify the identity of the user.

With OID4VP, the “VP Token” is introduced, a new token type for conveying Verifiable Presentations (VPs). It utilises the Presentation Exchange Protocol from the Decentralized Identity Foundation (DIF) within the OIDC “claims” request parameter. This integration lets applications specify their credential requirements and assists verifiers in processing the presented credentials.

Here is the representation of OID4VP implementation with Affinidi Login and Affinidi Vault, which stores the verifiable credentials of the user and enables consent management for data sharing.

```mermaid
sequenceDiagram
    actor User
    participant Affinidi Login
    participant Affinidi Vault

    Affinidi Login->>Affinidi Vault: Initialise request to the Vault with Authorisation request
    Affinidi Vault->>User: Show Consent screen to share data
    User->>Affinidi Vault: User confirms consent to share data
    Affinidi Vault->>Affinidi Vault: Generate Verifiable Presentation (VP)
    Affinidi Vault->>Affinidi Login: Redirect to Affinidi Login with the VP Token Response
    Affinidi Login->>User: Show extension loading screen
    Affinidi Login->>Affinidi Login: Extract VP Token from the Response
```

Affinidi Login converts the VP Token into a standard format called “ID Token”. It sends the ID Token to the requestor (an application or website) to verify the user’s identity.
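The checks a verifier applies before turning a VP Token into ID Token claims, as an added example that is not Affinidi Login's own code. It assumes the W3C VC Data Model JSON shape, a credential type named "Email", placeholder DIDs, and that the cryptographic proofs on the VP and each VC are verified separately with the holder's and issuer's keys; the sample VP token is constructed.

```python
# Added example (not Affinidi's code): verifier-side checks on a VP token
# before it is converted into ID Token claims. Signature verification of the
# VP and VC proofs is assumed to happen elsewhere; DIDs are placeholders.
import json

TRUSTED_ISSUERS = {"did:key:zISSUER_PLACEHOLDER"}  # issuers whose VCs we accept

# Constructed sample VP token, as the holder's wallet would present it.
SAMPLE_VP_TOKEN = json.dumps({
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "type": ["VerifiablePresentation"],
    "holder": "did:key:zHOLDER_PLACEHOLDER",
    "verifiableCredential": [{
        "@context": ["https://www.w3.org/2018/credentials/v1"],
        "type": ["VerifiableCredential", "Email"],  # assumed type name
        "issuer": "did:key:zISSUER_PLACEHOLDER",
        "issuanceDate": "2024-01-01T00:00:00Z",
        "credentialSubject": {"id": "did:key:zHOLDER_PLACEHOLDER",
                              "email": "user@example.com"},
    }],
    "proof": {"type": "Ed25519Signature2020", "challenge": "nonce-123"},
})


def vp_token_to_id_claims(vp_token: str, expected_nonce: str) -> dict:
    """Return ID Token claims derived from a VP token, or raise ValueError."""
    vp = json.loads(vp_token)
    if "VerifiablePresentation" not in vp.get("type", []):
        raise ValueError("not a Verifiable Presentation")
    holder = vp.get("holder")
    if not holder:
        raise ValueError("presentation names no holder")
    # The challenge binds this presentation to our authorisation request,
    # so a VP captured from another session cannot be replayed here.
    if vp.get("proof", {}).get("challenge") != expected_nonce:
        raise ValueError("presentation does not answer our nonce")
    claims = {"sub": holder}
    for vc in vp.get("verifiableCredential", []):
        if vc.get("issuer") not in TRUSTED_ISSUERS:
            raise ValueError("credential from an untrusted issuer")
        subject = vc.get("credentialSubject", {})
        # Holder binding: the presenter must be the subject of every credential.
        if subject.get("id") != holder:
            raise ValueError("credential subject does not match holder")
        if "Email" in vc.get("type", []):
            claims["email"] = subject["email"]
    return claims
```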

OpenID for Verifiable Credential Issuance

OpenID for Verifiable Credential Issuance (OID4VCI) is an extension to the OpenID Connect (OIDC) standard that provides the mechanism for Issuers to issue Verifiable Credentials to Affinidi Vault users, and for those users to obtain the credentials. This extension uses the OAuth 2.0 authorisation flow to obtain authorisation to receive Verifiable Credentials, enabling the issuance process to benefit from the established security and flexibility of the OAuth 2.0 framework.

```mermaid
sequenceDiagram
    actor User
    participant Affinidi Vault
    participant Credential Issuance Service

    User->>Affinidi Vault: Enters the Transaction Code to view the Credential Offer
    Affinidi Vault->>Credential Issuance Service: Resolves the Offer URI and gets the Credential Offer with the Access Token
    Note over Affinidi Vault, Credential Issuance Service: Affinidi Vault will exchange the Trx Code and Pre-Auth Code <br /> for the Access Token to get the Credential
    Credential Issuance Service->>Credential Issuance Service: Validate credential proof
    Credential Issuance Service->>Credential Issuance Service: Update Credential Offer as Claimed
    Credential Issuance Service->>Affinidi Vault: Return the Verifiable Credential
    Affinidi Vault->>User: Presents the Verifiable Credential
    User->>Affinidi Vault: Accepts the Verifiable Credential
    Affinidi Vault->>Affinidi Vault: Securely stores the Verifiable Credential
```

The Issuer sends the Affinidi Vault user a claim link that contains the Credential Offer URI. The Credential Offer URI is used to obtain the access token required to retrieve the issued credential. The user can choose to accept the credential and store it in the Affinidi Vault, or reject the credential offer.
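The wallet side of the pre-authorised code exchange described above, as an added example that is not Affinidi Vault's code: it parses a constructed claim link carrying the credential offer by value and builds the token request, refusing to proceed when the offer demands a transaction code that the user has not entered. The parameter names (credential_offer, grants, pre-authorized_code, tx_code) follow the OID4VCI draft specification as assumed here, and the issuer URL is a placeholder; Affinidi's concrete payloads may differ.

```python
# Added example (not Affinidi's code): wallet side of the OID4VCI
# pre-authorized code flow, from claim link to token request. Parameter names
# are assumed from the OID4VCI draft; the issuer URL is a placeholder.
import json
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

# Constructed claim link with the offer embedded by value; the Offer URI
# variant instead points at a URL that returns the same JSON document.
SAMPLE_CLAIM_LINK = "openid-credential-offer://?credential_offer=" + quote(
    json.dumps({
        "credential_issuer": "https://issuer.example.invalid",
        "credential_configuration_ids": ["EmailCredential"],
        "grants": {PRE_AUTH_GRANT: {
            "pre-authorized_code": "PRE-AUTH-CODE-PLACEHOLDER",
            "tx_code": {"input_mode": "numeric", "length": 4}}},
    }), safe="")


def parse_credential_offer(link: str) -> dict:
    query = parse_qs(urlparse(link).query)
    if "credential_offer" not in query:
        raise ValueError("claim link carries no credential offer")
    offer = json.loads(query["credential_offer"][0])
    if PRE_AUTH_GRANT not in offer.get("grants", {}):
        raise ValueError("offer does not use the pre-authorized code grant")
    return offer


def build_token_request(offer: dict, tx_code: Optional[str]) -> dict:
    """Form parameters the wallet posts to the issuer's token endpoint."""
    grant = offer["grants"][PRE_AUTH_GRANT]
    params = {"grant_type": PRE_AUTH_GRANT,
              "pre-authorized_code": grant["pre-authorized_code"]}
    spec = grant.get("tx_code")
    if spec is not None:
        # The transaction code reaches the user out of band; without it,
        # possession of the claim link alone would be enough to redeem the offer.
        if tx_code is None:
            raise ValueError("this offer requires the transaction code")
        if spec.get("input_mode") == "numeric" and not tx_code.isdigit():
            raise ValueError("transaction code must be numeric")
        if "length" in spec and len(tx_code) != spec["length"]:
            raise ValueError("transaction code has the wrong length")
        params["tx_code"] = tx_code
    return params
```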

Set up the Affinidi Vault and developer tools to get started with Affinidi Trust Network.