Building Blocks of Decentralised Identity

Familiarise yourself with key concepts that enable decentralised identity and power the Affinidi Trust Network to realise the Holistic Identity vision.

Decentralised Identifiers

A Decentralised Identifier (DID) is a unique digital identifier that individuals issue, manage, and store themselves rather than relying on a centralised authority. Central to the DID framework is the use of cryptographic key pairs: a public key that is openly published for verification purposes, and a private key that remains confidential and is used to prove control of the identifier. DIDs empower individuals to assert their identity independently, offering a self-sovereign form of identification. This autonomy enables individuals to provide verifiable facts about themselves to others in a secure and privacy-preserving manner, a cornerstone of the evolving landscape of digital interactions and trust.

A DID is assigned to an Affinidi Vault user upon successful registration.

The DID method used by Affinidi Vault is did:key.

Verifiable Credentials

Verifiable Credentials (VCs) are digital attestations that are cryptographically signed and verifiable, making them tamper-evident and reliable. VCs can represent various facets of an individual’s identity, from academic achievements and employment history to medical records. These credentials place control and privacy squarely in the hands of the individual, who can store and manage them in a digital identity wallet such as Affinidi Vault.

An Email VC is issued to Affinidi Vault users after successful account creation, and it is signed by Affinidi. These verifiable credentials are stored in the Affinidi Vault and shared only with the user's consent.

Affinidi Vault issues VCs using the W3C Verifiable Credentials Data Model.

Verifiable Presentations

A Verifiable Presentation (VP) is a collection of one or more VCs, packaged in a specific way for presentation to a “verifier” such as a service provider. VPs are digitally signed by the holder (using their private key) to prove control over the included VCs. They allow you to selectively disclose only the relevant information from your VCs, preserving privacy. The verifier can then cryptographically validate the VP. VPs are important because they offer a more secure and privacy-conscious way to prove your identity than sharing raw VCs. For example, to prove your age at an age-restricted venue, you can present a VP containing only your birthdate without revealing your nationality or address, in contrast to the current method of showing your driver’s licence or identification card.

sequenceDiagram
    actor User
    participant Affinidi Vault
    participant Affinidi Login Service

    User->>Affinidi Vault: User confirms consent to share data
    Affinidi Vault->>Affinidi Vault: Generate Verifiable Presentation (VP) of shared VCs
    Affinidi Vault->>Affinidi Login Service: Send the Verifiable Presentation (VP Token)

OpenID for Verifiable Presentations

OpenID for Verifiable Presentations (OID4VP) is an extension to the OpenID Connect (OIDC) protocol that enables users to be their own identity provider without relying on third-party providers. This extension incorporates the Presentation Exchange Protocol, allowing verifiable credentials to be requested and presented. Explore our documentation on how Affinidi Login utilises the Presentation Exchange Protocol to enable developers to verify the identity of the user.

With OID4VP, the “VP Token” is introduced, a new token type for conveying Verifiable Presentations (VPs). It utilises the Presentation Exchange Protocol from the Decentralized Identity Foundation (DIF) within the OIDC “claims” request parameter. This integration specifies the credential requirements for applications and assists verifiers in processing the presented credentials.

Here is a representation of the OID4VP implementation with Affinidi Login and Affinidi Vault, which stores the verifiable credentials of the user and enables consent management for data sharing.

sequenceDiagram
    actor User
    participant Affinidi Login Service
    participant Affinidi Vault

    Affinidi Login Service->>Affinidi Vault: Initiate a request to the Vault with the authorisation request
    Affinidi Vault->>User: Show Consent screen to share data
    User->>Affinidi Vault: User confirms consent to share data
    Affinidi Vault->>Affinidi Vault: Generate Verifiable Presentation (VP)
    Affinidi Vault->>Affinidi Login Service: Redirect to Affinidi Login Service with the VP Token Response
    Affinidi Login Service->>User: Show extension loading screen
    Affinidi Login Service->>Affinidi Login Service: Extract VP Token from the Response

Affinidi Login Service converts the VP Token into a standard format called an “ID Token”. It sends the ID Token to the requestor (an application or website) so that it can verify the user’s identity.

Set up the Affinidi Vault and developer tools to get started with Affinidi Trust Network.