DIDkit exploration

#ahau is exploring in the space of identity and as part of that @Maui (Android) has been really involved with Digital Identity NZ - a collective of businesses, govt, banks, etc all working together on what digital identity could look like in NZ. For Maori this is quite and exciting space because it's an opportunity to move from state/crown-owned and issued credentials (passports, birth certificates) to iwi controlled processes. This is in alignment with the Treaty signed which guaranteed sovereignty

This week I started exploring @cel's work on DIDkit. I spun up the code and then had a call with Cel to learn more about the tools and the space. I'm gonna share a little of what I've learnt here

An example use case we might explore

Diagram showing Mix using Ahau to register with his Iwi (1). Upon being accepted to his Iwi he is issued a Verifiable Credential (object signed by the Iwi saying "yes Mix is part of this Iwi" (2). Later he applies for a bank account and presents his Verifiable Credential with his application (3). The bank recognises the Iwi's signature, and so trusts Mix is who he says he is

How does the the bank know about the Iwi and trust it as an Authority on identity?

Diagram showing that earlier, the Iwi has registered itself with the bank, jumping through a bunch of KYC/AML (known your customer, anti-money laundering) bureaucratic hoops (1). The bank processes and stores the the Iwi's DID info, allowing it to verify later credentials signed by that DID key (2), and say "good to go" to the Iwi

The idea is that this makes it much easier for the individual (Mix here) to get set up with a bank account. His identity is verified by his Iwi (by criteria that matter to the Iwi, not the crown), and the Iwi's identity and authority is acknowledged by the Bank.

What generating and checking a VC (Verifiable Credential) can look like with DIDkit:

const DIDKit = require('@spruceid/didkit')

const IwiKey = DIDKit.generateEd25519Key()
// => {
//   kty: 'OKP',
//   crv: 'Ed25519',
//   x: '3VnDgE3ttwbgWWxCGFBvfLRH03BISSig4EAHoX0PdQQ',
//   d: 'NgUiAQ5gM97-p5m1PbjrqtKnO07zuA6rUbjMxcPeFVU'
// }

const DID_TYPE = 'key' // this can be eth, sol, ...
const IwiDid = DIDKit.keyToDID(DID_TYPE, IwiKey)
// => did:key:z6MkuMKXw5roRQY3JoiVdybfGSDbqoEe3dcGVVbbXXRKZwu5
// mapped from curve + publicKey

const MixDid = 'did:ahau:d23dd687a7dc6787646f2eb98d0' // << Mix's ID

const verifialbleCredential = DIDKit.issueCredential({
  '@context': [
    'https://www.w3.org/2018/credentials/v1'
  ],
  type: ['VerifiableCredential'],
  issuer: IwiDid,
  issuanceDate: '2022-02-19T21:41:50Z',
  credentialSubject: {
    id: MixDid
  }
}, {}, IwiKey)
// => {
//   '@context': [ 'https://www.w3.org/2018/credentials/v1' ],
//   type: [ 'VerifiableCredential' ],
//   credentialSubject: { id: 'did:ahau:d23dd687a7dc6787646f2eb98d0' },
//   issuer: 'did:key:z6MkuMKXw5roRQY3JoiVdybfGSDbqoEe3dcGVVbbXXRKZwu5',
//   issuanceDate: '2022-02-19T21:41:50Z',
//   proof: {
//     type: 'Ed25519Signature2018',
//     proofPurpose: 'assertionMethod',
//     verificationMethod: 'did:key:z6MkuMKXw5roRQY3JoiVdybfGSDbqoEe3dcGVVbbXXRKZwu5#z6MkuMKXw5roRQY3JoiVdybfGSDbqoEe3dcGVVbbXXRKZwu5',
//     created: '2022-04-13T22:04:26.992Z',
//     jws: 'eyJhbGciOiJFZERTQSIsImNyaXQiOlsiYjY0Il0sImI2NCI6ZmFsc2V9..VkDlbxGNf5VRbIzaNLKUVgxdPe_CVFad13tNWToqxV_Rpfpsf1GjfG3JMF_TJ4HOCYrDHt8icoU0BwDVGA_aAw'
//   }
// }

const result = DIDKit.verifyCredential(verifialbleCredential, {})
// => { checks: [ 'proof' ], warnings: [], errors: [] }
// no errors = ✓

Notes from Call with cel:

• VerifiablePresentation:
  • once you have a VC, this is how you present it to a third party
  • this proves who is delivering it
  • this proves you have control over the did mentioned in the VC
• contexts are resolved to get definitions
  • either the definition is a common one and bundled with verifying application (e.g. didkit)
  • OR they have to fallback to going and getting it

• ssb-keys > did keys

  • multicodec base58
  • ssb-keys private key is concat(private, public) (which is why it appears longer)

• API pretty stable, based on:

  • https://w3c-ccg.github.io/vc-api/

• presentation / credential exchange notes:

  • https://github.com/decentralized-identity/presentation-exchange
  • https://github.com/decentralized-identity/waci-presentation-exchange/
  • https://mattr.global/verifiable-credential-based-authentication-via-openid-connect/
  • https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html
  • https://w3c-ccg.github.io/credential-handler-api/
• https://internetidentityworkshop.com/

for those interested, diagrams drawn with hackmd + mermaid.js: https://hackmd.io/Ub_nxSnETDy22HE4wF334Q?both

I did some manual css-manipulation to make the bank black. Note that the diagram rendering is weird in Firefox, so I used Chrome

Nice notes!