System architecture

Technologies and concepts being used

Self-Sovereign Identity (SSI)

SSI is a digital identity concept that gives individuals control over the information they use to identify themselves to websites, services and applications on the Internet, by managing their identity data directly and without intermediaries or central authorities. In traditional identity systems, individuals often have limited control over their personal data, which is stored and managed by central authorities such as governments, companies or service providers. This can lead to problems of privacy, security and lack of user autonomy.

SSI is based on decentralized and cryptographic technologies, providing individuals with the ability to share only the specific information required for a particular transaction or interaction, without disclosing unnecessary personal data.

Through the SSI EduWallets implementation it is possible to leverage the features of this new paradigm and provide a new way to exchange data securely, flexibly and interoperably.

European Digital Identity wallets (EUDI)

EUDI wallets are applications for managing the digital identity of a citizen of a European Union country. These applications are part of the proposal for a single European digital identity, which allows transactions to be performed at both public and private level with greater security and control over information. EUDI wallets enable users to securely store and access identification data derived from their national eIDs within an app, locally or remotely upon request, with full control over their data. Moreover, these wallets can store not only verifiable identity credentials but also other verifiable credentials, such as education credentials.

EUDI wallets comply with the ESSIF and use the services of EBSI to store relevant information about identities and transactions in the ledger, ensuring data accuracy and security. These wallets will be used by both government services and private companies to bring together multiple procedures, such as payments, travel, the management of personal identity credentials or the management of academic degrees, within the same application.

Since there is currently no digital identity provider under the eIDAS 2.0 proposal, verifiable identity credentials cannot be obtained at the moment, so these credentials cannot currently be used in the project's implementation. Therefore, the use of these wallets within platforms implementing SSI EduWallets depends on using DIDs as the unique identifier for each user.

European Self-Sovereign Identity Framework (ESSIF)

ESSIF is an initiative and framework developed by the European Commission to promote and support the implementation of self-sovereign identity (SSI) solutions across Europe. It seeks to build a more user-centric and privacy-preserving approach to digital identity, supporting the broader goal of a trusted and secure digital society in Europe.

The goal of ESSIF is to enable individuals to have greater control over their digital identity and personal data while ensuring privacy, security and interoperability, by establishing a standardized and interoperable ecosystem for SSI solutions. ESSIF allows individuals to manage their personal data, decide who can access it, and provide verifiable credentials without the need for intermediaries or central authorities.

SSI EduWallets leverage this framework to perform all the activities related to SSI and the management of verifiable credentials.

Decentralized Identifiers (DID)

Decentralized identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. “A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.)”.

Decentralized identifiers are the cornerstone of self-sovereign identity (SSI). DIDs are URL-based identifiers associated with an entity; “a DID is just a long string that does not provide any meaningful information about a natural or legal entity. DIDs and DID Documents are generated by their owners with their wallet or back-office systems”. These identifiers are most often used in a verifiable credential, where they are associated with subjects so that the credential itself can be easily ported from one repository to another without needing to be reissued.

A decentralized identifier document (DID document) contains information related to a specific DID, such as the associated repository and public-key information. DIDs are used to ensure the authenticity of issuers and holders in machine-verifiable documents known as Verifiable Credentials (VCs).

Within a decentralized blockchain infrastructure like EBSI, DIDs and DID Documents are aimed at Legal Entities. They are registered in DID Registries that help establish a trust framework and a secure and reliable Decentralised Public Key Infrastructure (DPKI). DID registries enable DID controllers to register, update or deactivate their DIDs and DID Documents.

A DID consists of three parts: the scheme "did:", which is the first part of every DID; the "method", a mechanism or protocol for creating and managing unique, decentralized identifiers; and the "DID method-specific identifier", a unique value generated according to the rules of that method.

SSI EduWallets use DIDs for both the “issuer” and the “holder”. For the issuer within EBSI, the DID and the public key are stored on the blockchain so that third parties can verify them. For the holder, the DID is generated and stored by the user’s wallet.

If the DIDs are created with the “key” method, none of them are stored on the blockchain. This method makes it possible to work with DIDs and VCs without any decentralized service (no blockchain needed!).
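The three-part DID syntax and the “key” method described above, as an added Go example that is not part of the SSI EduWallets code base: ParseDID splits a DID into its method and method-specific identifier, and DIDKeyFromEd25519/ResolveDIDKey show why did:key needs no ledger, since the identifier is just the multicodec-prefixed public key in base58btc. The choice of Ed25519 keys and all function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"math/big"
	"strings"
)

// ParseDID splits "did:<method>:<method-specific-id>" into its method and identifier.
func ParseDID(s string) (method, id string, err error) {
	parts := strings.SplitN(s, ":", 3)
	if len(parts) != 3 || parts[0] != "did" || parts[1] == "" || parts[2] == "" {
		return "", "", errors.New("not a valid DID: " + s)
	}
	return parts[1], parts[2], nil
}

// base58btc alphabet, selected by the multibase prefix 'z' that did:key uses.
const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

func b58Encode(b []byte) string {
	x := new(big.Int).SetBytes(b)
	var out []byte
	for mod := new(big.Int); x.Sign() > 0; {
		x.DivMod(x, big.NewInt(58), mod)
		out = append(out, b58[mod.Int64()])
	}
	for i := 0; i < len(b) && b[i] == 0; i++ {
		out = append(out, '1') // each leading zero byte becomes a leading '1'
	}
	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
		out[i], out[j] = out[j], out[i] // digits were produced least significant first
	}
	return string(out)
}

func b58Decode(s string) ([]byte, error) {
	x := new(big.Int)
	for _, c := range s {
		i := strings.IndexRune(b58, c)
		if i < 0 {
			return nil, errors.New("invalid base58 character")
		}
		x.Mul(x, big.NewInt(58)).Add(x, big.NewInt(int64(i)))
	}
	leadingZeros := len(s) - len(strings.TrimLeft(s, "1"))
	return append(make([]byte, leadingZeros), x.Bytes()...), nil
}

// Multicodec prefix for an Ed25519 public key (0xed as an unsigned varint).
var ed25519Codec = []byte{0xed, 0x01}

// DIDKeyFromEd25519 builds a did:key DID. The public key is embedded in the
// identifier itself, so resolving it needs no registry or ledger.
func DIDKeyFromEd25519(pub ed25519.PublicKey) string {
	return "did:key:z" + b58Encode(append(append([]byte{}, ed25519Codec...), pub...))
}

// ResolveDIDKey is the verifier-side step: it recovers the Ed25519 public key
// carried by a did:key DID and rejects anything that is not one.
func ResolveDIDKey(did string) (ed25519.PublicKey, error) {
	method, id, err := ParseDID(did)
	if err != nil || method != "key" || !strings.HasPrefix(id, "z") {
		return nil, errors.New("not a base58btc did:key: " + did)
	}
	raw, err := b58Decode(id[1:])
	if err != nil || !bytes.HasPrefix(raw, ed25519Codec) || len(raw) != 2+ed25519.PublicKeySize {
		return nil, errors.New("not an Ed25519 did:key: " + did)
	}
	return ed25519.PublicKey(raw[2:]), nil
}
```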

Verifiable Credentials Data Model (VC)

Credentials are a part of our daily lives: driver's licenses are used to assert that we are capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries. Verifiable credentials together with DIDs are the core of the SSI paradigm. Verifiable credentials provide a mechanism to express these sorts of credentials digitally on the Web, normally in JSON-LD or JWT format, in a way that is cryptographically secure, privacy-respecting and machine-verifiable.

The verifiable credentials have features such as:

  • Portability: because they are digital documents, they can be safely shared with third parties.

  • Interoperability: because they are created in common formats such as JSON-LD or JWT, and their definition is based on a schema that can be a public standard.

  • Security: VCs use asymmetric cryptography and digital signatures to keep the credentials safe and tamper-proof.

  • Selective disclosure: the individual has control over which pieces of information they share in a given context. They can selectively disclose specific attributes without revealing unnecessary personal data.

  • Revocability: verifiable credentials can be revoked by the issuer if the information they contain becomes outdated or invalid. This adds an additional layer of trust and assurance.

The SSI EduWallets implementation uses an educational verifiable credential: a type of digital credential that represents an individual's educational achievements, qualifications or accomplishments in a verifiable and tamper-resistant manner. It serves as a secure and portable proof of the person's educational history and can be shared with third parties.

Verifiable Credential schemas

Verifiable credential schemas are a standardized format or data model, normally in JSON-LD, used to describe and define the structure and constraints of a verifiable credential type. Verifiable credential schemas allow verifiable credentials to be easily shared and verified between different parties, because following a standard for defining a verifiable credential makes them interoperable between different systems.

Within EBSI or other decentralized systems, these schemas are usually published in a public repository so that they are known to and usable by all parties in the system.

SSI EduWallets define their own schema for the user learning outcome verifiable credential that was created; this schema is based on the in a simplified way, because none of the current definitions are standardized yet. Interoperability will therefore be possible once the issuer is onboarded on the EBSI ecosystem and the schema is published.

Verifiable Presentation (VP)

Verifiable presentations are structures similar to verifiable credentials (they are also based on JSON-LD or JWT) that hold the definition of the presentation, the verifiable credentials that will be verified, and the user's signature and encryption.

Verifiable presentations have the mission to demonstrate the validity of their verifiable credentials without revealing unnecessary or sensitive information. It is a core concept in decentralized identity systems and plays a crucial role in enabling selective disclosure of information during identity verification processes. When an individual needs to prove certain attributes or qualifications to a verifier they can create a verifiable presentation. This presentation acts as a wrapper around one or more verifiable credentials, allowing the individual to disclose only the specific attributes required for the verification process, while keeping the rest of the credential data private.

The verifiable presentation includes a cryptographic proof that proves the authenticity and validity of the underlying verifiable credentials without exposing the raw data contained within them.

When the verifier verifies a verifiable presentation, it first validates the user's signature, which is part of the verifiable presentation, and then, for each verifiable credential within the presentation, validates the issuer's signature on that credential.

SSI EduWallets use verifiable presentations to exchange verifiable credentials from the users’ wallets to third parties. The verification of the verifiable credentials takes place off the blockchain, because EBSI is not publicly available yet.

European Blockchain Services Infrastructure (EBSI)

EBSI is an initiative of the European Union (EU) aimed at developing a service infrastructure based on blockchain technology to enhance and strengthen the delivery of public services throughout Europe.

EBSI aims to leverage the potential of blockchain technology to provide more secure, transparent, efficient, and reliable digital services in various areas and sectors, such as public administration, healthcare, education, transportation, digital identity, and more.

The infrastructure is designed to be interoperable and available for use by different EU member states, allowing for greater collaboration and coordination in the provision of digital services at the European level. “The basic architecture of EBSI is composed of three main elements: APIs, exposed on the public internet, which allow applications to connect; Smart Contracts, which act as a go-between the outside world (APIs) and the ledger; that is a decentralized database of information that can be accessed by actors looking to complete a business process”. “All of EBSI's Core Technical Services - APIs, Smart Contracts, and the EBSI ledger - are hosted in a decentralized way, by a network of nodes all across Europe. They synchronize their copies of the ledger, making it distributed, and all make EBSI's Core Technical Services available”.

Basically, the EBSI infrastructure serves to store records such as the DIDs of legal entities, to record the transactions that are carried out, and to verify data by accessing the ledger. This way, security and availability are enhanced.

The key points of using EBSI are:

  • Security and trust: Blockchain technology guarantees the security and authenticity of data, generating greater confidence in records and transactions.

  • Transparency and traceability: The immutability of the blockchain allows greater transparency and monitoring of operations and data.

  • Efficiency and cost reduction: Process automation improves efficiency and lowers operating costs.

  • Interoperability: EBSI is designed to be used by different countries of the European Union, facilitating collaboration and information exchange.

  • Authentication and identity security: Enables more secure and decentralized digital identity systems.

  • Document verification and authenticity: Guarantees the authenticity of important documents, reducing the risk of fraud.

  • Improvement of public services: Provides a more reliable and secure infrastructure for the provision of digital services.

  • Promotion of innovation: Promotes the development of advanced and efficient digital solutions.

SSI EduWallets seek to leverage the EBSI ecosystem to perform all the operations related to the SSI paradigm.

European Learning Model (ELM)

The ELM is a multilingual data model, developed by the European Commission, that provides a single vocabulary for the description of learning in Europe, for the interoperability of learning opportunities, qualifications, accreditation and credentials.

“The European Learning Model aims to capture the results of any non-formal and formal learning across Europe, as well as the validation of non-formal and informal learning. It is designed to provide a single format to describe certificates of attendance, examination results, degrees and diplomas, diploma supplements, professional certifications, employer recommendations and any other kind of claims that are related to learning”. Having a single model at European level promotes the free movement of workers and learners through comparability, portability and transparency of data.

“This, in turn, eases the data exchange process across Europe as any organization or entity working with learning can make use of the same concepts, making the data understandable even across languages”.

Even though the ELM was created for the use cases, SSI EduWallets, in defining the user learning outcome VC and the schema that describes it, use a portion of (which was created based on the W3C standards for verifiable credentials in order to be interoperable) rather than the entire definition of attributes and properties, to provide and describe the key data within the verifiable credential once a user has completed a course or exam.

Qualification Metadata Schemata (QMS)

QMS refers to a standard structure used to describe and represent detailed information about a specific qualification. This schema is commonly used in the context of Verifiable Credentials and other qualification management systems to provide additional details about a given qualification or competency.

The Qualification Metadata Schemata includes relevant information about the qualification within the verifiable credentials, such as the name of the qualification, the associated education or training level, the learning outcomes or skills acquired, the issuing institution, credits or study hours, among other attributes.

The qualification schema used within verifiable credentials helps to expose the learning results a user has acquired in a structured and detailed way, so that the third parties to whom these credentials are presented obtain the results in that same structured and detailed form.

This is very important when issuing verifiable educational credentials in which learning outcomes, qualifications, learning opportunities, skills and occupations need to be disclosed. Within the QMS it is possible to use to describe what the user achieves once he/she completes a certain assessment. With this data a user can look for a specific job or a higher educational level.

SSI EduWallets try to adapt and make use of this metadata schema in order to define a standard structure for the classification of qualifications.

European Skills, Competences, Qualifications and Occupations (ESCO)

ESCO is the European multilingual classification of Skills, Competences and Occupations. ESCO works as a dictionary, describing, identifying and classifying professional occupations and skills relevant for the EU labor market and education and training. Those concepts and the relationships between them can be understood by electronic systems, which allows different online platforms to use ESCO for services like matching job seekers to jobs on the basis of their skills, suggesting training to people who want to reskill or upskill, etc.

The aim of ESCO is to support job mobility across Europe and therefore a more integrated and efficient labour market, by offering a “common language” on occupations and skills that can be used by different stakeholders on employment and education and training topics.

SSI EduWallets make use of the ESCO classifications to provide the skills and occupations that users achieve once they complete a course or assessment.

System components

Wallets

Wallets are one of the three cornerstones of the SSI paradigm: applications that let users exchange verifiable credentials with issuers and verifiers, and store the verifiable credentials and decentralized identifiers that users need in order to be compliant with the SSI EduWallets implementation. Such wallets are, for example, developed by third parties following European standards. The SSI EduWallets implementation provides a web wallet that acts as a demo. It was also tested with another compliant wallet provider “” in a proof of concept of a cross-device flow. Both use cases were tested successfully, so the issuance flow could be performed.

Demo web wallet

It is a demo wallet application that simulates a real wallet workflow and runs based on the. It was configured to perform a web wallet flow for performing the issuance and verification.

User Interface

The user interface is the part of the software responsible for graphically presenting an abstraction of the logic behind the implementation to users of the learning platforms that implement SSI EduWallets; it is where users interact directly with the implementation. The user interface is implemented as several frontend views that display the steps of issuing verifiable credentials and verifying verifiable presentations. This graphical layer makes requests to the different APIs to interact and exchange data.

Wallet Kit API

The Wallet Kit API is a third-party integration connected with the issuer and verifier APIs; it is the core of the Web 3.0 and SSI stack and performs all the operations related to the SSI paradigm and VCs. This API is responsible for DID creation, verifiable credential issuance, verifiable presentations, verifiable credential security, the exchange of verifiable credentials, and the demo web wallet. This API is not directly accessible; the other APIs are responsible for communicating with it.

Issuer API (Open API)

The issuer API is one of the three cornerstones of the SSI paradigm. It is the main component in charge of handling the user requests that start the verifiable credential issuance flow and of communicating with the wallet kit API (which performs the issuance process). This component must be implemented in each platform to enable the issuance of verifiable credentials to users with a compliant wallet. Once the issuer API is integrated in a platform, it can interact directly with the users’ wallets, and it interacts with the wallet kit API to issue an educational verifiable credential to the platform's users, e.g. once they complete a course.

Verifier API (Open API)

The verifier API is one of the three cornerstones of the SSI paradigm. It is the main component in charge of handling the user requests to create a verifiable presentation, which triggers the start of the verification flow, and of communicating with the wallet kit, which performs the verification process. This component must be implemented within any platform that wants to verify and validate verifiable credentials from users with a compliant wallet. Once the verifier API is integrated in a platform, it can interact directly with the users and connects with the wallet kit API to verify whether a verifiable credential is valid. As soon as the verification process succeeds, the platform can use the released data of the verifiable credentials to perform further actions.

System architecture

Implementation architecture

The implementation of SSI EduWallets is based on the integration of five key components (Wallet Kit API, Issuer API, Verifier API, issuance/verification UI and demo web wallet) within a client's infrastructure, such as an e-learning platform. These components allow a platform to issue verifiable credentials to, and verify verifiable credentials from, users who use compatible wallets or the demo web wallet. Once these software components are integrated, they communicate and exchange information with the users’ wallets through the . To integrate these components into an e-learning platform, a microservices-based architecture is provided to run and deploy them using Kubernetes and a Helm chart.

The issuance and verification UI components can be integrated as a plugin into the front end of the client, from where platform users can interact with the SSI EduWallets implementation to graphically perform the operations associated with issuing and verifying verifiable credentials. These components make API calls to initiate the operations and establish communication between the platform and the user's wallet.

The demo web wallet is integrated into the client's platform by cloning the repository, then deploying and running the front-end container that serves this web app. From its user interface, any user can use the demo as a web wallet that simulates the workflow of a real one: requesting verifiable credentials, creating verifiable presentations, and receiving, storing and managing verifiable credentials. This frontend makes API calls to perform all the operations related to the issuance, verification and storage of verifiable credentials.

The issuer and verifier APIs are integrated into the client's platform by cloning the repositories and running the Kubernetes pods. These APIs handle the requests that users enter through the issuance/verification UI, process them and forward them to the wallet kit API.

The wallet kit API is integrated into the client's platform by cloning the wallet kit repository, then deploying and running its Kubernetes pod, which performs all the tasks of the SSI and VC workflow: DID generation, the cryptography of the VCs, the exchange of VCs, communication with the EBSI ecosystem, issuance of VCs, reading VPs and verifying VPs.

Since the issuance and verification processes can be implemented without any decentralized blockchain system, an issuer and a user can generate their own DIDs and public/private key pairs through their wallets. When using a blockchain ecosystem like EBSI, DIDs and keys will need to be issued by the blockchain provider. For the proof of concept, DIDs are created with the “key” method, which encodes the public key in the DID so that it can be used for verification.

VPs are signed with the private keys of both the issuers of the VCs and the holder (presenter) of the VP. Using the public keys of the issuers and the holder, the verifier is able to fully validate the custody chain for the whole VP.

The SSI EduWallets implementation currently uses the “key” method because the EBSI ecosystem is not publicly available yet.
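The verification order given in the Verifiable Presentation section (holder signature first, then each issuer signature) and the two-level signing of VPs described above, as an added Go example that is not the project's Wallet Kit code: VerifyPresentation validates the holder's EdDSA signature on a JWT-encoded VP, then the issuer's signature on every embedded JWT VC, and finally checks that each VC's subject is the DID presenting it, which is what validating the custody chain requires. The Resolver map is an assumed stand-in for DID resolution (the EBSI ledger for issuer DIDs, or decoding a did:key), and the claim layouts are this example's own simplification.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// Resolver stands in for DID resolution (assumed here: a plain DID-to-key map).
type Resolver map[string]ed25519.PublicKey

// SignJWT builds a compact EdDSA JWS, the shape of JWT-encoded VCs and VPs.
func SignJWT(claims any, kid string, priv ed25519.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// VerifyJWT resolves the DID in "kid", checks the signature and decodes the claims into v.
func VerifyJWT(token string, r Resolver, v any) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	hdrRaw, e1 := b64.DecodeString(parts[0])
	plRaw, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return errors.New("malformed JWT encoding")
	}
	var hdr map[string]string
	_ = json.Unmarshal(hdrRaw, &hdr) // an unparsable header fails the alg check below
	pub, ok := r[hdr["kid"]]
	if hdr["alg"] != "EdDSA" || !ok {
		return errors.New("unsupported alg or unresolvable DID: " + hdr["kid"])
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature for " + hdr["kid"])
	}
	return json.Unmarshal(plRaw, v)
}

// VerifyPresentation checks the holder's signature on the VP first, then the issuer's
// signature on each embedded VC, then that each VC's subject is the presenting DID.
func VerifyPresentation(vpJWT string, r Resolver) ([]map[string]any, error) {
	var vp struct {
		Iss string `json:"iss"`
		VP  struct {
			VCs []string `json:"verifiableCredential"`
		} `json:"vp"`
	}
	if err := VerifyJWT(vpJWT, r, &vp); err != nil {
		return nil, err
	}
	var released []map[string]any
	for _, vcJWT := range vp.VP.VCs {
		var vc map[string]any
		if err := VerifyJWT(vcJWT, r, &vc); err != nil {
			return nil, err
		}
		if vc["sub"] != vp.Iss {
			return nil, errors.New("credential not bound to the presenting holder")
		}
		released = append(released, vc)
	}
	return released, nil
}
```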

EBSI architecture

The entire stack can be integrated into any educational platform that is to be included in the EBSI ecosystem as a trusted issuer. To become an issuer in EBSI, the platform must meet some prior requirements and validation by the and then generate a DID, a private key and a public key. This . The DID and public key are then stored in the EBSI ledger, a decentralized blockchain database that is synchronized between the nodes that comprise it. Afterwards, a trusted authority organization (TAO) will grant the platform permission to issue certain types of verifiable credentials, in this case educational verifiable credentials.

Once the system is integrated into EBSI, the Wallet Kit API is responsible for managing all processes within the EBSI ecosystem. When a user requests the issuance of a verifiable educational credential, a record is stored in the EBSI ledger to ensure traceability. Later, if the user presents this verifiable credential to a third party, the third party can verify the credential's validity and authenticity simply by checking the issuer's DID and public key in the ledger and the user's (VC holder's) DID and public key (resolving the user's DID, which contains the public key).
