Project workflow

Educational VC issuance workflow outside EBSI

Issuance is carried out for each course or assessment that a user completes. When a user completes a course or assessment, he/she can claim a digital certificate, or "verifiable credential", from the issuance UI. From there the user can follow one of two flows: the web wallet flow, in which the user starts the issuance flow with her/his web wallet if the issuer has configured it, or the cross-device flow, in which the issuance UI generates a QR code that any compliant user wallet can scan to start the issuance flow.

The generated educational VC is composed of the user's data (such as the user's DID), the platform's data (such as the issuer DID), the course data, such as the ESCO skills and occupations that define what the user has acquired in the course, and finally the issuer's signature. The platform (issuer) that implements this system generates the verifiable credential in a standard format defined by the Verifiable Credentials Framework, so that it is easy to verify and impossible to fake.

The VC (Verifiable Credential) is generated digitally and signed with the issuer's private key using Public Key Infrastructure (PKI). It is therefore cryptographically secure: it cannot be falsified, and the signature guarantees that it was issued by the defined platform to a defined user and that it has not been altered by anyone. Once the verifiable credential is created, it is sent to the user's wallet through the OIDC protocol, and the user chooses whether or not to accept it into her/his wallet.

Verification workflow outside EBSI

Another use case of the implementation is verifying a VC received from a user's wallet, since some operations within the platform may require the presentation of a VC. To carry out this process, the platform (verifier) uses the verifier UI to request that the user's wallet present a certain type of VC. The verifier platform communicates with the user's wallet through the OIDC/SIOP protocol, and the user chooses from her/his wallet which VC or VCs to present to the verifier platform. Once the user accepts, a verifiable presentation (VP) is created, which acts as a wrapper for the VC or VCs that will be shared with the verifier platform.

The verifier platform then checks whether the VP is valid by verifying the user's signature in the body of the VP and the issuer's signature on each VC it contains, using the public keys of the user and the issuers encoded in their DIDs. Once the VP is found to be valid, the platform can make use of these verifiable credentials.

SSI EduWallets issuance & verification workflow under EBSI services

Incorporating the SSI EduWallets into a platform that uses the EBSI services follows this process:

  1. The SSI EduWallets implementation is integrated in the defined platform to allow the issuance and the verification of verifiable credentials.

  2. The platform asks a Trusted Accreditation Organization (TAO) to onboard it on the EBSI ecosystem as a trusted issuer and verifier, so that it can issue and verify educational verifiable credentials.

  3. Once the platform meets the requirements, it is onboarded on EBSI and can act as a trusted issuer and verifier. Its first step as a trusted issuer/verifier is to generate a DID (Decentralized Identifier) and a public and private key, and then store the DID and the public key on the EBSI ledger.

  4. When the user requests, through the issuance UI, an educational VC for the completed course or assessment, the platform issues a VC containing the DID of the user, the DID of the platform, the issuer's signature and the other fields that compose the VC. Issuance can be done through the web wallet flow, in which the issuer connects with the user's web wallet if the issuer has configured it, or through the cross-device flow, in which any compliant wallet application scans the QR code that the issuance UI generates and performs the issuance flow.

  5. Through the OIDC/SIOP protocols the issuer exchanges the VC with the user's wallet, and the user then decides to accept or reject the VC.

  6. Once the user accepts the VC, the user holds it in her/his wallet.

  7. If any platform needs a VC from the user in order to verify some knowledge, the user creates, from the verification UI, a verifiable presentation, which is a wrapper used to share VCs with a verifier.

  8. From her/his wallet, the user chooses the VCs that the verifier is requesting and then accepts sharing the selected VCs with the verifier.

  9. Once the verifier receives the VP, it verifies that the VCs have not been manipulated. It checks that the signature of the VP, which was made with the user's private key, matches the public key of the user encoded in her/his DID, and that the signature of each VC, which was made with the private key of its issuer, matches the public key of that issuer stored in the EBSI ledger.
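
The check in step 9 (and in the verification workflow outside EBSI) can be sketched as follows. This is an added example, not code from the SSI EduWallets project. It assumes a simplified JSON body with a detached Ed25519 signature instead of real JWT or JSON-LD proofs, a constructed `registry` Map standing in for DID resolution or the EBSI ledger, hypothetical field names, and one extra check that each VC's subject is the presenting holder.

```javascript
// Added example: simplified VP check. Real wallets use JWT or JSON-LD proofs.
const nodeCrypto = require('node:crypto');

// Constructed DID registry standing in for DID resolution / the EBSI ledger.
const registry = new Map();
function newParty(did) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  registry.set(did, publicKey);
  return { did, privateKey };
}

// Detached Ed25519 signature over the JSON body (toy serialisation, not JWS).
const bytes = (body) => Buffer.from(JSON.stringify(body));
const signBody = (body, party) =>
  ({ body, signature: nodeCrypto.sign(null, bytes(body), party.privateKey).toString('base64') });

function checkSig(signed, did) {
  const key = registry.get(did);
  if (!key) return false; // unknown DID: no public key to verify against
  return nodeCrypto.verify(null, bytes(signed.body), key, Buffer.from(signed.signature, 'base64'));
}

// Returns { valid, reason } for a signed VP wrapping one or more signed VCs.
function verifyPresentation(vp) {
  if (!checkSig(vp, vp.body.holder)) return { valid: false, reason: 'holder signature' };
  for (const vc of vp.body.credentials) {
    if (!checkSig(vc, vc.body.issuer)) return { valid: false, reason: 'issuer signature' };
    if (vc.body.subject !== vp.body.holder) return { valid: false, reason: 'subject mismatch' };
  }
  return { valid: true, reason: 'ok' };
}

// Constructed sample data (hypothetical DIDs and course name).
const issuer = newParty('did:example:platform');
const holder = newParty('did:example:student');
const vc = signBody({ issuer: issuer.did, subject: holder.did, course: 'Sample course' }, issuer);
const vp = signBody({ holder: holder.did, credentials: [vc] }, holder);

// VC body edited after issuance, then wrapped in a correctly signed VP.
const forgedVc = { body: { ...vc.body, course: 'Other course' }, signature: vc.signature };
const forgedVp = signBody({ holder: holder.did, credentials: [forgedVc] }, holder);

console.log(verifyPresentation(vp), verifyPresentation(forgedVp));
```

The edited VC is rejected even though the holder's signature on the VP is valid, because the issuer's signature no longer matches the VC body.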

Currently, the EBSI infrastructure is not being used, since it is not yet in production but in the testing phase, and it has not been possible to obtain access to the tests in the different test phases that have been carried out. Nevertheless, the implementation follows the EBSI standards and requirements so that it will be compatible with this system in the future.
