Proving claim ownership without sharing DID?


#1

Hello Sovrin community!
I found following piece in protocol docs.

Because Relationships and Attributes are orthogonal, an Issuer does not issue credentials to a particular DID. Remember DIDs are contextual to a relationship, and Credentials should be usable in different relationships without sharing correlation handles across relationships or contexts.

Source:
https://github.com/sovrin-foundation/protocol#the-relationship-attribute-plane

Let me validate my understanding of this.
Let’s say John is using DID “A” for relationship with a bank. Bank issues verifiable claim for John. Now John wants to prove to Organization Inc. certain information contained in the claim. How will this be done?

My original understanding was:
John will receive from a bank a claim - a signed document containing following information:

  • John’s DID “A” (therefore specifying for whom the claim was issued, and then it would be up to holder of the claim to prove he is owner of given DID)
  • Information issued by bank for John.
    For communication with Organization Inc., John would prove his ownership of “A” DID and submit his verifiable claim. The Organization will:
  • verify his ownership “A” DID
  • verify the whether the claim was truly signed by Bank.

My new, mixed thoughts and questions:
After reading the piece above from documentation, seems like I am completely off. My original understanding breaks down right at the beginning at the architecture of a claim. Particularly this part: “Issuer does not issue credentials to a particular DID”. If the claim is not tied with DID, what piece of information ties the claim with holder? How the holder proves the claim was really issued for him? Verkey?


#2

The concept that will make this mystery disappear is what we call a “link secret” (you might run into the older, deprecated term “master secret” in some docs).

A link secret is basically a large random number that only John knows.

When John’s credential is issued, it contains John’s link secret in blinded form. By “blinded”, I mean that John has done a one-way transformation on it, such that he can demonstrate the relationship between his original link secret and the blinded form–but nobody else can.

Now, when John goes to Organization, Inc, he generates a proof that conveys the claims/attributes/information from his credential that Organization, Inc needs to know. In addition to any primary attributes they ask about (like his name, proof that he’s held a bank account for a certain amount of time, etc), John must also prove that he, and nobody else, is the owner of the credential upon which his proof is based–without revealing any DID that he used with the bank.

The way he does this is to show that he knows the link secret value upon which the blinded link secret embedded in the credential is based. This is a mathematical operation that cannot be faked.


#3

is there documentation available for this?


#4

The mathematical treatment is documented here: https://github.com/hyperledger/indy-anoncreds/blob/master/docs/anoncred-usecase1.pdf

There is another doc being prepared, that bridges the gap between my very high-level description and the ultra-technical one in the above link. If you would like a copy of that doc when it comes out, please contact me on sovrin slack (@daniel.hardman).