
Re: Multi-sig credentials?

From: Daniel Hardman <daniel.hardman@evernym.com>
Date: Mon, 13 Jul 2020 09:22:10 -0600
Message-ID: <CAFBYrUom0FWM3jb_CHOtT+BHcJi7FCCqGwcw7BXNVWLrLUvi2g@mail.gmail.com>
To: Keerthi Thomas <thomas.keerthi@gmail.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>

Yes, there has been some thought around this.

The simple way would be to exert control over an issuer DID using a
multisig scheme. This would mean that issuance itself is trivial, and so is
the signature block and the revocation handling in the credential; all the
complexity shifts into what generates the signature from the DID
controller. The only DID method that I know of that explicitly describes
how to do this today is peer DIDs, but it would not be helpful in VC
issuance, since it isn't anchored to a ledger. Perhaps there are other
methods that support multisig as a verification method, that I'm not aware
of.

The other option is to make issuance itself a multisig process. Some design
work has been completed on this in Hyperledger Ursa discussion circles, but
it's only a little more than whiteboard, AFAIK. This would allow holders to
start with a credential signed by one issuer, and then to go around and
collect endorsements from other issuers until the endorsements hit a
critical mass, at which point the VC becomes valid. There are also some
other usage models it would enable. How revocation would be handled with
such a credential is not obvious, however.

Bottom line is that I think you're asking an important and interesting
question. It's received some attention already, but I don't believe there's
any mature solution yet.

On Mon, Jul 13, 2020 at 9:00 AM Keerthi Thomas <thomas.keerthi@gmail.com>
wrote:

> Hello everyone,
>
> I thought this community might be able to provide some direction. I am
> still on the learning curve, apologies if I missed some earlier work done
> by yourselves.
>
> I am currently working on a problem which I think may have already been
> solved, I would appreciate it if you can kindly point me in the right
> direction.
>
> I understand and I have previously built POCs using Hyperledger Indy/Aries
> that allows for verifiable credentials to be issued by a single party
> (issuer). The question is, how do we issue verifiable credentials issued by
> multiple parties?
>
> Contracts and other legal documents are sometimes signed between multiple
> (more than two) parties. In a paper-based approach, it is relatively
> straightforward, signatures are obtained serially.  A similar approach is
> adopted in electronic signing where copies of PDF are signed serially,
> internally, the system generates a 'certificate of completion' which
> captures metadata for legal purposes.
>
> In the real-estate use-case I am currently working on a similar 'certificate
> of completion' to hold multiple cryptographic signatures of contracting
> parties over a digital artifact i.e. 'smart legal contract' (for
> simplicity, consider the artifact as a file containing some text and source
> code before they are deployed on a DLT or VM). I was thinking the SSI + VC
> model could be appropriate for this 'certificate of agreement or
> completion' but I am happy to hear your thoughts and suggestions.
>
> Many thanks in advance.
>
> Best wishes,
> Keerthi Thomas
>
>
Received on Monday, 13 July 2020 15:22:36 UTC
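
The second option in the reply, a credential that becomes valid once endorsements reach a critical mass, shown as an added Go example; it is not code from the thread or from the Hyperledger Ursa design work it mentions. It assumes independent Ed25519 signatures over the same credential bytes counted against a threshold; the did:example identifiers, the credential body and the threshold of 2 are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Endorsement is one issuer's signature over the exact credential bytes.
type Endorsement struct {
	Issuer string // constructed did:example identifiers are used below
	Sig    []byte
}

// CountValid counts distinct trusted issuers with a valid signature over cred;
// unknown issuers, bad signatures and repeat endorsements are ignored.
func CountValid(cred []byte, trusted map[string]ed25519.PublicKey, ends []Endorsement) int {
	seen := map[string]bool{}
	for _, e := range ends {
		pk, ok := trusted[e.Issuer]
		if ok && !seen[e.Issuer] && ed25519.Verify(pk, cred, e.Sig) {
			seen[e.Issuer] = true
		}
	}
	return len(seen)
}

// Demo collects endorsements on a constructed credential, returning the count per stage.
func Demo() (first, padded, second int) {
	cred := []byte(`{"type":"CertificateOfCompletion","artifact":"constructed"}`)
	trusted, keys := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, id := range []string{"did:example:a", "did:example:b", "did:example:c"} {
		trusted[id], keys[id], _ = ed25519.GenerateKey(nil) // nil selects crypto/rand
	}
	_, outsider, _ := ed25519.GenerateKey(nil) // key of a party that is not a trusted issuer
	sign := func(id string, k ed25519.PrivateKey, m []byte) Endorsement { return Endorsement{id, ed25519.Sign(k, m)} }
	ends := []Endorsement{sign("did:example:a", keys["did:example:a"], cred)}
	first = CountValid(cred, trusted, ends)
	ends = append(ends,
		sign("did:example:a", keys["did:example:a"], cred),            // repeat by the same issuer
		sign("did:example:b", outsider, cred),                         // forged: wrong key for b
		sign("did:example:x", outsider, cred),                         // issuer not in the trusted set
		sign("did:example:c", keys["did:example:c"], []byte("other"))) // signature over other content
	padded = CountValid(cred, trusted, ends)
	ends = append(ends, sign("did:example:b", keys["did:example:b"], cred))
	second = CountValid(cred, trusted, ends)
	return
}

func main() { fmt.Println(Demo()) } // prints 1 1 2: a threshold of 2 is met only at the last stage
```

Counting distinct issuers rather than signatures is what keeps one party from reaching the threshold alone; revocation, which the reply flags as unresolved for this model, is not addressed here.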
