Page tree

European Commission ebsi European Blockchain
Access Help Desk(opens in a new tab)

Skip to end of metadata
Go to start of metadata

EBSI Verifiable Credentials Playbook

Context

EBSI Explained educational series walks you through the technologies that make it possible for Public Administrations and Businesses to easily verify and trust information received directly from Citizens (or Businesses). EBSI Verifiable Credentials Playbook provides all information for integrating and becoming compatible with all systems utilising identity based on the EBSI framework. Building upon the W3C Decentralised Identifiers (DIDs), W3C Verifiable Credentials (VCs), W3C Verifiable Presentations (VPs), OpenID Connect for Verifiable Credentials, GDPR, eIDAS, and other EU Regulations, EBSI is creating a generic profile for the full life-cycle of self-sovereign identity (SSI). This playbook will provide you with implementation guidelines, specifications, and technical standards - extensively researched, analysed and discussed with domain experts - that were accepted to meet the business requirements of many use cases. Business analysts, domain experts, architects, wallet providers, enterprise solution providers, and others can find valuable information to design and build their use cases and services.

EBSI builds the identity in a very modular way, consisting of several building blocks. This section provides an overview of the building blocks and points to their pages with more in-depth descriptions and implementation details.


Verifiable Credentials explained


Verifiable Credentials and Verifiable Presentations

Apart from digital identifiers explained below, data about entities makes the digital identity whole, e.g., passports, driver's licenses, educational credentials, and health certificates. This data should be structured and verifiable based on the common data models. EBSI is building data models based on W3C Verifiable Credentials and Verifiable Presentations. Verifiable Credentials define the structure of the data, while Verifiable Presentations provide the data model for presenting and exchanging the data. Everything related to Verifiable Credentials and Verifiable Presentations can be found here.



E-signing and e-sealing Verifiable Credentials and Verifiable Presentations (supporting eIDAS Regulation)

Trustworthiness in the presented credentials and data is achieved through digital signatures and other cryptographic primitives. The eIDAS regulation defines standards for electronic signatures needed to securely conduct business online in the European Single Market (ESM). EBSI is compliant with the eIDAS Regulation and is meeting its requirements. Everything related to digital signatures can be found here.



Decentralised Identifiers

Decentralized identifiers (DIDs) represent digital identities and unique identifiers of EU citizens and legal entities in the EBSI ecosystem. EBSI is building on the W3C DID method specification to define a comprehensive trust framework as a common set of best practice standards-based rules that ensure minimum requirements for security, privacy, identification management, and interoperability through accreditation and governance. Everything related to the EBSI DID method can be found here.



Digital Identity model

Digital identity sits at the foundation of all digital services, such as education, finance, work, health, and others. EBSI enables a decentralised identity model where users can choose their identifier, identity and wallet provider, the information they want to disclose to verifiers, and the verification method. In the decentralised model, issuers always issue verifiable credentials to the holder and holders present them to verifiers. W3C’s Verifiable Credentials can be used to create Verifiable eIDs which can be easily combined with other Credentials to expand the number of attributes used for authentication and identification purposes but also for record matching. The EBSI identity model supports the existing identification and authentication models, eIDAS authentication and identification, and eIDAS e-signatures and e-seals.



Trust models

Trust is at the centre of all digital transactions. Issuers must trust holders and wallet providers, holders must trust issuers and verifiers, and verifiers must trust wallet providers and issuers. EBSI introduces a simple, flexible and scalable way of mapping the existing trust relationships into the digital world so that the verifiable credentials are easy to trust and verify. 


Issuers trust model

Holders and verifiers must be able to check the identity of the issuer, whether the issuer has been accredited to issue verifiable credentials at a given point in time and if the accreditations and or identity were not revoked. The issuer trust model enables everyone to check the identity and accreditations of issuers in a simple, secure and transparent way. The issuer trust model is described here.

The same model can be applied to wallet providers.



Verifiers trust model

Holders should be able to check the identity of the verifier and the policies under which they request and process personal information. The verifier trust model can be built in the same way as the issuer trust model, or simpler, where identity and policies are self-hosted.

OpenID Connect for Verifiable Credentials

OpenId Connect specification for Verifiable Credentials defines protocols to issue Verifiable Credentials and present them as Verifiable Presentations. The building block implements and complies with these and the details can be found here and here.



Wallets and enterprise services

Wallet Providers and the Wallet Conformance testing

End-users handle their digital identity and interact with the EBSI network through digital wallets. These wallets will be provided by different wallet providers and not developed by EBSI. Wallet providers should test if their wallets conform with EBSI using EBSI Wallet Conformance Testing (WCT) services before releasing them. Everything related to the EBSI WCT can be found here.

Enterprise Service Providers

Enterprise Service Providers are entities providing services and data to the end-users. Providers should be onboarded to the EBSI network. Everything related to the onboarding of entities can be found here.



Use Cases

Discover EBSI's Use Cases guides you through the entire Lifecycle of the EBSI use cases and how they are implemented. EBSI is developing an infrastructure that will be able to handle countless use cases in the future. During the early stages, some use cases are developed inside EBSI to showcase the ability of the different components and the lifecycle of developing and putting the use case into the production. Currently, two main use cases are being developed: self-sovereign identity (SSI), diploma, and European Social Security Pass. You can find more information about use cases and their data models here.



Interacting with EBSI

You can interact with EBSI via APIs as defined in the API catalogue or via the EBSI CLI tool.



EU Regulations

EBSI Verifiable Credentials framework is fully compatible with GDPR, eIDAS v1, and follows other EU Regulations.





Appendix


Acronyms

Following acronyms are used in the document 

  • EBSI: European Blockchain Services Infrastructure
  • SSI: Self-Sovereign Identity
  • DID: Decentralized Identifier
  • VC: Verifiable Credential
  • VP: Verifiable Presentation
  • VA: Verifiable Attestation
  • OIDC: OpenID Connect
  • SIOP: Self-Issued OpenID Provider
  • NP: Natural Person
  • LE: Legal Entity
  • TI: Trusted Issuer
  • eIDAS: Electronic Identification, Authentication and Trust Services
  • GDPR: General Data Protection Regulation
  • JSON: JavaScript Object Notation
  • JWT: JSON Web Token 
  • JSON-LD: JSON for Linked Data
  • VDR: Verifiable Data Registry
  • WCT: Wallet Conformance Testing