Abstract

In this master’s thesis, we analyze the relation between the IRMA (“I Reveal My Attributes”) system and the Verifiable Credential (VC) standard. By contrasting and comparing IRMA with VC, we identify similarities and differences.
IRMA is a practical, privacy-friendly, and user-centric identity system. It is user-centric as the user, and not the identity provider, is the central role within the system. The goal of the VC standard is to advance interoperability between user-centric identity systems. A deliverable of the VC standard is a data model with related concepts and syntax. Hence, we look into possibilities on how to extend IRMA’s interoperability by making IRMA compliant with the VC standard.
Several concepts overlap between IRMA and VC, such as claims and credentials. A credential is a set of claims, for instance, a full name or address of a subject. The credential is produced and signed by an issuing party, such as the government. A credential is verifiable if the claims can be cryptographically verified. Also, IRMA employs Zero-Knowledge Proofs, and VC supports the use of Zero-Knowledge Proofs.
We identify the relevant requirements of the VC data model and real-world use-cases between IRMA and other VC-compliant systems. Based on the requirements and use-cases, we describe modifications needed within IRMA. We suggest introducing a metadata server, which can deliver data from IRMA schemes to external actors via HTTP endpoints. When accepting messages from other VC-compliant systems, IRMA’s security properties can be significantly impacted.
We implement a subset of the identified modifications to compute VC-compliant messages within IRMA. The developed prototype can exchange those messages between IRMA components. We publish the modifications of the irmago and irma_mobile components via forks on GitHub. The limitation is that we do not modify the IRMA data model to comply with the VC data model, as this is out of scope for this research.
We conclude that after modifying IRMA to comply with the VC standard, IRMA extends its interoperability by at least reaching level three of the “levels of conceptual interoperability model” (LCIM). However, it is one thing to make a system compliant with a standard. It is another to exchange messages with other VC-compliant systems as those might use different protocols, APIs, and other technology such as blockchains.
We recommend that the Privacy By Design Foundation modify IRMA to comply with the VC standard. An advantage might be to become a pioneer in the field within the Netherlands or even the EU. This can increase PbDF’s visibility and impact. In general, the interoperability of user-centric IMS should get more focus within institutions and industry. Consequently, citizens may see the benefits of such interoperable systems. Additionally, it can reduce the resistance against such systems.
|Date of Award|27 May 2020|
|Supervisor|G Alpár (Examiner) & Fabian van den Broek (Co-assessor)|