A Better, More Secure, and More Private Approach to COVID Credentials

Not all digital credential solutions are created equal – here’s what makes Evernym’s solution safe, private, and open.

Some legal, public health and identity leaders have expressed concerns about building high-stakes identity tools like COVID-19 digital health certificates. They point to immature standards and predict that scrutiny by governments and consumer advocates will reveal security, privacy, and regulatory flaws.

These worries are well-founded. Some parts of self-sovereign identity (SSI) technology are young, and many implementations give issues like privacy and security little more than lip service. However, Evernym is different. We have been pondering these challenges for years. We have made numerous investments to manage risks, and we are shipping production solutions with characteristics far more robust than a blockchain-happy startup. Specifically:

  • We have sophisticated, peer-reviewed threat models, and numerous proof points show that we are systematically eliminating potential risks they uncover.
  • Our approach to decentralized identifiers—peer DIDs—keeps all personal data off the blockchain. This radically enhances security and privacy and removes regulatory obstacles.
  • Working with a host of legal, business, and technical experts around the globe, we’ve deployed powerful, nuanced governance to protect all parties.
  • Far from being new-fangled and bleeding-edge, Evernym’s ‘zero-knowledge proof’ credentials are backed by thirty years of peer review and security analysis by some of the world’s greatest cryptographers and have now been in production for years. With respect to these concerns, they have huge advantages over more simplistic credential technologies in the space.
  • The technical protocols at the heart of Evernym’s approach (‘DIDComm’) are usable offline, without servers, and in other modes that solve thorny problems. They offer exceptional privacy and security benefits, improved inclusivity, and different legal dynamics.


Concerns surrounding COVID credentials

In both SSI circles and in the mainstream, there has been a lot of buzz around the notion of “immunity passports” and similar technologies containing test results and vaccination records. The thinking is that contactless data sharing of health data, delivered by mobile phone, could increase confidence that it’s safe to interact.

Critics have been quick to raise flags of caution about this approach. They warn that:

  • Science does not yet confirm important assumptions about immunity.
  • The technical foundations of these solutions have much deeper problems with privacy and security than a casual observer might detect.
  • Enforcement overreach could run afoul of legal roadblocks — or, perhaps more disturbingly, could degenerate into a surveillance state.

These critics are right.

With COVID-19 vaccines now being rolled out, the first objection is beginning to be addressed, but the second and third concerns remain. And they apply to all kinds of digital credential use cases, not just to health passports. Many approaches to SSI have little more than a veneer of privacy and security, and their proponents merely handwave when pressed. They should be discounted. They could do a lot of harm if they were deployed in a rush to solve a pressing problem.

However, Evernym has thought about this problem intensely and for many years. We believe we have satisfying solutions that hold up under scrutiny, and we invite the world to learn more about what makes us different.

To highlight the differences, let’s walk through some of the specific concerns that critics raise, and provide concrete details about how Evernym resolves them.


Concerns and Responses


1. Poor privacy

Concern: Digital credentials contain a lot of sensitive information. Repeatedly sharing them will allow people to be tracked in troubling ways. This is made worse if ledgers store personal data, DIDs, proofs of existence, hashes, or other digital breadcrumbs.

Response: Absolutely right. Some implementations of credentials and DIDs use the blockchain far too aggressively and have no real protection against data being indexed, subpoenaed, or overseen by governments. Among SSI vendors that take a more cautious approach, most implementations of verifiable credentials (VCs) still lack the ability to do selective disclosure. Without this capability – sharing only the minimum data required – users must reveal all the fields of a credential to the verifier, even though they only need to share one of them. Privacy degrades. And even among approaches that minimize what’s revealed, less sophisticated solutions will disclose the underlying signature values – which makes correlation, and therefore surveillance, trivial. (For more on this important matter, read our essay on correlation here.)

Evernym invented and champions peer DIDs, and gives them a central role in its architecture. These take all personal data off the blockchain entirely. It also advocates careful governance of public DID networks for institutions, precisely to protect against casual abuse. This eliminates any concerns about blockchain with respect to regulatory compliance, the right to be forgotten, or surveillance of personal DIDs and their metadata.

Evernym contributed most sections of the VC standard that relate to zero-knowledge proofs. We have built an anonymous credential technology that never reveals the same credential twice. The credential that is issued is not shared at all; rather, a new credential is derived just in time for each presentation. This reveals exactly and only the information needed in a given circumstance. Raw signature values are never shared, either; instead, a proof demonstrates that the original credential has a signature with the necessary properties. This prevents certain kinds of signature substitution attacks. No DID for the holder needs to be embedded in the credential, eliminating unnecessary correlators. Revocation is done in a privacy-preserving way, too. The same holder can prove something twice to the same verifier without being correlated as a single person. Evernym has gone out of its way to correct misunderstandings and FUD from community members who don’t understand the implications of this technology very well.

Evernym also invented the privacy-preserving routing mechanism used in DIDComm. This allows Alice and Bob to talk to one another through any number of untrusted intermediaries, with nobody along the route able to observe the origin and destination of the conversation.

In short, Evernym has done all of this and more to ensure SSI solutions can be private and safe by design. We’ve spent a lot of time with the identity community, customers, and partners to help shape an open architecture that we can all benefit from, and which protects everyone when deployed at scale.

Despite the sophistication of the technology in Evernym’s stack, it’s all bundled in an easy-to-use app and a SaaS subscription with a minimal learning curve. This minimizes the likelihood that users will make mistakes, and ensures that the solutions we power are all designed to be safe, private, open, and scalable.


2. Immature security

Concern: VCs can be abused in various ways to commit fraud. Cryptographic guarantees look good on paper but might be undermined by deployment context. Cryptocurrency incentives may not translate to identity. There is not a strong enough analysis of the risks.

Response: Evernym has long been troubled about the lack of rigor in some SSI security conversations, so this concern feels very reasonable to us. Parts of this ecosystem are entirely too casual and confident about security matters.

In our own corner of the space, we wrote an insider’s view of the security posture of the Indy blockchain and then hired independent experts to audit it. At least two additional audits have since been completed, one funded by the Linux Foundation. We earned the CII badge for projects embodying security best practices in open source. We contributed to responsible disclosure mechanisms for the Indy and Sovrin codebases, as well as our own. We have conducted emergency response fire drills and shepherded several disclosures through the process to a successful resolution. We’ve run multiple pen tests on our code. We use static code analysis. We have an internal roadmap for what we call “Safe SaaS,” that contemplates numerous threats including those from SSI vendors themselves, and that lays out an orderly sequence of investments that will strengthen our posture across the board. We crafted written security policies, and we hold staff training to reinforce them. As far as we can tell, few of these measures are even part of the strategies of competitors.

Evernym took a leadership role in developing the governance framework for Sovrin, which embodies consensus legal and cybersecurity judgments of dozens of peer experts from around the world. We also helped launch Hyperledger Ursa, where professional, credentialed cryptographers from numerous companies meet regularly to vet algorithms. And we based our anoncreds implementation on nearly two decades of peer-reviewed, rigorously scrutinized research by Dr. Jan Camenisch and other world experts in zero-knowledge proof technologies. We participate in the Technical Governance Board of the Sovrin Foundation, where security policies are debated and refined.

Under contract from the US Department of Homeland Security, and in consultation with unaffiliated experts, Evernym published original research and guidance about secure key management in SSI. Evernym has released an in-depth analysis of the security issues involved in an individual losing their phone. We also wrote the first and deepest threat model for the verifiable credential ecosystem, contributed significant chunks to the “Security Considerations” section of the DID spec, and co-wrote a paper on preventing VC fraud at the Rebooting Web of Trust conference. We also published a paper on how verifiable credentials can be strengthened by biometrics. And we are a founding member of the Trust Over IP Foundation, which seeks to bring method and many eyes to the analysis of issues like these.

Of course, no amount of effort guarantees that an ecosystem is free from vulnerabilities. However, at least in Evernym’s corner of the SSI space, vulnerabilities are a regular and important topic for conversation, and we find and eliminate them in a disciplined way. We involve credentialed experts, not just a few software engineers. And while the overall mixture of components is new, the foundations of our security are tried and true.


3. Online only

Concern: VCs, DIDs, and blockchains are online technologies. There’s no good answer for offline use. Vulnerable populations will be disenfranchised.

Response: This is indeed an issue for many SSI stacks — in particular those taking a web-centric or RESTful API viewpoint, or those emphasizing enterprise authentication with OpenID Connect and OAuth. Those technologies are inherently client-server, not peer-to-peer. They assume at least one party has expensive, always-connected infrastructure, reinforce power imbalances between institutions and people, and trigger many of the regulatory issues with GDPR.

Although Evernym provides RESTful APIs, cloud/SaaS subscriptions, and features to help integrate OpenID, our foundation is DIDComm. This makes it peer-to-peer all the way to the roots. DIDComm runs over many means of transport, including Bluetooth, NFC, and sneakernet. It can be used offline with ease and power. For example, one recent DIDComm experiment ran over slow, semi-connected serial links between cheap IoT devices and low-earth-orbit satellites. Evernym can support such modes of operation with only minor reconfiguration because it already models interactions using compatible paradigms. It is trivial to layer HTTP and other technologies on top of DIDComm; the reverse is not true. Evernym has invested wisely here.

The peer DIDs mentioned previously also help with this concern. They can be created and managed entirely offline. They also incur no fees, which puts them within reach of everyone’s budget. This complements another Evernym initiative to solve guardianship use cases, allowing those with limited access to technology the ability to participate fully in the ecosystem.


4. Non-standardized or obscurely standardized components

Concern: Some aspects of SSI depend on brand new standards that don’t yet show evidence of maturity. Others depend on specifications that are not standardized at all.

Response: Yes, this is a challenge. There are at least three mutually incompatible implementations of the VC standard. There are also a dozen auxiliary projects in the space, with a variety of participation models and contributors, that aim to contribute additional standards on top of VCs and DIDs.

Evernym has always valued practical interop over theoretical standards conformance. This is not because we’re mavericks; it’s because we think the space is still too new to predict the best trade-offs with confidence. But we’re eager to make forward progress; see our recent post about practical next steps for credential interoperability. We wrote the world’s first SSI implementation of the SIOP profile of OpenID Connect, allowing us to explore interop with Microsoft on credentials. We started Hyperledger Indy as a way to collaborate in open source with many vendors, and to get experience in the laboratory of shipping deployments. Later, we broadened the mandate to encompass other blockchains and credential technologies and nurtured Hyperledger Aries.

These combined communities now support hundreds of POCs and pilots from dozens of vendors — and they are the nucleus of several production deployments that are growing in scope and ambition. Aries has sponsored several multi-vendor interoperability initiatives, with impressive results. We regularly demo issuing credentials using tools from vendor A, holding them in software from vendor B, and proving them to a verifier running technology from vendor C. We have formalized interoperability tests and documented interoperability profiles.

Simply put, no other ecosystem in the SSI space has as deep or as broad a story on interoperability.

Evernym’s position on the standards in our space is nuanced. Yes, we want to comply. Yes, we contribute to these standards and will sponsor their development and release at standards organizations. No, we are not in a hurry. No, all standards are not equally useful. No, we are not going to implement a standard just to comply; a standard that doesn’t produce interoperability simply can’t be justified as a high priority.

We think this approach is pragmatic for us and our customers. It avoids knee-jerk reaction to rapidly evolving specifications, which eliminates some of the most obnoxious effects of emerging standards. Moreover, it keeps us skating to where the hockey puck will be in the future.


Conclusion

Those who express concerns about the rush to solve COVID-19 credentials with VCs and DIDs are not wrong to be worried. However, they paint with an overly broad brush when they imagine that immature standards equal immature solutions.

Faced with deep issues around security, privacy, and regulation, and operating against a backdrop of still-evolving standards, SSI vendors are making different trade-offs. Some prioritize shipping POCs that check standards boxes or demonstrate a slick Potemkin village feature.

Instead, Evernym has tried to stay grounded in practical considerations. We want interop that matters, based on a shared foundation of genuine security and privacy that respects legal requirements. This is what our customers need, and we’ve invested accordingly. The result is production deployments that deliver significant value today. These deployments are still pioneers with ambitious roadmaps, but they are not the overhyped, half baked solutions that critics worry about.