The following terms are used to describe concepts in this specification.
- claim: An assertion made about a subject.
- credential: A set of one or more claims made by an issuer.
  The claims in a credential can be about different subjects.
  Our definition of credential differs from NIST's definitions of credential.
- data minimization: The act of limiting the amount of shared data strictly to
  the minimum necessary to successfully accomplish a task or goal.
- decentralized identifier: A portable URL-based identifier, also known as a
  DID, associated with an entity. These identifiers are most often used in a
  verifiable credential and are associated with subjects such that a
  verifiable credential itself can be easily ported from one
  credential repository to another without the need to reissue the credential.
  An example of a DID is `did:example:123456abcdef`.
- decentralized identifier document: Also referred to as a DID document, this
  is a document that is accessible using a verifiable data registry and
  contains information related to a specific decentralized identifier, such as
  the associated credential repository and public key information.
- default graph: The graph containing all claims that are not explicitly part
  of a named graph.
- derived predicate: A verifiable, boolean assertion about the value of another
  attribute in a verifiable credential. These are useful in
  zero-knowledge-proof-style verifiable presentations because they can limit
  information disclosure. For example, if a verifiable credential contains an
  attribute for expressing a specific height in centimeters, a derived
  predicate might reference the height attribute in the verifiable credential,
  demonstrating that the issuer attests to a height value meeting the minimum
  height requirement without actually disclosing the specific height value,
  for example, that the subject is taller than 150 centimeters.
- digital signature: A mathematical scheme for demonstrating the authenticity
  of a digital message.
- entity: Anything that can be referenced in statements as an abstract or
  concrete noun. Entities include but are not limited to people,
  organizations, physical things, documents, abstract concepts, fictional
  characters, and arbitrary text. Any entity might perform roles in the
  ecosystem, if it is capable of doing so. Note that some entities
  fundamentally cannot take actions, e.g., the string "abc" cannot issue
  credentials.
- graph: A set of claims, forming a network of information composed of
  subjects and their relationship to other subjects or data. Each claim is
  part of a graph; this is either explicit in the case of named graphs, or
  implicit for the default graph.
- holder: A role an entity might perform by possessing one or more
  verifiable credentials and generating verifiable presentations
  from them. A holder is often, but not always, a subject of the
  verifiable credentials they are holding. Holders store their
  credentials in credential repositories.
- identity: The means for keeping track of entities across contexts. Digital
  identities enable tracking and customization of entity interactions
  across digital contexts, typically using identifiers and attributes.
  Unintended distribution or use of identity information can compromise
  privacy. Collection and use of such information should follow the principle
  of data minimization.
- identity provider: An identity provider, sometimes abbreviated as IdP, is a
  system for creating, maintaining, and managing identity information for
  holders, while providing authentication services to
  relying party applications within a federation or distributed network.
  In this case the holder is always the subject. Even if the
  verifiable credentials are bearer credentials, it is assumed the
  verifiable credentials remain with the subject, and if they are
  not, they were stolen by an attacker. This specification does not use this
  term unless comparing or mapping the concepts in this document to other
  specifications. This specification decouples the identity provider
  concept into two distinct concepts: the issuer and the holder.
- issuer: A role an entity can perform by asserting claims about one or
  more subjects, creating a verifiable credential from these
  claims, and transmitting the verifiable credential to a holder.
- named graph: A graph associated with specific properties, such as
  `verifiableCredential`. These properties result in separate graphs that
  contain all claims defined in the corresponding JSON objects.
- presentation: Data derived from one or more verifiable credentials, issued
  by one or more issuers, that is shared with a specific verifier.
- credential repository: A program, such as a storage vault or personal
  verifiable credential wallet, that stores and protects access to holders'
  verifiable credentials.
- selective disclosure: The ability of a holder to make fine-grained decisions
  about what information to share.
- subject: A thing about which claims are made.
- user agent: A program, such as a browser or other Web client, that mediates
  the communication between holders, issuers, and verifiers.
- validation: The assurance that a claim from a specific issuer satisfies the
  business requirements of a verifier for a particular use. This
  specification defines how verifiers verify verifiable credentials and
  verifiable presentations.
  It also specifies that verifiers validate claims in verifiable
  credentials before relying on them. However, the means for such validation
  vary widely and are outside the scope of this specification. It is expected
  that verifiers will trust certain issuers for certain claims and
  apply their own rules to determine which claims in which credentials
  are suitable for use by their systems.
- verifiable credential: A verifiable credential is a tamper-evident
  credential whose authorship can be cryptographically verified. Verifiable
  credentials can be used to build verifiable presentations, which can also be
  cryptographically verified.
- verifiable data registry: A role a system might perform by mediating the
  creation and verification of identifiers, keys, and other relevant data,
  such as verifiable credential schemas, revocation registries, issuer public
  keys, and so on, which might be required to use verifiable credentials. Some
  configurations might require correlatable identifiers for subjects. Some
  registries, such as ones for UUIDs and public keys, might just act as
  namespaces for identifiers.
- verifiable presentation: A verifiable presentation is a tamper-evident
  presentation encoded in such a way that authorship of the data can be
  trusted after a process of cryptographic verification. Certain types of
  verifiable presentations might contain data that is synthesized from, but
  do not contain, the original verifiable credentials (for example,
  zero-knowledge proofs).
- verification: The evaluation of whether a verifiable credential or
  verifiable presentation is an authentic and current statement of the issuer
  or presenter, respectively. This includes checking that: the credential (or
  presentation) conforms to the specification; the proof method is satisfied;
  and, if present, the status check succeeds. Verification of a credential
  does not imply evaluation of the truth of claims encoded in the credential.
- verifier: A role an entity performs by receiving one or more verifiable
  credentials, optionally inside a verifiable presentation, for processing.
  Other specifications might refer to this concept as a relying party.
- verification material: Information that could be a cryptographic public key
  or any other data used to verify a proof.
- URL: A Uniform Resource Locator, as defined by [[URL]]. URLs can be
  dereferenced such that they result in a resource, such as a document. The
  rules for dereferencing, or fetching, a URL are defined by the URL scheme.
  This specification does not use the term URI or IRI because those terms have
  been deemed to be confusing to Web developers.