Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
This section describes the main steps required to interact with Velocity network:
This section describes the following functions implemented as part of Velocity network integration:
Velocity network specific operation are available under the velocity command:
./ssikit.sh velocity -hThe interaction with Velocity network is implemented in SSIKit using a Rest API client which currently exposes the functionality through the command-line-interface. The available functions can grouped as follows:
organization related
onboarding
tenant configuration
credential related
issuance
verification
In order to cover the credential related functions, but also tenant management, SSIKit uses a credential agent deployed on walt.id infrastructure. For this, walt.id is registered on Velocity network (currently only on testnet) as a credential agent operator and can issue and verify credentials on behalf of issuer using either issuer's keys or walt.id keys. The diagram below shows how Velocity integration is currently done with SSIKit.
The organization related functions, such as onboarding and DID acquisition, are implemented by calling Velocity network registrar Rest API.
Velocity credential verification is available with the verify command:
E.g. Verify credential.
Intro to Velocity Network
Velocity NetworkTM is a public permissioned distributed network, based on a permissioned version of the Ethereum Blockchain utilizing Hyperledger Besu. Operating a node and writing to the Velocity Ledger requires permission from the Velocity Network FoundationR.
The following data is stored on chain:
organization metadata - DID, profile, endpoint
credential metadata (encrypted) - ID, type, public key, revocation status
verification voucher transactions
credential types and schemas
Holder - a person that holds the credential on behalf of the subject (themselves or another person)
Issuer - an organization that creates and issues credentials
first party issuer - an entity that can directly attest to the claims within the credential
notary issuer - an entity that can evaluate evidence to attest to the claims within the credential
Relying Party - an entity that requests and verifies credentials from a Holder
Wallet Provider (Holder App Provider) - an organization offering digital wallets to be used by Holders
Credential Agent Operator - an organization operating a credential agent
Agent - an interface to the network used by organizations (Issuer, Relying Party, Holder) - call contracts, retrieve account states - form the 'layer-2' network
Tenant - an organization’s delegate on which behalf the agent is acting
Node Operator - an organization operating a node
Node - a participant on the network holding copies of the underlying ledger
Members (Stewards) - read-only nodes with limited data access that forward write operations to Validators
Validators - full-write permission nodes that participate in consensus
Velocity Network Registrar - a set of centralized services that are used for administering the accredited organizations and credential types on the Network
Credits hub - a module where Velocity credits are administered and credit reward transactions can be executed
Voucher hub - a module where Velocity vouchers are administered and top up transactions can be executed
The ledger - the distributed blockchain-based, continuously-replicated, global cryptographic database maintained by Stewards operating nodes communicating with the Velocity consensus protocol
Issuing - the process of asserting claims about a Holder who receives the verifiable credential
by writing a transaction to the Velocity Ledger which includes the credential ID, its type, the Issuer ID, and the public key matching the private key that signed it
Revocation - the act of an Issuer revoking the validity of a credential
by writing a transaction to the Velocity Ledger marking the credential as revoked
Verification - the process of confirming that a verifiable credential is not modified, revoked or expired and is issued by a trusted authority
by accessing the Velocity Ledger to retrieve the unique public key associated with credential and verify its signature
Velocity currently uses the JWT format for encoding credentials with JWS signatures using SECP256K1 as proofs.
Verifiable credentials are divided into the following categories:
Layer-1 credential types - network’s core set of credential types (e.g. Email, IdDocument, OpenBadgeCredential)
for each issued credential, the Issuer receives a reward in the form of Velocity Credits
Layer-2 credential types - any custom credential type
should be mapped to a Layer-1 type in order for the Issuer to be eligible for a reward
More about credential types here https://docs.velocitynetwork.foundation/docs/developers/basics-credential-types.
did:ion - used to identify organizations or individuals
received when registering with the Registrar
did:velocity - used to identify credentials
is immutable
stores only a single key and credential type
resolving it will burn an NFT to permit DID resolution
./ssikit.sh velocity verify -h./ssikit.sh velocity verify -i did:ion:1234567890 credential.jwt checks.jsoneyJqd2siOnsia3R5IjoiRUMiLCJleHQiOnRydWUsImtleV9vcHMiOlsidmVyaWZ5Il0sIngiOiJVd3V5Y2lfMUJNa05DdVkwZ0lPWFZ3ZDZTOXBPMldOUWpsdUVXbWd3TGNBIiwieSI6Ik5vYlp6WFh1VUtNQmIwU1ZpaGo2cG10RWY2cXd4Y1FwSHlOMmRwSHBjM1kiLCJjcnYiOiJQLTI1NiJ9LCJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSJdLCJpZCI6Ijc1NmZlMWIzLWYwOGEtNDgxYy05ZWFlLTU2ZWIwMGI2NWQ1NyIsInR5cGUiOlsiSWREb2N1bWVudCIsIlZlcmlmaWFibGVDcmVkZW50aWFsIl0sImNyZWRlbnRpYWxTdWJqZWN0Ijp7ImZpcnN0TmFtZSI6eyJsb2NhbGl6ZWQiOnsiZW4iOiJBZGFtIn19LCJsYXN0TmFtZSI6eyJsb2NhbGl6ZWQiOnsiZW4iOiJTbWl0aCJ9fSwia2luZCI6IkRyaXZlcnNMaWNlbnNlIiwiYXV0aG9yaXR5Ijp7ImxvY2FsaXplZCI6eyJlbiI6IkNhbGlmb3JuaWEgRE1WIn19LCJsb2NhdGlvbiI6eyJjb3VudHJ5Q29kZSI6IlVTIiwicmVnaW9uQ29kZSI6IkNBIn0sImRvYiI6eyJkYXkiOjIwLCJtb250aCI6NiwieWVhciI6MTk2Nn0sImlkZW50aXR5TnVtYmVyIjoiMTIzMTAzMTIzMTIiLCJkZWZhdWx0Ijp0cnVlfX0sInN1YiI6ImFkYW0uc21pdGhAZXhhbXBsZS5jb20iLCJhdWQiOiIgIiwiaXNzIjoiNzU2ZmUxYjMtZjA4YS00ODFjLTllYWUtNTZlYjAwYjY1ZDU3IiwianRpIjoiNzU2ZmUxYjMtZjA4YS00ODFjLTllYWUtNTZlYjAwYjY1ZDU3IiwiaWF0IjoxNjIwMTI4NjgyLCJuYmYiOjE2MjAxMjg2ODJ9.iqbGO5LfYzUmvesVSCquWHekbC-z3VCvls156zsNnmvz7y6sFtcH7lH0IkRNwljGQQvsce50O7RG06QOSnMS4g{
"TRUSTED_ISSUER": "SELF_SIGNED",
"UNREVOKED": "PASS",
"UNEXPIRED": "NOT_APPLICABLE",
"UNTAMPERED": "PASS"
}Verification result:
true
{
"TRUSTED_ISSUER": "SELF_SIGNED",
"UNREVOKED": "PASS",
"UNEXPIRED": "NOT_APPLICABLE",
"UNTAMPERED": "PASS"
}
The verification process (inspection) is initiated by disclosure exchanges where the Relying Party requests credentials from Holder. These exchanges can be encoded in the following ways:
deep links - a URI that matches the spec:
QR-codes - a visual representation of a deep link
Depending on the use case, the Relying Party can request either:
verified credentials
requires payment in tokens
returns the verification checks (policies) result
unverified credentials:
requires no payment in tokens
can be verified later
The verification checks performed against the credential are the following:
UNTAMPERED
pass - hasn't been tampered
fail - has been tampered
voucher_reserve_exhausted - a voucher is required for verification
TRUSTED_ISSUER
pass - issuer is trusted
fail - issuer is not a member of Velocity
self_signed - data attested by the Holder
voucher_reserve_exhausted - a voucher is required for verification
UNREVOKED
pass - hasn't been revoked
has been revoked
voucher_reserve_exhausted - a voucher is required for verification
UNEXPIRED
pass - hasn't expired
fail - has expired
More details on credential verification checks can be found at https://docs.velocitynetwork.foundation/docs/developers/developers-guide-disclosure-exchange#credential-verification-checks.
More on credential verification at https://docs.velocitynetwork.foundation/docs/developers/developers-guide-disclosure-exchange.
Issuing involves an exchange between a Holder and an Issuer, by which the Holder receives a set of offers from the Issuer. Once the Holder accepts the offers, the Issuer converts them into verifiable credentials and supplies them to the Holder.
Depending on data source location and process initiating party, the following issuing types are supported:
custom - credential agent loads offers from itself as well as calling out webhooks
demand triggered - Holder initiates the credential claiming process
Issuer responds with the available credential offers according to Holder’s criteria
supply triggered - Issuer initiates the credential claiming process
offers are made available to the Holder using a notification mechanism by sending a deep-link or qr-code to claim the credentials
batch - credential agent loads offers only from itself
a specialized version of supply triggered custom issuing
More information on issuing can be found at https://docs.velocitynetwork.foundation/docs/developers/developers-guide-issuing.
In order to operate on Velocity network, any entity (regardless of scope - issuer, relying party or credential agent operator) has to register with the network.
The onboarding is currently done manually and will custody a DID on the DID:ION network:
get an account with the registrar
by sending an email to [email protected]
set up the organization(s)
set the required services according to the use case:
issuer - VlcCareerIssuer_v1
verifier - VlcInspector_v1
agent operator - VlcCredentialAgentOperator_v1
configure the tenants
add the required keys according to the use case:
issuer - ISSUING_METADATA
verifier - EXCHANGES
agent operator - DLT_TRANSACTIONS
The configuration steps from above can be completed either using:
or Rest API
More information on Velocity onboarding can be found at https://docs.velocitynetwork.foundation/docs/developers/developers-guide-getting-started.
Velocity issuance commands are available under issue command as follows:
offer management
credential management
./ssikit.sh velocity issue -hBefore being able to issue verifiable credentials, the credential data needs to be prepared. Offers represent the way to set up credential data. Basically, an offer is a credential that has not been signed. The offer management functions can be accessed from the command:
./ssikit.sh velocity issue offer -hCurrently available functions are:
create offer
E.g. Create an offer.
./ssikit.sh velocity issue -i did:velocity:0xd4df29726d500f9b85bc6c7f1b3c021f16305692 -d 61966dfc4732da2ea0e64826 -m [email protected]{
"type":
[
"PastEmploymentPosition"
],
"credentialSubject":
{
"vendorUserId": "[email protected]",
"company": "did:velocity:0xd4df29726d500f9b85bc6c7f1b3c021f16305692",
"companyName":
{
"localized":
{
"en": "Microsoft Corporation"
}
},
"title":
{
"localized":
{
"en": "Director, Communications (HoloLens & Mixed Reality Experiences)"
}
},
"startMonthYear":
{
"month": 10,
"year": 2010
},
"endMonthYear":
{
"month": 5,
"year": 2022
},
"location":
{
"countryCode": "US",
"regionCode": "MA"
},
"description":
{
"localized":
{
"en": "Big Data, AI, Hybrid, IoT, Datacenter, Mixed Reality/HoloLens, D365, Power Platform - all kinds of fun stuff!!!"
}
}
},
"offerCreationDate": "2020-08-04T21:13:32.019Z",
"offerExpirationDate": "2021-08-04T21:13:32.019Z",
"offerId": "ptIQrgxaicFX0QPVf_Z1L"
}{
"type":
[
"PastEmploymentPosition"
],
"credentialSubject":
{
"vendorUserId": "[email protected]",
"company": "did:velocity:0xd4df29726d500f9b85bc6c7f1b3c021f16305692",
"companyName":
{
"localized":
{
"en": "Microsoft Corporation"
}
},
"title":
{
"localized":
{
"en": "Director, Communications (HoloLens & Mixed Reality Experiences)"
}
},
"startMonthYear":
{
"month": 10,
"year": 2010
},
"endMonthYear":
{
"month": 5,
"year": 2022
},
"location":
{
"countryCode": "US",
"regionCode": "MA"
},
"description":
{
"localized":
{
"en": "Big Data, AI, Hybrid, IoT, Datacenter, Mixed Reality/HoloLens, D365, Power Platform - all kinds of fun stuff!!!"
}
}
},
"offerCreationDate": "2020-08-04T21:13:32.019Z",
"offerExpirationDate": "2021-08-04T21:13:32.019Z",
"offerId": "ptIQrgxaicFX0QPVf_Z1L",
"id": "634d9aacb6b4b8ab66563fac",
"createdAt": "2022-10-14T18:10:52.726Z",
"updatedAt": "2022-10-14T18:10:52.726Z",
"exchangeId": "634d9a9caa4dc9cf44a8f37f",
"issuer":
{
"id": "did:velocity:0x6872fedef46b03e9863a56859a1cdb45648907f7"
}
}Credential management functions include:
issue credential
./ssikit.sh velocity issue credential -hE.g. Issue credential.
./ssikit.sh velocity issue credential -i did:velocity:0x6872fedef46b03e9863a56859a1cdb45648907f7 -c PastEmploymentCredential credential-data.json{
"type":
[
"PastEmploymentPosition"
],
"credentialSubject":
{
"vendorUserId": "[email protected]",
"company": "did:velocity:0xd4df29726d500f9b85bc6c7f1b3c021f16305692",
"companyName":
{
"localized":
{
"en": "Microsoft Corporation"
}
},
"title":
{
"localized":
{
"en": "Director, Communications (HoloLens & Mixed Reality Experiences)"
}
},
"startMonthYear":
{
"month": 10,
"year": 2010
},
"endMonthYear":
{
"month": 5,
"year": 2022
},
"location":
{
"countryCode": "US",
"regionCode": "MA"
},
"description":
{
"localized":
{
"en": "Big Data, AI, Hybrid, IoT, Datacenter, Mixed Reality/HoloLens, D365, Power Platform - all kinds of fun stuff!!!"
}
}
},
"offerCreationDate": "2020-08-04T21:13:32.019Z",
"offerExpirationDate": "2021-08-04T21:13:32.019Z",
"offerId": "ptIQrgxaicFX0QPVf_Z1L"
}velocity-network://issue?request_uri=https://stagingagent.velocitycareerlabs.io/api/holder/v0.6/org/did:velocity:0x6872fedef46b03e9863a56859a1cdb45648907f7/issue/get-credential-manifest?exchange_id=634d9a9caa4dc9cf44a8f37f&credential_types=PastEmploymentPosition
Velocity onboading commands are available under the onboard command as follows:
./ssikit.sh velocity onboard -hOnce an account was set up with the registrar (see onboarding), cli-tool can be used to register the organization, using the command:
./ssikit.sh velocity onboard organization <org-file>E.g. Onboarding organization.
./ssikit.sh velocity onboard organization organization.json{
"profile":
{
"name": "WaltID",
"location":
{
"countryCode": "AT",
"regionCode": "W"
},
"founded": "2021",
"logo": "https://images.squarespace-cdn.com/content/v1/609c0ddf94bcc0278a7cbdb4/d7a7bc88-c700-4efe-a95f-8d3086bccb9d/Walt.id_Logo_round.png?format=1500w"
},
"serviceEndpoints":
[
{
"id": "#credential-agent-operator-1",
"serviceEndpoint": "https://agent.velocity.walt.id",
"type": "VlcCredentialAgentOperator_v1"
},
{
"id": "#credential-agent-inspector-1",
"serviceEndpoint": "https://agent.velocity.walt.id",
"type": "VlcInspector_v1"
},
{
"id": "#credential-agent-issuer-1",
"serviceEndpoint": "https://agent.velocity.walt.id",
"type": "VlcCareerIssuer_v1",
"credentialTypes":
[
"OpenBadgeCredential",
"EducationDegree",
"CurrentEmploymentPosition",
"PastEmploymentPosition",
"Badge",
"Certification",
"Course",
"Assessment",
"AssessmentDec2020",
"VaccinationCertificate-Apr2021",
"CourseRegistrationV1.0",
"CourseCompletionV1.0",
"CourseAttendanceV1.0",
"EducationDegreeRegistrationV1.0",
"EducationDegreeStudyV1.0",
"EducationDegreeGraduationV1.0",
"CertificationV1.0",
"LicenseV1.0",
"OpenBadgeV1.0",
"AssessmentV1.0",
"EmploymentCurrentV1.0",
"EmploymentPastV1.0",
"VerifiableCredential",
"ComprehensiveLearnerRecord",
"CourseRegistrationV1.1",
"CourseCompletionV1.1",
"CourseAttendanceV1.1",
"EducationDegreeRegistrationV1.1",
"EducationDegreeStudyV1.1",
"EducationDegreeGraduationV1.1",
"CertificationV1.1",
"LicenseV1.1",
"AssessmentV1.1",
"EmploymentCurrentV1.1",
"EmploymentPastV1.1",
"BadgeV1.1",
"OpenBadgeV2.0",
"OpenBadgeV2.1"
]
}
]
}{
"id": "did:ion:org-did",
"didDoc":
{
"@context":
[
"https://www.w3.org/ns/did/v1",
{
"@base": "<did:ion:org-did>"
}
],
"id": "<did:ion:org-did>",
"verificationMethod":
[
{
"id": "#vc-signing-key-1",
"type": "EcdsaSecp256k1VerificationKey2019",
"controller": "",
"publicKeyJwk":
{
"crv": "secp256k1",
"x": "<x-value>",
"y": "<y-value>",
"kty": "EC"
}
},
{
"id": "#eth-account-key-1",
"type": "EcdsaSecp256k1VerificationKey2019",
"controller": "",
"publicKeyJwk":
{
"crv": "secp256k1",
"x": "<x-value>",
"y": "<y-value>",
"kty": "EC"
}
},
{
"id": "#exchange-key-1",
"type": "EcdsaSecp256k1VerificationKey2019",
"controller": "",
"publicKeyJwk":
{
"crv": "secp256k1",
"x": "<x-value>",
"y": "<y-value>",
"kty": "EC"
}
}
],
"assertionMethod":
[
"#vc-signing-key-1",
"#eth-account-key-1",
"#exchange-key-1"
],
"service":
[
{
"type": "VlcCredentialAgentOperator_v1",
"id": "#credentialagent-1",
"serviceEndpoint": "https://agent.samplevendor.com/acme"
},
{
"type": "VlcCareerIssuer_v1",
"id": "#issuer-1",
"serviceEndpoint": "https://agent.samplevendor.com/acme",
"credentialTypes":
[
"CertificationV1.1",
"LicenseV1.1",
"CourseCompletionV1.1",
"EducationDegreeGraduationV1.1",
"EmploymentCurrentV1.1",
"EmploymentPastV1.1"
]
},
{
"type": "VlcInspector_v1",
"id": "#inspector-1",
"serviceEndpoint": "https://agent.samplevendor.com/acme"
}
]
},
"profile":
{
"name": "Test Organization",
"location":
{
"countryCode": "US",
"regionCode": "NY"
},
"logo": "https://images.squarespace-cdn.com/content/v1/609c0ddf94bcc0278a7cbdb4/d7a7bc88-c700-4efe-a95f-8d3086bccb9d/Walt.id_Logo_round.png?format=1500w",
"website": "http://www.organization.com",
"cntactEmail": "[email protected]",
"founded": "2021-01-01",
"registrationNumbers":
[
{
"authority": "DunnAndBradstreet",
"number": "1",
"uri": "uri://uri"
}
],
"id": "<did:ion:org-did>",
"verifiableCredentialJwt": "http://registrar.velocitynetwork.foundation/api/v0.6/organizations/<did:ion:org-did>/resolve-vc/<token>",
"permittedVelocityServiceCategory":
[
"CredentialAgentOperator",
"Issuer",
"Inspector"
]
},
"keys":
[
{
"id": "#vc-signing-key-1",
"purposes":
[
"ISSUING_METADATA"
],
"key": "<key-value>",
"publicKey": "<key-value>",
"algorithm": "SECP256K1",
"encoding": "hex",
"controller": "<did:ion:org-did>"
},
{
"id": "#eth-account-key-1",
"purposes":
[
"DLT_TRANSACTIONS"
],
"key": "<key-value>",
"publicKey": "<key-value>",
"algorithm": "SECP256K1",
"encoding": "hex",
"controller": "<did:ion:org-did>"
},
{
"id": "#exchange-key-1",
"purposes":
[
"EXCHANGES"
],
"key": "<key-value>",
"publicKey": "<key-value>",
"algorithm": "SECP256K1",
"encoding": "hex",
"controller": "<did:ion:org-did>"
}
],
"authClients":
[
{
"type": "auth0",
"clientType": "cao-node-client",
"clientId": "<id-value>",
"clientSecret": "<secret-value>",
"serviceId": "#credentialagent-1"
}
]
}Every organization needs a tenant on the credential agent. Tenant functions are available under the tenant command:
create tenant
./ssikit.sh velocity onboard tenant -hE.g. Add a tenant having verifier, issuer and agent operator purposes.
./ssikit.sh velocity onboard tenant tenant.json{
"serviceIds":
[
"#credential-agent-operator-1",
"#credential-agent-inspector-1",
"#credential-agent-issuer-1"
],
"did": "<did:ion:org-did>",
"keys":
[
{
"purposes":
[
"DLT_TRANSACTIONS"
],
"algorithm": "SECP256K1",
"encoding": "hex",
"kidFragment": "#eth-account-key-1",
"key": "<key-value>"
},
{
"purposes":
[
"EXCHANGES"
],
"algorithm": "SECP256K1",
"encoding": "hex",
"kidFragment": "#exchange-key-1",
"key": "<key-value>"
},
{
"purposes":
[
"ISSUING_METADATA"
],
"algorithm": "SECP256K1",
"encoding": "hex",
"kidFragment": "#vc-signing-key-1",
"key": "<key-value>"
}
]
}{
"id": "634d9327aa4dc9cf44a8f37a",
"createdAt": "2022-10-14T17:38:47.231Z"
}In order to be able to issue / verify credential, it is required to have the correct identification disclosure set up. Current disclosure management functions are:
create disclosure
./ssikit.sh velocity onboard disclosure -hE.g. Create an integrated issuing identification disclosure.
./ssikit.sh velocity onboard disclosure -i did:ion:1234567890 disclosure.json{
"types":
[
{
"type": "EmailV1.0"
}
],
"vendorEndpoint": "integrated-issuing-identification",
"vendorDisclosureId": "MSFT0001",
"purpose": "Id Check",
"duration": "16m",
"termsUrl": "https://www.velocityexperiencecenter.com/terms-and-conditions-vnf",
"activationDate": "2021-02-16T00:00:01Z",
"identityMatchers":
{
"vendorUserIdIndex": 0,
"rules":
[
{
"valueIndex": 0,
"path":
[
"$.emails"
],
"rule": "pick"
}
]
}
}{
"types":
[
{
"type": "EmailV1.0"
}
],
"vendorDisclosureId": "MSFT0001",
"vendorEndpoint": "integrated-issuing-identification",
"identityMatchers":
{
"rules":
[
{
"path":
[
"$.emails"
],
"rule": "pick",
"valueIndex": 0
}
],
"vendorUserIdIndex": 0
},
"purpose": "Id Check",
"duration": "16m",
"termsUrl": "https://www.velocityexperiencecenter.com/terms-and-conditions-vnf",
"activationDate": "2021-02-16T00:00:01.000Z",
"id": "634d9625b6b4b8ab66563fab",
"createdAt": "2022-10-14T17:51:33.769Z",
"updatedAt": "2022-10-14T17:51:33.769Z"
}
