How does the consumer verify the issuer?

It is not clear to me how the consumer (employer) can trust the issuer based only on its public key. In other words, how does the consumer authenticate the issuer’s public key?

This concern is not part of the Blockcerts scope currently, but it is an important concern. Here are some practical ideas for the short and long term.

  • Issuers can publish their public keys, making them known to the community, particularly over time. Perhaps registry services will emerge that make this knowledge more convenient. In the case of school systems, the issuers and verifiers often interact so much that the keys will be well known.

  • Issuers could start issuing from a Decentralized Identity Profile (DID) like Blockstack or UPort. The more these DIDs are used, the more reliable their reputation becomes. I can imagine this reputation someday becoming part of the verification process or a separate smart-contract.

  • Other ideas? Please share!

This is definitely an important issue that will require more convenient solutions long term.


Thank you so much for these clarifications.
Yes, I have a very small idea and, if you want, we can first discuss it in private.

If there is no sensitive content, please post it here so that blockchain enthusiasts like me can get exposure to these suggestions and maybe improve ourselves, in a broader sense.


Ultimately Decentralized Identifiers (DIDs) being developed by the W3C will help to better answer the question of “who” is behind the credential. Until then, other strategies can be employed, particularly on the issuer side. At Learning Machine, we developed a product to easily design/issue Blockcerts. Part of this product comes with a public key registry of certified issuing institutions, along with a public registry of those institutions.

For example, the Republic of Malta uses the Learning Machine Issuing System and has many issuing institutions. Check out their Issuer registry here: https://education.gov.mt/en/Blockcerts/Pages/Blockcerts-Public-Key-Registry.aspx

If a verifier wants to inspect whether a credential actually came from a legitimate Maltese source, this registry provides the information (public keys, dates used) to run a deeper inspection.

A research paper on Blockcerts’ security analysis was recently published, finding that they are vulnerable to a certain type of impersonation attack: fabricating a fake issuer profile to impersonate a legitimate issuer “name”: https://arxiv.org/abs/1910.04622

I know that Blockcerts does not currently attempt to solve the problem of issuer identity directly, and that issuers must declare their official blockchain address in the Issuer Profile on their official website. It must then be verified that the address that signed the transaction belongs to the university, by checking that the URL of the Issuer Profile is really on the official issuer’s website.
In addition, the proposed evolution V3 envisages the use of Decentralized Identifiers, which more directly represent the identity of the issuer: DIDs as a way to properly identify issuers.

However, in this perspective, we are providing informative actions to help the user pay more attention to identity verification, modifying the verifier to display useful elements such as the URL of the Issuer Profile.

I would like to examine your views on this issue and the proposals on changes to the Blockcerts viewer in addition to creating an informative web page that also explains the meaning of the Blockcerts verification and contains instructions for “manual” verification of the origin.

Thank you.
Dario_

Dario,

Thank you for this thoughtfully formed question. Issuer identity is a threat vector, so I would like to address the various measures that are being employed today (as well as other possible tactics).

Until issuer DIDs are ready, traditional PKI infrastructure could be utilized. For instance, the same certificate authority that an organization uses for their website, etc., could be used for signing keys as well.

In my company’s commercial experience, some customers aren’t willing/able to make that leap immediately. So, we’ve taken measures to help publish their signing keys so these can be cross-referenced with the public key that is displayed on every Blockcerts credential. Here is an example from MIT. Notice you can click a tab called “Signing Keys.” While this tactic isn’t perfect, it is helpful and makes issuer impersonation harder.

I hope this helps. Certainly an important conversation going forward.
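The checks discussed in this thread (the Issuer Profile must be hosted on the issuer’s official website, the signing address must appear in that profile and have been valid at signing time, and the address should be cross-referenced against a published key registry such as the Maltese one linked above or the “Signing Keys” tab mentioned here) can be combined into one verifier-side routine. The following is an added example, not Blockcerts or Learning Machine code. It assumes a simplified issuer-profile shape (`id`, `url`, `name`, `publicKey` entries with an `ecdsa-koblitz-pubkey:<address>` id and `created`/`revoked`/`expires` timestamps) and a constructed registry keyed by institution name; the blockchain anchor and signature are assumed to have already been verified, so this routine only answers “who” is behind the key.

```python
"""Added example (not Blockcerts project code): issuer-identity checks a verifier
can run after the blockchain signature has already been validated.

Assumptions (hypothetical, constructed for this example): an issuer profile is a
JSON document with "id" (its own URL), "url" (the institution's official website),
"name", and "publicKey" entries of the form
{"id": "ecdsa-koblitz-pubkey:<address>", "created": ISO-8601,
 optional "revoked"/"expires": ISO-8601}. The registry is a constructed
allowlist standing in for a published institutional key registry.
"""
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample registry: institution name -> published signing addresses.
SAMPLE_REGISTRY = {
    "Example University (constructed)": {"1ExampleAddrAAAAAAAAAAAAAAAAAAAAAAA"},
}

# Constructed sample issuer profile, as fetched from the URL the credential references.
SAMPLE_PROFILE = {
    "id": "https://www.example.edu/blockcerts/issuer.json",
    "url": "https://www.example.edu",
    "name": "Example University (constructed)",
    "publicKey": [
        {"id": "ecdsa-koblitz-pubkey:1ExampleAddrAAAAAAAAAAAAAAAAAAAAAAA",
         "created": "2019-01-01T00:00:00Z"},
        {"id": "ecdsa-koblitz-pubkey:1OldAddrBBBBBBBBBBBBBBBBBBBBBBBBBBB",
         "created": "2017-01-01T00:00:00Z",
         "revoked": "2018-06-01T00:00:00Z"},
    ],
}


def _parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _host(url):
    """Lower-cased hostname with a leading 'www.' dropped, for domain comparison."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_issuer(profile_url, profile, signing_address, signed_at, registry):
    """Return a list of findings; an empty list means every identity check passed."""
    findings = []

    # 1. The profile must be referenced over HTTPS and identify itself by that URL.
    if urlparse(profile_url).scheme != "https":
        findings.append("issuer profile not served over https")
    if profile.get("id") != profile_url:
        findings.append("profile id does not match the URL the credential referenced")

    # 2. The profile must live on the issuer's own official website: the host of
    #    the profile URL has to match the host of the declared institutional URL.
    if _host(profile_url) != _host(profile.get("url", "")):
        findings.append("profile is not hosted on the issuer's declared website")

    # 3. The signing address must be listed in the profile and have been valid at
    #    signing time: created before, and neither revoked nor expired by then.
    signed = _parse_time(signed_at)
    key = next((k for k in profile.get("publicKey", [])
                if k.get("id", "").split(":", 1)[-1] == signing_address), None)
    if key is None:
        findings.append("signing address not listed in issuer profile")
    else:
        if _parse_time(key["created"]) > signed:
            findings.append("key was created after the credential was signed")
        if "revoked" in key and _parse_time(key["revoked"]) <= signed:
            findings.append("key was revoked before the credential was signed")
        if "expires" in key and _parse_time(key["expires"]) <= signed:
            findings.append("key had expired before the credential was signed")

    # 4. Cross-reference with an out-of-band registry of published institution keys,
    #    so a fabricated profile carrying a legitimate-looking name is still caught.
    if signing_address not in registry.get(profile.get("name"), set()):
        findings.append("signing address not found in the published key registry")

    return findings


if __name__ == "__main__":
    print(check_issuer(SAMPLE_PROFILE["id"], SAMPLE_PROFILE,
                       "1ExampleAddrAAAAAAAAAAAAAAAAAAAAAAA",
                       "2020-03-01T00:00:00Z", SAMPLE_REGISTRY))
```

Check 2 is the "is the profile really on the official website" step from the earlier post; check 4 is the registry cross-reference. A fabricated profile hosted elsewhere that copies the legitimate institution’s website URL fails check 2, and one that declares its own domain consistently still fails check 4 because its key was never published in the registry. Keying the registry by display name is a simplification for the example; a production verifier would key it on the profile URL or a DID.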

Hi,
Here is an idea.
Let’s say I want to verify that Chris has indeed completed a course at the University of Los Angeles.
To verify Chris’s credential/course/degree, I could enter the University’s webpage or portal, copy or put in Chris’s public key or certificate, and receive the validation.
In that way I verify the validity through the webpage of the issuer.

Sorry for my non-technical details, but I hope the concept is clear.

Hi, I’m afraid that the option you suggested will not work, because there is a law on personal data, and what if Chris does not want his certificate looked at without his knowledge?
P.S. Sorry for my English; I hope you understand the content of my comment.