Understanding how Blockcerts work

I am working on a college project for blockchain certifications, and I am using Blockcerts as a main reference. However, I am not sure I perfectly understand the whole process of certificate issuing and verification, and I must have it clearly because I intend to develop a similar tool. I am going to describe here what I understand, and if possible I would like you to check if it is right. Keep in mind I am trying to describe the process in general, and not exactly how it is implemented on Blockcerts:

ISSUING
Okay, imagine my school wants to issue a digital certificate on the blockchain saying that I have completed a Machine Learning course, for example. For that to happen, these would be the steps:

  1. The school is going to create a JSON file with the information regarding the certificate (description of the course, number of credits, name of issuer, name of recipient etc).
  2. The school has a blockchain address (a public key and a private key). First they calculate the hash (SHA-256 for example) of the JSON created above in order to make sure it won’t be tampered with.
  3. I (the student) also have a blockchain address. So now, the school is going to issue a blockchain transaction from their address to mine.
  4. Now there is a blockchain transaction with an “attached” hash.

VERIFYING:
Suppose an employer wants to make sure I did a Machine Learning course at that school.

  1. I am going to show the employer a JSON file containing the data regarding the certificate itself, so he understands what that certificate is about.
  2. Then, I also give him the address of the transaction on the blockchain.
  3. With that information, he will be able to get the hash that is “attached” to the transaction, calculate the hash of the JSON I showed him and thus verify that the certificate I showed him is the same that the university issued through that transaction.

So, how accurate are the steps described above? I am having some difficulty understanding the following:
1 - What exactly is the certificate file? Is it an image or a JSON?
2 - Do I have to digitally sign the certificate file too? Or do I just hash it before issuing on the blockchain? (Meaning, do I have to use my blockchain private key to encrypt the certificate before issuing it?)
3 - Does my certificate file itself need to have the public key address of myself/the issuing institution?

Philipe,

In direct answer to your questions:

  1. The certificate is ultimately a JSON file. It may contain images.
  2. The file contains the recipient’s public key, is digitally signed with the school’s private key, and then hashed for the blockchain.
  3. Yes, the certificate needs the recipient’s public key so they can prove ownership later. It must also be signed by the issuing institution, so the point of origin can be known and validated.

Hello Chris,

Thank you for the quick and objective response!

A few more questions about that:

In order to put a pretty image representing the certificate on my JSON it would have to be hosted somewhere, right? For instance, on the issuing institution’s website?

You stated that the JSON file must have the recipient’s public key as well, but why exactly is that necessary considering that the blockchain transaction was issued to the same recipient’s public key? Couldn’t the verifier just check the destination address to the transaction?

Also, I am having doubts regarding how to prove that institution X owns public key Y. In a non-blockchain (regular PKI) context, usually there is a certification authority that states institution X owns public key Y. In our context, would that be necessary as well?

Thank you in advance!

  1. Images can simply be encoded (like Base64) and inserted in the JSON file … so images do not need to be hosted.

  2. It’s best to have everything in the file, self-enclosed. Proving ownership of the cert that contains the actual public key is stronger than simply proving ownership of some unknowable transaction address on the blockchain.

  3. It will be helpful when institutions post a registry of the public keys they have used, or when accrediting authorities list a registry of their sanctioned institutions and their keys. This will make it more convenient to check not only the issuing institution, but that their keys were valid when the cert was issued. Definitely lots of room for improvement here!

Hello Chris,

Thanks for your answers again! You made your points clearly.

However I am still having a lot of trouble grasping the authentication process itself. This is what I have:

JSON Certificate -> Digital Signature process [Calculate certificate hash using SHA256 for instance -> Encrypt the hash with issuer private key] -> publish this digitally signed certificate on the blockchain transaction.

This way, verifier would use issuer’s public key to decrypt digitally signed certificate (obtained from blockchain transaction) and use this result to compare with calculated hash of certificate I showed to verifier.

Am I missing one hash operation? Do I have to hash the digitally signed certificate again before publishing it on the blockchain?

Apologies in advance if I am being inconvenient, just having a hard time grasping all the concepts!
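
The order Chris describes earlier in the thread (the file carries the recipient's public key, is signed with the school's private key, and is then hashed for the blockchain), as an added example that is not part of the thread and not Blockcerts' own code. Ed25519, sorted-key JSON serialisation and every function name here are assumptions made for the illustration; the anchored hash is passed in directly instead of being read from a transaction.

```javascript
const nodeCrypto = require("node:crypto");

// Deterministic serialisation (assumption: sorted keys) so issuer and verifier hash identical bytes.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

const sha256Hex = (text) => nodeCrypto.createHash("sha256").update(text, "utf8").digest("hex");

// Issuer: sign the certificate body, embed the signature, then hash the signed file.
// Only anchorHash would go into the blockchain transaction; the file stays with the recipient.
function issue(body, issuerPrivateKey) {
  const signature = nodeCrypto.sign(null, Buffer.from(canonical(body)), issuerPrivateKey).toString("base64");
  const signedCert = { ...body, signature };
  return { signedCert, anchorHash: sha256Hex(canonical(signedCert)) };
}

// Verifier: the hash check ties the file to the transaction,
// the signature check ties the file to the issuer's key.
function verify(signedCert, anchorHash, issuerPublicKey) {
  const { signature, ...body } = signedCert;
  const hashMatches = sha256Hex(canonical(signedCert)) === anchorHash;
  const signatureValid = typeof signature === "string" &&
    nodeCrypto.verify(null, Buffer.from(canonical(body)), issuerPublicKey, Buffer.from(signature, "base64"));
  return { hashMatches, signatureValid };
}

// Constructed sample data: throwaway keys and a made-up certificate.
function demo() {
  const issuer = nodeCrypto.generateKeyPairSync("ed25519");
  const recipient = nodeCrypto.generateKeyPairSync("ed25519");
  const body = {
    course: "Machine Learning", credits: 4, issuer: "Example School", recipient: "Example Student",
    recipientPublicKey: recipient.publicKey.export({ type: "spki", format: "der" }).toString("base64"),
  };
  const { signedCert, anchorHash } = issue(body, issuer.privateKey);
  const reordered = Object.fromEntries(Object.entries(signedCert).reverse()); // same data, new key order
  return {
    genuine: verify(signedCert, anchorHash, issuer.publicKey),
    reordered: verify(reordered, anchorHash, issuer.publicKey),
    tampered: verify({ ...signedCert, credits: 40 }, anchorHash, issuer.publicKey),
  };
}
console.log(demo());
```

The reordered copy still verifies because both sides serialise the JSON the same way before hashing; without that step, a harmless re-save of the file would look like tampering.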