selective disclosure.jpeg

A Detailed Guide on Selective Disclosure

Selective disclosure, one of the pillars of Self-Sovereign Identity, enables individuals to share just what is needed by the recipient
image
Affinidi
Nov 15, 2021

Vince walks into a casino and the security at the entrance wants to know if Vince is over 21 years old, as that’s the rule to legally play in the casinos.

Now, Vince is in a dilemma. He wants to prove that he is over 21 years old, but doesn’t want to disclose any other information to the security such as his name or address. How can he do that?

For starters, it is not possible through physical IDs such as your driver’s license or passport as they will have your name on it. So, how can Vince prove his age without disclosing any other personal information?

Think about it for a moment.

This is where selective disclosure comes into play. .

What is Selective Disclosure?

Selective disclosure is one of the pillars of Self-Sovereign Identity and it enables individuals to share just what is needed by the recipient to process the data and take actions based on it.

In the above example, selective disclosure allows Vince to share just his age with the security as that alone is enough to decide if he should be allowed to enter the casino or not.

Benefits of Selective Disclosure

The benefits of selective disclosure are:

  • Enhances the privacy of the user as minimum information is exchanged
  • Empowers users to determine what data must be shared with whom.
  • Reduces processing time for the recipients as only a small set of information has to be verified.
  • No storing and the related security hassles for recipients

Now that you know what selective disclosure is and its associated benefits, let’s jump to its implementation.

How Does Selective Disclosure Work?

One of the best ways to implement selective disclosure is through Verifiable Credentials (VCs), a tamper-proof and cryptographically-verifiable way of sharing Personally Identifiable Information.

Here is what a VC looks like.

VC.png

There are three entities to a VC and they are issuer, holder, and verifier, and together, they form what’s called a trust triangle. A VC will have the three key components, namely,

  • Metadata that identifies the issuer and the holder
  • Claim, which is the data that a holder wants to share with the verifier
  • Proof that includes digital signatures of both the issuer and the holder for authenticity.

Let’s look closely at the claim, as this is where selective disclosure is implemented.

In the above example, there is only a single claim, that the holder is an alumni of a specific institution.

Let’s look at another VC. { “@context”: [

http://schema.org/", “https://w3id.org/security/v2", “https://w3id.org/security/bbs/v1" ], “@type”: “Person”, “firstName”: “Jane”, “lastName”: “Doe”, “jobTitle”: “Professor”, “telephone”: “(425) 123–4567”, “email”: “jane.doe@example.com”, “proof”: { “type”: “BbsBlsSignature2020”, “created”: “2020–04–25”, “verificationMethod”: “did:example:489398593#test”, “proofPurpose”: “assertionMethod”, “proofValue”: “F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==”, “requiredRevealStatements”: [4,5] } }

This contains a ton of information about the holder such as firstname, last name, job title, email, etc. Many times, the holder may not have to share all this information with potential verifiers. At the same time, an issuer may find it cost-effective and convenient to issue these credentials in one go.

So, how do you balance between what the issuer offers and what the holder wants?

You guessed it — selective disclosure!

When an issuer creates and sends a verifiable credential, the holder stores it in his or her digital wallet. When it is time to share it with the verifier, the holder compiles the required credentials together into a verifiable presentation and sends it to the verifier.

Every time, when a holder shares a verifiable presentation with the verifier, he or she digitally signs it using public-key cryptography. Essentially, the holder signs with his or her private key and the verifier decrypts this information with the associated public key.

Likewise, the verifiable presentation will also contain the issuer’s digital signature that is signed using its private key.

Now, you may wonder how the holder can store each credential separately and compile it separately to have the issuer’s signature on each of it.

To make the question clear, in the above example, let’s say the holder shares only the phone number with a verifier. This is selective disclosure. But how will the issuer’s signature that applies to all of the credentials can be used for just one? Isn’t it a single block of content to which the entire signature applies?

Well, that’s where BBS+ signatures come in.

Implementing Selective Disclosure using BBS+ signatures

BBS+ signatures are a good way to implement selective disclosure as it allows the holder to share a part of a verifiable credential with a verifier.

The above verifiable credential of Jane Doe is an example of selective disclosure as it uses BBS+ signatures. Here is the line that shows this for you.

“type”: “BbsBlsSignature2020”,

As a result, the holder can send just her phone number to a verifier, her email address to another entity, and so on, and all of it will have the same digital signature.

Affinidi's Implementation of Selective Disclosure

At Affinidi, we have implemented the BBS group signature schema on our tech stack to give holders the flexibility to build a presentation with only the required fields from a credential. These fragments are cryptographically verifiable as they are signed by the BBS+ signature.

Specifically, we have created an API to create and share the URL for the VC fragment.

The createShareUrl is the API that enables selective disclosure in Affinidi’s tech stack. It takes credentialID as a required parameter and optional selective disclosure fields array to build fragment VCs. Of course, the chosen VC should support selective disclosure.

If this parameter is provided and the VC supports selective disclosure — the fragment from VC will be builded first and then shareUrl will be created for it.

To learn more about this API and how you can leverage, reach out to us on Discord or email us. Also, follow us on LinkedIn, Twitter, and Facebook.

Join our mailing list to stay abreast of all interesting developments in SSI.

The information materials contained in this article are for general information and educational purposes only. It is not intended to constitute legal or other professional advice.

Get an email whenever Affinidi Publishes!

Subscribe