Credential Issuance
Issuing and managing verifiable credentials for cookstove projects in the Emerging platform
Verifiable credentials are tamper-proof digital attestations that enable secure, privacy-preserving verification of entities and their attributes in your cookstove projects without requiring continuous connectivity to the issuer.
Product Overview
The Emerging platform’s Credential Issuance system provides a standardized way to create, issue, and verify digital credentials for all entities in your cookstove projects. Built on W3C Verifiable Credentials standards and integrated with the Impact Hub public blockchain network, this system enables:
- Tamper-Proof Attestations: Issue cryptographically secure credentials that cannot be forged or altered
- Privacy Preservation: Control what information is shared and with whom
- Offline Verification: Validate credentials without requiring continuous connectivity to the issuer
- Selective Disclosure: Share only the necessary information for a specific verification
- Revocation Management: Update or revoke credentials when information changes or is no longer valid
This documentation explains how cookstove project implementers can interact with the platform to issue and manage credentials for all project participants and assets.
User Personas
Credential Issuers
Organisations authorized to issue verifiable credentials (project implementers, manufacturers, etc.)
Credential Holders
Entities that receive and store credentials (households, customers, agents, etc.)
Credential Verifiers
Entities that need to verify credentials (auditors, regulators, carbon credit buyers)
Protocol Developers
Create and maintain credential schemas and verification rules
Use Cases / User Stories
Business Credential Issuance
As a Cookstove Project Implementer, I want to obtain a verified Business Credential so that I can establish my Organisation’s identity and authority within the platform.
- Acceptance Criteria:
- Organisation receives a cryptographically signed Business Credential
- Credential includes verified business information (name, registration number, etc.)
- Credential is linked to the Organisation’s DID
- Credential can be verified by third parties
Project Certification
As a Project Manager, I want to issue a Certified Project Document credential (such as a Mitigation Activity Design Document and Validation Report) for my cookstove project so that I can prove its legitimacy and compliance with standards.
- Acceptance Criteria:
- Project receives a Certified Project Document credential
- Credential includes project details, methodology, and compliance information
- Credential is linked to the project’s DID
- Credential can be presented to auditors and carbon credit buyers
Device Certification
As a Cookstove Manufacturer, I want to issue Certificates of Manufacture for cookstoves so that their authenticity and specifications can be verified.
- Acceptance Criteria:
- Each device receives a Certificate of Manufacture credential
- Credential includes device specifications, manufacturing date, independent lab testing results, and quality standards
- Credential is linked to the device’s DID
- Credential can be verified by project implementers and end users
Household Registration
As a Field Agent, I want to issue Household Credentials to participating households so that they can be uniquely identified and their participation verified.
- Acceptance Criteria:
- Each household receives a Household Credential
- Credential includes necessary household information, including eligibility criteria, without exposing PII on the blockchain
- Credential is stored with end-to-end encryption in IXO Matrix data rooms
- Credential can be selectively disclosed to authorized verifiers
Functional Requirements
Credential Types and Schemas
The Emerging platform supports various credential types based on standardized schemas from Protocol Domains. Each credential type has a specific purpose and set of attributes:
Business Credential
For cookstove project implementers and Organisations:
- Schema:
did:ixo:protocol:[unique identifier]#business-credential
- Key Attributes:
- Legal business name
- Registration number
- Jurisdiction
- Business type
- Authorized representatives
- Verification status
Certified Project Document
For cookstove projects:
- Schema:
did:ixo:protocol:[unique identifier]#project-credential
- Key Attributes:
- Project name
- Project location
- Project Document (e.g. Mitigation Activity Design Document and Validation Report)
- Start and end dates
- Certification standards
- Verification status
Certificate of Manufacture
For cookstove devices:
- Schema:
did:ixo:protocol:[unique identifier]#device-certificate
- Key Attributes:
- Manufacturer
- Model number
- Serial number
- Manufacturing date
- Technical specifications
- Efficiency rating
- Quality standards compliance
Household Credential
For participating households:
- Schema:
did:ixo:protocol:[unique identifier]#household-credential
- Key Attributes:
- Household identifier
- Location (region/district)
- Number of members
- Previous cooking methods
- Eligibility criteria
- Enrollment date
- Assigned devices
Customer Credential
For end customers:
- Schema:
did:ixo:protocol:[unique identifier]#customer-credential
- Key Attributes:
- Customer identifier
- Household identifier
- Service agreements
- Payment information
- Communication preferences
Agent Credential
For distribution agents:
- Schema:
did:ixo:protocol:[unique identifier]#agent-credential
- Key Attributes:
- Agent identifier
- Role and responsibilities
- Assigned region
- Training certifications
- Authorization level
Fuel Credential
For fuel sources:
- Schema:
did:ixo:protocol:fuel-certificate
- Key Attributes:
- Fuel type
- Source/manufacturer
- Production date
- Batch number
- Quality metrics
- Sustainability certification
Protocol Domains
Protocol Domains provide standardized credential schemas and verification rules:
Available Protocol Domains:
-
Clean Cooking Protocol:
did:ixo:protocol:[unique identifier]#clean-cooking
- Provides schemas for all cookstove-related credentials
- Defines verification rules and compliance requirements
- Establishes standard attributes for each credential type
-
Carbon Credit Protocol:
did:ixo:protocol:[unique identifier]#carbon-credit
- Provides schemas for carbon credit issuance and verification
- Defines methodologies for emissions calculations
- Establishes requirements for credit certification
-
Sustainable Development Protocol:
did:ixo:protocol:[unique identifier]#sdg
- Provides schemas for SDG impact measurement
- Defines indicators for each sustainable development goal
- Establishes reporting requirements for SDG contributions
Using Protocol Domains:
- Navigate to the “Protocols” section in the platform dashboard
- Browse available Protocol Domains
- Select the appropriate protocol for your credential type
- Review schema requirements and verification rules
- Use the protocol’s schema when creating credentials
Claim Submission and Evaluation
Before a credential can be issued, a claim must be submitted and evaluated:
Claim Submission Process:
- Navigate to the “Claims” section in the platform dashboard
- Select “Submit New Claim”
- Choose the claim type based on the desired credential
- Complete the required claim information
- Attach supporting documentation
- Sign and submit the claim
Using the API:
For programmatic claim submission, use the msgSubmitClaim
function:
Claim Evaluation:
Claims are evaluated through a combination of automated verification by Evaluation Oracle services and human review:
-
Automated Verification:
- Schema validation
- Required field checks
- Cross-reference with existing data
- Cryptographic signature verification
-
Human Review (when required):
- Verification of supporting documentation
- Compliance with standards and regulations
- Additional checks based on credential type
-
Evaluation Outcomes:
- Approved: Claim is verified and credential can be issued
- Rejected: Claim does not meet requirements
- Pending: Additional information or verification needed
- Disputed: Claim is valid but requires additional review
Credential Issuance
Once a claim is approved, a credential can be issued:
Issuance Process:
- Navigate to the “Claims” section and find the approved claim
- Select “Issue Credential”
- Review the credential information
- Sign the credential with the issuer’s private key
- Issue the credential to the subject
Using the API:
For programmatic credential issuance, use the msgIssueCredential
function:
Success Response:
Upon successful issuance, you’ll receive a response similar to:
Privacy-Preserving Storage
Credentials containing personally identifiable information (PII) are stored with end-to-end encryption:
IXO Matrix Data Rooms:
- Secure, encrypted storage spaces for sensitive credential data
- Controlled by Domain Controllers (credential issuers and subjects)
- Data is never stored unencrypted on the blockchain
- Access is granted through cryptographic authorization
- Servers may be hosted in-country to comply with local data protection laws
Storage Process:
- PII is identified in the credential content
- This data is encrypted using the subject’s public key
- Encrypted data is stored in the IXO Matrix data room
- A reference to the encrypted data is included in the credential
- The blockchain only stores a hash of the credential and its status
Access Control:
- Only authorized entities with the proper cryptographic keys can access the encrypted data
- The credential subject can grant or revoke access to specific verifiers
- Access can be time-limited or restricted to specific purposes
Credential Verification
Verification allows third parties to confirm the authenticity and validity of credentials:
Verification Methods:
- Direct Verification: Verifier directly checks the credential against the blockchain
- Intermediated Verification: Verification through a trusted third-party service
- Offline Verification: Verification without requiring internet connectivity
Verification Process:
- Verifier requests a credential from the holder
- Holder presents the credential (full or selective disclosure)
- Verifier checks:
- Issuer’s digital signature
- Credential status on the blockchain (active, revoked, expired)
- Schema compliance
- Proof of subject control (holder proves they are the subject)
Using the API:
For programmatic verification, use the verifyCredential
function:
Credential Exchange
Credential exchange enables secure sharing of credentials between parties:
Exchange Methods:
- Direct Exchange: Peer-to-peer sharing between holder and verifier
- Mediated Exchange: Exchange through a trusted intermediary
- Selective Disclosure: Sharing only specific attributes from a credential
Exchange Process:
- Verifier sends a credential request specifying required attributes
- Holder reviews the request and consent requirements
- Holder creates a Verifiable Presentation containing requested credentials
- Holder sends the Verifiable Presentation to the verifier
- Verifier validates the presentation and extracts the credential data
Verifiable Presentation
Verifiable Presentations allow credential holders to combine multiple credentials and selectively disclose information:
Presentation Creation:
- Navigate to the “Credentials” section in the platform dashboard
- Select “Create Presentation”
- Choose the credentials to include
- Select which attributes to disclose from each credential
- Sign the presentation with the holder’s private key
- Share the presentation with the verifier
Using the API:
For programmatic presentation creation, use the createVerifiablePresentation
function:
Non-functional Requirements
Security
- All credentials must be cryptographically signed by the issuer
- Private keys must never be transmitted or stored unencrypted
- Credential exchange must use secure communication channels
Privacy
- PII must be stored with end-to-end encryption
- Selective disclosure must be supported for all credential types
- Data minimization principles must be followed
Interoperability
- Credentials must conform to W3C Verifiable Credentials Data Model
- Credentials must be compatible with major wallet applications
- The system must support standard cryptographic algorithms
Performance
- Credential issuance should complete within 30 seconds
- Verification should occur in under 5 seconds
- The system should handle high volumes of credential operations
Compliance
- The system must comply with relevant data protection regulations
- Credential issuance must follow industry standards and best practices
Assumptions & Constraints
Assumptions
- Issuers have the necessary authority to issue specific credential types
- Users have access to digital wallets for storing and presenting credentials
- Internet connectivity is available for credential issuance and verification
- Users understand the concept of consent for credential sharing
Constraints
- Some credential types may require specific issuer qualifications
- Offline verification may have limited capabilities compared to online verification
- Credential schemas must conform to protocol standards
- Revocation checking requires periodic synchronization with the blockchain
Appendices
Glossary of Terms
- Verifiable Credential: A tamper-evident credential with authorship that can be cryptographically verified
- Claim: An assertion made by an entity about a subject
- Credential Schema: A document that defines the structure and constraints of a credential
- Issuer: An entity that creates and signs credentials
- Holder: An entity that receives and stores credentials
- Verifier: An entity that checks the validity of credentials
- Selective Disclosure: The ability to reveal only specific information from a credential
- Verifiable Presentation: A tamper-evident presentation of one or more credentials
Related Documentation
Was this page helpful?