A deep dive on tokenized identity: on-chain reputation and off-chain identity in the ShareRing Vault

February 14, 2024

Explaining off-chain identity in the ShareRing Vault

In real life (IRL), people recognize you through familiarity, reputation, and credentials that are bound to you. It is through these human interactions that our identity grants us access to services or experiences. In order for us to experience the same level of recognition via digital channels, we need to create not only digital versions of our information but also build credibility, privacy and security, and usability.

Off-chain reputation is represented by verifiable credentials (VCs). These are digital credentials that follow a globally recognized standard from the W3C (World Wide Web Consortium), an international standards organization. Before your data becomes a VC, it undergoes a series of verification checks, including facial recognition, optical character recognition (OCR), liveness detection, and fraud detection. Once verified, it is digitized with cryptographic proof (into a VC) and stored in your Vault. In the future, we will support new VCs, as well as launch an issuance platform, so that issuers can directly issue VCs into your Vault.

Every VC inside your vault is categorized under 3 degrees of reputability. The higher the categorization, the more reputable and credible your VC becomes. This is especially important when interacting with dapps, businesses, or peers, as your off-chain identity establishes who you REALLY are. You can refer to our blog here which explains the different levels of reputability for your credentials.

What does it actually mean to be off-chain? For one, none of your credentials will ever be committed to ShareLedger in a public and transparent way. Your credentials are only stored inside the Vault - not a cloud server or centralized database, not even a decentralized database like IPFS. It is only inside your Vault and eventually will be tied to your decentralized identifier (DiD) developed by ShareRing.

Again, the only place your VCs are stored is inside the Vault, which is accessed through your smartphone. Your Vault is encrypted with your ShareLedger wallet private key, which adds an extra layer of protection over your personal information. This means that whoever has access to your private key, more commonly referred to as your seedphrase, has direct control over your identity.

We do recommend you back up your Vault, in case you ever need to migrate it to another Vault (device). Your backup is also encrypted with your private key, so it’s impossible for someone to hack. Make sure you secure your seedphrase: if you lose your seedphrase, you won’t be able to decrypt your backup.

Here’s the guide on how to back up your Vault.

Explaining On-chain Reputation in the ShareRing Vault

Your VCs are stored securely inside the Vault, but when interacting with dapps or blockchain businesses, they might need to know bits and pieces of your identity before granting access to their services. This is where on-chain identity comes into play, whereby your VCs are tokenized onto ShareLedger. We’ve taken principles of privacy, and designed 2 new types of on-chain identity that allow you to prove your identity across blockchain ecosystems, without revealing any sensitive information.

Immutable Identity - These are soulbound tokens (1 per account), which hold hashes (click here to learn more about hashes) of your VCs.  

For most of the time, you won't need to do anything with your Immutable Identity. It is automatically minted after the creation of your first verified piece of off-chain information, and is primarily a means (with authorization) for 3rd parties to check whether your digital identity is valid or not. Diving deeper into this...

Immutable identities are first and foremost the genesis of your on-chain reputation. They sit on ShareLedger and act as a mechanism for dapps and protocols to check whether information about your identity is untampered with, as well as its validity status.

When VCs are added or revoked inside the Vault, your Immutable Identity will automatically reflect those changes. It’s like a ledger that keeps a record of every VC and status update made inside your Vault. Essentially, your immutable identity is here to ensure that your off-chain credentials remain untampered with and that they bear a truthful, and reputable nature throughout their lifetime. This is what we call “Anchoring”, which refers to creating a link between your off-chain reputation and ShareLedger.

Your Immutable Identity doesn't actually contain your digital identity information, at least not in a form that is legible by anyone or any machine.  Instead, it contains a list of hashes that represent each individual piece of off-chain verified information.

If we were to briefly explain what hashes are, we’d use the analogy of your DNA - it’s unique to you, it’s part of who you are, but looking at DNA alone does not reveal your identity. 

Hashes are the DNA of your VCs. If someone were to look up your hashes on the explorer, they would only see the string of letters and numbers (your hash), which means nothing to the non-technical eye, nor can it be deciphered to reveal sensitive information about yourself (we’ve mitigated the risks associated with rainbow table hacks by salting the hashes).

A key feature of an immutable identity is that it reveals ZERO sensitive information from your VCs. The beauty of this design though is that with cryptography, authorized (by you) 3rd parties or businesses have a means of checking whether your identity is valid or revoked. To briefly explain, a 3rd party would generate a hash based on a credential you authorize access to and then compare it with your immutable identity. If it matches, then the status/validity of the credential is true on and off the blockchain.

Note that credentials have to bear a high level of credibility, so only 3rd party issued and ShareRing Verified VCs are able to be tokenized. ShareRing Checked and User-Added credentials inside the Vault are NOT VCs, nor bear the credibility to be tokenized.

You might be wondering where this functionally happens IRL. Take the example of entering a corporate metaverse, accessible only by employees. To access, employees would sign a transaction through their Vault to prove their employment identity, i.e. a valid employee ID. On the backend of the metaverse, they would (without being granted visible access to the VCs) generate the hashes. These generated hashes would be matched against the corresponding hashes on the employee’s Immutable Identity; if they match, then there’s proof of immutability and the employee can enter the metaverse.
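The hash-matching check described above, and the reason the hashes are salted, can be sketched in a few lines. This is an added example, not ShareRing's code: the hash function (SHA-256), the JSON canonicalization, the disclosure of the salt to the verifier, and the names `ImmutableIdentity`, `verify` and `dictionary_match` are all assumptions made for illustration.

```python
import hashlib
import json
import secrets

def credential_hash(credential: dict, salt: bytes) -> str:
    # Assumed scheme: SHA-256 over salt || canonical JSON (sorted keys, no whitespace).
    canonical = json.dumps(credential, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()

class ImmutableIdentity:
    """Hypothetical stand-in for the on-chain token: hashes and status only."""
    def __init__(self):
        self.anchors = {}  # hash -> "VALID" or "REVOKED"

    def anchor(self, digest: str) -> None:
        self.anchors[digest] = "VALID"

    def revoke(self, digest: str) -> None:
        if digest in self.anchors:
            self.anchors[digest] = "REVOKED"

def verify(identity: ImmutableIdentity, credential: dict, salt: bytes) -> str:
    # Verifier recomputes the hash from what the holder authorized and disclosed.
    return identity.anchors.get(credential_hash(credential, salt), "NOT_ANCHORED")

def dictionary_match(anchored: str, candidates: list, salt: bytes = b"") -> bool:
    # Models a precomputed-table lookup: works only if the hash input is guessable.
    return any(credential_hash(c, salt) == anchored for c in candidates)

# Constructed sample data, not a real credential.
EMPLOYEE_ID = {"type": "EmployeeID", "employer": "ExampleCorp", "number": "0042"}
SALT = secrets.token_bytes(16)  # kept with the credential, off-chain

def demo() -> dict:
    chain = ImmutableIdentity()
    digest = credential_hash(EMPLOYEE_ID, SALT)
    chain.anchor(digest)
    tampered = dict(EMPLOYEE_ID, number="0001")
    guesses = [dict(EMPLOYEE_ID, number=f"{n:04d}") for n in range(100)]
    results = {
        "genuine": verify(chain, EMPLOYEE_ID, SALT),
        "tampered": verify(chain, tampered, SALT),
        "unsalted_guessable": dictionary_match(credential_hash(EMPLOYEE_ID, b""), guesses),
        "salted_guessable": dictionary_match(digest, guesses),
    }
    chain.revoke(digest)
    results["after_revocation"] = verify(chain, EMPLOYEE_ID, SALT)
    return results

if __name__ == "__main__":
    print(demo())
```

The unsalted hash of a low-entropy credential is found by simple enumeration, while the salted anchor is not; the salt therefore has to be protected like the credential itself.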

Shielded Identity - These are soulbound tokens (infinite per account), which contain ‘yes’ or ‘no’ attributes pertaining to your identity.

For example, your Shielded Identity may reflect that you are of legal age in Australia. With this design mechanism, a dapp or business could read your Shielded Identity and validate whether you are of legal age in Australia, without ever revealing what your age is. 

Shielded Identities are a way for users, like yourself, to interact with dapps and businesses built on blockchain technology. If we think of this in the context of web-based interactions, you could essentially sign a transaction to prove that you have met the identity requirements to interact with the dapp/business, e.g. whether you reside in a country other than the United States. A perfect example of this would be on Starknet ID, where a user has to identify whether they reside in the United States (obviously because of regulatory pressure…).

At launch, there will be 2 types of Shielded Identities for users to mint. They are:

  • Age based; and
  • Country based

To explain Shielded Identities in a “real” way, let’s revisit the example of the corporate metaverse. This time, the employee is trying to gain access to the metaverse’s finance hub. The employee signs a transaction and verifies the following information:

  • Shielded Identity: User owns a corporate employee ID = YES
  • Shielded Identity: User has rights to access the Finance room = NO
  • Immutable Identity: State of corporate employee ID = VALID

In this case, the employee will automatically be refused entry to the finance hub as they do not possess the Shielded Identity with corresponding access rights. The employee can still navigate the other areas of the corporate metaverse, subject to which Shielded Identities they own.

Shielded Identities can only be minted based on VCs that are 3rd party issued, and ShareRing Verified. Coming soon in Q2 2024.