How do you link Verifiable Credentials to a human?

https://shkspr.mobi/blog/2021/06/how-do-you-link-verifiable-credentials-to-a-human/

Verifiable Credentials are a brilliant standard to help... well... Verify Credentials. How do you know that someone has an MBA from Harvard? It's pretty easy to fake a degree certificate, or to change your name to George W. Bush, or simply lie. The same is true with any attestation - it's often hard to contact the issuer of a claim and check that it is genuine.

Verifiable Credentials aims to solve that. The standard describes a document which includes the claim (this person is an airline pilot), the person's identity (name, DOB, etc), the party making the claim (Name, ID, date of issuing), and a digital signature to tie it all together. (It is a lot more complicated than that, obviously.)

Let's take a look at the data inside COVID Vaccine "Passport". I've removed some of the metadata for simplicity, but you can read the full spec if you're interested.

   {   "ver": "1.0.0",   "nam": {     "fn": "Smith",     "gn": "Jo",   },   "dob": "1984-02-29",   "t": [     {       "tg": "840539006",       "tt": "LP217198-3",       "tr": "260415000",       "ma": "1232",       "sc": "2021-04-13T14:20:00+00:00",       "dr": "2021-04-13T14:40:01+00:00",       "tc": "GGD Fryslân, L-Heliconweg",       "co": "NL",       "is": "Ministry of VWS",       "ci": "urn:uvci:01:NL:GGD/81AAH16AZ"     }   ]},"YR/yMsyE3AOysWLCXuDc/Rlu507gH0/wgok+P8dxJtCwy0ydsIE2J5MeMxbynynU3n//zgOKSTB20FN0Fs1bgQ=="

It tells you the person's name, date of birth, when they had the vaccine, which vaccine it is, who administered it, some administrative codes, and then gives it a digital signature which can be verified without needing an Internet connection. Nifty!

The same is broadly true with academic qualifications. It lists your names, birthday, university, level obtained. Or your employment history can be encoded with your employment dates, salary, references.

So you can show the above - encoded as a QR code - to anyone. They can scan it and verify that it is authentic! AWESOME!

Except...

How do you prove that you're the person mentioned in the credential?

You could show your passport or driving licence at the same time. Assuming you can afford either of those documents. But that still leaves the same problem. How do you prove that the passport belongs to you? Perhaps you grabbed it at the same time you stole the certificate.

Humans are not very good at recognising faces from photos. So comparing the picture of me in my passport (young! clean shaven! well lit!) with the person in front of you (old and tired! beardy! under a street lamp!) is always going to be error prone.

This isn't a problem which can be solved by adding more digital signatures. Even if I co-signed the credential with my private key - you have no way of linking that key to a corporeal human being.

A Verifiable Credential could also contain a hash of biometric data like a fingerprint, for example. But that leads to further problems. Are people comfortable giving away their biometrics to lots of different organisations? Do verifiers want the extra expense of getting fingerprint readers? That might work for an airport, but is probably prohibitive for a café. You could use proxies - did I see this person unlock their phone to present the claim - but these are weak ties at best.

To be clear, this problem isn't limited to vaccine certificates. It applies to any Verifiable Credential. Whether it is an academic qualification, a health certificate, employment status, or any other claim.

This isn't something which can be solved by putting a claim on a blockchain (lolsob) - it is a fundamental limitation of the fact that humans don't come with built in, irrevocable, digital signatures.