General Answer

Technical Answer

Make it clear to whoever is viewing the credential who you (the issuer) are. The issuer field will likely contain an opaque DID or URL, so the main challenge for any implementer is -- how do I make it clear who the DIDs/URLs/public keys belong to? That is, how do I communicate that to whoever is interacting with the credential? Credentials may contain additional metadata about the issuer, such as a name, contact email, or URL, but verifiers should not trust these values to be accurate without confirmation of the issuer identifier with a trusted authority.

‍

Some issuer identifiers (such as those using the did:web method, or plain HTTPS URLs) are human-readable. For example, if the credential is signed by https://example.edu, the reader can at least go to the site and find out who the issuer is. But many are opaque strings or issuer identifiers. For those cases, when constructing the UI, you need to look up the opaque issuer in a registry or directory of some kind (see, for example, the Verified Issuers and Verifiers draft specification, or the European Union's lists of registered issuers). In short, when building the UI, you get the issuer's identifier from the credential itself, and you get the name and other information about the issuer from prior knowledge or external registries or directories that you trust.

‍

Are they authorized to issue these kinds of credentials?

Some known issuer specifications include optional indications of "which types of credentials is this issuer authorized to produce", but many do not. Additionally, in some use cases, you may be able to look up the issuer in some external database such as DAPIP among many others. A requester of a credential may also be able to ask for additional verifiable credentials that denote the issuer's accreditation. For example, when requesting a diploma (issued by a university), a requester could also require a VC marking the university as an accredited institution.

‍

What procedures should I follow to ensure the claimed achievements, skills, or competencies are well clearly substantiated?

Depending on which kind of credential you're using, it might have a specific property that denotes the procedure that was followed. The OB 3.0 specification uses a combination of evidence and criteria properties. In addition, some credentials will contain references to (or alignment with) industry-recognized competency frameworks; check with the appropriate credential type specification.

‍

What evidence of the performance (of the achievements in the credential) is available?

Many credential types also include a dedicated evidence section, where issuers can embed (or link to) external artifacts (such as videos, published papers, test results, and so on) that support the achievement claims.

‍

What is the current status of the credential?

Credentials have several mechanisms of determining current status, such as expiration, revocation, and Refresh Services. These should be accurate and current, and where possible a brief explanation of the meaning of the status conveyed.

General Answer

Technical Answer

There are a number of layers to the Verifiable Credentials tech stack that need to be implemented for issuing, transmitting, and verifying LERs issued as VCs. For some layers, there is a clear leading solution, and for others, there may be multiple options. The primary criterion that can guide these choices is interoperability across all software that handles the credentials. Many of these decisions are made by developers implementing LER VC software products that implementers purchase, so purchasers are more in the role of documenting those choices across the different software roles they need filled to ensure there is a path of mutual support for each layer.

‍

We’ve outlined here a list of key technical questions for you and your team to consider and make decisions on, whether you are building your own software or selecting from products available in the market.

‍

What envelope format should be used?

Options are: W3C VC 1.1 (final) or 2.0 (awaiting finalization but already in use by some implementers)?

Which wallets or verifiers have you identified as targets for these credentials, and do they list supported versions?

Which serialization of the envelope format best suits our use cases?

JSON/JSON-LD or JSON Web Token (JWT)
Do target wallets or verifiers list supported formats?

What LER credential type specification should be used for detailed claims?

Options include:

OB 3.0
CLR 2.0
EU ELM

Do target wallets or verifiers identify which formats they support?
Open Badges are the simplest and most final of these options, so if no clear answers are available, that is a great start.

What cryptographic key type should be chosen to sign the verifiable credentials?

Options include: Ed25519 (EdDSA), RSA, secp256k1 (P-256), secp384r1 (P-384).

EdDSA is emerging as a common option in the LER space, and is supported by 1EdTech's conformance certification tools.
P-256 keys may be more commonly used where governmental agencies are verifying credentials, where NIST-approved cryptography may be preferred or even required.

What type of identifier is used for issuers?

Commonly used options include did:web or did:key

did:web and did:key DID methods have the broadest support in 2024, but others may emerge.
HTTPS URLs can be used but have less support among wallets and verifiers than did:web which is equivalent.

What type of identifier is used for credential subjects?

DIDs (did:key, did:web) either through authentication with a learner wallet or through keys or URLs assigned by the issuing platform.
Email addresses (as an OB/CLR Identifier), which may improve holder authentication for systems that don't yet support key-based wallet authentication.
Student ID numbers or other assigned identifiers (as an OB/CLR Identifier)
Europass person identifier, for use with European Identity Wallets.
Multiple identifiers of different types may be included to increase subject identity authentication, but only one DID may be used.

How should skills be included in credentials?

Alignment to URLs is the most common method of referencing skills. Do skills have individual URLs assigned where they can be referenced or can this be done? If so, use "alignment" capabilities in OB/CLR or the equivalent capability of the selected credential type (such as relevant Concepts within a LearningActivitySpecification of ELM)
Publishing skills through an open data standard improves their reusability.
If the credential represents exactly one skill not published elsewhere with a URL, OB/CLR issuers may describe the skill in a lightweight manner with the "name" and "description" and set the "achievementType" to "Skill". This is an optional property that not all vendor solutions support.
Detailed data about assessments against specific achievement levels for skills may be provided using the OB/CLR Result and ResultDescription classes. Verifier or display support for this data is not as widespread as alignment.

Are biometrics required in the credential for the verifier to authenticate the identity of the subject? If so, which biometrics are required?

Possible biometric data includes height/weight data, fingerprints, iris scans, or a photograph.
Inclusion of such data in a credential should be done only where necessary, because it is sent to every verifier and may pose privacy concerns. If biometric identification is necessary for a use case, consider packaging it in an identity credential separate from LERs that represent skills or accomplishments.
OB/CLR/ELM do not support this type of data natively, so an approach would need to be coordinated with target verifiers.

Are the credentials intended to expire? If they expire, can they/should they be automatically renewed (with or without user involvement)?

If expiry is appropriate, set an appropriate validity period within credentials, and make it clear to subjects how to renew if applicable.
The specific properties to express the validity period (issuance date to expiration date) vary depending on which version of Verifiable Credentials in use (1.1 or 2.0). The latest terms are "validFrom" and "validUntil".
For credentials where there is no clear expiration of the claim, do not include an expiration date.

Do the credentials need to be revocable?

Implement a status method such as a Bitstring Status List, which is the most broadly supported status method as of this writing.
Identify whether in-scope wallets or verifier software supports

Which known issuer directories or registries should be used?

The implementation landscape is early for verifiers and registries, but consulting the wallets and verifiers that are relevant in your community or industry is the first place to start to identify which registries may be the most important.

General Answer

Technical Answer

Credential continuity requires a set of roles, policies, software and procedures and legal agreements are in place to reissue, manage, distribute, store and revoke digital certificates by a surrogate organization. and manage public-key encryption.

‍

Issuers should ensure continuity provisions enable a third-party to step in and guarantee the credentials issued by the defunct establishment to their students or employees remain viable in their absence. Options to operationalize this practice include::

‍

Identifying another institution or entity with whom trusted relationships exist, e.g., another college in a system to which the issuing institution is a member, a state agency, such as a Department of Higher Education, Department of Labor, state longitudinal data service, or state workforce board with whom they can rely on to sustain credential viability in their absence.
An issuer of LER credentials might wish to pursue continuity plans in which measures to ensure continuation of credential service are specified in anticipation of future circumstances that require a change in operational posture. Today this might include:some text
- Negotiated legal commitments signed by a partner institution, professional association, state agency or another entity in the event the original institution has either become disabled, e.g., a natural disaster forces operations to cease, or, has a planned shutdown due to acquisition or bankruptcy to take over the oversight of credential viability;
- Documentation of policies and procedures used in all aspects of the issuing/re-issuing, signing, revoking and verifying credentials of the defunct institution, along with other business practice rules such as issuer and verifier repository information in which the institution may be registered, software libraries;
- Copies of data in all credentials issued, including linked data such as may be used as evidence in issued credentials;
- Data integrity artifacts, which at present might be represented by DID documents and JW Key Sets,
- DNS redirect instructions to route verification requests to a new endpoint as per the negotiated business arrangements to ensure continuity of student and alumni services such for credential verification;

General Answer

Education

The intersection between what is in demand among the organizations or employers who rely on your credentials and what is in your project's capabilities to assess is the sweet spot for what achievements you should recognize. Reviewing recognized sources may enable you to identify in-demand skills.

‍

Credit-bearing credentials in education should align with program structures, including faculty governance and learning objectives, while non-credit-bearing credentials offer flexibility but still need to demonstrate performance evidence relevant to employers.Their value for employers is largely in the evidence that is provided, and the level of performance of the learner must achieve to merit the award. If non-credit bearing, there may be more flexibility in deciding what should merit an award, but the bridge to employer needs and job requirements are largely the same. Credentials should be ‘stackable’, that is, represent demonstrable achievements in a progression of increasing skill breadth and capability, that cumulatively build toward a more comprehensive representation of expertise or experience.

‍

Employers

Employers who issue LERs as VCs should consider recognizing competencies/skills from all types of learning including job performance assessment, education and training program assessments and other skill assessments done for workers to confirm skills developed elsewhere (e.g., hiring assessments). They should consider the specific competencies necessary for job success, differentiate levels of performance, prioritize essential job-related skills while also recognizing lateral skills that contribute to broader company objectives, and provide opportunities for skill advancement with worker input for capability development. Consider the competencies, or knowledge, skills, and aptitudes, needed to succeed within job categories. Are there degrees of performance that need to be distinguished?

‍

Companies that recognize skills are often also the first audience for that recognition as well as its issuer. Credentials may document the position an individual has in the company (job title/role), their work history and other relevant context for their work in that organization. The most useful things to recognize within a work environment may be those that best inform the team immediately about who has what skills and that enable the organization to work together better because of the knowledge embedded in the credentials.

‍

Employers do not need to see credentials as providing help to their employees to find and qualify for work elsewhere; the first and primary audience for employment-based recognition may be within the organization itself, even as it supports individuals' ability to interface widely with their industry and project the expertise of the organization more broadly. Local recognition may also involve an ongoing process of verifying and accepting LERs from ongoing experience their employees are gaining outside the organization, such as through attending conferences or participating in specialist communities or ongoing professional development.

‍

Technical Answer

General Answer

Technical Answer

Credential types that support LER claims include single assertion and composite credential types, which include multiple single assertion credentials inside an outer wrapper credential. The outer credential may represent, for example, a degree awarded, where the individual credentials embedded in it recognize the completion of individual courses. The outer credential, if signed alone, seals the entire compound credential as a set enabling the compound credential to be verified. If the embedded single assertion credentials are also individually signed, the learner may curate them, selecting just some of the courses for disclosure to a third party, if their wallet or other holder-focused service supports it.

‍

Single Assertion Credentials:

OB 2.0 - an older format not compatible with the VC Data Model, badges are hosted on the issuer's website, containing only publicly intended content. Note: this version of the specification is not VC-compatible, but it may be implemented alongside the VC-compatible OB 3.0 specification to support legacy verifier systems.
OB 3.0 - the current format, compatible with the W3C VC specification, where credentials may be cryptographically signed, and transferred through secure protocols, sometimes as Verifiable Presentations.
The European Union's ELM specification (micro-credentials section) reflects another development effort that initially used an XML data model, but has committed to implement their next releases compliant with the W3C VC specification. It is not yet finalized, but some early implementations may be getting started.

Composite/Comprehensive Credentials:

CLR 1.0 - an older format that is not compatible with the VC Data Model. These credentials are hosted on the issuer's website.
CLR 2.0 the comprehensive learner record compatible with VCs, with individual achievements embedded inside in OB 3.0 format.
The European Union's ELM specification which supports the European Diploma Supplement, European Qualification Framework, and micro-credential use cases.

‍

Open Badges 3.0 features the broadest adoption among Verifiable Credentials LER credential types to date, and is implicitly included in CLR 2.0 implementations, so it is a practical choice for many projects. But ultimately, credentials are only valuable if they are understood by verifiers, so some effort is worthwhile to understand what credential type verifiers and their software support.

General Answer

Technical Answer

Verification while offline, requires some or all of the following pieces to be in place:

A mechanism to present a digital credential to the verifier, such as generating QR codes that contain an understood encoding of a Verifiable Credential, or a protocol for requesting credentials over Near Field Communication (NFC), or other point-to-point method.
An issuer identifier that is resolvable offline, such as a DID that doesn't require resolution through online services. Examples include embedded DID methods such as did:key, did:jwk, and did:pkh or ephemeral DID methods such as `did:peer. Alternatively, only issuers previously known to the verifier may be accepted.
Locally stored or cached known issuer lists or some other ability to know which issuers to trust, while offline.
A way to make risk decisions on the freshness and validity of credentials in time. That is, since you can't use a remote revocation service, verifiers may be left with only the expiration mechanism (locally contained in the credential), to determine validity of status.
All JSON-LD contexts that are used in credentials will need to be cached locally within verifier software. This is a recommended step even for online usage for security and performance reasons, but it is necessary when an internet connection is not available.

‍

Computable Digital Credentials on Paper

There may be additional use cases for printed credentials that don't imply offline verification. Some proof-of-concept approaches exist to representing VCs as barcodes, QR codes or PDF417 barcodes. Other implementations encode a URL to a publicly available copy of the credential, at a potential cost to learner control and privacy. In any project that explores this method, a common pattern is that the credential may be delivered on paper but is backed with a digital credential for verification and status checking.

Projects may print a credential like a certificate, with a familiar layout for human consumption (like a printed diploma or certificate, or a letter on corporate letterhead). Adding a QR code to the printed document, can enable a mobile phone camera or a dedicated scanner to easily ingest the machine-readable version of the credential. Embedding anything other than a URL in a QR code requires the verifier to scan it with special software rather than just their phone camera or a basic barcode scanner.

‍

What will the QR code contain? Two choices:

‍

You can embed the entire digital credential into the QR code. Benefit: readable offline. Drawback: severe space restriction (4000 characters, for QR codes), which means, only small compact credentials can be embedded.
You can embed just the URL to the credential in the QR code. Drawbacks: requires that the verifier has a network connection (to load the credential from the URL), and the credential now must be hosted online at that URL where it may be potentially accessed by parties beyond those the holder intends. Benefit: you can have QR codes that link to much larger credentials than you would have in the previous option.

‍

Linking to an online-accessible credential in this way is convenient for many use cases. But who hosts the credential? In previous iterations of digital credentials (such as OpenBadges 2.0), it's the issuer that's required to host the credential. However, the whole point of digitally signed credentials (such as OB 3.0) is to separate the issuer from hosting requirements (so that they cannot detect when a credential is being verified), so this method of publishing credentials undercuts that benefit. In any case where URLs are available publicly that include personally identifiable information, it is wise to enable the data subject to have some degree of control over its availability.

General Answer

Documentation that backs up the claims made in a credential is known as evidence. It's likely that the platform you are using to create these records will dictate how evidence can be used and what procedures may exist to add evidence.

‍

Evidence is typically added as one or more links and/or as a narrative description of the qualifications. If you link to evidence in your credential, make sure you note where it is stored. Ensure the owner of the evidence is appropriate and has appropriate control over evidence for the expected useful life of the LER credential. Make sure appropriate permissions are set to allow the public or certain viewers you wish to view the evidence to have access to it. For example, you may wish for learners to hold and control linked portfolio items backing their credentials themselves rather than to store them in an institutional repository long after the student has graduated.

‍

Cost of evidence storage is a potential concern, depending on the type of evidence. While basic storage costs are generally low (Google Drive provides individuals 15 GB of storage at no charge in 2024), if your storage for things other than just credential evidence and you are issuing a large number of credentials with considerable evidence linked to them, it will cost something. One possibility is leveraging work an institution may already have done regarding retention of student e-portfolios or similar collections of student work. A portfolio of credential evidence that is linkable might give the institution the option to host this initially but transfer that responsibility to learners/alumni after some defined interval, with the prerequisite that the links to the evidence do not change and break in the process.

‍

Evidence may also be particularly useful for self-asserted credentials. It has been theorized that it may be possible to embed evidence within credentials themselves, though this is not a recommended practice, because large payload sizes may result in unpredictable results as holders attempt to move the credential through a variety of services that rely on it. Remember that it is increasingly common to find evidence in the form of an audio recording or movie files.

‍

Often, a summary of what evidence is available that may be easily embedded in the credential (for example as a "narrative" about the overall credential or about a specific item in an Open Badges 3.0 credential) is more than enough for verifiers to get the understanding they need. This approach may help organizations avoid complicated questions about data storage and access that may require expensive solutions.

‍

Employers can issue guidance on what evidence a worker may use to demonstrate a self-asserted credential if the worker gained the credential in the workplace. Employers will also benefit from identifying what fields are useful to receive from education and training providers and what this means to key business stakeholders, including Human Resources, Performance Review systems, and others. An ePortfolio, similar in format to those used by education and learning providers, may be useful and simple to modify and adopt for workers to demonstrate self-asserted credentials and protect proprietary company information.

‍

Technical Answer

General Answer

Technical Answer

General Answer

Technical Answer

When credential holders, such as students, employers, and lifelong learners are considering adopting a digital wallet for their Learning and Employment Records (LERs) and other credentials, there are several critical factors to consider.

The wallet should offer good support for the credential type specification used. For example, if an issuer is issuing Open Badges credentials as VCs, a wallet that provides native support for this credential type will be able to render them more completely than a wallet that doesn't understand this format and can only display basic data about the credential, such as its issue date. There may be variances between the levels of support for a credential type across wallets. For example, advanced optional fields like OB 3.0's "result" fields may display as rich rubrics in one wallet and be skipped in another wallet that has a more basic level of support for the OB credential type.
The digital wallet should offer robust security measures to protect sensitive information from unauthorized access. Look for features that respect user privacy, giving users control over what information is shared and with whom. For example, wallets should request holder authorization before accepting, declining, sharing, or removing digital credentials
Wallets should make it easier to understand your credentials and open up new things you can do with themsome text
- Select, package, and share multiple credentials with a recipient
- Unpack digital credential verifiable presentation contents and organizes them for you
- Facilitate the viewing of skills data
- Allow you to create your own credentials for your achievements, awarded by you, to you, that is, author your own self-asserted credentials (this is essentially what you do on a resume anyway)
The wallet should enable verification by a variety of verifiers and the platforms they use. It should allow who you share the credentials with to verify them.
You should be able to download all your credentials and take them elsewhere, or transfer them directly to another wallet.
The wallet's interface should be intuitive and user-friendly. If the wallet is using lots of jargon or has no guidance on how to use it, it may be challenging for users to adopt.
Ensure the wallet is compatible with the devices and platforms you use regularly or expect holders in your community to use.

‍

Bonus features to look for, either built-in, or through integration with other services:

Endorsements - holders may be able to request that others endorse or support your credentials or enable you to endorse credentials held by others.
Any integration or feature that shows career pathways which make use of the data in your credentials to provide more information that enables insight and decision making about your career journey.
Talent marketplaces - allows you to share your credentials with a job platform where you may be found by employers on the basis of your credentials and the skills they recognize.
Supports connection to social services - enables users to apply for benefits based on identity or qualification information in credentials.

General Answer

Technical Answer

General Answer

Technical Answer

A credential’s duration of validity is set at the time it is issued, fixed in the cryptographically signed credential at the time it is signed and delivered to a holder's wallet for instance. An individual holding credentials issued to them cannot change the duration for which the credential is valid. A credential will expire if an expiry date was written into it at the time it was created. However, the issuer cannot reset the expiry date.

Issuers, whether self-issued or issued by education institutions or employers, can revoke a credential if they have an appropriate status service set up. The VC specification includes an optional credentialStatus property, which serves as an extension point for various revocation mechanisms. At the current time, the most widely used revocation method is the Bitstring Status List 1.0 spec, but others are in development so check in the Credential Status section of the VC Specification Directory, for up to date links.

‍

Any software interacting with the VC (whether it's a wallet, a verifier service, or any other processor) then has to make the policy decision of what to do with an expired VC, such as should it be rejected, or just flagged as expired but continue to be relied upon to some degree, based on the understanding that it was once valid. It is not recommended to continue to accept revoked credentials for any purpose even if some expired credentials may continue to be accepted. This is analogous to real-world usage of paper and plastic based credentials; for example, some jurisdictions allow expired drivers licenses for purposes of age verification, and others do not. Certain purposes for which credentials are issued are more amenable than others to continued relevance after expiration. A skill may decay at an unpredictable rate after initially learning it, depending on reinforcement and continued related study, but a documented authorization to perform a certain duty may be more important to a verifier than whether the underlying skill remains.

General Answer

Technical Answer

Issuer Identity

Make it clear who you are. The issuer is primarily identified within the credential with an opaque DID or a URL, and any other information about the issuer in the credential should not be treated as trustworthy by a verifier until they have confirmed it with a trusted source, such as an issuer registry.

‍

They are a number of different Issuer identifier types you can use. Some issuer identifiers (such as those using the did:web method, or plain HTTPS URLs) are human-readable. For example, if the credential is signed by https://college.edu, the person viewing the credential can visit the site and find out who the issuer is. Where the digital identifier is not human readable the identifier should be listed in a registry or directory of some kind with human readable description for who it represents. For example, as might be expressed by a registry using the Verified Issuers and Verifiers draft specification, or the European Union's lists of registered issuers). Some industries or sectors also will develop registries of education, training and credential providers.

‍

Credential Issuing Accreditation or Authorization

In some industries and sectors, accreditation or the authorisation to issue certain credentials plays a vital role in enhancing the credibility, reliability, and value of digital credentials. Accreditation involves a rigorous process that ensures professionals and institutions meet specific standards and criteria related to education, training, competency, and ethical conduct.

‍

Authorization can be granted by various bodies from government departments or agencies (e.g., U.S. Department of Education), industry accreditors (e.g., in Healthcare, the Accreditation Commission for Education in Nursing (ACEN)) and/or certification bodies (e.g., in Healthcare American Board of Medical Specialties) amongst others. In higher education disciplinary professional organizations often define requirements a degree or certificate should follow (e.g., ABET for engineering).

‍

Making credential metadata clear and transparent, your organization's authorization or accreditation status to issue them can greatly impact the perceived credibility of the credentials you issue. This could be in the form of a link to a web page with the necessary accreditation details, a database of accredited organizations in which you are listed (e.g., DAPIP), or the issuing of a Verifiable Credential (VC) about your organizations accreditation status.

‍

Procedures for Assessment Credibility

The procedure for communicating the credibility of the assessments in skills-based credentials, will depend on which credential type you're issuing and if it includes a specific property to communicate the procedure that was followed and links to evidence. For example, the OB 3.0 specification uses a combination of evidence and criteria properties, as well as a dedicated Assessment credential type and even more detail about assessments in ResultDescription. ELM has its own vocabulary for describing LearningActivitySpecifications. In addition, some credentials will contain references to (or alignment with) industry-recognized competency frameworks; check with the appropriate credential type specification.

‍

Linked data to Evidence of Achievement Claims

Verifiable Credentials can utilize linked data allowing for rich, contextual information to be included or referenced. Many credential types include a dedicated evidence section, where issuers can embed or link to external artifacts such as videos, published papers, test results etc., that support the achievement claims.

‍

Identify i) which sources of external artifacts or learning assets can be used to corroborate the skills and competencies claimed by the credential, ii) decide how to treat any possible PII the assets linked to may disclosure, iii) how to effectively collect the links ensuring they remain active, open and accessible, and iv) include the linked data in the credential.

‍

Compliance with credential type requirements or schema (e.g., OB, CLR, or ELM)

Beyond the VC Data Model itself, there are a number of "credential type" specifications that organizations and institutions adhere to, which ensure that all such credentials are issued in a consistent manner. Examples of credential issuing standards include Open Badges (OB 3.0), and Comprehensive Learner Record (CLR 3.0), and European Learning Model (ELM). Once you’ve decided the credential type you will issue, you can read more information in their technical specification documentation as to how to comply with its schema for how metadata should be included and ensure all required data is present.

‍

Credential Status

Credentials have several mechanisms for verifiers to determine current status, such as whether or not a credential is revoked, suspended, or updated. These include expiration dates, revocation services, and refresh services. These should be accurate and current, and where possible a brief explanation of the meaning of the status conveyed.

‍

General Answer

At this stage in the development of the credential landscape, how you share will very much depend on the expectations of the requester (the person or organization that would like to receive your credentials).

Prior to LERs, there were few methods to share credentials data to most employers or job boards, such that it could be verified easily. The easiest way to think about this, is to compare existing workflows to the newly available LER-enhanced workflows.

Current Non-LER-based Requester-initiated ("pull") workflows today include:

‍

Single specific form field: an employer presents a form, asks for a specific credential ("Upload a picture of your driver's license").
Guided UI: an employer presents a "resume builder" type of interface, where they guide you through adding Job history items, Education history, and relevant certifications. (Examples: LinkedIn, other job search engines).
Resume document upload: an employer presents an "upload resume" or "upload relevant documents" field (resume, licenses, etc).

Common existing Sender-initiated workflows (non-LER based) include:

Email your resume: You send out an email with an attached resume or deliver one in person.

LERs and Verifiable Credentials essentially follow these existing workflows described above, automating wherever feasible. LER-enhanced Requester-Initiated ("pull") Workflows include:

Single credential request: Employer asks for a specific credential. For example, when filling out a form, you'll see instructions like "Please present a credential proving you have permission to work in <Country>", and a "Present" button.
The new element here is - when you press the button, the website sends a request to your wallet, which will present you with a set of credentials that fit the request's requirements out of those you have available. You would select the appropriate credential, and the wallet would send these back to the requester.
Guided UI: Employer or resume search engine presents a "resume builder" type of interface, where they would prompt you for broad credentials representing a Work History or Educational Achievements, or certifications. It may have a variety of places to upload credentials as files, which you might obtain via export from a wallet or issuer website directly.
Broad credentials request: Employer or app initiates a request for one or more credentials in the applicant’s credential wallet that are of supported credential types. The applicant selects or confirms the credentials being requested in their wallet, whereupon the wallet proceeds to group the credentials into a set, signs them with your private signature key in a document called a Verifiable Presentation, then sends them to the job platform or employer to be verified and integrated into their application or profile. This is the multi-LER credential equivalent of a single credential request)

‍

LER-enhanced Sender-Initiated Shared Link ("push"/"share") Workflows include:

Single Shared Links to a Credential: You pick a credential (and maybe some accompanying narrative) you want to share, and then send it to a ‘sharing server’ (such as DCC’s VerifierPlus) which constructs a temporary http link which the credential holder can then send to an employer (by email, text, or an application) which when clicked will present the user information about the credential and its verification. This is similar to the "send an email with attachments'' workflow, except the credential is viewed online, not sent directly to an employer's inbox.
Multi-credential Bundle Link: This is the multiple credential link-to-view version of the previous example. This is like building an ePortfolio and sharing the URL with an audience. Some sharing platforms may enable upload of a number of credentials at once either via API from a wallet integration, or on an online form like the Guided UI above. The experience to generate a share link may be built into a web-based wallet application. The shared bundle may be presented as a list, or an organized document akin to a resume, with credentials referenced to back up relevant skills or experiences.

‍

Technical Answer

When possible, we recommend wallets or other holder software to use the Verifiable Presentation data model which features the capability for credential holders to prove control of a DID-based identifier that identifies them as the credentialSubject instead of sending the Verifiable Credential files without this wrapper. Such wallets should cryptographically sign the presentation and transmit it using open-standards protocols (e.g. CHAPI, OIDC4VP, or VC-API) to an employer's endpoint. This is the preferred approach if the job board, employer, or other verifier system supports this method. The destination you wish to send your credentials will likely state if this is feasible and provide instructions to comply with this request. The ecosystem has not yet converged on a particular approach, which

‍

To facilitate this, verifier software should support at least one such open standard protocol for transmission of presentations. Coordination between issuer(s) and verifier(s) within a project or focus area can ease pain points related to otherwise mismatched protocols. If issuers can recommend at least one verifier where learners can reliably make use of their credentials, it can help avoid despair. Implementing more than one of the workflows listed in the general answer above can reduce the risk that users are stuck in a dead end.

‍

In addition to open protocols supporting transmission of signed presentations, the OB 3.0 API and CLR 2.0 API offer a holder-authorized mechanism for transmitting credentials between web-applications. Independent authentication of the user's association with the credentialSubject may be necessary.

‍

To use LER VCs to apply for a job or submit an application to an education/training organization the learner/earner must have:

Digital Credential Wallet - either a web-based credential wallet as a service or a credential wallet application installed on their mobile device that supports the communication methods the employer or education provider has chosen to enable this automated transfer of LERs as VCs
LERs that were issued compliant with the W3C Variable Credential standard and an open credential type specification that supports the type of learning or skills that learners have.

‍

In addition, the verifier must be able to obtain the LERs issued as VCs from the wallet via a workflow supported by both applications.

General Answer

‍

In conversations about Verifiable Credentials (VCs), you'll encounter terms like "verification", "validation", "authenticity", and similar related concepts. Although the VC community emphasizes nuanced technical differences between those terms, it's important to keep in mind the core concept behind VCs. That is, Verifiable Credentials exist to model only one idea: Some entity is claiming something about a subject.

That is, a VC is just a digitally-signed record of some entity (the issuer) making one or more claims about a subject.

‍

Notice that this model does NOT tell you anything about the quality of the information in the credential. Nor does it tell you if the information is accurate or truthful. It only tells you that the issuer that signed the credential has made those claims. It simply reveals whether the credential has been tampered with, and conforms to the specification of the credential type. With that main model in mind, the following is a list of things you can investigate when receiving and processing a credential.

‍

Authenticity: Who made the claims in the credential?

By definition, every Verifiable Credential must identify its issuer -- that is, the entity that has made the claims. The issuer is identified by an identifier in the verification method (usually, by cryptographic keys or Decentralized Identifiers in the digital signature). In the literal sense, checking who made the claims is easy and automatic: first, look in the issuer field for the issuer's identifier, and second, automatically (with the help of well-known algorithms) check that the credential was signed (or otherwise sealed) by that identifier. However, just knowing the issuer's identifier, by itself, is not sufficient.

‍

Issuer Identity: Who does the issuer's identifier belong to?

While determining the issuer's identifier is trivial, knowing who that identifier belongs to (what natural or legal entity claims control of that identifier) is a lot harder, at least from a logistical or organizational perspective. Essentially, you need one or more lists from a trusted source, directories of entities that map identifiers to legal or at least recognizable names known to the provider of each list.

‍

Where do these directories come from, who will host them, how will they interoperate, and what governance rules will they follow? The answers to these questions are still evolving in the credentials space, but will very likely depend on the subject matter or "vertical" of a given credential. A considerable amount of government, business, and nonprofit infrastructure exists that currently play these roles in society, from ministries and government departments, to global standards organizations, to professional associations, and consumer consortiums. Approaches to bringing these capabilities to the digital credentials ecosystem may involve a combination of strategies: specific lists of issuers known to specific verifiers by direct arrangements, the implementation of common protocols for expressing and consuming this type of trust information, and the development of new services specific to answering these questions for verifiers. As these pieces come together, collaborations between issuers and verifiers

‍

Signature Verification: Is the signature valid, and has the credential been tampered with?

In the context of Verifiable Credential, the term "verification" typically means "the process of determining whether the digital signature or seal on this credential is intact and valid". This process is automatic, performed by trusted code libraries or web services. And while this is a critical operation, and serves as the heart of all Verifiable Credentials, it is very limited in scope. It can only do two things:

‍

Check that a specific identifier has signed and sealed the credential. (But not who the identifier belongs to, see the previous section for more discussion.)
Ensure that the credential has not been modified since it was signed or sealed.

‍

Everything else about the credential (such as who controls the issuer's identifier, or whether the credential is acceptable according to the verifier's business rules), is the domain of trust frameworks, policy decisions, and risk assessments.

‍

Acceptance: Is the overall credential acceptable, according to the verifier's business rules and policies?

As the phrasing of the question implies, this is only answerable by each individual verifier or relying party, and solely depends on their use cases and policies. For example, while a credential code library can easily check whether the expiration date on a given credential has passed, it is up to the verifier to decide whether an expired credential is still acceptable. Similarly, while it's easy enough to automatically check if it's been revoked by the issuer, it is up to the verifier's risk profile to determine whether a revoked credential is acceptable. Consider, for example, existing use cases where a complex credential like a drivers license can be revoked by the issuing body (for traffic violations), but is still acceptable for some uses such as age verification. Acceptance of the credential issuer's claim is separate from the authentication of the issuer's identity; the acceptance of a skill claim may vary depending on whether it is issued by a peer or a prestigious institution.

‍

Technical Answer

In the context of processing Verifiable Credentials for purposes of verification and acceptance, implementers will need to keep several things in mind. A helpful way of thinking about the process is to divide it into VC verification (the mechanical components of credential processing) and acceptance (where you apply the business logic of your particular domain to interpret the meaning of the credential in the verifier's context or environment).

‍

Verification steps (handled by a typical VC library or service)

1. Is it a well-formed VC (according to the VC Data Model spec), are all the required fields present, etc.

2. Does the VC validate against the specified schema or verification rules of the credential type specification? See type-specific credential processing.

3. Verify the signature. This involves:

Resolving the issuer's identifier (it needs to be resolvable through a mechanism available to the verifier) and identifying authorized signing keys
Identify which key signed the message
Cryptographic signature verification (indicates the credential has not been tampered with) according to the algorithm defined by the securing mechanism used by the issuer.

When building an application to perform these verification steps above, the main decision an implementer needs to make is "which securing mechanisms, such as cryptographic suites or key types, and which DID methods, should our application support?" This is partly a technical decision (for example, "we'll use Ed25519 keys to start with, as they're well supported and performant"), partly a legal requirement or policy decision (for example, "NIST government guidelines require us to support the EC-256 key types"), and largely a question of which approaches relevant issuers will be using in credentials the verifier is likely to encounter.

‍

Acceptance steps (app-specific business logic and policy decisions)

In addition to the automated verification steps above, typical VC verifier libraries will also perform several policy-specific checks. If required by policy, check:

‍

The validUntil field to see if this credential has expired. (Don't forget about time zones and distributed systems clock skew.)
The validFrom field to see if the credential was "future-dated".
If the credential has been revoked. Some revocation methods support several different reasons for revocation (permanent vs temporary), so that needs to be taken into account as well.

‍

Lastly, your app logic will need to perform any remaining checks necessary for acceptance of this particular claim from this particular issuer. For example, if using one or more registries of known issuers, you will need to check the issuer's identifier (often a DID) to see if it is registered with a trusted authority and determine whether to accept the VC based on the issuer's reputation or other considerations.

‍

When all programmatic verification and acceptance checks complete, applications may present results for human-mediated decisions, like whether to bring a candidate in for an interview. Or in some cases they may be programmed to automatically respond by changing some records, such as recording a license requirement as met or a skill as mastered.

‍

Embedded (client-side) verification vs using a verifier web service

Another implementation decision is -- should you use an embedded standalone VC verification library, or call out to a verifier web service (such as one implementing a standard VC-API endpoint for verification)?

This will mostly depend on your platform constraints.

‍

Embedded Verification Library:

Benefits include: self-contained, no need to authenticate with an external verification API (this matters, for example, when creating an in-browser Single Page Application).
Drawbacks indluce: if you decide to support a different set of cryptographic suites, key types, or DID methods, you'll need to add that code and re-deploy the app. Also, some DID methods may require heavy-weight server side resolvers.

‍

Verifier Web Service:

Benefits may include the usual benefits of microservice architecture, such as: the verifier service can evolve independently (and receive security updates) from the rest of your application.
Drawbacks include: these services are typically gated behind API authorization, and some applications (called "public clients" in authorization parlance) may have difficulty keeping track of corresponding secrets and API keys. If the service is maintained by a third party, you may become dependent on their decisions about the priority of supporting the approaches used in certain credentials that you are presented with.

‍

General Answer

There are several reasons why an issuer may no longer be in service, such as if it closes its doors, leaves the market, is disabled by a natural disaster, or even just changes technology vendors. It would be a disservice to credential holders if their credentials became unverifiable. Issuers may protect against this possibility by making wise choices up-front. The continuity of verifiable credentials refers to ensuring the ongoing validity, reliability, and usability of verifiable credentials over time, especially if an issuer stops issuing credentials or shuts down infrastructure used to issue credentials. The intention of the LER VC ecosystem is to enable the holder (learner/earner) to maintain access to their credential and for those credentials to remain verifiable regardless of the issuer's operational status through a decentralized architecture, ideally avoiding the necessity to "phone home" (to the original issuer) for verification in the first place. This is compatible with credentials remaining verifiable even if the issuer is no longer offering all the services it once did.

The viability of these credentials will be at risk if the issuer has not made arrangements for continuity of their credentials. This is analogous to failing to arrange for insurance in the event of personal injury or death. This can be avoided by planning, in the same way essential business and academic parts of an institution plan today for the potential of a natural disaster.

‍

Continuity provisions should seek to ensure that:

Linked artifacts, such as evidence, are either referenced by URL to durable locations (or durable locations that redirect to current locations, such as "PURLs") or are adequately described within the credential to ensure adequate understanding in case the underlying artifact cannot be accessed.
Issuer identifiers and keys should not depend on services that require ongoing payment and maintenance by the issuer, as much as possible.
Policies are in place to ensure the continuity of issued credentials and dependency resources through a range of identified possible disruptions, such as natural disasters.
Maintain copies of issued credentials to enable reissuance of credentials from backup data if needed.

‍

These steps follow common Business Continuity Planning (BCP) procedures but in this case also covers continuity of credential verification, revocation checking, and/or other key processes even after a business has ceased operation. Credential continuity may involve putting in place a set of roles, policies, software and procedures, potentially including plans to reissue or transfer credentials to a surrogate organization or third-party issuer in the event of the issuer shutting down.

‍

Certain technology choices, such as the use of did:web identifiers rely on continuing maintenance of domain names and web servers, whereas others like did:key do not. There are tradeoffs to every choice; for example, did:key identifiers fundamentally don't enable the rotation of keys as a tradeoff to avoiding any dependency on a live service. Ensuring adequate continuity of credentials over the long term may require one or more breaking changes to how they are delivered as new technologies replace those at-risk. The standards in this space continue to evolve. For example, did:tdw aims to enable key rotation and other advanced features on top of did:web.

‍

The solutions available to issuers will rapidly evolve, but here are a number of recommended ways to operationalize this practice, based on what is available in 2024:

‍

Ensure issued credentials are included in Business Continuity Plans and any relevant business legacy plans so that they are not overlooked when needed.
Identify another institution or entity with whom a trusted relationship exists, and who could serve as a third-party issuer (e.g., another college in a system to which the issuing institution is a member, a state agency, longitudinal data service, or state workforce board).
Establish a digital escrow account in which continuation of credential service provisions are specified. This might include (but is not limited to):some text
- Negotiated legal commitments signed by all parties involved in the event the original institution can/does no longer serve as the issuing entity with the necessary oversights of credential continuity.
- Documentation of policies and procedures outlining all aspects of the issuing/re-issuing, signing, revoking and verifying credentials, along with other business practice rules such as issuer and verifier registry information in which the institution may be registered, software libraries etc.
- Copies of data in all credentials issued, including linked data.
- Data integrity artifacts such as those represented by DID documents and key sets.
- DNS redirect instructions to route verification requests to a new endpoint as per a business arrangement to ensure continuity of student and alumni services based on credential verification.

Technical Answer

General Answer

Technical Answer

Job search platforms could benefit from accepting uploads of LERs. A step was taken to enable both job search platforms and others who wish to accept LERs issued as VCs by the HR Open Standards organization, which sets standards for the HR industry. They have released v4.4 of their standard that adds:

Support for LER-Resume Standards (LER-RS). In essence it is preparing HR products to be able to integrate LER data into the schemas that these enterprise systems use by expanding and aligning terms with those used by LER standards organizations (W3C and 1EdTech).
LER-RS documents may contain OB 3.0 and CLR 2.0 Verifiable Credentials. The schema files distributed with the standard show implementers what OB/CLR metadata fields may appear in these credentials.
LER-RS provides a consistent and organized layout for resume data, making it easier for employers to scan and analyze
Emphasis is placed on highlighting skills and competencies, rather than simply listing past job titles and duties as has been approach in prior practice
LER-RS takes a preparatory step toward being able to handle credentials and achievements that use linked data, a central design of LER VC JSON-LD credentials
Anticipates the use of data structures that include embedded and linked data integrity proofs, that is the cryptographic methods by which LER VCs are signed to recognize the integrity of the credential and detect tampering that may have occurred since their issuance.
Support for xAPI assessment data generated by learning management systems. The exchange of assessments item level data and paves the way forward to support learner wallet initiatives and individual skills data. This is a step forward but still does not yet address the skills data currently defined within LERs
Support for increased flexibility in medical health care programs COBRA. This is clearly an issue parallel to SBHA, but obviously not directly related.

Some job platforms have integrated this HR Open Standards release into their systems, but it is still very new (v4.4 release date: 1/11/2024). It does not address how LER VCs sent to a platform or HR system are processed by them. At present that requires bespoke code to be written, tested, and implemented. The next step is to develop an API endpoint that eases the transfer of LER VCs to such systems.

General Answer

Technical Answer

Traditionally the primary determinants of credibility of a credential have been:

The brand of the issuer. Educational institutions among a certain tier of institutions, such as the “Ivys” on the East Coast of the U.S., or the so-called flagship institutions among public systems might have a higher credibility that is extended to the credentials they issue.
The accreditor of the credential issuer - within institutions of larger size there are often degree or certificate programs that are overseen by a third-party professional association. For example an Engineering program may be adhering to the guidelines and quality assurance practices of ABET (Accreditation Board of Engineering and Technology). They are an ISO 9001 certified quality assurance organization focused on college and university programs in the science, technology, engineering and math (STEM) disciplines. Similar professional bodies accredit programs in their area of expertise. A directory of accredited programs can be found at their websites, e.g., for ABET programs.

‍

This is analogous to using the Better Business Bureau for local companies that have been accredited and adhere to their Standards of Trust. The proliferation of single assertion credentials (originally developed by the Mozilla Foundation with support from the MacArthur Foundation for their Badges for Lifelong learning competition in 2011) has led to nearly a million badges issued, making an answer to this question even more difficult.

‍

Lists of Verifiable Issuers and Verifiers help to automate the decision process of whether to engage with a counterparty in a transaction and make it more auditable by ensuring that software can note that a party was on a list before engaging with them.

Digitally sharing lists of issuers and verifiers is a relatively new concept. There are at least two general considerations. The first is technical. A standard format for a registry of issuers and verifiers is the subject of several community groups and task forces among standards organizations, such as W3C, the Trust Over IP Foundation, the European Digital Identity Initiative and other European Trust Frameworks, Canadian Trust Framework activities, as well as commercial ventures. A community working group under the umbrella of the W3C has published an initial draft report “Verifiable Issuers and Verifiers v0.1 on March 8, 2024, but it is not completely ready for implementation. The ToIP draft of its ToIP Trust Registry Protocol V1 Specification has an accompanying animation of how a trust registry might work.

The second is the governance framework, what practices, rules, and policies will guid who is allowed to be added to the registry? An initial start at this for an issuer policy has been made by ASU for their TLN project. This is an early stage governance and process description of how their credentials are structured, how credit is assessed, and by whom as part of awarding credentials.

‍

As registries for Issuers and Verifiers become standardized they should include at least some of the following attributes:

‍

Description of Issuer Responsibilities
What privileges and capabilities do the issuer have and expect to use?
What types of credentials do issuers in the registry provide to credential subjects and their affiliated policies? These might include (but not be limited to)some text
1. Achievement credentials
2. Skill/competency credentials
3. Assessments
4. Certificates or Certifications
5. Degree
6. Diploma
7. License
8. Membership
Record quality requirementssome text
1. Quality assurances practices
2. Peer review procedures
Technical and security policies and practices
Disciplinary practices some text
1. Disciplinary policy and steps
2. Removal policies
3. Appeal policies and adjudication procedures

Audience

Resource Type

Network

topic

Audience

Resource Type

Network

topic