0. 前言
上篇我们从DID的相关基础概念和组成进行了介绍,为了更进一步的了解DID的的概念,本篇文章从员工工作跳槽,现雇主公司需要验证入职员工工资流水进行定薪的场景展开。
主要从场景描述、具体描述这两部分进行介绍。
- 场景描述:介绍个人收入证明场景下,参与方、验证过程、并对比同传统验证方案的区别和优势;
- 具体实现:结合实际场景,对DID架构中所使用的DID标识、DID Doc、可验证凭证及可验证表述数据模型进行构建,并描述其中的验证过程和原理;
1. 场景描述
1.1 传统验证过程
员工入职现雇主公司并根据工资流水定薪是一个非常常见的应用场景,大致过程如下:
- 入职员工通过提交上一家的工资流水证明来证明自己薪资水平,该证明一般通过向银行申请获得;
- 入职员工携带必要的材料去银行进行工资流水证明申请;
- 银行验证相关信息后,为其打印工资流水证明,证明会附上银行的印章信息;
- 入职员工携带材料去入职,并将银行开具的工资流水证明提交给现雇主公司;
- 现雇主公司HR查看银行开具的工资流水证明,能够获知该员工的工资收入情况并根据实际情况进行定薪;
上述过程是传统流程下的证明开具和验证流程,参与方分别为入职员工、银行、现雇主公司,证明内容反映的信息为该入职员工上一家工资收入情况,印章则能够证明该证明是银行所开具。
1.2 基于DID验证过程
基于DID的验证流程思想上同传统验证过程类似,也是根据证明信息来验证用户收入情况,不同之处在于在DID的体系下,代表实体身份的是不同的DID及对应的DID Doc,代表证明信息的是可验证凭证和可验证表述。
- 入职员工、银行、现雇主公司会分别进行DID注册,并生成相应的DID Doc;
- 入职员工通过线上或线下方式向银行申请关于工资流水的可验证凭证;
- 入职员工将可验证凭证封装为可验证表述,通过线上或线下的方式提交给现雇主公司;
- 现雇主公司会查看入职员工所提交的可验证表述来验证入职员工的收入情况;
- 验证通过后,现雇主公司会根据之前的收入情况对入职员工进行定薪;
同传统验证过程相比,DID架构下,身份和凭证的合法性通过基于密码学的数学方法进行验证。由于可验证凭证遵循同一套规范去定义的结构,所以不同机构或种类的证明可以更具有通用性,不同凭证的区别则更多体现在了凭证本身需要证明的内容上面。
2. 具体实现
2.1 构建模型
DID & DID Doc
在该场景下,参与方有三个实体,分别是入职员工、银行、现雇主公司,生成的DID和DID Doc信息如下:
- 入职员工
- DID:did:example:123456abcdef
- DID Doc
{
"@context": "https://test.cn",
"id": "did:example:123456abcdef",
"authentication": [{
"id": "did:example:123456abcdef#keys-1",
"type": "Ed255519VerificationKey2018",
"controller": "did:example:123456abcdef",
"publicKeyBase58": "H3xxxslkMv5423MJHjnamjxiklijinklkjijkew"
}],
"service": [{
"id": "did:example:123456abcdef",
"type": "VerifiableCredentialService",
"serviceEndpoint": "https://test.cn"
}]
}
- 银行
- DID:did:example:abcdef123456
- DID Doc
{
"@context": "https://test.cn",
"id": "did:example:abcdef123456",
"authentication": [{
"id": "did:example:abcdef123456#keys-1",
"type": "Ed255519VerificationKey2018",
"controller": "did:example:abcdef123456",
"publicKeyBase58": "H3AHjkMJZlkMv5423MJHjnamjxiklijinklkjijkeU"
}],
"service": [{
"id": "did:example:abcdef123456",
"type": "VerifiableCredentialService",
"serviceEndpoint": "https://test.cn"
}]
}
- 现雇主公司
- DID:did:example:xxxxxx123456
- DID Doc
{
"@context": "https://test.cn",
"id": "did:example:xxxxxx123456",
"authentication": [{
"id": "did:example:xxxxxx123456#keys-1",
"type": "Ed255519VerificationKey2018",
"controller": "did:example:xxxxxx123456",
"publicKeyBase58": "gQopTVs1CGXkUtYWkhKfGcXDFYUVBVDEvCvkRw75Xk5415p3Auo3S23v"
}],
"service": [{
"id": "did:example:xxxxxx123456",
"type": "VerifiableCredentialService",
"serviceEndpoint": "https://test.cn"
}]
}
VC & VP
上述验证过程中,涉及到的证明信息是银行颁发给入职员工可验证凭证,这里我们为入职员工建立可验证凭证(VC)模型:
{
"@context": [
"https://www.schema.org"
],
"id": "6746f790-f058-68ab-bd65-13b3c43391",
"type": [
"VerifiableCredential",
"ProofOfIncome"
],
"credentialSubject": {
"id": "did:example:123456abcdef",
"totalIncome": "20"
},
"issuer":"did:example:abcdef123456",
"issueanceDate":"2023-06-06T18:30:00Z",
"expirationDate":"2024-06-06T18:30:00Z",
"proof": {
"type":"Ed255519VerificationKey2018",
"created":"2023-06-06T18:30:00Z",
"verificationMethod":"did:example:abcdef123456",
"noce":"7857e689-e949-44fb-bd65-22a2b32244d9",
"signatureValue":"Li9jbWMgY2xpZW50IGNvbnRyYWN0IHVzZXIgdXBncmFkZSAtLWNvbnRyYWN0LW5hbWU9Y2FyYm9uX2ludGVncmFsIC0tcnVudGltZS10eXBlPURPQ0tFUl9HTyAtLWJ5dGUtY29kZS1wYXRoPS4vY29udHJhY3QvdjIzMS9jYXJib25faW50ZWdyYWwuN3ogLS12ZXJzaW9uPTIuMC4xIC0tc2RrLWNvbmYtcGF0aD0uL3Nkay55bWwgLS1hZG1pbi1rZXktZmlsZS1wYXRocz0uL3NoLmxjYWdvLmNlci5vcmcvdXNlci9hZG1pbjEvYWRtaW4xLnRscy5rZXkgLS1hZG1pbi1jcnQtZmlsZS1wYXRocz0uL3NoLmxjYWdvLmNlci5vcmcvdXNlci9hZG1pbjEvYWRtaW4xLnRscy5jcnQgLS1zeW5jLXJlc3VsdD10cnVlIC0tcGFyYW1zPSJ7fSI="
}
}
该结构中的credentialSubject
字段是凭证主要需要证明的信息,这里以入职员工年流水为值。
可验证表述则是在可验证凭证基础上进行了封装,这里是增加了入职员工的签名信息,将其放在VP中的proof
字段,可验证表述(VP)模型:
{
"id": "6746f790-f058-68ab-bd65-22a2b32280",
"type": [
"VerifiablePresentation"
],
"credential": [
{
"@context": [
"https://www.schema.org"
],
"id": "6746f790-f058-68ab-bd65-13b3c43391",
"type": [
"VerifiableCredential",
"ProofOfIncome"
],
"credentialSubject": {
"id": "did:example:123456abcdef",
"totalIncome": "20"
},
"issuer": "did:example:abcdef123456",
"issueanceDate": "2023-06-06T18:30:00Z",
"expirationDate": "2024-06-06T18:30:00Z",
"proof": {
"type": "Ed255519VerificationKey2018",
"created": "2023-06-06T18:30:00Z",
"verificationMethod": "did:example:abcdef123456",
"noce": "7857e689-e949-44fb-bd65-22a2b32244d9",
"signatureValue": "Li9jbWMgY2xpZW50IGNvbnRyYWN0IHVzZXIgdXBncmFkZSAtLWNvbnRyYWN0LW5hbWU9Y2FyYm9uX2ludGVncmFsIC0tcnVudGltZS10eXBlPURPQ0tFUl9HTyAtLWJ5dGUtY29kZS1wYXRoPS4vY29udHJhY3QvdjIzMS9jYXJib25faW50ZWdyYWwuN3ogLS12ZXJzaW9uPTIuMC4xIC0tc2RrLWNvbmYtcGF0aD0uL3Nkay55bWwgLS1hZG1pbi1rZXktZmlsZS1wYXRocz0uL3NoLmxjYWdvLmNlci5vcmcvdXNlci9hZG1pbjEvYWRtaW4xLnRscy5rZXkgLS1hZG1pbi1jcnQtZmlsZS1wYXRocz0uL3NoLmxjYWdvLmNlci5vcmcvdXNlci9hZG1pbjEvYWRtaW4xLnRscy5jcnQgLS1zeW5jLXJlc3VsdD10cnVlIC0tcGFyYW1zPSJ7fSI="
}
}
],
"proof": {
"type": "Ed255519VerificationKey2018",
"created": "2023-06-07T18:30:00Z",
"verificationMethod": "did:example:123456abcdef#keys-1",
"noce": "7857e689-e949-44fb-bd65-22a2b32244xx",
"signatureValue": "TGk5amJXTWdZMnhwWlc1MElHTnZiblJ5WVdOMElIVnpaWElnZFhCbmNtRmtaU0F0TFdOdmJuUnlZV04wTFc1aGJXVTlZMkZ5WW05dVgybHVkR1ZuY21Gc0lDMHRjblZ1ZEdsdFpTMTBlWEJsUFVSUFEwdEZVbDlIVHlBdExXSjVkR1V0WTI5a1pTMXdZWFJvUFM0dlkyOXVkSEpoWTNRdmRqSXpNUzlqWVhKaWIyNWZhVzUwWldkeVlXd3VOM29nTFMxMlpYSnphVzl1UFRJdU1DNHhJQzB0YzJSckxXTnZibVl0Y0dGMGFEMHVMM05rYXk1NWJXd2dMUzFoWkcxcGJpMXJaWGt0Wm1sc1pTMXdZWFJvY3owdUwzTm9MbXhqWVdkdkxtTmxjaTV2Y21jdmRYTmxjaTloWkcxcGJqRXZZV1J0YVc0eExuUnNjeTVyWlhrZ0xTMWhaRzFwYmkxamNuUXRabWxzWlMxd1lYUm9jejB1TDNOb0xteGpZV2R2TG1ObGNpNXZjbWN2ZFhObGNpOWhaRzFwYmpFdllXUnRhVzR4TG5Sc2N5NWpjblFnTFMxemVXNWpMWEpsYzNWc2REMTBjblZsSUMwdGNHRnlZVzF6UFNKN2ZTSQ=="
}
}
2.2 验证过程
入职员工将VP提交给雇主公司,雇主公司HR会根据VP中的DID信息从注册机构(区块链)获取对应的公钥信息。 我们将入职员工视为持有者、雇主公司视为验证者、银行视为颁发者。
首先,DID和DID Doc的对应信息以区块链为存储介质,能够一定程度上保证主体信息不被篡改。
其次,VP.proof.signatureValue
是对VP承载的VC内容进行签名,验证者通过公钥信息能够验证中的签名信息是否正确,并且通过相同的Hash算法对VP中的VC进行哈希运算可得持有者提交的内容是否篡改过。
最后,验证者需要验证VC颁发者的合法性及VC需要证明的内容是否正确,同VP验证类似,会通过DID获取公钥内容并针对签名信息进行验证。