Verification Process

To verify a digital credential, three key elements must be resolved and validated:

  • Issuer Verification (Ensuring Trust & Legitimacy)

    • This involves checking the issuer’s cryptographic signature and identity.

    • The verifier must determine who the issuer is and whether they are authorized to issue the credential according to a recognized trust framework.

  • Subject Verification (Validating the Holder’s Identity)

    • The verifier must confirm that the credential belongs to the person presenting it.

    • This process can be purely cryptographic, using authentication mechanisms to establish ownership.

  • Credential Format & Status (Ensuring Validity & Integrity)

    • The credential's type and structure must match the expected standard.

    • Its revocation status must be checked, as credentials can be revoked temporarily or permanently by either the issuer or the subject.

While cryptographic verification ensures authenticity, additional trust registry lookups are often required to resolve dynamic information that may change after issuance. Trust registries enable:

  • Issuer and subject key rotations without requiring credential reissuance.

  • Real-time validation of issuer legitimacy and credential revocation status.

  • Scalable, long-term credential usability by decoupling identity resolution from the original credential structure.

Trust registries can be centralized (e.g., government or industry-run) or decentralized (e.g., blockchain-based ledgers). At Blerify, we support both, but centralized trust registries face limitations, particularly in scalability. Conversely, decentralized trust registries provide publicly accessible roots of trust, ensuring greater interoperability and resilience. However, it is critical not to store sensitive, personal, or private data in a decentralized trust registry, even in encrypted form. A well-designed architecture leverages decentralized registries for scalability while preserving privacy and security.

What is verified (high level)?
What is verified (specific)?
How is it verified?
Verification mechanism

Issuer

To which issuer the credential signature belongs to

Resolving DID identifier against a trust registry

Call to Trust Registry

Issuer

If the issuer signed that same credential which is being presented by a subject to a third party

Applying a cryptographic algorithm to check issuer’s signature validity

Running Cryptographic algorithm

Subject

If the subject has rotated or delegated keys associated to the identity to which the credential was issued to

Resolving DID identifier against a trust registry

Call to Trust Registry

Subject

If cryptographic signature is valid

Applying a cryptographic algorithm to check issuer’s signature validity

Running Cryptographic algorithm

Credential Format

If credential format follows recognized standards and templates

Resolving credential context, schema, structure, and cryptographic elements

Call to Trust Registry

Credential Status

If credential has been revoked

Checking against trust registry

Call to Trust Registry

We have built a suite of Solidity smart contracts for EVM-compatible blockchain networks, to implement the first-of-its-kind Decentralized Root of Trust, combining smart-contract-based Key Directories and Trusted Lists to resolve complex issuer identity structures securely and transparently.

PreviousHow Does a POV Work in Blerify?NextQuantum-Resistant Cryptography

Last updated