One-Off Access

Summary

A credential holder can share a link to the verifier that is used to access the credential only once.

Context

Usually, an identification process lasts for a certain time period. After proving the identity of a party, the presented credential has accomplished its mission and should not be accessed again.

Note that the narrative of this pattern is presented in the context of self-sovereign identities. An identity credential could be generalised to any digital or digitalised content stored on the blockchain.

Problem

After receiving a credential, a verifier can continue to access, read, and verify certain identity data of the holder. If the credential is long-term or even permanently effective, the verifier can check the holder’s identity data even when there is no legitimate reason to do so. How to provide access to a credential only once?

Forces:

  • Privacy – A holder’s identity information should not be accessed or verified when the current identification process is finished.
  • Flexibility – Verifiers have their own identification processes, which may take different amounts of time.
  • Cost – On a public blockchain there is a cost to generate and maintain credentials. Hence, the cost of generating a separate credential for each interaction/relationship is cost-prohibitive.

Solution

Using the time-constrained access pattern the credential holder generates an identifiable link that redirects to the credential content only. However, instead of specifying a time window where the link remains accessible, specify a counter that limits the number of times the credential can be accessed by a given verifier. Once the counter is reached the reverse oracle should deny any requests from the verifier to obtain credential content. Thus, one-off access is a special case of the time-constrained access pattern where the time window is replaced by a counter that is set to 1. Similar to the time-constrained access pattern, this pattern can be generalised to control access to any digital or digitalised content stored on the blockchain.

One-off access pattern

Benefits

  • Privacy – A holder can determine the number of times the shared link can be specified, which ensures that the holder’s identity information can only be fetched within the specified count, typically 1. An expired credential cannot be verified again. Consequently, a malicious verifier is unable to further utilised the identity data.
  • Flexibility – Shared links do not affect the original credential. Consequently, this pattern can be applied to a credential valid for a long time, where links with different accessible counts can be sent to different verifiers.
  • Cost – Cost is reduced as the credential is created and recorded only once.

Drawbacks

  • Privacy – A malicious verifier may take a copy of the credential when accessing it. Then it has the credential content even if the shared link is no longer valid. Although the compromised credential cannot reveal up-to-date information of the holder, the attacker still maintains the historical identity attributes of the holder.
  • Permissioned – This pattern assumes that the verifier cannot access the blockchain directly, instead needs to rely on the service of a reverse oracle.
  • Cost – If the verifiers and counter specifying the number of accesses are recorded on the identifier registry, the transaction cost to include them in the registry increases.

Related patterns

  • The time-constrained access pattern can be adopted to implement this pattern to generate credentials with one-off access.
  • The identifier registry pattern is used to maintain the credentials registry.
  • The reverse oracle pattern is required to provide and limit access to the credential stored on-chain.

Known uses

  • Snapchat can automatically delete user-uploaded photos or videos when once read, according to the user’s setting.
  • In Snappass user-defined secret information is deleted and cannot be recovered after being read for once.