Hello ones who will read, I hope you’re having a great day and thanks for reading my post
I’m currently working on my masters’ thesis, which aims to explain Atala Prism as an implementation of Self Sovereign Identity (SSI). Additionally, I would like to see whether it could also be implemented within the EU when looking at privacy laws such as the GDPR. In order to do so, it is very important for me to understand what data is stored on-chain, and who has access to it. I don’t have a technical background but am passionate enough to want to understand the backend of Atala Prism :). Any help would be greatly apprecieted, and ofcourse I will share the end result here if anyone cares to read it! Please find my questions below. The video I mention is by Alexis Hernandez, Atala technical Architect. I have also included a screenshot, as the forum will not let me post the link.
What data is stored on-chain within Atala Prism? (for the actual question, see ALL CAP below) From what I gathered from the SDK-video by IOG, there’s five different actions from the issuer to verifier:
—> Issuer creates a DID
—> Holder generates an unpublished DID (no Cardano involved, it takes place in the Atala Prism app itself. Hence, no data on-chain)
—> Issuer creates a credential for holder, publishing it to Cardano
—> Verifier resolves the state of the issuer DID and the holders’ credential. (using the corresponding private key)
—> Verifier runs the credential verification process.
The third step here is the most important with regards to on-chain data, as this is where the credential is published onto the Cardano blockchain. According to the video, “Cardano metadata” is stored on-chain in order for verifiers to check some information. In light of the GDPR, this is where my question lies: What data is stored, and who can access it?
Metadata in case of an issued credential contains the following information (see video at 8:45): Confirmation that the request for a credential has been signed, what key it was signed with (in other words: by whom), the signature itself, the issuer DID (containing the credential), and the merkle root. The transaction is confirmed through the Cardano blockchain and the transaction contains the metadata mentioned above, which can then be found through the Cardano block explorer. However, the metadata in Cardano block explorer is encoded in binary data. (see video) [1: DOES THIS MEAN THAT THE DATA CANNOT BE READ BY PEOPLE OTHER THAN THE HOLDER (OR VERIFIER)? WHO CAN ACCESS THE TEXT WHICH HAS BEEN ENCODED? 2: ADDITIONALLY, BELOW THE ‘CREDENTIAL SUBJECT’,THE SCREENSHOT SHOWS THE “JSONOBJECT” WHICH CONTAINS THE KIND OF CREDENTIAL, IN THIS CASE A CERTIFICATE, AND A DESCRIPTION (VALUE:"…"). —> IS THIS ALSO INCLUDED IN THE METADATA? IN SOME CASES THIS MAY BE PERSONAL DATA, ASSUMING THAT PEOPLE FIND WAYS TO ACCESS THE METADATA AND FIGURE OUT WHO OWNS THE HOLDERS’ SIGNATURE KEY… ANY COMMENTS ARE APPRECIATED!
What happens when private keys are lost —> Can credentials be restored? Or should the data subject have them all reissued?