The Company

Sphereon is a fascinating firm that we have taken note of from day one. Founded in 2015 by Maarten Boender, its people have a long and impressive history in the world of document and process management, and the company was one of the first to recognize the value of blockchain and content working together. From first building connectors to blockchains for well-known ECM repositories such as Alfresco and SharePoint, the firm is pivoting and expanding further into the world of secure and verifiable exchange of data and documents using Verifiable Credentials. Their work builds on their original thesis that blockchain at its core is all about the concept of decentralized trust. The focus of this report is Sphereon’s work on Verifiable Credentials.

The Technology

As the name suggests, Verifiable Credentials (VC) is Sphereon’s solution to providing a digitally signed (verified) data object. This data object could come in many forms, from a university-issued degree certificate to a government-issued ID or work permit. Such objects need to be tamper-proof, secure, consistent, and of course, verifiable.

Sphereon VC is built on open standards from W3C and the Decentralized Identity Foundation (DIF). A VC is basically a self-sovereign data file that has been digitally signed by the creator. The issuer shares this data file with the party the data or document is about – the holder, or owner (see Figure 1).

What this means in practice is that a credential can be stored anywhere but anchored on a distributed ledger (blockchain) through a hash and signature. Further, rules and restrictions can be applied to the credential, such as adding an expiration date, etc. The credentials, which consist of the credential data, associated metadata, a unique identifier, and the issuing party’s signature, are held and accessed via a digital wallet or other secure storage space.

The holder has control of the use of the credential, who sees it, and what elements of it they can share. The party they share the VC with – typically an organization that needs to process the data or document – can independently verify the authenticity and integrity of the data or document through the issuer’s digital signature.

Sphereon VC is not the only blockchain credential system on the market. But what sets Sphereon apart is its history in document and process management alongside its expertise in building and managing APIs and embracing open standards; hence, the focus here on ensuring interoperability. In part, this interoperability comes through using the newly released W3C decentralized identifiers (DID). DIDs are persistent identifiers that do not provide any information regarding the owner; instead, they describe how to engage with the owner – for example, a specific cryptographic key and set of events to follow. DIDs build on the concept of self-sovereignty, whereby the owner can update and track their identity document without the need for any centralized or third-party authority.

So how does this all work? Fundamentally, there obviously needs to be a blockchain; this could be anything from Hyperledger or Ethereum to LTO Network or Accumulate. There are over 100 implementations that support DIDs.
Sphereon VC offers a series of APIs to provide access to issue, register, sign, verify, and/or
revoke a credential. The end users access the system through a mobile wallet, which provides the means to view the credential and, just as importantly, to create and manage new credentials across any blockchain or distributed ledger system. This is complex and even more complicated to build, but its use in the real world is relatively simple and effective. Sphereon also offers several standard plug-ins, including for SharePoint and Alfresco. Note that DIDs can be associated with pretty much anything; each is self-signed, protects privacy, and automatically verifies its provenance and validity.

On top of this, you may build a digital asset modelling language (DAML) framework workflow, typically used to create smart contract workflows anchored on blockchains, to provide a means of automating any business logic or rules. This enables automatic processing and proof of the process.

Again, the key to understanding Sphereon is that it is a company focused and grounded in the document and process management world. Their use of VCs and DIDs for secure and verifiable data exchange needs to be seen in that context. For example, files stored in an Alfresco or Microsoft SharePoint repository can, using Sphereon, be anchored on a blockchain to lock and notarize them. By using a DAML smart contract, those anchored files can have things like retention and disposition rules applied to them and triggered automatically. With the addition of Verified Credentials, the files can have a secure life outside of the repository and move from the ECM system that is the system of trust, through traditional document management mechanisms, to an independent, distributed life and shared trust through using cryptology and blockchain.

This technology has numerous potential use cases; most obviously, it can be used for know-your-customer/anti-money-laundering (KYC/AML) checks: only one trusted party has to perform these, and others can reuse the issued credential. Other use cases include employee onboarding or issuing many types of verifiable certificates. But what interests us are the use cases yet to be explored or yet to emerge. For even though organizations are implementing enterprise blockchains to reduce, automate, or eliminate paper and file-based processes, the traditional world of technology vendors that focus on paper and file-based processes has been understandably slow to embrace this. Tools like VC open the doors for developers, systems integrators, and, potentially, technology vendors to embrace those opportunities.