Hyperledger Aries, AnonCreds, and Hyperledger Indy have given enterprises and governments a powerful way to build and use open source, interoperable decentralized identity technology. The reasons? A large and diverse community of developers and users is driving a virtuous cycle of robust, flexible technology and innovative implementations that meet market needs.
By Sam Curren and Mike Ebert
Hyperledger Aries, AnonCreds, and Hyperledger Indy are dedicated to making privacy-preserving identity solutions a reality, the exchange of trusted data easy and reliable, and the interactions between people, organizations, and systems enriching.
As a combination, they have demonstrated that they are robust, flexible, and extensible — capable of incorporating many new codebases, technologies, and cryptographic signatures, capable of delivering powerful solutions that have led to significant growth in implementations, community members, and customers.
While no technology runs perfectly on every device, a signal strength of Aries, AnonCreds, and Indy is that they work on the vast majority of current devices and systems, including $35 smartphones and low-powered IoT/embedded devices. They represent the most inclusive way into this technology, which is an important factor in their popularity.
But as with any technology, they are also constantly evolving to meet the growing demand for decentralized identity solutions. To date, scaling has not been the primary challenge, but Aries and Indy are responding to this need. Important progress has been made, such as incorporating the Askar wallet, and work continues in areas such as clustering and multi-tenancy. The vision of having billions of verifiable credentials, devices, and users participating in trusted digital interactions all around the world has never been closer.
While solutions can’t simultaneously be new and tried and true, AnonCreds has been used since 2017. It is a battle-tested and reliable solution to identity and verifiable credential problems. Perhaps even more important, it is the only current credential specification that is able to meet the EU’s and real world privacy requirements; it offers the key privacy preserving features needed for marketplace identity solutions — selective disclosure, predicate proofs, and privacy-preserving holder binding. Formalization of the proven standards and best practices into an official specification is underway.
AnonCreds also coexists beautifully with other signature styles. Each has its own strengths and weaknesses, but when used for the right purposes, they complement each other powerfully. Aries added support for W3C credentials two years ago and is committed to supporting the best credentials and signature styles; Indy is incorporating cross-ledger compatibility and governance feedback.
All of this shows that Indy, Aries, and AnonCreds are robust, proven, trusted, dynamic, and adaptable — as are the community members, organizations, and customers that back them. They will continue to grow and be an important part of the decentralized identity and verifiable credential space, and we, as backers of these solutions and communities, are committed to creating the best solutions and making the right choices to implement and improve identity for all.
Some myths about Hyperledger Aries, AnonCreds, and Hyperledger Indy — and the reality
Inaccurate claims spread effortlessly on simplification, while understanding often requires mastering and translating complexity. That’s the challenge in communicating advances in science and technology. It’s easy to misunderstand what’s happening if you’re not immersed in the data or the code, and then it’s hard to correct errors once they reach critical velocity or become sunk intellectual costs.
As leaders and active participants in the open source community, we urge people to attend these groups to learn about what they are doing, to ask questions, and, above all, to help solve problems that you see. This is the magic of open source technology—it’s open! And this openness accounts for its success in creating robust code and innovation.
Of course, not everyone is able to do this. Which is why we want to address some of the myths and misconceptions about the core open source technologies that we build on, contribute to, and use: Hyperledger Aries, AnonCreds, and Hyperledger Indy.
Myth 1: Hyperledger Aries is fragile and isn’t flexible or extensible enough for decentralized identity to scale, in part because it’s tied to AnonCreds
Reality: The reason Hyperledger Aries is the most widely used codebase for implementing verifiable credentials — by enterprises and governments alike — is that it currently provides the best extensible, flexible, and reliable platform for building verifiable credential solutions.
Far from being structurally dependent on the AnonCreds verifiable credential specification, Hyperledger Aries supports multiple credential formats including those that follow the W3C data model. Again, this flexibility is why Hyperledger Aries is so popular: it’s the easiest way to get a verifiable credential solution implemented.
In addition to the support for JSON-LD W3C credentials that has been available for years, the Aries community is working on chained credentials which will, in many cases, carry both AnonCreds and JSON-LD credentials in the same message of a credential workflow. The DIDComm protocols for issuance and presentation first developed with Aries have no opinion about which credential types and signature schemes are passed within its messages.
As with all the open source codebases mentioned here, Aries has a large developer community devoted to improving the specification and code. One strength of this is that the community is able to respond to real-world needs in enterprise and public sector implementations. Technology evolves through use, and this synergy between implementation and development is an example of the virtuous cycle created by open source technology.
Some of the criticism of Aries appears to be driven by a “good is the enemy of the perfect” attitude, to which the answer is, “Well, come join the Aries community and make the good better.” We’re at the beginning of the decentralized identity journey, not at the end—and we’re in a phase of rapid growth and innovation.
Myth 2: Aries doesn’t adapt well to mobile use
Reality: We’ve heard concerns that there just isn’t enough space on a mobile phone to use Aries—or that the space issue will block scale. Newer digital wallet apps are around 50 MB in size, and some are smaller. This represents just 0.3% of a low-end $35 smartphone.
Other concerns focus on the unavailability of libraries for different mobile codebases. As Aries is an open source effort, libraries will be added or expanded when interest exists and contributors show up for the work. We’ve seen interest and work expand and anticipate it will continue.
Myth 3: Hyperledger Indy can’t manage large-scale issuance or verification
Reality: The idea that Hyperledger Indy networks can’t manage the mass use of verifiable credentials is contradicted by real-world use. The Government of British Columbia has issued millions of credentials based on a few (<10) writes to a ledger.
Any evaluation of scale requires understanding how a ledger is used. With AnonCreds, the use of a ledger scales with the number of issuers and credential schemas and, as nothing specific to a credential issuance is written to the ledger, issuance scales without impact on the ledger.
Verification only requires a cached copy of the relevant ledger assets, allowing verification to scale according to the number of verifiers calibrated by caching policy.
In other words, both issuance and verification scale independently of the number of issued or verified credentials, and the assets required for verification will be downloaded and cached prior to verification, which solves the speed problem.
Myth 4: Current revocation is insufficient for business needs
Reality: Hyperledger Indy has the only working open source privacy-preserving revocation; it has not proved a limiting factor in any current business or public sector deployment that we’ve built and implemented.
Will it get better? Yes, the community is working to make it better. But the concerns about business needs are theoretical when contrasted with real world practice.
Myth 5: The AnonCreds specification is out of date
Reality: There are two key reasons why governments, in particular, choose to build verifiable credential solutions using AnonCreds and why the specification is the most widely used in decentralized identity solutions around the world.
First, the AnonCreds credential format is battle-tested. As an open source codebase, it’s been around and continuously updated since 2017. You can find the specification here.
Second, it’s the only credential specification that provides the privacy-preserving features that enable verifiable credentials to comply with data privacy law. No other credential specification is able to meet these critical legal and political needs. This is a non-trivial issue (see answer below).
On both counts, newer isn’t better. But at the same time, open source specifications are constantly evolving. You want to make AnonCreds better? Then get involved in the AnonCreds Specification Effort!
Myth 6: AnonCreds doesn’t align with the W3C Verifiable Credential Data Model
Reality: The AnonCreds specification provides privacy-preserving features that no other credential specification provides: selective disclosure of data, and zero-knowledge proofs. AnonCreds also predates the W3C credential data model; as updating AnonCreds would yield few improvements in interoperability, such work has not been prioritized by the community.
The features provided by AnonCreds are essential for organizations to comply with data privacy law. This is not a theoretical point: Indicio has many global enterprise customers and they want and need privacy-preserving features in their verifiable credential implementation. If the current amendments to the European Union’s digital identity proposal are accepted, AnonCreds will be the only current verifiable credential specification that meets the EU’s privacy requirements.
The power of Hyperledger Aries and Indy is that they can support multiple credential specifications and thereby provide enterprises and organizations with the flexibility they need to build their solutions. The focus within the Aries community has been to support W3C credentials alongside AnonCreds, as they generally serve different use cases but are complementary.
Two ways to learn more
Nothing beats learning by doing. And to this end, Indicio has created a series of hands-on workshops on every aspect of open source decentralized identity technology for technical and non-technical audiences. We understand that the multiple concepts and codebases and workflows can be difficult to grasp on paper!
For those willing to dive in directly, we invite you to attend the working group meetings at Hyperledger. It’s always best to talk to the people actually developing these codebases rather than second-hand opinions!