CN111191268A - Storage method, device and equipment capable of verifying statement - Google Patents

Publication number: CN111191268A
Application number: CN202010277236.5A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111191268B (en)
Inventor: 杨仁慧
Original and current assignee: Alipay Hangzhou Information Technology Co Ltd
Legal status: Granted; Active
Prior art keywords: verifiable, data warehouse, storage, request, storage request
Related publications: publication of CN111191268B (granted); priority to PCT/CN2021/085182 (WO2021204068A1)

Classifications

    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/105 Network architectures or network communication protocols for network security for controlling access to devices or network resources: multiple levels of security
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The embodiments of this specification disclose a storage method, apparatus and device for verifiable claims. The scheme comprises the following: a data warehouse used for storing verifiable claims obtains a verifiable claim storage request and obtains the distributed digital identity of the sender of the request; whether the sender has usage rights for the data warehouse can be judged according to the sender's distributed digital identity; if the sender has usage rights for the data warehouse, the verifiable claim that the sender requested to be stored may be stored in the data warehouse's database.

Description

Storage method, device and equipment capable of verifying statement
Technical Field
The present application relates to the field of computer technologies, and in particular, to a storage method, an apparatus, and a device for verifiable statements.
Background
Initially, digital identity authentication was centralized. The essence of a centralized identity system is that a central authority holds the identity data. The authentication, authorization and other processes performed around that data are all decided by the central authority, so the digital identity is not controlled by the user. In addition, each centralized website has its own identity system, so a user has to register a new account at every website. The identity systems of different websites (and the data corresponding to the accounts) do not interoperate.
In summary, centralized identity has at least two main problems: the user does not really own his or her identity, and identities cannot interoperate.
In order to solve the above problems, a technical concept of distributed Digital Identity (DID) is proposed.
Distributed digital identity, as the name implies, is a kind of digitized identity credential implemented based on a distributed system. Distributed digital identity technology is typically implemented based on a blockchain system. The basic elements forming the distributed digital identity at least comprise a distributed digital identity and a distributed digital identity document.
The distributed digital identity document does not include content related to the user's real personal information (such as the user's real name, address or mobile phone number). Therefore, when a distributed digital identity is used for authentication, a verifiable claim (Verifiable Claim, VC) is also needed.
A verifiable claim here can be understood as a digital certificate issued, at a user's request, by an authority with the relevant qualifications. One distributed digital identity may have multiple corresponding verifiable claims: for example, a verifiable claim attesting that the distributed digital identity is employed at a company, a verifiable claim attesting that its academic qualification is a doctoral degree, a verifiable claim attesting that it is a property owner in a residential community, and so forth. There is thus almost no upper limit on the number of verifiable claims that a distributed digital identity can have.
At this time, the storage and management of verifiable claims becomes an urgent technical problem to be solved.
Disclosure of Invention
In view of this, embodiments of the present application provide a method, an apparatus, and a device for storing a verifiable assertion, which are used for storing a verifiable assertion of a distributed digital identity.
In order to solve the above technical problem, the embodiments of the present specification are implemented as follows:
the storage method for the verifiable statement provided by the embodiment of the specification comprises the following steps:
a data warehouse for storing the verifiable claims obtains a verifiable claims storage request;
acquiring a distributed digital identity of a sender of the request;
judging whether the sender has the use authority of the data warehouse or not according to the distributed digital identity, and obtaining a first judgment result;
and when the first judgment result shows that the sender has the use authority of the data warehouse, storing the verifiable statement requested to be stored by the sender to a database of the data warehouse.
The storage method for the verifiable statement provided by the embodiment of the specification comprises the following steps:
acquiring a first storage request sent by a holder of a verifiable statement; the first storage request is to request the first device to provide proxy storage service for the verifiable claims of the holding party;
acquiring a distributed digital identity of the holding party;
judging whether the holding party has the use authority of the proxy storage service or not according to the distributed digital identity, and obtaining a first judgment result;
when the first judgment result shows that the holding party has the use authority of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable claims; the second storage request is to request the data warehouse to store the verifiable claims of the holding party to a database of the data warehouse.
The storage method for the verifiable statement provided by the embodiment of the specification comprises the following steps:
acquiring a first storage request sent by a publisher of a verifiable statement; the first storage request is used for requesting the first device to provide proxy storage service for the verifiable declaration issued by the issuer;
acquiring a distributed digital identity of the publisher;
judging whether the publisher has the use authority of the proxy storage service according to the distributed digital identity of the publisher to obtain a first judgment result;
when the first judgment result shows that the publisher has the use right of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable claims; the second storage request is to request the data warehouse to store the verifiable claim issued by the publisher to a database of the data warehouse.
An embodiment of this specification provides a verifiable claim storage apparatus, including:
the verifiable statement storage request acquisition module is used for acquiring a verifiable statement storage request by a data warehouse for storing verifiable statements;
the distributed digital identity acquisition module is used for acquiring the distributed digital identity of the sender of the request;
the first judgment module is used for judging whether the sender has the use authority of the data warehouse or not according to the distributed digital identity so as to obtain a first judgment result;
and the storage module is used for storing the verifiable statement requested to be stored by the sender to a database of the data warehouse when the first judgment result shows that the sender has the use authority of the data warehouse.
An embodiment of this specification provides a verifiable claim storage apparatus, including:
the first storage request acquisition module is used for acquiring a first storage request sent by a holder of a verifiable statement; the first storage request is to request the first device to provide proxy storage service for the verifiable claims of the holding party;
the distributed digital identity acquisition module is used for acquiring the distributed digital identity of the holding party;
the first judgment module is used for judging whether the holding party has the use authority of the proxy storage service according to the distributed digital identity to obtain a first judgment result;
a second storage request sending module, configured to send a second storage request to a data warehouse for storing verifiable claims when the first judgment result indicates that the holder has the usage right of the proxy storage service; the second storage request is to request the data warehouse to store the verifiable claims of the holding party to a database of the data warehouse.
An embodiment of this specification provides a verifiable claim storage apparatus, including:
the first storage request acquisition module is used for acquiring a first storage request sent by a publisher of a verifiable statement; the first storage request is used for requesting the first device to provide proxy storage service for the verifiable declaration issued by the issuer;
the distributed digital identity acquisition module is used for acquiring the distributed digital identity of the publisher;
the first judgment module is used for judging whether the publisher has the use authority of the proxy storage service according to the distributed digital identity of the publisher to obtain a first judgment result;
a second storage request sending module, configured to send a second storage request to a data warehouse for storing verifiable claims when the first judgment result indicates that the publisher has the usage right of the proxy storage service; the second storage request is to request the data warehouse to store the verifiable claim issued by the publisher to a database of the data warehouse.
An embodiment of the present specification provides a verifiable assertion storage device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
controlling a data warehouse for storing the verifiable claims to obtain a verifiable claims storage request;
acquiring a distributed digital identity of a sender of the request;
judging whether the sender has the use authority of the data warehouse or not according to the distributed digital identity, and obtaining a first judgment result;
and when the first judgment result shows that the sender has the use authority of the data warehouse, storing the verifiable statement requested to be stored by the sender to a database of the data warehouse.
An embodiment of the present specification provides a verifiable assertion storage device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquiring a first storage request sent by a holder of a verifiable statement; the first storage request is to request the first device to provide proxy storage service for the verifiable claims of the holding party;
acquiring a distributed digital identity of the holding party;
judging whether the holding party has the use authority of the proxy storage service or not according to the distributed digital identity, and obtaining a first judgment result;
when the first judgment result shows that the holding party has the use authority of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable claims; the second storage request is to request the data warehouse to store the verifiable claims of the holding party to a database of the data warehouse.
An embodiment of the present specification provides a verifiable assertion storage device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquiring a first storage request sent by a publisher of a verifiable statement; the first storage request is used for requesting the first device to provide proxy storage service for the verifiable declaration issued by the issuer;
acquiring a distributed digital identity of the publisher;
judging whether the publisher has the use authority of the proxy storage service according to the distributed digital identity of the publisher to obtain a first judgment result;
when the first judgment result shows that the publisher has the use right of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable claims; the second storage request is to request the data warehouse to store the verifiable claim issued by the publisher to a database of the data warehouse.
The embodiment of the specification adopts at least one technical scheme which can achieve the following beneficial effects: the data warehouse used for storing the verifiable claims obtains a storage request of the verifiable claims, then obtains a distributed digital identity of a sender of the storage request, judges whether the sender sending the storage request of the verifiable claims has the use right of the data warehouse or not according to the distributed digital identity, and stores the verifiable claims requested to be stored by the sender to the database of the data warehouse when the sender has the use right of the data warehouse. Thereby completing the storage of the verifiable claims corresponding to the distributed digital identity.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram illustrating an application of a verifiable claim storage method in an embodiment of the present specification;
FIG. 2 is a schematic flowchart of a verifiable claim storage method provided in embodiment 1 of the present specification;
FIG. 3 is a schematic flowchart of storing a verifiable claim sent by a holder, in the verifiable claim storage method provided in embodiment 1 of this specification;
FIG. 4 is a schematic flowchart of storing a verifiable claim sent by a publisher, in the verifiable claim storage method provided in embodiment 1 of this specification;
FIG. 5 is a schematic flowchart of a verifiable claim storage method provided in embodiment 2 of this specification;
FIG. 6 is a schematic flowchart of storing a verifiable claim sent by a DIS acting as proxy for an issuer, in the verifiable claim storage method provided in embodiment 2 of this specification;
FIG. 7 is a schematic flowchart of a verifiable claim storage method provided in embodiment 3 of this specification;
FIG. 8 is a schematic flowchart of storing a verifiable claim sent by a DIS acting as proxy for a holder, in the verifiable claim storage method provided in embodiment 3 of this specification;
FIG. 9 is a schematic diagram of a verifiable claim storage device provided in this specification and corresponding to FIG. 2;
FIG. 10 is a schematic diagram of a verifiable claim storage device provided in this specification and corresponding to FIG. 5;
FIG. 11 is a schematic diagram of a verifiable claim storage device provided in this specification and corresponding to FIG. 2.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
FIG. 1 is a schematic application diagram of a verifiable claim storage method in an embodiment of this specification. As shown in FIG. 1, the client 101 may be a mobile terminal such as a mobile phone, or a device such as a desktop computer. The user's accounts are logged in on the client, and each account may correspond to a distributed digital identity 102. In practical applications, a distributed digital identity may correspond to an individual user, a merchant, a company, and so on. A distributed digital identity may also correspond to an item in the physical world, for example a device or a ticket.
A verifiable claim can be understood as a statement about whether the entity identified by a distributed digital identity has a certain qualification. At the data level, a verifiable claim can be the data that records such a statement.
A distributed digital identity may have multiple verifiable claims 103. For example, the distributed digital identity used by user A may have verifiable claim 1 proving that user A is 18 years old, verifiable claim 2 proving that user A has more than 100 million in assets, verifiable claim 3 proving that user A is qualified to drive motor vehicles, and so on. In practice, verifiable claims may be issued at a user's request by an authority with the relevant qualifications, and each issued verifiable claim corresponds uniquely to the distributed digital identity of the user who applied for it. In the three examples above, the issuing authority for verifiable claim 1 may be the police station, the issuing authority for verifiable claim 2 may be the bank, and the issuing authority for verifiable claim 3 may be the vehicle authority.
In practical applications, there may be many (n) verifiable claims corresponding to user A, i.e. to one distributed digital identity. These verifiable claims need to be stored and managed in a unified way, so the data warehouse 104 may be used to store the verifiable claims 103 corresponding to distributed digital identities.
Specifically, the following method steps can be adopted to explain the scheme:
FIG. 2 is a flowchart of a verifiable claim storage method according to an embodiment of the present disclosure. From a program perspective, the execution subject of the flow may be a program installed on an application server or an application client. Specifically, the execution subject of embodiment 1 may be a data warehouse, and the data warehouse may be deployed on an application server or a client device.
As shown in FIG. 2, the process may include the following steps:
Step 202: a data warehouse (VC Repo) for storing verifiable claims obtains a verifiable claim storage request.
It should be noted that VC Repo may be a data warehouse for storing verifiable declarations, may store private data of users and verifiable declarations, and has complete authorization control capability. Roles of VC Repo may include storage and management of verifiable claims, control of access rights to verifiable claims, and circulation of verifiable claims, among others.
VC Repo can be understood as a logical concept rather than a specific entity. There may be one VC Repo or several, and it may be deployed on one device or on multiple devices; this is not limited here.
The verifiable claim storage request may specifically include identification information of the sender of the request, such as the sender's distributed digital identity; it may also include signature information of the verifiable claim, and so on.
When VC Repo stores a verifiable claim, it first obtains a verifiable claim storage request.
Step 204: acquiring the distributed digital identity of the sender of the request.
Distributed digital identity is a globally unique verifiable identity without the need for a registration authority. A user's distributed digital identity may contain all of the user's identity information and a company's distributed digital identity may contain all of the company's identity information.
In the verifiable claim storage scenario, the sender denotes the device of the party that sends the verifiable claim storage request to VC Repo; for convenience, this embodiment of the specification refers to it simply as the "sender".
In this embodiment of the present specification, the sender may be a holder of the verifiable assertion, or may be a publisher of the verifiable assertion, or may be a device providing a service of storing the verifiable assertion by proxy in the distributed digital identity service system. The sender may send a verifiable declaration storage request to the VC Repo, waiting for the VC Repo to verify.
Step 206: judging whether the sender has the use authority of the data warehouse according to the distributed digital identity, and obtaining a first judgment result.
In practical applications, a verifiable claim can be stored in the database of VC Repo only by a sender that has usage rights for VC Repo. The judgment can be made according to the distributed digital identity of the sender carried in the obtained verifiable claim storage request.
The usage right mentioned here may indicate that the sender is registered in advance, or that the device corresponding to the sender is an authorized device of VC Repo.
Step 208: when the first judgment result shows that the sender has the use authority of the data warehouse, storing the verifiable claim requested to be stored by the sender to a database of the data warehouse.
The verifiable claim may be stored in a database of VC Repo. Specifically, the verifiable claim that the request asks to store is stored in the database of VC Repo only when the sender of the verifiable claim storage request has usage rights for VC Repo.
The method in embodiment 1 is configured to obtain a storage request for storing a verifiable statement, obtain a distributed digital identity of a sender of the storage request, determine, according to the distributed digital identity, whether the sender sending the storage request for the verifiable statement has a usage right of VC Repo, and store the verifiable statement requested to be stored by the sender to a database of VC Repo when the sender has the usage right of VC Repo, thereby completing storage of the verifiable statement corresponding to the distributed digital identity.
Based on the method of fig. 2, the present specification also provides some specific embodiments of the method, which are described below.
In the method in fig. 2, when determining whether the sender has the right to use the data warehouse, the following method may be specifically adopted:
Method 1: judging whether the sender has the use authority of VC Repo by judging whether the sender is a registrant of VC Repo.
The determining whether the sender has the usage right of the VC Repo may specifically include:
querying whether the distributed digital identity exists in a registered distributed digital identity set.
In practical applications, the registered distributed digital identity set may be a data table or a database with a storage function, and the registration information corresponding to the registered device may be stored in the data table or the database. When judging whether the sender has the use right of the VC Repo, whether the distributed digital identity of the sender exists in a registered distributed digital identity set or not can be inquired, and if so, the sender can be considered to belong to registered equipment and have the use right of the VC Repo.
Method 2: judging whether the sender has the use authority of VC Repo by verifying the signature information of the verifiable claim.
The determining whether the sender has the usage right of the data warehouse may specifically include:
acquiring signature information contained in the verifiable statement storage request;
acquiring a public key corresponding to the distributed digital identity;
and verifying the signature information by adopting the public key.
When sending a verifiable claim storage request to VC Repo, the sender may sign the verifiable claim. An asymmetric encryption algorithm may be used for the signature, and different asymmetric encryption algorithms may be selected according to the actual application scenario.
Asymmetric cryptographic algorithms typically require two keys, a public key and a private key. If the public key is used for encrypting data, the data can be decrypted only by using the corresponding private key; accordingly, if data is encrypted with a private key, it can only be decrypted with the corresponding public key. In the above method, the verifiable claim may be encrypted with a private key and then decrypted with the corresponding public key. Specifically, because the verifiable claim storage request includes the signature information, the corresponding public key can be determined according to the distributed digital identity of the sender, and that public key is used to verify the signature information.
By the method, when the VC Repo receives the storage request of the verifiable statement sent by the sender, different methods can be adopted to judge whether the sender has the use authority of the VC Repo, and the verifiable statement can be accurately stored in the database of the corresponding VC Repo.
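The two judgment methods above, as an added Python example (not code from the patent or from its assignee): a hypothetical `VCRepo` class checks the sender's DID against a registered set and verifies the request signature with the public key bound to that DID. The `did:example:` identifiers, the request field names and the toy RSA-style signature with constructed demo keys are assumptions that stand in for a real DID document lookup and a vetted signature library.

```python
import hashlib
import json

# Toy RSA-style signature over SHA-256. It stands in for whichever asymmetric
# algorithm a deployment selects; the demo keys are constructed from public
# Mersenne primes and are NOT secure. Use a vetted signature library in practice.
E = 65537


def toy_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)  # (public key, private key)


def _digest(payload, n):
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def toy_sign(private_key, payload):
    n, d = private_key
    return pow(_digest(payload, n), d, n)


def toy_verify(public_key, payload, signature):
    n, e = public_key
    if not isinstance(signature, int) or not 0 < signature < n:
        return False
    return pow(signature, e, n) == _digest(payload, n)


def signed_bytes(did, vc):
    """Stable encoding of what the signature covers: sender DID plus the claim."""
    body = {"did": did, "vc": vc}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class VCRepo:
    """Hypothetical VC Repo front end that makes the first judgment."""

    def __init__(self, registered_dids, did_public_keys, check_signature=True):
        self.registered_dids = set(registered_dids)  # method 1: registered DID set
        self.did_public_keys = did_public_keys  # stand-in for DID document lookup
        self.check_signature = check_signature  # method 2 switched on or off
        self.database = []

    def has_usage_right(self, request):
        did = request.get("did")
        if not isinstance(did, str) or did not in self.registered_dids:
            return False, "DID not registered"
        if self.check_signature:
            public_key = self.did_public_keys.get(did)
            payload = signed_bytes(did, request.get("vc"))
            signature = request.get("signature")
            if public_key is None or not toy_verify(public_key, payload, signature):
                return False, "signature does not verify for this DID"
        return True, "ok"

    def handle_store_request(self, request):
        allowed, reason = self.has_usage_right(request)
        if not allowed:
            return "rejected: " + reason  # fail closed: nothing is written
        self.database.append({"did": request["did"], "vc": request.get("vc")})
        return "stored"


def make_request(did, vc, private_key):
    signature = toy_sign(private_key, signed_bytes(did, vc))
    return {"did": did, "vc": vc, "signature": signature}


def demo():
    """Run constructed requests through both configurations."""
    holder_pub, holder_priv = toy_keypair(2**521 - 1, 2**607 - 1)
    _, other_priv = toy_keypair(2**607 - 1, 2**1279 - 1)
    holder = "did:example:holder-1"  # constructed identifier
    vc = {"type": "DrivingQualification", "subject": holder}

    genuine = make_request(holder, vc, holder_priv)
    requests = {
        "genuine": genuine,
        # Names a registered DID but is signed with a different private key.
        "wrong_key": make_request(holder, vc, other_priv),
        # Claim swapped after signing; the signature no longer matches.
        "tampered": dict(genuine, vc={"type": "AssetProof", "subject": holder}),
        "unregistered": make_request("did:example:unknown", vc, other_priv),
    }
    results = {}
    for label, check in (("registry_only", False), ("registry_and_signature", True)):
        repo = VCRepo({holder}, {holder: holder_pub}, check_signature=check)
        results[label] = {k: repo.handle_store_request(r) for k, r in requests.items()}
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

With only the registered-set lookup, the `wrong_key` and `tampered` requests are stored because the DID they name is registered; with the signature check enabled, both are rejected and only the genuine request reaches the database.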
In step 204 of the method in FIG. 2, it is mentioned that the sender may be the holder of the verifiable claim, the issuer of the verifiable claim, or a device in the distributed digital identity service system that provides a proxy storage service for verifiable claims. Specifically, the sender may be a first device logged in to a first account of a holder of the verifiable claim, a second device that provides the proxy storage service for verifiable claims in the distributed digital identity service system, or a third device logged in to a second account of a publisher of the verifiable claim.
The "first, second and third" in the "first device, second device and third device" and the "first and second" in the "first account and second account" have no special meaning, but are used to distinguish different sender devices.
The holding party may represent a device holding a verifiable claim and the issuing party may represent a device issuing a verifiable claim.
For the different senders, the data warehouse obtains the verifiable claim storage request as follows:
The obtaining of the verifiable claim storage request may specifically include:
acquiring a verifiable claim storage request sent by a first device; the first device is logged in to a first account of a holder of the verifiable claim.
The obtaining of the verifiable claim storage request may specifically include:
acquiring a verifiable claim storage request sent by a second device; the second device is a device in the distributed digital identity service system that provides a proxy storage service for verifiable claims.
The obtaining of the verifiable claim storage request may specifically include:
acquiring a verifiable claim storage request sent by a third device; the third device is logged in to a second account of the issuer of the verifiable claim.
It should be noted that, when the sender is the second device that provides the service of proxying the storage of verifiable claims in the distributed digital identity service system, the second device may obtain the verifiable claims through the device of the holder of the verifiable claims; that is, the verifiable claims in the second device may be obtained from the holder of the verifiable claims.
In the distributed digital identity service system, a device that provides a service for proxying the storage of verifiable claims is also referred to as a device of a distributed digital identity proxy service (DIS for short). The DIS may proxy a decentralized identity service; specifically, it may proxy the information storage service for information sent by each device. In the embodiments of this specification, it may proxy the storage service for a verifiable claim sent by a holder, and may also proxy the storage service for a verifiable claim sent by a publisher.
Further, when the sender is the second device or the third device, before storing the verifiable assertion requested to be stored in the database of the VC Repo, the DIS and the device corresponding to the issuer need to determine whether the holder has the usage right of the VC Repo. Specifically, the method may include:
when the first judgment result shows that the sender has the use authority of the data warehouse, judging whether the holder of the verifiable statement has the use authority of the data warehouse or not to obtain a second judgment result;
the storing, to a database of the data warehouse, the verifiable statement requested to be stored by the sender specifically includes:
and when the second judgment result shows that the holder of the verifiable statement has the use right of the data warehouse, storing the verifiable statement requested to be stored by the sender to a database of the data warehouse.
In practical applications, a verifiable statement held by the DIS or the issuer may be obtained from the holder of the verifiable statement. To determine that the verifiable statement is permitted to be stored, it is necessary to determine whether the holder has the usage rights of the VC Repo; in addition, the VC Repo also determines whether the DIS or the issuer has the usage rights.
The storage method of the verifiable statement provided in the above embodiment 1 may be specifically implemented by the following processes:
specific flows may include interactive flows between the holder of the verifiable claim, the publisher, the DIS, and the data warehouse.
Fig. 3 is a schematic flowchart of a verifiable statement storage method sent by a holder in a verifiable statement storage method provided in embodiment 1 of this specification.
As shown in fig. 3, when the sender is the holder of the verifiable assertion, the specific implementation flow of storing the verifiable assertion may be:
Step 302: The data warehouse obtains a verifiable claims storage request sent by the holder.
Step 304: Judge whether the holder has the use authority of the data warehouse.
Step 306: Upon determining that the holder has usage rights for the data warehouse, store the verifiable claims that the holder requested to be stored to a database of the data warehouse.
Fig. 4 is a schematic flowchart of a verifiable statement storage method sent by a publisher in a verifiable statement storage method provided in embodiment 1 of this specification.
As shown in fig. 4, when the sender is an issuer of the verifiable assertion, the specific flow for implementing storage of the verifiable assertion may be:
Step 402: The data warehouse obtains the verifiable assertion storage request sent by the publisher.
Step 404: Judge whether the publisher has the use authority of the data warehouse.
Step 406: Upon determining that the publisher has usage rights for the data warehouse, store the verifiable claims that the publisher requested to be stored to a database of the data warehouse.
When the sender is a device (DIS for short) that provides the service of proxying the storage of verifiable assertions in the distributed digital identity service system, a specific process for storing the verifiable assertion may be as follows:
the data warehouse obtains the verifiable assertion storage request sent by the DIS.
And judging whether the DIS has the use authority of the data warehouse.
Storing the verifiable claims that the DIS requested to be stored to a database of the data warehouse when it is determined that the DIS has usage rights of the data warehouse.
It should be noted that, when the DIS and the operator of the data warehouse are the same organization, the judgment of whether the DIS has the use authority of the data warehouse may be omitted.
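The checks that embodiment 1 places in front of the database write can be sketched as follows. This is an added example, not code from the patent: it applies both the registered-identity lookup and the signature verification (which the text presents as alternative methods), then the second judgment on the holder when the sender is a DIS or an issuer. The request layout, the `did:example:` identifiers, the use of Ed25519 and the in-memory key map standing in for distributed digital identity document lookup are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// StorageRequest is a constructed message shape; the patent defines no wire format.
type StorageRequest struct {
	SenderDID string // distributed digital identity of the sender
	HolderDID string // holder of the verifiable statement being stored
	VC        []byte // the verifiable statement itself
	Signature []byte // sender's signature over signedBytes(request)
}

var (
	ErrUnknownSender = errors.New("sender DID is not registered with this data warehouse")
	ErrBadSignature  = errors.New("signature does not verify under the sender's public key")
	ErrHolderDenied  = errors.New("holder has no usage right on this data warehouse")
)

// Repo models the data warehouse (VC Repo).
type Repo struct {
	registered map[string]bool              // registered DID set
	keys       map[string]ed25519.PublicKey // assumption: stands in for DID document lookup
	db         map[string][][]byte          // holder DID -> stored statements
}

// signedBytes length-prefixes every field so that sender, holder and statement
// are bound together and cannot be re-split into a different valid request.
func signedBytes(r StorageRequest) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d:%s",
		len(r.SenderDID), r.SenderDID, len(r.HolderDID), r.HolderDID, len(r.VC), r.VC))
}

// Store runs the first judgment (sender) and, for proxied requests, the second
// judgment (holder) before writing to the database.
func (repo *Repo) Store(r StorageRequest) error {
	if !repo.registered[r.SenderDID] {
		return ErrUnknownSender
	}
	pub, ok := repo.keys[r.SenderDID]
	if !ok || len(pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(pub, signedBytes(r), r.Signature) {
		return ErrBadSignature
	}
	// Sender is a DIS or an issuer: the holder must also have usage rights.
	if r.SenderDID != r.HolderDID && !repo.registered[r.HolderDID] {
		return ErrHolderDenied
	}
	repo.db[r.HolderDID] = append(repo.db[r.HolderDID], r.VC)
	return nil
}

// Demo runs five constructed requests and returns the result of each.
func Demo() ([]error, *Repo) {
	const holder, dis, outsider, stranger = "did:example:holder", "did:example:dis",
		"did:example:outsider", "did:example:stranger"
	repo := &Repo{map[string]bool{}, map[string]ed25519.PublicKey{}, map[string][][]byte{}}
	priv := map[string]ed25519.PrivateKey{}
	for i, did := range []string{holder, dis, stranger} {
		// Fixed seeds keep the demo deterministic; real keys must be random.
		k := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize))
		priv[did] = k
		repo.keys[did] = k.Public().(ed25519.PublicKey)
	}
	repo.registered[holder], repo.registered[dis] = true, true // stranger stays unregistered

	sign := func(sender, h, vc string) StorageRequest {
		r := StorageRequest{SenderDID: sender, HolderDID: h, VC: []byte(vc)}
		r.Signature = ed25519.Sign(priv[sender], signedBytes(r))
		return r
	}
	tampered := sign(dis, holder, `{"claim":"age>=18"}`)
	tampered.HolderDID = outsider // changed after signing

	return []error{
		repo.Store(sign(holder, holder, `{"claim":"degree"}`)), // holder stores directly
		repo.Store(sign(dis, holder, `{"claim":"age>=18"}`)),   // DIS proxies for the holder
		repo.Store(sign(dis, outsider, `{"claim":"age>=18"}`)), // holder lacks usage rights
		repo.Store(tampered),                                  // signature no longer matches
		repo.Store(sign(stranger, stranger, `{"claim":"x"}`)),  // sender not registered
	}, repo
}

func main() {
	errs, repo := Demo()
	for i, err := range errs {
		fmt.Printf("request %d: %v\n", i+1, err)
	}
	fmt.Println("statements stored for holder:", len(repo.db["did:example:holder"]))
}
```

Because the signature covers the holder identity as well as the statement, a proxied request cannot be redirected to another holder's records without invalidating it.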
Example 2
Fig. 5 is a flowchart schematically illustrating a storing method of verifiable claims provided in embodiment 2 of this specification. From the viewpoint of a program, the execution subject of the flow may be a program installed in an application server or an application client. In particular, it may be a device for providing a proxy service for decentralized identification. In this embodiment, the execution principal may be the first device, DIS, to provide the proxy storage service of the verifiable claims.
As shown in fig. 5, the process may include the following steps:
step 502: acquiring a first storage request sent by a holder of a verifiable statement; the first storage request is to request that the first device provide proxy storage service for the verifiable claims of the holding party.
The first device may be a device corresponding to the DIS, and the holder does not directly request the data warehouse to store the verifiable assertion, but sends the verifiable assertion to be stored to the data warehouse for storage through the DIS as an agent.
The first storage request is a storage request sent by the holder of the verifiable assertion to DIS, requesting DIS to provide proxy storage service for the verifiable assertion.
Step 504: and acquiring the distributed digital identity of the holding party.
Distributed digital identity here refers to the identity of the device of the holding party.
Step 506: and judging whether the holding party has the use authority of the proxy storage service or not according to the distributed digital identity, and obtaining a first judgment result.
After the holder sends the first storage request to the DIS, the DIS may verify whether the holder has the usage right of the proxy storage service.
Step 508: when the first judgment result shows that the holding party has the use authority of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable declarations; the second storage request is to request the data warehouse to store the verifiable claims of the holding to a database of the data warehouse.
If the holder has usage rights to the proxy storage service, the DIS may send a storage request to the data warehouse requesting the data warehouse to store the holder's verifiable claims in the data warehouse's database.
The method in embodiment 2 is configured to obtain a storage request for the verifiable claims by a data warehouse for storing the verifiable claims, then obtain a distributed digital identity of a sender of the storage request, determine whether the sender sending the storage request for the verifiable claims has a use right of the data warehouse according to the distributed digital identity, and store the verifiable claims requested to be stored by the sender into a database of the data warehouse when the sender has the use right of the data warehouse, so as to complete storage of the verifiable claims corresponding to the distributed digital identity.
Before sending the second storage request to the data warehouse for storing the verifiable claims, the method may further include:
searching a target data warehouse which has the use authority of the holder from the distributed digital identity document;
the sending the second storage request to the data warehouse for storing the verifiable claims may specifically include:
sending the second storage request to the target data warehouse.
It should be noted that the distributed digital identity document can be used to store information related to the distributed digital identity. The document may include distributed digital identities for each device, an identification and name of the data repository for each distributed digital identity, a key for the corresponding device (e.g., the distributed digital identity document includes a public key for the distributed digital identity), any public credentials that the identity owner wants to disclose, and a network address that can interact with the identity information. The owner of the identity information can query or manage these distributed digital identity documents by obtaining the associated private key.
The distributed digital identity document is stored on a blockchain. An asymmetric encryption algorithm is used for signing: a private key is used for encryption, and the public key is required for decryption and verification.
In practical applications, all verifiable claims corresponding to distributed digital identities may be stored in a database corresponding to one data warehouse, or may be stored in a database of a different data warehouse. In a specific scenario, a corresponding relationship between each distributed digital identity and each data warehouse may be established and stored in a distributed digital identity document, and from the distributed digital identity document, a target data warehouse having a use right of the holder may be searched, and a storage request may be sent to the target data warehouse.
Therefore, in practical applications, before sending the second storage request to the target data warehouse, the method may further include:
searching the key of the holding party from the distributed digital identity document;
generating signature information by using the key;
a second storage request is generated that includes the signature information.
The key corresponding to the holder can be looked up from the distributed digital identity document, the signature information can be generated with that key, and a storage request containing the signature information can then be generated.
The storage method of the verifiable statement provided in the above embodiment 2 may be specifically implemented by the following processes:
specific flows may include interactive flows between the holder of the verifiable claim, the publisher, the DIS, and the data warehouse.
Fig. 6 is a schematic flowchart of the DIS proxying the storage of a verifiable assertion sent by a publisher, in a verifiable assertion storage method provided by an embodiment of this specification.
As shown in fig. 6, when an object requesting DIS to provide a proxy storage service of a verifiable assertion is a holder of the verifiable assertion, a flow for implementing storage of the verifiable assertion may be as follows:
step 602: a holding party DIS sends a first storage request, wherein the first storage request is used for requesting the first equipment to provide proxy storage service for the verifiable declaration of the holding party DIS;
step 604: the DIS judges whether the holding party has the use authority of the proxy storage service;
step 606: generating signature information using a key of the holder when it is determined that the holder has a use right of the proxy storage service;
step 608: the DIS sends a second storage request containing signature information to a target data warehouse which has the use authority of the holding party, and requests the target data warehouse to store the verifiable declaration of the holding party in the corresponding database;
step 610: the verifiable claims of the holding party are stored in a database of the data repository.
Example 3
Fig. 7 is a flowchart schematically illustrating a storing method of verifiable claims provided in embodiment 3 of this specification. From the viewpoint of a program, the execution subject of the flow may be a program installed in an application server or an application client. In particular, it may be a device for providing a proxy service for decentralized identification. In this embodiment, the execution principal may be the first device, DIS, to provide the proxy storage service of the verifiable claims.
As shown in fig. 7, the process may include the following steps:
step 702: acquiring a first storage request sent by a publisher of a verifiable statement; the first storage request is used for requesting the first device to provide proxy storage service for the verifiable assertion issued by the issuer.
The execution subject in this embodiment is the same as the execution subject in embodiment 2, and the first storage request in this embodiment may be a storage request sent to DIS by the issuing party of the verifiable assertion, requesting DIS to provide proxy storage service for the verifiable assertion.
Step 704: and acquiring the distributed digital identity of the publisher.
Step 706: and judging whether the publisher has the use authority of the proxy storage service according to the distributed digital identity of the publisher to obtain a first judgment result.
Step 708: when the first judgment result shows that the publisher has the use right of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable declarations; the second store request is to request the data warehouse to store the publisher's publication verifiable assertion to a database of the data warehouse.
If the publisher of the verifiable assertion has usage rights to the proxy storage service, the DIS may send a storage request to the data warehouse requesting the data warehouse to store the publisher's verifiable assertion in the data warehouse's database.
Before sending the second storage request to the data warehouse for storing the verifiable claims, the method may further include:
searching a target data warehouse which has the use authority of the publisher from the distributed digital identity document of the publisher;
the sending the second storage request to the data warehouse for storing the verifiable claims may specifically include:
sending the second storage request to the target data warehouse.
Before the obtaining the first storage request sent by the issuer of the verifiable assertion, the method may further include:
obtaining a first authorization request sent by a holder of a verifiable statement; the first authorization request is used for authorizing the issuer of the verifiable assertion to have the right to store the verifiable assertion of the holder;
acquiring a distributed digital identity of the holding party;
judging whether the holder has the use authority of the first device or not according to the distributed digital identity of the holder to obtain a second judgment result;
when the second judgment result shows that the holding party has the use authority of the first device, sending a second authorization request to the data warehouse; the second authorization request is for requesting that the issuer be granted permission to store the owner's verifiable claims to the data warehouse.
The specific implementation principle of this embodiment is the same as that of embodiment 2, except that in embodiment 3, the DIS agent is requested to store the verifiable assertion of the publisher to the database of the data warehouse.
The methods in embodiments 2 and 3 may be implemented by the system in which the DIS provides the proxy service for storing the verifiable claims, which may simplify the operation of the user end device. For example, for the user of DIS, the user terminal only needs to interact with DIS during the storage process of the verifiable claims, and may not need to directly interact with the data warehouse.
The verifiable claims sent by the publisher come from the holder of the verifiable claims. Upon determining that the publisher has the usage rights of the DIS, the DIS requests the data warehouse to grant the publisher the right to store the owner's verifiable claims to the data warehouse.
The storage method of the verifiable declaration provided in the above embodiment 3 can be specifically implemented by the following procedures:
specific flows may include interactive flows between the holder of the verifiable claim, the publisher, the DIS, and the data warehouse.
Fig. 8 is a flowchart illustrating a method for storing a verifiable assertion sent by a DIS agent holder in a verifiable assertion storage method according to an embodiment of this specification.
As shown in fig. 8, when an object requesting DIS to provide a proxy storage service of a verifiable assertion is a holder of the verifiable assertion, a flow for implementing storage of the verifiable assertion may be as follows:
Step 802: The holder sends a first authorization request to the DIS, requesting that the issuer be authorized to store the holder's verifiable declaration;
Step 804: The DIS judges whether the holder has the use right of the proxy storage service for verifiable declarations;
Step 806: When it is determined that the holder has the use right of the proxy storage service, a second authorization request is sent to the data warehouse, requesting that the issuer be granted the right to store the generated verifiable statement to the data warehouse;
Step 808: The holder applies to the publisher for issuance of a verifiable statement;
Step 810: The issuer issues a verifiable statement to the DIS;
Step 812: The DIS generates a verifiable assertion. It should be noted that the issuer issues the verifiable declaration, and the specific data content required to be stored for the verifiable declaration may be generated by the DIS.
Step 814: The DIS sends a storage request of the verifiable statement to the data warehouse;
Step 816: The data warehouse judges whether the DIS has the use authority of the data warehouse;
Step 818: When it is determined that the DIS has usage rights of the data warehouse, the verifiable claims generated by the DIS are stored into a database of the data warehouse.
Based on the same idea, the embodiment of the present specification further provides an apparatus corresponding to embodiment 1 of the above method.
Fig. 9 is a schematic structural diagram of a storage device corresponding to one verifiable assertion in fig. 2 provided in this specification. As shown in fig. 9, the apparatus may include:
a verifiable statement storage request obtaining module 902, configured to obtain a verifiable statement storage request at a data warehouse that stores verifiable statements;
a distributed digital identity obtaining module 904, configured to obtain a distributed digital identity of a sender of the request;
a first judging module 906, configured to judge, according to the distributed digital identity, whether the sender has the usage right of the data warehouse, so as to obtain a first judgment result;
a storage module 908, configured to store the verifiable assertion that the sender requests to store in the database of the data repository when the first determination result indicates that the sender has the usage right of the data repository.
Optionally, the first determining module 906 may specifically include:
and the query unit is used for querying whether the distributed digital identity exists in the registered distributed digital identity set or not.
Optionally, the first determining module 906 may specifically include:
a signature information acquisition unit configured to acquire signature information included in the verifiable declaration storage request;
a public key obtaining unit, configured to obtain a public key corresponding to the distributed digital identity;
and the verification unit is used for verifying the signature information by adopting the public key.
Optionally, the module for obtaining the verifiable statement storage request may specifically include:
the first obtaining unit is used for obtaining the verifiable statement storage request sent by the first equipment; the first device is logged on with a first account of a holder of the verifiable claim.
Optionally, the verifiable statement storage request obtaining module 902 may specifically include:
a verifiable statement storage request second obtaining unit, configured to obtain a verifiable statement storage request sent by the second device; the second device is a device in the distributed digital identity service system that provides a service for brokering the storage of verifiable claims.
Optionally, the verifiable statement storage request obtaining module 902 may specifically include:
a verifiable statement storage request third obtaining unit, configured to obtain a verifiable statement storage request sent by a third device; the third device is logged into a second account of the issuer of the verifiable claim.
Optionally, the apparatus may further include:
the second judgment module is used for judging whether the holder of the verifiable statement has the use authority of the data warehouse or not when the first judgment result shows that the sender has the use authority of the data warehouse, so as to obtain a second judgment result;
the storage module specifically comprises:
and the storage unit is used for storing the verifiable statement requested by the sender to a database of the data warehouse when the second judgment result indicates that the holder of the verifiable statement has the use authority of the data warehouse.
Based on the same idea, the embodiment of the present specification further provides an apparatus corresponding to embodiment 2 of the foregoing method.
FIG. 10 is a schematic diagram of a verifiable claim storage device provided herein and corresponding to FIG. 5;
as shown in fig. 10, the apparatus includes:
a first storage request obtaining module 1002, configured to obtain a first storage request sent by a holder of a verifiable claim; the first storage request is to request the first device to provide proxy storage service for the verifiable claims of the holding party;
a distributed digital identity obtaining module 1004, configured to obtain a distributed digital identity of the holding party;
a first determining module 1006, configured to determine whether the holding party has the usage right of the proxy storage service according to the distributed digital identity, so as to obtain a first determination result;
a second storage request sending module 1008, configured to send a second storage request to the data warehouse for storing verifiable claims when the first determination result indicates that the holder has the usage right of the proxy storage service; the second storage request is to request the data warehouse to store the verifiable claims of the holding to a database of the data warehouse.
Optionally, the apparatus may further include:
the target data warehouse searching module is used for searching a target data warehouse which the holder has the use authority from the distributed digital identity document;
the second storage request sending module 1008 specifically includes:
a second storage request sending unit, configured to send the second storage request to the target data warehouse.
Optionally, the apparatus may further include:
a key lookup module for looking up a key of the holder from the distributed digital identity document;
the signature information generating module is used for generating signature information by adopting the key;
and the second storage request generation module is used for generating a second storage request containing the signature information.
Based on the same idea, an embodiment of the present specification further provides an apparatus corresponding to embodiment 3 of the foregoing method, where the apparatus includes:
the first storage request acquisition module is used for acquiring a first storage request sent by a publisher of a verifiable statement; the first storage request is used for requesting the first device to provide proxy storage service for the verifiable declaration issued by the issuer;
the distributed digital identity acquisition module is used for acquiring the distributed digital identity of the publisher;
the first judgment module is used for judging whether the publisher has the use authority of the proxy storage service according to the distributed digital identity of the publisher to obtain a first judgment result;
a second storage request sending module, configured to send a second storage request to a data warehouse for storing a verifiable assertion when the first determination result indicates that the publisher has the usage right of the proxy storage service; the second store request is to request the data warehouse to store the publisher's publication verifiable assertion to a database of the data warehouse.
Optionally, the apparatus may further include:
the target data warehouse searching module is used for searching a target data warehouse which has the use authority by the publisher from the distributed digital identity document of the publisher;
the second storage request sending module may specifically include:
a second storage request sending unit, configured to send the second storage request to the target data warehouse.
Optionally, the apparatus may further include:
the first authorization request acquisition module is used for acquiring a first authorization request sent by a holder of a verifiable statement; the first authorization request is used for authorizing the issuer of the verifiable assertion to have the right to store the verifiable assertion of the holder;
the distributed digital identity acquisition module is used for acquiring the distributed digital identity of the holding party;
the second judgment module is used for judging whether the holding party has the use authority of the first equipment or not according to the distributed digital identity of the holding party to obtain a second judgment result;
a second authorization request sending module, configured to send a second authorization request to the data warehouse when the second determination result indicates that the holder has the usage right of the first device; the second authorization request is for requesting that the issuer be granted permission to store the owner's verifiable claims to the data warehouse.
Based on the same idea, the embodiments of this specification further provide an apparatus corresponding to the method in embodiment 1.
FIG. 11 is a schematic diagram of a storage device corresponding to one of the verifiable claims of FIG. 2 provided in this specification. As shown in fig. 11, the device 1100 may include:
at least one processor 1110; and,
a memory 1130 communicatively coupled to the at least one processor; wherein,
the memory 1130 stores instructions executable by the at least one processor 1110.
Corresponding to embodiment 1, the instructions may enable the at least one processor 1110 to:
controlling a data warehouse for storing the verifiable claims to obtain a verifiable claims storage request;
acquiring a distributed digital identity of a sender of the request;
judging whether the sender has the use authority of the data warehouse or not according to the distributed digital identity, and obtaining a first judgment result;
and when the first judgment result shows that the sender has the use authority of the data warehouse, storing the verifiable statement requested to be stored by the sender to a database of the data warehouse.
Based on the same idea, an embodiment of the present specification further provides a device corresponding to the method in embodiment 1, where the device may include:
at least one processor; and,
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor.
Corresponding to embodiment 2, the instructions may enable the at least one processor to:
acquiring a first storage request sent by a holder of a verifiable statement; the first storage request is to request the first device to provide proxy storage service for the verifiable claims of the holding party;
acquiring a distributed digital identity of the holding party;
judging whether the holding party has the use authority of the proxy storage service or not according to the distributed digital identity, and obtaining a first judgment result;
when the first judgment result shows that the holding party has the use authority of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable declarations; the second storage request is to request the data warehouse to store the verifiable claims of the holding to a database of the data warehouse.
Based on the same idea, an embodiment of the present specification further provides a device corresponding to the method in embodiment 1, where the device may include:
at least one processor; and,
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor.
Corresponding to embodiment 3, the instructions may enable the at least one processor to:
acquiring a first storage request sent by a publisher of a verifiable statement; the first storage request is used for requesting the first device to provide proxy storage service for the verifiable declaration issued by the issuer;
acquiring a distributed digital identity of the publisher;
judging whether the publisher has the use authority of the proxy storage service according to the distributed digital identity of the publisher to obtain a first judgment result;
when the first judgment result shows that the publisher has the use right of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable declarations; the second store request is to request the data warehouse to store the publisher's publication verifiable assertion to a database of the data warehouse.
In the 1990s, an improvement to a technology could be clearly distinguished as either an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement to a process flow). However, as technology advances, many of today's process flow improvements can be regarded as direct improvements to hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system onto a PLD by programming it, without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making an integrated circuit chip, such programming is often implemented with "logic compiler" software, which is similar to the software compiler used in program development; the original code to be compiled must also be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, and an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and the units are described separately. Of course, when implementing the present application, the functionality of the units may be implemented in one or more pieces of software and/or hardware.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media, such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (29)

1. A method of storing verifiable claims, comprising:
a data warehouse for storing the verifiable claims obtains a verifiable claims storage request;
acquiring a distributed digital identity of a sender of the request;
judging whether the sender has the use authority of the data warehouse or not according to the distributed digital identity, and obtaining a first judgment result;
and when the first judgment result shows that the sender has the use authority of the data warehouse, storing the verifiable statement requested to be stored by the sender to a database of the data warehouse.
2. The method according to claim 1, wherein the determining whether the sender has the usage right of the data warehouse specifically includes:
querying whether the distributed digital identity exists in a registered distributed digital identity set.
3. The method according to claim 1, wherein the determining whether the sender has the usage right of the data warehouse specifically includes:
acquiring signature information contained in the verifiable statement storage request;
acquiring a public key corresponding to the distributed digital identity;
and verifying the signature information by adopting the public key.
4. The method of claim 1, wherein the obtaining of the verifiable claims storage request specifically comprises:
acquiring a verifiable statement storage request sent by first equipment; the first device is logged on with a first account of a holder of the verifiable claim.
5. The method of claim 1, wherein the obtaining of the verifiable claims storage request specifically comprises:
acquiring a verifiable statement storage request sent by second equipment; the second device is a device in the distributed digital identity service system that provides a service for brokering the storage of verifiable claims.
6. The method of claim 1, wherein the obtaining of the verifiable claims storage request specifically comprises:
acquiring a verifiable statement storage request sent by third equipment; the third device is logged into a second account of the issuer of the verifiable claim.
7. The method of claim 5 or 6, prior to storing the verifiable statement requested to be stored by the sender to a database of the data warehouse, further comprising:
when the first judgment result shows that the sender has the use authority of the data warehouse, judging whether the holder of the verifiable statement has the use authority of the data warehouse or not to obtain a second judgment result;
the storing, to a database of the data warehouse, the verifiable statement requested to be stored by the sender specifically includes:
and when the second judgment result shows that the holder of the verifiable statement has the use right of the data warehouse, storing the verifiable statement requested to be stored by the sender to a database of the data warehouse.
8. A method of storing verifiable claims, comprising:
acquiring a first storage request sent by a holder of a verifiable statement; the first storage request is to request the first device to provide proxy storage service for the verifiable claims of the holding party;
acquiring a distributed digital identity of the holding party;
judging whether the holding party has the use authority of the proxy storage service or not according to the distributed digital identity, and obtaining a first judgment result;
when the first judgment result shows that the holding party has the use authority of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable claims; the second storage request is used to request the data warehouse to store the verifiable claim of the holding party to a database of the data warehouse.
9. The method of claim 8, prior to sending the second storage request to the data warehouse for storing verifiable claims, further comprising:
searching a target data warehouse which has the use authority of the holder from the distributed digital identity document;
the sending of the second storage request to the data warehouse for storing the verifiable claims specifically includes:
sending the second storage request to the target data warehouse.
10. The method of claim 9, prior to sending the second storage request to the target data warehouse, further comprising:
searching the key of the holding party from the distributed digital identity document;
generating signature information by using the key;
a second storage request is generated that includes the signature information.
11. A method of storing verifiable claims, comprising:
acquiring a first storage request sent by a publisher of a verifiable statement; the first storage request is used for requesting the first device to provide proxy storage service for the verifiable declaration issued by the issuer;
acquiring a distributed digital identity of the publisher;
judging whether the publisher has the use authority of the proxy storage service according to the distributed digital identity of the publisher to obtain a first judgment result;
when the first judgment result shows that the publisher has the use right of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable claims; the second storage request is used to request the data warehouse to store the verifiable claim issued by the publisher to a database of the data warehouse.
12. The method of claim 11, prior to sending the second storage request to the data warehouse for storing verifiable claims, further comprising:
searching a target data warehouse which has the use authority of the publisher from the distributed digital identity document of the publisher;
the sending of the second storage request to the data warehouse for storing the verifiable claims specifically includes:
sending the second storage request to the target data warehouse.
13. The method of claim 12, prior to obtaining the first storage request sent by the issuer of the verifiable claim, further comprising:
obtaining a first authorization request sent by a holder of a verifiable statement; the first authorization request is used for authorizing the issuer of the verifiable assertion to have the right to store the verifiable assertion of the holder;
acquiring a distributed digital identity of the holding party;
judging whether the holder has the use authority of the first device or not according to the distributed digital identity of the holder to obtain a second judgment result;
when the second judgment result shows that the holding party has the use authority of the first device, sending a second authorization request to the data warehouse; the second authorization request is used to request that the issuer be granted permission to store the holder's verifiable claims to the data warehouse.
14. A verifiable claim storage apparatus, comprising:
the verifiable statement storage request acquisition module is used for acquiring a verifiable statement storage request by a data warehouse for storing verifiable statements;
the distributed digital identity acquisition module is used for acquiring the distributed digital identity of the sender of the request;
the first judgment module is used for judging whether the sender has the use authority of the data warehouse or not according to the distributed digital identity so as to obtain a first judgment result;
and the storage module is used for storing the verifiable statement requested to be stored by the sender to a database of the data warehouse when the first judgment result shows that the sender has the use authority of the data warehouse.
15. The apparatus according to claim 14, wherein the first determining module specifically includes:
and the query unit is used for querying whether the distributed digital identity exists in the registered distributed digital identity set or not.
16. The apparatus according to claim 14, wherein the first determining module specifically includes:
a signature information acquisition unit configured to acquire signature information included in the verifiable declaration storage request;
a public key obtaining unit, configured to obtain a public key corresponding to the distributed digital identity;
and the verification unit is used for verifying the signature information by adopting the public key.
17. The apparatus according to claim 14, wherein the verifiable assertion storage request obtaining module specifically includes:
the first obtaining unit is used for obtaining the verifiable statement storage request sent by the first equipment; the first device is logged on with a first account of a holder of the verifiable claim.
18. The apparatus according to claim 14, wherein the verifiable assertion storage request obtaining module specifically includes:
a verifiable statement storage request second obtaining unit, configured to obtain a verifiable statement storage request sent by the second device; the second device is a device in the distributed digital identity service system that provides a service for brokering the storage of verifiable claims.
19. The apparatus according to claim 14, wherein the verifiable assertion storage request obtaining module specifically includes:
a verifiable statement storage request third obtaining unit, configured to obtain a verifiable statement storage request sent by a third device; the third device is logged into a second account of the issuer of the verifiable claim.
20. The apparatus of claim 18 or 19, further comprising:
the second judgment module is used for judging whether the holder of the verifiable statement has the use authority of the data warehouse or not when the first judgment result shows that the sender has the use authority of the data warehouse, so as to obtain a second judgment result;
the storage module specifically comprises:
and the storage unit is used for storing the verifiable statement requested by the sender to a database of the data warehouse when the second judgment result indicates that the holder of the verifiable statement has the use authority of the data warehouse.
21. A verifiable claim storage apparatus, comprising:
the first storage request acquisition module is used for acquiring a first storage request sent by a holder of a verifiable statement; the first storage request is to request the first device to provide proxy storage service for the verifiable claims of the holding party;
the distributed digital identity acquisition module is used for acquiring the distributed digital identity of the holding party;
the first judgment module is used for judging whether the holding party has the use authority of the proxy storage service according to the distributed digital identity to obtain a first judgment result;
a second storage request sending module, configured to send a second storage request to a data warehouse for storing verifiable claims when the first determination result indicates that the holder has the usage right of the proxy storage service; the second storage request is used to request the data warehouse to store the verifiable claim of the holder to a database of the data warehouse.
22. The apparatus of claim 21, the apparatus further comprising:
the target data warehouse searching module is used for searching a target data warehouse which the holder has the use authority from the distributed digital identity document;
the second storage request sending module specifically includes:
a second storage request sending unit, configured to send the second storage request to the target data warehouse.
23. The apparatus of claim 21, the apparatus further comprising:
a key lookup module for looking up a key of the holder from the distributed digital identity document;
the signature information generating module is used for generating signature information by adopting the key;
and the second storage request generation module is used for generating a second storage request containing the signature information.
24. A verifiable claim storage apparatus, comprising:
the first storage request acquisition module is used for acquiring a first storage request sent by a publisher of a verifiable statement; the first storage request is used for requesting the first device to provide proxy storage service for the verifiable declaration issued by the issuer;
the distributed digital identity acquisition module is used for acquiring the distributed digital identity of the publisher;
the first judgment module is used for judging whether the publisher has the use authority of the proxy storage service according to the distributed digital identity of the publisher to obtain a first judgment result;
a second storage request sending module, configured to send a second storage request to a data warehouse for storing verifiable claims when the first determination result indicates that the publisher has the usage right of the proxy storage service; the second storage request is used to request the data warehouse to store the verifiable claim issued by the publisher to a database of the data warehouse.
25. The apparatus of claim 24, the apparatus further comprising:
the target data warehouse searching module is used for searching a target data warehouse which has the use authority by the publisher from the distributed digital identity document of the publisher;
the second storage request sending module specifically includes:
a second storage request sending unit, configured to send the second storage request to the target data warehouse.
26. The apparatus of claim 25, further comprising:
the first authorization request acquisition module is used for acquiring a first authorization request sent by a holder of a verifiable statement; the first authorization request is used for authorizing the issuer of the verifiable assertion to have the right to store the verifiable assertion of the holder;
the distributed digital identity acquisition module is used for acquiring the distributed digital identity of the holding party;
the second judgment module is used for judging whether the holding party has the use authority of the first equipment or not according to the distributed digital identity of the holding party to obtain a second judgment result;
a second authorization request sending module, configured to send a second authorization request to the data warehouse when the second determination result indicates that the holder has the usage right of the first device; the second authorization request is used to request that the issuer be granted permission to store the holder's verifiable claims to the data warehouse.
27. A verifiable claim storage device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
controlling a data warehouse for storing the verifiable claims to obtain a verifiable claims storage request;
acquiring a distributed digital identity of a sender of the request;
judging whether the sender has the use authority of the data warehouse or not according to the distributed digital identity, and obtaining a first judgment result;
and when the first judgment result shows that the sender has the use authority of the data warehouse, storing the verifiable statement requested to be stored by the sender to a database of the data warehouse.
28. A verifiable claim storage device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquiring a first storage request sent by a holder of a verifiable statement; the first storage request is to request the first device to provide proxy storage service for the verifiable claims of the holding party;
acquiring a distributed digital identity of the holding party;
judging whether the holding party has the use authority of the proxy storage service or not according to the distributed digital identity, and obtaining a first judgment result;
when the first judgment result shows that the holding party has the use authority of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable claims; the second storage request is used to request the data warehouse to store the verifiable claim of the holding party to a database of the data warehouse.
29. A verifiable claim storage device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquiring a first storage request sent by a publisher of a verifiable statement; the first storage request is used for requesting the first device to provide proxy storage service for the verifiable declaration issued by the issuer;
acquiring a distributed digital identity of the publisher;
judging whether the publisher has the use authority of the proxy storage service according to the distributed digital identity of the publisher to obtain a first judgment result;
when the first judgment result shows that the publisher has the use right of the proxy storage service, sending a second storage request to a data warehouse for storing verifiable claims; the second storage request is used to request the data warehouse to store the verifiable claim issued by the publisher to a database of the data warehouse.
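The data-warehouse-side check of claims 1 to 3 and 7 can be sketched as follows; this is an added example, not code from the patent or from the applicant. The class and function names, the request layout, the `did:example:` identifiers, the use of the registered set for the holder check, and the Lamport one-time signature (standing in for the unspecified signature scheme so the block needs only the standard library) are all assumptions.

```python
import hashlib
import json
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


# Lamport one-time signatures: a stand-in (assumption) for whatever key type
# the DID document really lists. Each private key must sign only one message.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, message: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    if not isinstance(signature, list) or len(signature) != 256:
        return False
    if not all(isinstance(part, bytes) for part in signature):
        return False
    return all(_h(part) == pk[i][bit]
               for (i, bit), part in zip(enumerate(_bits(message)), signature))


def signing_input(sender, holder, claim) -> bytes:
    # Canonical bytes covering sender, holder and claim, so none can be swapped.
    body = {"sender": sender, "holder": holder, "claim": claim}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_request(sender, holder, claim, sk):
    sig = lamport_sign(sk, signing_input(sender, holder, claim))
    return {"sender": sender, "holder": holder, "claim": claim, "signature": sig}


class DataWarehouse:
    """Hypothetical data warehouse that stores verifiable claims."""

    def __init__(self, registered_dids, resolve_public_key):
        self.registered = set(registered_dids)         # registered DID set
        self.resolve_public_key = resolve_public_key   # DID -> public key or None
        self.database = []

    def handle_storage_request(self, request) -> str:
        sender, holder = request.get("sender"), request.get("holder")
        claim = request.get("claim")
        # Claim 2: the sender's DID must be in the registered DID set.
        if sender not in self.registered:
            return "rejected: sender DID not registered"
        # Claim 3: verify the request signature with the sender's public key.
        pk = self.resolve_public_key(sender)
        message = signing_input(sender, holder, claim)
        if pk is None or not lamport_verify(pk, message, request.get("signature")):
            return "rejected: bad signature"
        # Claim 7: when a proxy or issuer sends the request, the holder must
        # also have use authority (modelled here as registration, an assumption).
        if holder != sender and holder not in self.registered:
            return "rejected: holder DID not registered"
        self.database.append({"holder": holder, "claim": claim})
        return "stored"


def demo():
    # Constructed sample identities and claim, for illustration only.
    holder, issuer, stranger = ("did:example:holder", "did:example:issuer",
                                "did:example:stranger")
    keys = {}
    warehouse = DataWarehouse({holder, issuer}, keys.get)
    claim = {"type": "ExampleCredential", "subject": holder}

    def signed(sender, holder_did):
        sk, keys[sender] = lamport_keygen()  # fresh one-time key per request
        return build_request(sender, holder_did, claim, sk)

    results = {"holder_stores_own": warehouse.handle_storage_request(signed(holder, holder)),
               "issuer_stores_for_holder": warehouse.handle_storage_request(signed(issuer, holder))}
    tampered = signed(holder, holder)
    tampered["claim"] = {**claim, "subject": "did:example:other"}
    results["tampered_claim"] = warehouse.handle_storage_request(tampered)
    results["unregistered_sender"] = warehouse.handle_storage_request(signed(stranger, stranger))
    results["unregistered_holder"] = warehouse.handle_storage_request(signed(issuer, stranger))
    results["rows_stored"] = len(warehouse.database)
    return results
```

Because the signature covers the sender, the holder and the claim together, a request whose claim or holder field is altered after signing fails the claim 3 check before anything reaches the database.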
CN202010277236.5A 2020-04-10 2020-04-10 Storage method, device and equipment capable of verifying statement Active CN111191268B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010277236.5A CN111191268B (en) 2020-04-10 2020-04-10 Storage method, device and equipment capable of verifying statement
PCT/CN2021/085182 WO2021204068A1 (en) 2020-04-10 2021-04-02 Storage of verifiable claim

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010277236.5A CN111191268B (en) 2020-04-10 2020-04-10 Storage method, device and equipment capable of verifying statement

Publications (2)

Publication Number Publication Date
CN111191268A true CN111191268A (en) 2020-05-22
CN111191268B CN111191268B (en) 2020-08-07

Family

ID=70708709

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010277236.5A Active CN111191268B (en) 2020-04-10 2020-04-10 Storage method, device and equipment capable of verifying statement

Country Status (2)

Country Link
CN (1) CN111191268B (en)
WO (1) WO2021204068A1 (en)

Also Published As

Publication number Publication date
CN111191268B (en) 2020-08-07
WO2021204068A1 (en) 2021-10-14

Similar Documents

Publication Publication Date Title
CN111191268B (en) Storage method, device and equipment capable of verifying statement
CN110990804B (en) Resource access method, device and equipment
CN107862215B (en) Data storage method, data query method and device
CN111741036B (en) Trusted data transmission method, device and equipment
CN113012008B (en) Identity management method, device and equipment based on trusted hardware
CN111401902B (en) Service processing method, device and equipment based on block chain
US10812477B2 (en) Blockchain-based enterprise authentication method, apparatus, and device, and blockchain-based authentication traceability method, apparatus, and device
CN111193597B (en) Transmission method, device, equipment and system capable of verifying statement
CN111814196B (en) Data processing method, device and equipment
US10938572B2 (en) Revocable biometric-based keys for digital signing
CN111814172A (en) Method, device and equipment for acquiring data authorization information
CN111190974B (en) Method, device and equipment for forwarding and acquiring verifiable statement
CN113434849A (en) Data management method, device and equipment based on trusted hardware
CN113221142A (en) Authorization service processing method, device, equipment and system
CN112100610B (en) Processing method, device and equipment for login and user login related services
CN113497805B (en) Registration processing method, device, equipment and system
CN113158151B (en) Identity authentication processing method and device
CN111818094B (en) Identity registration method, device and equipment
CN116455657A (en) Service providing method, device, equipment and system
CN115758418A (en) Data management method, device and equipment based on block chain network
CN114626944A (en) Service processing method and device
CN116962061A (en) User identity verification method, device and equipment based on blockchain
CN116432249A (en) Data authorization management method, device and medium based on electronic signature technology
CN111784550A (en) Method, device and equipment for processing inherited service
CN117494178A (en) Function access method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code Ref country code: HK; Ref legal event code: DE; Ref document number: 40030549; Country of ref document: HK