Technical viability of the solutions: question about credential transfer

[pranavpatilsce]

Hi PrIde,

I am guessing via APIs you will transfer the credentials between the issuing authority, the user, and the verifier organization.

I didn't see a UI diagram uploaded to your github repo in an image or pdf format, so it's not clear how you intend to transfer the 'credential key' between these parties.

I am guessing its like this?
Issuer -> SHA256 -> user gets the hashed key. The same key is also put into the blockchain. Then when the user gives the key to the verifying authority, the verifying authority checks for the key in the blockchain and if it matches, it transfer's the user's details to the verifying's authority?

I am not sure how this will work from the web UI side. Will there be a login and then the user has a pin to unlock the process to transfer the key to a list of organizations that will then verify the data in the blockchain?

What stops someone in the verification authority to use that key to go to the issuer and 'pretend' to be the user and update the user's information to something wrong? Or does the user get 2 keys from the issuer authority and the public key is what the user gives the verification authority and the private key is used by the user to update/alter information in the Issuer's system? The private key is then mapped to the SHA256 hash internally inside the Issuer's system?

In my undergrad project, my team and I had to think about some of these issues and the handling of the keys. It became cumbersome for us during implementation. I didn't see a UI design document on your repo so I don't know how it works so I raised this issue.