How to use DigSigs to protect academic certificates
Why use a DigSig for this purpose?
Imagine yourself being a university or some other academic institution. How do you prevent graduates from tampering with their certificates to fraudulently improve their own grades. Effectively undermining your institution and tainting your reputation.
There aren’t that many options available to you. Your signature on the document can’t prevent tampering, and neither will it prevent the creation of fraudulent copies. Unless you spent a fortune on security paper to print your certificates on that is. Fraudsters can simply change a name and viola, instant graduate!
Today employers are tasked with verifying academic certificates by calling up institutions and asking verifying qualifications manually. This is not only an labour intensive job, but it can also become especially challenging when trying to communicate across language barriers and/or time zones.
Digital signatures are commonly used in cases where it is important to detect forgery or tampering of documents, messages and also internet banking.
Defining your document type
From this certificate we extract the following fields:
Graduate Full Name | James McPherson |
Type of qualification | Bachelor of Science |
Name of degree | Truthology |
Issued Date | 1st January 2017 |
Field types
By communicating with the client and analysing the fields we can conclude the following about these fields
Graduate Full Name |
|
Type of qualification |
Will always be one of the following options
|
Name of degree | The following courses are on offer at the University of Atlantis
|
Defining the data structure
The data structure used for creating DigSigs is referred to as a ‘Data Definition Descriptor’ or DDD for short. It is a JSON based language used for describing all the data fields one want to include in a DigSig.
A DDD is a JSON object with two main properties; digsiginfo and datafields.
{ "datafields":[ … // Mandatory fields dicated by standard …. // Application specific fields to include in our DigSig ], "digsiginfo":{ ….. // General information about the Issuer and Issuing process } }
For each data field we want to include in our final DigSig we would have to make a entry in the “datafields” array. This entry is called a field descriptor, and as its name says it is a JSON object describing all the properties of a single field.
Field descriptors
Graduate full name field
People can be very difficult about how their names are written out and therefore it would be wise to support a fully featured string for this field. Such a name should always have a length between 2 and 40 characters.
{ "fieldid": "graduate_full_name", "type": "string", "fieldname": { "en": "Graduate full name", "zh": "全名" } }
ISO/IEC 20248 strings are stored using UTF8 thereby including character sets from most non-english speaking countries.
The “fieldname” attribute will be used to display the human-friendly field name during verification.
Name of degree field
{ "fieldid": "degree", "type": "enum", "fieldname": { "en": "Name of degree", "zh": "资格名称" }, "enumvalues": [ "BSC", "BA", "BCOMM" ], "enumvaluedesc": [ { "en": "Bachelor of science", "zh": "理学学士" }, { "en": "Bachelor of arts", "zh": "文科学士学位" }, { "en": "Bachelor of Commerce", "zh": "商学学士" } ] }
The “fieldname” attribute will be used to display the human-friendly field name during verification.
Type of qualification field
Our client supports only three types of qualifications and this would only change on a yearly basis. By utilising the DigSig enum feature we can optimally encode this data into binary format.
{ "fieldid": "qualification_type", "type": "enum", "fieldname": { "en": "Type of qualification" }, "enumvalues": [ "Truthology", "Alchemy", "Astrology", "Snake Oil Apologetics", "Geocentric Astronomy", "Nibiru Archeology", "Moon landing conspiracies", "Hollow Earth Theory", "Great Flood Geology", "Perpetual motion machinery", "Electrogravitics", "Cryptozoology", "Ufology", "Numerology" ], "enumvaluedesc": [ { "en": "Truthology", "zh": "伪科学" }, { "en": "Alchemy", "zh": "炼金术" }, { "en": "Astrology", "zh": "占星学" }, { "en": "Snake Oil Apologetics", "zh": "蛇油" }, { "en": "Geocentric Astronomy", "zh": "地心天文学" }, { "en": "Nibiru Archeology", "zh": "Nibiru的考古" }, { "en": "Moon landing conspiracies", "zh": "登月阴谋" }, { "en": "Hollow Earth Theory", "zh": "空心地球理论" }, { "en": "Great Flood Geology", "zh": "大洪水地质" }, { "en": "Perpetual motion machinery", "zh": "永动机机械" }, { "en": "Electrogravitics", "zh": "电引力" }, { "en": "Cryptozoology", "zh": "动物学" }, { "en": "Ufology", "zh": "飞碟学" }, { "en": "Numerology", "zh": "数学" } ] }
Since the list of degrees has a total of 14 items. By following the standard we should be able to encode this field using only 4 bits.
Full Data Definition Descriptor (DDD) Example
{ "datafields": [ { "fieldid": "specificationversion" }, { "fieldid": "dauri" }, { "fieldid": "daid" }, { "fieldid": "cid" }, { "fieldid": "signature" }, { "fieldid": "timestamp" }, { "fieldid": "graduate_full_name", "fieldname": { "en": "Graduate full name", "zh": "全名" }, "type": "string" }, { "fieldid": "qualification_type", "type": "enum", "fieldname": { "en": "Type of qualification" }, "enumvalues": [ "BSC", "BA", "BCOMM" ], "enumvaluedesc": [ { "en": "Bachelor of science", "zh": "理学学士" }, { "en": "Bachelor of arts", "zh": "文科学士学位" }, { "en": "Bachelor of Commerce", "zh": "商学学士" } ] }, { "fieldid": "qualification_type", "type": "enum", "fieldname": { "en": "Name of Degree", "zh": "资格名称" }, "enumvalues": [ "Truthology", "Alchemy", "Astrology", "Snake Oil Apologetics", "Geocentric Astronomy", "Nibiru Archeology", "Moon landing conspiracies", "Hollow Earth Theory", "Great Flood Geology", "Perpetual motion machinery", "Electrogravitics", "Cryptozoology", "Ufology", "Numerology" ], "enumvaluedesc": [ { "en": "Truthology", "zh": "伪科学" }, { "en": "Alchemy", "zh": "炼金术" }, { "en": "Astrology", "zh": "占星学" }, { "en": "Snake Oil Apologetics", "zh": "蛇油" }, { "en": "Geocentric Astronomy", "zh": "地心天文学" }, { "en": "Nibiru Archeology", "zh": "Nibiru的考古" }, { "en": "Moon landing conspiracies", "zh": "登月阴谋" }, { "en": "Hollow Earth Theory", "zh": "空心地球理论" }, { "en": "Great Flood Geology", "zh": "大洪水地质" }, { "en": "Perpetual motion machinery", "zh": "永动机机械" }, { "en": "Electrogravitics", "zh": "电引力" }, { "en": "Cryptozoology", "zh": "动物学" }, { "en": "Ufology", "zh": "飞碟学" }, { "en": "Numerology", "zh": "数学" } ] } ], "digsiginfo": { "cid": 0, "daid": "QC DGSG", "dauri": "https://dauri1.20248.info", "revocationuri": "https://dauri1.20248.info/revoked", "specificationversion": "ISO/IEC CD2 20248:2016", "verificationuri": "https://v1.20248.info" } }
Note that a DA-wide unique CID will be assigned to you during publishing.
Producing DigSigs
Publishing DDDs to a DigSig Generator and getting your Certificate Signing Request signed by a Domain Authority falls outside the scope of this article. But for convenience we went ahead and deployed this DigSig to to our demo DigSig generator and signed the resulting CSR using our demo 20248.info DA.
Once your DDD has been deployed to a DigSig Generator then we can go ahead and produce the required ddd-data blobs required for generating DigSigs.
A DDD-Data blob is a simple json encoded array with each element in the array corresponding a item in the “datafields” array as declared in the DDD.
By sending the ddd-data blob to your DigSig generator through the DigSig Generator REST API the DigSig Generator will produce a DigSig.
Full Name | James McPherson |
Qualification Type | Bachelor of Science |
Name of degree | Truthology |
DDD-Data | [ "ISO/IEC CD2 20248:2016", "https://dauri1.20248.info", "QC DGSG", 131, null, null, "James McPherson", "BSC", "Truthology" ] |
DigSig |
V10 QR |