Luxury Handbags as an Identity problem - Part 1

This article discusses whether a Decentralised Identity (DID) system can help to prevent counterfeiting of a luxury handbag brand. The IOTA DID scheme is used in the code examples.

author: @dumdave (Iota and Assembly Discord tag)

All improvements welcome. Or just help to fix typos.

last updated: 8th Feb 2022


Article summary: Sets the challenge faced by a luxury handbag supplier in maintaining control of not just initial sales but also subsequent 'pre-loved' sales of their handbags. Poses the question of how cryptonetwork based Decentralised Identity systems might manage this.


IMPORTANT. The IOTA DID system described below is under development and there may be sudden code changes that render the code examples inaccurate. Also, the DIDs created as examples may disappear from the network over time, as they are not entered into a 'permanode' (a permanent way of storing data).

[1] Introduction - YotaBags.

YotaBags. Imagine a small British luxury leather handbag supplier, YotaBags. Its products sell worldwide. A new YotaBag is typically USD 2000.

There is a huge counterfeit problem in this industry. This is not a problem for new sales as YotaBags use only a select group of retailers. Anybody who is not in this group who offers a YotaBag for sale soon receives a visit from the YotaBag legal department.

[Diagram: YotaBags new sales]

The real problem lies in the 'pre-loved' sales area. Clients who have paid USD 2000 often decide to sell their bag on to a third party, perhaps for USD 1500 (and even sometimes, when there are shortages of supply, for more than USD 2000). Many online services and specialist auction houses exist to offer such items.

In this secondary market, YotaBags cannot control the situation. If a good quality fake is introduced to this market, then they cannot easily spot it. As a result, there are five fake bags in circulation for every real one. This devalues the product in the eyes of the market.

[Diagram: YotaBags pre-loved sales]

YotaBags would like to be able to ensure that both the new sales AND the subsequent on-sales process exclude counterfeit items. Can a cryptonetwork based solution solve the problem?


[2] Approach - Decentralized Identifiers.

One way to approach the YotaBags problem is to regard it as one of Identity. In other words, if each genuine YotaBag could have a unique identity code associated with it, say with an attached barcode, and there was a reliable way of checking that any bag being inspected had a genuine identity code, then fakes could be driven from the market.

One way of handling such identity codes might be by a centralized database maintained by the manufacturer. That is possible, though it runs into difficulties with the tracking of 'pre-loved' sales. Also, in an era where many customers wish to maintain control of their own identity, data protection laws can restrict what is possible.

An alternative is the use of Decentralised Identifiers, which is the main topic of this article. It is an area where there is a published standard.

The W3C standard, Decentralized Identifiers (DIDs) v1.0, gives this definition.

Decentralized Identifier (DID)

"A globally unique persistent identifier that does not require a centralized registration authority and is often generated and/or registered cryptographically."

In this article the IOTA www.iota.org scheme will be used to illustrate the points being made. For IOTA a Decentralized IDentifier (DID) looks as follows. Note that the DID Tag itself gives no clue as to what it is a DID for, so it could be an object, a person, or even a concept.

did:iota:DrbLjreftVCicKTiizd4RMuxBGJYLLegXmqMz7uWfUk6

IOTA DIDs can be resolved here:

The IOTA Identity Resolver

Alternatively, the general IOTA Tangle Explorer can be used by entering a Message ID related to the publication of the DID Document. Note, however, that this second method is insecure, as it does not check whether the DID Document shown has been correctly 'signed'.


[3] Replit Code Examples?

Throughout this article, Replit examples are used to show relevant code and worked examples. These run in a browser and have two parts, the code and a self-contained Console where the code runs.

The first example shows an IOTA DID being created, signed, and published to the IOTA Tangle. Each time it is run it creates a new DID and DID Document. You can check that the DIDs appear on the Tangle and are properly 'signed' by using the IOTA Identity Resolver.


_ _ _ _ _ _ _ A REPLIT SHOULD BE BETWEEN THESE MARKERS _ _ _ _ _ _ _

Start by viewing the 'code' tab for the code! Then in the console press the green arrow icon to run the code (you can also use the x at the top right to clear a previous run). DID Document creation should happen quickly, but you may have to wait a few seconds for the DID to be published.

_ _ _ _ _ _ _ A REPLIT SHOULD BE BETWEEN THESE MARKERS _ _ _ _ _ _ _

Note that to avoid disrupting the flow of the article, subsequent Replits will not be embedded as the above one is, but will simply have links shown.

For example, this Replit shows a DID Document that has been signed before Publication to the IOTA Tangle by a different KeyPair to the one used to create the DID itself. This is not allowed as otherwise any bad actor could publish a DID that they did not own and appear to have ownership of it.

YotaBags Replit Test 2

If the DID is once again tested by entry in the IOTA Identity Resolver it will show an error - saying that no valid entry with that DID exists.

This final Replit shows how to retrieve a full signed DID Document from the IOTA Tangle given the DID.

YotaBags Replit Test 3


[4] How does a DID solve the counterfeit YotaBags problem?

By itself it does not. Say for example the manufacturer publishes on their website a complete list of all valid DIDs for genuine YotaBags. Imagine that a YotaBag is being examined and it has an attached barcode giving its DID. By comparing that with the listed DIDs, it is possible to see whether or not the YotaBag's barcode indicates that it is a genuine bag.

This leaves two ways for the maker of fakes to beat the system.

[a] The original barcode could be detached from the original, then put onto a fake bag, leaving the faker with a genuine bag and also a cheaper fake bag that can be sold at high price.

[b] A genuine barcode could be copied and put onto a fake bag, or a hundred fake bags.

For the purposes of this article it will be assumed that there is no method for preventing such barcode substitution or copying - that is, no clever barcode attachments that cannot be removed or copied.

Any system must therefore add some additional steps. These will be examined in stages.


[5] Adding a Verifiable Credential

A Verifiable Credential is defined in the W3C standard given in Section [2]. The Credential part is a statement like "This is a genuine YotaBag", made by a person who has authority to make such a statement - in this case, the Manufacturer.

The Verifiable part indicates that it is possible to take the statement and check that it has been made by the Manufacturer about that particular YotaBag - or more precisely, about the DID that represents that particular YotaBag.

As the standard is generalized to work for many situations, the Manufacturer here will also need to create themselves a DID. That will then mean that the Verifiable Credential is saying:

DID (Manufacturer) is stating that DID (particular YotaBag) is genuine.

For this article the following will be used:

A particular YotaBag DID: did:iota:Ff86MkpEVpQKxpjZxs13XPNJoF67niwmHiD3d6ADNyyK

The Manufacturer DID: did:iota:FY3sEhUPhWE5TcdZxeERdGmSGWc3jZCRDZKpnX8dadbY

The following Replit creates a Verifiable Credential; its output is shown below:

YotaBags Replit Test 4

{
  '@context': 'https://www.w3.org/2018/credentials/v1',
  id: 'did:iota:FY3sEhUPhWE5TcdZxeERdGmSGWc3jZCRDZKpnX8dadbY',
  type: [ 'VerifiableCredential', 'Certification of YotaBag authenticity' ],
  credentialSubject: {
    id: 'did:iota:Ff86MkpEVpQKxpjZxs13XPNJoF67niwmHiD3d6ADNyyK',
    alias: 'Brushed leather - blue',
    color: 'blue tone',
    contribution: 'Certified as a genuine YotaBag',
    name: 'YotaBag PA',
    size: 'medium'
  },
  issuer: 'did:iota:FY3sEhUPhWE5TcdZxeERdGmSGWc3jZCRDZKpnX8dadbY',
  issuanceDate: '2022-02-07T18:00:37Z',
  proof: {
    type: 'JcsEd25519Signature2020',
    verificationMethod: '#authentication',
    signatureValue: '5H2Sr4xfXHe86DpaDYD6oXo5d2EBdjNpja64oJYK4qFaeYx6CujAA3ygVq5BWR47U8BXWBWNgFVcod4U7Akup5Mz'
  }
}

Verification result: true
        

[6] Understanding the Verifiable Credential.

First look at the part called credentialSubject. This refers to the particular YotaBag. It has the correct DID number from above (begins Ff86), and the remainder both certifies it as a genuine YotaBag and gives a description. In this sense it is like a passport, facing both ways. That is, it gives some information that allows the reader to confirm that the bag described is the same as the one they are looking at, and then certifies a 'right' for the bag.

Note. If YotaBags could find an aspect of each bag that was unique, a fingerprint of some kind, then this descriptive aspect would be very powerful. For example, if they could encode the 'grain pattern' of the material of each bag. For this article, it is assumed this is not possible.

credentialSubject: {
    id: 'did:iota:Ff86MkpEVpQKxpjZxs13XPNJoF67niwmHiD3d6ADNyyK',
    alias: 'Brushed leather - blue',
    color: 'blue tone',
    contribution: 'Certified as a genuine YotaBag',
    name: 'YotaBag PA',
    size: 'medium'
  },
        

The second important part is the Issuer information. In particular, the line giving the Issuer DID, which is the Manufacturer one shown above.

issuer: 'did:iota:FY3sEhUPhWE5TcdZxeERdGmSGWc3jZCRDZKpnX8dadbY'

Taken together, along with the fact that the whole Verifiable Credential can be tested and shown to be TRUE or FALSE by using the signature, this Verifiable Credential document proves that the Manufacturer has certified the YotaBag with the given DID as genuine.

All that remains is to check that the Manufacturer is the owner of the DID shown, and uses it to certify those particular bags. This would be expected to be on the Manufacturer's website.

Note. A large Manufacturer may well use different DIDs for different ranges of products, or during particular periods of time. They may also change the DID used from time to time as a security measure. That does not mean that the original Verifiable Credential becomes invalid - it is just to show that the Manufacturer may have several DIDs.
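
The verifier-side checks from sections [5] and [6], written out as an added example (this is not the article's Replit code and does not use the IOTA Identity library). Assumptions: the Ed25519 keys are generated locally, a Map stands in for resolving the issuer DID on the Tangle, a Set stands in for the issuer DIDs published on the Manufacturer's website, and `canon`, `issue` and `verify` are hypothetical helper names with a simplified sorted-key serialisation in place of full JCS.

```javascript
// Added example: local stand-in for the checks described in sections [5]-[6].
// Keys are generated here; the "resolver" is a Map, not the IOTA Tangle.
const crypto = require('crypto');

// Simplified canonical form (sorted keys). Real JcsEd25519Signature2020 uses RFC 8785 JCS.
const canon = (v) =>
  Array.isArray(v) ? '[' + v.map(canon).join(',') + ']'
  : v && typeof v === 'object'
    ? '{' + Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + canon(v[k])).join(',') + '}'
  : JSON.stringify(v);

const BAG = 'did:iota:Ff86MkpEVpQKxpjZxs13XPNJoF67niwmHiD3d6ADNyyK';
const MAKER = 'did:iota:FY3sEhUPhWE5TcdZxeERdGmSGWc3jZCRDZKpnX8dadbY';

const makerKeys = crypto.generateKeyPairSync('ed25519'); // constructed key for MAKER
const otherKeys = crypto.generateKeyPairSync('ed25519'); // constructed key not tied to MAKER

// Stand-in for resolving an issuer DID to its verification key.
const resolver = new Map([[MAKER, makerKeys.publicKey]]);
// Stand-in for the issuer DIDs listed on the Manufacturer's website.
const trustedIssuers = new Set([MAKER]);

function issue(subjectDid, issuerDid, privateKey) {
  const vc = {
    type: ['VerifiableCredential', 'Certification of YotaBag authenticity'],
    credentialSubject: { id: subjectDid, name: 'YotaBag PA', size: 'medium' },
    issuer: issuerDid,
  };
  const sig = crypto.sign(null, Buffer.from(canon(vc)), privateKey);
  return { ...vc, proof: { type: 'ExampleEd25519', signatureValue: sig.toString('base64') } };
}

function verify(vc, scannedDid) {
  const { proof, ...body } = vc;
  if (!trustedIssuers.has(body.issuer)) return 'untrusted issuer';
  const key = resolver.get(body.issuer);
  if (!key) return 'issuer DID not resolvable';
  const sig = Buffer.from(proof.signatureValue, 'base64');
  if (!crypto.verify(null, Buffer.from(canon(body)), key, sig)) return 'bad signature';
  if (body.credentialSubject.id !== scannedDid) return 'credential is for a different DID';
  return 'valid';
}

const genuine = issue(BAG, MAKER, makerKeys.privateKey);
const forged = issue(BAG, MAKER, otherKeys.privateKey); // names MAKER, signed by another key
console.log(verify(genuine, BAG)); // valid
console.log(verify(forged, BAG));  // bad signature
```

The result is 'valid' for any barcode that carries the bag's DID, including a copied one, which is the gap section [7] leaves for Part 2.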




[7] Summary of what Part 1 has shown.

A Decentralised Identifier is given to a particular YotaBag, and also to the Manufacturer of that YotaBag. The two DIDs are then connected using a Verifiable Credential that proves that the Manufacturer certifies that particular bag. Some additional descriptive information about that bag is included in the Verifiable Credential.

This still does not tackle the problem of a bad actor who either substitutes the 'barcode' carrying the YotaBag DID onto an inferior article, or indeed mass duplicates it.

Tackling that next stage of the problem will be the topic for Part 2 in this series of articles.

_ _ _ _ _ _ _ _ _ _ _ _ end _ _ _ _ _ _ _ _ _ _ _