Dynamic Delegation Access Control Protocol for Sharing Verifiable Credentials

Abstract

Abstract The emergence of Self-Sovereign Identity (SSI) has introduced a paradigm shift in digital identity management, moving back the control over their credentials to their owners. However, current SSI implementations do not present an e!ective mechanism for access delegation for a Verifiable Credential (VC) without compromising the subject’s privacy or control. The objective of this project is a novel Dynamic Delegation Access Control Protocol to address these limitations of present methods, enabling controlled and privacy-preserving credential sharing among participating roles. The Access Delegation Credential (ADC) introduced in this protocol is a verifiable credential issued by the delegator to assert the delegatee’s access to the Delegated Credential (DC). Since the original credential is not transferred to the delegatee and remains with the delegator until it is presented to the verifier, this design is preserving the SSI principle while achieving the delegation. The protocol was evaluated under privacy-by-design requirements of SSI. The prototype implemented for the evaluation uses Veramo, Open Policy Agent, with multiple DID methods, including two real-world use cases: student-supervisor access to a library system and employee access using organizational credentials. Performance of the prototype was benchmarked using di!erent key types and DID methods. The protocol achieves the objective of the project, incurring additional overhead compared to traditional delegation methods, but it significantly enhances transparency, enables fine-grained access control, and privacy compliance. It establishes a strong foundation for privacy-preserving delegation in SSI systems.