Towards Academic and Skills Credentialing Standards and Distributed

Ledger Technologies

Morné Pretorius

, Nelisiwe Dlamini

and Sthembile Mthethwa

Council for Scientiﬁc and Industrial Research (CSIR),

Information and Cyber Security Centre (ICSC),

Pretoria, South-Africa

Keywords:

Distributed Ledger Technology, Blockchain, Education, Standardisation, Standards, Veriﬁable Credentials,

Skills Tracking.

Abstract:

Today’s internet-connected world is moving towards evermore digitisation. Consequently, the education

system globally is experiencing various problems whilst trying to keep up with this disruptive and ongoing

change that is introduced. One way to alleviate the problem is standardising how skills and academic

achievement are quantiﬁed, digitised, authenticated and persisted to achieve a means of automated veriﬁcation

and matching of the current need with what skill-sets are available. This research aims to provide a starting

point towards a standardised future solution which considers existing emerging standards and technologies

to provide skills tracking capability. The existing standards, data schema, technologies and techniques are

discussed and an existing real-world prototype architecture is identiﬁed. This prototype’s terminology is then

mapped to the emerging World Wide Web Consortium (W3C) standards which will serve as a baseline design.

1 INTRODUCTION

During hunter-gatherer times, there was no separation

between learning and playing and thus education used

to be an exploratory pass time, which later changed

with the need for children to do forced agricultural

labour (Gray, 2008). As agricultural automation

increased, the need for childhood labour began to

decrease, which freed up children’s time upon which

the concept of compulsory childhood education was

gradually introduced from the 16th to 19th century.

Even today education is predominantly seen as a

separation of work and play, or rather: work, then

play (Gray, 2008).

Traditional 19th and 20th-century education

systems have served the world for decades by

developing students’ skills, availing systems that are

set up to provide training and awarding their learning

with recognition and qualiﬁcations. Consequently

contributing to the preparedness and readiness of the

workforce.

Digital advancements have reshaped the world

and led to innovations in education and training.

This changes traditional classroom-based learning in

https://orcid.org/0000-0002-7665-4778

https://orcid.org/0000-0002-8635-8948

https://orcid.org/0000-0001-7961-5240

various ways by introducing new learning

methodologies or, is perhaps leading us closer

to the original hunter-gatherer way of education.

This learning is backed by experience accumulated

throughout a person’s lifetime, skills developed

by completing projects, lessons learned via online

teaching systems, and self-guided information

gathering (The Mozilla Foundation et al., 2012).

These help the person to keep abreast of current skills

and obtain knowledge, especially in a time where

21st-century skills (navigating and detecting truth in

vast collections of online websites and information

sets) are required by most if not all employers. This

self-directed interest-driven learning aims to (The

Mozilla Foundation et al., 2012):

• establish a broader accreditation and recognition

ecosystem;

• granularly track traditional curriculums along

with new skills and literacies;

• inspire and assist students to seek new learning

avenues;

• capture obtained skills and achievements across

different contexts;

• expose or communicate captured skills and

achievements to relevant stakeholders and

• facilitate cross-context learning.

Pretorius, M., Dlamini, N. and Mthethwa, S.

Towards Academic and Skills Credentialing Standards and Distributed Ledger Technologies.

DOI: 10.5220/0010340602490257

In Proceedings of the 7th International Conference on Information Systems Security and Privacy (ICISSP 2021), pages 249-257

ISBN: 978-989-758-491-6

249

One problem with the existing education system

is the continuous proliferation of information and

disruptive technologies, where these education

systems often ﬁnd themselves lagging and do not

recognise post-curricular or informal skills and

knowledge gained as the learner or person progresses.

Instead, educational institutions mostly require a

learner to be enrolled to study on a formally deﬁned

learning path. The formal achievements of the learner

are awarded, leaving out potentially important skills,

knowledge and competencies obtained throughout

self-directed or lifelong learning.

There is thus an urgent need to establish an

internationally recognised method in which all

skills and knowledge can be consolidated, digitised,

authenticated and persisted in a manner where the

learner has control over their information and then

gets to amend or update it (Chakroun and Keevy,

2018).

Distinctions should be made to avoid unintended

debates around terminologies, most prominently

known as macro-credentials and micro-credentials

(Chakroun and Keevy, 2018). Macro-credentials refer

to the more traditional and formal super-sets that

represent university degrees and micro-credentials

refer to subsets that could make-up (or stack) an

equivalent macro-credential. For example, a macro-

credential could be an engineering degree whereas

a micro-credential could be the subjects that make-

up the overall degree or, it could be a series or

selection of short courses that form the equivalent

of the subjects needed to represent an engineering

degree.

One example of micro-credentials is that of

Massive Open Online Courses (MOOC) which started

surfacing as early as 2007 (Table 1) and has gained

traction with an increase from 16–18 million in

2014 to about 35 million registered users in 2015

(Chakroun and Keevy, 2018). One challenge that

arises with introducing MOOCs is to ﬁnd a means

to match the equivalent of what MOOC represents to

that of what macro-credentials represent. If this can

be done, then learners can be notiﬁed of the amount

of work they need to do to achieve an equivalent

university degree and how far along a particular career

path they are which could foster motivation towards

formal, online or practical achievements. Another

challenge is to ensure the integrity and fairness of

MOOC when matching the equivalent competency

needed to achieve a formal or traditional degree and to

make this equivalent legible to an employer when the

learner reaches a point of employability (Chakroun

and Keevy, 2018). An advantage that could arise from

a digitised skills and achievements track record is to

match the current labour market need to what skills

and knowledge are available. However, doing this

implies analysis of the credential data which implies

access control, anonymisation and encrypted storage

if privacy is of any concern to the public to comply

to the Privacy by Design (PbD) requirements of the

General Data Protection Regulation (GDPR) (Raul

et al., 2017; DLA Piper, 2017). In the South African

context, there are also requirements for mandatory

and voluntary disclosure of personal information and

data safeguarding under the Protection of Personal

Information Act (POPIA) (DLA Piper, 2017).

Table 1: List of online micro-credential issuer initiatives.

Year Founded Country Initiative

1997 USA, Australia IMS Digital Credentialing

2007 Ireland ALISON

2008 Germany iVersity

2011 USA Udacity

2012 USA Coursera

2012 USA EdX

2012 United Kingdom FutureLearn

2012 Japan Schoo

2012 Spain UniMOOC

2012 Brazil Veduca

2013 China Ewant

2013 China XuetangX

2013 Australia Open2Study

2013 Saudi Arabia Rwaq

2013 Russia Universarium

Table 1 lists some current MOOC initiatives,

which illustrate the early stages of credential

digitisation. The problem with these issuers is that

the credentials they issue are hosted by themselves

on central data repositories which makes these

credentials and claims (e.g. macro- and micro-

credentials) about an individual less discoverable and

interoperable with the larger education ecosystem

than it could be. It is also difﬁcult to link

these obtained credentials to a persistent identity, as

they usually use e-mail-based authentication methods

to service their clients or learners. Furthermore,

from the perspective of more traditional certiﬁcate

authorities and education institutions that issue

macro-credentials, they mostly manage their learner

data, courses and results using inefﬁcient and

centralised systems such as excel sheets (Gräther

et al., 2018). This makes it tedious to search for

information and present an overview which also

induces manual veriﬁcation.

This research is not about any particular MOOC

or their associated strengths and weaknesses but

rather aims to illustrate the role that accompanying

ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

250

technologies, such as Veriﬁable Credentials (VC) and

Distributed Ledger Technology (DLT), could play

in macro-credential or micro-credential services’

advancement. The goal is to serve the research

community towards either re-using existing efforts or

to assess the efforts that will be needed to implement

a digitally veriﬁable credentialling system in future.

Ideally, this system should comply with data privacy

legislation and existing standards. Regarding

interoperability, most DLTs lack standards adoption

as most are siloed with no architecture, software

design and interoperability uniﬁcation approach

(International Telecommunication Union (ITU),

2019). Associated standards and interoperability

requirements that are recognised and accepted

internationally are still emerging and can serve as a

baseline for user protection and performance of these

technologies (Faridi, 2020). The contribution of this

study can therefore be summarised as follows: a) A

technology prototype architecture which incorporates

novelty by complying with emergent standards

using emergent technologies and with user centric

data control as required by recent data regulations.

b) Establish a baseline design through mapping

existing prototype terminology and components to

standards which will allow other sectors or groups

to learn from and re-use ideas. The required system

then presents multiple novelties because traditional

systems differentiate themselves to this one in various

ways:

• All issued credentials and identities are hosted on

a central data repository, which is susceptible to a

single point of failure.

• Traditional systems make it difﬁcult to link

credentials to a persistent identity as they

usually use email-based authentication methods to

interact with users, i.e. learners.

• Identities are less discoverable and interoperable

and are susceptible to censorship.

Section 2 brieﬂy outlines our methodology.

Section 3.1 summarises the concepts that are a

starting point towards using standard terminology

alongside technologies that would improve future

education ecosystem interoperability. Section 3.2

discusses what relevant data schemas are available to

be used within the skills and academic achievement

context. Section 3.3 discusses paths towards

utilising these technologies to improve existing

micro-credentialling services and how they relate to

blockchain or DLT. Section 3.4 brieﬂy touches on

what methods are available to selectively disclose

subsets of credentials, which is a requirement by

more recent regulations such as the GDPR and

POPIA. Section 4 provides a mapping to the W3C

standard’s concepts as well as recommendations to

further decentralise credential issuer authorisation

and section 5 concludes with future work and ongoing

challenges that are to be resolved if such a system is

to be instantiated successfully.

2 METHOD

Information Systems (IS) ﬁnd themselves instantiated

in the natural world because of previous design

choices that aim to satisfy human requirements. This

has led to the research method know as Design

Science Research (DSR) (Hevner and Chatterjee,

2010) and is the core method that we are required

to use as we aim to either bring new systems into

being or improve on existing systems. Where natural-

and behavioural science aim to hypothesise, collect

data, prove a hypothesis and develop theory, the DSR

method aims to understand and improve or produce

a new artifact which leads to its evaluation after

instantiation (Hevner and Chatterjee, 2010). This

work is the ﬁrst phase, or rather conceptual and

architectural assessment towards what is required to

satisfy a need established by (Chakroun and Keevy,

2018). It is a push to move from what has and is being

abstractly deﬁned in the W3C emergent standards

towards a concrete instantiation of one particular

sector use case (Otto et al., 2019). We therefore aim

to answer various questions:

1. What technologies and speciﬁcations exist

that are needed to create an international

credentialling and skills tracking system?

2. What technologies exist that enable the solution

to minimise data disclosure (PbD) for regulatory

compliance whilst still providing discoverability

of the system actor identities?

3. What standards exist that could provide future

international interoperability and also aid in

automated digital credential veriﬁcation?

Various searches were conducted to identify

architectural components that are required to realise

the required credentialling and veriﬁcation system.

Sources presenting trends in education digitisation

efforts, academic and online course achievements

standards along with DLT-based digitisation efforts

in the education context were collected. The sources

were then ﬁltered based on their ability to align

with the architectural requirements deﬁned by leaders

or pioneers in the educational digitisation ﬁeld and

standards advancement entities.

Towards Academic and Skills Credentialing Standards and Distributed Ledger Technologies

251

3 REQUIRED SYSTEM

TECHNOLOGIES

3.1 Veriﬁable Credentials

VCs are an emerging W3C technology and standard

that enables online entities to present claims or

attestations about themselves or other entities in a

cryptographically veriﬁable manner. This makes

it possible for micro-credential services to prove

that a particular qualiﬁcation or competency claim

is associated with an identity, or in the standard’s

context, a Decentralised Identiﬁer (DID) (Reed et al.,

2020). A DID aims to solve the single point of

failure problem associated with centralised solutions

where traditional identities are maintained by some

custodian or central authority, for example, the

Department of Home Affairs (DHA) or a certiﬁcate

authority in the current internet ecosystem. Each

DID can refer to one or several DID documents that

contain meta-information about an entity or subject

such as public keys (veriﬁcation methods or contact

information).

In the micro- and macro-credential context

these DID documents and VCs can store academic

or life long learning achievements or subsets of

achievements. The VC and DID standards are

agnostic of the physical data storage location of the

DID and its associated document(s). This location

is referred to as a Veriﬁable Data Registry (VDR)

which is controlled by a controller which can be a

person, organisation, autonomous software, logical

thing or multiple of these, each with their own DID.

This DID controller can also be the person (also

referred to as the DID subject) which provides the

person or subject the ability to be in control of their

own veriﬁable claims or attestations. The standard is

also agnostic of many implementation details, such

as the cryptographic primitives used to generate a

DID, how to persist credential- or meta-data related

to a DID, and how to resolve or lookup a DID.

Instead, generic syntax and requirements are deﬁned

to execute the basic Create, Read, Update, Delete

(CRUD) operations on DID associated meta-data,

which in the skills tracking context is the information

that makes up a macro- or micro-credential.

It is important to realise the abstract nature of

the four basic roles that are present within the VC

standards as depicted in Figure 1. There is the issuer

who generates a claim about a subject and binds it to

that particular subject. Then there is the veriﬁer who

computes the cryptographic proof to verify claims

about a particular subject, and ﬁnally, there is the

holder who could be the subject or another entity

Figure 1: W3C VC data model ecosystem overview (Sporny

et al., 2019).

(organisation, autonomous software vault) that acts

as custodian on behalf of the subject (Otto et al.,

2019). All the entities that fulﬁl these roles are

referenced or referred to via their own DID. The

abstract and variable nature of these roles are intended

to extend the VC standard well beyond the skills

tracking context and into healthcare, ﬁnance, retail,

legal identity and devices and is beyond the scope of

this article. Here we focus only on the developments

that are in progress regarding the digitisation of the

education sector.

3.2 Education Credentialing Schemas

From Table 1 it is evident that the pioneers in

education technology and interoperability standards

advancement are the Instructional Management

Systems (IMS) global learning consortium, which

has been active since 1997. They have initiated

the development of the digital education credentials

data schema speciﬁcation known as Open Badges

(OB) (Consortium, 2018b) which has been in active

practical use for close to a decade (Otto et al.,

2018) and is an open speciﬁcation that is maintained

and updated across many organisations such as

Campus Labs, Credly, Mozilla, Digitalme, D2L

Corporation and Pearson (Consortium, 2018b). A

worldwide view regarding OB usage can be accessed

at badgetheworld.org and a list of badge issuers are

presented at openbadges.org.

The OB speciﬁcation serves as lexicon or

vocabulary that can structure the data that make up

skills or educational achievements, much like how

website developers can use schema.org to structure

data on their pages to allow search engines to more

easily discover or crawl and understand published

data. This discoverability is also one of the ten

design goals of the W3C VCs speciﬁcation (Reed

et al., 2020). These schemas deﬁne the make-

up of the information to establish a form of re-

use and interoperability. There are other signiﬁcant

similarities in how OBs function when compared to

W3C VCs which lays good groundwork for future

ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

252

standardisation and interoperability. This is due

to an underlying data format that is used by both

OBs and VCs known as JavaScript Object Notation-

Linked Data (JSON-LD) and in addition, JSON-LD

signatures which are used to authenticate claims or

credentials cryptographically. JSON-LD provides

web-developers the ability to structure their data

according to a pre-deﬁned data schema which is

maintained by afﬁliates from Google, Microsoft,

Yahoo and Yandex in the case of schema.org.

From an identity perspective, OBs use a string-

type identiﬁer (predominantly e-mail addresses) to

associate an assertion or credential with an issuer

and/or subject, although there are efforts underway to

support the alternative DID-based identity integration

within the "Open Badges Validator" (Otto et al.,

2018). This would de-couple the OBs from

central points of failure and provide badge holders

more freedom as to where their badges are

kept and provide decentralised veriﬁcation in the

future. Currently, OBs utilise centralised veriﬁcation

methods (HostedBadge and SignedBadge) which

are only associated with an e-mail or centrally

hosted identity which is more prone to attack and

compromise. Two methods or options are listed by

(Otto et al., 2018) that could align the OB schema

or data model with that of the W3C DID and VC

standards which would advance the efforts of the

IMS digital credentials initiative in terms of security

although a majority of the credential information

remains only authenticated and not encrypted. It

is thus important to consider the privacy guidelines

deﬁned in the W3C VC documentation to prevent

domain cross-correlation and to provide sufﬁcient

anonymisation, particularly when references and

proofs of credentials are stored on an immutable

DLT network infrastructure which persists the data.

This could stand in contrast to what is required by

the GDPR which grants individuals the right to be

forgotten (Raul et al., 2017) and requires credential

mutability or revocation.

OBs also feature a badge "baking" speciﬁcation

(Consortium, 2018a) where micro- or macro-

credential data is merged or embedded into an image

ﬁle format such as a Portable Network Graphic (PNG)

or Scalable Vector Graphic (SVG). This functionality

is also consolidated with the W3C VC standards since

it is currently represented as a JSON-LD document

but should ideally also be representable as a DID

document. Another analogous concept within the

OB speciﬁcation is the badge backpack which relates

to the holder deﬁned in the W3C VC standards.

The OBs ecosystem also cannot currently issue the

same BadgeClass or badge type from a different

issuer (Otto et al., 2018) which is analogous to,

for example, all chemical engineering degrees being

issued by one university only. If these similarities

can be aligned with the W3C DID and VC standards

speciﬁcations, then the OB schema could become the

de facto vocabulary to digitise education and skills or

competencies and would be on the right track towards

interoperability across the different issuers, subjects,

holders and veriﬁers.

3.3 Distributed Ledger Technologies

A DLT is deﬁned by the W3C as follows: “A

distributed database in which the various nodes use

a consensus protocol to maintain a shared ledger in

which each transaction is cryptographically signed

and chained to the previous transaction”(Reed et al.,

2020). A DLT or blockchain is a form of public

utility with two predominant operational settings,

namely permissionless and permissioned. In the

permissionless setting, anyone who wishes to take

part in hosting the service is incentivised to join in,

which provides the service by the people and for the

people. In the permissioned setting, the number of

participatory nodes are agreed upon beforehand and

are trusted to provide the shared information service.

The intersection at which DLTs meet the W3C

DID and VC standards begin with a DID method,

which deﬁnes the implementation details necessary

to make decentralised authentication possible instead

of having central points of failure that host identities.

Noteworthy is the ability of the W3C DID documents

concept to also contain biometric service provider

contact information to verify identity authenticity

against a biometric vector as a multi-factor.

Many DID implementations have been deﬁned

by DLT development teams and are listed on the

DID methods registry. If the OB data schema

updates suggested by (Otto et al., 2018) are accepted

by the greater IMS digital credentialling developer

community and applied, it would make it possible

to utilise any of the listed DLT networks to provide

identiﬁcation alongside the IMS OB skills and

academic achievements data schema. By analysing

the DID methods registry, as of June 2020, there are

58 different provisional DID method implementations

in total. There are 3 implementations that run on the

Bitcoin network, 4 for Hyperledger Fabric and 9 for

Ethereum. Two of the 9 Ethereum implementations

can also operate on additional networks from an

interoperability point of view. The did:signor

method can additionally operate on the Hedera

Hashgraph, Quorum and Hyperledger Besu networks

and the did:gatc method can function on the

Towards Academic and Skills Credentialing Standards and Distributed Ledger Technologies

253

Hyperledger Fabric, Hyperledger Besu and Alastria

DLT networks.

The question that needs to be asked is what does

the education credentialling context stand to gain

when using a distributed system such as a DLT? The

answer lies in the assessment around what properties

are provided by these technologies? A DLT typically

possesses 3 signiﬁcant properties:

1. It provides a temporal ordering of events or

claims without the need to synchronise the clocks

of the network nodes that provide or host the

network ledger service infrastructure and acts as

a form of public utility.

2. It provides immutability that ensures historical

integrity by including hashes (unique identiﬁers

of a data frame) of the previous data frame

or block in the next data frame and by non-

deterministically gossiping this to all other nodes.

3. It provides persistence of data and resilience by

redundantly storing multiple copies of the data in

a distributed manner.

What is to be gained by the digitisation of any

information is ﬁrstly a reduction in administrative

overhead through automation, and this surely is a

need for most traditional education institutions that

still conduct paper-based veriﬁcation. From the

perspective of the MOOCs, who already possess

digitisation, they stand to gain a form of globally

recognisable persistent identity along with persistent

credential information provided that these identity

implementations comply with the aforementioned

standards and that global consensus is reached around

the adoption of said standards. The entire education

ecosystem can gain historical information uniﬁcation

through the temporal ordering property, as they do

not need to keep track of which claims were made

in which order or at which time. This should also

reduce fraud via automated auditability because of the

immutable event history that resides on the ledger.

Cryptographic veriﬁcation also provides additional

automation through the immutability property, along

with built-in authentication through the cryptographic

signatures that are linked to a DID.

Although there are many efforts underway

(according to existing surveys) to provide education

and skills digitisation and veriﬁcation in conjunction

with DLTs (Hameed et al., 2019; Yumna et al.,

2019), very few of them aim towards the DID

and VC standards and very few of them utilise

the same standards-based roles terminology in their

descriptions. One project that stood out in terms

of alignment with the mentioned standards and the

IMS OB data schema speciﬁcation (Labs, 2019), was

Blockcerts by Massachusetts Institute of Technology

(MIT) Media Labs, which has submitted a proposal

(Ronning and Chung, 2019) towards alignment and

compliance.

Another project that stood out is the Blockchain

for Education platform deﬁned by (Gräther et al.,

2018) because they incorporated the IMS OB data

schema within their implementation. Also notable

was the requirements they gathered through real-

world surveys which identify role-players within the

more traditional macro-credential setting as well as

components for DLT inclusion.

3.4 Selective Disclosure

Recent data regulations require PbD and user centric

data access control, which can be addressed by

incorporating selective disclosure into the design.

Selective disclosure is also related to the concept of

generating a subset of the ﬁelds within a particular

attestation or credential that claims something about

a subject. In W3C terminology, this is referred to

as a veriﬁable presentation. Because information can

be easily copied from one hard-drive to another, it is

more secure to generate a view or presentation of the

data and to minimise the amount of information that

gets disclosed.

There seem to exist two methodologies to achieve

selective disclosure to the best of our knowledge.

One is to use a zero-knowledge proof as described

in (Sonnino et al., 2018) and the other is to pack

the information into a Merkle tree data structure

as described in (Patka, 2019). Zero-knowledge

proof cryptography is iterative and asymptotically

approaches the certainty that a claim is valid without

revealing the actual knowledge or information itself,

and care should be taken to ensure that computational

efﬁciency is not compromised that the system’s

performance remains sufﬁcient. Merkle tree proofs

reveal and expose a subset of the VC to the veriﬁer,

but is more computationally efﬁcient.

4 DISCUSSION

Standardisation is required to achieve the urgently

required and international credentialling system

described by (Chakroun and Keevy, 2018). What we

found missing in existing DLT-based credentialling

systems are the alignment with current internet

identity and credentialling standards. These standards

relate to the concept of Self Sovereign Identity

(SSI) and provide a censorship resistant alternative

to current e-mail or password-based identity. The

ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

254

following lists are an attempt to relate the components

and actors deﬁned by (Gräther et al., 2018) and shown

in Figure 2 to the concepts deﬁned in the W3C DID

and VC speciﬁcations and standards where actors can

instead be identiﬁed by their own persistent and life-

long identity or DID:

Figure 2: Blockchain for Education architecture (Gräther

et al., 2018).

• issuer - Accreditation Authority (AA) which is

identiﬁed by a quorum of authoritative entities

(multiple DIDs), issues a credential to the

authority at the next level down the hierarchy (see

Figure 3). This authorisation credential could

contain a multi-signature or threshold signature

(Hwang and Chang, 2005). The signature’s hash

is calculated which the AA timestamps on the

DLT so that anyone that looks up any k of n

total signer DIDs (Gräther et al., 2018), and their

associated public keys, can verify the authenticity

and temporal or historic issuance.

• issuer - Certiﬁcation Authority (CA) issues a

certiﬁcate to the Certiﬁer (MOOC or academic

institution) and stores the hash of this certiﬁcate

on the DLT. This certiﬁcate could also be veriﬁed

by the learner in a similar way, except for using

only a single DID and public key associated with

the Certiﬁer.

• issuer - Certiﬁer which issues and signs the

academic credentials achieved by the learner and

timestamps its unique hash on the DLT.

• subject - Learners or certiﬁcate recipients that

can present their DID to the employer or

perhaps include a barcode or QR-code on their

Curriculum Vitae (CV) that resolves to their

DID and consequently their credentials under

cryptographic conditions.

• veriﬁer(s) - Employers that can resolve the

learner’s DID and DID document which contains

the same hash that is veriﬁed against the hash

that was stored on the DLT by the Certiﬁer. This

temporal integrity check includes the learner and

issuing institutions DID associated asymmetric

cryptographic signatures which could also be

veriﬁed.

Figure 3: Blockchain for Education Identity Hierarchy

(Gräther et al., 2018).

From the aforementioned list in conjunction with

Figure 3, it is shown that there are three layers of

issuers in the identity hierarchy. The information

formats associated with the DIDs are as follows:

• DID Document - CA Proﬁle Information and

associated public key(s) used to establish a secure

communications channel with a system actor.

• Veriﬁable Credential (VC) - Learner certiﬁcate or

macro-credential or micro-credential information

with attached cryptographic proofs such as

signatures.

Entities that hold and persist information related

to the actors:

• holder - Document Management System in this

instance is centralised and could be further

decentralised by a DID document that resolves

to one or more VC, stored in an encrypted

distributed vault.

• holder - Distributed File System relates to

a storage mechanism that holds any public

information such as the DID document which

holds actors’ public keys that establish a secure

communications channel between actors.

Both the Blockcerts and Blockchain for Education

platforms store only the hash of the claims

or credentials on a blockchain, which makes

sense from a privacy and GDPR compliance

perspective where the blockchain merely acts as a

temporal (immutable event history) and authenticity

veriﬁcation mechanism. This also limits the overuse

of blockchain storage capacity since it is a form

of public utility in the permissionless DLT setting.

Both implementations currently use public keys

Towards Academic and Skills Credentialing Standards and Distributed Ledger Technologies

255

as identiﬁers showing scope for DID inclusion as

proposed in (Ronning and Chung, 2019), because

their "strictly hierarchical" identity architecture is

prone to a single point of compromise at the AA

(Gräther et al., 2018).

Another notable system proposed by (Gresch

et al., 2019) is focussed to suit speciﬁc needs

of the University of Zurich (UZH). It does not

introduce any form of standardisation across other

educational entities to bring them in alignment.

Particularly since various organisations are now

exploring standardisation to enable interoperability

of technologies and improvements in identity. The

lack in alignment with standards is concerning, since

standards could prove very helpful, i.e. harmonizing

terminology and deﬁnitions used, minimising

redundancy, etc. What we have found valuable was

the overlap in requirements from (Gresch et al.,

2019) and (Gräther et al., 2018) which will be used

in the second DSR iteration to consolidate lower

level requirements for further analysis and particular

technology selection.

5 CONCLUSION AND FUTURE

WORK

This research has focussed on the required technical

components, standardisation efforts and data schema

speciﬁcations that are currently underway, and how

they relate to the use of DLTs in education and skills

credentialling. DLTs provide a single source of truth

that could bring international education authorities in

alignment with each other and aid in standardisation

and auditability across ecosystem players while

automating credential veriﬁcation processes. DLT

could solve the data proliferation problem where

information systems currently have duplicate data that

operate in centralised and mostly isolated silos.

Technological components are discussed that are

required to achieve the end goal of digitising,

consolidating, authenticating and persisting all

attested knowledge and achieved skills alongside a

life-long persistent identity. Current prototypes that

align with required technologies and that use DLT in

education credentialling are identiﬁed and mapped to

the W3C emerging standard terminologies and will

serve as a starting architecture towards implementing

a credential and skills tracking system that complies

with current data privacy laws within our research

and development group. The next phase in this DSR

process is to consolidate speciﬁc requirements from

literature and assess DID compliant DLTs in terms of

their ability to satisfy these requirements.

Some problems cannot be solved by technologies

such as DLTs and cryptography until a widespread

agreement is reached around how skills and

knowledge can be recognised and quantiﬁed through

frameworks to enable skills matching to the market

need as well as matching the make-up of traditional

macro-credentials through standardisation. One

example effort in this regard is the Competencies

and Academic Standards Exchange® (CASE®)

from the IMS global learning consortium and its

associated competency framework tool: OpenSALT.

Further analysis and comparison are required between

competency measurement frameworks such as:

• World Reference Levels (WRL) from the United

Nations Educational, Scientiﬁc and Cultural

Organisation (UNESCO).

• European Qualiﬁcations Framework (EQF)

from the European Quality Assurance Register

(EQAR) and the European Association for

Quality Assurance in Higher Education (ENQA).

• National Qualiﬁcations Framework (NQF) from

the Department of Higher Education & Training

(DHET) in South Africa.

• Connecting Credentials from the Lumina

Foundation in the United States of America

(USA).

Notably, the South African Qualiﬁcations

Authority (SAQA) has begun an initiative to align

the WRLs with the South African NQF but it is

still unclear how far they have progressed (Jaftha

and Samuels, 2017; South African Qualiﬁcations

Authority (SAQA), 2018). The accreditation bodies

that have implemented the listed frameworks could

form the issuer hierarchy from Figure 3 or an

accreditation group. If at least the issuer, subject and

veriﬁer entities from Figure 2 are each assigned a

DID, the signature issuance hierarchy from Figure 2

could be replaced with a multi-signature or threshold

signature strategy to form a ﬂat or ring structure of

signatures where anyone with a DID could verify the

issued credentials.

One concern from an implementation perspective

is the amount of DID document resolutions that

might be induced when implementing such a system

and ensuring that the servers that host such digital

documents are always available. Each DID and

document lookup results in a communications call

to a server, and care has to be taken during design

time to keep DID document resolutions/lookups to a

minimum.

ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy

256

REFERENCES

ITU (2019). Distributed ledger technology use cases.

Technical Report FG DLT D2.1, International

Telecommunication Union (ITU).

Chakroun, B. and Keevy, J. (2018). Digital credentialing:

Implications for the recognition of learning across

borders.

Consortium, I. G. L. (2018a). Open badges baking

speciﬁcation: Ims ﬁnal release. Accessed: 2018-04-

12.

Consortium, I. G. L. (2018b). Open badges v2.0: Ims ﬁnal

release. Accessed: 2018-04-12.

DLA Piper (2017). Data protection laws of the world, full

handbook.

Faridi, O. (2020). Establishing proper standards is key

to ensuring blockchain or dlt sector moves forward:

Report.

Gräther, W., Kolvenbach, S., Ruland, R., Schütte, J.,

Torres, C., and Wendland, F. (2018). Blockchain

for education: Lifelong learning passport. European

Society for Socially Embedded Technologies

(EUSSET), 2(10).

Gray, P. (2008). A brief history of education: To understand

schools, we must view them in historical perspective.

Gresch, J., Rodrigues, B., Scheid, E., Kanhere, S. S., and

Stiller, B. (2019). The proposal of a blockchain-based

architecture for transparent certiﬁcate handling. In

Business Information Systems Workshops, pages 185–

196. Springer International Publishing.

Hameed, B., Murad, M., Noman, A., Javed, M., Ramzan,

M., Ashfaq, F., Usman, H., and Yousaf, M. (2019).

A review of blockchain based educational projects.

International Journal of Advanced Computer Science

and Applications, 10(10).

Hevner, A. and Chatterjee, S. (2010). Design Research in

Information Systems. Springer US.

Hwang, M.-S. and Chang, T.-Y. (2005). Threshold

signatures: Current status and key issues.

International Journal of Network Security, 1.

Jaftha, C. and Samuels, J. (2017). World Reference Levels:

A global learning outcomes initiative to promote

recognition of learning. Accessed: 2017-09-28.

Labs, M. M. (2019). Blockcerts:the Open Standard

for Blockchain Credentials, Standards Alignment.

Accessed: 2019-11-19.

Otto, N., Duffy, K. H., Singh, K., and Aoqui, L.

G. F. (2018). Open badges are veriﬁble credentials.

Accessed: 2018-03-06.

Otto, N., Lee, S., Sletten, B., Burnett, D., Sporny, M.,

and Ebert, K. (2019). Veriﬁable credentials use

cases: W3C working group note 24 september 2019.

Accessed: 2019-09-24.

Patka, I. (2019). How share kit works: A guide to secure

data sharing. Accessed: 2019-06-14.

Raul, A. C., Faircloth, F. E., Mohan, V. K., and Brown, S.

(2017). The privacy, data protection and cybersecurity

law review. Publication, Law Business Research Ltd.

Reed, D., Sporny, M., Longley, D., Allen, C., Grant, R.,

Sabadello, M., and Holt, J. (2020). Decentralized

identiﬁers (DIDs) v1.0: Core architecture, data model,

and representations. Accessed: 2020-05-29.

Ronning, A. and Chung, W. W. (2019). Blockcerts V3

Proposal: A white paper from Rebooting the Web of

Trust IX. Accessed: 2019-11-19.

Sonnino, A., Al-Bassam, M., Bano, S., and Danezis,

G. (2018). Coconut: Threshold issuance selective

disclosure credentials with applications to distributed

ledgers. Computing Research Repository (CoRR),

abs/1802.07344.

South African Qualiﬁcations Authority (SAQA) (2018).

Annual performance plan for 2019/20. Accessed:

2019-10-25.

Sporny, M., Longley, D., and Chadwick, D. (2019).

Veriﬁable credentials data model 1.0: Expressing

veriﬁable information on the web. Accessed: 2019-

11-09.

The Mozilla Foundation, Peer 2 Peer University, and The

MacArthur Foundation (2012). Open badges for

lifelong learning.

Yumna, H., Khan, M. M., Ikram, M., and Ilyas, S.

(2019). Use of blockchain in education: A

systematic literature review. In Intelligent Information

and Database Systems, pages 191–202. Springer

International Publishing.

Towards Academic and Skills Credentialing Standards and Distributed Ledger Technologies

257