# 1 - Swiyu Signup and Exploration

The goal of this exercise is to understand the objectives of the swiyu E-ID project, as well as how it works in a pragmatic way.

**Security**: All involved parties depend on cryptographic guarantees that credentials cannot be tampered with.  

**Decentralized storage**: Issued credentials live only in the holder’s wallet—no copies are stored elsewhere.  
**Holder-binding**: Even if credentials are copied, they cannot be used by anyone other than the rightful holder.

Overview:

1. Installing the swiyu app  
2. Get a Beta Government E-ID  
3. Create an "E-ID HoW" Credential  
4. Verify your Credential  
5. Inspect Logs  
6. Analyze Logs  
7. Linkability of Multiple Presentations

## 1.1 – Install the Swiyu App

The Swiyu wallet app is a key component of the E-ID ecosystem. It securely stores credentials issued by various authorities and enforces holder-binding so they cannot be used elsewhere. By adhering to the Swiyu specification, the wallet interoperates seamlessly with any issuer or verifier following the same standard.

Please install the version that suits your device:

- Android: https://play.google.com/store/apps/details?id=ch.admin.foitt.swiyu&hl=en&pli=1  
- iOS: https://apps.apple.com/ch/app/swiyu/id6737259614

### Discussion Points

- What is the primary purpose of the Swiyu app?  
- What security guarantees does it provide?  

## 1.2 - Get a Beta Government E-ID

The swiyu ecosystem supports all types of verifiable credentials. However, at the center of everything, there needs to be an E-ID: a root verifiable credential that proves your identity.

The swiyu team has developed a Beta-ID verifiable credential that you can create to test the workflow.

Create your Beta-ID here:  
https://www.bcs.admin.ch/bcs-web/#/beta-id/create

### Discussion Points

- How does this relate to the “real” E-ID?  
- Where is each piece of data stored?  


## 1.3 – Create an E-ID “HoW” Credential

With your Beta-ID, you can prove your identity to the C4DT website, which will then issue a new credential confirming your attendance of the E-ID HoW workshop.

- The issued credential follows the SD-JWT VC standard and is holder-bound to your wallet.  
- The Swiyu base registry and trust registry validate that C4DT is a trusted issuer and verifier.  
- The app’s UX clearly indicates verified issuers and verifiers.

**Base & Trust Registries**  
These registries store DID documents for issuers and verifiers, including public keys and identifiers, and other metadata that enriches the user experience.

Steps:

1. Go to https://eid.c4dt.org and open the **Issuer** section.  
2. Verify your identity using your Beta-ID.  
3. Issue the workshop attendance credential (you’ll set your own “grade” field).  
4. Receive the new credential in your wallet.

### Discussion Points

- How is the Beta-ID linked to the “HoW” credential?  
- Which messages are exchanged between wallet and issuer?  
- How is the issuer configured and certified?  
- How does the issuer verify the Beta-ID’s validity?  



## 1.4 – Verify Your Credential

Now we act as a verifier—e.g., a company—requesting proof of workshop attendance.

- Swiyu supports selective disclosure (SD): verifiers request only the necessary fields, and holders choose what to disclose.

Verify your credential at:  
https://eid.c4dt.org/verifier/verify

### Discussion Points

- Which messages are exchanged between wallet and verifier?  
- If credentials are unlinkable, under what conditions does the presentation remain unlinkable?  

## 1.5 – Inspect Logs

At https://eid.c4dt.org/logs you can view interactions between wallet and services. These follow the OID4VC and OID4VP specifications, enabling easy integration but also exposing message flows to potential observers. Cryptographic guarantees and holder-binding prevent misuse by any third party.

**Task**  
Locate the logs for your VC presentation (the request your wallet made when you scanned the QR code to verify your credential).

**Tips**  
- Look for the timestamp of your request.  
- Find sections preceded by `=== REQUEST BODY ===` and `=== RESPONSE BODY ===`.

### Discussion Points

- Who can see these messages?  
- What would a man-in-the-middle observe on an unsecured Wi-Fi network?  

## 1.6 - Analyze Logs

Hopefully you’ve found the logs specific to your requests, but they’re all encoded. To decode them, follow these steps:

1. URL-decode the presentation (e.g., using Python).  
2. Extract the encoded VC presentation from the request body.  
3. Decode it at https://www.sdjwt.co/decode.  
4. Identify the various data types contained.

### Discussion Points

- Which fields could link multiple presentations?  
- How does selective disclosure secure data?  
- Why can’t low-entropy fields (e.g., postal codes) be guessed?  

In [22]:
# Use a python url parser to decode the url-encoded string you've found.
import urllib.parse
encoded_msg = "vp_token=eyJ2ZXIiOiIxLjAiLCJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2NC04ZGViOThjZTNmNjMjYXV0aC1rZXktMDEifQ.eyJfc2QiOlsiLTBWS0E0WFMzRHJGQmhZZWNvbGZoRU5pUnBzeE5JZHpnanBfcV9vSlFzdyIsIjUtUE1GSjdROWVxTWhCT185dHJJeldLZTFYOG1yNERVbkw5N1U5bzRYSWsiLCJRekc4UnF1b01hUEIwcVFkTWVTTjJES19wTEg5a0tPNzhGYUtGWmhESWcwIiwiUnZMdW9QLVFCZGd2anpJX1U3Mnl1QXJwbU9jS3BXQ29SbkJqLTJ4My1aRSIsIlh5ZFZIaXpuaTk1RjhXU3JodFJwYWF3bEY4eEVIT2Y0NjU1UzhBcU9RTE0iLCJiUWR6aXUyNnRZeTdOcHMxWk5ual9GMWpmakRQNk1yNXd6N1BxOUwzb1JFIiwiekFIcTNoeDdNdUU2N3BxYU0zSmFrbEc4b1gwOXZ3QjI5OWlZTWlySVlwayJdLCJuYmYiOjE3NTA4MDI0MDAsInZjdCI6ImUtaWQtaG93LTA2LTIwMjUiLCJfc2RfYWxnIjoic2hhLTI1NiIsImlzcyI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2NC04ZGViOThjZTNmNjMiLCJjbmYiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJZVGh4R054ZHIwWVJpd3ZLc0pyaHo4ZFh5YzdUQWdpem1kMHczU0d5Zi13IiwieSI6ImNfLTdtenNKNWhzX0JNa2VMbk5Hbk94b0xfOUVTUURPN0VvVFBBVnl6clEifSwiZXhwIjoxODkzNTI1ODA0LCJpYXQiOjE3NTA4NTE4MDB9.zKk3huO8gpKQRB7qJRAZUHEXwqG4jFoBIdAorusQHgpekGCg-wYK80FcCLCPRLY7abdai-3FruOWBV668NZziQ~WyJsZld6QTVJWWx6NE8xMTNWbERqYzhRIiwiZmlyc3ROYW1lIiwiSGVsdmV0aWEiXQ~WyI4N0JCcGpuX1pfRXE4RVNuTDhpSGdnIiwibGFzdE5hbWUiLCJOYXRpb25hbCJd~WyI4aVF2MWV3dW90bldXazVtdWFsUXBnIiwiZGVncmVlIiwiIl0~eyJ0eXAiOiJrYitqd3QiLCJhbGciOiJFUzI1NiJ9.eyJzZF9oYXNoIjoieUJ5bDg2dUd6V2VNM0JSSW9BQ0pLNlc5NmNZQlFDOVZhMjE2bWVWV2ZzUSIsImF1ZCI6Imh0dHBzOi8vZWlkLmM0ZHQub3JnL29pZDR2cC9hcGkvdjEvcmVxdWVzdC1vYmplY3QvY2Y5MjNkNjgtZWM1Yy00ZDk4LTg4MTMtNjY2ODk3MjIyZWYwL3Jlc3BvbnNlLWRhdGEiLCJub25jZSI6IjJacEE5ZXZUT1ppNldINUZrYnFSb2ExMnAyRm0zdkwwIiwiaWF0IjoxNzUwODUxODIwfQ.bKtTCbKj6WrTP0gQCnTpbt4MhRg89Ixr9i2VOPdjL6744NzCXYqGf6NrjI-YvpEqj7XhtevUCU36V7fsrVh14g&presentation_submission=%7B%22definition_id%22%3A%224ac0a851-464f-4714-9b2f-0480865a0799%22%2C%22descriptor_map%22%3A%5B%7B%22format%22%3A%22vc%2Bsd-jwt%22%2C%22id%22%3A%224ac0a851-464f-4714-9b2f-0480865a0799%22%2C%22path%22%3A%22%24%22%7D%5D%2C%22id%22%3A%2246aa0c1c-bccb-4dc2-9e68-bd080b4e46a6%22%7D"
decoded_verification = urllib.parse.parse_qs(encoded_msg)

vc_presentation_jwt_token = decoded_verification["vp_token"][0]
vc_presentation_jwt_token  # This output is a SD-JWT VC token that can be decode using the decoder link shared above

'eyJ2ZXIiOiIxLjAiLCJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2NC04ZGViOThjZTNmNjMjYXV0aC1rZXktMDEifQ.eyJfc2QiOlsiLTBWS0E0WFMzRHJGQmhZZWNvbGZoRU5pUnBzeE5JZHpnanBfcV9vSlFzdyIsIjUtUE1GSjdROWVxTWhCT185dHJJeldLZTFYOG1yNERVbkw5N1U5bzRYSWsiLCJRekc4UnF1b01hUEIwcVFkTWVTTjJES19wTEg5a0tPNzhGYUtGWmhESWcwIiwiUnZMdW9QLVFCZGd2anpJX1U3Mnl1QXJwbU9jS3BXQ29SbkJqLTJ4My1aRSIsIlh5ZFZIaXpuaTk1RjhXU3JodFJwYWF3bEY4eEVIT2Y0NjU1UzhBcU9RTE0iLCJiUWR6aXUyNnRZeTdOcHMxWk5ual9GMWpmakRQNk1yNXd6N1BxOUwzb1JFIiwiekFIcTNoeDdNdUU2N3BxYU0zSmFrbEc4b1gwOXZ3QjI5OWlZTWlySVlwayJdLCJuYmYiOjE3NTA4MDI0MDAsInZjdCI6ImUtaWQtaG93LTA2LTIwMjUiLCJfc2RfYWxnIjoic2hhLTI1NiIsImlzcyI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2

## 1.7 – Linkability of Multiple Presentations

We now test whether a verifier can correlate presentations from the same holder.

1. Perform multiple verifications on the C4DT verifier page, disclosing only your degree.  
2. Extract and decode each VC presentation token.  
3. Compare them to assess linkability.

### Discussion Points

- What makes unlinkability difficult given the fields shared?  
- Which fields can be disclosed while preserving anonymity?  
- Compare with peers: which fields remain constant?  
- What simple measure could reduce linkability?  