# 1 - Swiyu Signup and Exploration

The goal of this exercise is to understand the objectives of the swiyu E-ID project, as well as how it works in a pragmatic way.

**Security**: All involved parties depend on cryptographic guarantees that credentials cannot be tampered with.  

**Decentralized storage**: Issued credentials live only in the holder’s wallet—no copies are stored elsewhere.  
**Holder-binding**: Even if credentials are copied, they cannot be used by anyone other than the rightful holder.

Overview:

1. Installing the swiyu app  
2. Get a Beta Government E-ID  
3. Create an "E-ID HoW" Credential  
4. Verify your Credential  
5. Inspect Logs  
6. Analyze Logs  
7. Linkability of Multiple Presentations

## 1.1 - Install the swiyu app

The swiyu wallet app is a key component of the E-ID ecosystem. It is where users store the credentials they obtain from different issuers. It is responsible for storing those credentials securely and helps ensure they can’t be used elsewhere through holder-binding. By following the swiyu specification, the wallet works with all issuers and verifiers adhering to the same standard.

Please install the wallet app version that suits your mobile phone:

a. https://play.google.com/store/apps/details?id=ch.admin.foitt.swiyu&hl=en&pli=1  
b. https://apps.apple.com/ch/app/swiyu/id6737259614

### Discussion Points
- What is the main usage of the swiyu app?  
- What security guarantees are provided?

## 1.2 - Get a Beta Government E-ID

The swiyu ecosystem allows us to create all types of verifiable credentials. However, at the center of everything, there needs to be an E-ID: a root verifiable credential that proves your identity.

The swiyu team has developed a Beta-ID verifiable credential that you can create to test the workflow.

Follow the link to create one now: https://www.bcs.admin.ch/bcs-web/#/beta-id/create

### Discussion Points

- How does this work with the "real" E-ID?  
- Which data is stored where?

## 1.3 - Create an E-ID HoW Credential

With a Beta-ID from the previous step, we can use it to prove our identity to the C4DT website, which will then issue a new verifiable credential confirming that you've attended this workshop.

The issued credential follows the SD-JWT VC standard in the swiyu specification, along with holder-binding to the wallet. At this stage, it's important to note that the swiyu base registry and trust registry come into play. These registries keep track of issuers and verifiers in the ecosystem, proving that C4DT is who it claims to be.

They also provide clear UX in the app, indicating that this issuer is verified and can be trusted.

**Base and Trust registries**: These registries hold the DID documents for issuers and verifiers and store additional information that enhances the user experience across different workflows. DID documents are identifying documents for issuers and verifiers, including their public keys and public identifiers.

Go to https://eid.c4dt.org and navigate to the Issuer section:  
a. The website will ask you to verify your identity first.  
b. It will then issue you a credential for attending the workshop.  
c. All data will be populated from the Beta-ID credential you verified, except for the grade – you will set that yourself.  
d. You will receive the credential in your wallet.

### Discussion Points

- How is the Beta-ID linked to the HoW credential?  
- Which messages are exchanged between the wallet and the issuer?  
- How is the issuer configured and certified?  
- How does the issuer verify the validity of the Beta-ID?

## 1.4 - Verify your Credential

The second part of this demo puts us in the shoes of a verifier who needs to obtain specific information from a verifiable credential. In our use case, this is a company verifying that an applicant has acquired certification of attendance at a C4DT workshop on E-ID.

The swiyu specification supports selective disclosure (SD), which means we can request only the parts of the verifiable credential that matter and allow the holder to negotiate which data they disclose to a specific party.

Go to https://eid.c4dt.org/verifier/verify to verify your newly acquired credential.

### Discussion Points

- Which messages are exchanged between the wallet and the verifier?  
- Supposing the credential is unlinkable, under what conditions is the presentation/verification also unlinkable?

## 1.5 - Inspect Logs

On https://eid.c4dt.org/logs, we’ve exposed a portion of the system logs—specifically all interactions between the wallet and various services. These interactions follow the OID4VC and OID4VP specifications, which make integration into the ecosystem straightforward but also expose the communication to a man-in-the-middle observer. However, thanks to strong cryptographic guarantees, including holder-binding, these VCs cannot be used by any other party.

Use this section to locate your logs and identify the important parts.

**Task**  
Go to https://eid.c4dt.org/logs and look for the entries that match your VC presentation (the request your wallet sends when you scan the QR code to verify your newly acquired VC).

### Tips to Find Your Logs

Find your specific VC presentation request in the logs. Hint: look for the:  
a. Timestamp – when you made the request  
b. Request content preceded by `=== REQUEST BODY ===`  
c. Response content preceded by `=== RESPONSE BODY ===`

### Discussion Points

- Who can see these messages?  
- What will a man-in-the-middle see, e.g., on an unsecured WiFi connection?

## 1.6 - Analyze Logs

Hopefully you’ve found the logs specific to your requests, but they’re all encoded. To decode them, follow these steps:

1. The presentation is URL-encoded; decode it first (e.g., with Python).  
2. In the decoded request body, locate the encoded VC presentation.  
3. Use https://www.sdjwt.co/decode to decode the presentation.  
4. Identify the different types of information stored there.

### Discussion Points

- Which parts could be used to link two presentations?  
- Observe how selective disclosure works when revealing different parts of your credential:  
  - How is the data secured?  
  - Why isn’t it possible to guess low-entropy entries like the postal code?

In [22]:
# Use a python url parser to decode the url-encoded string you've found.
import urllib.parse
encoded_msg = "vp_token=eyJ2ZXIiOiIxLjAiLCJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2NC04ZGViOThjZTNmNjMjYXV0aC1rZXktMDEifQ.eyJfc2QiOlsiLTBWS0E0WFMzRHJGQmhZZWNvbGZoRU5pUnBzeE5JZHpnanBfcV9vSlFzdyIsIjUtUE1GSjdROWVxTWhCT185dHJJeldLZTFYOG1yNERVbkw5N1U5bzRYSWsiLCJRekc4UnF1b01hUEIwcVFkTWVTTjJES19wTEg5a0tPNzhGYUtGWmhESWcwIiwiUnZMdW9QLVFCZGd2anpJX1U3Mnl1QXJwbU9jS3BXQ29SbkJqLTJ4My1aRSIsIlh5ZFZIaXpuaTk1RjhXU3JodFJwYWF3bEY4eEVIT2Y0NjU1UzhBcU9RTE0iLCJiUWR6aXUyNnRZeTdOcHMxWk5ual9GMWpmakRQNk1yNXd6N1BxOUwzb1JFIiwiekFIcTNoeDdNdUU2N3BxYU0zSmFrbEc4b1gwOXZ3QjI5OWlZTWlySVlwayJdLCJuYmYiOjE3NTA4MDI0MDAsInZjdCI6ImUtaWQtaG93LTA2LTIwMjUiLCJfc2RfYWxnIjoic2hhLTI1NiIsImlzcyI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2NC04ZGViOThjZTNmNjMiLCJjbmYiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJZVGh4R054ZHIwWVJpd3ZLc0pyaHo4ZFh5YzdUQWdpem1kMHczU0d5Zi13IiwieSI6ImNfLTdtenNKNWhzX0JNa2VMbk5Hbk94b0xfOUVTUURPN0VvVFBBVnl6clEifSwiZXhwIjoxODkzNTI1ODA0LCJpYXQiOjE3NTA4NTE4MDB9.zKk3huO8gpKQRB7qJRAZUHEXwqG4jFoBIdAorusQHgpekGCg-wYK80FcCLCPRLY7abdai-3FruOWBV668NZziQ~WyJsZld6QTVJWWx6NE8xMTNWbERqYzhRIiwiZmlyc3ROYW1lIiwiSGVsdmV0aWEiXQ~WyI4N0JCcGpuX1pfRXE4RVNuTDhpSGdnIiwibGFzdE5hbWUiLCJOYXRpb25hbCJd~WyI4aVF2MWV3dW90bldXazVtdWFsUXBnIiwiZGVncmVlIiwiIl0~eyJ0eXAiOiJrYitqd3QiLCJhbGciOiJFUzI1NiJ9.eyJzZF9oYXNoIjoieUJ5bDg2dUd6V2VNM0JSSW9BQ0pLNlc5NmNZQlFDOVZhMjE2bWVWV2ZzUSIsImF1ZCI6Imh0dHBzOi8vZWlkLmM0ZHQub3JnL29pZDR2cC9hcGkvdjEvcmVxdWVzdC1vYmplY3QvY2Y5MjNkNjgtZWM1Yy00ZDk4LTg4MTMtNjY2ODk3MjIyZWYwL3Jlc3BvbnNlLWRhdGEiLCJub25jZSI6IjJacEE5ZXZUT1ppNldINUZrYnFSb2ExMnAyRm0zdkwwIiwiaWF0IjoxNzUwODUxODIwfQ.bKtTCbKj6WrTP0gQCnTpbt4MhRg89Ixr9i2VOPdjL6744NzCXYqGf6NrjI-YvpEqj7XhtevUCU36V7fsrVh14g&presentation_submission=%7B%22definition_id%22%3A%224ac0a851-464f-4714-9b2f-0480865a0799%22%2C%22descriptor_map%22%3A%5B%7B%22format%22%3A%22vc%2Bsd-jwt%22%2C%22id%22%3A%224ac0a851-464f-4714-9b2f-0480865a0799%22%2C%22path%22%3A%22%24%22%7D%5D%2C%22id%22%3A%2246aa0c1c-bccb-4dc2-9e68-bd080b4e46a6%22%7D"
decoded_verification = urllib.parse.parse_qs(encoded_msg)

vc_presentation_jwt_token = decoded_verification["vp_token"][0]
vc_presentation_jwt_token  # This output is a SD-JWT VC token that can be decode using the decoder link shared above

'eyJ2ZXIiOiIxLjAiLCJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2NC04ZGViOThjZTNmNjMjYXV0aC1rZXktMDEifQ.eyJfc2QiOlsiLTBWS0E0WFMzRHJGQmhZZWNvbGZoRU5pUnBzeE5JZHpnanBfcV9vSlFzdyIsIjUtUE1GSjdROWVxTWhCT185dHJJeldLZTFYOG1yNERVbkw5N1U5bzRYSWsiLCJRekc4UnF1b01hUEIwcVFkTWVTTjJES19wTEg5a0tPNzhGYUtGWmhESWcwIiwiUnZMdW9QLVFCZGd2anpJX1U3Mnl1QXJwbU9jS3BXQ29SbkJqLTJ4My1aRSIsIlh5ZFZIaXpuaTk1RjhXU3JodFJwYWF3bEY4eEVIT2Y0NjU1UzhBcU9RTE0iLCJiUWR6aXUyNnRZeTdOcHMxWk5ual9GMWpmakRQNk1yNXd6N1BxOUwzb1JFIiwiekFIcTNoeDdNdUU2N3BxYU0zSmFrbEc4b1gwOXZ3QjI5OWlZTWlySVlwayJdLCJuYmYiOjE3NTA4MDI0MDAsInZjdCI6ImUtaWQtaG93LTA2LTIwMjUiLCJfc2RfYWxnIjoic2hhLTI1NiIsImlzcyI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2

## 1.7 - Linkability of Multiple Presentations

Having decoded the presentation, we now want to see if a verifier can correlate multiple verifications from the same holder.

1. Perform one or more verifications on the C4DT verifier page, requesting to selectively disclose only the degree.  
2. Extract the VC presentation tokens from the logs.  
3. Decode them using the decoder tool.  
4. Compare the tokens and assess how easily they can be linked, given that the verifier only requested your degree.

### Discussion Points

- What makes avoiding linkability difficult when considering the fields you share with the verifier?  
- Which fields can be revealed while maintaining anonymity?  
- Compare with your neighbors: which fields remain constant between two wallets?  
- What simple method could reduce linkability?