# 1 - swiyu Signup and Exploration

The goal of this exercise is to understand the objectives of the swiyu E-ID project, as well as how it works in a pragmatic way.

**Security**: All involved parties depend on cryptographic guarantees that credentials cannot be tampered with.  
**Decentralized storage**: Issued credentials live only in the holder’s wallet — no copies are stored elsewhere.  
**Holder-binding**: Even if credentials are copied, they cannot be used by anyone other than the rightful holder.

Overview:

1. Installing the swiyu app  
2. Get a Beta Government E-ID  
3. Create an "E-ID HoW" Credential  
4. Verify your Credential  
5. Inspect Logs  
6. Analyze Logs  
7. Linkability of Multiple Presentations

## 1.1 – Install the swiyu App

The swiyu wallet app is a key component of the E-ID ecosystem. It securely stores credentials issued by various authorities and enforces holder-binding so they cannot be used elsewhere. By adhering to the swiyu specification, the wallet interoperates seamlessly with any issuer or verifier following the same standard.

Please install the version that suits your device:

- Android: https://play.google.com/store/apps/details?id=ch.admin.foitt.swiyu&hl=en&pli=1  
- iOS: https://apps.apple.com/ch/app/swiyu/id6737259614

During the installation, the app will ask you if you want to install the `Beta ID`.
You can answer `Yes`, and go to 1.2.

### Discussion Points

- What is the primary purpose of the swiyu app?  
- What security guarantees does it provide?

## 1.2 - Get a Beta Government E-ID

The swiyu ecosystem supports all types of verifiable credentials. 
However, at the center of everything, there needs to be an E-ID: a root verifiable credential that proves your identity.

The swiyu team has developed a Beta-ID verifiable credential that you can create to test the workflow.

Create your Beta-ID here, if you didn't click on `Yes` when the app asked you about installing the `Beta-ID`:

![QRCode for Beta-ID](attachment:5bb7df37-95f3-4867-963f-c7ff0882e6e6.png)

https://www.bcs.admin.ch/bcs-web/#/beta-id/create

### Discussion Points

- How does this relate to the “real” E-ID?
- Where is each piece of data stored?

## 1.3 – Create an E-ID “HoW” Credential

With your Beta-ID, you can prove your identity to our test page, which will then issue a new credential confirming your attendance of the E-ID HoW workshop.

- The swiyu base registry and trust registry validate that C4DT is a trusted issuer and verifier.  
- The issued credential follows the SD-JWT VC standard and is holder-bound to your wallet.  
- The app's UX clearly indicates verified issuers and verifiers.

During the registration, you will see the steps and messages sent between our issuer and your device on the right.
Look at the messages to understand what is communicated when.

**Base & Trust Registries**  
These registries store DID documents for issuers and verifiers, including public keys and identifiers, and other metadata that enriches the user experience.

Steps:

1. Go to https://eid.c4dt.org and open the **Issuer** section.  
2. Verify your identity using your Beta-ID.  
3. Issue the workshop attendance credential (you’ll set your own “grade” field).  
4. Receive the new credential in your wallet.

![https://eid.c4dt.org](attachment:83c40a9b-84fb-412d-b08f-b953268d3bee.png)

https://eid.c4dt.org

### Discussion Points

- How is the Beta-ID linked to the “HoW” credential?  
- Which messages are exchanged between wallet and issuer?  
- How is the issuer configured and certified?  
- How does the issuer verify the Beta-ID’s validity?  



## 1.4 – Verify Your Credential

Now we act as a verifier, e.g., a company, requesting proof of workshop attendance.

- swiyu supports selective disclosure (SD): verifiers request only the necessary fields, and holders choose what to disclose.

Verify your credential here:  

![https://eid.c4dt.org/verifier/verify](attachment:1a55a123-86df-46f1-bc10-6b09f88805f5.png)

https://eid.c4dt.org/verifier/verify

### Discussion Points

- Which messages are exchanged between wallet and verifier?  
- If credentials are unlinkable, under what conditions does the presentation remain unlinkable?
- Look how the data changes if you disclose one or more fields
- What changes in the data if you disclose the same field twice? 

## 1.5 – Inspect Logs

At https://eid.c4dt.org/logs you can view interactions between wallet and services. These follow the OID4VC and OID4VP specifications, enabling easy integration but also exposing message flows to potential observers. Cryptographic guarantees and holder-binding prevent misuse by any third party.

**Task**  
Locate the logs for your VC presentation (the request your wallet made when you scanned the QR code to verify your credential).

**Tips**  
- Look for the timestamp of your request.  
- Find sections preceded by `=== REQUEST BODY ===` and `=== RESPONSE BODY ===`.

### Discussion Points

- Who can see these messages?  
- What would a man-in-the-middle observe on an unsecured Wi-Fi network?  

## 1.6 - Analyze Logs

Hopefully you’ve found the logs specific to your requests, but they’re all encoded. To decode them, follow these steps:

1. URL-decode the presentation (e.g., using Python).  
2. Extract the encoded VC presentation from the request body.  
3. Decode it at https://www.sdjwt.co/decode.  
4. Identify the various data types contained.

### Discussion Points

- Which fields could link multiple presentations?  
- How does selective disclosure secure data?  
- Why can't low-entropy fields (e.g., postal codes) be guessed?
- Why is the base64 decoding of the presentation token failing?

In [None]:
# Use a python url parser to decode the url-encoded string you've found.
from urllib.parse import parse_qs
from base64 import b64decode

url_encoded = "presentation_submission=%7B%22id%22%3A%22B502AC04-0D29-4091-A219-95DB89844B6C%22%2C%22descriptor_map%22%3A%5B%7B%22id%22%3A%224ac0a851-464f-4714-9b2f-0480865a0799%22%2C%22format%22%3A%22vc%2Bsd-jwt%22%2C%22path%22%3A%22%24%22%7D%5D%2C%22definition_id%22%3A%224ac0a851-464f-4714-9b2f-0480865a0799%22%7D&vp_token=eyJ2ZXIiOiIxLjAiLCJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2NC04ZGViOThjZTNmNjMjYXV0aC1rZXktMDEifQ.eyJfc2QiOlsiOGM5cjFHdjVxcGVNU0xPbGxvQUV4N1V3N3dZaDBmenFHajRvWW82eTNHOCIsIjlRVTFoU05UQnVwSS1oSy1LYWEyTThvVUtqRUlEMHVJbFkyMmZGeWMzTHciLCJTaUdHNDkzdVcwYWFfbngwVHo5aVdOZTJMRnBhQko1cVRWX2gyNzlfR1ZBIiwiaWtpbVJoYTBpRjhyNGpqTUdUV0lyNjF6X0tFcFdKaTVYWno2UmVxNmI4byIsImpHaGR0S3RNZHF5U1pwM0FrcnNBVGtIQnhobkFCblBpN3B5a3phWGZETjAiLCJwQ3NMQ1FsVFlaeU5YSmpSbmdHX04wTE9PQl9mRVVZZHA2aXR2MmdmRUhNIiwiczhiNlhUU3NzWjU3Z0xJLWZELWRnLVlxVTc2d3h2LVFjYUF3UmxXNFVzUSJdLCJuYmYiOjE3NTA4ODg4MDAsInZjdCI6ImUtaWQtaG93LTA2LTIwMjUiLCJfc2RfYWxnIjoic2hhLTI1NiIsImlzcyI6ImRpZDp0ZHc6UW1YOW83QWJuSktaTVVNaG9YS0VIemtjSEg4bUd3aXdneFpGYzlyRndIRmlzbTppZGVudGlmaWVyLXJlZy50cnVzdC1pbmZyYS5zd2l5dS1pbnQuYWRtaW4uY2g6YXBpOnYxOmRpZDo5NWRmMjE4ZC0zMGNmLTRiZjMtYTg2NC04ZGViOThjZTNmNjMiLCJjbmYiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJtd2ZGVVNtUU5zVC1tRUtud3A5Qk1ZeXpScklrNnpGLWJZTEUwdjg5VE9FIiwieSI6IjBGNjRoSXRDREhmSUZNbGxWZ0x2SGVnalhTVnowUTBHN3BuRGlOZHBiZWsifSwiZXhwIjoxODkzNTI1ODA0LCJpYXQiOjE3NTA5Mzg5NjR9.6UaMztSUcsYMtqShhKOCCtIf83NK2xXJLGdM5XNgs7KJj3aSYnITBaPjaN3oHpIedsTy38qBTGbXs2vJhZilAA~WyJ5WHVTenRULVAza2xUeFlPc2J4QWJBIiwiZGVncmVlIiwiIl0~WyJCVGtRSnFiR2hkQUE3eTAzSmx2TFBRIiwiYmlydGhEYXRlIiwiMTk4OC0wNi0xOSJd~eyJ0eXAiOiJrYitqd3QiLCJhbGciOiJFUzI1NiIsImp3ayI6eyJ5IjoiMEY2NGhJdENESGZJRk1sbFZnTHZIZWdqWFNWejBRMEc3cG5EaU5kcGJlayIsImt0eSI6IkVDIiwieCI6Im13ZkZVU21RTnNULW1FS253cDlCTVl5elJySWs2ekYtYllMRTB2ODlUT0UiLCJjcnYiOiJQLTI1NiJ9fQ.eyJpYXQiOjE3NTA5NDEyNzkuODU4ODQ0LCJzZF9oYXNoIjoiNEtBRDBtLU9EaWhmc2p3YlpvS3lhNWJDbEwweWozN1pMQ1g1SGt0dElyTSIsImF1ZCI6IkVERTk4QUQ2LTBEQTktNDdFNC1BMUNGLTc0QjE0QzFEQThCQiIsIm5vbmNlIjoiSmJFd0dFUUFwQVo0WlZHTWNHNTZRSFBSRld6RFV6aDcifQ.GTKynEYSUtsL2LuJy5CaLMAHFsqJa_w0ypKA_hClM-q4TBoqvpkxRn69BpOzyfVoi1ptOywdZxdD0rGpw7IeHw"
decoded_verification = parse_qs(url_encoded)
decoded_verification

vp_token = decoded_verification["vp_token"][0]
print(f"Base64 encoded VP Token is:", vp_token)

print(f"Decoded VP Token:", b64decode(vp_token[0:-(len(vp_token)%4)-1]))

## 1.7 – Linkability of Multiple Presentations

We now test whether a verifier can correlate presentations from the same holder.

1. Perform multiple verifications on the C4DT verifier page, disclosing only your degree.  
2. Extract and decode each VC presentation token.  
3. Compare them to assess linkability.

### Discussion Points

- What makes unlinkability difficult given the fields shared?  
- Which fields can be disclosed while preserving anonymity?  
- Compare with peers: which fields remain constant?  
- What simple measure could reduce linkability?  