Issuers, Holders, and Verifiers
Digital identity systems are built around three key roles. These roles define who creates the credential, who owns it, and who verifies it.
Role 1: Issuer
The issuer is the trusted organization that creates and signs a digital credential.
The issuer digitally signs the credential so that any verifier can confirm it was issued by a trusted authority, without needing to contact the issuer at the time of verification.
Government
Driver's licenses and passports
Government agencies such as DMVs issue mobile driver's licenses using ISO/IEC 18013-5.
Education
Student IDs and diplomas
Universities issue digital credentials to students and graduates.
Employment
Employee credentials
Employers issue credentials that verify employment, role, or access rights.
| Layer | Detail |
|---|---|
| Credential format | ISO/IEC 18013-5 mDL or W3C Verifiable Credentials |
| Signature | COSE cryptographic issuer signatures |
| Trust anchor | Government certificate chain (IACA) or issuer DID |
Role 2: Holder
The holder is the person who owns the credential and stores it in their digital wallet.
The holder decides when and where to share the credential and approves every identity request. Nothing is shared without explicit consent.
iOS
Apple Wallet
Stores mDLs on iPhone and presents them via the Digital Credentials API in Safari.
Android
Google Wallet
Stores mDLs on Android and presents them via Android Credential Manager.
Android
Samsung Wallet
Participates through Android Credential Manager using OID4VP flows.
Government-issued
Government mobile ID apps
State-issued apps such as the CA DMV app store and present official credentials.
Role 3: Verifier
The verifier is the organization requesting proof of identity.
The verifier checks the credential by validating the issuer's digital signature and certificate chain. No personal data is read before those checks pass.
Travel
Airports
Verify identity at security checkpoints using NFC tap or QR code.
Retail
Age verification
Retailers verify age for alcohol, tobacco, or age-restricted purchases.
Online
Web services
Websites verify identity for account creation, onboarding, or step-up authentication.
Employment
Professional credentials
Employers verify licenses, certifications, or background credentials.
| Channel | Transport |
|---|---|
| In person | NFC tap or QR code: ISO/IEC 18013-7 proximity protocols |
| Online (browser) | Digital Credentials API: Safari (iOS) or Chrome (Android) |
| Online (redirect) | OpenID4VP Annex B redirect flow |
Summary: Three roles, one trust model
Every digital identity interaction involves all three roles working together.
How the roles connect
The issuer signs the credential and establishes trust. The holder stores it and controls when it is shared. The verifier requests it and checks the issuer's signature, confirming authenticity without ever calling back to the issuer.
Creates
Issuer
Signs and issues the credential to the holder's wallet.
Owns
Holder
Stores the credential and approves every share request.
Validates
Verifier
Requests the credential and validates the issuer signature and trust chain.
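
The three roles as a runnable Node.js sketch, showing the verifier checking the trust chain and issuer signature offline before it parses any personal data. This is an added example, not code from the page or from any wallet or standard. It assumes Ed25519 keys and a simplified "certificate" (the root's signature over the issuer's public key) as stand-ins for COSE signatures and an IACA X.509 chain; all function names and keys are hypothetical and constructed here.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed keys: a root trust anchor (stand-in for an IACA root) and an issuer.
const root = nodeCrypto.generateKeyPairSync("ed25519");
const issuerKeys = nodeCrypto.generateKeyPairSync("ed25519");
const spki = (key) => key.export({ type: "spki", format: "der" });

// Simplified "certificate": the root's signature over the issuer's public key.
// Real deployments use X.509 chains and COSE structures instead.
const issuerCert = {
  publicKey: spki(issuerKeys.publicKey),
  rootSignature: nodeCrypto.sign(null, spki(issuerKeys.publicKey), root.privateKey),
};

// Issuer: sign the credential bytes once, at issuance.
function issueCredential(claims) {
  const payload = Buffer.from(JSON.stringify(claims));
  const signature = nodeCrypto.sign(null, payload, issuerKeys.privateKey);
  return { payload, signature, issuerCert };
}

// Holder: the wallet releases the credential only after explicit consent.
function present(credential, userConsents) {
  return userConsents ? credential : null;
}

// Verifier: works offline, holding only the trust anchor's public key.
function verifyPresentation(presentation, trustAnchorKey) {
  if (!presentation) return { ok: false, reason: "nothing presented" };
  const { payload, signature, issuerCert: cert } = presentation;
  // 1. Chain: is the issuer key vouched for by the trust anchor?
  if (!nodeCrypto.verify(null, cert.publicKey, trustAnchorKey, cert.rootSignature))
    return { ok: false, reason: "untrusted issuer" };
  // 2. Signature: did that issuer sign exactly these bytes?
  const issuerKey = nodeCrypto.createPublicKey({ key: cert.publicKey, type: "spki", format: "der" });
  if (!nodeCrypto.verify(null, payload, issuerKey, signature))
    return { ok: false, reason: "bad credential signature" };
  // 3. Only now is the personal data parsed.
  return { ok: true, claims: JSON.parse(payload.toString()) };
}
```

A verifier configured with a different trust anchor rejects the same credential as "untrusted issuer", so the set of roots a verifier installs decides which issuers it accepts.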