Automating document verification with TrustDocs

Lucas Yap
Government Digital Services, Singapore
Jun 5, 2024

Document submission and verification are crucial in many processes, such as job and grant applications, but they can be time-consuming, and cases of fraud still occur when not enough care is taken.

In 2019, we launched OpenCerts in conjunction with SkillsFuture Singapore (SSG) for educational certificates. With the successful adoption of OpenCerts, we are expanding beyond certificates and introducing TrustDocs — all-encompassing verifiable documents that can be used for certificates, licences, permits and more.

Both OpenCerts and TrustDocs use OpenAttestation, an open-source framework built by GovTech to endorse and verify documents.

In this article, we examine how requesting and automatically verifying TrustDocs can optimize existing processes and help guard against fraud.

1. Existing document verification flows

Let’s take a look at what a typical job application flow looks like without verifiable documents.

Figure: Document Verification in a typical job application process

As seen in the diagram above, job application processes typically involve some form of document submission and verification. This is the part that can be streamlined and made more secure with the help of TrustDocs.

After submitting their documents, applicants have to wait for HR personnel to manually process them before getting a response. In addition, companies typically do not check every document at the verification stage due to cost or time considerations.

But what if document verification could be instant and foolproof?

2. Verifying TrustDocs

At their core, TrustDocs are files that contain structured data in the JSON format.

{
  "name": "Tan Chen Chen",
  "qualification": "BEng in Issuing Verifiable Credentials"
}

A TrustDoc follows the same format but includes other data generated during the issuance process that allows it to be verified in real time.

{
  "version": "https://schema.openattestation.com/2.0/schema.json",
  "data": {
    "name": "db36c2ab-8c72-4ae2-84e2-198d267a3001:string:Tan Chen Chen",
    "qualification": "0bb4aab5-d7fc-4bf6-b4d0-4782850588aa:string:BEng in Issuing Verifiable Documents",
    "issuers": [
      {
        "id": "33ac0947-7f4a-4fe3-ad09-a3f6b84c9d22:string:did:ethr:0xe6fc34456df9e8109ac33e48d721dd092403fc6a",
        "name": "8cee11b7-365b-453b-8483-5248b12c2afa:string:GovTech Singapore",
        "revocation": {
          "type": "c27bac24-d98c-421d-93d9-adbbfce0b1d6:string:NONE"
        },
        "identityProof": {
          "type": "941c3998-6e20-452e-9696-838ac3a3a4f9:string:DNS-DID",
          "location": "e365d766-8ef9-4c92-9ede-b5862b0a4147:string:demo.trustdocs.gov.sg",
          "key": "a15d3603-f44b-40e0-b476-d4d0edb280f4:string:did:ethr:0xe6fc34456df9e8109ac33e48d721dd092403fc6a#controller"
        }
      }
    ]
  },
  "signature": {
    "type": "SHA3MerkleProof",
    "targetHash": "7e073de21102dd8182d40fdf76819a9774f06340df52c86cd10884b0679c7837",
    "proof": [],
    "merkleRoot": "7e073de21102dd8182d40fdf76819a9774f06340df52c86cd10884b0679c7837"
  },
  "proof": [
    {
      "type": "OpenAttestationSignature2018",
      "created": "2024-05-29T09:33:15.128Z",
      "proofPurpose": "assertionMethod",
      "verificationMethod": "did:ethr:0xe6fc34456df9e8109ac33e48d721dd092403fc6a#controller",
      "signature": "0x923097a0f7d4b70c0fc3d085715cae48abc1104768cf22359774ab8736a01eeb5b17d88d037cf51fe852a6379384c113162a52303758cbdc3460b53c750bb3ba1b"
    }
  ]
}

To illustrate verification, we will be using a simple API that accepts a JSON document and responds with its validity and verification fragments. For more information, you can refer to our sample implementation.

curl -X POST https://api.verify.gov.sg/verify \
  -H "Content-Type: application/json" \
  -d @degree.trustdoc

Upon executing the above request, the response looks something like this:

{
  "isValid": true,
  "fragments": [
    {
      "type": "DOCUMENT_INTEGRITY",
      "name": "OpenAttestationHash",
      "data": true,
      "status": "VALID"
    },
    ... // The remaining fragments
  ]
}

Most importantly, we can see that the property isValid is true. The remaining verification fragments¹ detail each specific check that was done and the corresponding result, which can be referenced to determine which check failed during an unsuccessful verification.

¹Find out more about the verification process or check out our GitHub repo.

So what happens when a document is fraudulent or invalid? Let’s try again with the same file but change the qualification to a PhD instead.

Figure: Side by side comparison of the original vs tampered document

Now when we try to verify the document we get this response:

{
  "isValid": false,
  "fragments": [
    {
      "type": "DOCUMENT_INTEGRITY",
      "name": "OpenAttestationHash",
      "data": false,
      "reason": {
        "code": 0,
        "codeString": "DOCUMENT_TAMPERED",
        "message": "Document has been tampered with"
      },
      "status": "INVALID"
    },
    ... // The remaining fragments
  ]
}

Specifically, if we examine the DOCUMENT_INTEGRITY fragment, we can see that it was returned with an INVALID status, the reason being that the document has been tampered with. Other common reasons for a document being invalid include revocation by the issuer and failure to confirm the issuer’s identity.

By leveraging a verification API, we can perform checks on uploaded documents automatically to ensure that they are authentic.
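
One way an application backend could act on this response, as an added example (not code from the original article or the TrustDocs project). It fails closed unless every check type has a VALID fragment and the issuer's domain is on the integrator's own allowlist, because a passing verification only shows the document is intact and was issued by whoever controls the domain in identityProof.location. The function names, the allowlist, and the DOCUMENT_STATUS, ISSUER_IDENTITY and ERROR strings are assumptions not shown on the page.

```javascript
// Added example. Fragment types and statuses beyond those shown on the page
// (DOCUMENT_STATUS, ISSUER_IDENTITY, ERROR) are assumed from OpenAttestation.
const REQUIRED = ["DOCUMENT_INTEGRITY", "DOCUMENT_STATUS", "ISSUER_IDENTITY"];
const SALT = /^[0-9a-f-]{36}:(?:string|number|boolean|null|undefined):([\s\S]*)$/;

// Strip the "<uuid>:<type>:" prefix from every leaf of `data` (values stay strings).
function unsalt(node) {
  if (Array.isArray(node)) return node.map(unsalt);
  if (node && typeof node === "object")
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, unsalt(v)]));
  const m = typeof node === "string" ? SALT.exec(node) : null;
  return m ? m[1] : node;
}

// Fail closed: accept only if isValid is true, every required check type has a
// VALID fragment and none INVALID/ERROR, and every issuer domain is allowlisted.
function assess(doc, response, trustedDomains) {
  const reasons = [];
  const fragments = Array.isArray(response?.fragments) ? response.fragments : [];
  for (const type of REQUIRED) {
    const ofType = fragments.filter((f) => f.type === type);
    const bad = ofType.find((f) => f.status === "INVALID" || f.status === "ERROR");
    if (bad) reasons.push(`${type}: ${bad.reason?.codeString ?? bad.status}`);
    else if (!ofType.some((f) => f.status === "VALID")) reasons.push(`${type}: NOT_CHECKED`);
  }
  if (response?.isValid !== true && reasons.length === 0) reasons.push("isValid is not true");
  const raw = doc?.data?.issuers;
  const domains = (Array.isArray(raw) ? unsalt(raw) : []).map((i) => i?.identityProof?.location);
  if (domains.length === 0) reasons.push("no issuer in document");
  for (const d of domains)
    if (!trustedDomains.includes(d)) reasons.push(`untrusted issuer: ${d}`);
  return { accepted: reasons.length === 0, reasons, fields: unsalt(doc?.data ?? {}) };
}

// Constructed sample input, trimmed from the document and responses shown above.
const sampleDoc = { data: {
  name: "db36c2ab-8c72-4ae2-84e2-198d267a3001:string:Tan Chen Chen",
  issuers: [{ identityProof: {
    location: "e365d766-8ef9-4c92-9ede-b5862b0a4147:string:demo.trustdocs.gov.sg" } }],
} };
const frag = (type, status, reason) => ({ type, status, ...(reason && { reason }) });
const okResponse = { isValid: true, fragments: REQUIRED.map((t) => frag(t, "VALID")) };
const tamperedResponse = { isValid: false, fragments: [
  frag("DOCUMENT_INTEGRITY", "INVALID", { code: 0, codeString: "DOCUMENT_TAMPERED" }),
  frag("DOCUMENT_STATUS", "VALID"), frag("ISSUER_IDENTITY", "VALID") ] };

console.log(assess(sampleDoc, okResponse, ["demo.trustdocs.gov.sg"]));
console.log(assess(sampleDoc, tamperedResponse, ["demo.trustdocs.gov.sg"]).reasons);
console.log(assess(sampleDoc, okResponse, ["example.edu.sg"]).reasons);
```

Only values returned in fields should be shown to HR staff, and only when accepted is true; the allowlist is the integrator's own list of issuers it recognises.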

3. Automating TrustDocs verification

Now that we know how easily verification can be done, all we have to do is to integrate it into our application process. For example, we could add automated verification for HR personnel to see different details from submitted documents as well as their verification statuses.

Figure: Simplified example of an application dashboard with automated verification

Government agencies such as the Early Childhood and Development Agency (ECDA) have added requirements that applicants from the relevant cohorts must submit the .opencert documents they were issued for their certifications, ensuring that proper checks are in place before confirming applicants as teachers.

4. Conclusion

Now let’s revisit the same typical job application flow but with automated document verification.

Figure: Document Verification with automated verifications

What was previously three different methods in the original flow is now covered by a single instant verification, lowering the overall time and cost taken for applications while also reducing the risk of fraud.

Are you from a government agency and interested in issuing Verifiable Documents?

Contact us at trustdocs_support@tech.gov.sg
