The Trust Triangle: Issuer–Holder–Verifier Design for zk-KYC

In traditional identity systems, trust is a direct line between a user and a server.

You (the user) send your passport photo to a bank (the server). The bank verifies it, stores it, and assumes the liability for keeping it safe. If you want to use a different service, you repeat the process: send the passport, wait for verification, create another copy of your data.

This is the "Client-Server" model. It is the architecture behind many of the biggest breaches—centralized databases with high-value identity data.

For architects and product leaders, this model creates a liability trap. Every time you verify a user, you inherit the concentrated risk of their personal data. You become a "honeypot."

Zero-Knowledge KYC (ZK-KYC) introduces a fundamental architectural shift. It moves from a linear "Client-Server" model to a triangular "Issuer-Holder-Verifier" model.

In this design, the application (Verifier) never sees or stores the user's source documents. Instead, the user (Holder) collects credentials from trusted authorities (Issuers) and presents cryptographic proofs to the application.

This guide explains the trust triangle issuer holder verifier design for zk kyc. We will break down the roles, the cryptographic handshake, and the specific design choices—from replay attacks to credential revocation—that allow you to verify users without ever touching their data.

Why “Client–Server KYC” Creates a Liability Trap

To understand the solution, we must audit the failure of the current model.

The Classic Model: Centralized Breach Blast Radius

In the classic Client-Server model, the application is the custodian of truth.

Step 1: User uploads PII (Personally Identifiable Information).
Step 2: App verifies PII (often via a third-party API).
Step 3: App stores PII in a centralized database to prove regulatory compliance.

This creates a "honeypot risk." The more users you onboard, the more valuable your database becomes to attackers. The blast radius of a breach scales linearly with your success.

Why “More Data” Often Becomes “More Liability”

For a Chief Compliance Officer, data used to be an asset. Today, under GDPR and CCPA, it is a liability.

Every specific piece of data you hold—passport numbers, home addresses, selfie videos—is a distinct legal risk. If you only need to know "Is this user over 18?", holding a scan of their driver's license (which contains their exact birthdate, address, and license number) is a violation of the data minimization principle. It is dangerous over-collection.

The Alternative: Three-Party Trust

The Trust Triangle decouples verification from data storage.

The Issuer handles the compliance check and data verification.
The Holder keeps the resulting credential.
The Verifier checks the cryptographic proof of that credential.

By separating these roles, the Verifier (your dApp or platform) can verify users instantly without ever inheriting the data liability.

Table: Client–Server vs. The Trust Triangle

Feature	Client-Server (Traditional)	The Trust Triangle (ZK-KYC)
Who Holds Data?	The Application (Verifier)	The User (Holder)
Verification Basis	Checking raw documents	Checking cryptographic proofs
Breach Risk	High (Centralized Honeypot)	Lower (Reduced centralized blast radius)
User Control	Low (Data siloed in app)	High (User owns credential)
Reusability	None (Re-KYC for every app)	High (Verify once, use everywhere)
Liability	Centralized on the App	Distributed / Minimized

The Trust Triangle in One Picture (Issuer, Holder, Verifier)

The architecture relies on three distinct roles. It is critical to understand what each party does—and more importantly, what they do not do.

1. The Issuer: The Source of Trust

The Issuer is the entity that attests to the user's identity.

Who they are: Governments (issuing passports), Banks (confirming account ownership), or KYC Providers (like Onfido or SumSub).
What they do: They verify the raw documents off-chain and sign credentials using their private key.
What they do not do: They do not track where the user uses the credential (if implemented correctly with privacy-preserving status checks).

2. The Holder: The Owner of Data

The Holder is the user.

Who they are: An individual using an identity wallet or a digital agent.
What they do: They request credentials from Issuers, store them securely (usually off chain), and generate zero knowledge proofs to answer questions from Verifiers.
What they do not do: They do not hand over their private keys or raw documents to the Verifier.

3. The Verifier: The Relying Party

The Verifier is the application that needs assurance.

Who they are: A decentralized exchange (DEX), a lending protocol, a permissioned pool, or an age-gated commerce site.
What they do: They request a proof (e.g., "Prove you are not sanctioned"). They check the validity of the proof against the issuer’s public key and the credential status.
What they do not do: They do not store PII. They store an audit record (e.g., timestamp + proof hash) to prove compliance without holding liability.

Table: Who Holds What?

Component	Issuer Holds	Holder Holds	Verifier Holds
Raw Identity Docs	Yes (during KYC)	Yes (on device)	No
Verifiable Credential	No (only signature log)	Yes (full VC)	No
Keys Used	Issuer signing key	Holder wallet key	Issuer public key + ZK verification key
Verification Proof	No	Yes (generated)	Yes (audit record)

What Is a Verifiable Credential (VC) in This Model?

The currency of the Trust Triangle is the Verifiable Credential (VC).

A VC is not a token on a blockchain. It is a portable, tamper-evident digital data object.

VC as Signed Data

A VC works like a digital envelope sealed with wax.

The Content: The data claims (e.g., "Name: Alice", "DOB: 01/01/1990").
The Seal: The cryptographic signatures of the Issuer.

Because the data is digitally signed, the Holder can carry it anywhere. Any Verifier can mathematically prove that the data has not been tampered with since the Issuer signed it.

How Verifiers Check Authenticity

When a Verifier receives a VC (or a proof derived from it), they perform two checks:

Integrity: Does the signature match the data?
Authenticity: Does the signature belong to a trusted Issuer?

This is done by resolving the Issuer's DID document to fetch their public key. Note that DID methods vary: did:ethr resolves via blockchain, while did:web resolves via DNS. If the public key unlocks the signature, the credential is authentic.

Clarification: VC ≠ Data Published On-Chain

A common misconception is that VCs are stored on the blockchain. They are not.

VCs contain sensitive data. Storing them on-chain would be a privacy disaster. VCs are stored in the Holder's wallet (off chain). Typically, verifiers resolve issuer public keys via DID methods (some on-chain, some off-chain), and they check credential status via a public registry or status list that can be anchored on-chain or published off-chain.

Where Zero-Knowledge Proofs Fit (Proof Replaces Paperwork)

If the VC is the passport, the Zero-Knowledge Proof (ZKP) is the cryptographic window that lets you see the validity without seeing the details.

Zero Knowledge Proofs: Proving Statements, Not Showing Data

In a standard VC exchange, the user shares the VC. This reveals the data.

In a ZK-KYC exchange, the user keeps the VC private and generates a proof.

Standard VC: "Here is my passport. You can see I was born in 1990, so I am over 18."
ZK-KYC: "Here is a mathematical proof that 'Current Date - Birthdate > 18 years'. You cannot see the birthdate."

Selective Disclosure Examples

This capability enables selective disclosure:

Age verification: Prove "Over 18" without revealing birthdate.
Sanctions checks: Prove "Not on OFAC list" without revealing name or citizenship.
Residency: Prove "Resident of EU" without revealing exact address.

The Cryptography: Proof Generation

This process relies on three artifacts:

Proving Key: Used by the Holder's wallet to generate the proof from the credential and their secret inputs.
Verification Key: Used by the Verifier to check the proof.
The Proof: The tiny string of data that confirms the statement is true.

This allows for privacy preserving kyc where the Verifier gains certainty without gaining data.

The Verification Process Step-by-Step (What Actually Happens)

Let's walk through the lifecycle of a trust triangle interaction.

Step 1: Issuer Creates and Signs the Credential

The User (Holder) performs identity verification with an Issuer (e.g., scans passport and face).
The Issuer verifies the documents.
The Issuer creates a JSON object (the Credential) containing the claims.
The Issuer signs credentials using their private key.
The Issuer sends the VC to the Holder.

Step 2: Holder’s Wallet Generates a Proof

The User connects to a Verifier (e.g., a dApp).
The Verifier requests a specific proof: "Prove you are Accredited."
The Holder's wallet identifies the correct VC.
The wallet uses the VC and the proving key to generate a zero knowledge proof. This happens entirely on the user's device.

Step 3: Verifier Requests, Verifies, and Records Only What It Needs

The Holder submits the proof to the Verifier.
The verification process runs (either on a server or a smart contract).
The Verifier checks the valid credential status (is it revoked?) and the signature.
If valid, access is granted. The Verifier stores an audit record (e.g., proof hash + timestamp) but learns nothing else about the user.

Replay Attacks, Correlation, and How to Avoid “Proof Reuse”

Architects must defend against specific threats in this model. The most common is the replay attack.

Defining Replay Attacks in Proof Contexts

If a user generates a proof that says "I am Accredited," what stops them from sending that same proof string to 100 other people? Or giving it to a friend to use?

A proof is just data. If it isn't bound to a specific context, it can be replayed.

Using Nonces and Challenge-Response

To prevent this, the verification process uses a challenge-response pattern.

Verifier: Sends a random number (Nonce) to the Holder.
Holder: Must include that Nonce inside the zero knowledge proof generation.
Verifier: Checks that the proof contains the specific Nonce they issued.

This ensures the proof is fresh and created specifically for this session. It cannot be reused.

Minimizing Correlation Across Verifiers

Privacy isn't just about hiding data; it's about preventing correlation.

If a user uses the same decentralized identifier (DID) with every dApp, the dApps can collude to track the user's activity.

To solve this, modern wallets use Pairwise DIDs or Directed Identity. The Holder generates a unique, single-use DID for each Verifier relationship, helping to reduce cross-site correlation, though network-level metadata must still be managed carefully.

Credential Status, Revocation, and “Still Valid?” Checks

A VC is a snapshot in time. But reality changes. Passports expire. People get added to sanctions lists. How does the Verifier know the credential is still valid?

Why Credential Status Matters

Credential status is the mechanism for revocation. Without it, a user who passes KYC today could continue using that credential even if they become a bad actor tomorrow.

Credential Revocation Patterns

We must avoid a design where the Verifier "phones home" to the Issuer for every check, as that creates a tracking trail.

Instead, we use privacy-preserving accumulators or status lists:

Status Lists (Bitstrings): The Issuer maintains a compressed list of revoked IDs on-chain or IPFS. The proof includes a check against this list.
Sparse Merkle Trees: A cryptographic structure where the Holder proves their credential is not in the revocation tree.

The goal is that the verifier can confirm "not revoked" without learning a stable identifier that enables tracking. These methods allow the Verifier to check valid credential status without leaking user activity to the Issuer.

On-Chain vs Off-Chain: What Goes Where

Design mistakes here are costly (in gas costs) and dangerous (in privacy).

Off-Chain: Storage and Context

The Credential: Always off-chain (User Wallet).
The PII: Always off-chain (User Wallet).
The Proof Generation: Always off-chain (User Device).

On-Chain: Anchors and verification

DID Documents: On-chain (for methods like did:ethr or did:ion).
Revocation Registries: On-chain (for censorship-resistant status checks).
Verification Logic: Sometimes on-chain (Smart Contracts).
The Proof: Can be submitted on-chain for verification, but architect must ensure it contains no public identifiers.

Note on Transaction Costs: Verifying a ZK proof on Ethereum can cost significant gas. Many architectures verify the proof off chain (via an oracle or server) and only post the result on-chain to save costs.

Trust Frameworks: Who Gets to Be an Issuer?

The cryptography guarantees the data hasn't changed. It doesn't guarantee the data was true to begin with. That is the job of the Trust Framework.

What “Trusted Issuers” Means in Practice

A Verifier must decide which Issuers to trust.

Example: A DeFi pool might only accept "Accredited Investor" credentials issued by a specific set of regulated KYC providers listed in an on-chain allowlist.

The Trust Framework is the governance layer—often a curated list of DIDs that the Verifier accepts.

Governance and Interoperability

In the World Wide Web Consortium (W3C) model, trust is flexible. You can build a Verifier that accepts credentials from any government-issued DID. This decentralized nature avoids vendor lock-in. You aren't tied to one KYC provider's API; you are tied to a standard.

Design Checklist (Operator-Ready)

If you are implementing the trust triangle, verify your architecture against this list.

Role Separation Checklist

[ ] Is the Issuer completely decoupled from the Verifier?
[ ] Does the Holder retain full custody of the raw VC?
[ ] Are you ensuring the Issuer cannot see where the Holder uses the VC (anti-tracking)?

Data Minimization Checklist

[ ] Are you requesting selective disclosure proofs instead of raw data?
[ ] Is the Verifier storing only the audit record/result, not the PII?

Security Checklist

[ ] Is replay attack protection (nonces) implemented?
[ ] Are you checking credential revocation status on every presentation?
[ ] Are keys managed securely (Holder in secure enclave, Issuer in HSM)?

Privacy Checklist

[ ] Are you using pairwise DIDs to reduce correlation?
[ ] Is all PII kept off chain?

Conclusion: The Architectural Shift That Shrinks Data Liability

The Trust Triangle is more than a technical specification; it is a liability shield.

By moving from a Client-Server model to an Issuer-Holder-Verifier model, you fundamentally change the risk profile of your platform. You no longer hoard data to prove compliance. Instead, you verify cryptographic proofs that attest to compliance.

In many designs, the safest way to reduce liability is to minimize what you ever collect and retain — and push sensitive identity data back to the user’s control.

Frequently Asked Questions (FAQ)

What is the trust triangle in zk-KYC?

The Trust Triangle is the architectural model where trust is distributed among three parties: the Issuer (who attests to identity), the Holder (the user who holds the data), and the Verifier (who checks the proof). It replaces the direct Client-Server trust model.

Who holds the data in issuer–holder–verifier design?

The Holder holds the credential. The Issuer may retain issuance logs as required by policy/regulation. The Verifier holds only the minimum verification record it needs.

Are verifiable credentials stored on-chain?

No. Verifiable Credentials contain sensitive data and are stored off chain in the user's wallet. Only the definitions (schemas) and public keys (DIDs) are typically stored on-chain.

How do verifiers prevent replay attacks?

Verifiers use a "challenge-response" mechanism. They send a unique random number (nonce) to the wallet, which must be included in the signed proof. This ensures the proof is unique to that specific session and cannot be replayed.

How does credential revocation work without tracking users?

Issuers maintain a "Status List" or cryptographic accumulator (like a sparse merkle tree) on-chain. The user's proof includes a check against this public list to prove their credential hasn't been revoked, without revealing which specific ID on the list is theirs.

What’s the difference between on-chain attestations and off-chain credentials?

On-chain attestations are public/semi-public records stored on the ledger. Off-chain credentials are private files held by the user. ZK-KYC favors off-chain credentials with on-chain proofs for maximum privacy.

Do I need a DID to use VCs?

Yes. Decentralized Identifiers (DIDs) are the addressing layer of this architecture. They allow the Verifier to look up the Issuer's public keys and verify the signatures.

What Comes Next?

We have established the architecture of the Trust Triangle and how the three parties interact.

But how do we prove a specific fact—like "Over 18"—without revealing the underlying data? That requires a deep dive into the cryptography of Selective Disclosure.

Next, we explain the mechanics of proving specific attributes while keeping the rest hidden.

Selective Disclosure: Proving “Over 18” Without Revealing Birthdate