There are multiple types of users:
The short answer is no. What is stored on the blockchain is a 1-way hash. This makes it useful only for verification; i.e. you can hash a certificate and compare to what is on the blockchain. And given what is on the blockchain, the original data cannot be feasibly recovered. This makes it easy for a recipient to reveal a certificate only to intended third parties.
Yes, the blockchain is an immutable and distributed store of transactions, with each block building upon the last. When a certificate is issued, its data is compressed into a hash and logged on the blockchain. This generates a “receipt” that can always be checked at a later date. The verification service validates the signature of the issuer and the certificate data; it also ensures that the certificate status has not expired or been revoked.
The friendly display of certificates could be spoofed to trick a non-technical viewer. This is why it is important to use a separate verification service when circumstances are important. While the issuer may include a friendly verification button below a certificate, the most secure way to ensure a certificate is valid is to use a separate verification service to check the blockchain. That cannot be spoofed.
Certificates are immutable and cannot be updated.
In general, we anticipate the need for a range of solutions balancing convenience, privacy, and security. For example, a recipient may want it to be easy for third parties to view and verify that they graduated from a university with a certain GPA, but only want to expose basic transcript information.
This can currently be achieved by issuing separate certificates, one for high-level information and another with detailed personal information for use in very specific situations.
In Futarium, the issuer uses their digital signature to provide a credential to a recipient, identified by a recipient-owned public key, and issued on the blockchain. The recipient’s credential contains proof linking the credential with a specific blockchain transaction. This is used to establish the integrity of the credential; i.e. that it hasn’t been tampered with. Additionally, the recipient-owned public key embedded in the credentials allows the recipient to prove ownership.
To establish authenticity, one must establish that the issuer-owned the issuing key at the time the credential was issued. This is why a reliable timestamp is needed. This could be done through use of a timestamping authority (TSA) but that places a dependency on a trusted third party.
In contrast, blockchain provides permanent, trusted timestamping by design. It requires massive computational effort – rewriting the entire blockchain – to tamper with the timestamps.
The verification process ensures that the certificate you see wasn’t tampered with by comparing hashes with what is registered on the blockchain. It ensures the certificate wasn’t revoked through a convention that relies on spending transaction outputs.