Zoogma
A collaborative, long-term effort to chart an open, interoperable Verifiable Credential standard for the US pharmaceutical supply chain — and beyond.
Many small vessels, lashed into one resilient bridge.
Zeugma (ancient Greek Ζευγμα: ‘bridgehead’ or ‘crossing place’). A zeugma pontoon bridge is a system of many small vessels lashed together to form a stable bridge.
In the same way, Zoogma helps many individual verifiable-credential vessels form an identity system more resilient than a monolithic, centralized one — and it has its genesis in the XATP Working Group and similar efforts to drive interoperability and better patient outcomes in compliance with the Drug Supply Chain Security Act (DSCSA).
Decentralized by design
No single point of failure — trust is distributed across independently verifiable credentials.
Compliant with US law
Built to the letter and spirit of the DSCSA, starting with the Authorized Trading Partner community.
Open & interoperable
Grounded in GS1, W3C, and other open standards, so it connects rather than encloses.
Rooted in the XATP Working Group
Zoogma has its roots in the XATP Working Group, spearheaded by UCLA Health and drug manufacturers including Genentech, Amgen, and Sanofi to drive interoperability in compliance with the DSCSA. Leveraging GS1, W3C, and other open standards, the group developed and tested a digital ID system that lives up to the letter and spirit of US federal law — while improving patient outcomes and security.
Starting with credentialing and interoperability for the ATP community, our goal is to work with stakeholders in the healthcare and identity space to chart a path to a global standard for all healthcare Verifiable Credentials.
Amgen
- Natalie Helms
- Nikkhil Vinnakota
Genentech
- Nirmal Annamreddy
- Kathy Daniusis
- Mark Karhoff
- Vid Rajaram
IQVIA
- Greg Plante
LedgerDomain
- William Chien, PharmD, MBA
- Will Jack
- Ben Taylor
Providence Health
- Todd Barrett, PharmD
Sanofi
- Arthi Nagaraj
UCLA Health
- Josenor de Jesus, PharmD, MBA, FACHE
- Ghada Ashkar, PharmD
- Kalpan Patel, PharmD, MBA
The Working Group would also like to thank Jose Arrieta (formerly US Department of Health and Human Services); Paul Hackett (Accenture); Diane Shoda (Greyscaling); Alan Lodder, PharmD (formerly Intermountain); Dr. Leo Alekseyev, Rick Burgess, Alex Colgan, Dr. Victor Dods, Mike Lodder, and Ben Nichols (LedgerDomain); Mike Karhoff (Ten Count Consulting); Mike Marchant (UC Davis); and Jen Colon, PharmD (Yale).
“A complex system that works is invariably found to have evolved from a simple system that worked. A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over with a working simple system.”
A standard for decentralized Verifiable Credentials
In the twenty-first century, the rising tide of privacy laws and massive data breaches has fundamentally challenged how we collect, store, and share sensitive information. Within this landscape, healthcare information is sacrosanct — and intimately tied to identity and data ownership.
Building on prior learnings with UCLA Health, Genentech, Sanofi, Amgen, Biogen, and others, Zoogma is an effort to motivate the development of a standard for decentralized Verifiable Credentials (VCs) — empowering Authorized Trading Partners (ATPs) in the pharmaceutical supply chain to trade and exchange information in compliance with US federal law.
Starting with credentialing and interoperability for the ATP community, our ultimate goal is to chart a path to a global standard for all healthcare Verifiable Credentials — giving individuals and healthcare professionals control over their own data. By sharing our results and releasing essential components of the work to the public domain, we hope to align and connect with other foundational efforts, evolving standards within a truly open framework with broad stakeholder involvement.
A complete, open-source reference implementation
We propose a fully transparent, open-source reference implementation that satisfies the requirement for interoperability across all ATP types, and we’re looking to work with a coalition of the willing to design and contribute the key components — an initial implementation adequate for everyday use and upgradeable over time.
A global ATP schema
It begins with defining a global Authorized Trading Partner schema — entirely open source, and including protocols for revocation.
Rust core, portable wrappers
As a strawman, the reference implementation is written in Rust with a GoLang wrapper (standard) and a WebAssembly wrapper (desired).
Built on W3C VCs
Grounded in the W3C Verifiable Credential data model, so credentials interoperate across the ecosystem.
Example of a possible ATP VC
One example of an ATP Verifiable Credential for a Dispenser, represented in JSON-LD. Refer to the W3C Verifiable Credential standard for technical context.
{
// Definitions used in the credential (e.g. what belongs in a
// VerifiableCredential or AuthorizedTradingPartnerCredential)
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://www.fda.gov/atp/v1/credentials", // Maybe defined by FDA?
"https://www.atp.gov/v1/credentials" // Or by a consortium?
],
// Identifier for this credential. Alternately a DID, e.g.
// "did:ledgerdomain:atp:v1:f2f12eb1a522e7d1596fed2d7692f993df703eb8819eec5f7e98951a5aeeba0d"
"id": "https://atp.ledgerdomain.com/v1/credentials/f2f12eb1a522e7d1596fed2d7692f993df703eb8819eec5f7e98951a5aeeba0d",
// Type(s) of this credential
"type": [
"VerifiableCredential",
"AuthorizedTradingPartnerCredential"
],
// Entity that issued the credential (could also be a DID)
"issuer": "https://atp.ledgerdomain.com/v1/credentials/c7afdc84362a388a6e1398173b5a88fa6322c5e4eb7fd4961234661170647722",
"issuanceDate": "2010-01-01T19:23:24Z",
"expirationDate": "2020-01-01T19:23:24Z",
// Claims about the subject
"credentialSubject": {
// Identifies the subject itself (distinct from the credential id)
"id": "https://atp.ledgerdomain.com/v1/subjects/92fcb91eacb8b91874fd1c45f05adf2b6265d37fbcbcf3c2cfa51e5dbc0bd57a",
// What kind of ATP entity this is, and therefore what to expect below
"ATPEntityType": "Dispenser",
// ATP-specific data — individual attributes can be revealed or hidden
// via selective-disclosure (ZKP) signatures
"ATPDispenserState": "CA",
"ATPDispenserLicenseNumber": "58934085943",
"ATPDispenserName": "Fancy Pharmacy",
"ATPDispenserPhoneNumber": "1-800-SO-FANCY"
},
// Digital signature on the credential by the issuer. W3C defines several
// types: EcdsaSecp256k1Signature2019, Ed25519Signature2018, RsaSignature2018…
"proof": {
"type": "EcdsaSecp256k1Signature2019",
"created": "2010-01-01T19:23:24Z",
"expires": "2020-01-01T19:23:24Z",
"proofPurpose": "assertionMethod",
"verificationMethod": "https://atp.ledgerdomain.com/v1/credentials/c7afdc84362a388a6e1398173b5a88fa6322c5e4eb7fd4961234661170647722#public-key-3",
"jws": "XXX"
}
}
Example of a corresponding Verifiable Presentation
One example of how a holder might present the credential above.
{
// Definitions used in the presentation
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://www.fda.gov/atp/v1/credentials", // Maybe defined by FDA?
"https://www.atp.gov/v1/credentials" // Or by a consortium?
],
// The credentials themselves
"verifiableCredential": [
{ … } // omitted; derived from the VC above
],
// Digital signature by the credential holder on the presentation
"proof": {
"type": "RsaSignature2018",
"created": "<timestamp>",
"proofPurpose": "authentication",
// Public key of the holder — the subject of the ATP credential
"verificationMethod": "https://atp.ledgerdomain.com/v1/subjects/92fcb91eacb8b91874fd1c45f05adf2b6265d37fbcbcf3c2cfa51e5dbc0bd57a#public-key-1",
// "challenge" and "domain" prevent replay attacks
"challenge": "1f44d55f-f161-4938-a659-f8026467f126",
"domain": "4jt78h47fh47",
"jws": "YYY"
}
}
More detail lives in the peer-reviewed proposal, and in the cryptography behind every LedgerDomain signature.
Join a superteam building open health infrastructure
Join a superteam of independent programmers who donate their time working with cutting-edge decentralized technologies — securing improved health privacy and better health outcomes for everyone, worldwide.
Reach us directly at info@zoogma.org
