Open Badges provides the JSON data model to represent achievements issued by some entity to a given recipient.
The core entities they define are:
Data model for an entity, either a recipient of an achievement, or its issuer. Provides details about them (name, description, image) and how to contact them (email, phone, URL).
For instance, a university that issues certificates like the M.I.T. or the recipient who completes a course.
In practice, Profile is a data model just used for certificate issuers.
Data model to represent an achievement, issued by an entity defined by the previous Profile data model. They provide information about the achievement obtained, the knowledge obtained, what was required to obtained the achievement and more.
For instance, a Computer Science degree by the M.I.T. could be a badge.
It is also referred to as BadgeClass, but we call them Badges for short.
Data model to issue a badge to a given recipient. Includes the badge issued, the recipient who receives the badge and data about the issuance, like data to verify if the assertion is valid or not.
For instance, a Computer Science degree by the M.I.T. issued to Silvio Micali could be an assertion.
In previous versions it was called a Badge but this lead to overloaded meaning of the badge word. Please avoid using Badge to refer to a badge issued to a recipient and refer to it as an Assertion. The badge is just an achievement without any recipient.
Data model to provide extra information about an Assertion, either to provide more information about the Assertion, comments about the existing information or validation information. The standard is open to receive any kind of extra information about a given assertion.
In order to ensure that the certificates following this data model can be verified (to avoid fake certificates with impersonation), Open Badges provides two kinds of validations:
The certificate is valid if is hosted on a trusted place.
For instance, a certificate issued by an issuer whose URL is https://mit.edu
is valid just if the certificate can be downloaded from an URL related to
The certificate contains an RSA signature using JWS. Therefore you can know that if the certificate signature is valid, the certificate was signed and therefore issued by the specified RSA public key.
The standard does not care about the real world™ identity of the holder of the private key. Therefore you can know whether the certificate was issued by a public key, but not who in the real world™ is behind the control of the signatures made by the private key matching that public key.
Using a PKI could be a solution for that, but that’s not specified in the standard.