Who can you trust to protect your Self-sovereign Identity?
This Self-sovereign Identity idea has me captivated, that your ID is so valuable that you can’t trust anyone to be the guardian of it, unless you’re an owner of that company. New business models had to be invented, just to make sure your ID is never sold, used, stolen or borrowed.
A good name is more desirable than great riches;Proverbs 22
to be esteemed is better than silver or gold.
This question tends to stem from the notion that data associated with a person’s identity is destined to be stored, shared and used for verification on some form of distributed ledger technology. My hope is that this article with help to debunk that notion and provide a basic foundational understanding of how distributed ledger technology is being used to solve our identity infrastructure dilemma and resolve the impacts of the internet lacking an identity layer.
A trusted server, or certificate authority, uses digital certificates to provide a mechanism whereby trust can be established through a chain of known or associated endorsements. For example, Alice can be confident that the public key in Carol’s digital certificate belongs to Carol because Alice can walk the chain of certificate endorsements from trusted relationships back to a common root of trust.
Our current identity authentication scheme on the internet is based on asymmetric encryption and the use of a centralized trust model. Public key infrastructure (PKI) implements this centralized trust model by inserting reliance on a hierarchy of certificate authorities. These certificate authorities establish the authenticity of the binding between a public key and its owner via the issuance of digital certificates.
Rebooting the web of trust
What if we wanted to avoid this centralized reliance on a trust chain of certificate authorities? What if we could leverage distributed ledger technology as a transparent and immutable source for verifying and auditing the authenticity of the binding between a public key and its owner?
An alternative to the PKI-based centralized trust model, which relies exclusively on a hierarchy of certificate authorities, is a decentralized trust model. A web of trust, which relies on an individual’s social network to be the source of trust, offers one approach to this decentralized alternative. However, the emergence of distributed ledger technology has provided new life to the web of trust vision. Solutions using SSI can leverage distributed ledger as the basis for a new web of trust model that provides immutable recordings of the lifecycle events associated with the binding between a public key and its owner.
The Sovrin Solution
The Sovrin Network is a new standard for digital identity – designed to bring the trust, personal control, and ease-of-use of analog IDs – like driver’s licenses and ID cards – to the Internet.
We want to give people, organizations, and things the freedom to collect and carry their own lifelong verifiable digital credentials. “Self-sovereign” means the individual identity holder can access and use their credentials on the Sovrin Network whenever and however they please.
It’s time to evolve the current system of siloed identities, endless passwords, and insecure databases. The time is here for the frictionless, secure identity verification of self-sovereign identity. – Read the Sovrin Network Whitepaper.
Above sources were IBM and Sovern, below is a piece from Phillip J. Windley, Ph.D. an Enterprise Architect in the Office of the CIO at Brigham Young University and a leading authority on Self-sovereign and Multi-sovereign identity theory.
Multi-Source and Self-Sovereign Identity
Self-sovereign identity is multi-source, but not all multi-source identity systems are self-sovereign. Self-sovereignty requires that people and organizations have control of their credentials and interact as peers.
The world is full of credentials. Some, like a driving license, an employee ID card, a passport, or a university diploma are widely recognized as such. But many other things are also credentials: a store receipt, a boarding pass, or a credit score, for example. Credentials, designed properly, allow verifiable data to be employed in workflows without centralized hubs, point-to-point integrations, or real-time communication between the various players. Credentials enable decentralized, asynchronous workflows.
Multi-source identity (MSI) allows multiple credentials from multiple providers to be brought to bear, flexibly and conveniently, in a situation where trusted attestations are needed for the participants in a workflow to make progress. In MSI, there are three players: credential issuers, credential holders, and credential verifiers. Any person or organization can play any or all of the roles.
- Credential issuers determine what credentials to issue, what the credential means, and how they’ll validate the information they put in the credential.
- Credential holders determine what credentials they need and which they’ll employ in workflows to prove things about themselves.
- Credential verifiers determine what credentials to accept and who to trust.
Because of these features, MSI is decentralized. In contrast, traditional identity systems have a single identity provider (IdP) who administers an identity system for their own purposes, determines what attributes are important, and decides which partners can participate.
In MSI, a particular credential is not intrinsicly true. Rather each verifier determines who and what they will trust by relying on the attestations of other parties. Thus, truth is established through a preponderance of evidence. How much evidence is needed for a situation depends on the risk, something the verifier determines independently.
Self-sovereign identity means the individual or organization controls and manages their identity. Multi-source identity becomes self-sovereign identity (SSI) when the individual is able to control the credentials and use them in a privacy-preserving manner whenever and where ever they want. Privacy is a critical feature of SSI because without privacy, there is no control. In SSI, the identity owner must be able to control who sees what and that means that privacy is a fundamental property of the architecture for SSI.
SSI also implies that the parties to the credential transaction behave as peers. In traditional identity systems the rights of the so-called “identity subject” are subordinate to those of the identity provider. In SSI, every player independently determines the role they’ll play, who they trust, and what they will believe. As we’ve seen, in SSI, an identity owner holds credentials from multiple providers and can use them where ever she wants. While these credentials can be revoked individually, the identity owner still controls her own identity wallet and all the other credentials she has collected.
Self-sovereign identity represents a monumental shift in how identity functions on the Internet. Internet identity systems have traditionally only supported a limited set of attributes and required prior agreement and custom integration. SSI frees Internet identity from this narrow view by introducing support for the exchange of credentials by individuals and organizations acting as peers. The result will be an Internet identity regime that is more flexible, more secure, more private, less burdensome, and less costly.