Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the National Agency. Neither the European Union nor National Agency can be held responsible for them.

The Midas Touch of Blockchain for Self-Sovereign Identity

The author's name is Enza Cirone and her LinkedIn can be found here: https://www.linkedin.com/in/enza-cirone-2625b0167/

A first introduction

We are at the gates of an epochal and structural change to the dynamics of society. This innovation is brought about by so-called self-sovereign identity (SSI), which offers a new point of view to users, who can manage and be in control of their digital identities.

Why “self-sovereign”?

This concept represents the idea of a person’s identity that is neither dependent on nor subjected to any other power or state.

How far back does this concept go?

When Satoshi Nakamoto first published Bitcoin: A Peer-to-Peer Electronic Cash System in October 2008, no one expected it could also inspire a fundamental transformation in the idea of identity and trust.

Yet, the relationship between money and identity had already been explored by many experts, such as David Birch, the author of Identity is the New Money, who in 2014 analysed how identity and money were profoundly and equally changing. Additionally, at the 2015 Internet Identity Workshop, several sessions were held on “blockchain identity”.
That event opened the discussion on the potential applicability of Blockchain to create a distributed and scalable system for identity management.

But what is the role of decentralization?

The evolution of internet identity models can provide a thorough explanation.

Three Models for Digital Identities: centralized, federated and decentralized

The centralized model is the easiest to explain because it is the original form of digital identity, as well as the one that, in many cases, we still use today. In this model, all identifiers and credentials (e.g., passports, ID cards, social media handles) are issued by central authorities or service providers. It is also called the account-based identity model.

So, one might ask what the problem is with this model, considering that we are still using it today and that this should imply that it is all right. Not exactly. The user’s identity exists only as long as the corresponding account resides in some centralized system. Users do not have control over their identity.

Besides, as a customer, users have to remember several credentials, one for each app or service. This can easily lead to forgetting or reusing passwords, causing security loopholes.

With the federated identity model, a third-party company or consortium (identity provider) is added between the user and the central authority.

Why do we call it “federated”? Because the identity provider (IDP) gives the user a single identity account with which they can access any site or app that uses that IDP.

This model has also assumed the connotations of a user-centric model within the consumer environment. A common example of this model is “social login” on the Web using a social media account (e.g., Facebook, Twitter, Google) to access a third-party service.
One of the downsides of the IDP model is that no single identity provider works with all sites, services, and apps. Therefore, users need accounts with multiple IDPs, that is, multiple digital identities for the services they interact with. Practically, that means users will end up forgetting which IDP they used with which site.

Examples of social login buttons

Could the downsides of the previous two models described be mitigated by the self-sovereign identity model?
The answer is yes. In this model, there is no central authority needed to allow the system to work. Conversely, identity and its related claims (i.e., anything «linkable» to an identity, such as a diploma) are given back to the user.

This system works like identity in the real world, as it is based on a direct relationship between a user and another party as peers. This means that any peer can connect to any other peer anywhere.
And how does Blockchain technology allow this model to work as an identity layer?

It is possible by leveraging the key characteristics of Blockchain, that is, decentralization, immutability and transparency. Blockchain is indeed a shared ledger which uses a consensus mechanism to achieve trust and maintain security across the underlying decentralized protocol.
Self-sovereign identity is a set of technologies that build on core concepts in identity management (decentralized identifiers and verifiable credentials), cryptography (public/private key) and blockchain.

What about the underlying technology of the SSI model?

Blockchain technology, Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) are the three pillars of Self-Sovereign Identity.[1]

Let’s see them in further detail.

First, the SSI model is based on the use of Decentralized Identifiers (DIDs) that are fully under the control of the DID subject, independent from any centralized registry, identity provider, or certificate authority. They allow for the creation of unique, private and secure peer-to-peer connections between two parties.
“DIDs are a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID.”[2]

Second, as conceptualized and standardized by the W3C, the Verifiable Credentials Protocol is another necessary backbone of the SSI system. “Verifiable credentials represent statements made by an issuer in a tamper-evident and privacy-respecting manner.” [3]

By using verifiable credentials, entities act as central actors controlling everything related to their identity in a “digital wallet” (similar to a physical wallet) that contains verifiable claims (e.g., diplomas, passports). These verifiable credentials are digitally signed and can cryptographically prove:

1. Who (or what) is the issuer;

2. To whom (or what) it was issued;

3. Whether it has been altered since it was issued;

4. Whether it has been revoked by the issuer.[4]

Source: W3C

Essentially, VCs are:

standardized, as VCs follow the W3C Verifiable Credentials standard so they can be used and recognized worldwide;
tamper-evident, as they are cryptographically signed by trusted authorities, so any alteration can be detected;
sovereign, as they allow users to have control of their identities;
portable, as users are not limited to using the VC within the issuer’s ecosystem (e.g., a national ID within e-government services).

With Verifiable Credentials, credential holders (i.e., each of us!) can manage and share their identity credentials stored in the digital wallet and use them to immediately prove their identity and access digital or in-person services.

Likewise, organizations (e.g., universities, banks, etc.) can automatically verify user identities to prove their legal validity.

And right there the blockchain infrastructure plays a leading role. The verifying parties do not need to check the validity of the actual data in the provided proof but can rather use the blockchain to check the validity of the attestation and attesting party (such as the government) from which they can determine whether to validate the proof.
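The four checks listed above, with the verifier consulting a shared registry rather than contacting the issuer, as an added Go example (not code from the original article or from any SSI library). The credential layout, the did:example identifiers and the in-memory maps standing in for the ledger are assumptions made for illustration, and the presenter is assumed to have already proven control of its DID.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is a simplified stand-in for a verifiable credential (constructed for this example).
type Credential struct {
	ID, Issuer, Subject string            // Issuer and Subject are DIDs
	Claims              map[string]string // e.g. a diploma
	Proof               []byte            `json:"-"` // issuer signature, excluded from the signed bytes
}

// payload returns the bytes that get signed; json.Marshal sorts map keys, so the output is deterministic.
func payload(c Credential) []byte {
	b, _ := json.Marshal(c)
	return b
}

// Issue attaches the issuer's Ed25519 signature to the credential.
func Issue(c Credential, priv ed25519.PrivateKey) Credential {
	c.Proof = ed25519.Sign(priv, payload(c))
	return c
}

// Verify runs the four checks; keys (issuer DID -> public key) and revoked (credential IDs)
// stand in for what a verifier would read from the shared ledger. It never contacts the issuer.
func Verify(c Credential, presenter string, keys map[string]ed25519.PublicKey, revoked map[string]bool) string {
	pub, known := keys[c.Issuer]
	switch {
	case !known: // 1. who is the issuer, and is it registered?
		return "unknown issuer"
	case !ed25519.Verify(pub, payload(c), c.Proof): // 3. altered since it was issued?
		return "altered or not signed by issuer"
	case c.Subject != presenter: // 2. to whom was it issued?
		return "not issued to presenter"
	case revoked[c.ID]: // 4. revoked by the issuer?
		return "revoked"
	}
	return "ok"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	keys := map[string]ed25519.PublicKey{"did:example:uni": pub}
	vc := Issue(Credential{ID: "vc-1", Issuer: "did:example:uni", Subject: "did:example:alice", Claims: map[string]string{"degree": "MSc"}}, priv)
	fmt.Println(Verify(vc, "did:example:alice", keys, map[string]bool{}))
}
```

The verifier only compares a signature against a key it looked up in the registry, which is why changing a single claim, presenting someone else's credential, or using a revoked one each fails at a different step.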

Conclusion

The purpose of this article was to shed light on the SSI model, highlighting its pros in comparison to other identity management models. SSI is indeed rooted in the belief that individuals have the right to an identity independent of reliance on a third-party identity provider (e.g., the state or any other central authority).
Furthermore, this analysis aimed to show that, like most other technologies, SSI stands on the shoulders of giants. Yet, even though the self-sovereign model has been tied to the use of blockchain and has been implemented as blockchain adjacent, it is not a blockchain-dependent identity management system; conversely, this system is guided by the fundamental principle of user-centric design and based on technical standards.

I am aware that, when it comes to analysing the benefits of the SSI, other competing social interests like user privacy, security and law enforcement should be taken into account. However, my intention was not to conduct a thorough and comprehensive analysis of the subject; on the contrary, I briefly introduced this new model to leave the discussion of its (legal) implications to another article.

This is not the end; indeed, the journey towards a decentralised identity system has just begun. And the best is yet to come.

********

Thanks to the DLT Talent program (DLTT), an 18-week mentoring program to empower young female talent for leadership in the blockchain space. More information about this program can be found here: http://www.dltt.io.

********

[1] Verifiable Credentials Data Model v1.1 — Expressing verifiable information on the Web https://www.w3.org/TR/vc-data-model/.

[2] https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186.

[3] The foundation concepts of SSI were officially brought to life when the Credentials Community Group was created under the international organization World Wide Web Consortium (W3C) which generates standards and recommendations for the Internet.

[4] Decentralized Identifier Resolution (DID Resolution) v0.2 — Resolution of Decentralized identifiers (DIDs), Draft Community Group Report 02 February 2022, https://w3c.github.io/did-core/.

© 2024 Generation Blockchain. All rights reserved.