In this blog article, Martin Schäffner, the initiator of the EuSSI Working Group of the European Blockchain Association and expert in Self-Sovereign Identity, explains the concept of Self-Sovereign Identity and how it differs from conventional digital identities. He focuses on the basic idea of SSI, the technology it uses, and the remaining challenges in the SSI ecosystem.
Problems of Today’s Digital Identities
Many of today’s websites require the user to create an account or authenticate with an existing account from an Identity Provider (IDP) like Google or Facebook. This causes three major problems.
• Firstly, the account is stored solely on the website’s backend, so the user essentially only borrows it. The website’s maintainers can restrict, block, or even delete the account, and the user has barely any control over their identity on that website.
• Secondly, websites need to store the account information in their databases, which creates data silos that are attractive targets for cyberattacks. The website has to give the user the functionality to manage this data, protect it from unauthorized third-party access, and provide and maintain a secure infrastructure. If the user doesn’t reuse an account from an IDP like Google, the user has to create yet another identity and remember another password.
• Thirdly, knowledge of the user’s behavior is lucrative information for third parties like advertising providers, who pay a lot of money for it. As a result, every step of the user is closely monitored and analyzed to target advertisements at the user as precisely as possible. The user often does not have any means to stop this data exploitation.
Potential of SSI
Self-Sovereign Identity (SSI) intends to give the user an alternative to conventional digital identities where the user is in full control and other services need to request access to this identity information. As a result, the user can decide by herself which information is being shared with others and for how long.
SSI relies on cryptographic key pairs, which are often based on or compatible with blockchain technologies. This allows private and encrypted message channels to be established between two or more parties. Attestations about an identity in the form of Verifiable Credentials (see below) are not stored on the blockchain but solely on the holder’s device(s). These credentials can be shared with third parties fully, partially, or in combination with other credentials, and they are cryptographically signed, which allows for Zero-Knowledge Proofs. To avoid identity correlation, users can create a new identifier for each connection with others and manage these identifiers inside their wallet. As a result, SSI is considered highly privacy-preserving.
Furthermore, SSI is not only for persons but for any digital actor like IoT devices, companies or digital agents. They all agree on standardized technologies and formats which enable seamless integration in every sector of the internet that requires a form of digital identity (so almost everywhere).
Blockchain and other Distributed Ledger Technologies play a fundamental role in SSI. They enable the creation of Decentralized Identifiers (see below) in a censorship-resistant manner. Additionally, blockchains serve as a root of trust on which issuers can publish their DIDs or their revocation registries to simplify the verification process for verifiers. However, the underlying technology does not need to be a blockchain and is therefore often generalized as a Verifiable Data Registry.
The center of SSI is the Decentralized Identifier (DID) standard. A DID is a representation of an identity and links to a DID document that contains information about the public keys authorized for this DID and the service endpoints that are necessary to establish a connection. A DID Method describes how a DID is generated on a specific blockchain. Today, almost 100 of these DID Methods are registered, among them popular blockchains like Bitcoin and Ethereum as well as blockchains like Hyperledger Indy, which are solely focused on Self-Sovereign Identity.
Figure 1: A simple example of a Decentralized Identifier according to the DID Data Model (Source)
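The following added example (not part of the original article) shows how a verifier could read a DID document: it checks the DID syntax, confirms the document belongs to the expected DID, and returns only the keys listed under the `authentication` relationship, plus the service endpoints. The function names are hypothetical, and the sample document is constructed with placeholder key values under the `did:example` method.

```python
import re

IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
# DID syntax from W3C DID Core: did:<method-name>:<method-specific-id>
DID_RE = re.compile(rf"did:([a-z0-9]+):((?:{IDCHAR}*:)*{IDCHAR}+)")

def parse_did(did):
    """Return (method, method_specific_id); raise ValueError if malformed."""
    m = DID_RE.fullmatch(did)
    if m is None:
        raise ValueError(f"not a valid DID: {did!r}")
    return m.group(1), m.group(2)

def _absolute(ref, did):
    """Expand a relative DID URL such as '#key-1' against the document's DID."""
    return did + ref if ref.startswith("#") else ref

def authentication_keys(doc, did):
    """Map key id -> verification method for keys allowed to authenticate as did."""
    parse_did(did)
    if doc.get("id") != did:
        raise ValueError("document describes a different DID")
    declared = {_absolute(vm["id"], did): vm for vm in doc.get("verificationMethod", [])}
    allowed = {}
    for entry in doc.get("authentication", []):
        # An entry is either an embedded method (dict) or a reference (string).
        vm = entry if isinstance(entry, dict) else declared.get(_absolute(entry, did))
        if vm is None:
            raise ValueError(f"authentication entry {entry!r} resolves to no key")
        allowed[_absolute(vm["id"], did)] = vm
    return allowed

def service_endpoints(doc):
    """Map service type -> endpoint URL, as a connecting party would look it up."""
    return {s["type"]: s["serviceEndpoint"] for s in doc.get("service", [])}

# Constructed sample: the DID, key values and endpoint are placeholders.
SAMPLE_DID = "did:example:123456789abcdefghi"
SAMPLE_DOC = {
    "@context": "https://www.w3.org/ns/did/v1",
    "id": SAMPLE_DID,
    "verificationMethod": [
        {"id": SAMPLE_DID + "#key-1", "type": "Ed25519VerificationKey2020", "controller": SAMPLE_DID, "publicKeyMultibase": "z-CONSTRUCTED-1"},
        {"id": "#key-2", "type": "Ed25519VerificationKey2020", "controller": SAMPLE_DID, "publicKeyMultibase": "z-CONSTRUCTED-2"},
    ],
    "authentication": ["#key-1"],                 # only key-1 may authenticate
    "assertionMethod": [SAMPLE_DID + "#key-2"],   # key-2 may only sign credentials
    "service": [{"id": "#inbox", "type": "DIDCommMessaging", "serviceEndpoint": "https://agent.example/inbox"}],
}
```

A key that appears in `verificationMethod` but not in `authentication` (here `#key-2`) is deliberately excluded, so a signature made with it is not accepted as proof of control over the DID.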
Verifiable Credentials is the second standard in the SSI ecosystem; it enables attesting information to a specific DID. A classic example of a Verifiable Credential is a digital version of an ID. A governmental authority creates a credential that contains the name, address, date of birth and further details about the person. This document is then signed and issued to the holder of the credential, who stores it on their device. A third-party verifier, for instance a bank, requests this information in the form of a verifiable credential to open a bank account for the user. The user accepts the request and presents the requested information to the verifier. The verifier automatically validates the signature and the shared attributes and, if all criteria are met, opens the bank account for the user.
The figure below displays the three roles in an SSI ecosystem and its major processes:
Figure 2: Verifiable Credential Roles and Processes according to the W3C Verifiable Credential Data Model (Source)
Unfortunately, humans have a habit of losing their private keys and everything that could help them recover those keys. The loss of a private key would result in the loss of a digital identity, which should be prevented. This is still an unsolved issue, even though some promising approaches exist.
Further, there is a need to protect private keys by law, as they are a crucial piece of infrastructure. Private keys cannot be sent securely over the internet, as only one bad actor is enough to compromise the identity and make it useless. According to Christopher Allen, one way of protecting the private key is to create a law that prohibits the state from compelling a person to produce a private key.
Private keys also deserve special protection within SSI wallets. They should not be stored unencrypted in an SSI wallet architecture’s storage but in a safe container to which only the wallet has access. Providing ways to securely store private keys is a task for the producers of smartphones and computers.
Public adoption is also still an unsolved issue. Most parts of the technology are ready for public adoption, but it is left to governments to provide trustworthy information in the form of verifiable credentials, and up to the market to adopt it into their solutions.
Self-Sovereign Identity has all it needs to be the missing identity layer on the internet. It builds upon standards like DIDs and related formats and Verifiable Credentials, which were specially developed for the SSI ecosystem and allow the user to create an arbitrary number of identifiers and to assert information to them. Users will have the chance to take control of their identifiers and the information asserted to them, which is an innovative and privacy-preserving way to interact on the internet.
However, a completely secure key backup and recovery mechanism is still missing, as is critical private key storage infrastructure on the user’s device. Once these barriers are out of the way, it is up to users and websites to accept and support SSI technology.
For more insights on SSI, please also see Martin’s presentation at the Israeli Chamber of Information Technology: