Disclaimer: Expert advice for this material was provided by Stepan Gershuni, author of the Telegram channel CryptoEssay.
What is sovereign identity?
Self-Sovereign Identity (SSI) is a set of personal information that a person can manage, share with any individual or public institution, and revoke access to at any time.
The SSI system is based on decentralized technological architectures and is designed to prioritize security, privacy, individual autonomy and the user's capacity for self-realization.
What opportunities does sovereign identity offer?
SSI enables universal, lifelong digital identities that are independent of centralized providers. The economic benefits of this technology derive from the following unique features of SSI:
- Reducing the cost of issuing and verifying documents.
- Standardization of information – introduction of universal data standards.
- Fraud prevention – cryptographic signatures are hundreds of times more secure than physical signatures.
- Decentralized storage of encrypted data is less vulnerable than giant centralized databases.
- Context unification – the ability to programmatically combine data from different sources for content verification and auditing purposes.
- Instantly validate data against privacy requirements – Users control access to their information, enabling SSI systems to meet information protection requirements.
- Personalization – users can create a portfolio of preferences or achievements and use it to receive individual services.
What problems does SSI solve?
The digital world, with its many interconnections, requires a new type of document – open and accessible to every user, natively digital, available on a personal computer or phone, permanent, provable and not requiring the user’s dependence on the supplier.
As an alternative to social media, banks, and government agencies, SSI offers a one-size-fits-all solution that can bring together applications and allow you to share data.
The pre-established nature of standards facilitates their adoption and reduces the cost of maintaining and developing them. Unlike traditional models that require hundreds or thousands of API integrations, SSI requires a document schema to be set up only once, after which it is immediately available to any third party. Although the schemas are public, any personal data can only be shared with the express permission of its owner.
Another advantage of combining isolated storage systems is that it allows you to benefit from raw data. For example, a worker who always arrives at the factory on time can confirm his punctuality to the future employer. A student who has completed thousands of homework assignments can build a personalized learning strategy by the time he enters the university.
Inefficient document processing
As a rule, the value of any certificate (certifying document) lies not in the content of the document, but in the services, products and opportunities that open up to its owner. For example, to find a job or get a research grant, you may need a diploma of education; to get a credit card or create a corporate bank account, financial data is required, etc.
To increase the speed of service delivery and make them more convenient, it is necessary to automate bureaucratic systems. Verification and accumulation of identification data, as well as work with documents should be carried out by an algorithm, not a person. Automation streamlines, modernizes, standardizes and speeds up the process, as well as solves the problems of corruption, discrimination and personal bias.
As the number of bureaucratic systems using verifiable identities and SSIs grows, trust in the process will increase. For example, after the bank has completed a review of business reputation and KYC compliance, the client can use the results to receive another service from another organization, provided that this organization trusts the bank.
To scale and automate existing trust systems even more, it is necessary to implement a standard that is native to both humans and machines. With the increasing number of documents that are produced and verified using software, the need for standardized machine-readable data formats increases.
Data standardization also solves the problem of integrating different data providers and verification parties. Instead of creating one-to-one API integrations, an expensive and time-consuming process, the entire industry or country can adopt a shared data format backed by verified identities.
End users and regulators are attaching increasing importance to data protection. Business is forced to take into account the requirements of regulators – the California Consumer Data Protection Act, the General Data Protection Regulation of the European Union, the US Federal Law on Information Security Management and many others.
Compliance with the EU General Data Protection Regulation will cost Fortune Global 500 companies $7.8 billion a year, and compliance with the California Consumer Data Protection Act will cost American businesses $55 billion.
SSI technology allows you to implement all the functions of privacy protection: transparent use of data, the right to be forgotten, audit of data use, management of regulatory approvals through version control systems.
In the digital age, SSI may be the solution to the problem of “surveillance capitalism.” If users are able to control their personal data and choose with whom to share it and when to revoke access, then this data cannot be used for criminal purposes. Internet companies will not be able to monetize their users without unequivocal permission from the latter. In addition, they will be obliged to share profits with users. Online business will change its paradigm: from the desire to get the maximum amount of user data, it will move to providing the best service.
How did sovereign identity come about?
According to a number of researchers, the concept of sovereign identity appeared as a result of an attempt to implement the Westphalian system of international relations at the individual level. This system arose in Europe on the basis of the Peace of Westphalia as an agreement that summed up the Thirty Years’ War, which ended in 1648. The key principles of the Peace of Westphalia (sovereign statehood, self-determination and direct self-government) are still in force.
The ideological progenitor of SSI was the concept of self-sovereign authority. The bearers of the concept believed that the possibility of independent (sovereign) self-government is an “innate” distinctive feature of human nature. It was present even before the “registration” process that makes participation in public life possible. The act of “registration” implies that a publicly controlled process of administration is necessary for identity to exist. At the same time, society is considered as the owner of identity, and the individual as a kind of product of socio-economic administration.
Identity management is key to achieving digital sovereignty, i.e., the ability of individuals to take actions and make decisions in an informed and independent manner, as well as control over their own data, devices, software, computing and other technologies.
Often, the term “sovereign identity” is used interchangeably with expressions such as “decentralized identity” and “digital identity.”
Digital identity, which is expressed and stored in digital form, began to develop simultaneously with the invention of the Internet. Domain names, e-mail addresses, social media accounts are samples of digital identity, without which the daily life of a modern person is impossible.
How does the SSI architecture work?
Digital identity consists of three elements: a decentralized identifier (DID), an authentication system and a certification system through Verifiable Credentials.
In addition to these elements, SSI includes DKMS, a Decentralized Key Management System. It manages private keys by using a digital signature.
Decentralized Identifier (DID)
A DID is a machine-readable identifier for any person, organization, or item. With it, you can confirm control over digital identity and issue or receive verifiable identification data.
A user can have many identifiers (for business, for government, for close friends). As a rule, identifiers are free, they are easy to generate and control.
Verifiable credentials are documents and facts issued by one DID (the issuer) and then sent to another (the owner). The issuer and the owner may be the same entity, although this is usually not the case. Depending on the use case, a verifiable credential can be either the simplest piece of data (confirmation of an email address, phone number, or physical address) or a relatively complex structure such as a bank statement.
Four SSI elements form the stack architecture:
- at the first level, identity is fixed;
- at the second level – interaction with the basic distributed registry and storage of user data and private keys;
- at the third level, the use of second-level data to authenticate the user’s identity.
After successful authentication, at the Verifiable Credentials level you can send various identification documents to confirm the user’s identity. The interaction between layers resembles the operation of the TCP/IP protocol suite. Each layer has its own protocols and specifications.
Which SSI organizations exist?
Because SSI requires close interoperability and coordination of a series of protocols, the progress of the technology depends on a unified specification and a well-developed protocol. They can be provided by non-profit specialized organizations, such as:
These organizations have been working fruitfully over the past five years. The most active of them is RWoT. Since 2016, the organization has published 56 white papers, as well as many technical specifications and open-source code.
The RWoT technical specifications were submitted to the W3C and IETF for further specification. The draft DID specification is largely based on the work of RWoT (even the term SSI itself was created in RWoT).
What specifications are used in the SSI architecture?
1. Decentralized identifier (DID)
DID is the lowest and most critical layer of the SSI architecture. It is responsible for writing/reading the identity in the distributed ledger. Consisting of letters and numbers, the decentralized identifier is unique and tied to a DID document in a specific distributed ledger.
DID consists of the following components:
- DID methods are identifiers placed in a decentralized identifier and used to resolve each DID. Each registry has a specific DID method and corresponding rules for creating/transferring a document. For example, an identifier registered in Ethereum will be in the format did:eth:12345. For a resolution engine to determine a DID method, it must be registered with the W3C.
- DID document. A distributed ledger can be thought of as a key-value database. A DID is a key, and a DID document written to the distributed ledger serves as the corresponding value. A DID document contains a public key representing an identity, an authentication method, service endpoints capable of interacting with that identity, and so on.
- The DID resolution engine (resolver). It lets a higher-level protocol easily look up a DID document. The resolver can parse various DID methods and then return the result to the higher level, so the upper protocol does not need to know the details of how the document is parsed.
2. Decentralized Key Management System
DKMS is the primary interface that allows you to use SSI. In addition to communicating with the underlying DID, it should provide identity data storage, backup of private keys, and so on.
In terms of specifications, DKMS can be divided into three sublayers:
- The DID level is responsible for communicating with the downstream distributed ledger to perform a DID lookup.
- The cloud layer is responsible for storing personal data for use by upstream protocols.
- The boundary layer is responsible for managing private keys.
3. DID authentication
There is no single standard for the DID authentication specifications yet, but RWoT has published many documents that address standardization.
The DID authentication system performs one task: it allows users to prove that they control an identity. All that is required is to prove that the user owns the private keys that correspond to the SSI public keys. Once authentication is complete, it is possible to create a communication channel through which individuals can exchange verified identities and other resources.
There are various authentication protocols – OAuth, OpenID and others. Similar to these protocols, the DID authentication system uses a challenge-response model: the verifying party makes a request, the ID owner responds, and the verifying party confirms the authenticity of the answer.
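The resolution and challenge-response steps described above, as an added Node.js example that is not part of the original article or of any SSI project. The `did:example` method, the in-memory ledger and all function names are assumptions made for illustration; Ed25519 is chosen here as the signature scheme.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed in-memory stand-in for distributed ledgers: one key-value
// store (DID -> DID document) per DID method. "example" is an assumed method.
const ledgers = new Map([["example", new Map()]]);

// Split "did:<method>:<method-specific-id>" into its parts.
function parseDid(did) {
  const m = /^did:([a-z0-9]+):([A-Za-z0-9._-]+)$/.exec(did);
  if (!m) throw new Error(`malformed DID: ${did}`);
  return { method: m[1], id: m[2] };
}

// Pick the ledger that belongs to the DID's method.
function ledgerFor(did) {
  const ledger = ledgers.get(parseDid(did).method);
  if (!ledger) throw new Error(`unsupported DID method in ${did}`);
  return ledger;
}

// Resolver: the DID is the key, the DID document is the value.
function resolve(did) {
  const doc = ledgerFor(did).get(did);
  if (!doc) throw new Error(`DID not found: ${did}`);
  return doc;
}

// Holder: generate a key pair and publish only the public key in the DID document.
function createIdentity(did) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  ledgerFor(did).set(did, {
    id: did,
    authentication: [publicKey.export({ type: "spki", format: "pem" })],
  });
  return privateKey; // stays with the holder
}

// Verifier: issue a fresh, single-use challenge bound to the DID being claimed.
const pending = new Map(); // nonce -> DID it was issued for
function issueChallenge(did) {
  const nonce = nodeCrypto.randomBytes(32).toString("hex");
  pending.set(nonce, did);
  return nonce;
}

// Holder: respond by signing the challenge with the private key.
function respond(nonce, privateKey) {
  return nodeCrypto.sign(null, Buffer.from(nonce), privateKey);
}

// Verifier: reject unknown or replayed nonces, then check the signature
// against the keys listed in the resolved DID document.
function verifyResponse(did, nonce, signature) {
  if (pending.get(nonce) !== did) return false;
  pending.delete(nonce); // a challenge is valid once
  return resolve(did).authentication.some((pem) =>
    nodeCrypto.verify(null, Buffer.from(nonce), pem, signature));
}
```

Deleting the nonce before the signature check means a captured response cannot be replayed, and a failed attempt also consumes its challenge.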
4. Verifiable Credential (VC)
VC is the earliest and most mature specification in the SSI architecture. As a high-level SSI protocol, it has only one purpose: it replaces all identification documents in the user’s wallet.
A VC is a cryptographically secure digital certificate that can be used in a variety of applications. With VC, identity is a single entity. It is fully controlled by the owner, who, depending on the use case, can present certain identification documents.
VC consists of three parts:
- A statement about the subject that describes a subject-property-value relationship. For example, the phrase “Alice is a student at a school” describes Alice as a student.
- Certificate metadata contains additional information about the certificate: type, issuer, issue time, and so on.
- Proof: the issuer’s digital signature certifying the content.
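The three parts listed above, issued and then verified, as an added Node.js example that is not part of the original article. The credential layout is a simplified, constructed one rather than the W3C serialization; the DIDs, the `StudentCredential` type, the `issuerKeys` map (standing in for key lookup through the issuer's DID document) and all function names are assumptions.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed stand-in for the ledger: issuer DID -> public key from its DID document.
const issuerKeys = new Map();

// Deterministic JSON (sorted keys) so issuer and verifier sign and check the same bytes.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
  if (value && typeof value === "object") {
    return `{${Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`).join(",")}}`;
  }
  return JSON.stringify(value);
}

// Issuer setup: publish the public key, keep the private key.
function registerIssuer(did) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  issuerKeys.set(did, publicKey);
  return privateKey;
}

// Issuer: build claim and metadata, then sign both to produce the proof.
function issueCredential(issuerDid, issuerKey, subjectDid, property, value, issued) {
  const credential = {
    claim: { subject: subjectDid, property, value },
    metadata: { type: "StudentCredential", issuer: issuerDid, issued },
  };
  const signature = nodeCrypto.sign(null, Buffer.from(canonical(credential)), issuerKey);
  // "Ed25519" is a simplified proof label used only in this example.
  return { ...credential, proof: { type: "Ed25519", signature: signature.toString("base64") } };
}

// Verifier: strip the proof, recompute the signed bytes and check them against
// the key published for the issuer named in the metadata.
function verifyCredential(vc) {
  const { proof, ...credential } = vc;
  const key = issuerKeys.get(credential.metadata?.issuer);
  if (!key || !proof?.signature) return false; // unknown issuer or missing proof
  return nodeCrypto.verify(null, Buffer.from(canonical(credential)), key,
    Buffer.from(proof.signature, "base64"));
}
```

Because the metadata is covered by the signature, changing the issuer field to another registered issuer fails verification just as changing the claim does.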
How is SSI evolving?
Over the past few years, the SSI ecosystem has been developing rapidly – new applications, protocols, specifications are emerging.
Products and pilot projects based on this technology are launched by government agencies, corporations and universities: the US Department of Homeland Security, the Commission of the European Union, Europass, the World Bank, the World Economic Forum, the Massachusetts Institute of Technology, Harvard University, the University of Berkeley, the National Health Service of Great Britain, the Immigration and Border Protection Authority of Singapore, IBM, Microsoft, SAP, Oracle, governments Finland, Canada, South Korea and many others.
In March 2021, Microsoft launched the ION decentralized identity solution on the open-source Bitcoin blockchain. The technology will allow users to identify themselves in order to gain access to certain information. If you delete your account, you will continue to have access to the services associated with your account. By analogy with signing transactions on the network of the first cryptocurrency, DID is proof of ownership. Individual ION nodes are responsible for monitoring identifiers and entering timestamps into the blockchain.
In April 2021, the company behind the Cardano cryptocurrency, IOG (formerly IOHK), and the Government of Ethiopia entered into agreements to deploy the Decentralized Identification System Atala PRISM in this country. The solution will be implemented in 3500 schools in Ethiopia to protect against unauthorized access to the records of the academic performance of 5 million students. The IOG believes that Cardano and Atala Prism will “democratize social and financial services for 1.7 billion Africans.”
Cooperation with IOG will launch the implementation of the government’s strategy “Digital Ethiopia 2025”, within the framework of which the authorities have introduced a national identification standard. Atala PRISM was the first system for issuing certificates based on it.
The number of end-user applications is not yet as large as one would expect from a technology potentially targeting billions of users.
What are the obstacles to the development and adoption of SSI?
The following obstacles arise on the way to the mass adoption of sovereign identity technology:
- There is no flexible integration of digital wallets and support services, which is necessary so that the user can control the process of restoring certificates and data in case of their loss.
- Existing data protection regulations do not apply to SSI. Lawyers, notaries and regulators often have a vague understanding of this technology, which hinders the creation of a regulatory framework.
- An underdeveloped ecosystem of digital wallets designed to connect users to the decentralized SSI infrastructure.
- Mass adoption of SSI requires convenient and intuitive solutions from private business and government agencies.
- There is no full market for SSI-compliant applications.
- Governments are in no hurry to facilitate the transition to SSI: they do not issue SSI-compliant national ID-documents, do not create the necessary technological frameworks and regulatory frameworks.
- Currently, the key recovery process is not independent, fast and efficient enough.
- Because the SSI depends on an immutable and decentralized ledger that stores cryptographic proofs of data, privacy can suffer if not only the evidence is stored in that public ledger, but also the data itself. Decentralized registries and blockchain networks do not have to store documents and sensitive information in the same way as traditional databases do. They can only be used to store evidence of such data.
- The use of public, decentralized and immutable data registers requires considerable efforts to ensure the pseudonymity of data and identifiers. Personal data should not be placed in public registers.
- DID and VC standards must continue to be developed, adopted and recommended by standards development organizations (SDO) such as IEEE, ISO, ITU and NIST.
- An adequate regulatory policy is needed for electronic signatures, transactions and digital certificates.
- The right to be forgotten must be respected. According to Article 17 of the EU General Data Protection Regulation (GDPR), in certain circumstances, “the data subject should have the right to erasure of data concerning him by the party controlling them.”
- Scaling SSI solutions requires efficient decentralized ledgers. The modern ecosystem of unregulated decentralized registries and blockchain networks, devoid of interoperability, is far from ideal. Attempts to create public regional networks – EBSI in Europe and LACChain in Latin America – have been quite successful.
- Framework trust programmes: National and private framework programmes should be developed to establish the level of safeguards for e-services. Qualified identity providers should also be certified – for example, eIDAS in the European Union.
- Biometrics has great potential in the context of identity verification and authentication, but is not yet widely used.
Reasons why traditional business models don’t work in SSI:
- You can’t sell data. In the case of SSI, the user’s verification data, documents and personal data do not belong to the platform – they do not even belong to the issuers and verifiers. It is necessary to obtain permission from the verifying party for any operations with data, which cannot be done without the permission of the user – this violates the principles of SSI.
- The sale of online advertising depends mainly on the quality and quantity of user data owned by the platforms. The amount of advertising revenue generated by Google, Facebook and Twitter is determined by the reliability of user profile data and the effectiveness of algorithms that determine the target audience of advertising. Adopting SSI will make such a relationship impossible.
- While many SSI applications generate data that can be used to create different markets (for example, labor markets in which employers are interested in applicants whose diplomas are backed by digital certificates), in practice there is an obstacle – the need to obtain the consent of the data owner for its use by a third party.
- Since the industry is only developing, SSI companies should not charge users for a number of operations – creating DID documents, signing digital certificates, etc. Otherwise, the level of demand for data and their supply will decrease, which will slow down the process of adopting the technology.
- You should not charge for absolutely all SSI user interactions. Ideally, the provider should be able to distinguish between operations and transactions that are of value to users and receive commission fees only from them.