In a previous blog post, we gave an introduction to Self-Sovereign Identity (SSI), a principal approach for how to create digital identity systems that protect and safeguard individual identity while allowing trustful interactions, without relying on centralized identity management systems.
In this article, we follow up on this by exploring the foundational elements of a concept that is aimed more at facilitating the practical implementation of decentralized identities and decentralized identity systems.
Self-Sovereign Identity (SSI) is in itself technology neutral and does not give the answers on how to implement identity technology that meets the SSI objectives. What it does is set a high bar to aspire to for any identity system or framework that wants to put user integrity and self-determination at the center.
In the realm of blockchain-based developments, there is a growing movement to realize the objectives of Self-Sovereign Identity (SSI), using the advantages that Blockchain brings in terms of e.g. immutability (tamper-proof data), decentralized coordination and secure transactions, all of which have been instrumental when creating cryptocurrencies and other distributed ledgers.
The movement has created many relevant technologies and there is a growing movement that attempts to create standards for the key building blocks within a unified framework.
This movement is often referred to as Decentralized Identity. It is still not a set paradigm and there are important challenges remaining until we can expect widespread adoption. However, it is likely that at least some of the building blocks forming the current iteration of Decentralized Identity will be relevant for future digital identity systems.
As already mentioned, Decentralized Identity is conceived of as an integrated system built on blockchain technology. However, it is made up of separate building blocks that can create value when managing identity, even if not leveraging an actual blockchain to store and share immutable data.
There are also different actors operating in this system to prove and share identity data and other relevant data about individuals, organizations, objects and similar.
The main actors in the Decentralized Identity system are the Issuer, who verifies claims and issues Verifiable Credentials; the Holder, who stores credentials in a personal identity wallet and decides what to share; and the Verifier, who requests and checks credentials.
The actors engage in the Decentralized Identity system using a set of building blocks: Private and Public keys, Verifiable Credentials, Decentralized Identifiers and blockchains. Decentralized identity systems may contain some or all of these building blocks today, interacting to form decentralized identity solutions.
A fundamental concept of any blockchain system is the existence of cryptographic keys, which together make it possible to create tamper-proof connections between the public ledger and privately held information stored in a Holder's wallet.
These may for example serve as a protection against data breaches and identity theft. They keep personally identifiable information out of the wrong hands, since the data cannot be accessed without the right cryptographic keys.
An actor in the system can use the blockchain to establish contact with other actors who want to access privately held resources, e.g. data. The Public key will point to the specific Holder of a resource and the Private key will be used by the Holder to give access to the resource. This gives actors in the system the ability to securely do transactions, e.g. transferring tokens, sharing data, giving access.
A core part of building an identity is to have an external, trusted authority that issues Verifiable Credentials, i.e. verifies claims about the person. Such a credential can be any type of personally identifiable information, e.g. a name, a diploma, a license or similar.
The Issuer creates a Verifiable Credential for the Holder by compiling the relevant identity information, signing the credential with its own Private Key and then sharing it with the Holder. The Holder stores its Verifiable Credentials in a personal Identity Wallet. These digital credentials can then be used as digital identifiers and as such also give rights to users for example to prove eligibility or sign transactions.
A Decentralized Identifier is an emerging standard with which a user can choose parts of the identity held in the decentralized identity wallet and then create a document (pointed to via a URL) that sets rules for how this information can be retrieved. When a Decentralized Identifier points to a Verifiable Credential signed by an Issuer, it becomes proof that the user has possession of this Credential.
A user can create a Decentralized Identifier, point a Verifier to it, and then give access to the data via the Decentralized Identifier, e.g. with the user's Private Key. Properly implemented, a Decentralized Identifier does not contain sensitive information such as Verifiable Credentials but only works as a method and rule set for how a Verifier can find and request access to data.
Decentralized Identifiers work as globally unique identifiers for specific data sets for Holders, but a Holder can have many Decentralized identifiers in parallel for different data sets and Verifiers.
Neither Verifiable Credentials nor Decentralized Identifiers require a Blockchain to be useful, but they are designed to be compatible with Blockchain technology. Decentralized Identifiers can be stored on a Blockchain with a Public Key that allows Verifiers to find and request access to the information that the Holder has and wants to share, and also makes it possible for Issuers to revoke Verifiable Credentials directly.
The advantage of using Blockchain is that it creates transparency and a tamper-resistant system for identity data, without centralized authorities. Done right, it also allows different parties who engage in contracting to prove that the other parties have acted in a certain way, e.g. signed a document or given consent to sharing data (a feature called non-repudiation).
To illustrate the previous discussion let's take a look at an example of decentralized identity management in issuing diplomas of education. This will show how the different actors and building blocks mentioned above can interact around decentralized digital identity.
Let's assume that a university is using decentralized identity technology to create Verifiable Credentials as digital diplomas of completed education. The university is thus an Issuer in the decentralized identity system.
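The diploma flow, as an added worked example that is not part of the original post: the university (Issuer) signs a credential with its private key, the Holder keeps the signed credential in a wallet, and the Verifier checks it against a trust registry of Issuer DIDs, which also illustrates the Issuer-trust and revocation points raised elsewhere in the article. The DIDs, the credential layout and the map-based registry are constructed assumptions for illustration, not any real DID method or the W3C data model.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is a simplified diploma credential (constructed here; not the W3C data model).
type Credential struct {
	Issuer  string `json:"issuer"`  // Issuer DID, e.g. did:example:university (constructed)
	Subject string `json:"subject"` // Holder DID
	Degree  string `json:"degree"`
	Issued  string `json:"issued"`
}

// SignedCredential is what the Holder keeps in the wallet: the credential plus
// the Issuer's Ed25519 signature over its JSON encoding.
type SignedCredential struct {
	Credential
	Signature []byte `json:"signature"`
}

// payload is the byte string that gets signed; the struct's field order fixes it.
func payload(c Credential) []byte {
	b, _ := json.Marshal(c)
	return b
}

// Issue is the Issuer's step: sign the compiled credential with its private key.
func Issue(priv ed25519.PrivateKey, c Credential) SignedCredential {
	return SignedCredential{Credential: c, Signature: ed25519.Sign(priv, payload(c))}
}

// Verify is the Verifier's step. trusted stands in for DID resolution plus a
// trust list (Issuer DID -> public key); revoked holds signatures the Issuer has
// withdrawn. Unknown Issuers, tampered claims and revoked credentials all fail.
func Verify(trusted map[string]ed25519.PublicKey, revoked map[string]bool, sc SignedCredential) error {
	pub, ok := trusted[sc.Issuer]
	if !ok {
		return fmt.Errorf("issuer %q is not in the trust registry", sc.Issuer)
	}
	if !ed25519.Verify(pub, payload(sc.Credential), sc.Signature) {
		return fmt.Errorf("signature does not match credential contents")
	}
	if revoked[string(sc.Signature)] {
		return fmt.Errorf("credential has been revoked by the issuer")
	}
	return nil
}
```

The trust registry is the piece that lives outside the ledger: a valid signature from a DID nobody vouches for is rejected just like a tampered one.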
Blockchains were not originally designed to manage identity but as decentralized ledgers for e.g. verifiable proof of ownership. The original use case developed around a relatively small number of transactions of stores of value (coins, property), where the key challenge to overcome was how to ensure who owns what when no central authority, such as a bank, or other safeguard is available.
Blockchains are much more versatile than ledgers for property alone, but the origins of the technology still imply that there are challenges to overcome before full, blockchain-based decentralized identity systems can reach mass adoption. Some of these challenges are transaction cost, interoperability and trust.
To have a truly decentralized identity system, it cannot run on centralized systems such as a centrally managed Blockchain. This also implies that, at least with the current generation of blockchain technology, it is expensive to create the blocks used to store the decentralized identifiers, in the same way that other decentralized blockchains, e.g. for cryptocurrencies, are expensive (e.g. the high amounts of energy needed to build blocks).
Identity management involves core use cases such as identity verification and authentication, with and without data sharing. These are high-volume use cases, especially authentication, and to work smoothly and securely they require many Decentralized Identifiers per user and use case, which becomes expensive.
With the current iteration of Decentralized Identity, there are several initiatives in place to build blockchains, systems for Verifiable Credentials and DIDs, for example World Wide Web Consortium (W3C), and Decentralized Identity Foundation (DIF). However, existing standards are not automatically interoperable, and holding a wallet in one ecosystem does not necessarily allow for access to other systems.
A larger obstacle comes from data structure and identity ontology. As long as there are no standards for how Verifiable Credentials are structured from a data and assurance perspective, it becomes difficult to harmonize identity management.
Each Decentralized Identity ecosystem risks becoming an island rather than a universal access point. Just transferring single Verifiable Credentials also creates data challenges on the part of Verifiers, who need to compile, assess and normalize data to create the rich user profiles that are required to manage authentication and authorization systems.
Although the Decentralized Identity system is tamper resistant, the input to the system must still be true for the system to create trust. In a large system with many Issuers, Holders and Verifiers, it can become difficult to securely identify Issuers, and a Holder could in theory use fake Issuers to create fake Verifiable Credentials.
Verifiers need a system to check and trust Issuers that is not in itself a part of the Decentralized Identity Blockchain and its different parts. In fact, all of the advantages of Self-Sovereign Identity in terms of user integrity and complete control also make it easier for bad actors to use the system to fake who they are. This can be solved in private blockchains that control access, but then the promise of Decentralized Identity is not realized.
It is possible to manage Issuer credibility through trust chains, with top Issuers guaranteeing the identity of other Issuers within the system, so it is not technically an impossible task to solve. However, it does require coordination outside of the Decentralized Identity system itself, even though the Decentralized Identity building blocks can be used to create the trust chains.
During the last year, there have been many scandals in the cryptocurrency space that have impacted the general trust in blockchain-based technology and led to questioning of the viability of blockchain-based ecosystems.
Challenges in competing blockchains, question marks on immutability, transaction cost economics and large-scale fraud have all been identified as problems with applying blockchain technology for different purposes.
However, the movement continues, and the promises of the emerging technology are still seen as attractive enough by enough participants to ensure continued momentum. There is no question that there are clear advantages of decentralized, immutable systems to manage sensitive transactions, even though further safeguards are needed.
The same goes for Decentralized Identity. There are many challenges that need to be solved, and the current iteration of the technology is not fit for mass adoption, from either a transactional or a data and interoperability perspective.
Still, the building blocks being developed within Decentralized Identity have clear utility, with or without Blockchain, and as a way of realizing the ambition of Self-Sovereign Identity they are very likely to play an important part.
What is required is continued standardization work coupled with at least one large-scale use case that can drive reach and adoption. In the meantime, actors working with digital identity are wise to follow the developments and start employing some of the evolving building blocks to further strengthen their systems and platforms.
Decentralized Identity has the potential to empower users, enhance privacy, and foster a more secure digital world. We will follow the developments closely and continue to publish insights as the landscape evolves.