Before we explain what self-sovereign digital identity is, let us first define identity, then elaborate on digital identity, which leads naturally to the final form of digital identity management, where each user controls their own digital identity.
- Identity is a uniquely human concept. It is that ineffable “I” of self-consciousness.
- We all have a social identity – the qualities, beliefs, personality, looks and/or expressions that make us a person.
But how do we prove our identity when interacting with others? Let's look at an example:
You interact with a person who claims to be John Smith and wants to do some transactions with you. John gives you his passport (or, in some countries, his driver's license) as proof of his identity claim. You attest John's claim by looking at the passport, determining whether it is authentic and then comparing the attributes captured in the passport with the person in front of you.
This process includes the following concepts:
- claim – a statement that an actor puts forward and would like to be considered true
- proof(s) – evidence that something is true, often based on a trusted certificate
- attestation – verification by an independent party that a claim is true
You may now create a record in your system with a customer identifier, a copy of the passport and additional attributes such as address and date of birth, verified further through utility bills or other formalized evidence. This record is a digital identity: it represents the relevant aspects of the social identity and is now the basis for your business interactions with John.
This may all sound simple and rather straightforward, but:
- Attestation is typically a manual process in which unstructured data is captured and verified against the available proofs, which must be collected and stored
- Only a subset of the captured information is constant; the captured attributes may get out of sync with reality
- The presented proofs may be faked, and the quality of the attestation depends on your skill at spotting such forgeries
- Wherever John wants to have additional interactions, a similar process is required, leading to the creation and attestation of yet another digital identity
- Whenever information changes, John must provide updates to all relevant parties
- John has no control over what happens with his data or who is accessing it
Juridical persons and things can also have a digital identity; however, in this post we will continue to focus only on natural persons and look at ways such digital identities can be managed.
Digital identity management started with centrally managed approaches, in which the authority that manages the digital identity data becomes its guardian and qualifies the digital identities. As networks evolved, federated approaches were adopted, where multiple authorities jointly manage digital identities. User-centric identity is expanding: the user has more control over his digital identity and decides whether to share an identity from one service with another. Such sharing capability is based on standards like OpenID (2005), OpenID 2.0 (2006), OpenID Connect (2014), OAuth (2010) and FIDO (2013). It is important to note that all these approaches are centralised, but the user has more influence over how the information is shared.
The concept behind self-sovereign digital identity is to give the user full control over his/her digital identity. It is a distributed identity management approach where a person creates a unique identifier for their digital identity, places claims and asks others in the network to perform attestation. Claims and attestations can be secured using cryptography with the public and private keys of the involved parties.
- An actor can encrypt a claim with his private key
- The actor can use the public key of the attestation authority to keep the attestation private
- The attestation authority can decrypt the message with its private key and the user's public key
- The attestation authority can verify the presented proof and sign it using its own private key
- The attestation is then sent securely back to the user
The user now has an attribute with a digitally secured attestation and proof of a verified authority claim(s). Over time a network of users builds up, in which identities are maintained and trusted through attestation of proofs given by others in the network. Attestation authorities can be official authorities, organizations or other users. The quality of an identity in such a system depends on the quality of the involved authorities. Ideally this approach introduces a single user-managed digital identity which can be used in the network when required and becomes the core of the genuine digital self (please see Be your digital self).
Christopher Allen has defined ten principles to ensure the user control that is at the heart of self-sovereign identity:
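The five steps above, played out end to end, as an added example that is not part of the original post. It uses only the Go standard library: each party holds an Ed25519 key pair for signing (signing with the private key is the operation the list describes as "encrypting a claim with his private key") and an X25519 key pair so that user and authority can derive a shared AES-GCM key from their own private key and the other side's public key, which is how the request and the reply stay private in transit. The party names, the claim, and the `proofOK` callback standing in for the authority's inspection of the passport are constructed for this example; a deployed system would also derive the transport key with HKDF and ephemeral keys rather than a bare hash of the shared secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Party is a user or an attestation authority: Ed25519 for signing, X25519 for key agreement.
type Party struct {
	SignPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey // unexported: whoever holds the private keys holds the identity
	KexPub   *ecdh.PublicKey
	kexPriv  *ecdh.PrivateKey
}

func NewParty() *Party {
	sp, ss, _ := ed25519.GenerateKey(rand.Reader)
	ks, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return &Party{sp, ss, ks.PublicKey(), ks}
}

type Claim struct{ Subject, Attribute, Value string }
type Attestation struct{ Claim Claim; ClaimSig, AuthSig []byte } // user signs Claim; authority signs Claim||ClaimSig
func claimBytes(c Claim) []byte                                  { b, _ := json.Marshal(c); return b }

// aead derives AES-256-GCM from X25519(my private, peer public); both ends compute the same key.
func (p *Party) aead(peer *ecdh.PublicKey) cipher.AEAD {
	shared, _ := p.kexPriv.ECDH(peer) // errors only for a malformed peer key
	key := sha256.Sum256(shared)      // production: HKDF with context binding, ephemeral keys
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

func (p *Party) seal(peer *ecdh.PublicKey, msg []byte) []byte {
	nonce := make([]byte, 12) // standard GCM nonce size
	rand.Read(nonce)
	return p.aead(peer).Seal(nonce, nonce, msg, nil) // nonce || ciphertext || tag
}

func (p *Party) open(peer *ecdh.PublicKey, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return p.aead(peer).Open(nil, ct[:12], ct[12:], nil)
}

// UserRequest: sign the claim with the user's private key, then seal it for the authority.
func UserRequest(user, auth *Party, c Claim) []byte {
	req, _ := json.Marshal(Attestation{Claim: c, ClaimSig: ed25519.Sign(user.signPriv, claimBytes(c))})
	return user.seal(auth.KexPub, req)
}

// AuthorityAttest: open with own private key + user's public key, verify user signature and proof, sign, seal reply.
func AuthorityAttest(auth, user *Party, ct []byte, proofOK func(Claim) bool) ([]byte, error) {
	var a Attestation
	pt, err := auth.open(user.KexPub, ct)
	if err != nil || json.Unmarshal(pt, &a) != nil || !ed25519.Verify(user.SignPub, claimBytes(a.Claim), a.ClaimSig) {
		return nil, errors.New("cannot open request or claim signature invalid")
	}
	if !proofOK(a.Claim) { // stand-in for the authority inspecting the presented document
		return nil, errors.New("proof rejected")
	}
	a.AuthSig = ed25519.Sign(auth.signPriv, append(claimBytes(a.Claim), a.ClaimSig...))
	resp, _ := json.Marshal(a)
	return auth.seal(user.KexPub, resp), nil
}

// UserReceive: open the reply and keep the attestation only if the authority's signature verifies.
func UserReceive(user, auth *Party, ct []byte) (Attestation, error) {
	var a Attestation
	pt, err := user.open(auth.KexPub, ct)
	if err != nil || json.Unmarshal(pt, &a) != nil || !VerifyAttestation(a, auth.SignPub) {
		return Attestation{}, errors.New("attestation invalid")
	}
	return a, nil
}

// VerifyAttestation is the relying-party check; it needs only the authority's public key.
func VerifyAttestation(a Attestation, authPub ed25519.PublicKey) bool {
	return ed25519.Verify(authPub, append(claimBytes(a.Claim), a.ClaimSig...), a.AuthSig)
}

func main() {
	john, office := NewParty(), NewParty() // constructed parties: the user and a passport office
	ct := UserRequest(john, office, Claim{"john", "date_of_birth", "1980-01-01"})
	reply, _ := AuthorityAttest(office, john, ct, func(c Claim) bool { return c.Attribute == "date_of_birth" })
	att, err := UserReceive(john, office, reply)
	fmt.Println(err, VerifyAttestation(att, office.SignPub)) // <nil> true
	att.Claim.Value = "1970-01-01"                            // later tampering breaks the authority's signature
	fmt.Println(VerifyAttestation(att, office.SignPub))       // false
}
```

Two points the code makes that the list leaves implicit: a relying party later needs only the authority's public key to check the attestation, never the authority itself, and because the authority signs both the claim and the user's own signature over it, neither the value nor the binding to the user's key can be altered afterwards without the check failing.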
- Existence – users must have an independent existence
- Control – users must control their identities
- Access – users must have access to their own data
- Transparency – systems and algorithms must be transparent
- Persistence – identities must be long-lived, ideally lasting forever
- Portability – information and services about identity must be transportable
- Interoperability – identities should be as widely usable as possible
- Consent – users must agree to the use of their identity
- Minimalization – disclosure of claims must be minimized
- Protection – the rights of users must be protected
It is important that the private keys are well protected, as they grant full control of the digital identity.
So far, this post has discussed the creation of a digital identity. In a future post we will look at how to bridge between the real and the digital world: how can a system verify that the user is who they claim to be?
As the world becomes hyperconnected (please see "No 'OFF' Switch"), digital identity and security will continuously gain importance. As there will be, in the foreseeable future, no worldwide authority to manage digital identities, the world will converge towards a self-sovereign identity system where users own their data and various actors perform attestation in a mutual way. The system, in its nature, follows paradigms of earlier times when trust was the result of a social network. Digital technology removes the proximity requirements, allowing such a system to be applied on a global scale.