This is a topic I’ve come across a while ago, but didn’t fully understand. It doesn’t have a token and thus does not receive as much attention as other blockchain applications or infrastructure components. That’s probably also why there aren’t a ton of good explanations on what it is and what it is used for. Yet the topic is a fundamental building block and will change the way we interact on the internet. Companies like Microsoft are investing heavily in this area so let’s have a look at what’s behind this technology.
The way we currently use our identity online is quite annoying. Every service requires a unique login of username and password, tech giants tried to tackle this problem with social logins, which makes it slightly less bad, but does not completely solve it. Plus they get all of your data for providing this slight improvement.
If you think of other areas where we use identities, you will notice that not a lot has changed in the last few years. Most countries still use a piece of plastic to issue a driver’s license, which then can be used by the holder to prove his identity. But a piece of plastic doesn’t work very well on the internet.
Look at applying for a new apartment, where you are typically required to prove your income, financial situation and renting history in a tedious and burdensome paper based process, costing you and the landlord time to complete. Information that somehow exists in a digital form can’t be used to prove, but needs to be printed and often verified by a third party. Additionally the printed documents with your sensitive information might end up on some guy’s computer who hardly knows how to use it.
Self Sovereign Identity (SSI) might be able to help.
What is SSI?
Self Sovereign Identity or SSI is the digital representation of the identification process we know from the physical world. Things like showing our driver’s license to prove we are allowed to drive, or sending a bank statement to a real estate agent to prove our income and account balance. This physical process is made up of many different parts and so SSI is made up of different parts. The two most important building blocks are decentralised identifiers (DID) and verifiable credentials (VC).
— > SSI describes the whole process.
As part of the SSI process, verifiable credentials represent the digital version of physical credentials. Think of a driver’s license. The driver’s license is issued by an institution, using a stamp and other fancy stuff to prove that it was issued by them. The digital version uses cryptographic signatures to prove whom it was issued by. It is important to understand how digital signatures work (Docusign does a good job explaining the concept). The signature makes the credentials verifiable i.e. a verifier can verify if a credential was signed by the signer. Bear with me on this, we’ll get to the process in a bit.
— > Verifiable credentials are signed digital credentials and thus verifiable.
Decentralized identifiers (DID) are identifiers and as such can be used to uniquely identify a person or object without sharing any personal information. It’s similar to a wallet that uses an address to generate public and private keys to sign and verify transactions (see image below). A DID is typically stored on a decentralized network like a blockchain ensuring the information is tamper proof. The DID is used to publish public keys onto the network, so that in a decentralized setting others can verify information signed by the related private key. They can be used as identification in verifiable credentials.
— > Decentralised Identifiers are used to uniquely identify a person or object, similar to a cryptocurrency wallet.
How does SSI work
Now that we’ve gone through the basics, let’s look at how it all comes together. It’s good to start with something familiar like the physical drivers license. It is issued by the government of a country and generally everybody trusts the government body that the information on the license is correct (i.e. the person is allowed to drive).
The license is held by a driver and can be shown to anybody who requires proof of his identity and his legal ability to drive. The entity requesting this proof will then verify whether the information is correct by checking the document and potentially checking back with the issuer that the document hasn’t been revoked.
The chart describes the process of SSI and is described in detail in the sections below.
Who issues credentials ?
Issuing credentials is not much different when done digitally. In the case of the drivers license it would still be the government, but in theory anybody can issue any sort of credential. Like in the physical world it is important that you still need to trust the issuer of the credential, this is nothing SSI will change or help with.
The important thing in SSI is that instead of a stamp on the plastic card, the credential is signed cryptographically by the issuer, enabling anyone to verify who issued the credentials. This makes verification much easier than in the physical world.
The issuer creates a decentralised identifier (DID) containing information about himself. The DID is then stored on the blockchain, so that everybody can review this information and have insights into its history. The DID also allows creation of private and public keys. Private keys sign a credential and public keys allow verification of who signed the credential.
The issuer of the credential can also revoke the credential, by updating a revocation register with the credential that has been revoked. When verifying the verifier can check this register to ensure the credential has not been revoked.
How do you show credentials
Once a credential is issued, it belongs to the holder and is stored in his wallet. Let’s say a bank wants a proof of identity and requests the document. The holder of the credential presents the credential to the verifier (bank) by giving access to the document. The verifier then only needs to check the related information stored on the blockchain to find out if the signature the document was signed with belongs to the issuer and if it hasn’t been revoked. Again, the verifier will need to trust the issuer here, but at least he can be certain who signed the credential.
More advanced concepts use zero knowledge proofs to hide the actual information and only present that a certain threshold was met. The drivers license could reveal that the driver is above the age of 21, without revealing the exact age.
Credentials can be combined into a credentials presentation, showing multiple credentials to a verifier in one go. A good example is applying for an apartment, where the landlord will typically want to see multiple payslips and other information.
The best thing? You don’t have to trust your landlord to store your confidential information in a safe place. He won’t actually get a copy to store on their potentially insecure systems, but just get to see the information and can verify without you giving them a copy.
What role does Blockchain play
It’s an open standard that has been designed to be used with or without blockchain, but some of the benefits only apply when using a distributed ledger. There are downsides of course and every use case needs to be evaluated against whether it makes sense to store information on-chain.
Decentralized identifiers (DIDs) are JSON files and it makes a lot of sense to store them on-chain. It allows anybody to access the information and the immutable ledger ensures that the information is tamper proof (it can be changed, but this creates a new version).
The actual certificate files however are not stored on-chain. A PDF of a university degree is way too big to reside on a blockchain. The inter planetary filesystem (IPFS) allows storage in a peer to peer network dicing a file into smaller chunks, hashing the content and referencing the files with an ID that can then be requested via a unique link. Only the link would be stored on-chain in this case.
The revocation register is another critical piece that should be stored on-chain so that a revocation cannot be altered and is available in one place on a distributed ledger.
While there are still not a lot of live implementations of SSI, one can imagine the pain of running this on Ethereum or Bitcoin where transaction costs for every change to a DID or revocation are high and transactions take time to settle.
Sidetree tries to solve this problem with a second layer. Allowing many transactions to be batched into one and submitted all at once as one transaction onto layer 1. Sidetree is the ledger agnostic specification of how this works and specific implementations exist for Bitcoin (ION) and Ethereum (Element).
Application in Business
Many companies see the potential of SSI. Microsoft is involved in the development of the Sidechain implementation ION based on Bitcoin. Obviously, they are planning to or already have added support for SSI to their Azure Active Directory.
IDunion is a group of German and European companies aiming to create an open ecosystem for decentralized identity management. Some big names participating will hopefully lead to more mainstream use of SSI and adoption to a level where end users can actually benefit from it.
Beyond this there are many other use cases and scenarios where SSI could play a role. W3C has a whole diagram and detailed explanation for every scenario on their website. This goes to show that SSI could turn out to be one of these very important pieces of infrastructure in a decentralised world.
With a whole host of different protocols and companies (Selfkey, Evernym, Sovrin, Tykn, Fractal, …) addressing and offering SSI solutions, it’s only a matter of time until some of the above scenarios will get built.
While SSI doesn’t have a coin and there is not nearly the hype we see around NFTs and other coins, it is nevertheless a very interesting and promising topic. Imagine a future where you hold all your data and don’t need any passwords to log into a website, you can quickly and discreetly share information about yourself with others without handing the actual data over to them. Forget about the long and tiresome process behind printing our documents or sending them to some real estate agency who doesn’t know the first thing about protected personal data. Exciting times ahead.