In a previous blog post, we gave an introduction to Self-Sovereign Identity (SSI), a principled approach to building digital identity systems that protect and safeguard individual identity while allowing trustworthy interactions, without relying on centralized identity management systems.
In this article, we follow up by exploring the foundational elements of Decentralized Identity, a concept aimed more squarely at the practical implementation of decentralized identities and decentralized identity systems.
TL;DR
- Introduction to Decentralized Identity: Building on Self-Sovereign Identity (SSI), Decentralized Identity aims to implement digital identity systems without relying on centralized management, optionally leveraging a blockchain for tamper resistance and shared trust.
- Foundational Elements: Decentralized Identity comprises various building blocks like Public-Private Keys, Verifiable Credentials, and Decentralized Identifiers (DIDs), enabling secure, tamper-proof identity management.
- Key Actors: The ecosystem involves Holders (users), Issuers (trusted authorities issuing credentials), and Verifiers (entities verifying credentials), ensuring trustworthy interactions without centralized control.
- Challenges: Despite the advantages, challenges include high transaction costs on public blockchains, limited interoperability between identity ecosystems, and the need for a mechanism outside the ledger to establish which Issuers can be trusted.
- Future Prospects: While not yet ready for widespread adoption, ongoing standardization efforts and practical use cases are expected to drive the evolution and adoption of Decentralized Identity solutions.
- Conclusion: Decentralized Identity holds promise in enhancing user control, privacy, and security in digital interactions, with continued development needed to overcome current limitations and realize its full potential.
Decentralized Identity
Starting from Self-Sovereign Identity
Self-Sovereign Identity (SSI) is in itself technology neutral and does not answer how to implement identity technology that meets the SSI objectives. What it does is set a high bar for any identity system or framework that wants to put user integrity and self-determination at the center.
In the realm of blockchain-based developments, there is a growing movement to realize the objectives of Self-Sovereign Identity (SSI) using the advantages that blockchain brings, e.g. immutability (tamper-evident data), decentralized coordination and secure transactions, all of which have been instrumental in creating cryptocurrencies and other distributed ledgers.
This movement has produced many relevant technologies, and there is a growing effort to standardize the key building blocks within a unified framework.
Decentralized Identity - Impacting the Future
This movement is often referred to as Decentralized Identity. It is not yet a settled paradigm, and important challenges remain before we can expect widespread adoption. However, it is likely that at least some of the building blocks forming the current iteration of Decentralized Identity will be relevant for future digital identity systems.
The Decentralized Identity Ecosystem
As already mentioned, Decentralized Identity is conceived of as an integrated system built on blockchain technology. However, it is made up of separate building blocks that can create value when managing identity even without an actual blockchain to store and share immutable data.
There are also different actors operating in this system to prove and share identity data and other relevant data about individuals, organizations, objects and similar.
Key Actors in the Decentralized Identity Ecosystem
The main actors in the Decentralized Identity system are:
- Holders, who want to prove something about themselves. The Holder in Decentralized Identity typically wants to share important and sensitive information, e.g. legal name, age, nationality, diplomas.
- Issuers, who are authorities that issue Verifiable Credentials about Holders. Issuers can be e.g. states, other trusted parties that check documents issued by states, universities, or employers. The key thing is that the Issuer is a party the Verifier trusts.
- Verifiers, who want to verify credentials, i.e. check that the digital credentials that Holders have are genuinely issued by trusted Issuers. Verifiers can be e.g. a company onboarding a new customer or looking to hire a new person.
Building Blocks in the Decentralized Identity Space
The actors engage in the Decentralized Identity system using a set of building blocks: Private and Public keys, Verifiable Credentials, Decentralized Identifiers and blockchains. Decentralized identity systems may contain some or all of these building blocks today, interacting to form decentralized identity solutions.
Public-Private Key
Every actor in the system holds one or more cryptographic key pairs. The public key can be published (for example in a DID Document, possibly anchored on a ledger) while the private key stays in the Holder's wallet; a signature made with the private key can be checked by anyone holding the public key, which is what makes the connection between the public ledger and the privately held wallet data tamper-evident.
Key pairs also help against data breaches and identity theft: credentials live in the Holder's wallet rather than in a central database, and a credential is only useful to the party that can prove control of the matching private key. The caveat is that this moves the risk to the wallet itself; the private key must be protected (in a secure element, a hardware-backed key store or similar), since whoever holds it can act as the Holder.
An actor in the system can use the ledger to establish contact with other actors who want to access privately held resources, e.g. data. The public key identifies the specific Holder of a resource, and the Holder uses the private key to sign, whether to authenticate, to grant access to the resource or to authorize a transaction. This gives actors in the system the ability to securely transact, e.g. transferring tokens, sharing data, giving access.
Verifiable Credentials
A core part of building an identity is having external, trusted authorities issue Verifiable Credentials, i.e. digitally signed sets of claims about a subject. The claims can be any type of personally identifiable information, e.g. a name, a date of birth, a diploma, a licence or similar.
The Issuer creates a Verifiable Credential for the Holder by compiling the relevant identity information, naming the Holder's identifier as the credential subject, signing the credential with its own private key and then sharing it with the Holder. The Holder stores its Verifiable Credentials in a personal identity wallet. The Holder can later present these credentials to prove eligibility, for instance to access a service or to back a transaction, and because the Issuer's signature travels with the credential, a Verifier can check it without contacting the Issuer.
Decentralized Identifiers (DIDs)
A Decentralized Identifier (DID) is a W3C-standardized identifier of the form did:method:identifier that a subject creates and controls itself, without a central registration authority. A DID resolves to a DID Document (reachable through the DID method, which may use a URL, a ledger or a peer-to-peer exchange) that lists the subject's public keys and service endpoints, and thereby sets the rules for how a counterpart can authenticate the subject and request information. When a Verifiable Credential names the Holder's DID as its subject and the Holder proves control of that DID, by signing with the matching private key, the Holder proves that the Credential was issued to them.
A user can create a DID, point a Verifier to it, and then authenticate and grant access to data by signing with the private key that corresponds to a key listed in the DID Document. Properly done, a DID Document does not contain sensitive information, and certainly no Verifiable Credentials; it only works as a method and rule set for how a Verifier can find the subject's keys and request access to data.
DIDs are globally unique, but a Holder can and should have many DIDs in parallel, typically one per relationship or Verifier, so that data shared in different contexts cannot be correlated through a shared identifier.
Blockchains - Possible but not Necessary
Neither Verifiable Credentials nor Decentralized Identifiers require a blockchain to be useful, but both are designed to be compatible with blockchain technology. A DID Document, with its public keys, can be anchored on a blockchain so that Verifiers can resolve the Holder's DID without trusting any single server, and Issuers can publish revocation registries or status lists there so that a revoked Verifiable Credential is detectable without contacting the Issuer.
The advantage of using Blockchain is that it creates transparency and a tamper-resistant system for identity data, without centralized authorities. Done right, it also allows different parties who engage in contracting to prove that the other parties have acted in a certain way, e.g. signed a document or given consent to sharing data (a feature called non-repudiation).
Example: A Decentralized System for Educational Diplomas
To illustrate the previous discussion let's take a look at an example of decentralized identity management in issuing diplomas of education. This will show how the different actors and building blocks mentioned above can interact around decentralized digital identity.
Let's assume that a university is using decentralized identity technology to create Verifiable Credentials as digital diplomas of completed education. The university is thus an Issuer in the decentralized identity system.
- The university creates the Verifiable Credential in the form of a digital diploma for a specific student, who becomes the Holder.
- The student receives the diploma as a Verifiable Credential signed with the university's private key. It names the university's DID as Issuer, through which a Verifier can later resolve the university's public key, and the student's DID as credential subject.
- The student checks the university's signature on receipt and stores the Verifiable Credential in her decentralized identity wallet. She does not need to sign the credential itself; ownership is demonstrated later by proving control of the subject DID.
- The student's DID resolves to a DID Document containing her public key and the verification method a counterpart must use to authenticate her. The DID Document can be anchored on a blockchain so that its contents are tamper-evident.
- A company looking to hire the student wants to verify the student's academic record. The company sends a fresh challenge (a nonce) and the student shares the DID she uses for this relationship; the company thus becomes a Verifier in the system.
- The student wraps the diploma in a Verifiable Presentation bound to the challenge and signs it with her private key. The Verifier resolves both DIDs and checks the student's signature (proof of control of the subject DID, and proof that the presentation is not a replay), checks the university's signature on the diploma, confirms that the university is an Issuer it trusts, and checks that the diploma has not been revoked. Only then does it accept the data in the Verifiable Credential as genuinely issued by the university.
Challenges with Blockchain-based Decentralized Identity
Blockchains were not originally designed to manage identity but as decentralized ledgers for e.g. verifiable proof of ownership. The original use case developed around relatively few transactions of stores of value (coins, property), where the key challenge was how to establish who owns what when no central authority, such as a bank, can safeguard the records.
Blockchains are much more versatile than only as ledgers for property, but the origins of the technology still imply that there are challenges to overcome for full, blockchain-based decentralized identity systems to reach mass adoption. Some of these challenges are transaction cost, interoperability and trust.
Blockchain-Based Transactions are Expensive
To have a truly decentralized identity system, it cannot run on centralized systems like e.g. a centrally managed blockchain. This also implies that, at least with the current generation of public blockchains, it is expensive to write the blocks that store Decentralized Identifiers and registries, in the same way that transactions on public cryptocurrency blockchains are expensive (on proof-of-work chains, for instance, because of the energy needed to produce blocks).
Identity management involves core use cases such as identity verification and authentication, with and without data sharing. These are high-volume use cases, especially authentication, and working smoothly and securely requires many Decentralized Identifiers per user and use case (one per relationship, to avoid correlation). If each of those has to be written to a ledger, the cost adds up quickly. Ledger-free DID methods such as did:key and did:peer exist partly for this reason, at the price of giving up the shared, tamper-evident history that a ledger provides.
Interoperability between Identity Providers is Difficult
With the current iteration of Decentralized Identity, several initiatives are standardizing and building the pieces: the World Wide Web Consortium (W3C) publishes the Verifiable Credentials Data Model and DID Core specifications, the Decentralized Identity Foundation (DIF) works on protocols and interoperability profiles, and a number of projects build ledgers, wallets and agents on top. However, conforming to a standard does not make systems automatically interoperable. DID methods, signature suites and credential formats differ, and holding a wallet in one ecosystem does not necessarily allow access to other systems.
A larger obstacle comes from data structure and identity ontology. As long as there are no shared schemas for how Verifiable Credentials are structured, both as data and in terms of the level of assurance behind each claim, it is difficult to harmonize identity management across ecosystems.
Each Decentralized Identity ecosystem risks becoming an island rather than a universal access point. Transferring single Verifiable Credentials also creates data challenges for Verifiers, who need to compile, assess and normalize data to build the rich user profiles required to run authentication and authorization systems.
The Problem of Trusted Data Exchange Moved but not Removed
Although a Decentralized Identity system is tamper resistant, its input must still be true for the system to create trust. In a large system with many Issuers, Holders and Verifiers, it becomes difficult to securely identify Issuers, and a Holder could in theory set up a fake Issuer (any key pair can sign a syntactically valid Verifiable Credential) and present credentials from it.
Verifiers need a system for checking and trusting Issuers, typically a trust registry or trust list, that is not itself part of the Decentralized Identity blockchain and its components. In fact, the very advantages of Self-Sovereign Identity in terms of user integrity and complete control also make it easier for bad actors to use the system to fake who they are. This can be solved in private blockchains that control who may issue, but then the promise of Decentralized Identity is not realized.
It is possible to manage Issuer credibility through trust chains, with a small number of root Issuers vouching for other Issuers within the system, for example by issuing them accreditation credentials that a Verifier checks before accepting anything the accredited Issuer has signed. So it is not technically an impossible task. However, establishing who the roots are does require coordination outside of the Decentralized Identity system itself, even though the Decentralized Identity building blocks can be used to express the trust chains.
Blockchain Technology Promising but not Mature
During the last year, there have been many scandals in the cryptocurrency space that have impacted the general trust in blockchain-based technology and led to questioning of the viability of blockchain-based ecosystems.
Challenges in competing blockchains, question marks on immutability, transaction cost economics and large-scale fraud have all been identified as problems with applying blockchain technology for different purposes.
However, the movement continues, and the promises of the emerging technology are still seen as attractive enough by enough participants to ensure continued momentum. There is no question that decentralized, immutable systems have clear advantages for managing sensitive transactions, even though further safeguards are needed.
Decentralized Identity - a Welcome Attempt to Move Forward with Self Sovereign Identity
The same goes for Decentralized Identity. There are many challenges that need to be solved, and the current iteration of the technology is not fit for mass adoption, neither from a transactional nor from a data and interoperability perspective.
Still, the building blocks being developed within Decentralized Identity have clear utility, with or without Blockchain, and as a way of realizing the ambition of Self-Sovereign Identity, it is very likely to play an important part.
What is required is continued standardization work coupled with at least one large-scale use case that can drive reach and adoption. In the meantime, actors working with digital identity are wise to follow the developments and start employing some of the evolving building blocks to further strengthen their systems and platforms.
Decentralized Identity has the potential to empower users, enhance privacy, and foster a more secure digital world. We will follow the developments closely and continue to publish insights as the landscape evolves.