Several years ago, the Sovrin vision was introduced using a dot metaphor to describe a future whereby individuals would be able to take back control of their identity and participate at a peer-to-peer level with their online and offline relationships. Today the landscape of supporting open communities — network, code and standards — to achieve this vision has begun to mature at a rate whereby early adopters can begin to validate applicability and build that most important bridge across the technology adoption lifecycle chasm.
A typical inhibitor for adoption during this early phase is the lack of a common vernacular. While there are numerous documents outlining the various aspects of decentralized identity technology, there is an opportunity to provide additional clarity. My hope is that this article provides an insightful perspective on how the conceptual building blocks of self-sovereign identity (SSI) are rapidly coming together.
Scope of identity activities
As Blake Hall, Founder & CEO, ID.me so keenly observed, “Identity is a very difficult topical area to grasp as two or more people might be referencing ‘identity’ as a single term while meaning drastically different things.” The best place to start a discussion around terminology is to first explore the meaning of the word identity itself. An important observation is that your identity depends on your situational context. Interest in the data and events associated with identity differ based on the role of an individual or entity in a specific interactive setting.
Our personal identification information (PII) describes the unique traits associated with an individual or entity. These identity traits are core to our physical and digital lives. As expressed in this white paper, our daily life experiences tend to include a higher frequency of credential interactions as opposed to PII Management events. This implies we must consider how our identity traits are rendered and how those renderings are used for online and offline interactions. Identity instruments are the digital or physical, paper or plastic renderings of some subset of our PII as defined by the providers of the instruments. The traditional physical object is an identification card, your ID. Many physical identity instruments contain public and encoded information about an individual. The encoded information, which is often stored using machine readable technologies like magnetic strips or barcodes, are additional examples of rendering formats of an individual’s PII. Digital identity instruments, pertain to an individual’s PII in a form that can be processed by a software program. Identity interactions pertain to the situational usage — whether you are paying, being identified, participating in some event or entering somewhere — of our identity instruments.
As SSI solutions evolve they will deliver identity instruments that provide a unified identity interaction experience regardless of interaction type, either physical or online. During this maturation period, it is imperative that consideration be given to the tactical co-existence of the digital representations of our identity instruments and their interoperability with existing equipment readers. Depending on the situational context of an identity interaction concerning an identity instrument, there are existing and emerging standards that provide a means for the accessing, presenting and managing of identity information. Our daily lives are filled with a variety of identity interaction experiences. They may include a visit to the bank clerk, entering the airport, or a login to your utility company’s website. Each of these interaction experiences require you to present proof of your identity and may be face-to-face or online. As we migrate away from using physical identity towards digital instruments, we need to ensure that these new digital representations of our identity can seamlessly fit into our daily lives.
An identity reader can be a physical or programmatic device that understands how to process information contained within an identity instrument. Traditional readers interpret machine readable data formats available on a physical identity instrument. Emerging readers (or digital readers) focus on the programmatic processing of a digital identity instrument using peer-to-peer communications in a manner that assures privacy as well as document validity. These readers can be described as mobile applications that reside on a device that can communicate with an identity instrument. Unlike traditional readers, these emerging readers specialize in the processing of a digital representation of an identity instrument. These readers represent the whitespace area where standards are lacking. Since the digital identification industry is still emerging there will be a timeframe where interoperability between the possible digital representations is a challenge.
Where are the attributes?
Many English words carry perceived notions which cause concern when used in the context of identity. Confusion derived from the use of overloaded terms was very much evident in the Verifiable Credentials specification, originally named Verifiable Claims. The new specification provides much needed clarity. Building on the notion of an identity trait being the most granular data element in our vernacular discussion, the following image shows the concept of a claim, which is an attestation from an individual or organization which confirms that the entity has taken specific actions to establish truth about a specific identity trait. Examples of a claim include date of birth, height, social security or driver license numbers.
Depending on the situational context or the type of privileges to be granted, the complexity of the vetting process taken by an examiner to confirm the truth about a specific trait may vary. The required vetting, due diligence, regulatory compliance and other tasks needed to establish confidence in making a claim about an identity trait, will coincide with how the claim will be used. The role of an issuer pertains to the generation and delivery of a credential comprised of a set of claims in accordance with some predefined schema. A person’s physical trait or assigned attribute is examined to a degree whereby an entity can make a claim of truth about it. This then enables the same entity to issue a verifiable credential which takes a collection of claims in accordance with a well-defined schema for an identity instrument and delivers it to the subject associated with the identity traits referenced by the claims. Examples of a credential can include college transcripts, driver licenses, auto insurance cards and building permits.
A holder, such as students, employees and customers, may be in control of one or more verifiable credentials. As you can see to the right, an issued credential will have a value that varies based on two factors:
degree of vetting by the Examiner
importance of claims issued by Issuer
This concept is represented in our daily lives as the value of a government issued credential is higher than that of say the membership to your local fitness center.
Credentials can be used in many different situations where proof of identity is required by a verifier. A holder can use a specific credential or selectively disclose one or more claims from the corpus of held credentials to respond to a proof request. The verifier will process the response data to verify the authenticity of the issuer and holder before consuming the data. A verifier can be an employer, security personnel or a website.
Agencies, agents, edge and cloud layers
As we continue our vernacular focused discussion for a self-sovereign identity ecosystem, each entity will establish a collection of infrastructure components to manage their identity relationships in a peer-to-peer network.
A virtual identity vault refers to a collection of edge and cloud layer instances that make up an entity’s self-sovereign identity infrastructure. Analogous to the ubiquitous use of cloud-based file synchronization tools like Dropbox, people and organizations select an agency to host cloud layer software that is synchronized with the edge layer identity software on their edge devices. An individual’s vault is used to manage the keys and credentials associated with the person’s identity across all his or her edge devices. Conversely, an organization uses the vault to manage the keys and credentials associated with the devices of employees who are authorized to work on behalf of the company to carry out credential acquisition or verification activities.
A cloud service provider, referred to as an agency, associates one or more edge layers with an individual or organization cloud layer. Cloud and edge layers are comprised of agent software that manages the endpoint user experience (UX) and functional control plus wallet software that manages local storage. The cloud layer portion of an individual or organization is hosted by an agency. It provides the public endpoint for interactions with the agents of peer connections for the individual or organization. Each cloud layer instance would have a backup that may not be hosted within the same agency environment. A cloud agent is designed to be available 24/7 to send and receive communications on behalf of an entity. It manages communications, encryption, key management, data management and backup processes for the virtual identity vault. These agents use decentralized identifiers (DIDs) and DID documents to automatically negotiate mutually authenticated secure connections with the agents associated with their relationships. A cloud wallet manages keys, recovery shares and data storage.
Each of the entity’s devices run software referred to as the edge layer. Each edge agent is bound and synchronized to an associated cloud layer agent. These edge agents also act as an endpoint for offline interactions with edge layers of peer connections. An edge agent manages the generation and operational use of cryptographic keys and other secret artifacts. It communicates directly, peer-to-peer, via a protocol such as Bluetooth, NFC, or another mesh network protocol. Edge agents may also establish secure connections with cloud agents. An edge wallet manages key and data storage. It is the primary storage handler for private keys using a secure element or trusted platform module.
Bringing all together
As you can see below, the ecosystem of components comes together to establish a peer-to-peer exchange of verifiable credentials. Individuals can interact directly with organizations or other individuals while organizations can additionally interact with other organizations.
The network is comprised of distributed private agents working in parallel with the distributed ledger. Each entity can use the public ledger to register and verify public DIDs. The cloud agents
provide the public endpoint for interactions with the agents of peer connections, or relationships. These connections are used for the swapping of private pairwise DIDs and the exchange of verifiable credentials. Edge agents can swap private pairwise DIDs and exchange verifiable credentials using offline connections.
Hopefully this collection of terms and concepts has helped you in your investigative journey into the self-sovereign identity ecosystem. Continue your exploratory endeavor today with hands-on tutorials for verifiable credentials.
Identity and control of personal identity is top of mind, given recent events as well as the European Union’s General Data Protection Regulation (GDPR). A lot of our identity is shared without our explicit consent, gets stored in locations we are unaware of, and when compromised creates tremendous setbacks. Almost everything we do in the […]
Identity theft is an all too common occurrence. Our personal information is not under our control and lives in repositories that are targets for hackers. The Identity Theft Resource Center recorded 1,339 breaches impacting over 170 million records in the U.S. in 2017 alone. The global numbers are so staggering that no one has been able to […]