Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure using Blockchain

Identity is Changing:
The rise of Self-Sovereign Identity
Infrastructure using Blockchain
Kaliya Young
InteropITX May 2, 2018

What is Infrastructure?

What are Standards? Protocols?

Some Early Identity Eﬀorts

MAIN ACT: Self-Sovereign Identity
Questions
Outline

Physical Infrastructure
Roman Roads

Physical Infrastructure
Roman Roads
Centralized Road System in 1850
Book about their impact : Roads to Power

Time Infrastructure
Before 1883 Every City had its own Time

Communications Infrastructure
Telegraph

1865
International Telecommunications
Union Formed

What really makes it work?
Standards & Protocols

What are the Protocols for People?

Don’t we have protocols for
this already……

Employers
Have Employees
Enterprise Identity
Enterprise Single Sign On
Provisioning
Authentication - AuthN

Employers
Have Employees Contractors
Business Partners
Enterprise Identity

Provisioning
Termination
Enterprise Identity
Access Control
Authorization - AuthZ
Roles
Attributes
Authentication - AuthN

Directory Wars of the 1990s
LDAP

Development of SAML
New Protocols like SCIM
SSO with the enterprise
Enterprise Federation between them

Civic Records
Citizen Identity
Birth
Death
Marriage
Divorce
Parent
Drivers License
Voting
Other Licensing
Health Care
Social Insurance
Taxation

Almost no effective systems for government asserted claim
about in a trusted digital form

What were the choices?
In 2003 when I got started with all this?

Building Identity and
Trust into the Next
Generation Internet

Underlying this report is the assumption that every individual ought
to have the right to control his or her own online identity. You should
be able to decide what information about yourself is collected as part
of your digital profile, and of that information, who has access to
different aspects of it. Certainly, you should be able to read the
complete contents of your own digital profile at any time. An online
identity should be maintained as a capability that gives the user many
forms of control. Without flexible access and control, trust in the
system of federated network identity will be minimal.

A digital profile is not treated [by corporations who host
them] as the formal extension of the person it represents.
But if this crucial data about you is not owned by you,
what right do you have to manage its use?
A civil society approach to persistent identity is a
cornerstone of the Augmented Social Network project.

Big Co.
Web 1.0 Web 2.0
Drawn by Johannes Earnst - reﬂects User-Centric Identity Community Vision

The Frist Internet Identity Workshop 2005
We gathered together

https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186
You get to have Different Accounts at Every single site you go to.

Relying Party
Identity Provider
User

FACEBOOK

How can I own my own

digital identity?

RENT-A
MYURL.COM
#
** Special NAME-SPACE
for People? **
Ways you “could” own your own identity:

Presenting:
Self-Sovereign
Identity
(using the block chain)
I think we ﬁnally ﬁgured it out

Decentralized IDentiﬁer - DID
did:sov:3k9dg356wdcj5gf2k9bw8kfg7a
Method
Scheme
Method-Specific Identifier
Slide credit: Drummond Reed, Sovrin Foundation

did:sov:3k9dg356wdcj5gf2k9bw8kfg7a
047d599d4521480d9e1919481b024f29d2693f2
72d19473dbef971d7d529f6e9
Private 
Key
Public
Key
cc2cd0ffde594d278c2d9b432f4748506a7f9f2
5141e485eb84bc188382019b6

67
{ “Key”: “Value” }
DID
Decentralized
Identifier
DID Document
JSON-LD document
describing the
entity identified by
the DID

1. DID (for self-description)
2. Set of public keys (for verification)
3. Set of auth protocols (for authentication)
4. Set of service endpoints (for interaction)
5. Timestamp (for audit history)
6. Signature (for integrity)
68
The standard elements of a DID doc

Example DID Document (Part 1)
69
{
"@context": "https://w3id.org/did/v1",
"id": "did:example:123456789abcdefghi",
"publicKey": [{
"id": "did:example:123456789abcdefghi#keys-1",
"type": "RsaSigningKey2018",
"owner": "did:example:123456789abcdefghi",
"publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----rn"
}],
"authentication": [{
"type": "RsaSignatureAuthentication2018",
"publicKey": "did:example:123456789abcdefghi#keys-1"
}],
"service": [{
"type": "ExampleService",
"serviceEndpoint": "https://example.com/endpoint/8377464"
}],

Example DID Document (Part 2)
70
"created": "2002-10-10T17:00:00Z",
"updated": "2016-10-17T02:41:00Z",
"signature": {
"type": "RsaSignature2016",
"created": "2016-02-08T16:02:20Z",
"creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1",
"signatureValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0
yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/
gi25s="
}
}

In summary, a DID is…
1. A permanent (persistent) identifier
– It never needs to change
2. A resolvable identifier
– You can look it up to get metadata
3. A cryptographically-verifiable identifier
– You can prove ownership using cryptography
4. A decentralized identifier
– No centralized registration authority is required
71Slide credit: Drummond Reed, Sovrin Foundation

Where does it go?
How can I ﬁnd it if its Decentralized?

But the Ledgers are
Different?
They have different
DID methods

75
A DID method specification
defines how to read and write
a DID (and its DID document)
on a specific blockchain or
distributed network

76
Method DID prefix
Sovrin did:sov:
Bitcoin Reference did:btcr:
Ethereum uPort did:uport:
Blockstack did:stack:
Veres One did:v1:
IPFS did:ipld:
Active DID Method Specs

1. The syntax of the method-specific identifier
2. Any method-specific elements of a  
DID document
3. The CRUD (Create, Read, Update, Delete)
operations on DIDs and DID documents for
the target system
77
A DID Method spec defines…

You can look them up
https://w3c-ccg.github.io/
did-method-registry/

Back to the Humans
How can they use this?

The decentralized identity “stack”
Identity Owners

Identity Owners
Edge Layer
Edge Wallet Edge Wallet
Edge Agent Edge Agent

Cloud Layer
Cloud Wallet Cloud Wallet
Cloud Agent Cloud Agent
Identity Owners
Edge Layer

DID Layer
Cloud Layer
Identity Owners
Edge Layer

Public-Private Cryptographic Keys
Public Key Infrastructure = PKI

DID Layer
Cloud Layer
Identity Owners
Edge Layer
Encrypted P2P Interaction

I get different DIDs for
different parts of my life

I get to prove things
about my self

What do we mean by Credential?
93Slide credit: Manu Sporny Veres One

W3C Verifiable Credentials
94
The mission of the W3C Verifiable Claims Working Group:
Express credentials on the Web in
a way that is cryptographically
secure, privacy respecting, and
automatically verifiable.Slide credit: Manu Sporny Veres One

Anatomy of a Verifiable Credential
Verifiable Credential
Issuer Signature
ClaimsClaimsClaims
Credential Identifier
Credential MetadataCredential MetadataCredential Metadata
95
Slide credit: Manu Sporny Veres One

Verifiable Credentials Ecosystem
96
Issuer
(Website)
Government,
Employer, etc.
Verifier
(Website)
Company,
Bank, etc.
Holder
(Digital Wallet /
Personal Data Store)
Citizen, Employee,
etc.
Issue
Credentials
Present
Profiles

HOW DO YOU KNOW ITS TRUE?
Without…

HOW DO YOU KNOW ITS TRUE?
Without…
Phoning Home to Governments or other Institutions that issue Credentials

Decentralized Identifiers
101
Decentralized Identifiers
(Identifiers are owned by individuals)
Blockchains / DHTs
(Decentralized Ledger)
Veres One, Sovrin, Bitcoin, Ethereum, etc.
Issuer
(Website)
Government, Employer,
etc.
Verifier
(Website)
Company, Bank, etc.
Holder
(Digital Wallet /
Personal Data Store)
Citizen, Employee, etc.
Issue
Credentials
Present
Profiles

HolderIssuer Verifier
Issues  
Claim
Presents 
Claim
Decentralized Identifiers (DIDs)
Public Blockchain or other Decentralized Network
Signs
Claim
Countersigns
Claim
Verifies
Signatures
Wallet
Relying PartyIdentity Provider User
Going back to the IdP/Relying party model from earlier the roles have new names
and the architecture means they operate differently.

Graphic Co-Created with Kaliya Young and Dan Greening
These are the different DID methods, their ledgers,
wallets and companies behind them.

Decentralized Identity Foundation

110
A simple standard way for a
DID owner to authenticate by
proving control of a  
private key
DID Auth is…

DID Layer
Identity Owners
Cloud Layer
Edge Layer
DID Auth

HOW CAN YOU RESOLVE FOR THEM?
They are Distributed right?

Bitcoin, 
Ethereum, IOTA, 
Veres One
Permissionless Permissioned
Public
Private
Validation
Access
Hyperledger Sawtooth*
Sovrin,
IPDB
Hyperledger (Fabric,
Sawtooth, Iroha), 
R3 Corda, 
CU Ledger
Blockchain Types / Governance
* in permissionless mode
115Slide credit: Drummond Reed, Sovrin Foundation

SPEED
116
DID Creation
DID Ledger Operations / day Consensus delay
Bitcoin 0.6M / day ~3,600 seconds
Ethereum 2.1M / day ~375 seconds
Veres One 18M / day ~30 seconds
Sovrin 2.6M / day ?

COST
117
DID Creation
Bitcoin ~$15-$73
Ethereum ~$4-$14
Veres One* ~$1-$2
Sovrin ? doing ICO
* Commodity prices guaranteed due to strong downward pressure on operational costs

The Core Problem, Restated
119
How does a verifier determine
whether they can trust an issuer
without the whole world needing
to rely on a single root of trust?

120
Sovrin Web of Trust Model
Identity Owner Trust Anchor Trust Hub*
* Inspired by the British Columbia Government’s “TheOrgBook” service  
and concepts from Infocert about the evolution of Certificate
Authorities

SWoT Core Design Principles
1. Decentralized
– No single root of trust
2. Secure
– Immune as possible to gaming and Sybil attacks
3. Privacy-respecting
– Identity owners may remain private and yet still
prove they are trusted
4. As simple as possible
– Everyone can understand it (not just cryptogeeks)
121

Sovrin Web of Trust Roles
122
Identity Owner Trust Anchor Trust Hub
DID Private Public Public
Holds SWoT Claims
About Self
Yes Yes Yes
Issues SWoT Claims
About Other Issuers
No Yes Yes
Holds SWoT Claims
About Other Issuers
No No Yes

123
In this model, the Sovrin
Foundation is simply one Trust
Hub for Sovrin stewards— 
each steward may serve as either a
Trust Anchor or a Trust Hub

124
Sovrin Trust
Framework
Sovrin
Powered
Trust
Frameworks

Build this New Infrastructure With Us

127
VERES ONE
A Globally Interoperable
Blockchain for Identity

A world where people and organizations
create, own, and control their identifiers
and their identity data
VISION

129
Utilize Blockchain technology and
multistakeholder governance to create a public
good for self-administered identity management.
SOLUTION

130
ECOSYSTEM
Veres One Project
Maintainer
Community advises Board
of Governors, which
ensures proper execution
of the mission.
Ensures technical operation
of the Network and
implements new
features.
Can quickly create
identifiers on the Veres One
Blockchain.
Accelerators
provide compute and
storage resources that keep
the Network  
secure.
Nodes
Pay fees  
Manages
Rewards

GLOBAL

Four Emerging Open Standards for SSI
DID (Decentralized Identifier)
DKMS (Decentralized Key Management
System)
DID Auth
Verifiable Credentials

Internet Identity Workshop
#27 October 23-25
Get Involved Building This Infrastructure

135
DID Specification Links
Current version https://w3c-ccg.github.io/did-spec/
Github Issues https://github.com/w3c-ccg/did-spec/issues/
Discussion Forums
https://w3c-ccg.github.io/
http://forum.sovrin.org/c/technical/did
• W3C Verifiable Claims Working Group
– https://www.w3.org/2017/vc/charter.html

Learn More from Me
Get the SSI Scoop
bit.ly/ssiscoop
kaliya@identitywoman.net

Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure using Blockchain

Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure using Blockchain

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure using Blockchain

Similar to Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure using Blockchain (20)

More from Kaliya "Identity Woman" Young

More from Kaliya "Identity Woman" Young (17)

Recently uploaded

Recently uploaded (20)

Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure using Blockchain