
Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure using Blockchain

Identity can seem deceptively simple. We know who we are. Sometimes we have to convince others of that fact and confirm other characteristics: our age, our qualifications, or our right to access some services or tools. This happens every day over the Internet, but in ways that are disorganized, redundant, and risky. The lack of reliable, universal standards puts our private information at risk of public dissemination, fraud or worse.

The pioneers developing the internet didn’t define nuanced standards for identity -- almost everything was just usernames and passwords. Over the past 20 years we have seen a range of standards that solve some identity challenges, including SAML, LDAP, OpenID Connect, OAuth, SCIM, Information Cards, and FIDO. None of them has comprehensively addressed the challenge of identity at internet scale.

A new set of standards is emerging that creates an infrastructure for self-sovereign identity that can scale. This talk looks forward to help you think ahead and prepare for this new infrastructure. We will walk through standards that together create a new identity infrastructure that leverages the blockchain. This isn’t about what you can implement tomorrow to solve your employee identity challenges or manage customer accounts. It will instead prepare you for the coming changes and help you play a role in shaping them.


  1. 1. Identity is Changing: The rise of Self-Sovereign Identity Infrastructure using Blockchain Kaliya Young InteropITX May 2, 2018
  2. 2. What is Infrastructure? What are Standards? Protocols? Some Early Identity Efforts MAIN ACT: Self-Sovereign Identity Questions Outline
  3. 3. Physical Infrastructure Roman Roads
  4. 4. Physical Infrastructure Roman Roads Centralized Road System in 1850 Book about their impact : Roads to Power
  5. 5. Europe in 1850
  6. 6. Time Infrastructure
  7. 7. Time Infrastructure Before 1883 Every City had its own Time
  8. 8. Standard Time
  9. 9. Standard Time
  10. 10. Communications Infrastructure Telegraph
  11. 11. Telegraph Cables in Europe
  12. 12. Telegraph Cables Globally
  13. 13. 1865 International Telecommunications Union Formed
  14. 14. Internet Infrastructure
  15. 15. What really makes it work? Standards & Protocols
  16. 16. Where is Layer 8?
  17. 17. What are the Protocols for People?
  18. 18. Don’t we have protocols for this already……
  19. 19. Employers Have Employees Enterprise Identity Enterprise Single Sign On Provisioning Authentication - AuthN
  20. 20. Employers Have Employees Contractors Business Partners Enterprise Identity
  21. 21. Provisioning Termination Enterprise Identity Access Control Authorization - AuthZ Roles Attributes Authentication - AuthN
  22. 22. Directory Wars of the 1990s LDAP
  23. 23. Development of SAML New Protocols like SCIM SSO with the enterprise Enterprise Federation between them
  24. 24. Civic Records Citizen Identity Birth Death Marriage Divorce Parent Drivers License Voting Other Licensing Health Care Social Insurance Taxation
  25. 25. Almost no effective systems for government-asserted claims about individuals in a trusted digital form
  26. 26. What were the choices? In 2003 when I got started with all this?
  27. 27. ?
  28. 28. Building Identity and Trust into the Next Generation Internet
  29. 29. Underlying this report is the assumption that every individual ought to have the right to control his or her own online identity. You should be able to decide what information about yourself is collected as part of your digital profile, and of that information, who has access to different aspects of it. Certainly, you should be able to read the complete contents of your own digital profile at any time. An online identity should be maintained as a capability that gives the user many forms of control. Without flexible access and control, trust in the system of federated network identity will be minimal.
  30. 30. A digital profile is not treated [by corporations who host them] as the formal extension of the person it represents. But if this crucial data about you is not owned by you, what right do you have to manage its use? A civil society approach to persistent identity is a cornerstone of the Augmented Social Network project.
  31. 31. Big Co. Web 1.0 Web 2.0 Drawn by Johannes Ernst - reflects User-Centric Identity Community Vision
  32. 32. The First Internet Identity Workshop 2005 We gathered together
  33. 33. https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186 You get to have Different Accounts at Every single site you go to.
  34. 34. Back then: Now:
  35. 35. WHO OWNS YOUR SOCIAL GRAPH?
  36. 36. https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186
  37. 37. Relying Party Identity Provider User
  38. 38. https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186 FACEBOOK
  39. 39. How can I own my own digital identity?
  40. 40. Ways you “could” own your own identity: rent a MYURL.COM; a special name-space for people?
  41. 41. IIW #25
  42. 42. Presenting: Self-Sovereign Identity (using the block chain) I think we finally figured it out
  43. 43. https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186
  44. 44. Decentralized IDentifier - DID: did:sov:3k9dg356wdcj5gf2k9bw8kfg7a = Scheme (did) : Method (sov) : Method-Specific Identifier (3k9dg356wdcj5gf2k9bw8kfg7a) Slide credit: Drummond Reed, Sovrin Foundation
  45. 45. did:sov:3k9dg356wdcj5gf2k9bw8kfg7a and its key pair (Private Key, Public Key): 047d599d4521480d9e1919481b024f29d2693f272d19473dbef971d7d529f6e9 and cc2cd0ffde594d278c2d9b432f4748506a7f9f25141e485eb84bc188382019b6 Slide credit: Drummond Reed, Sovrin Foundation
  46. 46. { “Key”: “Value” } DID = Decentralized Identifier; DID Document = JSON-LD document describing the entity identified by the DID Slide credit: Drummond Reed, Sovrin Foundation
  47. 47. The standard elements of a DID doc: 1. DID (for self-description) 2. Set of public keys (for verification) 3. Set of auth protocols (for authentication) 4. Set of service endpoints (for interaction) 5. Timestamp (for audit history) 6. Signature (for integrity) Slide credit: Drummond Reed, Sovrin Foundation
  48. 48. Example DID Document (Part 1): { "@context": "https://w3id.org/did/v1", "id": "did:example:123456789abcdefghi", "publicKey": [{ "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaSigningKey2018", "owner": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n" }], "authentication": [{ "type": "RsaSignatureAuthentication2018", "publicKey": "did:example:123456789abcdefghi#keys-1" }], "service": [{ "type": "ExampleService", "serviceEndpoint": "https://example.com/endpoint/8377464" }], Slide credit: Drummond Reed, Sovrin Foundation
  49. 49. Example DID Document (Part 2): "created": "2002-10-10T17:00:00Z", "updated": "2016-10-17T02:41:00Z", "signature": { "type": "RsaSignature2016", "created": "2016-02-08T16:02:20Z", "creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1", "signatureValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/gi25s=" } } Slide credit: Drummond Reed, Sovrin Foundation
  50. 50. In summary, a DID is… 1. A permanent (persistent) identifier – It never needs to change 2. A resolvable identifier – You can look it up to get metadata 3. A cryptographically-verifiable identifier – You can prove ownership using cryptography 4. A decentralized identifier – No centralized registration authority is required Slide credit: Drummond Reed, Sovrin Foundation
  51. 51. Where does it go? How can I find it if it’s decentralized?
  52. 52. Shared Ledgers
  53. 53. But the Ledgers are Different? They have different DID methods
  54. 54. A DID method specification defines how to read and write a DID (and its DID document) on a specific blockchain or distributed network Slide credit: Drummond Reed, Sovrin Foundation
  55. 55. Active DID Method Specs (Method: DID prefix): Sovrin did:sov:; Bitcoin Reference did:btcr:; Ethereum uPort did:uport:; Blockstack did:stack:; Veres One did:v1:; IPFS did:ipld: Slide credit: Drummond Reed, Sovrin Foundation
  56. 56. A DID Method spec defines… 1. The syntax of the method-specific identifier 2. Any method-specific elements of a DID document 3. The CRUD (Create, Read, Update, Delete) operations on DIDs and DID documents for the target system Slide credit: Drummond Reed, Sovrin Foundation
  57. 57. You can look them up: https://w3c-ccg.github.io/did-method-registry/
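An added example (mine, not code from the slides, the DID spec or any project named here): parsing the three-part DID of slide 44 and running the consistency checks a resolver or verifier should apply to a document shaped like slides 47-49 before trusting its keys. Field names follow the slide's example document; the function and type names are my own, and the parser deliberately does not validate the method-specific identifier's character set, since each DID method defines its own syntax (slide 56).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ParseDID splits did:sov:3k9dg356wdcj5gf2k9bw8kfg7a into "sov" and "3k9dg356wdcj5gf2k9bw8kfg7a".
func ParseDID(did string) (method, id string, err error) {
	p := strings.SplitN(did, ":", 3) // colons inside the identifier stay part of it
	if len(p) != 3 || p[0] != "did" || p[1] == "" || p[2] == "" {
		return "", "", fmt.Errorf("not a valid DID: %q", did)
	}
	return p[1], p[2], nil
}

// DIDDocument keeps only the fields the checks need; other fields are ignored by encoding/json.
type DIDDocument struct {
	ID             string                              `json:"id"`
	PublicKey      []struct{ ID, Type, Owner string } `json:"publicKey"`
	Authentication []struct{ Type, PublicKey string }  `json:"authentication"`
}

// CheckDocument applies the consistency checks a resolver or verifier should make before
// trusting a document: a well-formed subject id, every key owned by that subject and
// identified by a fragment under it, and every authentication entry naming a listed key.
func CheckDocument(raw []byte) (*DIDDocument, error) {
	var doc DIDDocument
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	if _, _, err := ParseDID(doc.ID); err != nil {
		return nil, err
	}
	keys := map[string]bool{}
	for _, k := range doc.PublicKey {
		if k.Owner != doc.ID || !strings.HasPrefix(k.ID, doc.ID+"#") {
			return nil, fmt.Errorf("key %s is not scoped to subject %s", k.ID, doc.ID)
		}
		keys[k.ID] = true
	}
	for _, a := range doc.Authentication {
		if !keys[a.PublicKey] {
			return nil, fmt.Errorf("authentication references unknown key %s", a.PublicKey)
		}
	}
	return &doc, nil
}
```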
  58. 58. Back to the Humans How can they use this?
  59. 59. The decentralized identity “stack” Identity Owners Slide credit: Drummond Reed, Sovrin Foundation
  60. 60. The decentralized identity “stack” Identity Owners Edge Layer Edge Wallet Edge Wallet Edge Agent Edge Agent Slide credit: Drummond Reed, Sovrin Foundation
  61. 61. The decentralized identity “stack” Cloud Layer Cloud Wallet Cloud Wallet Cloud Agent Cloud Agent Identity Owners Edge Layer Edge Wallet Edge Wallet Edge Agent Edge Agent Slide credit: Drummond Reed, Sovrin Foundation
  62. 62. DID Layer The decentralized identity “stack” Cloud Layer Cloud Wallet Cloud Wallet Cloud Agent Cloud Agent Identity Owners Edge Layer Edge Wallet Edge Wallet Edge Agent Edge Agent Slide credit: Drummond Reed, Sovrin Foundation
  63. 63. Public-Private Cryptographic Keys Public Key Infrastructure = PKI
  64. 64. DID Layer The decentralized identity “stack” Cloud Layer Cloud Wallet Cloud Wallet Cloud Agent Cloud Agent Identity Owners Edge Layer Edge Wallet Edge Wallet Edge Agent Edge Agent Encrypted P2P Interaction Slide credit: Drummond Reed, Sovrin Foundation
  65. 65. Directed Identifiers
  66. 66. I get different DIDs for different parts of my life
  67. 67. I get to prove things about myself
  68. 68. Verifiable Credentials
  69. 69. What do we mean by Credential? Slide credit: Manu Sporny, Veres One
  70. 70. W3C Verifiable Credentials. The mission of the W3C Verifiable Claims Working Group: Express credentials on the Web in a way that is cryptographically secure, privacy respecting, and automatically verifiable. Slide credit: Manu Sporny, Veres One
  71. 71. Anatomy of a Verifiable Credential: a Credential Identifier, Credential Metadata, one or more Claims, and the Issuer Signature. Slide credit: Manu Sporny, Veres One
  72. 72. Verifiable Credentials Ecosystem: Issuer (Website) such as a Government or Employer; Holder (Digital Wallet / Personal Data Store) such as a Citizen or Employee; Verifier (Website) such as a Company or Bank. Issuers issue credentials to holders; holders present profiles to verifiers. Slide credit: Manu Sporny, Veres One
  73. 73. HOW DO YOU KNOW IT’S TRUE? Without…
  74. 74. HOW DO YOU KNOW IT’S TRUE? Without…
  75. 75. HOW DO YOU KNOW IT’S TRUE? Without… Phoning Home to Governments or other Institutions that issue Credentials
  76. 76.
  77. 77. Decentralized Identifiers (Identifiers are owned by individuals) on Blockchains / DHTs (Decentralized Ledger): Veres One, Sovrin, Bitcoin, Ethereum, etc. Issuer (Website) such as a Government or Employer; Verifier (Website) such as a Company or Bank; Holder (Digital Wallet / Personal Data Store) such as a Citizen or Employee. Issue Credentials; Present Profiles. Slide credit: Manu Sporny, Veres One
  78. 78. https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186
  79. 79. Issuer / Holder / Verifier: the Issuer signs a claim and issues it to the Holder; the Holder countersigns the claim and presents it to the Verifier; the Verifier verifies the signatures. Decentralized Identifiers (DIDs) on a Public Blockchain or other Decentralized Network; Wallet. Identity Provider / User / Relying Party. Slide credit: Drummond Reed, Sovrin Foundation. Going back to the IdP/Relying Party model from earlier, the roles have new names and the architecture means they operate differently.
  80. 80. https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186
  81. 81. Graphic Co-Created with Kaliya Young and Dan Greening These are the different DID methods, their ledgers, wallets and companies behind them.
  82. 82. A full identity system
  83. 83. Decentralized Identity Foundation
  84. 84. 108
  85. 85. working on: DID Auth
  86. 86. DID Auth is… A simple standard way for a DID owner to authenticate by proving control of a private key Slide credit: Drummond Reed, Sovrin Foundation
  87. 87. DID Layer The decentralized identity “stack” Identity Owners Cloud Layer Cloud Wallet Cloud Wallet Cloud Agent Cloud Agent Edge Layer Edge Wallet Edge Wallet Edge Agent Edge Agent DID Auth Slide credit: Drummond Reed, Sovrin Foundation
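An added example (mine; not code from the slides, Sovrin, Veres One or the W3C group) putting slides 72-79 and 86 together in Go: an in-memory map stands in for the ledger's DID-to-key resolution, and Ed25519 replaces the RSA suites of the example document. The holder answers the verifier's nonce to prove control of their DID (DID Auth), and the verifier checks both that proof and the issuer's signature using ledger-resolved keys alone, never contacting the issuer; all DIDs, claims and the nonce in the test are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Ledger stands in for the shared ledger (slides 52-57): DID -> verification key from its DID document.
type Ledger map[string]ed25519.PublicKey

// Credential is a minimal verifiable credential: issuer DID, subject DID, claims, issuer signature.
type Credential struct {
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	Claims    map[string]string `json:"claims"`
	Signature []byte            `json:"signature,omitempty"`
}

// payload is the signed byte string; encoding/json sorts map keys, so it is canonical.
func (c Credential) payload() []byte {
	b, _ := json.Marshal(Credential{Issuer: c.Issuer, Subject: c.Subject, Claims: c.Claims})
	return b
}

// Issue: the issuer (government, employer) signs claims about the holder's DID.
func Issue(issuerDID string, key ed25519.PrivateKey, subjectDID string, claims map[string]string) Credential {
	c := Credential{Issuer: issuerDID, Subject: subjectDID, Claims: claims}
	c.Signature = ed25519.Sign(key, c.payload())
	return c
}

// VerifyPresentation is the verifier's side of slide 79. nonce must be a fresh random challenge
// the verifier generated for this session; proof is the holder's signature over it (DID Auth,
// slide 86). Both signatures are checked against ledger-resolved keys, so the issuer is never contacted.
func (l Ledger) VerifyPresentation(c Credential, holderDID string, nonce, proof []byte) error {
	holderKey, ok := l[holderDID]
	if !ok || !ed25519.Verify(holderKey, nonce, proof) {
		return errors.New("holder failed DID Auth")
	}
	if c.Subject != holderDID {
		return errors.New("credential was issued to a different DID")
	}
	issuerKey, ok := l[c.Issuer]
	if !ok || !ed25519.Verify(issuerKey, c.payload(), c.Signature) {
		return errors.New("issuer unknown or issuer signature invalid")
	}
	return nil
}
```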
  88. 88. HOW CAN YOU RESOLVE FOR THEM? They are Distributed right?
  89. 89. Building: UNIVERSAL RESOLVER
  90. 90. Differences Between Ledgers
  91. 91. Blockchain Types / Governance (Validation: permissionless vs. permissioned; Access: public vs. private). Public, permissionless: Bitcoin, Ethereum, IOTA, Veres One. Public, permissioned: Sovrin, IPDB. Private, permissionless: Hyperledger Sawtooth*. Private, permissioned: Hyperledger (Fabric, Sawtooth, Iroha), R3 Corda, CU Ledger. * in permissionless mode. Slide credit: Drummond Reed, Sovrin Foundation
  92. 92. SPEED: DID Creation per DID Ledger (Operations / day, Consensus delay). Bitcoin 0.6M / day, ~3,600 seconds; Ethereum 2.1M / day, ~375 seconds; Veres One 18M / day, ~30 seconds; Sovrin 2.6M / day, ? Slide credit: Manu Sporny, Veres One
  93. 93. COST: DID Creation. Bitcoin ~$15-$73; Ethereum ~$4-$14; Veres One* ~$1-$2; Sovrin ? (doing ICO). * Commodity prices guaranteed due to strong downward pressure on operational costs. Slide credit: Manu Sporny, Veres One
  94. 94. The Core Problem, Restated: How does a verifier determine whether they can trust an issuer without the whole world needing to rely on a single root of trust? Slide credit: Drummond Reed, Sovrin Foundation
  95. 95. Sovrin Web of Trust Model: Identity Owner, Trust Anchor, Trust Hub*. * Inspired by the British Columbia Government’s “TheOrgBook” service and concepts from Infocert about the evolution of Certificate Authorities. Slide credit: Drummond Reed, Sovrin Foundation
  96. 96. SWoT Core Design Principles 1. Decentralized – No single root of trust 2. Secure – Immune as possible to gaming and Sybil attacks 3. Privacy-respecting – Identity owners may remain private and yet still prove they are trusted 4. As simple as possible – Everyone can understand it (not just cryptogeeks) Slide credit: Drummond Reed, Sovrin Foundation
  97. 97. Sovrin Web of Trust Roles (Identity Owner / Trust Anchor / Trust Hub): DID: Private / Public / Public. Holds SWoT Claims About Self: Yes / Yes / Yes. Issues SWoT Claims About Other Issuers: No / Yes / Yes. Holds SWoT Claims About Other Issuers: No / No / Yes. Slide credit: Drummond Reed, Sovrin Foundation
  98. 98. In this model, the Sovrin Foundation is simply one Trust Hub for Sovrin stewards—each steward may serve as either a Trust Anchor or a Trust Hub Slide credit: Drummond Reed, Sovrin Foundation
  99. 99. Sovrin Trust Framework; Sovrin Powered Trust Frameworks Slide credit: Drummond Reed, Sovrin Foundation
  100. 100. Build this New Infrastructure With Us
  101. 101. VERES ONE: A Globally Interoperable Blockchain for Identity Slide credit: Manu Sporny, Veres One
  102. 102. VISION: A world where people and organizations create, own, and control their identifiers and their identity data Slide credit: Manu Sporny, Veres One
  103. 103. SOLUTION: Utilize Blockchain technology and multistakeholder governance to create a public good for self-administered identity management. Slide credit: Manu Sporny, Veres One
  104. 104. ECOSYSTEM: Veres One Project Maintainer; Community advises Board of Governors, which ensures proper execution of the mission. Ensures technical operation of the Network and implements new features. Can quickly create identifiers on the Veres One Blockchain. Accelerators provide compute and storage resources that keep the Network secure. Nodes. Pay fees. Manages Rewards. Slide credit: Manu Sporny, Veres One
  105. 105. GLOBAL Slide credit: Manu Sporny, Veres One
  106. 106. Here is Layer 8
  107. 107. Four Emerging Open Standards for SSI: DID (Decentralized Identifier), DKMS (Decentralized Key Management System), DID Auth, Verifiable Credentials Slide credit: Drummond Reed, Sovrin Foundation
  108. 108. Internet Identity Workshop #27 October 23-25 Get Involved Building This Infrastructure
  109. 109. DID Specification Links: Current version https://w3c-ccg.github.io/did-spec/ ; Github Issues https://github.com/w3c-ccg/did-spec/issues/ ; Discussion Forums https://w3c-ccg.github.io/ and http://forum.sovrin.org/c/technical/did ; W3C Verifiable Claims Working Group https://www.w3.org/2017/vc/charter.html
  110. 110. Learn More from Me Get the SSI Scoop bit.ly/ssiscoop kaliya@identitywoman.net
