Identity is Changing:
The rise of Self-Sovereign Identity
Infrastructure using Blockchain
Kaliya Young
InteropITX May 2, 2018

What is Infrastructure?
What are Standards? Protocols?
Some Early Identity Efforts
MAIN ACT: Self-Sovereign Identity
Questions
Outline

Physical Infrastructure
Roman Roads

Physical Infrastructure
Roman Roads
Centralized Road System in 1850
Book about their impact : Roads to Power

Europe in 1850

Time Infrastructure

Time Infrastructure
Before 1883 Every City had its own Time

Standard
Time

Standard
Time

Communications Infrastructure
Telegraph

Telegraph
Cables in
Europe

Telegraph
Cables
Globally

1865
International Telecommunications
Union Formed

Internet Infrastructure

What really makes it work?
Standards & Protocols

Where is Layer 8?

What are the Protocols for People?

Don’t we have protocols for
this already……

Employers
Have Employees
Enterprise Identity
Enterprise Single Sign On
Provisioning
Authentication - AuthN

Employers
Have Employees Contractors
Business Partners
Enterprise Identity

Provisioning
Termination
Enterprise Identity
Access Control
Authorization - AuthZ
Roles
Attributes
Authentication - AuthN

Directory Wars of the 1990s
LDAP

Development of SAML
New Protocols like SCIM
SSO with the enterprise
Enterprise Federation between them

Civic Records
Citizen Identity
Birth
Death
Marriage
Divorce
Parent
Drivers License
Voting
Other Licensing
Health Care
Social Insurance
Taxation

Almost no effective systems for government asserted claim
about in a trusted digital form

What were the choices?
In 2003 when I got started with all this?

?

Building Identity and
Trust into the Next
Generation Internet

Underlying this report is the assumption that every individual ought
to have the right to control his or her own online identity. You should
be able to decide what information about yourself is collected as part
of your digital profile, and of that information, who has access to
different aspects of it. Certainly, you should be able to read the
complete contents of your own digital profile at any time. An online
identity should be maintained as a capability that gives the user many
forms of control. Without flexible access and control, trust in the
system of federated network identity will be minimal.

A digital profile is not treated [by corporations who host
them] as the formal extension of the person it represents.
But if this crucial data about you is not owned by you,
what right do you have to manage its use?
A civil society approach to persistent identity is a
cornerstone of the Augmented Social Network project.

Big Co.
Web 1.0 Web 2.0
Drawn by Johannes Earnst - reflects User-Centric Identity Community Vision

The Frist Internet Identity Workshop 2005
We gathered together

https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186
You get to have Different Accounts at Every single site you go to.

Back then:
Now:

WHO OWNES YOUR SOCIAL GRAPH?

https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186

Relying Party
Identity Provider
User

https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186
FACEBOOK

How can I own my own
digital identity?

RENT-A
MYURL.COM
#
** Special NAME-SPACE
for People? **
Ways you “could” own your own identity:

IIW #25

Presenting:
Self-Sovereign
Identity
(using the block chain)
I think we finally figured it out

https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186

Decentralized IDentifier - DID
did:sov:3k9dg356wdcj5gf2k9bw8kfg7a
Method
Scheme
Method-Specific Identifier
Slide credit: Drummond Reed, Sovrin Foundation

did:sov:3k9dg356wdcj5gf2k9bw8kfg7a
047d599d4521480d9e1919481b024f29d2693f2
72d19473dbef971d7d529f6e9
Private
Key
Public
Key
cc2cd0ffde594d278c2d9b432f4748506a7f9f2
5141e485eb84bc188382019b6
Slide credit: Drummond Reed, Sovrin Foundation

67
{ “Key”: “Value” }
DID
Decentralized
Identifier
DID Document
JSON-LD document
describing the
entity identified by
the DID
Slide credit: Drummond Reed, Sovrin Foundation

1. DID (for self-description)
2. Set of public keys (for verification)
3. Set of auth protocols (for authentication)
4. Set of service endpoints (for interaction)
5. Timestamp (for audit history)
6. Signature (for integrity)
68
The standard elements of a DID doc
Slide credit: Drummond Reed, Sovrin Foundation

Example DID Document (Part 1)
69
{
"@context": "https://w3id.org/did/v1",
"id": "did:example:123456789abcdefghi",
"publicKey": [{
"id": "did:example:123456789abcdefghi#keys-1",
"type": "RsaSigningKey2018",
"owner": "did:example:123456789abcdefghi",
"publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----rn"
}],
"authentication": [{
"type": "RsaSignatureAuthentication2018",
"publicKey": "did:example:123456789abcdefghi#keys-1"
}],
"service": [{
"type": "ExampleService",
"serviceEndpoint": "https://example.com/endpoint/8377464"
}],
Slide credit: Drummond Reed, Sovrin Foundation

Example DID Document (Part 2)
70
"created": "2002-10-10T17:00:00Z",
"updated": "2016-10-17T02:41:00Z",
"signature": {
"type": "RsaSignature2016",
"created": "2016-02-08T16:02:20Z",
"creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1",
"signatureValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0
yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/
gi25s="
}
}
Slide credit: Drummond Reed, Sovrin Foundation

In summary, a DID is…
1. A permanent (persistent) identifier
– It never needs to change
2. A resolvable identifier
– You can look it up to get metadata
3. A cryptographically-verifiable identifier
– You can prove ownership using cryptography
4. A decentralized identifier
– No centralized registration authority is required
71Slide credit: Drummond Reed, Sovrin Foundation

Where does it go?
How can I find it if its Decentralized?

Shared Ledgers

But the Ledgers are
Different?
They have different
DID methods

75
A DID method specification
defines how to read and write
a DID (and its DID document)
on a specific blockchain or
distributed network
Slide credit: Drummond Reed, Sovrin Foundation

76
Method DID prefix
Sovrin did:sov:
Bitcoin Reference did:btcr:
Ethereum uPort did:uport:
Blockstack did:stack:
Veres One did:v1:
IPFS did:ipld:
Active DID Method Specs
Slide credit: Drummond Reed, Sovrin Foundation

1. The syntax of the method-specific identifier
2. Any method-specific elements of a
DID document
3. The CRUD (Create, Read, Update, Delete)
operations on DIDs and DID documents for
the target system
77
A DID Method spec defines…
Slide credit: Drummond Reed, Sovrin Foundation

You can look them up
https://w3c-ccg.github.io/
did-method-registry/

Back to the Humans
How can they use this?

The decentralized identity “stack”
Identity Owners
Slide credit: Drummond Reed, Sovrin Foundation

The decentralized identity “stack”
Identity Owners
Edge Layer
Edge Wallet Edge Wallet
Edge Agent Edge Agent
Slide credit: Drummond Reed, Sovrin Foundation

The decentralized identity “stack”
Cloud Layer
Cloud Wallet Cloud Wallet
Cloud Agent Cloud Agent
Identity Owners
Edge Layer
Edge Wallet Edge Wallet
Edge Agent Edge Agent
Slide credit: Drummond Reed, Sovrin Foundation

DID Layer
The decentralized identity “stack”
Cloud Layer
Cloud Wallet Cloud Wallet
Cloud Agent Cloud Agent
Identity Owners
Edge Layer
Edge Wallet Edge Wallet
Edge Agent Edge Agent
Slide credit: Drummond Reed, Sovrin Foundation

Public-Private Cryptographic Keys
Public Key Infrastructure = PKI

DID Layer
The decentralized identity “stack”
Cloud Layer
Cloud Wallet Cloud Wallet
Cloud Agent Cloud Agent
Identity Owners
Edge Layer
Edge Wallet Edge Wallet
Edge Agent Edge Agent
Encrypted P2P Interaction
Slide credit: Drummond Reed, Sovrin Foundation

Directed Identifiers

I get different DIDs for
different parts of my life

I get to prove things
about my self

Verifiable Credentials

What do we mean by Credential?
93Slide credit: Manu Sporny Veres One

W3C Verifiable Credentials
94
The mission of the W3C Verifiable Claims Working Group:
Express credentials on the Web in
a way that is cryptographically
secure, privacy respecting, and
automatically verifiable.Slide credit: Manu Sporny Veres One

Anatomy of a Verifiable Credential
Verifiable Credential
Issuer Signature
ClaimsClaimsClaims
Credential Identifier
Credential MetadataCredential MetadataCredential Metadata
95
Slide credit: Manu Sporny Veres One

Verifiable Credentials Ecosystem
96
Issuer
(Website)
Government,
Employer, etc.
Verifier
(Website)
Company,
Bank, etc.
Holder
(Digital Wallet /
Personal Data Store)
Citizen, Employee,
etc.
Issue
Credentials
Present
Profiles
Slide credit: Manu Sporny Veres One

HOW DO YOU KNOW ITS TRUE?
Without…

HOW DO YOU KNOW ITS TRUE?
Without…

HOW DO YOU KNOW ITS TRUE?
Without…
Phoning Home to Governments or other Institutions that issue Credentials

100

Decentralized Identifiers
101
Decentralized Identifiers
(Identifiers are owned by individuals)
Blockchains / DHTs
(Decentralized Ledger)
Veres One, Sovrin, Bitcoin, Ethereum, etc.
Issuer
(Website)
Government, Employer,
etc.
Verifier
(Website)
Company, Bank, etc.
Holder
(Digital Wallet /
Personal Data Store)
Citizen, Employee, etc.
Issue
Credentials
Present
Profiles
Slide credit: Manu Sporny Veres One

https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186

HolderIssuer Verifier
Issues
Claim
Presents
Claim
Decentralized Identifiers (DIDs)
Public Blockchain or other Decentralized Network
Signs
Claim
Countersigns
Claim
Verifies
Signatures
Wallet
Relying PartyIdentity Provider User
Slide credit: Drummond Reed, Sovrin Foundation
Going back to the IdP/Relying party model from earlier the roles have new names
and the architecture means they operate differently.

https://medium.com/evernym/the-three-models-of-digital-identity-relationships-ca0727cb5186

Graphic Co-Created with Kaliya Young and Dan Greening
These are the different DID methods, their ledgers,
wallets and companies behind them.

A full identity system

Decentralized Identity Foundation

108

working on:
DID Auth

110
A simple standard way for a
DID owner to authenticate by
proving control of a
private key
DID Auth is…
Slide credit: Drummond Reed, Sovrin Foundation

DID Layer
The decentralized identity “stack”
Identity Owners
Cloud Layer
Cloud Wallet Cloud Wallet
Cloud Agent Cloud Agent
Edge Layer
Edge Wallet Edge Wallet
Edge Agent Edge Agent
DID Auth
Slide credit: Drummond Reed, Sovrin Foundation

HOW CAN YOU RESOLVE FOR THEM?
They are Distributed right?

Building:
UNIVERSAL RESOLVER

Differences Between
Ledgers

Bitcoin,
Ethereum, IOTA,
Veres One
Permissionless Permissioned
Public
Private
Validation
Access
Hyperledger Sawtooth*
Sovrin,
IPDB
Hyperledger (Fabric,
Sawtooth, Iroha),
R3 Corda,
CU Ledger
Blockchain Types / Governance
* in permissionless mode
115Slide credit: Drummond Reed, Sovrin Foundation

SPEED
116
DID Creation
DID Ledger Operations / day Consensus delay
Bitcoin 0.6M / day ~3,600 seconds
Ethereum 2.1M / day ~375 seconds
Veres One 18M / day ~30 seconds
Sovrin 2.6M / day ?
Slide credit: Manu Sporny Veres One

COST
117
DID Creation
Bitcoin ~$15-$73
Ethereum ~$4-$14
Veres One* ~$1-$2
Sovrin ? doing ICO
* Commodity prices guaranteed due to strong downward pressure on operational costs
Slide credit: Manu Sporny Veres One

The Core Problem, Restated
119
How does a verifier determine
whether they can trust an issuer
without the whole world needing
to rely on a single root of trust?
Slide credit: Drummond Reed, Sovrin Foundation

120
Sovrin Web of Trust Model
Identity Owner Trust Anchor Trust Hub*
* Inspired by the British Columbia Government’s “TheOrgBook” service
and concepts from Infocert about the evolution of Certificate
Authorities
Slide credit: Drummond Reed, Sovrin Foundation

SWoT Core Design Principles
1. Decentralized
– No single root of trust
2. Secure
– Immune as possible to gaming and Sybil attacks
3. Privacy-respecting
– Identity owners may remain private and yet still
prove they are trusted
4. As simple as possible
– Everyone can understand it (not just cryptogeeks)
121
Slide credit: Drummond Reed, Sovrin Foundation

Sovrin Web of Trust Roles
122
Identity Owner Trust Anchor Trust Hub
DID Private Public Public
Holds SWoT Claims
About Self
Yes Yes Yes
Issues SWoT Claims
About Other Issuers
No Yes Yes
Holds SWoT Claims
About Other Issuers
No No Yes
Slide credit: Drummond Reed, Sovrin Foundation

123
In this model, the Sovrin
Foundation is simply one Trust
Hub for Sovrin stewards—
each steward may serve as either a
Trust Anchor or a Trust Hub
Slide credit: Drummond Reed, Sovrin Foundation

124
Sovrin Trust
Framework
Sovrin
Powered
Trust
Frameworks
Slide credit: Drummond Reed, Sovrin Foundation

Build this New Infrastructure With Us

127
VERES ONE
A Globally Interoperable
Blockchain for Identity
Slide credit: Manu Sporny Veres One

A world where people and organizations
create, own, and control their identifiers
and their identity data
VISION
128Slide credit: Manu Sporny Veres One

129
Utilize Blockchain technology and
multistakeholder governance to create a public
good for self-administered identity management.
SOLUTION
Slide credit: Manu Sporny Veres One

130
ECOSYSTEM
Veres One Project
Maintainer
Community advises Board
of Governors, which
ensures proper execution
of the mission.
Ensures technical operation
of the Network and
implements new
features.
Can quickly create
identifiers on the Veres One
Blockchain.
Accelerators
provide compute and
storage resources that keep
the Network
secure.
Nodes
Pay fees
Manages
Rewards
Slide credit: Manu Sporny Veres One

GLOBAL
131Slide credit: Manu Sporny Veres One

Here is Layer 8

Four Emerging Open Standards for SSI
DID (Decentralized Identifier)
DKMS (Decentralized Key Management
System)
DID Auth
Verifiable Credentials
Slide credit: Drummond Reed, Sovrin Foundation

Internet Identity Workshop
#27 October 23-25
Get Involved Building This Infrastructure

135
DID Specification Links
Current version https://w3c-ccg.github.io/did-spec/
Github Issues https://github.com/w3c-ccg/did-spec/issues/
Discussion Forums
https://w3c-ccg.github.io/
http://forum.sovrin.org/c/technical/did
• W3C Verifiable Claims Working Group
– https://www.w3.org/2017/vc/charter.html

Learn More from Me
Get the SSI Scoop
bit.ly/ssiscoop
kaliya@identitywoman.net