Identity can seem deceptively simple. We know who we are. Sometimes we have to convince others of that fact and confirm other characteristics: our age, our qualifications, or our right to access some services or tools. This happens every day over the Internet, but in ways that are disorganized, redundant, and risky. The lack of reliable, universal standards puts our private information at risk of public dissemination, fraud or worse.
The pioneers developing the internet didn’t define nuanced standards for identity -- almost everything was just usernames and passwords. Over the past 20 years we have seen a range of standards that solve some identity challenges, including SAML, LDAP, OpenID Connect, OAuth, SCIM, Information Cards, and FIDO. None of them has comprehensively addressed the challenge of identity at internet scale.
A new set of standards is emerging that creates an infrastructure for self-sovereign identity that can scale. This talk looks forward to help you think ahead and prepare for this new infrastructure. We will walk through standards that together create a new identity infrastructure that leverages the blockchain. This isn’t about what you can implement tomorrow to solve your employee identity challenges or manage customer accounts. It will instead prepare you for the coming changes and help you play a role in shaping them.
43. Underlying this report is the assumption that every individual ought
to have the right to control his or her own online identity. You should
be able to decide what information about yourself is collected as part
of your digital profile, and of that information, who has access to
different aspects of it. Certainly, you should be able to read the
complete contents of your own digital profile at any time. An online
identity should be maintained as a capability that gives the user many
forms of control. Without flexible access and control, trust in the
system of federated network identity will be minimal.
44. A digital profile is not treated [by corporations who host
them] as the formal extension of the person it represents.
But if this crucial data about you is not owned by you,
what right do you have to manage its use?
A civil society approach to persistent identity is a
cornerstone of the Augmented Social Network project.
45. [Diagram: Big Co. / Web 1.0 / Web 2.0]
Drawn by Johannes Ernst - reflects the User-Centric Identity Community vision
67. DID (Decentralized Identifier) -> DID Document
The relationship is like a { "Key": "Value" } pair: the DID is the key, and the DID Document is the value, a JSON-LD document describing the entity identified by the DID.
Slide credit: Drummond Reed, Sovrin Foundation
68. The standard elements of a DID doc
1. DID (for self-description)
2. Set of public keys (for verification)
3. Set of auth protocols (for authentication)
4. Set of service endpoints (for interaction)
5. Timestamp (for audit history)
6. Signature (for integrity)
Slide credit: Drummond Reed, Sovrin Foundation
69. Example DID Document (Part 1)
{
  "@context": "https://w3id.org/did/v1",
  "id": "did:example:123456789abcdefghi",
  "publicKey": [{
    "id": "did:example:123456789abcdefghi#keys-1",
    "type": "RsaSigningKey2018",
    "owner": "did:example:123456789abcdefghi",
    "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n"
  }],
  "authentication": [{
    "type": "RsaSignatureAuthentication2018",
    "publicKey": "did:example:123456789abcdefghi#keys-1"
  }],
  "service": [{
    "type": "ExampleService",
    "serviceEndpoint": "https://example.com/endpoint/8377464"
  }]
}
Slide credit: Drummond Reed, Sovrin Foundation
71. In summary, a DID is…
1. A permanent (persistent) identifier
– It never needs to change
2. A resolvable identifier
– You can look it up to get metadata
3. A cryptographically-verifiable identifier
– You can prove ownership using cryptography
4. A decentralized identifier
– No centralized registration authority is required
Slide credit: Drummond Reed, Sovrin Foundation
72. Where does it go?
How can I find it if it's decentralized?
74. But the ledgers are different?
They have different DID methods.
75. A DID method specification defines how to read and write a DID (and its DID document) on a specific blockchain or distributed network.
Slide credit: Drummond Reed, Sovrin Foundation
76. Active DID Method Specs
Method              DID prefix
Sovrin              did:sov:
Bitcoin Reference   did:btcr:
Ethereum uPort      did:uport:
Blockstack          did:stack:
Veres One           did:v1:
IPFS                did:ipld:
Slide credit: Drummond Reed, Sovrin Foundation
77. A DID Method spec defines…
1. The syntax of the method-specific identifier
2. Any method-specific elements of a DID document
3. The CRUD (Create, Read, Update, Delete) operations on DIDs and DID documents for the target system
Slide credit: Drummond Reed, Sovrin Foundation
78. You can look them up in the DID method registry:
https://w3c-ccg.github.io/did-method-registry/
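As an added Go example, not from the slides or from any DID project's code, the checks a verifier can run on a DID and on a DID document like the one on slide 69 before trusting any key in it. The method table is a constructed copy of the slide 76 prefixes, so the slide's own did:example identifier is reported as unregistered; the DID syntax regex and the field subset are simplifications assumed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)
// Constructed table of the method prefixes on the slide; a real resolver consults the DID method registry.
var methods = map[string]string{"sov": "Sovrin", "btcr": "Bitcoin Reference", "uport": "Ethereum uPort",
	"stack": "Blockstack", "v1": "Veres One", "ipld": "IPFS"}
var didRe = regexp.MustCompile(`^did:([a-z0-9]+):([A-Za-z0-9._-]+)$`)
// ParseDID splits "did:<method>:<method-specific-id>"; only a registered method's spec says how to resolve it.
func ParseDID(did string) (method, id string, err error) {
	m := didRe.FindStringSubmatch(did)
	if m == nil || methods[m[1]] == "" {
		return "", "", fmt.Errorf("malformed DID or unregistered method: %q", did)
	}
	return m[1], m[2], nil
}
// DIDDoc is the subset of the slide's document CheckDoc uses; encoding/json maps "id", "publicKey" etc. case-insensitively.
type DIDDoc struct {
	ID             string
	PublicKey      []struct{ ID, Type, Owner string }
	Authentication []struct{ Type, PublicKey string }
}
// CheckDoc lists the structural problems a verifier should reject a DID document for before trusting any key
// in it: bad or unregistered id, a key not owned by and anchored to that DID, or an authentication entry naming a missing key.
func CheckDoc(raw []byte) (problems []string, err error) {
	var d DIDDoc
	if err = json.Unmarshal(raw, &d); err != nil {
		return nil, err
	}
	if _, _, e := ParseDID(d.ID); e != nil {
		problems = append(problems, e.Error())
	}
	keys := map[string]bool{}
	for _, k := range d.PublicKey {
		keys[k.ID] = true
		if k.Owner != d.ID || !strings.HasPrefix(k.ID, d.ID+"#") {
			problems = append(problems, "key "+k.ID+" is not owned by and anchored to "+d.ID)
		}
	}
	for _, a := range d.Authentication {
		if !keys[a.PublicKey] {
			problems = append(problems, "authentication references a key not in the document: "+a.PublicKey)
		}
	}
	return problems, nil
}
```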
93. What do we mean by Credential?
Slide credit: Manu Sporny, Veres One
94. W3C Verifiable Credentials
The mission of the W3C Verifiable Claims Working Group: express credentials on the Web in a way that is cryptographically secure, privacy respecting, and automatically verifiable.
Slide credit: Manu Sporny, Veres One
95. Anatomy of a Verifiable Credential
[Diagram] A Verifiable Credential is made up of: a Credential Identifier, Credential Metadata (one or more entries), Claims (one or more), and the Issuer Signature over all of it.
Slide credit: Manu Sporny, Veres One
101. Decentralized Identifiers
[Diagram] Decentralized Identifiers (identifiers are owned by individuals) are anchored on Blockchains / DHTs (decentralized ledgers): Veres One, Sovrin, Bitcoin, Ethereum, etc.
Issuer (website): Government, Employer, etc. Issues credentials to the Holder.
Holder (digital wallet / personal data store): Citizen, Employee, etc. Presents profiles to the Verifier.
Verifier (website): Company, Bank, etc.
Slide credit: Manu Sporny, Veres One
103. Issuer / Holder / Verifier
[Diagram] The Issuer (the former Identity Provider) signs a claim and issues it to the Holder (the former User), who keeps it in a wallet. The Holder countersigns the claim and presents it to the Verifier (the former Relying Party). The Verifier verifies the signatures. All three parties are identified by Decentralized Identifiers (DIDs) anchored on a public blockchain or other decentralized network.
Slide credit: Drummond Reed, Sovrin Foundation
Going back to the IdP/relying-party model from earlier: the roles have new names, and the architecture means they operate differently.
110. DID Auth is…
A simple standard way for a DID owner to authenticate by proving control of a private key.
Slide credit: Drummond Reed, Sovrin Foundation
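The issue / present / verify flow of slide 103 combined with the DID Auth step above, as an added Go example that is not part of the deck or of any SSI implementation. It assumes ed25519 keys, a local map standing in for DID resolution, and message layouts constructed for this example rather than taken from any standard.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Ledger is a constructed stand-in for DID resolution: DID -> the "authentication" key in its DID document.
type Ledger map[string]ed25519.PublicKey
// Credential holds the issuer's claims about the subject (the holder's DID).
type Credential struct {
	Issuer, Subject string
	Claims          map[string]string
}
// Presentation: the credential, the issuer's signature over it, and the DID Auth
// response, the holder's signature over (issuer signature || verifier nonce).
type Presentation struct {
	Cred                        Credential
	IssuerSig, Nonce, HolderSig []byte
}
// canon is what the issuer signs; encoding/json sorts map keys, so it is stable.
func canon(c Credential) []byte { b, _ := json.Marshal(c); return b }
// authMsg binds the proof of key control to one credential and one session.
func authMsg(sig, nonce []byte) []byte { return append(append([]byte{}, sig...), nonce...) }
// Issue: the issuer signs the credential with the private key behind its DID.
func Issue(c Credential, issuerKey ed25519.PrivateKey) []byte { return ed25519.Sign(issuerKey, canon(c)) }

// Present: the holder answers the verifier's nonce with the subject DID's key.
func Present(c Credential, issuerSig, nonce []byte, holderKey ed25519.PrivateKey) Presentation {
	return Presentation{c, issuerSig, nonce, ed25519.Sign(holderKey, authMsg(issuerSig, nonce))}
}

// Verify checks freshness (nonce), integrity and origin (issuer signature) and
// possession (holder signature). Whether to *trust* the issuer is a separate policy.
func Verify(l Ledger, p Presentation, expectedNonce []byte) error {
	if len(expectedNonce) == 0 || string(p.Nonce) != string(expectedNonce) {
		return errors.New("nonce mismatch: stale or replayed presentation")
	}
	issuerPub, holderPub := l[p.Cred.Issuer], l[p.Cred.Subject]
	if issuerPub == nil || holderPub == nil {
		return errors.New("issuer or subject DID does not resolve")
	}
	if !ed25519.Verify(issuerPub, canon(p.Cred), p.IssuerSig) {
		return errors.New("issuer signature invalid: credential altered or forged")
	}
	if !ed25519.Verify(holderPub, authMsg(p.IssuerSig, p.Nonce), p.HolderSig) {
		return errors.New("holder signature invalid: presenter does not control subject DID")
	}
	return nil
}
```

Verify rejects a replayed presentation (stale nonce), altered claims carrying the original issuer signature, and a credential presented by someone who does not hold the subject DID's key.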
111. The decentralized identity "stack"
[Diagram, shown for two parties]
DID Layer: Identity Owners
Cloud Layer: Cloud Wallet and Cloud Agent
Edge Layer: Edge Wallet and Edge Agent
DID Auth (labelled on the link between the two parties)
Slide credit: Drummond Reed, Sovrin Foundation
112. HOW CAN YOU RESOLVE FOR THEM?
They are distributed, right?
115. Blockchain Types / Governance
Validation (rows) by Access (columns):
                  Public                                Private
Permissionless    Bitcoin, Ethereum, IOTA, Veres One    Hyperledger Sawtooth*
Permissioned      Sovrin, IPDB                          Hyperledger (Fabric, Sawtooth, Iroha), R3 Corda, CU Ledger
* in permissionless mode
Slide credit: Drummond Reed, Sovrin Foundation
116. SPEED
DID Ledger   DID Creation Operations / day   Consensus delay
Bitcoin      0.6M / day                      ~3,600 seconds
Ethereum     2.1M / day                      ~375 seconds
Veres One    18M / day                       ~30 seconds
Sovrin       2.6M / day                      ?
Slide credit: Manu Sporny, Veres One
117. COST
DID Ledger   DID Creation
Bitcoin      ~$15-$73
Ethereum     ~$4-$14
Veres One*   ~$1-$2
Sovrin       ? doing ICO
* Commodity prices guaranteed due to strong downward pressure on operational costs
Slide credit: Manu Sporny, Veres One
119. The Core Problem, Restated
How does a verifier determine whether they can trust an issuer without the whole world needing to rely on a single root of trust?
Slide credit: Drummond Reed, Sovrin Foundation
120. Sovrin Web of Trust Model
[Diagram] Identity Owner -> Trust Anchor -> Trust Hub*
* Inspired by the British Columbia Government’s “TheOrgBook” service and concepts from Infocert about the evolution of Certificate Authorities
Slide credit: Drummond Reed, Sovrin Foundation
121. SWoT Core Design Principles
1. Decentralized
– No single root of trust
2. Secure
– Immune as possible to gaming and Sybil attacks
3. Privacy-respecting
– Identity owners may remain private and yet still prove they are trusted
4. As simple as possible
– Everyone can understand it (not just cryptogeeks)
Slide credit: Drummond Reed, Sovrin Foundation
122. Sovrin Web of Trust Roles
                                          Identity Owner   Trust Anchor   Trust Hub
DID                                       Private          Public         Public
Holds SWoT claims about self              Yes              Yes            Yes
Issues SWoT claims about other issuers    No               Yes            Yes
Holds SWoT claims about other issuers     No               No             Yes
Slide credit: Drummond Reed, Sovrin Foundation
123. In this model, the Sovrin Foundation is simply one Trust Hub for Sovrin stewards: each steward may serve as either a Trust Anchor or a Trust Hub.
Slide credit: Drummond Reed, Sovrin Foundation
127. VERES ONE
A Globally Interoperable Blockchain for Identity
Slide credit: Manu Sporny, Veres One
128. VISION
A world where people and organizations create, own, and control their identifiers and their identity data.
Slide credit: Manu Sporny, Veres One
129. SOLUTION
Utilize Blockchain technology and multistakeholder governance to create a public good for self-administered identity management.
Slide credit: Manu Sporny, Veres One
130. ECOSYSTEM
[Diagram]
Veres One Project: the community advises the Board of Governors, which ensures proper execution of the mission.
Maintainer: ensures technical operation of the Network and implements new features.
Accelerators: can quickly create identifiers on the Veres One Blockchain.
Nodes: provide compute and storage resources that keep the Network secure.
(Edge labels in the diagram: Pay fees, Manages, Rewards.)
Slide credit: Manu Sporny, Veres One
133. Four Emerging Open Standards for SSI
DID (Decentralized Identifier)
DKMS (Decentralized Key Management System)
DID Auth
Verifiable Credentials
Slide credit: Drummond Reed, Sovrin Foundation
135. DID Specification Links
Current version: https://w3c-ccg.github.io/did-spec/
GitHub issues: https://github.com/w3c-ccg/did-spec/issues/
Discussion forums:
• https://w3c-ccg.github.io/
• http://forum.sovrin.org/c/technical/did
• W3C Verifiable Claims Working Group
– https://www.w3.org/2017/vc/charter.html
136. Learn More from Me
Get the SSI Scoop
bit.ly/ssiscoop
kaliya@identitywoman.net