SSI: The New Paradigm
INTERNET IDENTITY WORKSHOP | May 2019
Kim Hamilton Duffy & Heather Vescent
Who are we?
Kim Hamilton Duffy
• Co-Chair, W3C Credentials
Community Group
• Principal Architect, Blockcerts
• Lead Developer, BTCR Method
• Steering Committee, RWOT & DIF
• @kimdhamilton
Heather Vescent
• CEO, The Purple Tornado
Strategic Intelligence Consultancy
• Author, SSI Report
• Author, Cyber Attack Survival Manual
• Researcher, Future of…
• Filmmaker, 14 Films
• @heathervescent
How we got into SSI
Kim Hamilton Duffy
• Blockcerts
– jointly developed by Learning Machine
and MIT Media Lab
– Open source, open standard
ecosystem
– Recipient-owned, long-lived,
blockchain-anchored credentials
• Open Badges and Verifiable
Credential Alignment
• DID Method Specification
implementation
Heather Vescent
• Account Linking & SNS@AOL in 00s
• Digital Asset Grid – SWIFT
– Scenario Films
• IIW for over a decade
– IIW Films
• CCG W3C Group
• SSI Report
Agenda
• Identity Models
• Glance at DIDs
• Emerging standards of the SSI stack
• Example DID Method: BTCR
• Recap + Ecosystem
• Use Cases
• Q&A
Identity remains an unsolved problem
Digital identity has been one of the biggest problems of the Internet, and while there have been many solutions developed over the decades, it remains an unsolved problem.
“The Internet was not built with an identity layer.”
– Kim Cameron, Identity Architect, Microsoft & Author, 7 Laws of Identity
IDENTITY MODELS
Centralized Identity
Standards:
Federated Identity
Solutions create new problems
• Centralized data is an attack surface
• Username/password is insecure
• Who owns the data?
• Hard to delegate and share data
• No user control over how data is secured
(or notified if there is a breach)
An idea ahead of its time:
Digital Asset Grid
Slices of Life, short film
• SWIFT, 2012 https://vimeo.com/52354667
Securely share verified data
Introducing Self Sovereign Identity
“A decentralized identity layer that gives individuals and companies the ability to assert their own identity, ask for and receive credentials from companies, governments and educational institutions, and securely and privately share data.”
– A Comprehensive Guide to Self Sovereign Identity
Self Sovereign Identity
A layer of standards and protocols used to
implement a common technology language.
• Assert an identity (DID)
• Ask for & receive credentials (VC)
• Securely share data (PKI)
Converging Technologies
• Distributed Ledgers
• Decentralized Identifiers (DIDs)
• Personal Cloud Computing
• DPKI Infrastructure
• Smart Phones
DECENTRALIZED IDENTIFIERS (DIDS)
Fundamental Building Blocks of the SSI Stack
What is a Decentralized Identifier?
• New type of identifier for verifiable, "self-sovereign" digital identity
• Fully under the control of the DID subject, enabling independence from any
specific:
– centralized registry
– identity provider
– certificate authority
• URL enabling trustable interactions with DID subject
DIDs and DID Documents
• DIDs resolve to DID Documents
• DID Documents contain verification methods and service endpoints for interacting with
the DID subject
• A verification method is a way of verifying a particular type of DID interaction, such as:
– performing authentication
– securing a service endpoint
DID Document
{
  "@context": "https://w3id.org/did/v1",
  "id": "did:example:123456789abcdefghi",
  "publicKey": [{
    "id": "did:example:123456789abcdefghi#keys-1",
    "type": "RsaSigningKey2018",
    "owner": "did:example:123456789abcdefghi",
    "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n"
  }],
  "authentication": [{
    "type": "RsaSignatureAuthentication2018",
    "publicKey": "did:example:123456789abcdefghi#keys-1"
  }],
  "service": [{
    "type": "ExampleService",
    "serviceEndpoint": "https://example.com/endpoint/8377464"
  }],
  "created": "2002-10-10T17:00:00Z",
  "updated": "2016-10-17T02:41:00Z",
  "proof": {
    "type": "RsaSignature2018",
    "created": "2016-02-08T16:02:20Z",
    "creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1",
    "proofValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/gi25s="
  }
}
DID Document – DID
DID Document – public key
DID Document – service endpoint
DID Document – date
DID Document – proof
A wallet putting a DID & DID Doc on a Ledger
No PII on the Blockchain
Where is the PII?
STANDARDS & SPECIFICATIONS
Under Incubation
Incubation Pipeline
• Ideas (2-10 years)
• Incubation (6-18 months)
• Refinement (1-3 years)
• Standardization (~18-24 months)
Conversations → Papers → Experiments, Specifications, & Pilots → Standards
W3C Community Groups, Rebooting the Web of Trust
Highlighted SSI Standards and Specs (Incubating)
At various phases in the incubation pipeline
Decentralized Identifiers
• DID Specification: Common data model, format, and operations
• DID Method Specs: Rules for how a DID is registered, resolved, updated, and revoked on a specific ledger or network
• Universal Resolver: How to look up a DID Document from a DID
• DID Auth: How to authenticate with a DID
Verifiable Credentials
• Credentials associated with a subject and an issuer
DID Specification
DID (example: did:btcr:8kyt-fzzq-qqqq-ase0-d8) → DID Document
DIDs Resolve to DID Documents
1. Public Key Material
2. Authentication Mechanisms
3. Service Discovery
{
  "@context": "https://w3id.org/veres-one/v1",
  "id": "did:v1:nym:DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD",
  "publicKey": [{
    "id": "did:v1:test:nym:DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD#authn-key-1",
    "type": "Ed25519VerificationKey2018",
    "publicKeyBase58": "DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD"
  }],
  "authentication": [{
    "type": "Ed25519SignatureAuthentication2018",
    "publicKey": "did:v1:test:nym:DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD#authn-key-1"
  }],
  "service": [{
    "type": "ExampleMessagingService2018",
    "serviceEndpoint": "https://example.com/services/messages"
  }],
  … more DID-specific information here …
}
DID Method Spec
Veres One:
{
  "@context": "https://w3id.org/veres-one/v1",
  "id": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv",
  "publicKey": [{
    "id": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#authn-key-1",
    "type": "Ed25519VerificationKey2018",
    "owner": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv",
    "publicKeyBase58": "5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv"
  }, {
    "id": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#ocap-grant-key-1",
    ...
  }, {
    "id": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#ocap-invoke-key-1",
    ...
  }],
  "authentication": [{
    "type": "Ed25519SignatureAuthentication2018",
    "publicKey": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#authn-key-1"
  }],
  "grantCapability": [{
    "type": "Ed25519SignatureCapabilityAuthorization2018",
    "publicKey": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#ocap-grant-key-1"
  }],
  "invokeCapability": [{
    "type": "Ed25519SignatureCapabilityAuthorization2018",
    "publicKey": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#ocap-invoke-key-1"
  }]
}
ETHR:
{
  "@context": "https://w3id.org/did/v1",
  "id": "did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a",
  "publicKey": [{
    "id": "did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a#owner",
    "type": "Secp256k1VerificationKey2018",
    "owner": "did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a",
    "ethereumAddress": "0xb9c5714089478a327f09197987f16f9e5d936e8a"
  }],
  "authentication": [{
    "type": "Secp256k1SignatureAuthentication2018",
    "publicKey": "did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a#owner"
  }],
  "service": [{
    "type": "HubService",
    "serviceEndpoint": "https://hubs.uport.me"
  }]
}
DID Method Spec Defines
• Syntax
• CRUD (Create, Read, Update, Delete) operations
• Applies to DIDs and DID documents
• Specifies distributed ledger (or blockchain)
• Any method-specific elements
Example: BTCR DID
did:btcr:xkyt-fzgq-qq87-xnhn
Example: Creating a BTCR DID
Example: Updating a BTCR DID
Why BTCR is Interesting
• Simple
• Relies on the Bitcoin blockchain (a fit-for-purpose blockchain is not needed)
• Simple implementation, minimal feature set => easy to reason about
• Useful baseline from which to understand more advanced DID capabilities
Example DID Methods
Active DID Method Specs
Method | DID Prefix
Bitcoin | did:btcr
Blockstack | did:stack
Ethereum uPort | did:ethr
IPFS | did:ipld
Sovrin | did:sov
Veres One | did:v1
Why so many methods?
• Different use cases
• Different capabilities
• Different economic model
Results in different implementation choices
~25 different registered DID Methods on different ledgers, so far
• Ethereum, Bitcoin
• IPFS
• Fit-for-purpose: Sovrin, Veres One
• Thought experiments
Universal Resolver
Resolution Process, example
DID (did:btcr:xkyt-fzgq-qq87-xnhn) → Universal Resolver → DID Method Spec → DID Document
DID Auth Anthropomorphized
• “Here is my decentralized identifier”
• “Prove you own it!” (resolves the DID Document)
• “Here’s my proof!” (creates proof)
• “Come on in!”
Verifiable Credentials Anthropomorphized (the verifier = car rental agency)
• “Here is my decentralized identifier”
• “Prove you own it!” (resolves the DID Document)
• “Here’s my proof!” (creates proof)
• “LGTM”
• “I want to rent a car”
• “Prove you’re allowed to drive”
• “Here you go!” (finds VC from DL issuer)
• (checks)
Verifiable Credentials
Verifiable Credentials and DIDs
{
  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
  "issuer": "did:example:2ec211f712ebc6e1ebfeb6f1c27",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science in Mechanical Engineering"
    }
  },
  "proof": {
    "type": "RsaSignature2018",
    "created": "2017-06-18T21:19:10Z",
    "creator": "did:example:2ec211f712ebc6e1ebfeb6f1c27#keys-1",
    "nonce": "c0ae1c8e-c7e7-469f-b252-86e6a0e7387e",
    "signatureValue": "BavEll0/I1zpYw8XNi1bgVg/sCneO4Jugez8RwDg/+MCRVpjOboDoe4SxxKjkCOvKiCHGDvc4krqi6Z1n0UfqzxGfmatCuFibcC1wpsPRdW+gGsutPTLzvueMWmFhwYmfIFpbBu95t501+rSLHIEuujM/+PXr9Cky6Ed+W3JT24="
  }
}
(Recipient DID: credentialSubject.id; Issuer DID: issuer)
Verifiable Credentials and DIDs
• Can cryptographically prove ownership of credentials
• Layered approach
• Key lifecycle is a first-class concern
• Robust privacy/security spectrum
Digitally Native Credentials: British Columbia VON Project
• From paper-based credentials
• To digital credential
• Digital Credentials using SSI
Other Incubations
• Universal DID Resolver (DIF)
• Identity Hubs (DIF)
• Authorization Capabilities (Veres One)
• Social Key Recovery (#RebootingWebOfTrust)
• Petnames (#RebootingWebOfTrust)
• Anonymous & Web Of Trust Reputation (BTCR Team)
THE CURRENT STATE
Let’s recap
• Wallet (Private Key)
• Agent/Hub (Endpoints)
• Distributed Ledger (DID + DID Doc)
• DID + DID Document + Endpoints (Public Key)
• Verified Credential Issuers & Verifiers
Spec Status
Decentralized Identifiers
• W3C TPAC (Oct 2018): DID WG Charter Vote → W3C DID WG
• W3C Strong Auth and Identity Workshop (Dec 10th-11th, 2018 - Redmond, WA)
Verifiable Credentials
• WG Launch (May 2017)
• FPWD, WDs (Aug 2017-today)
• Implementations (Nov 2017-today)
• Complete Test Suite (October 2018)
• CR (Mar 2019)
• PR
DID Progress: CCG
• DID Draft Spec and WG charter submitted
• Simplifying and fine-tuning spec language
• Refining use cases
• Progressing on DID Explainer
DID Progress: Implementations and Pilots
• IBM: substantial commitment to
Sovrin network enabling DIDs
• CULedger: credit unions issuing
millions of VCs this year
• BC Gov and Ontario: ~10 million
credentials based on DIDs issued
so far
Many Proof of Concepts
Proof of Concept | Use Case | Who’s Involved
VON | Business Credentials | British Columbia Government
CU Ledger | Credit Union Banking Security | Sovrin + Credit Union National Association
Building Blocks (Syrian Refugee Aid) | Food Aid | World Food Programme
Dutch Digital ID | Digital ID | TU Delft + Dutch Gov + Others
Walmart Supply Chain | Food Supply Tracking | Walmart + Hyperledger Fabric
TradeLens Shipping | Shipping + Tracking | IBM + Maersk
+ government funded POCs, various countries under NDA.
Government investments
Government Support
• Improve Supply Chain Management
• Combat Counterfeit Goods
Source: DHS Science and Technology Directorate's
Testimony before the US House of Representatives,
May 8, 2018
Community Support: DIF Members
Community Support: RWOT
Why SSI?
• The public demands better security
• Data regulations are going to increase
• Cyber attacks aren’t decreasing
• We need digitally native credentials
• Opportunity to build new infrastructure
• US Government has funded $2+M
• It’s already happening
Final Thoughts
Identity isn’t a product – it’s how you do it.
– Allan Foster, Forgerock
We are now a digital society – we need a digital identity.
– Johan Pouwelse, Associate Professor at Delft University of Technology
The most impactful social and economic applications will be in the
digital identity ecosystem.
– David Fields, Venture Capitalist, PTB Ventures
Join Us
W3C Credentials Community Group
https://w3c-ccg.github.io/
DIF
http://identity.foundation/
Rebooting the Web of Trust
https://www.weboftrust.info/
Internet Identity Workshop
https://www.internetidentityworkshop.com
Guide to Self Sovereign Identity
https://ssiscoop.com/
Thank you & Questions
Kim Hamilton Duffy
• www.blockcerts.org
• www.okimsrazor.com
• kimdhamilton@gmail.com
• @kimdhamilton
Heather Vescent
• www.ssiscoop.com
• www.heathervescent.com
• www.thepurpletornado.com
• heathervescent@gmail.com
• @heathervescent

Introduction to Self Sovereign Identity

  • 1.
    SSI: The NewParadigm INTERNET IDENTITY WORKSHOP | May 2019 Kim Hamilton Duffy & Heather Vescent
  • 2.
    Who are we? KimHamilton Duffy • Co-Chair, W3C Credentials Community Group • Principal Architect, Blockcerts • Lead Developer, BTCR Method • Steering Committee, RWOT & DIF • @kimdhamilton Heather Vescent • CEO, The Purple Tornado Strategic Intelligence Consultancy • Author, SSI Report • Author, Cyber Attack Survival Manual • Researcher, Future of… • Filmmaker, 14 Films • @heathervescent
  • 3.
    How we gotinto SSI Kim Hamilton Duffy • Blockcerts – jointly developed by Learning Machine and MIT Media Lab – Open source, open standard ecosystem – Recipient-owned, long-lived, blockchain-anchored credentials • Open Badges and Verifiable Credential Alignment • DID Method Specification implementation Heather Vescent • Account Linking & SNS@AOL in 00s • Digital Asset Grid – SWIFT – Scenario Films • IIW for over a decade – IIW Films • CCG W3C Group • SSI Report
  • 4.
    • Identity Models •Glance at DIDs • Emerging standards of the SSI stack • Example DID Method: BTCR • Recap + Ecosystem • Use Cases • Q&A Agenda
  • 5.
    Identity remains anunsolved problem Digital identity has been one of the biggest problems of the Internet, and while there have been many solutions developed over the decades, it remains an unsolved problem. The Internet was not built with an identity layer. Kim Cameron, Identity Architect, Microsoft & Author, 7 Laws of Identity “ ”
  • 6.
  • 7.
  • 8.
  • 9.
    Solutions create newproblems • Centralized data is an attack surface • Username/password is insecure • Who owns the data? • Hard to delegate and share data • No user control over how data is secured (or notified if there is a breach)
  • 10.
    An idea aheadof its time: Digital Asset Grid Slices of Life, short film • SWIFT, 2012 https://vimeo.com/52354667
  • 11.
  • 12.
    Introducing Self SovereignIdentity A decentralized identity layer that gives individuals and companies the ability to assert their own identity, ask for and receive credentials from companies, governments and educational institutions, and securely and privately share data. “ ”- A Comprehensive Guide to Self Sovereign Identity
  • 13.
  • 14.
    Self Sovereign Identity Alayer of standards and protocols used to implement a common technology language. • Assert an identity (DID) • Ask for & receive credentials (VC) • Securely share data (PKI)
  • 16.
    Converging Technologies Distributed Ledgers Decentralized Identifiers(DIDs) Personal Cloud Computing DPKI Infrastructure Smart Phones
  • 17.
    DECENTRALIZED IDENTIFIERS (DIDS) FundamentalBuilding Blocks of the SSI Stack
  • 18.
    What is aDecentralized Identifier? • New type of identifier for verifiable, "self-sovereign" digital identity • Fully under the control of the DID subject, enabling independence from any specific: – centralized registry – identity provider – certificate authority • URL enabling trustable interactions with DID subject
  • 19.
    DIDs and DIDDocuments • DIDs resolve to DID Documents • DID Documents contain verification methods and service endpoints for interacting with the DID subject • A verification method is a way of verifying a particular type of DID interaction, such as: – performing authentication – Secure service endpoint
  • 20.
    DID Document{ "@context": "https://w3id.org/did/v1", "id":"did:example:123456789abcdefghi", "publicKey": [{ "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaSigningKey2018", "owner": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----rn" }], "authentication": [{ "type": "RsaSignatureAuthentication2018", "publicKey": "did:example:123456789abcdefghi#keys-1" }], "service": [{ "type": "ExampleService", "serviceEndpoint": "https://example.com/endpoint/8377464" }], "created": "2002-10-10T17:00:00Z", "updated": "2016-10-17T02:41:00Z", ”proof": { "type": "RsaSignature2018", "created": "2016-02-08T16:02:20Z", "creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1", ”proofValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0 yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/ gi25s=” } }
  • 21.
    DID Document –DID{ "@context": "https://w3id.org/did/v1", "id": "did:example:123456789abcdefghi", "publicKey": [{ "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaSigningKey2018", "owner": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----rn" }], "authentication": [{ "type": "RsaSignatureAuthentication2018", "publicKey": "did:example:123456789abcdefghi#keys-1" }], "service": [{ "type": "ExampleService", "serviceEndpoint": "https://example.com/endpoint/8377464" }], "created": "2002-10-10T17:00:00Z", "updated": "2016-10-17T02:41:00Z", ”proof": { "type": "RsaSignature2018", "created": "2016-02-08T16:02:20Z", "creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1", ”proofValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0 yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/ gi25s=” } }
  • 22.
    DID Document –public key{ "@context": "https://w3id.org/did/v1", "id": "did:example:123456789abcdefghi", "publicKey": [{ "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaSigningKey2018", "owner": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----rn" }], "authentication": [{ "type": "RsaSignatureAuthentication2018", "publicKey": "did:example:123456789abcdefghi#keys-1" }], "service": [{ "type": "ExampleService", "serviceEndpoint": "https://example.com/endpoint/8377464" }], "created": "2002-10-10T17:00:00Z", "updated": "2016-10-17T02:41:00Z", ”proof": { "type": "RsaSignature2018", "created": "2016-02-08T16:02:20Z", "creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1", ”proofValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0 yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/ gi25s=” } }
  • 23.
    DID Document –service endpoint{ "@context": "https://w3id.org/did/v1", "id": "did:example:123456789abcdefghi", "publicKey": [{ "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaSigningKey2018", "owner": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----rn" }], "authentication": [{ "type": "RsaSignatureAuthentication2018", "publicKey": "did:example:123456789abcdefghi#keys-1" }], "service": [{ "type": "ExampleService", "serviceEndpoint": "https://example.com/endpoint/8377464" }], "created": "2002-10-10T17:00:00Z", "updated": "2016-10-17T02:41:00Z", ”proof": { "type": "RsaSignature2018", "created": "2016-02-08T16:02:20Z", "creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1", ”proofValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0 yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/ gi25s=” } }
  • 24.
    DID Document –date{ "@context": "https://w3id.org/did/v1", "id": "did:example:123456789abcdefghi", "publicKey": [{ "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaSigningKey2018", "owner": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----rn" }], "authentication": [{ "type": "RsaSignatureAuthentication2018", "publicKey": "did:example:123456789abcdefghi#keys-1" }], "service": [{ "type": "ExampleService", "serviceEndpoint": "https://example.com/endpoint/8377464" }], "created": "2002-10-10T17:00:00Z", "updated": "2016-10-17T02:41:00Z", ”proof": { "type": "RsaSignature2018", "created": "2016-02-08T16:02:20Z", "creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1", ”proofValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0 yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/ gi25s=” } }
  • 25.
    DID Document –proof{ "@context": "https://w3id.org/did/v1", "id": "did:example:123456789abcdefghi", "publicKey": [{ "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaSigningKey2018", "owner": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----rn" }], "authentication": [{ "type": "RsaSignatureAuthentication2018", "publicKey": "did:example:123456789abcdefghi#keys-1" }], "service": [{ "type": "ExampleService", "serviceEndpoint": "https://example.com/endpoint/8377464" }], "created": "2002-10-10T17:00:00Z", "updated": "2016-10-17T02:41:00Z", ”proof": { "type": "RsaSignature2018", "created": "2016-02-08T16:02:20Z", "creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1", ”proofValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0 yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/ gi25s=” } }
  • 26.
    A wallet puttinga DID & DID Doc on a Ledger
  • 27.
    No PII onthe Blockchain Where is the PII?
  • 28.
  • 29.
  • 30.
    Ideas (2-10 years) Incubation (6-18 months) Refinement (1-3years) Standardization (~18-24 months) Conversations Papers Experiments, Specifications, & Pilots Standards W3C Community Groups Rebooting the Web of Trust
  • 31.
    DID Specification DID MethodSpecs Universal Resolver DID Auth Verifiable Credentials Common data model, format, and operations Rules for how a DID is registered, resolved, updated, and revoked on a specific ledger or network How to look up a DID Document from a DID How to authenticate with a DID Credentials associated with a subject, issuer Decentralized Identifiers DID Specification DID Method Specs Universal Resolver DID Auth Verifiable Credentials At various phases in the incubation pipeline Highlighted SSI Standards and Specs (Incubating)
  • 32.
    did:btcr:8kyt-fzzq-qqqq-ase0-d8 DID Specification DID Document DID DIDSpecification Universal Resolver DID Auth Verifiable Credentials DID Method Specs
  • 33.
    { "@context": "https://w3id.org/veres-one/v1", "id": "did:v1:nym:DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD", "publicKey":[{ "id": "did:v1:test:nym:DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD#authn-key-1", "type": "Ed25519VerificationKey2018", "publicKeyBase58": "DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD" }], "authentication": [{ "type": "Ed25519SignatureAuthentication2018", "publicKey": “did:v1:test:nym:DwkYwcoyUXHNkpj3whn4DgXB4fcg9gj95vKxYN2apkZD#authn-key-1” }], "service": [{ "type": "ExampleMessagingService2018", "serviceEndpoint": ”https://example.com/services/messages” }], … more DID-specific information here … } 2. Authentication Mechanisms 3. Service Discovery 1. Public Key Material DIDs Resolve to DID Documents DID Specification Universal Resolver DID Auth Verifiable Credentials DID Method Specs
  • 34.
    { "@context":"https://w3id.org/veres-one/v1”, "id":"did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv", "publicKey":[{ "id":"did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#authn-key-1", "type":"Ed25519VerificationKey2018", "owner":"did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv", "publicKeyBase58":"5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv" }, { "id":"did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#ocap-grant-key-1", ... }, { "id":"did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#ocap-invoke-key-1", }], "authentication":[{ "type":"Ed25519SignatureAuthentication2018", "publicKey":"did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#authn-key-1” }], "grantCapability":[{ "type":"Ed25519SignatureCapabilityAuthorization2018", "publicKey": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#ocap-grant-key-1” }], "invokeCapability":[{ "type":"Ed25519SignatureCapabilityAuthorization2018", "publicKey": "did:v1:test:nym:5YSwjvBZqDbYQkoRG7jD7bCKifVdHBtxHMrATZyTX8xv#ocap-invoke-key-1” }] DID Specification Universal Resolver DID Auth Verifiable Credentials DID Method SpecsDID Method Specs DID Method Spec { "@context": "https://w3id.org/did/v1", "id": "did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a", "publicKey": [{ "id": "did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a#owner", "type": "Secp256k1VerificationKey2018", "owner": "did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a", "ethereumAddress": "0xb9c5714089478a327f09197987f16f9e5d936e8a" }], "authentication" : [{ type: "Secp256k1SignatureAuthentication2018", publicKey: "did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a#owner" }], "service" : [{ type: "HubService", serviceEndpoint: "https://hubs.uport.me" }] } Veres One ETHR
  • 35.
    • Syntax • CRUD(Create, Read, Update, Delete) operations • Applies to DIDs and DID documents • Specifies distributed ledger (or blockchain) • Any method-specific elements Universal Resolver DID Auth Verifiable Credentials DID Method SpecsDID Method Specs DID Method Spec Defines DID Specification
  • 36.
  • 37.
  • 38.
  • 39.
    Why BTCR isInteresting •Simple •Relies on Bitcoin blockchain (fit-for-purpose blockchain not needed) •Simple implementation, minimal feature set => easy to reason about •Useful baseline from which to understand with more advanced DID capabilities
  • 40.
    Example DID Methods ActiveDID Method Specs Method DID Prefix Bitcoin did:btcr Blockstack did:stack Ethereum uPort did:ethr IPFS did:ipld Sovrin did:soc Veres One did:v1
  • 41.
    • Different usecases • Different capabilities • Different economic model Results in different implementation choices ~25 Different registered DID Methods on a different ledgers, so far • Ethereum, Bitcoin, • IPFS • Fit-for-purpose: Sovrin, Veres One • Thought experiments Why so many methods?
  • 42.
    Universal Resolver Universal Resolver DIDAuth Verifiable Credentials DID Specification DID Method Specs
  • 43.
    did:btcr:xkyt-fzgq-qq87-xnhn Universal Resolver DID MethodSpec DID Document DID DID Specification DID Method Specs Universal Resolver DID Auth Verifiable Credentials Resolution Process, example
  • 44.
    Here is mydecentralized identifier Prove you own it! Here’s my proof! Come on in! Resolves the DID Document Creates proof DID Specification DID Method Specs DID Auth Verifiable CredentialsDID Auth Anthropomorphized Verifiable Credentials Universal Resolver
Verifiable Credentials, anthropomorphized (verifier = car rental agency)
User: Here is my decentralized identifier.
Car rental agency: Prove you own it! (resolves the DID Document)
User: Here's my proof! (creates proof)
Car rental agency: LGTM.
User: I want to rent a car.
Car rental agency: Prove you're allowed to drive.
User: Here you go! (finds VC from the DL issuer)
Car rental agency: (checks the Verifiable Credential)
Verifiable Credentials and DIDs
{
  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
  "issuer": "did:example:2ec211f712ebc6e1ebfeb6f1c27",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science in Mechanical Engineering"
    }
  },
  "proof": {
    "type": "RsaSignature2018",
    "created": "2017-06-18T21:19:10Z",
    "creator": "did:example:2ec211f712ebc6e1ebfeb6f1c27#keys-1",
    "nonce": "c0ae1c8e-c7e7-469f-b252-86e6a0e7387e",
    "signatureValue": "BavEll0/I1zpYw8XNi1bgVg/sCneO4Jugez8RwDg/+MCRVpjOboDoe4SxxKjkCOvKiCHGDvc4krqi6Z1n0UfqzxGfmatCuFibcC1wpsPRdW+gGsutPTLzvueMWmFhwYmfIFpbBu95t501+rSLHIEuujM/+PXr9Cky6Ed+W3JT24="
  }
}
"issuer" is the Issuer DID; "credentialSubject.id" is the Recipient DID.
Verifiable Credentials and DIDs
• Can cryptographically prove ownership of credentials
• Layered approach
• Key lifecycle is a first-class concern
• Robust privacy/security spectrum
From paper-based credentials (British Columbia VON Project)
To digital credentials (British Columbia VON Project)
Digital Credentials using SSI (British Columbia VON Project)
Other Incubations
• Universal DID Resolver (DIF)
• Identity Hubs (DIF)
• Authorization Capabilities (Veres One)
• Social Key Recovery (#RebootingWebOfTrust)
• Petnames (#RebootingWebOfTrust)
• Anonymous & Web Of Trust Reputation (BTCR Team)
Let's recap
• Wallet (Private Key)
• Agent/Hub (Endpoints)
• Distributed Ledger (DID + DID Doc)
• DID + DID Document + Endpoints (Public Key)
• Verified Credential Issuers & Verifiers
Spec Status
Verifiable Credentials:
• WG Launch (May 2017)
• FPWD, WDs (Aug 2017-today)
• Implementations (Nov 2017-today)
• Complete Test Suite (October 2018)
• CR, PR (Mar 2019)
Decentralized Identifiers:
• W3C TPAC (Oct 2018)
• W3C Strong Auth and Identity Workshop (Dec 10th-11th, 2018 - Redmond, WA)
• DID WG Charter Vote
• W3C DID WG
DID Progress: CCG
• DID Draft Spec and WG charter submitted
• Simplifying and fine-tuning spec language
• Refining use cases
• Progressing on DID Explainer
DID Progress: Implementations and Pilots
• IBM: substantial commitment to Sovrin network enabling DIDs
• CULedger: credit unions issuing millions of VCs this year
• BC Gov and Ontario: ~10 million credentials based on DIDs issued so far
Many Proofs of Concept

Proof of Concept        Use Case                        Who's Involved
VON                     Business Credentials            British Columbia Government
CU Ledger               Credit Union Banking Security   Sovrin + Credit Union National Association
Building Blocks         Food Aid                        World Food Programme (Syrian Refugee Aid)
Dutch Digital ID        Digital ID                      TU Delft + Dutch Gov + Others
Walmart Supply Chain    Food Supply Tracking            Walmart + Hyperledger Fabric
TradeLens Shipping      Shipping + Tracking             IBM + Maersk

Plus government-funded POCs in various countries, under NDA.
Government Support
• Improve Supply Chain Management
• Combat Counterfeit Goods
Source: DHS Science and Technology Directorate's Testimony before the US House of Representatives, May 8, 2018
Why SSI?
• The public demands better security
• Data regulations are going to increase
• Cyber attacks aren't decreasing
• We need digitally native credentials
• Opportunity to build new infrastructure
• US Government has funded $2+M
• It's already happening
Final Thoughts
"Identity isn't a product - it's how you do it." - Allan Foster, Forgerock
"We are now a digital society - we need a digital identity." - Johan Pouwelse, Associate Professor at Delft University of Technology
"The most impactful social and economic applications will be in the digital identity ecosystem." - David Fields, Venture Capitalist, PTB Ventures
Join Us
• W3C Credentials Community Group: https://w3c-ccg.github.io/
• DIF: http://identity.foundation/
• Rebooting the Web of Trust: https://www.weboftrust.info/
• Internet Identity Workshop: https://www.internetidentityworkshop.com
• Guide to Self Sovereign Identity: https://ssiscoop.com/
Thank you & Questions
Kim Hamilton Duffy
• www.blockcerts.org
• www.okimsrazor.com
• kimdhamilton@gmail.com
• @kimdhamilton
Heather Vescent
• www.ssiscoop.com
• www.heathervescent.com
• www.thepurpletornado.com
• heathervescent@gmail.com
• @heathervescent