# Introduction

# Identity Remains an Unsolved Problem

"The Internet was not built with an identity layer."

Digital identity has been one of the biggest problems of the internet, and while there have been many solutions developed over the decades, it remains an unsolved problem.

# Human Identity

There are 7.5 billion humans on Earth currently. At a bare minimum, an identity system must be capable of supporting identities for all of them. Each person may have multiple identifiers, each requiring their own PKI lineage.

# Identity of All Things

Human identity is just the tip of the iceberg - there is an entire world containing hundreds of billions of devices, machines, apps, and other entities, both tangible and virtual.

# Introducing Self Sovereign Identity

A decentralized identity layer that gives individuals and companies the ability to assert their own identity, ask for and receive credentials from companies, governments, and educational institutions, and securely and privately share data.

It is a layer of standards and protocols used to implement a common technology language.

• Assert an identity (Decentralized Identifier (DID))
• Ask for and receive credentials (Verifiable Credentials (VC))
• Securely share data (Decentralized Public Key Infrastructure (DPKI))

# Decentralized Identifiers

Decentralized Identifiers (DIDs) and the accompanying DID Documents enable individuals to share abstract identifiers (DIDs) with an associated public key and a resolution end-point.

# Verifiable Credentials

Verifiable Credentials can represent all of the same information that a physical credential represents. The addition of technologies, such as digital signatures, makes verifiable credentials more tamper-evident and more trustworthy than their physical counterparts. Holders of verifiable credentials can generate presentations and then share these presentations with verifiers to prove they possess verifiable credentials with certain characteristics. Both verifiable credentials and verifiable presentations can be transmitted rapidly, making them more convenient than their physical counterparts when trying to establish trust at a distance.

# Decentralized Public Key Infrastructure

# Problems with Centralized PKI

The centralized PKIs such as the CA-based system has its problems and limitations generally because it relies on a central trusted party. In a centralized PKI system, you don’t get to choose your own online identity; instead, your identity is defined by trusted third parties the CAs, sometimes private companies and sometimes governments.

The PKI design poses high-security risks because a single point of failure can be used to open any encrypted online communication. Centralized PKI systems are struggling to keep up with the evolving digital landscape; the modern world is desperate for a better designed, decentralized approach to PKIs.

# What is DPKI

Decentralized Public Key Infrastructure, or DPKI, is an alternative approach to designing better PKI systems. In decentralized PKI, the blockchain acts as decentralized key-value storage. It is capable of securing the data read to prevent MITM attacks and to minimize the power of third parties. By bringing the power of blockchain technology to the systems, DPKI resolves the issues with traditional PKI systems.

The decentralized nature of the management framework can tackle the problems with the CA systems through certificate revocation, eliminating single points of failure, and reacting fast to misuses of CAs. Blockchain is able to make the process transparent, immutable, and prevent attackers from breaking in, thus effectively avoiding the MITM attacks.

# Requirements for DPKI

• Global, immutable, append-only log
• No central providers or authorities
• Censorship and tamper resistant

# IDIN Platform

IDIN Platform is as a Self Sovereign Identity Platform built on Decentralized Public Key Infrastructure or DPKI that consists of two main components.

• IDIN Blockchain - a decentralized ledger for decentralized identifier documents
• IDIN SDK - a software development kit for submit a transaction to IDIN blockchain and exchange a valid verifiable credentials

# IDIN Blockchain

IDIN blockchain is built with tendermint which perform Byzantine Fault Tolerant (BFT). Tendermint is a software for securely and consistently replicating a deterministic state machine to many nodes. Tendermint works even if up to 1/3 of nodes fail in arbitrary ways includes explicitly malicious behaviors. Which means it requires at least 3 nodes for reliable usage. ABCI is written in Golang.

Here is a list of what is stored in the tendermint's ledger

• Decentralized Identifier (DID) aka entity's unique id.
• DID Document consists of one or more entity's public keys.
• Hash of verifiable credentials

# IDIN SDK

Software development kit in many languages such as javascript, golang, python, swift and kotlin for ease of development. Used as a helper to submit a transaction to IDIN Blockchain without manually building any transaction and to issue a valid verifiable credentials schema linked to the decentralized identifier on IDIN Blockchain and exchange them.

# Credential Flow

The steps for using credential is outlined as follows:

1. User registers with a trusted organization in order to obtain verifiable credential (human trust).
   1. Organization issued the verifiable credential signed by the organization's private key. (cryptographic trust)
   2. Organization registers the verifiable credential on IDIN Blockchain.
   3. Organization gives the verifiable credential to the user.
2. User presents the credential to the relying party that accepts the trusted organization’s credential. (online or offline)
   1. User issued a verifiable presentation from the verifiable credential.
   2. User countersigned the verifiable presentation with his private key.
   3. User gives the verifiable presentation to relying party.
3. The relying party takes the verifiable presentation for authentications, in order to verify that the credential has been issued by the trusted organization and has not been tampered with.
   1. The relying party could check the issuer's digital signature with IDIN Blockchain for cryptographic trust.
   2. Then check the holder's digital signature with IDIN Blockchain for presentation cryptographic trust.
4. After successful authentication, the relying party is certain that the identity issued by the trusted organization is valid and authentic, and therefore trusts the user for business transactions.

# Supported public / private key types

Currently, we supported only ECDSA secp256r1(P-256) which can be seen on IOS secure enclave and Android hardware backed keystore. RSA support is coming soon.

Key	Format	Size (chars)
Public key	hex	130
Private key	hex	64
Signature	hex	128

You can use our tools to create the key pair.