Introduction to SSI
"The Internet was not built with an identity layer."
Digital identity has been one of the biggest problems of the internet. While there have been many solutions developed over the decades, internet identity remains an unsolved problem.
There are currently 7.5 billion humans on Earth. At a bare minimum, we need an identity system that is capable of supporting identities for all individuals. A person could also have multiple identities, where each requires its own management.
Human identity is just the tip of the iceberg. There is an entire world of both tangible and virtual entities that need identities. This includes pets, building, organizations, devices, machines, softwares and much more.
So far, the internet has been dominantly relying on usernames and passwords for identifying and authenticating individuals. However, usernames and passwords are managed by centralized authorities, such as governments and corporates. This model presents a single point of failure that is often exploited by hackers and identity thieves. More importantly, usernames and passwords also cannot be shared with others, leaving individuals no option to freely and independently assert online identities.
​Self-sovereign identity (SSI) is a concept that individuals should be the one controlling their digital identities without intervening authorities. SSI decentralizes the identity layer in the digital world and empowers individuals to (i) assert, (ii) own and (iii) share their digital identities, as follows:
The ability to assert identity with a Decentralized Identifier (DID).
The ability to own identity in the form of a Verifiable Credential (VC).
The ability to securely and privately share identity in a decentralized manner with a Decentralized Public Key Infrastructure (DPKI).
A Decentralized Identifier (DID) is a new type of globally unique identifier (URI) that enables a verfiable and decentralized digital identity. A DID could identifies any entity—including a human, an organization, an animal and a device—without a centralized registration authority.
As formalized by W3C, a DID consists of three parts: (i) URL scheme identifier (did), (ii) Identifier for the DID method, (iii) DID method-specific identifier. Here, we call our DID method idin and use a SHA-256 hash as an identifier, i.e. with 64 characters in hexadecimal. A example DID address in a IDIN platform is shown below:
did:idin:9cd19d4cbab9ca1d6f4c6a4b9117fb8904f250b47307cf4f484424f44e0c8370
A DID is also accompanied by a DID document that describes the DID. This includes its DID address, the list of its public keys and its registered VCs. An example DID document in the JSON-LD format is shown below:
{"@context": "https://www.w3.org/ns/did/v1","id": "did:idin:9cd19d4cbab9ca1d6f4c6a4b9117fb8904f250b47307cf4f484424f44e0c8370","authentication": [{"id": "did:idin:9cd19d4cbab9ca1d6f4c6a4b9117fb8904f250b47307cf4f484424f44e0c8370#keys-1","type": "Ed25519VerificationKey2018","controller": "did:idin:76a6t0465cd3bd268163eee1927bfb99efe03e3cbf279f6b1772aaae09e09fqw","publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"}],"service": [{"id":"did:idin:03e450465cd3bd268163dde7223bfb99efe03e3cbf279f6b1772050e09e09fbf#vcs","type": "VerifiableCredentialService","serviceEndpoint": "https://example.com/vc/"}]}
In the physical world, we receive, own and share our identities in the form of paper/plastic credentials such as national ID cards, driving licenses, birth certificates, university transcripts, etc. However, these physical credentials are often easy to fake and difficult to verify.
A Verifiable Credential (VC) is a digitized credential that can be easily and accurately verified. A VC can represent all of the same information that a physical credential holds. In the IDIN platform, all VCs are digitally signed and verified by digital signatures, making VCs tamper-evident and more trustworthy than their physical counterparts.
An example VC for a digital transcript is shown below. It contains, for example, the credential ID, its issuer DID, issurance date, expiration date, etc. The field "credentialSubject" contains the credential's details such as the GPA, university and department.
{"@context": ["https://www.w3.org/2018/credentials/v1"],"type": ["Education Transcript"],"id": "c498bdd8a72811eabca70242c0a82004","credentialSubject": {"GPA": "3.64","university": "Example University","department: "Example Department"},"expirationDate": "2024-05-12T13:38:08+07:00","issuanceDate": "2020-05-13T13:38:08+07:00","issuer": "did:idin:9cd19d4cbab9ca1d6f4c6a4b9117fb8904f250b47307cf4f484424f44e0c8370","proof": {"created": "2020-05-13T13:38:08+07:00","proofPurpose": "assertionMethod","signature": "deb250d461d724d5bf69ef0a380df8a763c94460b4bf8ee36b631f8bab358a6bfd8deb44ae021cc687bf89952d8c56ed3e5eb10e73751e2d23286914dd94b16e","type": "Secp256r1Signature2018","verificationMethod": "did:idin:03e450465cd3bd268163dde7223bfb99efe03e3cbf279f6b1772050e09e09fbf"}}
A VC can be shared in the form of a verifiable presentation (VP). Holders of VCs can generate VPs and then share them with others. VCs and VPs can be rapidly shared and verified over a distance, making them more convenient than their physical counterparts.
Secure communications over the internet require effcient processes of encryptions and decryptions with cryptographic keys. In hypertext transfer protocol secure (HTTPS), for example, secure communications are achieved by using public and private key pairs. Private keys are used for decryption and are always kept secret. On the other hand, public keys are used for encryption and are kept in public domain. As a result, public keys are prone to impersonation by hackers, leaving internet communications vulnerable to, e.g., man-in-the-middle (MITM) attacks. Secure communications, hence, require an entity to manage and assure the validity of public keys. Such a system is called a public key infrastructure (PKI).
Traditionally, PKI systems are centralized and rely on trusted thrid-party authorities—such as governments and big corporates—for managing public keys. In a centralized PKI system, digital identities are defined and owned by those trusted authorities, not the users. This design poses a high security risk and presents a single point of failure that can be exploited by hackers. As a result, centralized PKIs are struggling to keep up with the ever evolving technological landscape. The modern society is in a desperate need for a revolutionary approach to PKIs.
A Decentralized Public Key Infrastructure (DPKI) is an alternative approach to designing better a PKI system by utilizing the blockchain technology. A blockchain provides a immutable storage for public keys and could distribute ledgers of public keys over a decentralized network. As a result, the blockchain technology enables a decentralized management and assurance of public keys, eliminating the need for centralized authorities.
An identity platform built upon a DPKI establishes a common trust point—called an Identity Trust Fabric (ITF)—in the digital world. This allows individuals to share their identity securely and privately in a decentralized manner.
