Introduction to SSI
"The Internet was not built with an identity layer."
Digital identity has been one of the biggest problems of the internet. While there have been many solutions developed over the decades, internet identity remains an unsolved problem.
There are currently 7.5 billion humans on Earth. At a bare minimum, we need an identity system that is capable of supporting identities for all individuals. A person could also have multiple identities, where each requires its own management.
Human identity is just the tip of the iceberg. There is an entire world of both tangible and virtual entities that need identities. This includes pets, building, organizations, devices, machines, softwares and much more.
So far, the internet has been dominantly relying on usernames and passwords for identifying and authenticating individuals. However, usernames and passwords are managed by centralized authorities, such as governments and corporates. This model presents a single point of failure that is often exploited by hackers and identity thieves. More importantly, usernames and passwords also cannot be shared with others, leaving individuals no option to freely and independently assert online identities.
​Self-sovereign identity (SSI) is a concept that individuals should be the one controlling their digital identities without intervening authorities. SSI decentralizes the identity layer in the digital world and empowers individuals to (i) assert, (ii) own and (iii) share their digital identities, as follows:
The ability to assert identity with a Decentralized Identifier (DID).
The ability to own identity in the form of a Verifiable Credential (VC).
The ability to securely and privately share identity in a decentralized manner with a Decentralized Public Key Infrastructure (DPKI).
A Decentralized Identifier (DID) is a new type of globally unique identifier (URI) that enables a verfiable and decentralized digital identity. A DID could identifies any entity—including a human, an organization, an animal and a device—without a centralized registration authority.
As formalized by W3C, a DID consists of three parts:
URL scheme identifier (
did).Identifier for the DID method.
DID method-specific identifier.
Here, we call our DID method idin and use a SHA-256 hash as an identifier, i.e. with 64 characters in hexadecimal. A example DID address in a IDIN platform is shown below:
A DID is also accompanied by a DID document that describes the DID. This includes its DID address, the list of its public keys and its registered VCs. An example DID document in the JSON-LD format is shown below:
{"@context": "https://www.w3.org/ns/did/v1","id": "did:idin:9cd19d4cbab9ca1d6f4c6a4b9117fb8904f250b47307cf4f484424f44e0c8370","authentication": [{"id": "did:idin:9cd19d4cbab9ca1d6f4c6a4b9117fb8904f250b47307cf4f484424f44e0c8370#keys-1","type": "Ed25519VerificationKey2018","controller": "did:idin:76a6t0465cd3bd268163eee1927bfb99efe03e3cbf279f6b1772aaae09e09fqw","publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"}],"service": [{"id":"did:idin:03e450465cd3bd268163dde7223bfb99efe03e3cbf279f6b1772050e09e09fbf#vcs","type": "VerifiableCredentialService","serviceEndpoint": "https://example.com/vc/"}]}
In the physical world, we receive, own and share our identities in the form of paper/plastic credentials such as national ID cards, driving licenses, birth certificates, university transcripts, etc. However, these physical credentials are often easy to fake and difficult to verify.
A Verifiable Credential (VC) is a digitized credential that can be easily and accurately verified. A VC can represent all of the same information that a physical credential holds. It is also defined to always answer the following questions:
Who is the credential issuer?
Who is the credential owner?
Is the credential valid?
Has the credential been tampered with?
In the IDIN platform, all VCs are digitally signed and verified by digital signatures, making VCs tamper-evident and more trustworthy than their physical counterparts.
An example VC for a digital transcript is shown below. It contains, for example, the credential ID, its issuer DID, issurance date, expiration date, etc. The field "credentialSubject" contains the credential's details such as the GPA, university and department.
{"@context": ["https://www.w3.org/2018/credentials/v1"],"type": ["Education Transcript"],"id": "c498bdd8a72811eabca70242c0a82004","credentialSubject": {"GPA": "3.64","university": "Example University","department: "Example Department"},"expirationDate": "2024-05-12T13:38:08+07:00","issuanceDate": "2020-05-13T13:38:08+07:00","issuer": "did:idin:9cd19d4cbab9ca1d6f4c6a4b9117fb8904f250b47307cf4f484424f44e0c8370","proof": {"created": "2020-05-13T13:38:08+07:00","proofPurpose": "assertionMethod","signature": "deb250d461d724d5bf69ef0a380df8a763c94460b4bf8ee36b631f8bab358a6bfd8deb44ae021cc687bf89952d8c56ed3e5eb10e73751e2d23286914dd94b16e","type": "Secp256r1Signature2018","verificationMethod": "did:idin:03e450465cd3bd268163dde7223bfb99efe03e3cbf279f6b1772050e09e09fbf"}}
A VC can be shared in the form of a verifiable presentation (VP). Holders of VCs can generate VPs and then share them with others. With the help of a blockchain, VCs and VPs can also be rapidly shared and verified over a distance, making them much more convenient than their physical counterparts.
Secure communications over the internet require effcient processes of encryptions and decryptions with cryptographic keys. In hypertext transfer protocol secure (HTTPS), for example, secure communications are achieved by using public and private key pairs. Private keys are used for decryption and are always kept secret. On the other hand, public keys are used for encryption and are kept in public domain. As a result, public keys are prone to impersonation by hackers, leaving internet communications vulnerable to, e.g., man-in-the-middle (MITM) attacks. Secure communications, hence, require an entity to manage and assure the validity of public keys. Such a system is called a public key infrastructure (PKI).
Traditionally, a PKI relies on a centralized third party, called certification authority (CA), to issues digital certificates that certify the ownership of public keys. In this model, digital identities are owned by trusted authorities, not the users.
There are in fact two types of centralized PKIs, namely public and private PKIs. A public PKI relies on a publically accessible root CA that is hosted by a trusted external organization. Although a public root CA helps offload the cost for purchasing and maintaining relevant hardware and software, issuing digital certificates at a large scale is often inflexible and expensive. On the other hand, a private PKI hosts an internal root CA that provides flexibility in terms of issuance and deployment. However, the cost for maintaining relevant hardware and software is often cost-prohibitive for small businesses.
A centralized PKI also poses a single point of failure that can be exploited. As a result, centralized PKIs are struggling to keep up with the ever evolving technological landscape. The modern society is in a desperate need for a revolutionary approach to PKIs.
A Decentralized Public Key Infrastructure (DPKI) is an alternative approach to designing better a PKI system by utilizing the blockchain technology. A blockchain provides a immutable storage for public keys and could distribute ledgers of public keys over a decentralized network. The blockchain technology also enables a decentralized management and assurance of public keys that eliminates the need for centralized authorities. Hence, a DPKI offers flexible and affordable solutions to digital identities for enterprises of all sizes. It also allows interoperability between different networks of blockchains, combining the advantages of both private and public PKIs.
An identity platform built upon a DPKI establishes a common trust point—called an Identity Trust Fabric (ITF)—in the digital world. This allows individuals to share their identity securely and privately in a decentralized manner.
