
This post is from my series of short essays on cybersecurity.

In this post, we explore a perspective distinct from the previous essays. While we have witnessed advances in the control and verification of identity, the journey toward placing identity control fully in the hands of its owners is still underway. Today's digital identity systems still follow decade-old principles: a centralized system or authority maintains the list of identities, with attributes that uniquely identify each individual together with the user's permissions. Verifiers reach out to this centralized authority to validate the identity (authentication) and what it is allowed to do (authorization).

Let's take a real-world example: you go to buy a bottle of wine. The cashier at the counter has to verify the minimum age requirement. You show your driver's license, and in doing so you unintentionally reveal your name, date of birth, address and more, when the requirement was simply to confirm that your age meets the minimum. In the digital world, identity owners and verifiers face the same challenge every day: they depend on a centralized authority both to perform the verification and to decide how much information is revealed. Enormous trust is placed on centralized authorities to make the right decisions, execute the authorization rules, and reveal only the relevant information. While authentication and authorization protocols have evolved over time, improving security through advanced cryptography and convenience through features like token exchange and OAuth, the core principle remains unchanged. Users still manage numerous distinct identities without any control over who has access to them. Authorization policies are fully controlled by centralized authorities, which grant and deny permissions. It is no surprise that these centralized identity authorities are frequent targets of attackers seeking to steal sensitive information.

The question at hand is how to establish an identity system that empowers users to determine who can perform their identity verification, and the extent of the information disclosed in the verification process. Blockchains introduce innovative methods for achieving consensus in distributed systems. Thanks to the surge in cryptocurrency, blockchain technology is consistently gaining popularity, enabling a next generation of applications. The concept of self-sovereign identity also leverages blockchain to construct a sovereign identity system, granting users full control over their identities. In this system, users manage verification without disclosing any additional information, while verifiers have access to a secure, verifiable mechanism to validate user claims. You can think of a blockchain as a live, append-only ledger of transactions, where transactions are validated by a distributed network of participants rather than by a central authority.

The diagram above illustrates the typical data flow of a self-sovereign identity (SSI) implementation. Users maintain a secure, encrypted digital wallet to store, manage, and control their digital identities. When a user seeks access to a service, the user utilizes the wallet credential to generate the proof requested by the verifier. The user's digital wallet can house credentials issued by multiple granting authorities. These credential-issuing authorities grant permissions by adding a signed permission to the blockchain (DL, distributed ledger) that is countersigned by the user. Policy enforcement points can simply verify the user's presented proof against the blockchain (distributed ledger). The beauty of this consensus system lies in the fact that authorities are responsible for granting the level of access to the user, the user retains control over whom they present proofs to and which proofs they present, and verifiers have a distributed system for verifying the proofs presented by users.
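The issue, present and verify steps just described, and the wine-shop problem from earlier (prove only that an age threshold is met), can be shown end to end in code. The following Go program is an added example written for this post; it is not code from any of the SSI products discussed below. The ledger is simulated by an in-memory `Ledger` struct that publishes issuer public keys under DID-like identifiers (`did:example:dmv` is a constructed placeholder) and a revocation list; the issuer commits to every attribute with a salted SHA-256 hash and signs only the list of commitments, so the holder can later reveal a single attribute (here a derived `age_over_21` claim) and the verifier can still check the issuer's signature. Real systems such as Hyperledger Indy use zero-knowledge predicate proofs instead of an issuer-derived boolean; the boolean claim is a simplification chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Ledger stands in for the distributed ledger: issuer public keys resolvable by
// a DID-like identifier, plus the set of revoked credential ids.
type Ledger struct {
	IssuerKeys map[string]ed25519.PublicKey
	Revoked    map[string]bool
}

// Credential lives in the holder's wallet. The issuer's signature covers only
// the sorted commitments, never the attribute values themselves.
type Credential struct {
	ID, IssuerDID string
	Attributes    map[string]string // full attribute set, never sent whole
	Salts         map[string]string // per-attribute salts used in commitments
	Commitments   []string          // sorted hex SHA-256 commitments (signed)
	Signature     []byte
}

// Presentation is what the holder hands to a verifier: only the disclosed
// attributes with their salts, plus what is needed to re-check the signature.
type Presentation struct {
	CredentialID, IssuerDID string
	Disclosed, Salts        map[string]string
	Commitments             []string
	Signature               []byte
}

// commit binds a salt, attribute name and value into one hash; without the
// salt an undisclosed value cannot be brute-forced from its commitment.
func commit(salt, name, value string) string {
	h := sha256.Sum256([]byte(salt + "|" + name + "|" + value))
	return hex.EncodeToString(h[:])
}

func signedMessage(id, issuer string, commitments []string) []byte {
	return []byte(id + "|" + issuer + "|" + strings.Join(commitments, ","))
}

// Issue is the issuing authority's step: salt and commit each attribute, then
// sign the commitment list with the issuer's Ed25519 key.
func Issue(priv ed25519.PrivateKey, issuerDID, id string, attrs map[string]string) (Credential, error) {
	salts := map[string]string{}
	var commitments []string
	for name, value := range attrs {
		s := make([]byte, 16)
		if _, err := rand.Read(s); err != nil {
			return Credential{}, err
		}
		salts[name] = hex.EncodeToString(s)
		commitments = append(commitments, commit(salts[name], name, value))
	}
	sort.Strings(commitments)
	sig := ed25519.Sign(priv, signedMessage(id, issuerDID, commitments))
	return Credential{ID: id, IssuerDID: issuerDID, Attributes: attrs, Salts: salts,
		Commitments: commitments, Signature: sig}, nil
}

// Present is the holder's step: reveal only the named attributes.
func Present(c Credential, disclose ...string) Presentation {
	p := Presentation{CredentialID: c.ID, IssuerDID: c.IssuerDID, Disclosed: map[string]string{},
		Salts: map[string]string{}, Commitments: c.Commitments, Signature: c.Signature}
	for _, name := range disclose {
		p.Disclosed[name] = c.Attributes[name]
		p.Salts[name] = c.Salts[name]
	}
	return p
}

// Verify is the policy enforcement point's step: resolve the issuer key from
// the ledger, check revocation, check the signature over the commitments, and
// check that every disclosed value opens one of the signed commitments.
func Verify(l Ledger, p Presentation) error {
	pub, ok := l.IssuerKeys[p.IssuerDID]
	if !ok {
		return errors.New("unknown issuer")
	}
	if l.Revoked[p.CredentialID] {
		return errors.New("credential revoked")
	}
	if !ed25519.Verify(pub, signedMessage(p.CredentialID, p.IssuerDID, p.Commitments), p.Signature) {
		return errors.New("bad issuer signature")
	}
	signed := map[string]bool{}
	for _, c := range p.Commitments {
		signed[c] = true
	}
	for name, value := range p.Disclosed {
		if !signed[commit(p.Salts[name], name, value)] {
			return fmt.Errorf("attribute %q does not match a signed commitment", name)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ledger := Ledger{IssuerKeys: map[string]ed25519.PublicKey{"did:example:dmv": pub}, Revoked: map[string]bool{}}
	// Constructed sample credential; the values are placeholders, not real data.
	cred, _ := Issue(priv, "did:example:dmv", "cred-42", map[string]string{
		"name": "Alice Example", "dob": "1990-01-01", "address": "1 Main St", "age_over_21": "true"})
	p := Present(cred, "age_over_21") // the wine shop learns only this one claim
	fmt.Println("disclosed:", p.Disclosed, "verify:", Verify(ledger, p))
	ledger.Revoked["cred-42"] = true // issuer later publishes a revocation
	fmt.Println("after revocation:", Verify(ledger, p))
}
```

Two properties of the flow are worth checking when reading the code: the verifier never contacts the issuer, only the ledger, and any change to a disclosed value or to the commitment list makes `Verify` fail, because the value no longer opens a commitment or the signature no longer matches.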

In 2017, the W3C established the Verifiable Claims Working Group (VCWG) to simplify credential exchange and verification by a third party. Development of machine-readable identity data models is critical to enable collaboration among owners, issuers, and verifiers, to automate claims provisioning, and to simplify credential deployment. Here are some of the ongoing efforts making progress in this direction. They are built on different variants of blockchain technology, with some variation in implementation.

uPort is an SSI solution developed by ConsenSys, a blockchain company. It allows individuals to create and control their digital identities on the Ethereum blockchain. Individuals can use their uPort identity to access financial services, such as opening a bank account, without having to provide traditional forms of identification. Over time it has evolved into two independent platforms. The first is Serto Suite, which aims to provide self-sovereign identity (SSI) and verifiable credentials managed by their owners without intermediaries. The second component of the uPort ecosystem is Veramo, an API framework that helps integrate it into applications. You can consider Veramo a supplement to Serto for identity verifiers.

Sovrin is an open source identity network built on a permissioned DLT. Sovrin identity networks can be thought of as a public service utility. Trusted institutions called Stewards operate the network by running validator nodes that read from and write to the Sovrin ledger. The Sovrin Network makes use of a different distributed ledger technology, Hyperledger Indy. It is a public-permissioned blockchain designed exclusively to support self-sovereign identity and verifiable claims.

ShoCard (acquired by Ping Identity in 2020) is a digital identity card on a mobile device that binds a user identifier, an existing trusted credential such as a passport or driver's license, and additional cryptographic hashes stored in Bitcoin transactions. You can think of this as a wallet of digital credentials that users carry on their mobile devices. After the acquisition by Ping Identity, it is now offered as a personal identity digital wallet solution: a user-friendly method of storing and accessing personal information on a smartphone. This leverages the Hedera public ledger to cryptographically secure credential records, and uses public ledgers to manage revocation and changes to credentials. This process allows an issuer to revoke the status of a claim if anything has changed.

While blockchain and distributed ledger technologies aim to remove centralized authorities and intermediaries, they actually leverage decentralization only to a certain degree; for example, centralized authorities are still needed as trusted attribute (or credential) providers. Bootstrapping the provisioning and recovering from the loss of a digital wallet are still evolving. The overall process is still going through evolution to determine the right balance between centralization and decentralization. Latency in verification is also a challenge in some cases. I feel it is too early to say how it will evolve and how much time it will take to reach widespread adoption. But as a technology and at the protocol level it is definitely showing a silver lining in bringing identity control into the hands of identity owners.

References (in addition to the products listed in this post):
- Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction – book introducing blockchain technologies.
- Verifiable Credentials Data Model v1.1 – Verifiable Credentials Working Group, W3C.
- Distributed Self-Sovereign-Based Access Control System – IEEE Security & Privacy Magazine (Nov/Dec 2022).
- A First Look at Identity Management Schemes on the Blockchain – IEEE Security & Privacy Magazine (Jul/Aug 2018).