Much has been written about self-sovereign identity (SSI) — the ability to gain control over one’s own identity — and how this is going to become a cornerstone of our interactions in the future. Work has been going on in this field for many years, but it is the emergence of distributed ledger and blockchain technologies that has re-energized the field and brought it into focus. This is timely, as it coincides with a general mood against centralized services taking ownership of our identities and compromising our privacy.
As a newcomer, it can be tricky to get oriented in such a rich area, particularly when there aren’t really any services to sign up to or things to download and readily tinker with. I’ve been looking into this area for around a month now, and wanted to share what I’ve learned in the hope that it will help others to find their feet. I’m sure there are some inaccuracies or errors here; please be kind enough to let me know and I’ll correct them!
At the basic level, there are two components to consider — Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) — and these go hand-in-hand. There are very good documents from the W3C community which go into a lot of detail about DIDs and VCs, and are essential reading when digging deeper into this area.
If we consider using these from a personal context, then typically a DID would be created for each service I want to interact with (actually, it’s a DID pair — as I have one, and the service has one), and then a VC would be issued which included my DID. The DID’s role is to prove that I have control of the identity, and the VC’s role is to make some claim about the skills, attributes or other credentials of the identity. For example, I might take an online course, and be given a certificate to show that I have passed the tests. The course provider (the issuer) and I (the subject) would generate a DID to use for this relationship (and it’s good practice to use a fresh DID for any activity like this that I take part in, so that data miners can’t build a profile of me — as they can easily do when I use the same email address for all my online activities as I do now) and then they would issue me with a Verifiable Claim of my new skills. This would be stored in a digital wallet, likely on my phone. If someone (the verifier) wanted me to prove that I had been trained, I would be able to unlock my wallet, and show them the credentials. The VC protocols provide mechanisms to verify the credentials, which takes two forms — first to prove that the claims relate to me (or really, to the DID that I control) and second to prove that the claims haven’t been tampered with, revoked, or expired. There’s a subtlety in that they don’t say anything about the validity of the credential — so it would remain on the issuer’s shoulders to check the reputation of the online course provider, for example.
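The verifier's checks described above, as an added example (not code from the original post or from any SSI project). It assumes Ed25519 keys from Node's built-in `crypto` module, an in-memory map standing in for DID resolution, and hypothetical function and field names; the `did:example:` identifiers and credential contents are constructed.

```javascript
// Added illustration (not from the original post): DIDs, field names and the
// in-memory "registry" are constructed; real systems resolve DIDs and
// canonicalise the credential before signing.
const crypto = require('crypto');

const registry = new Map(); // constructed stand-in for DID resolution: DID -> public key
function newDid(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  registry.set(`did:example:${name}`, publicKey);
  return { did: `did:example:${name}`, privateKey };
}
const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (key, obj) => crypto.sign(null, bytes(obj), key).toString('base64');
const verify = (did, obj, sig) => registry.has(did) &&
  crypto.verify(null, bytes(obj), registry.get(did), Buffer.from(sig, 'base64'));

// Issuer signs the claims together with the subject's DID and an expiry date.
function issue(issuer, subjectDid, claims, expires) {
  const body = { id: crypto.randomUUID(), issuer: issuer.did, subject: subjectDid, claims, expires };
  return { body, proof: sign(issuer.privateKey, body) };
}

// Holder signs the verifier's fresh challenge with the key behind the subject DID.
function present(holder, credential, challenge) {
  const holderProof = sign(holder.privateKey, { challenge, id: credential.body.id });
  return { credential, holderProof };
}

// Verifier: returns 'ok' or the name of the first check that failed.
function check(presentation, challenge, revoked, now = new Date()) {
  const { body, proof } = presentation.credential;
  if (!verify(body.issuer, body, proof)) return 'tampered';
  if (!verify(body.subject, { challenge, id: body.id }, presentation.holderProof)) return 'not-holder';
  if (revoked.has(body.id)) return 'revoked';
  if (new Date(body.expires) <= now) return 'expired';
  return 'ok';
}

function demo() {
  const provider = newDid('course-provider'), learner = newDid('learner');
  const vc = issue(provider, learner.did, { course: 'Intro to SSI', passed: true }, '2999-01-01T00:00:00Z');
  const edited = JSON.parse(JSON.stringify(vc));
  edited.body.claims.course = 'Advanced SSI'; // altered after issuance
  return [check(present(learner, vc, 'nonce-1'), 'nonce-1', new Set()),
          check(present(learner, edited, 'nonce-1'), 'nonce-1', new Set()),
          check(present(learner, vc, 'nonce-1'), 'nonce-1', new Set([vc.body.id]))];
}
console.log(demo());
```

`check()` accepts any issuer whose DID resolves; whether that DID belongs to a reputable course provider is a separate decision that none of these checks makes.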
In terms of the landscape of SSI, the personal space is currently dominated by the Sovrin Foundation, who contribute significantly to the Hyperledger Foundation — in particular the Indy and Aries projects — and Evernym, whose connect.me demo provides a good visualisation of the ecosystem. On the Ethereum side, there are some technical documents, ERC725 & ERC735, which are well discussed in KC Tam’s post, along with uPort.
But DIDs and VCs aren’t just for use with people; they can be applied to any entity which needs to prove that it is “who” and “what” it claims to be, which could include IoT devices or data. On the IoT side, Ockam provide excellent documentation on the use of DIDs and VCs to provide trustworthy data from devices. Other projects use DIDs to underpin their services, including the Ocean Protocol data marketplaces.
Further reading and resources to watch or review include: