Self-Sovereign Identity

26 February 2018

Self-Sovereign Identity

What is a Self-Sovereign Identity?

In short, self-sovereign identity is an identity that you generate, control and share on your own terms and is the solution to many of the digital age identity challenges experienced today. These challenges include:

  • Static Identity - Current systems, such as social security and ID numbers are static, easy to forge and do not contain the dynamic data required for identity purposes. This 50+-year-old system was not designed for the digital age and is constantly showing itself to be below par and out of sync with modern identity requirements.
  • Centralised Identity - Identity data is generated and stored in centralised locations, prone to hacks and leaks. This leaves us unnecessarily vulnerable.
  • Privacy Protection - Consent to use our identity data is only becoming regulated and enforced in patches around the world. Soon, your identity data will only be available, legally, if you’ve consented to the collection, storage, use and dissemination of it.
  • Cost - The cost in time and money to verify and authenticate identities across all spheres is rising and has become even more restrictive for those who are not connected to the digital world.
  • Speed - The time it takes to create and use identity systems is too slow and cumbersome. Similarly, for institutions needing to verify your identity, the process is prohibitively slow and increases inefficiencies in adding value to you, the customer.
  • Universally Accepted - There is a huge gap with the interoperability and transportability of the necessary identity data in current systems. If you’ve ever tried immigrating and opening up new lines of credit in your new country of origin, you’ll understand the depth of this problem.
  • Trustworthiness - Most identity systems aren’t trustworthy and easily forged using various methods, despite ostensible anti-forgery mechanisms being put in place.
  • Scaling Identity - Developing a trusted identity for a business or institution is expensive and is only used in that one instance and/or for that one institution - this makes it hard to scale trusted identities.
  • Proximity Problem - The longer the distance the more challenging it becomes to generate a trusted identity.

Self-sovereign identity dictates that you, the user/the individual, are the ruler of your identity and all of the data associated with it. You generate, control and manage this identity data on your own terms.

Your identity is made up of data that you generate and own. The self-sovereign principle also allows for trusted third party data sources can attest to the data as being correct, also know as a “verifiable claim”.  Eventually, when the system matures, you’ll gain authentication via multi-party attestation, or even “Oracle AI” type tech, without the need for traditional trusted 3rd parties.

Ultimately, the evolution from user-centric identities that are consent drive and interoperable to self-sovereign identities that are also transportable. To understand the concept in greater detail, Christopher Allen has summarized the 10 Principles that define what self-sovereign identity is:

1. Existence

Users must have an independent existence. Any self-sovereign identity is ultimately based on the ineffable "I" that's at the heart of identity. It can never exist wholly in digital form. This must be the kernel of self that is upheld and supported.

A self-sovereign identity simply makes public and accessible some limited aspects of the "I" that already exists.

2. Control

Users must control their identities. Subject to well-understood and secure algorithms that ensure the continued validity of an identity and its claims, the user is the ultimate authority on their identity.

They should always be able to refer to it, update it or even hide it. They must be able to choose celebrity or privacy as they prefer. This doesn't mean that a user controls all of the claims on their identity: other users may make claims about a user, but they should not be central to the identity itself.

3. Access

Users must have access to their own data. A user must always be able to easily retrieve all the claims and other data within his identity. There must be no hidden data and no gatekeepers.

This does not mean that a user can necessarily modify all the claims associated with his identity, but it does mean they should be aware of them. It also does not mean that users have equal access to others' data, only to their own.

4. Transparency

Systems and algorithms must be transparent. The systems used to administer and operate a network of identities must be open, both in how they function and in how they are managed and updated.

The algorithms should be free, open-source, well-known and as independent as possible of any particular architecture; anyone should be able to examine how they work.

5. Persistence

Identities must be long-lived. Preferably, identities should last forever, or at least for as long as the user wishes. Though private keys might need to be rotated and data might need to be changed, the identity remains. In the fast-moving world of the Internet, this goal may not be entirely reasonable, so at the least identities should last until they've been outdated by newer identity systems.

This must not contradict a "right to be forgotten"; a user should be able to dispose of an identity if he wishes and claims should be modified or removed as appropriate over time.

To do this requires a firm separation between an identity and its claims: they can't be tied forever.

6. Portability

Information and services about identity must be transportable.

Identities must not be held by a singular third-party entity, even if it's a trusted entity that is expected to work in the best interest of the user. The problem is that entities can disappear -- and on the Internet, most eventually do.

Regimes may change, users may move to different jurisdictions. Transportable identities ensure that the user remains in control of his identity no matter what, and can also improve an identity's persistence over time.

7. Interoperability

Identities should be as widely usable as possible. Identities are of little value if they only work in limited niches. The goal of a 21st-century digital identity system is to make identity information widely available, crossing international boundaries to create global identities, without losing user control.

Thanks to persistence and autonomy these widely available identities can then become continually available.

8. Consent

Users must agree to the use of their identity. Any identity system is built around sharing that identity and its claims, and an interoperable system increases the amount of sharing that occurs.

However, sharing of data must only occur with the consent of the user. Though other users such as an employer, a credit bureau, or a friend might present claims, the user must still offer consent for them to become valid. Note that this consent might not be interactive, but it must still be deliberate and well-understood.

9. Minimalization

Disclosure of claims must be minimized. When data is disclosed, that disclosure should involve the minimum amount of data necessary to accomplish the task at hand.

For example, if only a minimum age is called for, then the exact age should not be disclosed, and if only an age is requested, then the more precise date of birth should not be disclosed.

This principle can be supported with selective disclosure, range proofs, and other zero-knowledge techniques, but non-correlatability is still a very hard (perhaps impossible) task; the best we can do is to use minimalization to support privacy as best as possible.

10. Protection.

The rights of users must be protected. When there is a conflict between the needs of the identity network and the rights of individual users, then the network should err on the side of preserving the freedoms and rights of the individuals over the needs of the network.

To ensure this, identity authentication must occur through independent algorithms that are censorship-resistant and force-resilient and that are run in a decentralized manner.


Why is it Relevant?

As we evolve in this digital epoch, we need our systems to evolve with us. With the rise of nascent technologies such as AI, blockchain, cloud computing, big data and mobile, we’re now in a position to leverage these technologies to solve the anachronistic nature of identity as it stands.

Without a next step in identity, we will continue to suffer the pains and losses associated with the outdated mode currently in widespread use.


When will it Become Pervasive

Timing the transition to self-sovereign identity systems is the key to positioning yourself and your business for this new wave of identity management. There a few key factors that will influence timing that include:

  1. Regulation - Examples include POPI (in South Africa) and the GDPR (EU & UK) whereby the protection of your data is enforced by regulators. The more pervasive these regulations are and the more they’re effectively enforced, the more demand for self-sovereign identity systems will increase.
  2. Education - Raising awareness of identity data rights and the tools that exist to protect and manage this data is essential for increasing adoption rates. When we start to see schools providing education on this subject, it’ll be a good indicator that times are changing.
  3. Adoption & Cost - The cost to access and manage a self-sovereign identity and the areas where it can be applied (government, business, social etc) will dictate how rapid adoption is likely to be. What we can expect is a specific use case to prove it’s veracity and validity, upon which the case for self-sovereign identity will be built.

Transportability - This speaks to adoption, in that there needs to be a universal acceptance of this form of identity for it to be truly successful and effective.

The concept of self-sovereign identity has recently entered the zeitgeist and is sure to capture the imaginations of many. As with all new concepts, the incentives for building it out need to be strong enough for progress to be made. Based on the current MO, the incentives are certainly strong enough to propel this revolutionary new way of representing ourselves in the digital age forward into existence.

Back to Blogs