The next Identity Management evolution: Self Sovereign Identity
“One general law, leading to the advancement of all organic beings, namely, multiply, vary, let the strongest live and the weakest die.”
This article introduces the decentralized-ledger approach to identity. It starts by explaining the evolution of Identity Management (IdM) systems and then details the main concepts and standards to be applied in a Self Sovereign Identity (SSI) solution, based on state-of-the-art literature and initiatives. A real use case applying this disruptive paradigm is also provided.
A walk through the evolution of IdM
IdM systems are in constant evolution, trying to improve and enhance the services they offer by incorporating the latest technological advances available. Initially, IdM systems were designed to provide solutions to small, closed environments, relying on a central authority, e.g. directory services (Active Directory, LDAP, etc.) or a public key infrastructure (PKI) with registration/validation authorities to manage the identity lifecycle. With the popularization of the internet, business flows started to span bigger environments and needed more interconnections; it was clear that an evolution of this initial approach was necessary. Therefore concepts such as Single Sign-On (SSO) and Federated Identity were coined and, with them, a plethora of new standards and protocols (Kerberos, RADIUS, SAML, OIDC, OpenID, OAuth, etc.) were created to support these new approaches.
However, with time the use of social networks became widely accepted and the technical capacity (hardware and software) to process data, especially personal data, improved notably. It is worth highlighting that these new capabilities not only allow an exponential rise in the volume of data stored but also allow information to be extracted from that data thanks to the perfecting of AI technologies. Consequently, it became more and more obvious that a user-centric control approach was necessary in the design of a new IdM paradigm. In this regard, new standards such as UMA, supported by the Kantara Initiative, were defined to tackle this issue.
It was only after the popularization of blockchain technology that a completely new and disruptive approach was applied to the IdM domain. This new approach supersedes the traditional central authority with a distributed ledger, which gives overall control of data access to the end user. In addition, it resolves some of the issues that a traditional central IdM implies, such as: the data owner's liability (hacking/cybersecurity risks), single points of failure, jurisdictional policies (data sharing), vendor lock-in (monopoly), etc.
Decentralized Identity main concepts and standards
The concept of a decentralized identity model is not new; during the last two decades there have been examples in the literature addressing decentralized trust models and decentralized identity management [GJ17, BFL06, AR17], and some examples of standards are ClaimID, MicroID and DANE [HS12], although they never became widely accepted. It was with the breakthrough of Bitcoin that blockchain technology improved considerably and popularised new protocols and standards in the IdM domain which have become widely adopted. In particular, the following standards are worth mentioning:
- Decentralized Identifier (DID) is the keystone on which the whole IdM will rely; it defines how to manage identifiers in an environment without a central authority.
- Verifiable Credentials provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. It also allows the credential owner to generate a zero-knowledge proof of the credential, providing a privacy-preserving mechanism for sharing data.
- Decentralized Key Management System (DKMS): cryptography is one of the pillars on which blockchain technology is based, hence it is imperative to have a standard that defines cryptographic key management for decentralized environments where a central authority is not available.
Under the umbrella of this new set of standards, new open source implementations of decentralized identity are becoming broadly used. Some examples are: Onename, uPort, Sovrin and Hyperledger Indy.
Furthermore, there are also some initiatives devoted to evangelizing and disseminating the Self-Sovereign Identity paradigm, explaining what standards are available and how to apply them in a real system, such as SSIMeetup and the Decentralized Identity Foundation (DIF). SSIMeetup publishes very interesting webinars that introduce the main concepts associated with this paradigm, while DIF goes one step beyond, creating a collaborative community for the creation of tools and services to adopt this paradigm. It is worth highlighting the work that DIF is doing on developing a Universal Identifier which, based on the implementation of the W3C DID standard, will decouple an SSI solution from the use of a specific ledger. So the final SSI implementation does not need to be tied to a specific solution or ledger (Ethereum, Sovrin, etc.).