What are self-sovereign identities?
Digital identities play a key role in any digital transformation initiative launched by an organization or government, and they raise the essential question of trust, or more precisely digital trust. Digital trust refers to the technology and procedures implemented to securely identify a person and to provide authentication, non-repudiation, confidentiality and privacy.
For citizen-centric digital identity use cases, the traditional approach is a hierarchical model in which a government or other central authority issues credentials to each individual. Trust then derives from all parties involved (issuers, holders, relying parties) accepting that highest authority as the root of trust.
Alternative models have recently emerged that let citizens regain control as the sole credential subject. This approach is based on a concept called self-sovereign identity (SSI), which empowers individuals to decide which credentials, attributes or minimal data sets to present as verifiable information for the services they request.
As shown in the diagram above, the holder manages their credentials through a digital wallet application that interacts with the issuer and the verifier. Issued credentials are bound to decentralized identifiers (DIDs): identifiers that resolve to a DID document describing the identified party (public keys, service endpoints and other metadata). DID documents, or the anchors needed to reconstruct them, are published in a verifiable data registry, often but not necessarily a distributed ledger. After receiving a verifiable credential (VC), the holder presents it to the verifier (relying party), which resolves the issuer's DID to obtain the public key and other cryptographic material needed to verify the credential.
It is important to emphasize that SSI concepts do not create trust "ex nihilo"; the verifier still has to decide which issuers it trusts. What SSI changes is the decoupling of issuer and relying party as far as the use and scope of the issued credentials is concerned: the issuer does not need to know where or when a credential is presented. The holder controls presentation, including selective disclosure, so the verifier receives and verifies only the specific attributes it needs. Note that selective disclosure requires a credential format designed for it (per-attribute commitments or zero-knowledge proofs); a plain signature over the whole credential document forces the holder to reveal everything.
Self-sovereign identities and ongoing revision of the eIDAS regulation
The EU's electronic identification, authentication and trust services (eIDAS) regulation was established to enable mutual recognition of national electronic identification systems in Europe and to define EU-wide trust services such as electronic signatures. Recognizing the lack of concrete cross-border eID use cases, the proposed revision of eIDAS aims to push EU-wide usage of digital identities through a mobile digital wallet application that can support self-sovereign identity management schemes.
This initiative is an excellent opportunity to create European leadership in secure, trusted digital identities coupled with meaningful use cases such as mobile driving licences, diplomas, digital travel credentials, online authentication and qualified electronic signatures. In addition, it lets member states connect existing and future national electronic identity solutions at the highest level of assurance.
The European digital identity wallet (EDIW) plays a key role here: the technical specifications currently being developed by expert groups from the European Commission and the member states will set a common standard in Europe. Another major driver for the eIDAS revision is the willingness to promote private-sector use cases. We can therefore expect the digital wallet to have a real impact on citizens' daily online experience, not just on government-to-citizen applications.
Examples of use cases
Combining self-sovereign identity schemes with everyday applications enables critical mass and frequent usage, which has always been a key issue for citizen-centric eID deployments. As mentioned above, verifying critical attributes presupposes that they are trustworthy, i.e. authentic, which is achieved by deriving them from government-issued documents.
Let's say a user wants to access an online application that requires proof of age. Additional personal data such as name, address or gender should not be disclosed. Because the age claim gates access and is itself sensitive information, it must be trustworthy, which is achieved by deriving it from official documents and authentic sources.
- First, we presume that the citizen has uploaded his or her government-issued documents into the digital wallet through an online process that depends on the type of document and the enrollment workflow. National eID cards are of particular interest, as they can propagate the highest level of assurance to all authentic attributes in a convenient and automated way.
- Next, the user selects the specific attribute (e.g. age) and the authentic source it is derived from. The VC, or a presentation derived from it, corresponding to the claim "adult" is then sent to the service provider and verified; the other attributes in the credential stay in the wallet.
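The issuance, presentation and verification flow described earlier and the proof-of-age walk-through above, as one added example (this is not Atos code and not an eIDAS or EDIW specification). It assumes Ed25519 issuer signatures from the `cryptography` package, a per-claim salted-digest construction in the style of SD-JWT standing in for whatever credential format the wallet ends up using, and an in-memory dict playing the role of the DID registry; the DIDs, the holder's claims and the registry contents are constructed for illustration.

```python
"""Selective-disclosure verifiable credential: issuer -> holder -> verifier.

Added example (not Atos code, not part of any eIDAS spec). Assumptions:
- issuer signatures are Ed25519 via the `cryptography` package;
- per-claim salted SHA-256 digests stand in for the SD-JWT mechanism;
- the DIDs, the claim values and DID_REGISTRY (a dict playing the role of the
  verifiable data registry) are constructed for illustration.
"""
import hashlib
import json
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

ISSUER_DID = "did:example:civil-registry"  # hypothetical issuer DID
HOLDER_DID = "did:example:alice"           # hypothetical holder DID
DID_REGISTRY: dict[str, bytes] = {}        # DID -> raw Ed25519 public key


def canonical(obj) -> bytes:
    """Deterministic JSON so issuer and verifier hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def claim_digest(salt: str, name: str, value) -> str:
    """Commitment to one claim. The random salt blinds low-entropy values such
    as over_18=True; without it a verifier could guess withheld claims."""
    return hashlib.sha256(canonical([salt, name, value])).hexdigest()


def issue(issuer_key: Ed25519PrivateKey, subject_did: str, claims: dict):
    """Issuer signs only the sorted claim digests, never the claim values.
    Returns the signed credential and the disclosures the holder keeps."""
    disclosures = {n: (secrets.token_urlsafe(16), v) for n, v in claims.items()}
    digests = sorted(claim_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = {"iss": ISSUER_DID, "sub": subject_did, "_sd": digests}
    sig = issuer_key.sign(canonical(payload))
    return {"payload": payload, "sig": sig.hex()}, disclosures


def present(credential: dict, disclosures: dict, reveal: list[str]) -> dict:
    """Holder attaches only the disclosures for the claims it chooses to show."""
    return {
        "credential": credential,
        "disclosed": [[disclosures[n][0], n, disclosures[n][1]] for n in reveal],
    }


def verify(presentation: dict) -> dict:
    """Verifier: resolve the issuer DID, check the signature, then check each
    disclosed claim against the signed digest set. Returns the revealed claims."""
    cred = presentation["credential"]
    payload = cred["payload"]
    pub_raw = DID_REGISTRY.get(payload["iss"])
    if pub_raw is None:
        raise ValueError(f"cannot resolve issuer DID {payload['iss']}")
    Ed25519PublicKey.from_public_bytes(pub_raw).verify(
        bytes.fromhex(cred["sig"]), canonical(payload)
    )  # raises InvalidSignature if the payload was altered
    signed = set(payload["_sd"])
    revealed = {}
    for salt, name, value in presentation["disclosed"]:
        if claim_digest(salt, name, value) not in signed:
            raise ValueError(f"disclosure for {name!r} is not covered by the signature")
        revealed[name] = value
    return revealed


def rejects(presentation: dict) -> bool:
    """True if the verifier refuses the presentation."""
    try:
        verify(presentation)
        return False
    except (ValueError, InvalidSignature):
        return True


def run_demo() -> dict:
    issuer_key = Ed25519PrivateKey.generate()
    DID_REGISTRY[ISSUER_DID] = issuer_key.public_key().public_bytes(
        Encoding.Raw, PublicFormat.Raw
    )
    claims = {"given_name": "Alice", "address": "1 Example St", "over_18": True}  # constructed
    cred, disclosures = issue(issuer_key, HOLDER_DID, claims)

    # Proof of age: only over_18 is disclosed; name and address stay in the wallet.
    revealed = verify(present(cred, disclosures, ["over_18"]))

    # Holder edits a disclosed value: its digest no longer matches a signed one.
    forged = present(cred, disclosures, ["given_name"])
    forged["disclosed"][0][2] = "Mallory"

    # Anyone editing the signed payload (e.g. re-pointing the subject) breaks the signature.
    swapped = present(cred, disclosures, ["over_18"])
    swapped["credential"] = {"payload": {**payload_copy(cred), "sub": "did:example:mallory"}, "sig": cred["sig"]}

    # An issuer DID the verifier cannot resolve is rejected before any crypto runs.
    unknown = present(cred, disclosures, ["over_18"])
    unknown["credential"] = {"payload": {**payload_copy(cred), "iss": "did:example:nobody"}, "sig": cred["sig"]}

    return {
        "revealed": revealed,
        "forged_value_rejected": rejects(forged),
        "swapped_subject_rejected": rejects(swapped),
        "unknown_issuer_rejected": rejects(unknown),
    }


def payload_copy(cred: dict) -> dict:
    return dict(cred["payload"])


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the block is where the trust boundaries sit: the issuer signs commitments rather than values, so the verifier learns nothing about claims the holder withholds; the verifier trusts the issuer only after resolving its DID in the registry; and neither the holder nor a man-in-the-middle can alter a value or the subject without breaking a digest or the signature. A real wallet would additionally bind the presentation to the holder (proof of possession of the holder's key) and check revocation status, which the example leaves out.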
Another example is the verification of health attributes such as vaccination status, combined with the need to ensure that they are linked to the right individual. Here again, holding health attributes in the digital wallet is an interesting solution.
We can also imagine that, for certain data elements or services, the citizen will connect his or her wallet to trusted third parties in order to produce verifiable information. This could include the validity of certain credentials, digital signatures or electronic timestamps.
Coupling the citizen's digital wallet with cloud-based issuance, verification and usage scenarios deserves particular attention. Locally, the citizen holds a physical device (the smartphone) under his or her control, running a highly secure application for managing credentials and attributes, since the revised eIDAS will require wallets to be certified at the highest level of assurance. Remotely, other critical operations such as backing up sensitive information, key management, remote digital signature or validation can be performed. The split matters for security: what stays on the device is protected by its secure hardware and the user's possession of it, while what moves to the cloud depends on the provider's key management and access controls.
Combined with initiatives promoting European sovereign cloud infrastructures, this approach builds a coherent trust model that protects data privacy and offers a user-friendly digital transformation.
Just as the General Data Protection Regulation (GDPR) generated a great deal of interest worldwide, Europe can set the standard for new digital trust models that put the citizen at the center. Common specifications for digital wallets are an opportunity for SSI concepts to be deployed in daily life, where acting as a citizen, an employee or a customer simply means:
“As a user I decide what minimal required information will be disclosed to whom by controlling my digital credentials and attributes.”
Along with the European cybersecurity ecosystem, Atos is ready to support this trend with expertise, innovation and solutions.
Reference: Regulation (EU) No 910/2014 (eIDAS).
About the author
Senior Advisor Digital Identity, Atos
Dan Butnaru is Senior Advisor Digital Identity in the "Digital ID" Business Unit, part of the Atos BDS Cybersecurity Products division, which develops products for PKI, electronic signature, smart card operating systems and related solutions.
As a senior expert with almost 30 years of professional experience in digital identity, cryptography, public key infrastructure, e-banking and smart cards, Dan has in-depth knowledge of eGovernment projects such as e-ID and e-Passport infrastructures.