Decentralized digital identity is an emerging digital identity model enabled by the development of blockchain technology. The decentralized identity model is at the core of self-sovereign identity (SSI), which grants individuals full control of their own personal data. A decentralized identity platform for SSI consists of three essential components: an identity trust fabric, an identity wallet and an identity management system.
Core Functionality
A decentralized identity platform facilitates interaction between three parties: an individual user (holder), a service provider (verifier) and a trusted third party (issuer). It provides the following core functionality:
Authentication is a mechanism that proves and authenticates the identity of an entity. A successful authentication enables the entity to access a system.
Authorization occurs after a successful authentication. Authorization determines what permissions or rights an authenticated entity has and then grants it access to authorized services and resources.
A blockchain is a list of immutable records, called blocks, that are cryptographically linked. Each block contains a cryptographic hash of the previous block. Integrity of the whole blockchain can be verified by iteratively verifying the hash values all the way back to the original genesis block. A blockchain that is distributed over a network is called a distributed ledger.
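As an added example (not from the original page), the Python sketch below performs the iterative hash check described above and reports where a chain stops being consistent. The block layout, the all-zero genesis back-link and the `did:example:` payloads are constructed assumptions.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed convention: the genesis block has no predecessor


def block_hash(block):
    """SHA-256 over a canonical JSON encoding of index, prev_hash and payload."""
    body = {k: block[k] for k in ("index", "prev_hash", "payload")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_block(chain, payload):
    """Link a new block to the current tip by storing the tip's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev, "payload": payload}
    block["hash"] = block_hash(block)
    chain.append(block)


def first_invalid_block(chain):
    """Walk from the newest block back to genesis.

    Returns the lowest index whose stored hash or back-link is wrong,
    or None when every link down to the genesis block checks out.
    """
    bad = None
    for i in range(len(chain) - 1, -1, -1):
        block = chain[i]
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS_PREV
        if block["hash"] != block_hash(block) or block["prev_hash"] != expected_prev:
            bad = i
    return bad


def build_sample_chain():
    """Constructed sample records; not real ledger data."""
    chain = []
    for payload in ("did:example:alice registered",
                    "did:example:bob registered",
                    "did:example:alice key rotated"):
        append_block(chain, payload)
    return chain
```

Editing a payload is caught at the edited block; recomputing that block's own hash to hide the edit only moves the failure to the next block, whose back-link no longer matches.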
Cryptography is the study of techniques for secure communication over insecure channels such as the internet. Two major categories of cryptography are symmetric-key cryptography and asymmetric-key cryptography. Symmetric-key cryptography uses a single key for both encryption and decryption. Asymmetric-key cryptography, on the other hand, uses two separate keys: a public key for encryption and a private key for decryption.
A decentralized identifier (DID) is a globally unique identifier (URI) that does not require a centralized registration authority because it is registered with a decentralized network.
A digital identifier is a unique piece of information used to identify people, organizations, or things within a context. Examples of digital identifiers are social security numbers (SSN), e-mail addresses and decentralized digital identifiers.
A digital identity of an entity is a unique fact of who or what the entity is in the digital world. A digital identity that is connected to a real-world identity is called a digital twin.
A digital signature is a cryptographic scheme for verifying the authenticity of digital messages and documents. A digital document that is cryptographically signed is tamper-evident. In asymmetric cryptography, a private key is used for signing a document whereas a public key is used for verifying the document.
A distributed ledger is a blockchain that is distributed across several nodes in a network. To record a new transaction into a distributed ledger, the nodes in the network must vote by a consensus protocol. Once a consensus is reached, all nodes update themselves with a copy of the new ledger. Examples of consensus protocols include Proof of Work, Proof of Stake and practical Byzantine Fault Tolerance.
An entity is any singular, identifiable and separate object, e.g. an individual, an organization, a system, etc.
A hardware security module (HSM) is a physical computing device for managing and safeguarding cryptographic keys. An HSM contains secure storage for cryptographic keys and crypto-processor chips for executing cryptographic operations such as key generation and digital signature.
A cryptographic hash function is a one-way function for converting a digital message into a seemingly random bit array of a fixed size. For a given hash value, it is infeasible to reverse-engineer the hash function and obtain its original message, called the hash preimage.
A holder is a role of an entity that holds a verifiable credential, created by an issuer. A holder can present her verifiable credential in the form of a verifiable presentation to a verifier.
An identity of an entity is a unique fact of who or what the entity is.
Identity management (IM) is a framework of policies and technologies for ensuring that the people in an enterprise have appropriate access to resources.
Identity proofing is a process of verifying and authenticating the identity of an individual accessing an application or a service. It prevents fraudsters from gaining access to sensitive data of legitimate users. Identity proofing includes, for example, verifying that uploaded credentials such as passports and driving licenses are valid.
An identity trust fabric (ITF) is a storage for cryptographic proofs of decentralized identities and verifiable credentials. An ITF enables decentralized trust between credential issuers, credential holders and service providers without relying on a centralized authority. An ITF can be built on a distributed ledger. A decentralized public key infrastructure (DPKI) is a component of an identity trust fabric.
An issuer is a role of an entity that asserts claims about itself or another entity. An issuer creates a verifiable credential from these claims and sends it to a holder.
A public key infrastructure (PKI) is a system for managing cryptographic public keys. A PKI system includes hardware, software, policies and roles, such as a certificate authority, for creating, managing, distributing, storing and revoking public key certificates. A public key infrastructure that is built on a distributed ledger is called a decentralized public key infrastructure (DPKI) and forms a component of an identity trust fabric.
Self-Sovereign Identity (SSI) is a concept where individuals are empowered to own, control and manage their digital identities without an intervening authority. An SSI platform can be implemented by using blockchain technology as an identity trust fabric.
A verifiable claim is an assertion made about an entity, which is tamper-evident and can be cryptographically verified.
A verifiable credential is a set of one or more verifiable claims about an entity. A verifiable credential is created by an issuer and held by a holder.
A verifiable presentation is a presentation of a verifiable credential, which is tamper-evident and can be cryptographically verified. A verifiable presentation is created by a holder and verified by a verifier.
A verifier is a role of an entity that verifies a verifiable presentation from a holder. A verifier is also known as a relying party or a service provider.
A zero-knowledge proof (ZKP) is a cryptographic protocol by which one party (called the prover) can prove to another party (the verifier) that she knows something without revealing its underlying information or content. One application of a ZKP is selective disclosure, which reveals only the minimum necessary information in a credential.
Digital identity is information on an entity that is used by computer systems such as the internet. Here, an entity is not limited to a person and could also be, e.g., an organization, a device or even software. Since the beginning of the internet, digital identity has changed continuously. Starting as centralized identity silos, digital identity has gradually evolved toward more and more decentralization, as outlined below.
1. Centralized Identity
Digital identity started with the centralized identity model where organizations establish point-to-point trust with each user. In this model, the organizations own and manage all digital identities, leaving the users themselves almost no control over their own digital identities. Since information is siloed, this model causes significant redundancy and inefficient storage of personal information. Storing and protecting personal information is also a liability that requires large operating costs.
2. Federated Identity
The next stage of the identity model is known as the federated or server-centric model where digital identity is shared between trusted organizations, enabling domain-to-domain trust. This model breaks the identity silos and reduces redundancy with, e.g., Single Sign-on (SSO). The federated model was promoted by the invention of several protocols, including Security Assertion Markup Language (SAML), OAuth and OpenID Connect (OIDC).
3. User-Centric (Mobile) Identity
In recent years, smartphones have emerged as persistent devices that can be digitally protected by, e.g., biometric information. This enables delegation of trust from organizations to mobile personal devices. In online banking, for example, SIM cards in mobile devices have been utilized as an identity tool for legally binding authentication and transaction signing.
4. Self-Sovereign Identity
With the rise of blockchain technology, the self-sovereign identity model has emerged as the most recent stage of digital identity. A blockchain serves as a decentralized and distributed tamper-evident log for digital identity and provides a common trust domain, known as the Identity Trust Fabric (ITF). This model enables individuals to fully control and manage their own personally identifiable information (PII) without the need for a centralized authority.