Self-Sovereign Identity: a Primer

Hartmut Obendorf
5 min read · Sep 3, 2021


Trust is an important requirement for many forms of communication, and without trust, many services and businesses would not be able to operate. Digital trust is often centralised, with select, well-known entities providing an anchor of trust that is propagated to everyone else; you are using this mechanism as you read this paragraph, having accessed an https URL to find this article on your trusted platform, Medium. Your browser tells you that you are on the right site; it can do so because it trusts Cloudflare, the issuer of medium.com’s certificate — and one of the Web’s central trust anchors.

Today, the Web is used for a lot more than reading; e-commerce and digital services require additional trust: trust in you. They need to be sure you are who you claim to be, and that you really have what you claim to have (e.g. the bank account they will get their payment from). This trust is centralised, too. If you log in with Apple, Google, Facebook and others, you are using your existing digital identity to create that trust.

But there is a price: you are no longer in control of your identity—Apple, Google and Facebook are. And if someone accesses your data, Apple, Google and Facebook will know, and they can add a data point describing your behaviour to their vast collection.

Self-Sovereign Identity (SSI) is one approach to decentralising trust and giving you ownership of your own data. SSI is also

  • a W3C standard for identities (DIDs¹) and verifiable credentials (VCs²), built on IETF standards, and a central achievement for the Decentralised Identity Foundation³ (including its member Microsoft)
  • “Chefsache” (a matter for the boss herself) for Chancellor Merkel⁴, the winning technology in all four digital identity projects started by the BMBF (the German Federal Ministry of Education and Research) in 2021, and an important building block for identity in the European Union⁵.
  • the identity layer for the internet — a privacy-conserving, data-protecting disruption of identity provisioning and trust management.

Right, but what can SSI do for you? There are at least two answers: (1) for personal identities, (2) for corporate identities and identities of things.

For personal identities, you can think of self-sovereign identities as a wallet app on your phone: *you* carry the wallet, and if someone asks you for credentials, such as a driver’s license, you show that license, perhaps covering some confidential data with your hand but allowing the verification of your credential. SSI does the same – with your decentralised identifier (DID) you can store all the verifiable credentials (VCs) you need. And if someone asks you for them, your wallet will ask you if you want to show them. This can be as convenient as using Google Pay or Apple Wallet, only that no information leaves your phone without your consent.

In the Internet of Things (IoT), and for corporate identities, self-sovereign identities could unlock future applications, e.g. self-driving cars that are also self-charging, and perhaps self-sharing when not needed. SSI would enable you to authorise devices, and enable services to verify these authorisations without having to ask you, or a third party—very useful for connected edge devices. However, the logistics here are a little more complicated as there is no user who can make decisions about whom to show what data. This is where agents come into play, and I plan to cover that in another story.

Self-sovereign identities are a standard, not a technology — this means that there are several possible and actual implementations that more or less cover the standard. Technically, an SSI system consists of three ingredients⁶:

1. A standard, open protocol for establishing unique, private and secure connections between two parties. In SSI, this is the DIDComm standard⁷, which lets you use a public DID address to initiate a private exchange that nobody else can participate in. It is possible to have a separate DID for each digital relationship, further decreasing the data shared publicly. DIDs can be created by anyone, without central approval—they provide secure connectivity, not trust.

2. A standard, open cryptographic protocol for issuing, holding, and verifying digital credentials. Credentials are created by trusted identities, such as the state for driver’s licenses, shops for membership cards, airlines and trusted agencies for plane tickets, and so on. Public key cryptography⁸ is used to digitally sign each data element, and techniques such as zero-knowledge proofs⁹ can be used to “hide” information that isn’t relevant to the verification (such as “I can prove I am allowed to drink, but won’t tell you my birth date”).

3. A trusted directory for the public verification keys of credential issuers. To verify credentials, and to enable anyone to verify the source, integrity and validity of any data, a globally accessible and trustworthy store for the public keys of credential issuers is required. To keep this store trustworthy, malicious changes to the data must be prevented, the data should be chronologically ordered so that you can retrieve the current keys, and no single provider should be trusted with its control. This is why a distributed ledger, often called a blockchain, is the natural choice as a storage medium.
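As an added illustration of ingredients 2 and 3 (example code, not from the original post), here is a minimal issue/present/verify round trip in Go: the issuer signs only the digests of salted claims, the holder presents a copy that reveals just the claim it chooses, and the verifier resolves the issuer's key from a trusted directory. The salted-hash disclosure is a simplification standing in for the zero-knowledge techniques mentioned above, the in-memory map stands in for the ledger, and the DIDs and claim names are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)
// Ingredient 3: a trusted directory of issuer keys by DID; a map stands in for the ledger.
var Directory = map[string]ed25519.PublicKey{}
// The issuer signs only salted-claim digests, so a holder can omit claims without breaking the signature.
type Credential struct {
	Issuer  string
	Claims  map[string]string // revealed claims: name -> "salt|value"
	Digests string            // one SHA-256("name|salt|value") line per issued claim
	Sig     []byte            // Ed25519 signature over Issuer + "\n" + Digests
}
func digest(name, saltedValue string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(name+"|"+saltedValue)))
}
// Issue: the issuer salts every claim and signs the digest list with its private key.
func Issue(issuer string, priv ed25519.PrivateKey, claims map[string]string) Credential {
	c := Credential{Issuer: issuer, Claims: map[string]string{}}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // random salt: a hidden claim cannot be guessed from its digest
		c.Claims[name] = fmt.Sprintf("%x|%s", salt, value)
		c.Digests += digest(name, c.Claims[name]) + "\n"
	}
	c.Sig = ed25519.Sign(priv, []byte(issuer+"\n"+c.Digests))
	return c
}
// Present: the holder reveals only the named claims ("allowed to drink", not the birth date).
func Present(c Credential, reveal ...string) Credential {
	p := Credential{Issuer: c.Issuer, Claims: map[string]string{}, Digests: c.Digests, Sig: c.Sig}
	for _, name := range reveal {
		p.Claims[name] = c.Claims[name]
	}
	return p
}
// Verify: look the issuer up, check its signature, then check each revealed claim's digest.
func Verify(p Credential) bool {
	pub, ok := Directory[p.Issuer]
	valid := ok && ed25519.Verify(pub, []byte(p.Issuer+"\n"+p.Digests), p.Sig)
	for name, sv := range p.Claims {
		valid = valid && strings.Contains("\n"+p.Digests, "\n"+digest(name, sv)+"\n")
	}
	return valid
}
```

A real deployment would use the W3C Verifiable Credentials data model and a DID method resolver instead of these hand-rolled encodings, but the trust relationships are the same.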

For now, if you want to learn more, check out the links below, and feel free to drop your questions in the comments. There is also a rather extensive list of standards and implementations¹⁰ if you feel like it.

I am a software architect, and built Design teams for Nokia, HERE, XING and mytaxi / FREE NOW. I am CTO for Chainstep. We are consulting companies from different industries who want to explore real applications for complex technologies such as blockchains and SSI. And we can run a seminar and/or workshops for you if you want to learn more about SSI.

Hartmut Obendorf

CTO @ Chainstep, Ex-FREE NOW, Ex-XING, Ex-HERE, Ex-Nokia. PhD. Designer. Developer.