DID Auth and the little I-am-me

Markus Sabadello
Sep 4, 2018 · 4 min read

We recently published a report on “DID Auth” (PDF, MD), which summarizes ideas and possible architectures that allow you to prove that you control a certain Decentralized Identifier (DID). This report originated at the sixth Rebooting-the-Web-of-Trust workshop and is the result of a collaborative effort by several authors and contributors. There is also a webinar.

But before further discussing DID Auth, let’s first start with a story.

The story of a cute little creature:

One day, a frog asks “Who are you?”, and the little creature realizes that it has a severe identity problem: It doesn’t know what kind of animal it is, and it doesn’t know its own name. So it ventures out into the world to find other animals — horses, fish, hippos, parrots, dogs — hoping that one of them would be able to tell what kind of animal it is. However, none of the other animals know the answer. Eventually, the little creature gets sad and desperate, almost starts to cry, and it asks itself, “Is it possible that I don’t exist at all? That I am no one?”. But then, after a few moments it suddenly stops and realizes “Of course I exist. I am me!”.

This story about the little I-am-me is from a 1970s children’s book. For young children, the moral of the story is that you are an independent person, and it doesn’t matter what your parents or other children say about you. For those of us who work on self-sovereign digital identity technologies however, the story of the little I-am-me also represents the essence of what we are aiming for: Identity that is inherent to us and that cannot be taken away.

The little I-am-me went to many identity conferences in 2018, including Identiverse, the Internet Identity Workshop, European Identity Conference, Decentralized Web Summit, MyData, and others.

This takes us back to DID Auth. I would claim that with the advent of DID Auth, now for the first time in the history of digital identity, we will have ways to prove online that “I am me”. In earlier identity protocols, we have only ever been able to express statements like “according to identity provider X, my identifier is Y”, but never truly “I am me”. You will notice that the architecture diagrams in the DID Auth paper only show two participants (identity owner and relying party), whereas diagrams of earlier identity protocols typically contained three participants (identity provider, relying party, user). This is a fundamental shift.

In today’s emerging self-sovereign identity community, there is strong interest in a relationship-based understanding of identity. This idea, also described by Joe Andrieu as Functional Identity, proposes that “identity is how we keep track of others, and how others keep track of us”, i.e. identity always depends on who we are interacting with. This approach tends to model identity mostly as a set of Verifiable Credentials. This model however ignores the inherent aspect of our identity that does not depend on others. The little I-am-me had talked to all the other animals, but none of them was able to issue a Verifiable Credential about who it is. Still, it definitely has its own independent existence (= the very first principle of Christopher Allen’s famous blog post).

While working on the DID Auth paper, the most interesting topic for me was that of semantics, i.e. what data format could actually be used to represent the seemingly simple statement “I am me”.

  1. One approach used by several communities is based on the classic JSON Web Token (JWT) format. DID Auth could use a profile of this format where the issand sub fields are the same, i.e. a self-signed token asserting one’s DID. But even though the JWT can contain an assertion of an identifier, it still remains plain JSON, which means it is limited in its ability to express semantically meaningful statements.
  2. Another approach is to use the same format as Verifiable Credentials, i.e. the JSON-LD serialization format of the RDF semantic graph model. In this approach, a self-signed Verifiable Credential like the following can demonstrate control of a DID:
{
  "type": ["VerifiablePresentation"],
  "issuer": "did:example:123456789abcdefghi",
  "issued": "2018-09-04",
  "claim": {
    "id": "did:example:123456789abcdefghi",
    "publicKey": "did:example:123456789abcdefghi#keys-2"
  }
}

But wait a second. While RDF is a semantic data model, does this piece of data really say “I am me”? No, it doesn’t. It only says “did:example:123456789abcdefghiis claiming that did:example:123456789abcdefghi‘s public key is #keys-2”. That’s maybe close, but not what we are looking for.

I would argue that it is impossible to formulate an RDF statement that actually says “I am me”, because RDF lacks the ability to express context and relativity. The only data model I am aware of that can do this is the XDI graph model with its built-in constructs for contextual statements, root nodes, and relative identifiers.

An XDI statement that expresses “I am did:example:123456789abcdefghi“ would look like this:

/$is/(=!:did:example:123456789abcdefghi)

And then finally, to express “I am me”, the following trivial statement describes an XDI local root node linking to itself via an $isequivalence arc.

/$is/

There is much more to explore as we build out data models and protocols for the self-sovereign identity vision, but proving control of identifiers, and the associated semantics will be key pieces in this journey.

(This article about DID Auth and the little I-am-me was inspired by a conversation with Joachim Lohkamp and Shermin Voshmgir in late 2017.)

Markus Sabadello

Written by

Sovereign Digital Identity, Decentralization, Peace and Conflict.