Trusted Digital Identity — Implementation Approaches
Please note: This posting for the purposes of formulating my thoughts-in-progress and gaining constructive feedback from the community. It does not reflect an official position.
Our current draft policy definition for a trusted digital identity is an electronic representation of a person, used exclusively by that same person, to receive valued services and to carry out transactions with trust and confidence.
This policy definition is intended to convey the overall policy intent (making sure you have the right person with confidence before carrying out a transaction) but it is a bit vague from a technical perspective.
A more technical definition of trusted digital identity is required for implementation, so here is my first crack at one that is a bit more math-y and logical. In developing this definition, I have kept in mind that there are numerous approaches and schemes in implementing a trusted digital identity (centralized, decentralized, hybrid, etc.)
A trusted digital identity is the set of identifiers and verifiable claims accompanied by proofs of: 1) ownership, 2) control, and 3) agreement.
Unpacking this more technical definition:
- Identifier: Anything (name, numbers, symbols, etc.) that uniquely distinguishes a member of a population from another member.
- Verifiable Claim: a qualification, achievement, quality, or piece of information about an individual such as a name, government ID, home address, or university degree. Such a claim describes a quality or qualities, property or properties of an individual which establish its existence and uniqueness.
Identifiers and verifiable claims are broken out as separate considerations, because while a claim can be verifiable, to be useful, it needs to be attributable to someone (or something) who needs to be identified in some way or another.
Accompanying identifiers and verifiable claims are proofs:
- Proof of Ownership: the ability to prove the right to create, transfer or revoke something (e.g., an identifier, a digital or physical asset, etc.).
- Proof of Control: the ability to the prove the right to use, or authorize the use of something.
- Proof of Agreement: the ability to prove something that has been agreed to— either by an authority (by fiat) or a community (by consensus)
Similarly, the proofs are broken into separate considerations of ownership, control, and agreement allow for the possibility of hybrid schemes. For example, you might not ‘own’ your Social Security Number (as it is issued by the government) , but you do ‘control’ it (according to SSN policies).
The table below summarizes and cross references the options, showing the centralized and decentralized implementation options:
So how does this work for trusted digital identity? Going back to the definition: a trusted digital identity is the set of identifiers and verifiable claims accompanied by proofs of: 1) ownership, 2) control, and 3) agreement.
A example scheme could use comprise as trusted digital identity
- Fully Centralized Scheme: Use a centralized identifier such as the Social Security Number/Social Insurance Number (SSN/SIN). Since the the SSN/SIN is centrally administered, it is actually owned by the SSA (in the US) or ESDC (in Canada). The SSN/SIN is issued to an individual who the needs to prove control before it can be used by a service. For the verifiable claims, the central authority issues the claims, determines the rightful user, and determines the accuracy.
- Fully Decentralized Scheme: Use a Decentralized Identifier (DID) that is registered on a consensus platform (e.g., distributed ledger). The individual proves control of the DID through decentralized cryptographic challenge/response methods. The individual asserts whatever they wish. Proof of agreement is done by means of a consensus platform, in this case, the individual asserted something at some point in time.
- Hybrid Scheme. Use a centralized identifier such as the Social Security Number/Social Insurance Number (SSN/SIN). The individual proves control of the SSN/SIN through decentralized cryptographic challenge/response methods. For verifiable claims, they could be self-asserted by the individual, through agreement by the community, and provided by a central authority.
To conclude, a trusted digital identity, as a policy concept is intended to achieve the objective that you are dealing with the right person with confidence. As a technical concept, a trusted digital identity can be implemented using a centralized, decentralized, or hybrid scheme.
This is still a work in progress, however, the ultimate goal is to develop a simple coherent approach that allows for different architectural and technology options in developing solutions for trusted digital identities.
Comments and feedback welcome!