7 Myths of Self-Sovereign Identity

Timothy Ruff
Oct 30, 2018 · 7 min read

Dispelling misunderstandings around SSI (Part 1 of 2)

Image by David Travis on Unsplash

Here are seven myths of SSI that I repeatedly hear and will address across two posts. Myths 1–3 will be discussed here, myths 4–7 here.

  1. Self-sovereign means self-attested.
  2. SSI attempts to reduce government’s power over an identity owner.
  3. SSI creates a national or “universal ID” credential.
  4. SSI gives absolute control over identity.
  5. There’s a “main” issuer of credentials.
  6. There’s a built-in method of authenticating.
  7. User-centric identity is the same as SSI.

Note: readers should have a basic understanding of how SSI works before reading this. For a primer, review the third and final section of The Three Models of Digital Identity Relationships.

The self-sovereign identity model.

Background

We heard first-hand examples of the pains caused by broken identity systems around the world, some of which were truly heartbreaking. Most of us take for granted that we can prove things about ourselves, unaware that over a billion people cannot, leaving them unable to obtain desirable work or advanced education, open a bank account, hold title to property, or even travel. As noted by the World Bank’s ID4D, identity is a prerequisite to financial inclusion, and financial inclusion is a big part of solving poverty.

That means improving identity will reduce poverty, not to mention what it could do for human trafficking. Refugees bring another troubling identity dilemma where the need is critical, and where we are commencing efforts through our partnership with iRespond.

The Culprit

If SSI really was what these skeptics thought, I wouldn’t favor it either. And if they knew what SSI really is, I think they’d embrace it wholeheartedly.

The perception problem begins with the very term, “self-sovereign.”

At one point on the main stage, the venerable Kim Cameron, Microsoft’s Principal Identity Architect and author of the seminal 7 Laws of Identity, quipped:

“The term ‘self-sovereign’ identity makes me think of hillbillies on a survivalist kick.”

Kim went on to clarify that he is strongly in favor of SSI, he just dislikes the term and the negative perceptions it conjures up.

Me, too.

Self-sovereign identity is not a great term — for lots of reasons — but until we have a better one, (“decentralized identity” is a serious candidate) let’s clarify the one we’ve got.

Myth 1: Self-sovereign means self-attested.

Third-Party Credentials

I can claim I went to Harvard, but when a prospective employer needs to know for sure, my claim is no longer sufficient. Saying my credit is great won’t get me a loan, and claiming I’m a pilot won’t get me into the cockpit. I need proof, and it must come from a source that the relying party will trust.

SSI is no different. You can make all the claims you want about yourself, but when a relying party needs to know for sure, you need to show them credentials provably issued by a source the relying party trusts.

Self-Attested Credentials

So, to prove Timothy Ruff has given his consent — which only Timothy can give — you must be confident that you’re dealing with the real Timothy Ruff, which is only provable with third-party attestations.

This means that self-attested credentials, including consent, still rely indirectly on third-party credentials. (Unless it’s something like pizza preferences, where who you are doesn’t matter much.)

Bottom line: the foundation of SSI, as with any strong identity system, is third-party issued credentials, not self-attested credentials. SSI supports both, and each type can add value to the other.

Myth 2: SSI attempts to reduce government’s power over an identity owner.

SSI makes possible a private, encrypted, peer-to-peer connection between government and each citizen that can, with mutual consent, be used for powerful mutual authentication (preventing phishing), communication, data sharing, and more. This connection wouldn’t be affected by changes in email address, postal address, phone numbers, and so on. And since both sides of the link would be self-sovereign, either side could terminate it, too.

From the perspective of government, the initial function of SSI is straightforward: take existing credentials, whether physical or digital, and begin issuing them cryptographically secure in the form of digital, verifiable credentials. These credentials can then be held independently by the individual, and verified instantly by anyone, anywhere, including government, when presented.

The secondary function of SSI is even more interesting: use the encrypted connection that was created during credential issuance for direct, private, ongoing interaction with the constituent.

From the perspective of the individual, we’ve actually had some central features of SSI for hundreds of years, using the global standard known as paper. Today, government gives you a passport which you carry and present anywhere you wish, with broad acceptance. SSI simply makes the same thing possible digitally, and with significant advantages (zero-knowledge proofs/selective disclosure, revocation, mutual authentication, etc.).

This digital transformation of credentials simply hasn’t been possible until now, at least interoperably and on a global scale.

Myth 3: SSI creates a national or “universal ID” credential.

SSI actually does not replace the trust of government or any other organization; it is simply a means for connecting and exchanging instantly authenticatable data. SSI is set of protocols, not an actor, and it has no inherent basis for trust other than the cryptographic properties that ensure the privacy and integrity of the data exchanged and the connection used to exchange it. What parties exchange over that connection, and whether to trust what was exchanged, is up to them.

Some governments already understand SSI and are leading out on its implementation. My prediction: all governments will eventually use SSI to issue credentials digitally, to better communicate with and interact with constituents, to streamline internal processes where slow verification bogs things down, to more strongly authenticate the people, organizations, and things they deal with, and to reduce the printing of paper and plastic.

SSI in the Developing World

Quite possibly.

In some parts of the world, trust within a community is established by obtaining from a trusted individual a signed attestation that you’re worthy of obtaining a loan, for example. With SSI this could be done digitally rather than on paper, it could involve biometrics that strongly attach the attestation to the attestee and attestor, and it could include attestations and other potential credit scoring data from multiple sources.

I can imagine a baby born in a remote village and receiving her first “credentials” from her family and friends, who each give her attestations about her birth and their recollections of it. Pictures, videos, songs, and other precious memories could be added to her brand new digital wallet — which is now so much more than a wallet — and with guardianship of it tied to her parents. Who knows how such a set of credentials issued by loved ones might later be used, but my sense is that it could be vitally important some day.

I love the fact that SSI is powerful for both developed and developing worlds. I can’t wait to explore this topic more in the future.

Part 2, Myths 4–7, can be read here.

Footnotes:

¹ Consent is a rich topic that will be covered in greater detail in the future. See here for an eye-opening perspective about how elusive, and practically impossible in many cases, consent can be.

Founded in 2013, Evernym helps organizations implement self-sovereign identity, and individuals to manage and utilize their self-sovereign identity. Learn more at evernym.com.

Evernym

Founded in 2013, Evernym develops software solutions that…

Evernym

Founded in 2013, Evernym develops software solutions that leverage distributed ledger technology to provide every individual, organization and connected device with secure and irrevocable identity. Learn more about Evernym and its self-sovereign identity solutions at evernym.com.

Timothy Ruff

Written by

GP, Digital Trust Ventures

Evernym

Founded in 2013, Evernym develops software solutions that leverage distributed ledger technology to provide every individual, organization and connected device with secure and irrevocable identity. Learn more about Evernym and its self-sovereign identity solutions at evernym.com.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store