Dispelling misunderstandings around SSI (Part 2 of 2)
Here are seven myths of SSI that I repeatedly hear and will address across two posts. Myths 1–3 were discussed here; myths 4–7 will be discussed in this post.
- Self-sovereign means self-attested.
- SSI attempts to reduce government’s power over an identity owner.
- SSI creates a national or “universal ID” credential.
- SSI gives absolute control over identity.
- There’s a “main” issuer of credentials.
- There’s a built-in method of authenticating.
- User-centric identity is the same as SSI.
Note: readers should have a basic understanding of how SSI works before reading this. For a primer, review the third and final section of The Three Models of Digital Identity Relationships.
Myth 4: SSI gives absolute control over identity.
SSI gives its owner sovereign control over some aspects of identity, but not all. The digital wallet, DIDs, interaction history, consent receipts, private keys, and self-attested credentials are all self-sovereign, and can only be taken away with consent of the owner.
However… connections, relationships, and third-party issued credentials are not entirely self-sovereign, nor should they be. They represent (at least) two-sided relationships, and the other party to the relationship has some degree of control, too.
For example, if Abbott and Costello form a peer-to-peer SSI relationship and then subsequently break up, either Abbott or Costello can terminate the digital relationship — it’s not completely sovereign for either of them. As long as they both opt to keep it, the digital connection remains.
For third-party credentials, it is more nuanced. I recognize that some implementations of SSI do not allow for revocation, and that some people believe that credentials, once issued, should not be revocable; they should simply expire and be re-issued. We feel strongly that revocation is an essential component of credentialing in general — even if only to undo a mistaken issuance — and have implemented our thinking into Sovrin.
In the real world, I carry around my driver’s license and insurance card. If I drive drunk or neglect my premiums, these credentials can be revoked, but I still possess the plastic cards and can still use them to prove my age or address. Issuers don’t usually track someone down to confiscate the physical artifact after revoking it. (I recognize that this may not be true in some countries.)
Sovrin-style SSI makes this same balance possible with digital credentials, and usable in both meatspace and cyberspace: digital credentials such as licenses, permits, and the like can be held by the SSI owner in a self-sovereign digital wallet, and can still be revoked by their issuers, without the credentials themselves being removed from the wallet, and without verifiers needing to “phone home” (see below).
Importantly, revocation is optional, as it’s up to each issuer to build in the revocation ability during the issuance process. Without revocation, if the wrong Timothy Ruff undeservedly receives a Harvard diploma as a result of a clerical error, there would be no recourse other than asking the unintended recipient to destroy it or waiting for it to expire. (Good thing I’m honest.)
An Identity Game-Changer: Solving the “Phone Home” Problem
One very important (and exciting!) capability of Sovrin-style SSI credential revocation that’s not possible in the physical world: the ability of a verifier to instantly determine whether a presented credential has been revoked without contacting the issuer.
In the real world, physical credentials (e.g. a driver’s license) can be instantly checked for revocation against the issuer’s database. This introduces a problem, however, called the “phone home” problem: giving every verifier of driver’s licenses access to the official database of every state and every country would require a large, messy, many-to-many architecture with undesirable security, privacy, interoperability, and other complications, which is why it doesn’t happen often.
With Sovrin-style revocation, issuers can update anonymous revocation registries stored on the public ledger as often as every few minutes, where the updates become instantly available to verifiers anywhere¹. Doing this in a privacy-preserving manner is an important technological breakthrough that we have open-sourced and made freely available in the Hyperledger Indy codebase, implemented and running on the Sovrin network.
Revocation is an important topic that will be treated more fully in upcoming papers.
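To make the "no phone home" check concrete, here is an added example (not code from this post or from Hyperledger Indy) that uses a toy RSA accumulator as a stand-in for a revocation registry: the issuer publishes one value, holders refresh their witnesses from the public update alone, and the verifier runs a single local check. The modulus, credential primes and function names are constructed for illustration; unlike the privacy-preserving scheme described above, this sketch reveals the credential's prime to the verifier and uses parameters far too small for real use.

```python
"""Toy RSA-accumulator revocation registry (constructed parameters, illustration only)."""
N = (2**31 - 1) * (2**61 - 1)   # toy modulus built from two known primes
G = 3                           # accumulator base

def accumulate(primes):
    """Issuer: fold every non-revoked credential's prime into one registry value."""
    acc = G
    for p in primes:
        acc = pow(acc, p, N)
    return acc

def witness(primes, mine):
    """Issuer: computed once at issuance and handed to the holder."""
    return accumulate(p for p in primes if p != mine)

def bezout(a, b):
    """Return (x, y) with a*x + b*y == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return x0, y0

def update_witness(w, mine, revoked, new_acc):
    """Holder: refresh a witness using only the public registry update."""
    if mine == revoked:
        raise ValueError("credential was revoked; no valid witness exists")
    a, b = bezout(mine, revoked)   # a*mine + b*revoked == 1 for distinct primes
    # Negative exponents are modular inverses (Python 3.8+).
    return pow(w, b, N) * pow(new_acc, a, N) % N

def verify(ledger_acc, cred_prime, w):
    """Verifier: one local check against the value read from the ledger."""
    return pow(w, cred_prime, N) == ledger_acc

def demo():
    creds = {"abbott": 101, "costello": 103, "third": 107}  # constructed primes
    ledger = accumulate(creds.values())                     # issuer publishes
    w = witness(creds.values(), creds["abbott"])
    ok_before = verify(ledger, creds["abbott"], w)
    # Issuer revokes costello's credential and publishes the new value.
    ledger = accumulate(p for p in creds.values() if p != creds["costello"])
    w = update_witness(w, creds["abbott"], creds["costello"], ledger)
    return ok_before, verify(ledger, creds["abbott"], w)
```

The revoked holder's old witness no longer satisfies `verify` against the new registry value, and `update_witness` cannot repair it, which is what lets the verifier reject the credential without ever contacting the issuer.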
Myth 5: There’s a “main” verifier of credentials.
I am often asked how identity is verified with SSI. The presumption seems to be that SSI has some designated actor or intermediary who does the authenticating, which conflates the IDP model of identity with SSI.
With true SSI there is no designated actor in the middle who verifies identities. Identity proofing services can provide a valuable service, but when government and financial institutions begin issuing verifiable credentials directly to identity owners, things get rather… simple.
With SSI, my bank or credit union, for example, first ensures that they’re dealing with me, then connects with me and issues one or more verifiable credentials that I can keep in my SSI digital wallet. Later, when I call in, walk in, or log in, I present these credentials back to the institution, which they instantly verify and we’re done. No username or password, with all the attendant usability and security problems, is needed. See this excellent blog and video from IBM, Workday, ATB Financial and the province of British Columbia for how it all comes together.
And no intermediary is required. And no answering of silly questions about my birthday or mother’s maiden name, which are probably already in the public domain anyway thanks to Equifax.
If I later want to use that financial credential somewhere other than my financial institution — such as a website that would LOVE to onboard genuine humans who are provably banked — it can be strongly and instantly verified by any relying party I share it with, without having to check with the issuing financial institution.
ID Proofing & A Market for Credentials
Until government issuers begin issuing their credentials digitally, there is an opportunity for existing identity proofers to provide a valuable service for SSI owners.
Today, identity proofing work — typically verifying a person’s identity by verifying their government-issued credentials — is performed solely for the benefit of the organization that hired the proofer. For example, when Airbnb does identity verification of a new user, Airbnb is the only entity that benefits from the proofing work performed.
With SSI, that proofing work can result in a digital credential issued by the proofing service directly to the person being proofed, where he/she can use it with Airbnb or anywhere else, for as long as that proof is considered current. Future verifiers who accept this credential will benefit even though they didn’t originally pay for the proofing work, but they could remunerate the original proofing service each time the credential is verified, creating an interesting recurring business model for quality identity proofers.
This is just one example of what a market for verifiable credentials might look like.
Myth 6: There’s a built-in method of authenticating.
Real SSI doesn’t dictate a specific means of authentication, either. It offers a protocol that supports any authentication method that two (or more) parties opt to use. One implementation might use facial or voice biometrics while another uses proof of location, and another simply exchanges digitally signed attestations, which are incredibly strong.
When it comes to usernames and passwords… I wish shared secrets would go away forever, and thankfully SSI absolutely does have the potential to eliminate usernames and passwords, as we saw in IBM’s video above.
Innovation in biometrics — a big part of everyone’s digital future — is moving at a breakneck speed. With SSI there’s no need to lock into one biometric modality, or even to the entire category of biometrics; it’s possible to abstract the means of authentication as a pluggable type of verifiable credential, leaving flexibility for future technologies.
I’m particularly interested in authentication modalities involving location or state such as velocity, temperature, or other calculations, which will have broad implications for the Internet of Things. The possibilities are exciting, and the required puzzle pieces now exist to make this a reality.
Myth 7: User-centric identity is the same as SSI.
I addressed one aspect of this myth in my last post: some identity services call their offerings self-sovereign, when they’re really still siloed and dependent on a single organization. Turn off the servers at that organization, and it all goes away.
I first saw the term “user-centric identity” in Christopher Allen’s seminal post, The Path to Self-Sovereign Identity, which describes it in greater detail than I will here. Basically, user-centric identity gives the user greater control than before, and that’s a good thing, but it never realized its original intent — user independence — and it actually left large intermediaries with even more power than before. Facebook and Google, the biggest beneficiaries of the move to user-centric identity, would call their services user-centric.
Even the term gives it away: you’re still a user and not the owner, and that means the underlying service is siloed or federated, not self-sovereign. Of course with SSI there are services provided by third parties, such as cloud agent hosting and relationship management apps and tools, but they are modular and replaceable.
In simple terms, with SSI you can fire your service providers without losing your data or relationships, which you can’t easily do when you are a user. Before long we’ll see Facebook without Facebook and Twitter without Twitter, as SSI makes possible completely decentralized alternatives to those services: you can fire them and switch providers without losing your friends, followers, etc.
Why is the independence that SSI affords so important? Two primary reasons:
- Permanent, vendor-independent control of data, including credentials, consent, history, and more;
- Permanent, vendor-independent control of relationships, including discrete, encrypted, peer-to-peer connections with each.
Imagine changing your address in only one master place (finally!), and only those you allow to subscribe to it automatically getting the update. Imagine having one master set of contacts (finally!), each with a persistent, encrypted communication link that only you and that party have the keys to, and no vendor in the world can take them away.
I get excited every time I think about it.
User-centric identity may seem on the surface to be similar to SSI, but under the hood, where it counts most, it suffers from all the disadvantages of siloed or federated/IDP-based identity.
In sum, there are many myths about SSI that need to be cleared up, not just seven. There are also many new capabilities that SSI brings that I have barely touched on so far. It is a watershed event in digital identity — such a different way of thinking that we will need to experiment with the messaging until we can achieve accuracy with brevity when describing it.
If there are specific issues you’d like to see covered in greater detail, by me or anyone else on the Evernym team, please leave a comment below or tweet @RuffTimo.
Part 1, Myths 1–3, can be read here.
¹ With Sovrin SSI, only credentials that have been explicitly shared with a verifier by their owner can be verified.