Aries and ION: Two Different Perspectives of Decentralized Identity in Blockchain Applications
Identity is one of the key foundational elements of blockchain applications. In an ecosystem that has its basics on trustless, anonymous computations, building a notion of identity is far from trivial. Furthermore, the technical building blocks of identity are relatively different whether we are talking about private of permissioned blockchains. The challenge only contributes to make this area more fascinating. This week both IBM and Microsoft released new technologies focus on tackling the challenge of identity on permissioned and public blockchains respectively. The approaches are different but they give us a glimpse of how innovation is evolving in this space.
The challenge of identity can’t be constrained to a single technology building block. If we think about the lifecycle of an identity in a decentralized application(DApp), there are several key elements that should be considered:
· Representation: Portable representation of the assertions describing the identity of a subject.
· Persistence: Mechanisms to store and retrieve the identity of subjects while ensuring its privacy.
· Privacy: Models to protect the identity of subjects in decentralized ledgers.
· Assertions: Specific claims that constitute unique statements about the subject’s identity.
· Resolution: Mechanisms for resolving and validating the identity of a specific subject.
Those elements are common to both permissioned and public blockchain identities. However, its material implementation are fundamentally different. Public blockchains enjoy the benefit of larger networks that can be used to publish and assert identities via consensus while the have some limitations in terms of access control and privacy. Permissioned blockchains operate under safer topologies in which capabilities such as access control policies are relatively simple to implement but have the limitation that identities will still be controlled by a handful of centralized issuers.
Both Microsoft and IBM have been pushing the boundaries of innovation in the blockchain space. Recently, both tech giants unveiled different initiatives focus on enabling the building blocks of identity in permissioned and public blockchains.
Aries is the latest addition to the Hyperledger family of projects and focus specifically on identity. Conceptually, Hyperledger Aries enables peer to peer messaging of controlled exchange of data, and the support of interaction with different blockchains and other decentralized ledgers. How is that related to identity? Well, although Aries provides generic secured messaging capabilities, the core implementation focuses on the portability of identity assertions. More specifically, Aries is based on the following goals:
- Provide code for peer-to-peer interaction, secrets management, verifiable information exchange, and secure messaging for different decentralized systems.
- Foster practical interoperability in support of ongoing standards work and extend the applicability of technologies developed within Indy beyond its current community components from the Hyperledger stack into a single, effective business solution.
In the context of Hyperledger, Aries builds upon two other initiatives that have been building different elements of a decentralized identities.
· Hyperledger Indy: A distributed ledger framework purposely built to enable decentralized identity capabilities.
· Hyperledger Ursa: A framework that includes cryptographic primitives for protecting information using different mechanisms such as digital signatures or zero-knowledge-proofs.
Using Indy and Ursa as the foundation, Hyperledger Aries built a very interesting architecture which is illustrated in the following diagram:
The previous architecture includes some key building blocks of decentralized identity solutions including the following:
- A blockchain interface layer (known as a resolver) for creating and signing blockchain transactions.
- A cryptographic wallet for secure storage of cryptographic secrets and other information used to build blockchain clients.
- An encrypted messaging system for off-ledger interactions between clients using multiple transport protocols.
- An implementation of ZKP-capable W3C verifiable credentials using the ZKP primitives found in Ursa.
- An implementation of the Decentralized Key Management System (DKMS) specification currently being incubated in Hyperledger Indy.
- A mechanism to build higher-level protocols and API-like use cases based on the secure messaging functionality.
In some content, Hyperledger Aries can be seen as a resolver for Hyperledger Indy that expands its functionality to other blockchain technologies but Aries is much more than that. The frameworks includes an entire set of components such as Decentralized Key Management Standards (DKMS) that allow the integration of different identity capabilities into the platform.
Microsoft has been actively researching the are of decentralized identities for the last couple of years. Initially, the research materialized solely as a few research papers but now the tech giant has unveiled the first component of its ambitious vision. Identity Overlay Network(ION) enables nothing less than decentralized identities in the Bitcoin blockchain. Foundationally, ION is a public, permission-less, open network anyone can use to create DIDs and manage their Public Key Infrastructure (PKI) state.
The ION platform was implemented on top of the Sidetree protocol. Sidetree is a blockchain-agnostic, layer2 protocol for PKI identifiers and metadata. ION is a specific implementation of Sidetree for the Bitcoin blockchain. The architecture of ION includes several key building blocks of decentralized identity systems outlined in the following figure:
Following the Sidetree architecture , ION is a combination of the core Sidetree logic module, a chain-specific read/write adapter, and a content addressable storage protocol (e.g. IPFS) that replicates data between nodes. Together, these components enable the creation of Layer 2 DID networks that run atop existing blockchains at thousands, or even tens of thousands, of PKI operations per second. ION neither requires a specific tokens or incentive mechanisms nor new forms of consensus. The initial release of ION was accompanied with the first group of live nodes in the network.
Both ION and Aries represent remarkable milestones towards a vision of decentralized identities. Through their cloud platforms, Microsoft and IBM has the opportunity of introducing this transformational identity architectures to millions of users and customers. It’s also encouraging to see both companies engaging the developer community and embracing open source distributions The battle to decentralized identity is going to be a long one but the foundations seem strong.