Autonomic Decentralized Identifiers (AID):

You control, therefore you are, and you get to decide

Henk van Cann
Happy Blockchains
May 20, 2021

The Decentralized Identity space is often associated with blockchains, cryptography and cryptocurrency. However, it’s mainly cryptography that is going to save your digital ass.
Get used to self sovereignty and practise deciding for yourself about your digital ‘you’ today.

Architectural types of identity systems; Image adapted, original by Phil Windley

What exactly do we mean by identity and what does “Cryptography is going to save my digital me” mean? What is cryptography, besides sounding like some boring tech thing? Who is digital me? Why do we need to be ‘saved’?
There isn’t any problem with digital me, right? I’ve got nothing to hide…

‘I’ve got nothing to hide’ is so 2010. Of course you’ve got something to hide. Let’s investigate what this is. The main question about this is: Do we need — and can we get — more trust and more privacy over the internet?

The simple answer is ‘Yes, we can’. The answer to why we need more trust and privacy, and how we can get this, is much more complex. Buckle up and come on an exciting journey.

My only goal in writing this article is to put you to work getting your digital freedom and self sovereignty back, starting today. But, please hold on for a minute, autonomic decentralized identifiers aren’t up and running yet. We have to develop our understanding and practice on dry land before we get our feet wet. If we do, and the going gets tough, we’ll be better prepared — the tough get going. But you can expect the introduction and acceptance of autonomic DIDs sooner or later.

Let’s first take a look at the terminology. (Experts can skip this section). Wording like Identity — Identifiers — Attestations — Roles causes a lot of confusion in the context of decentralized identity. They are often used interchangeably. According to Wikipedia, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography. For digital identity, cryptography is our last resort to regain privacy, security and self-sovereignty.

Video (9m:45s–13m:00s) of Andreas M. Antonopoulos explaining the confusing terms in the context of decentralized identifiers

Identity is how we keep track of people and things, and in turn, how they keep track of us. It comes from a philosophical approach:

“I think, therefore I am” — René Descartes — 1637

To pimp up things a little bit, I’d like to rephrase this wisdom from a few centuries ago:

“I control, therefore I am” — Henk van Cann*— 2021

* It’s also the title of a 2011 article about mortality and perceived control

Identity is often confused with Identifier. For example my e-mail address is not my identity, it’s an identifier. Just like my Twitter handle, Medium handle and my social security number: these are identifiers, not identity.
Identifiers point to Identity, they point to people and things.

An Attestation is also often confused with Identity. An Attestation is a statement made by some authority that says that an identifier has certain properties (also “attributes”), rights, or licences.

Video Decentralized identity explained-Microsoft-2020

For example my driver’s license is not an identity. A driver’s license has identifiers on it (like a driver’s license number) but it’s not an identifier in itself, instead it’s an attestation. An attestation that attests that I have certain competences and might have passed the regulatory scrutiny and now have the right to drive a certain road vehicle by myself.

An Attestation also implies a Role, a role played in a certain context. For example I can be a father, a driver in my country, and a manager at work at the same time. A Role is not identity, it’s an expression of identity. Attestations connect authorized statements about these expressions to my identifiers, which in turn might point to my identity.
When I control this wild party, then — I am!

Two additional points:
1. Identifiers are unique within some namespace or domain. The namespace gives context to the identifiers since the same string of characters might be a phone number in one system and a product ID in another.
2. Root-of-trust is a replacement of human basis-of-trust with cryptographic root-of-trust. In identity systems we mostly use so-called public/private key pairs to incept and establish the root-of-trust. What that means is that authentication is done by presenting the private key (or signing with the key). Just like in cryptocurrencies such as Bitcoin or Ethereum: the account address is your public key, which you control with the matching private key in your digital wallet.

Now that the terms are clear, we can continue. What is a digital Identifier? Examples? What do they mean to us? To others?

Before answering those questions and showing their relevance, let’s take a small detour first.

Youngsters on social media sometimes get confronted with bullying, hate and exclusion. On the web it’s hard to change your mind, to delete what you’ve said or remove a photo you’ve submitted. So much choice in apps but yet so little freedom of being yourself, of having control over your digital me. For example, your digital profile and your social score seem to keep haunting you forever. Sometimes you’d like to hide, to feel safer, to erase data, to revoke your association with a certain phenomenon. You’re locked into your role within certain domains like Instagram, Twitter, Facebook, Tiktok, etc.

If you can relate to this somehow, keep reading, because the only thing I’d like to achieve today is that you start to act self-sovereignly on the internet from today and maybe those kinds of experiences will become history soon.

Now what exactly is Decentralized Identity (DIDs) and why should you care?

Video Decentralized identity explained-Microsoft-2020

You should care because with DIDs:

  • It’s easier to stay in control
  • We get a more trustworthy internet
  • There’ll be more privacy for all of us

Hold on, I know, these are not the most overwhelming reasons for changing your life. But, before you start yawning and say ‘swipe!!’, let me tell you this story from my own experience. — In 1999, I sold my first firm to a large company listed on the stock exchange. As a 36-year-old I received a large amount of money in my bank account. Over 20 yrs ago, so that’s all gone ;)
There was no public statement issued about the sale of my firm. Yet, in the days after the sale (remember the web was only just emerging), I received post mail with various offers to spend funds. They knew that I’d sold my firm! I felt abused. Who dunnit? My bank, my notary, maybe my colleagues. Who leaked or sold my data?
I suspect who but, to this day, I still can’t know for sure.

Do you think this experience is just history? Or do you think that, maybe, methods of exploitation of valuable private data have been refined over the years? Could exploitation of personal data happen to you too?

There is a fairly new protective law in place: The GDPR (AVG in The Netherlands). Will this law protect our digital privacy? It intends to do so, yes, but to what extent will it work?

How the GDPR came to be is an interesting story. -> Anecdote: Romeo, Juliet and the Jeweller.

Somebody, obviously Romeo, wanted to propose to his girlfriend Juliet and bought a pair of wedding rings at a webshop. The webshop of this particular jeweller made the customer agree to general terms where the smallprint said “you allow us to share your purchase on the web”, which of course Romeo had not seen nor read and, by default, he agreed….

The result: before Romeo had even proposed, Juliet was getting congratulations from all over the world. So when that became public the EU “thought” enough is enough.

So, there’s the first answer to the question ‘have you got something to hide on the internet?’. More will follow, stay tuned and have your pencil ready to take notes.

Digital Identifiers are more than just about having more control and more privacy. They’re also about your characteristics, your reputation and the unique values that reside in you as a human being.

Let’s have a look at how that could evolve in the future, starting from how identifiers work nowadays.

Video Decentralized identity explained-Microsoft-2020

Today, in our society only government IDs and credit cards are widely accepted. But there is no real equivalent for digital credentials:

1. No mechanism for issuing digital cards

2. There are no universally accepted means of expressing, exchanging and verifying digital credentials across organisational boundaries

3. We can’t own our identifiers and our personal information independently. For example, to access websites, our access is at the mercy of service providers. That means they have the power to shut your digital you down anytime. Look at what happened to the most powerful role in the world, the President of the US, on Twitter recently. Regardless of what you think of people and their politics, in my opinion:

It’s a fundamental right to control your digital identifiers, the associated personal data and the attestations you’ve collected in that role.

The internet is broken in this sense. Our identifiers are locked to a domain and although we are the subject of statements about the identifiers and we’re supposed to keep the matching personal information complete and up-to-date, we don’t control access…
Not our keys, not our identifiers!

This is all about to change.

New forms of digital identities based on emerging standards, such as verifiable credentials and decentralized identifiers, can enable such digital credentials to:

  • Work everywhere
  • Be more trustworthy, and
  • Respect privacy

How this works in detail is expressed in the illustrations.

Moving on: What are the most important of all the aspects of decentralized identifiers?

Security. Trustworthiness. The common denominator of what these new identity systems do is to secure attribution to identifiers, so that we always, everywhere and anytime with certainty know ‘who said what’.

In the second part of this article we’ll further focus on public digital Identifiers that secure some sort of value. For the time being, we will rest our case about:

  • Identity, because the term is too broad and too vague
  • Private identifiers, because these are too obvious and mostly ephemeral (short-lived)
  • Identifiers that are associated with organisations and devices (IoT), because we’ve only got an hour.
  • Key management, because we might need a day or two.

Digital uniqueness and informational security / control over our data is key to feeling more free and getting to decide more.

KERI choices in system design trade — Sam Smith

What types of public digital Identifiers do we have? And how is the distinction between them relevant? Would we better understand the fundamental benefits if we knew? Or are we entering a one-way street to ‘nerdsville’?

To condense the design choices there are with a digital identifier system, the illustration shows us what we do not strictly need to establish self sovereignty and control. Take it for granted: we do not need blockchains.

Remember: My only goal is to put you to work on gaining your digital freedom and self sovereignty from today. Yes, we know that it’s coming, No, it’s not there yet, Yes, we can prepare on dry land before entering the water. And Yes, I am eager to get you going.

A brief recap: forget about the details, but realize that we don’t need blockchains (or ledgers) to establish control over — and solve the secure attribution problem for — our identifiers.

Architectural types of identity systems; Image adapted, original by Phil Windley

Secure attribution means that we can be sure about what was said and who said it over the internet. Because only when it’s secure can it have value. What type of value could that be? For example a certificate only has value if it’s authentic and signed. Are we a more complete human being if we collect these types of assets more carefully and consistently ourselves?
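To make the root-of-trust and secure attribution ideas above concrete, here is an added example (not from the original article, and not KERI's actual encoding): an identifier is derived from a public key, a statement is signed, and a verifier checks ‘who said what’ without any ledger or registry. The `aid:` prefix, the SHA-256 derivation and all function names are assumptions made for this sketch; note that the verifier only ever sees the public key and the signature, never the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Statement carries everything a verifier needs; no registry or ledger lookup.
type Statement struct {
	Identifier string            // who claims to have said it
	PublicKey  ed25519.PublicKey // travels with the statement
	Message    []byte            // what was said
	Signature  []byte
}

// DeriveIdentifier binds an identifier to a key pair by hashing the public key.
// The "aid:" prefix and SHA-256/base64url form are assumptions of this example.
func DeriveIdentifier(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "aid:" + base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewController generates the key pair that acts as the root-of-trust.
func NewController() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return priv
}

// Say signs a message. Only the signature and public key leave the controller;
// the private key is never shown to the verifier.
func Say(priv ed25519.PrivateKey, msg string) Statement {
	pub := priv.Public().(ed25519.PublicKey)
	return Statement{Identifier: DeriveIdentifier(pub), PublicKey: pub,
		Message: []byte(msg), Signature: ed25519.Sign(priv, []byte(msg))}
}

// Verify checks that the key hashes to the identifier and signed this message.
func Verify(s Statement) error {
	if len(s.PublicKey) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed public key") // ed25519.Verify would panic
	}
	if DeriveIdentifier(s.PublicKey) != s.Identifier {
		return fmt.Errorf("public key does not belong to identifier")
	}
	if !ed25519.Verify(s.PublicKey, s.Message, s.Signature) {
		return fmt.Errorf("signature does not cover this message")
	}
	return nil
}

func main() {
	alice, other := NewController(), NewController()
	genuine := Say(alice, "I passed my driving test") // constructed sample
	tampered := genuine
	tampered.Message = []byte("I passed my pilot exam")
	impostor := Say(other, "I passed my driving test")
	impostor.Identifier = genuine.Identifier // claims an identifier it does not control
	fmt.Println(Verify(genuine), Verify(tampered), Verify(impostor))
}
```

The genuine statement verifies, while the altered message and the borrowed identifier are both rejected: control over the identifier rests entirely on the private key.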

In real life we have domains (e.g. second life, second love :) ) In every domain you might want to invest in and nurture your digital identifiers, you want to do it your way and only your way.
Example: guilty pleasures. A bank director might not want his hobby of playing at being a medieval nurse at Saturday fairs to be associated with his other personas. He might not want to mingle the two identifiers: his LinkedIn profile as a director and his performer name/screen name/username or e-mail address on the site of his drama group. He gets to decide.

‘Oh, yes’, I hear you say, ‘but we’ve got the GDPR and privacy laws.’

What that means, theoretically, is that both websites (i.e. LinkedIn site and drama group site) are not allowed to do anything else with my digital data other than what their service is set up to do. So combination and correlation is strictly forbidden?

Yes, this is true, but anything can still go wrong with all these databases: theft, hacking, false positive conclusions, and false negative conclusions. For example you might drive your car to the exit of a fully automated car park and be stopped, even though you’ve paid or, vice versa (and more rarely!), exit without paying.

Would it be a change for the better if we controlled our digital identifiers more? Most probably yes, but it doesn’t matter how familiar you are with digital IDs — with great freedom comes great responsibility! Fortunately the digital identifiers of the future will have excellent ways to delegate control without losing control, and be open to third party services to help you manage your keys and your identifiers. This means we’re also on the brink of great business opportunities in this area for the current go-betweens, like governments, banks, notaries, the big corps and also entrepreneurs.

Login names and Passwords? What’s the analogy with a public private key pair?

What is the common denominator of all current digital identifiers, such as URLs, IP addresses of your site, login names? They are not secure, they are not portable, they can be censored and they need someone else to make them function.

Now we know it is important to change that. Or are you still in doubt?

Why should I be concerned about having to fill out forms on my bank’s website? I’ve got nothing to hide!

You need to decide. The extent to which human beings feel that they are in control over their lives is called loci-of-control. With a decentralized identifier this plays out as follows:

In my opinion, what has happened with the invention of algorithmic and autonomic identifiers is that they will cause a major paradigm shift among people, because cryptography, and to a lesser extent blockchains, now enable people to be their own intermediary for their digital self.

How can companies still make money? Does business come to a grinding halt if people control their own data?

How can we better, fairer and more efficiently shape our society by retaking control over our data and over our identifiers?

The answer in short: personal data management is hard, key management is worse. We need attestations and claims that result in virtual credentials to nurture the value of our identifiers.

So there’ll be a whole new economy emerging where the old go-betweens can become new service providers.

You might think “So what’s the big issue? You’ve only created a digital version of those and we live happily ever after? Nothing has changed, has it? Done, ready, good night.”

No, not at all! A major paradigm shift has taken place because, in the new autonomic identifier age, we’ll get to decide about all this:

1. Binding

2. Control

3. Delegation

4. Interaction

5. Revocation

6. Security

7. Permissioned or permission-less

The progress made so far in (Decentralized) Identity System architecture can be summarised: Administrative Identifiers -> Ledger based IDs -> Autonomic IDs.

Anecdote: Prof. Bart Jacobs of the University of Nijmegen waved goodbye to blockchain as a ‘hype’ in 2016. And he was right. It was and still is a hype.
But at the same time he underestimated the effect of open public blockchains in the longer term. Public blockchain-anchored identities inherit the features of those platforms: permission-less, global, decentralized to a certain extent. Those characteristics were new to the administrative identity systems of 2016.

However, in Ledger based IDs, portability still is a problem, because these blockchain identities are literally ledger-locked. Privacy law makers are critical too: it is a public ledger and its data is immutable. The most fundamental flaw of blockchains for decentralized identity is that they have to rely on third parties’ operations.

Fortunately the latest developments include KERI*, which IMO is a Swiss army penknife for decentralized identities. KERI can operate in various modes, can cooperate with blockchains, but does not depend on them. KERI’s autonomic identifiers are portable and implementation will become provably portable, able to solve the secure attribution problem over the internet and thereby rescue the internet from that flaw.

*There are similar developments like Sidetree and ADS.

Who laughs last, laughs best? No, we’ll all be laughing because we’ll pick the best option to tackle Zooko’s trilemma.

Zooko’s triangle defines the three desirable traits of a network protocol identifier as Human-meaningful, Decentralized and Secure.

I support Phil Windley’s, and others’, belief that a hybrid system that combines algorithmic public identifiers with autonomic private identifiers can provide a universal identity layer for the Internet, increasing security and privacy, reducing friction, and providing new and better online experiences.

The disadvantage becomes an advantage: we’ve got time to adapt. And that’s what I want you to do after this presentation: start to flight test your autonomic “you” from today.

What can we do today?

Let’s practise and test a bit with an ephemeral old style identifier that we treat in the new way!

A. Binding: Find out how to create a digital identifier that is not bound to your real self. Steps:

1. Secure element SIM

2. Safe connectivity

3. Safe location

4. Meaningless identifiers

5. Nicknames

6. Subscribe to social media with all of the above in practise.

Hints: prepaid mobile number, paid cash — conceal your IP-address — hide your GPS location always, everywhere — use a free e-mail service with a new e-mail address

7. Don’t become a troll. Behave well.

B. Transfer value: Try to buy or sell something with this new identifier. What kind of problems do you meet?

Hints: receive or pay in bitcoin.

C. Gradually associate yourself with this new identifier. Take off the mask and covers and feel what it does for you and your social network. Do you feel the control, the fairness, the privacy? Is there still trust?

D. Kill the identifier. Experience what it takes to get rid of this ephemeral experimental identifier. What parts of the preparatory work could we reuse for a new identifier?

Anecdote: What is it like when somebody dies and we try to get their internet presence removed? One of my best friends died unexpectedly last year. He was an expert programmer, well aware of internet privacy, pseudonymity and strong passwords. His honest and loving family tried to manage his identifiers on all his devices and on all domains where they thought he had a presence, for example, the bank, the internet provider, social media. Well, wish them luck! It’s nearly impossible and most certainly a strenuous job nowadays.
“I control, therefore I am” stretches beyond one’s lifetime. Happily, autonomic identifiers are even able to provide functions to establish control in these situations. For example so-called ‘kill switches’, which make decisions for you when you’re not able to authorize them yourself anymore.

Further reading / watching that I advise:
- The social dilemma documentary on Netflix
- KERI.one resources for knowledge about the emerging autonomic identifiers

Acknowledgements

Text

Wikipedia page Cryptography
The Path to Self-Sovereign Identity - Christopher Allen — 2016
KERI.one resources — Samuel M. Smith 2016–2021
The architecture of identity systems — Phil Windley — 2020
I control, therefore I am — Willes et al. — 2011
How Identity Can Enable a People-Centered Internet — Joe Andrieu — 2017
Chapter 10 — Drummond Reed/Alex Preukschat/Samuel Smith — 2020
Video (9m:45s–13m:00s) of Andreas M. Antonopoulos explaining the confusing terms in the context of decentralized identifiers — 2020
Video Decentralized identity explained-Microsoft-2020
Wikipedia page Zooko’s trilemma

Images

Loci-of-control — Tim Bouma — 2019
Architectural types of identity systems; Image adapted — Phil Windley — 2020
Table 2 — Chapter 10 of the upcoming Manning publication Self-Sovereign Identity by Drummond Reed and Alex Preukschat — 2021
Figure 1 — Phil Windley — 2020
