Developing a DID Aggregator on Blockchain (Part Ⅰ)
In this article we introduce a DID Aggregator that provides liquidity, interoperability, and consistency for multi-layer identity data querying, based on the emerging W3C standard Decentralized Identifiers (DIDs) v1.0.
Introduction
DID aggregation is the process of integrating a wide range of digital identities from multiple networks. Our definition of decentralized identity conforms to the W3C standard, which specifies that “a decentralized identity is a globally unique persistent identifier that does not require a centralized registration authority because it is generated and/or registered cryptographically.” Because different decentralized systems have different DID standards, it is critical to integrate these standards well when linking digital identities. The demand for integrated identity data is expected to come largely from decentralized applications that are fueled by personal identity data. Besides interoperability, the identifier plays a critical role in scenarios where a server requests identity data from the client, such as KYC, credit scores, or credentials, in order to provide a service. In the past and present, many applications require users to provide their information from third-party applications, or directly track user activities to obtain the information they need. This inevitably compromises users through privacy invasion and personal data breaches.
With decentralized identifiers and privacy-preserving storage, we have successfully protected data sovereignty in a decentralized system. However, identity data is scarce and scattered, making the corresponding application scenarios too narrow. It is a huge challenge in a decentralized system to introduce broader scenarios, such as credit lending in DeFi, personal reputation in chain governance, and decentralized customized recommendation algorithms in social media. Currently, we do not have an adequate amount of data to support such broad scenarios. As for collecting data from other networks, reading this data involves the complex work of DID verification and code parsing, which is more than inconvenient, especially when there are multiple data sources.
Specifically, with regard to reliable DID data, we face the following problems:
- Lack of data sources
- Lack of APIs to interact with data registries
- Need to resolve every DID method and validate credentials
- Need to learn and comply with new data formats
- Exposure to single points of failure from centralized service endpoints
Today, many decentralized applications each have their own DID mechanism for collecting user identity data, which often serves the same purpose and is built repeatedly. For example, to prove ownership of a Twitter account, typically we make the account owner post a particular message on the platform. It is common to see this same verification mechanism developed again for other applications, e.g. Keybase and the Polkadot Registrar’s social network identity authentication. For many development teams, building their own functional components for identity data takes a lot of time, effort, and money, and distracts the team from its main goals. It would bring great convenience if there were a validated and trustable source of this data.
As people have already generated massive amounts of data in various decentralized systems, a way must be found to connect this data so that it can flow across different systems and platforms while user privacy and data sovereignty are preserved. This approach truly reflects the core value of Web3. Meanwhile, the advent of blockchain provides an effective underlying data registry infrastructure that enables data to be indexed and retrieved, and bolsters the growth and adoption of DID.
What is DID data?
In a decentralized system, we consider data that proves the ownership of an identity to be DID data. Such data is usually inherently associated with an identity, but it may also be data that becomes associated with an identity after computational analysis. For example, data in DID service applications is generally strongly associated with identity, such as a driver's license or a COVID-19 Nucleic Acid Test result. Alternatively, some data becomes identity-related after certain calculations, such as one’s code contributions to a decentralized collaboration system or voting activity in a decentralized autonomous organization (DAO).
All of these types of data are worth indexing. We firmly believe that a cross-system index of DID data will be an essential component of the Web3 network. It will provide a powerful database for the Web3 network and accelerate the explosion of applications. Furthermore, the index provides unprecedented value for the Internet: the Web of Trust. Because all data in a decentralized system is verifiable and tamper-proof, it can be trusted to reflect the facts of its generation and existence. Conversely, the existing network is composed of centralized systems, where user data is controlled and dominated by the owner of the system. That data is not verifiable and can be tampered with at any time.
Demand for DID Data
As decentralized applications rapidly emerge, the demand for DID data continues to grow. In this early stage, we expect strong demand for DID services from decentralized credit lending, decentralized autonomous organizations, and decentralized personalized recommendation systems. In order to stay decentralized and avoid a single point of failure, dApps ought to decentralize their sources when acquiring DID data. However, there is no ready-made decentralized identity data source in the current network.
A potential solution is to create a standardized common language. For example, Presentation Exchange is a protocol that provides standardized data formats for different systems to exchange credentials. As its authors propose, the protocol creates a “common language” for different identity systems to exchange identity proofs, so that a third party knows how to write proof requirements for their application and the proof holder knows how to submit the proof. Such a protocol can significantly reduce data friction between systems and enhance consistency. But it takes a long time for such a language to become widely adopted.
The DID Aggregator
In our continuing exploration of one-stop solutions to the problems of arbitrary DID data, we introduce the DID Aggregator: a model that enables open, decentralized DID resolution. The DID Aggregator is compatible with all DID standards and is powered by a reliable DID data interface. The model features a Substrate-based blockchain, a distributed DID verification network, and an algorithm-exchanging protocol.
The DID Aggregator allows anyone to upload their identity-verification algorithms and share them on the network. It also provides a one-stop service for DID data indexing, DID authentication and linking, as well as DID data aggregation. The protocol ensures that people can easily obtain integrated identity data on the Web3 network, and also guarantees reliability, security, and integrity of the data.
Open Protocol
This aggregator is an open-source protocol that allows anyone to upload DID verification algorithms and to generate decentralized credentials through the network. All DID verification algorithms processed by the network are recorded on a blockchain, and if approved by DAO vote, the algorithm is labeled as trusted.
Decentralized
To make the protocol usable by people with or without a technical background for interacting with all kinds of DIDs, and by dApps for verifying agnostic DID mechanisms, we need a third party to undertake the verification process; but a single third party quickly becomes a single point of failure.
In order to remove centralized authorities and any single point of failure from the DID verification system, we are building a Decentralized Validator Network over a Proof of Stake blockchain, which will restructure the business model between validators and service demanders. The network guarantees the honesty of validators with contracts executed on-chain.
The Validator Network processes DID verification requests from a service demander and returns a trustable credential for the DID, among other information. The verification is carried out by a randomly selected set of validators in the network, using a BFT consensus algorithm to secure the verification result.
Easily-Verifiable
To verify a credential, one can simply verify the signatures of the validators in the credential document. All qualified validators are registered on a blockchain and governed by the PoS protocol and a council elected by the community.
The network will recognize the trusted DID verification mechanisms that are integrated into its codebase and consider others as agnostic. Agnostic mechanisms cannot be trusted unless the service demander trusts the mechanism. In this case, validators will use the selected DID mechanism to compute a result.
For example, once the DID aggregator has integrated verification methods for Ethereum accounts, one can prove ownership of an account while others can easily verify it by checking the signatures of the network validators (validators’ IDs are recorded on a blockchain). Similarly, if a person needs to prove ownership of a Polkadot account, a developer can add another verification mechanism to the aggregator, upload it, and request network validation. A community referendum is required for the code to be considered trusted and accepted by the network. Otherwise, a third party has to gauge the credibility of the code publisher before trusting the result.
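The verification step described above, as an added example that is not Litentry's code: a credential document carrying one signature per validator is checked against a registry standing in for the on-chain validator list, and accepted only when enough registered validators signed the same claim. The claim fields, the ed25519 signature scheme, the JSON canonical encoding and the acceptance threshold are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// Claim is the statement validators attest to (hypothetical field set, not Litentry's schema).
type Claim struct {
	DID     string `json:"did"`
	Account string `json:"account"` // linked account, e.g. an Ethereum address
	Method  string `json:"method"`  // DID verification mechanism the validators ran
}

// Credential carries the claim plus one signature per validator over its canonical bytes.
type Credential struct {
	Claim      Claim
	Signatures map[string][]byte // validator ID -> signature
}

// Registry stands in for the on-chain list of qualified validators (ID -> public key).
type Registry map[string]ed25519.PublicKey

// NewValidator generates a key pair, registers the public key under id and returns the private key.
func NewValidator(id string, reg Registry) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg[id] = pub
	return priv
}

// claimBytes is the canonical encoding that is signed; struct field order keeps it deterministic.
func claimBytes(c Claim) []byte { b, _ := json.Marshal(c); return b }

// SignClaim is what a validator does after running the verification mechanism for the claim.
func SignClaim(priv ed25519.PrivateKey, c Claim) []byte { return ed25519.Sign(priv, claimBytes(c)) }

// VerifyCredential counts signatures that verify under a registered validator's key and accepts
// when at least threshold of them agree; signatures from IDs not in the registry are ignored.
func VerifyCredential(reg Registry, c Credential, threshold int) (valid int, ok bool) {
	msg := claimBytes(c.Claim)
	for id, sig := range c.Signatures {
		if pk, known := reg[id]; known && ed25519.Verify(pk, msg, sig) {
			valid++
		}
	}
	return valid, valid >= threshold
}
```

A signature from an unregistered key, or any change to the claim after signing, simply does not count toward the threshold, which is what lets a consumer check a credential without contacting the validators.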
Minimum data on-chain
A minimum of user data is stored on-chain, largely DID-account relationships in encrypted form. Other DID data is returned directly to the service demander in real time instead of being stored on network servers. We store DID relationships on-chain so that users do not have to prove or link their identities every time they visit the network.
Privacy-Preserving
In the process of decentralized verification, DID-account relationships may inevitably be exposed to the validators. We believe there should be a balance between privacy and convenience. Under the premise of providing a functional and decentralized service, we will apply confidential computing methods (such as TEE implementations and zero-knowledge proofs) and ID obfuscation technology to the protocol. ID obfuscation hides the ID of the credential owner and the ID of the service demander. The validators will not know the true owner of the DID data or where the data is going, so they have no incentive to target the owner with advertising or fraud.
Interoperability
The DID aggregator is designed to integrate DID mechanisms from different identity systems, whether they implement a centralized or a decentralized DID resolver. At the same time, we adopt interoperable standards so that the DID infrastructure can integrate with existing tools and software libraries that support interoperability.
Democracy
To generate a trustable credential upon aggregated DIDs, we need all network validators to coordinate and produce a credible result. Since validators are also service providers and are rewarded for their work, they are obliged to provide better-optimized services. Credential consumers, as service demanders, have the right to participate in the iteration of the protocol.
All functions in the aggregator can be changed by a decentralized autonomous organization (DAO). The community can vote on protocol upgrade proposals and implement them on the network. For instance, the community can decide through DAO voting which DID verification method is trusted, and the network will then recognize this method as trusted. This approach provides a trustable, efficient environment where users can unquestionably believe that their credentials are effectively verified.
As a whole, the DID Aggregator is a super DID resolver. It allows developers to add DID verification methods and provide a decentralized credential service through the network. It also serves as a tool to compute deeper-level decentralized identity credentials using a combination of the DID resolving methods uploaded by developers. The aggregator is like a Docker for trusted DID methods, and it allows anyone to use the decentralized network validation service to generate trustable credentials for all kinds of application use.
About Litentry
Litentry is a Decentralized Identity Aggregator that enables linking user identities across multiple decentralized networks. Litentry provides a trustable way for dApps to obtain real-time DID data of an identity owner across multiple blockchains and dApps. Featuring a DID indexing protocol and a Substrate-based distributed DID validation blockchain, Litentry provides a decentralized, verifiable identity aggregation service that removes the redundant code and the hassle involved in resolving agnostic DID mechanisms. Everyone can build and submit DID methods to Litentry, making identity data easily accessible in Web3.