Identity for User-Centric Web
One of the big fallacies that people propagate when talking about SSI is that it’s “Blockchain Identity”. While traditional identity is based on knowledge based identity , self sovereign identity is built around possession based identity. Knowledge Based Identity is when your identity is actually maintained by someone else, and they allow you access to it if you know some secret, usually a password. Possession Based Identity is when you prove your identity based on something you have, usually a set of cryptographic keys.
While the various implementations of SSI generally do use some form of distributed ledger, that’s only one piece of a much larger puzzle. Here is a succinct summary of these pieces as they apply for Hyperledger Indy & Sovrin.
1. P2P Agents
P2P Agents are the foundation of decentralized identity. They can take many forms and have many responsibilities but the simplest of which is managing a user’s keys and signing messages. SSI solutions focus on most interactions happening between peers, as such, all confidential and personally identifiable information (PII) is stored on an agent and not on the distributed ledger.
A simple example of an agent can be wallet apps the user downloads on their phone, such as Streetcred.id or uPort Mobile App, or custody wallets such as those provided by Spaceman.ID
A common framework for wallets is Hyperledger Aires, which aims to be a ledger agnostic agent framework. It includes an agent-to-agent messaging protocol, called DIDCOMM, which allows agents to talk to each other with encrypted messages.
An important format of the Aries Agents is the invitation protocol. This set of messages exchanges a set of signing keys and service endpoints between two agents. The keys are used to encrypt and sign messages between the two parties to keep communication confidential. Service Endpoints are like electronic mailing addresses, letting each agent know where to send the message for the receipt to be able to retrieve them.
These agents can store digital credentials and fulfill cryptographic challenges using their credentials (more on this in Verifiable Credentials).
2. Distributed Ledgers
Distributed Ledgers in a Self Sovereign Ecosystem serve as a DKMS, or Decentralized Key Management Service. Essentially, they act like a yellow book for issuer public keys, and very little information is actually kept on the ledger.
The pieces of information that go on the ledger
- Schemas & Credential Definitions
- Revocation Registries
- Agent Authorization Policies
To learn about each of these pieces, I highly recommend reading this paper
3. Verifiable Credentials
Verifiable Credentials are an W3C open standard. The simplest way to explain them is that a Verifiable Credential is a digital document that attests something about you, such your name, your membership at your coworking space, your age, etc and is signed by the issuer of that document. The cryptographic signature provides proof that this credential could not have been forged.
4. Decentralized Identifiers (DIDs)
DIDs are another W3C open standard. DIDs are links that resolve to a DID Document, usually somewhere on a distributed ledger. Their purpose varies based on the implementation, but generally they contain information about their owner, for example, what is their owner’s service endpoint for various services. A DID document you may own might have service endpoints for your Agent, for what email service you use, and for what your preferred social network is. It’s like a listing of the various electronic addresses you have control of over the internet.
DIDs also very importantly contain your public key, which anyone can use to verify that messages you sent were in fact sent by you and not an imposter, and can be used to send you encrypted messages.
Of these four pieces, the different platforms generally focus on the same standards when it comes to Verifiable Credentials and Decentralized Identifiers to provide interoperability while innovating on their P2P Agents and Distributed Ledger implementations.