How Open Standards get made

Or, How I learned to stop worrying and trust open governance

Juan Caballero
Spherity
7 min read · Apr 8, 2020

[This is the final entry in our #SSI101 series. See the Table of Contents or the previous entry if you landed here otherwise.]

Having covered all the basic principles and building blocks of SSI, there is still one very delicate question I have studiously avoided answering directly until now: “says who?” Unlike other topics in software engineering and architecture, there is no definitive formula for how to build an SSI system, or even precise and authoritative definitions for most of the terms I’ve been defining for you in the least controversial way possible through these pages. I would like to end my introductory “course” on SSI by explaining how consensus and co-development have gotten this far through decentralized and open processes, and where they will go from here in the years to come.

Spherity: #SSI101: How Open Standards get made — Photo by Stefan Kunz

The Past, Present, and Future of a Community-driven Technology

Because the framing concepts of self-sovereign identity evolved out of communities of practice that included many IT industry veterans, SSI has carried since its earliest days a distrust for industry orthodoxies, market power, and ways of setting technical standards that can entrench large players. There is no single source of truth or official body defining decentralized identity, as the name would imply. Rather, a constellation of communities has defined it thus far, stretching out the experimentation phase as long as possible to gather a maximum of inputs for building a truly global meta-platform.

One key biannual technical conference that has historically incubated a large share of SSI ideas and technologies, “Rebooting the Web of Trust” (#RWOT), is organized by Joe Andrieu and Christopher Allen, whose work since his involvement with the Pretty Good Privacy (PGP) end-to-end encryption system in the 1990s has centered on blockchain and privacy-preserving technologies. The latter’s essay, “The Path Towards Self-Sovereign Identity” (2016), is often taken as the most canonical formulation of SSI’s “10 principles.”

Allen’s essay draws much inspiration from an older work, Kim Cameron’s “The Seven Laws of Identity” (2005). This essay also inspired another influential IAM conference, the “Internet Identity Workshop” (#IIW), the first installment of which discussed the actionability of Cameron’s proposals. The IIW conference, organized by Kaliya Young, Doc Searls, and Phil Windley, still occurs twice a year and serves a broader IAM business and technical community, including more representatives of major IT and IAM conglomerates.

Another major community bringing ideas about privacy and personal data coheres around the MyData conference, which skews more towards civil society and data rights advocacy. As the technologies involved grow more mature and the governance of SSI systems assumes more political power and visibility, we can expect more fruitful exchange between the SSI community’s cybersecurity professionals and the communities around data rights as a policy issue and a social cause. As adoption and experimentation spread globally, we can expect other regional conferences on other continents to gain in importance as coordination and cooperation become pivotal to adoption.

The Governance of the Standards

One core aspect of self-sovereign identity, as much in Cameron and Allen’s abstract and ideological formulations as in the business and technical practices driving all the pragmatic community work above, is that standards, formats, protocols, and portable data formats cannot be proprietary or even substantially favor one company or community above others. For an individual’s identity to be self-sovereign, it cannot be beholden to the lock-ins and market-power maneuvers that have made the information technology sector less competitive than other sectors of the international economy. Indeed, even for a legal person’s or a machine’s identity to be self-sovereign vis-a-vis the humans governing them, data and identities cannot be locked into information controlled by any one public or private agency.

Whereas traditionally, international standards are almost as important as patents in the roadmap of a software business, decentralized identity has been far more open-source and far slower to concretize standards, to avoid the creation of any easily defensible market positions tending towards monopoly or centralization. But then, even if a standard is open and free from centralized control, someone needs to define it for any kind of stable, formal market to emerge, and someone must judge whether a given system is compliant or not with that definition. While this definition could have come years earlier, it is just now arriving at “stable beta” now that a healthy amount of [largely friendly] competition has been established.

The main technical specifications for standardizing SSI practice and interoperability are those produced by editorial working groups in the World Wide Web Consortium (W3C), a standards body which has long standardized global web protocols. Many key participants in these editorial groups are also frequent and central contributors to the RWOT conferences and whitepapers. For a detailed overview of the current state of the DID Working Group of the W3C, see my guide to the documentation of their recent face-to-face meeting. To join the broader (and more credential-oriented) conversation without being a W3C member, join the mailing list or weekly teleconference calls of the Credentials Community Group (W3C CCG).

At time of press, most of the reference implementations, testing, and pre-standards collaborative incubation are done in the Hyperledger Aries open source community (which skews towards participants in the Sovrin network and other Hyperledger projects) and/or through the Decentralized Identity Foundation (DIF, which skews towards smaller and more independent networks). Particularly since the formation of the former and the incorporation of the latter to the Linux Foundation in Q2 of 2019, interoperability and cross-platform communications have been increasingly foregrounded as priorities of the standards community.

The W3C specifications for Verifiable Credentials and their data model have been official W3C recommendations for about half a year, while the equivalent specifications for Decentralized Identifiers (which control, sign, and anchor VCs in most, but not all, SSI systems) are still over a year away from the same final status. The collaborative development and interoperability testing happening in the industry bodies and communities mentioned above have mostly focused on credential exchange, but the low-level protocol and resolution work has also been making great progress in identifying any remaining roadblocks to translation and exchange, well in advance of the explicit finalization process in a few months.

Two recent movements are worth noting as parallel processes moving towards the same goal of finalizing a core language of interoperability. First, the movement into the Hyperledger Foundation of the Aries “Protocol” work has been of great utility. This elaboration of an abstraction layer and naming convention for interoperable “protocols” seeks to bridge and harmonize the sometimes divergent Sovrin-based systems and makes the Indy ledger easier for newcomers to read from and write to. This has allowed us to quickly integrate Indy-based functionality into our truly ledger-agnostic and SSI architecture-agnostic cloud wallet, as we will detail in a separate article (forthcoming). Second, a simplified, core subset of the protocol work for DID-encrypted wallet-to-wallet communications (“DIDComm”) in Aries was moved from the Hyperledger Foundation to the even leaner, faster incubation process of the Decentralized Identity Foundation — this makes it likely that Sovrin and Ethereum-based wallets could be communicating and sending each other VCs well before May in a stable reference implementation.

Adoption and the Governance of Everything Else

The next stage for self-sovereign identity is clearly real-world production-grade trials and focal adoption in specific industries, sectors, and markets. As with many ambitious, revolutionary technologies before it, like blockchain, achieving this real-world adoption at scale will indisputably require complex multi-stakeholder governance, deep user research across many unconventional user types, and a patient, rich conversation with regulators. Having developed this technology in the context of such a broad and heterogeneous community without the organizing influence of traditional investment and organizations, however, the decentralized community of identity decentralizers is particularly well-suited to this next stage!

At Spherity, we bring to bear on our particular market niche a wealth of enterprise IT experience, particularly in highly-regulated and high-tech industries. We believe this gives us a native insight into the governance idiosyncrasies and business needs of these large enterprises, which are uniquely positioned to leverage pre-existing coalitions for validating these technologies. The German and European governments might be closer behind than many would expect, with their own existing multi-shareholder consortia and laboratory-like conditions for experimenting with technologies that allow data governance to be as sophisticated as real-world governance.

Self-sovereign identity is not a technological solution to specific technological problems around internet security or addressing. It is a toolkit for governing data with as much power, granularity, and auditability as you would need to do complex real-world tasks, including many that are not even on our collective radar yet, such as:

  • Carbon accounting
  • Total visibility into cross-sections of supply chains and international business practices
  • Direct consumer-manufacturer relations
  • Lifetime material information for verifiably circular manufacturing

These topics all sound like science fiction today because we have so thoroughly naturalized hierarchical and siloed data-flows, and because we are habituated to all-or-nothing opacity for trade secrets and corporate knowledge.

Both the real-world governance of humans and the digital-world governance of their data need an upgrade, and quickly, if we are going to progress into a more sustainable way of life. But this progress will not come from the top down, in any one place, government, or market. Instead, each industry and sector has its own particular pain points, governance traditions, and data flows, skewing what capabilities they would need to make progress worth investing in and promoting. We have been researching many of these, and we have a whole series of essays planned to tour you through some of those particularities. Beyond that, we can glimpse a future economy dawning after the adoption and industry-wide governance changes that we think SSI will bring.


Juan is Communications lead for Spherity, a software startup in Berlin pioneering nonhuman identity, SSI, and digital twins. Personal acct: @by_caballero