By Pat Santos – Han Santos, PLLC
The Context of Self-Sovereign Identity
Today our identity is in the hands of third parties that we have no control over. Maybe we manage our passwords and accounts on paper, or on a spreadsheet. But presently, the services we log on to have our credentials, and those services can be – and have been – hacked.
Use of a password manager service to get single sign-on (SSO) capability doesn’t help. Neither does making use of identity management services such as those offered through Meta/Facebook or Google. In fact, such services compound the problem. What happens if Meta/Facebook or Google get hacked? Or go out of business? In a worst-case scenario, you might be obliged to reconstruct your credentials.
Self-Sovereign Identity (SSI) is a set of technologies that allow end users to have full control of their credentials. Credentials are locally managed. When credentials are presented, the service to be accessed verifies that the credential was properly issued, and crucially does not rely on a local copy of the credential. In this way, credentials are decentralized – there is no central storage of a large number of user credentials. Rather, only the end users have their own credentials.
Decentralization is often, but not always, accomplished via the use of a distributed ledger, generally a blockchain. Blockchains enable data representations on one computer to be faithfully reflected on another computer, regardless of whether the computers are owned or controlled by the same party. This feature of blockchains is called “consensus”. This feature, along with the rules that a blockchain cannot be changed (immutability) and can be seen by third parties (transparency), means that electronic activities, such as issuing credentials, can be independently verified, and therefore trusted.
The notion of SSI is an attractive one. However, for many, the use of blockchains is an open question. What exacerbates the situation is that there are many misconceptions around blockchains and SSI, and about whether SSI even needs a blockchain. We hope this article addresses some of those misconceptions and encourages readers to actively investigate SSI.
SSI is just another blockchain technology looking for a problem to solve.
No. Recall that EU privacy laws, including the General Data Protection Regulation (GDPR), as well as privacy laws in other jurisdictions, impose onerous penalties on enterprises that lose personal data or place personal data at risk. And the law of privacy keeps changing.
SSI provides a way to handle credentials in which the user is the one who stores them.
Put another way, SSI is a way for issuers and authorizers not to store credentials, thereby mitigating GDPR and other privacy liability. In fact, the EU’s own website proposes the European SSI Framework (ESSIF) as a mitigation to GDPR (https://www.eesc.europa.eu/sites/default/files/files/1._panel_-_daniel_du_seuil.pdf).
Anyone that uses credentials should seriously consider SSI.
SSI will force me to use cryptocurrency.
SSI does not require blockchains. It just happens to be a common implementation.
But suppose a blockchain is used for SSI. While blockchains are indeed used for cryptocurrency, they are used for many other things as well.
As stated earlier, a blockchain is just a data structure that enforces “consensus”, i.e., ensures that a representation on one computer is the same as on another computer. It happens to use a distributed database and stores a chain of hashes. But just because you have a blockchain does not mean you have a cryptocurrency. In fact, most enterprise applications using blockchain do not use, or otherwise have anything to do with, cryptocurrency.
As a side comment, some blockchains for cryptocurrency, such as Bitcoin, use “proof of work” to verify transactions. This evokes images of massive crypto-mining server farms consuming vast amounts of electricity, with the concomitant effects on climate. To reiterate, we need not use cryptocurrency. In SSI, trust is established through a trust model of issuer, holder and verifier, which does not require excessive CPU cycles for verification. In other words, no proof of work is needed for verification, and the fears of excessive electricity requirements (at least on the scale of proof-of-work-based cryptocurrency) are a non-issue.
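The issuer/holder/verifier model just described, together with the earlier point that the verifier keeps no local copy of the credential, as an added example that is not from this article or from any SSI project: a constructed Go sketch in which the issuer signs a credential with Ed25519, the holder keeps it, and the verifier checks it against nothing but the issuer's published key. The `registry` map stands in for the ledger or other public key directory, and the `did:example:...` identifiers are placeholders.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)
// Credential is a constructed, minimal stand-in for a W3C verifiable credential.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Proof   []byte            `json:"proof,omitempty"` // issuer's signature over the other fields
}
// registry stands in for the public record (often a ledger) where issuers publish keys; it holds keys only, never credentials.
var registry = map[string]ed25519.PublicKey{}
// NewIssuer publishes a fresh public key under did and returns the private half, which only the issuer holds.
func NewIssuer(did string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	registry[did] = pub
	return priv
}
// canonical yields deterministic bytes to sign, without the proof (encoding/json sorts map keys).
func canonical(c Credential) []byte {
	c.Proof = nil
	b, _ := json.Marshal(c)
	return b
}
// Issue signs the claims; the result is handed to the holder, not kept by any server.
func Issue(issuer string, priv ed25519.PrivateKey, subject string, claims map[string]string) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims}
	c.Proof = ed25519.Sign(priv, canonical(c))
	return c
}
// Verify needs only the issuer's published key, never a stored copy of the credential.
func Verify(c Credential) bool {
	pub, ok := registry[c.Issuer]
	return ok && ed25519.Verify(pub, canonical(c), c.Proof)
}
func main() {
	priv := NewIssuer("did:example:issuer") // constructed DID-style identifier
	vc := Issue("did:example:issuer", priv, "did:example:holder", map[string]string{"over18": "true"})
	fmt.Println("valid:", Verify(vc))
	vc.Claims["over18"] = "false" // holder alters a claim after issuance
	fmt.Println("tampered still valid:", Verify(vc))
}
```

A real deployment would add expiry and revocation checks and a proper credential format; the point here is only that verification touches the issuer's key, not a central credential store.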
SSI does continue to evolve, and it may be worthwhile to watch whether the industry moves more towards blockchain solutions or towards others. If you do use blockchains, technologies for crossing over between different blockchains are becoming common, so you need not fear being locked into a particular technology stack. In short, investigation of SSI should not be delayed because of blockchain worries, let alone worries about being tied to cryptocurrency.
SSI is not ready to investigate technically or adopt.
On the contrary. Indeed, there is an embarrassment of riches in options. Here are three.
There are several open source and commercial repositories for trying out SSI and related frameworks such as ESSIF (https://essif-lab.eu/).
If you are seeking to be vendor neutral, consider the following: https://trinsic.id/open-source-ssi-codebases/.
Another stack currently being investigated is the Veramo stack (https://veramo.io), which is being developed by members of the SSI standards community.
The flip side of investigation is adoption. To answer the claim that SSI is not ready to adopt: it is indeed still early, but no earlier than is usual for early adoption of a technology.
Specifically, SSI is standardized, including the W3C's work on verifiable credentials and decentralized identifiers (DIDs). Note that large parties such as Microsoft and IBM are part of the Decentralized Identity Foundation, which is developing solutions around DIDs.
Also, the Linux Foundation has established the DizmeID Foundation (https://linuxfoundation.org/press-release/linux-foundation-announces-dizmeid-foundation-to-develop-and-enable-a-self-sovereign-identity-credential-network/) with active backers to develop open source SSI.
In short, the industry is quite active in productizing in the verifiable credentials and SSI spaces.
SSI Verifiable Credentials are Like Non-Fungible Tokens (or other cryptographic tokens).
Verifiable credentials are often improperly conflated with non-fungible tokens (NFTs) or other blockchain tokens. These are two different things. Verifiable credentials are cryptographic tokens that give the holder more control and flexibility and can be reissued by the issuer (and they contain one or several proofs). NFTs, on the other hand, are blockchain tokens that represent, and may be used as proof of, uniqueness.
Verifiable credentials have developed into a field of their own. As stated above, the W3C has a Verifiable Credentials group, ANSI X9 is investigating their use in its Natural Person Identification efforts, and third parties such as Visa and MasterCard are looking at developing third-party identification services based on these concepts.
In general, it is important to treat SSI on its own terms. Because of the association of blockchain with crypto, and now the association of NFTs with crypto, there is always the risk that all these notions will muddy the waters in a discussion around SSI. SSI is self-sovereign identity; it just happens that in some cases SSI makes use of technologies that are also used for other purposes.
SSI is just another technology that we’re being asked to adopt.
It depends on your point of view.
Cybersecurity and privacy are very real issues facing enterprises today. Present solutions are either not secure or burden enterprises with regulatory liability. SSI is something even governments are suggesting as a solution, so in our opinion it bears investigation.
Our take is that blockchains (distributed ledgers, not crypto) are going to be a part of our technological toolkit for some time. Perhaps SSI will be the beginning of investigating not just identity solutions, but consensus solutions for your enterprise moving forward.
But from our perspective, the core issue is that people will not use services if they don’t trust the security. In a time of ransomware and identity theft, cybersecurity should be at the forefront of any enterprise, because without it, we lose customers and give bad experiences to the customers we have. SSI eliminates the large databases of accounts that attract hackers. Accordingly, SSI also addresses regulatory issues such as GDPR. And from the perspective of making comprehensive solutions, SSI provides the trust layer that the internet presently lacks and returns the management of private data to the users, where it belongs, and where users want it.
We all have a cybersecurity problem, and SSI represents the most current thinking to address it. For that reason, we believe that SSI is not just another technology.
Do you think that this list should be changed? Do you have other questions? Are you trying out a particularly promising SSI implementation? Regardless, if you are already using SSI or just investigating, please let us know! If interested, we would welcome conversations around SSI and related technologies.
For more information about our company please visit: https://hansantos.com
About Han Santos, PLLC
Han Santos, PLLC is a full-service Business and IP law firm with a long history of participating in standards and industry groups on behalf of their clients. They have expertise in representing clients in standards groups, participating in legal issues such as patent pools, participating in tech transfer, submissions, and disclosures, and in establishing standards groups. They find that actively participating in these organizations allows them to better serve their clients and partners.
Han Santos decided to join the DSC this year for the same reason – anticipating that clients will express an interest in digital stationery and therefore wanting to actively engage within the community.