This article highlights and describes five aspects that are crucial for the adoption of self-sovereign identity (SSI).
Every new technology that aims to change the way we live requires certain conditions to be met. This article provides an overview of five critical requirements for achieving mass adoption of SSI. While they are ranked from “least important” to “essential”, all of them need to be in place for the technology to gain a significant market share.
1. The Business of SSI
To be adopted commercially, companies need an economic incentive to use SSI. Current identity solutions aren’t satisfactory for consumers or companies. This obviously varies from country to country, but it remains an issue for our society. There are plenty of reasons for European businesses to adopt SSI. Firstly, identity and access management (IAM) solutions are very costly. Cost reduction alone is a valid reason to explore SSI. However, there are more important reasons why SSI makes business sense. SSI makes business sense when:
- Verifying assertions is costly or important
- Credentials are useful in another context
- Workflows can be streamlined
- Personal data is a liability
- Data and communication are missing
- The workflow is customer-driven
The content of the image is the outcome of a collaborative effort organised within the Sovrin working group: “Business of SSI”.
When we consider meaningful innovations based on their impact on society, technology is just a tool. The real innovation happens on the business side. New business models such as pay-per-use, freemium or subscription models are often the driving forces of innovation. The SSI community still has to explore these options. Probably the most innovative business model hasn’t been found yet.
2. Technology implementation: Interoperability and Standardization
To be used on a wide scale, the technological implementation needs to fulfil certain requirements too. These include, but are not limited to, interoperability, reliability and adaptability. It should leverage standardized components, preferably be open-source and enable easy developer onboarding. Current SSI implementations use verified credentials (VC) and decentralized identifiers (DID), which are standardized by the World Wide Web Consortium (W3C). The Sovrin network, which is in a productive state and therefore leading the SSI movement, is based on Hyperledger Indy & Aries. These are open-source frameworks governed by the Linux Foundation, and they already have a considerable developer community. Indy is one of the base-layer implementations for the distributed ledger registries, which handle public DIDs and the revocation of credentials. Hyperledger Aries enables standardized communication between agents/wallets over a DID connection. The Hyperledger project is already supported by hundreds of industry leaders, as its member page illustrates. Similar protocols, such as DIDComm, which enable connecting and maintaining relationships, issuing credentials, providing proofs etc., are standardized by the Decentralized Identifier Foundation (DIF).
While we already have self-custody wallets for identity management (SSI wallets for end-users, also referred to as “edge agents” and “non-custodial”), these applications will need more time to enter the market on a broader scale. Institutional agents, which are used to manage the issuance and verification of verified credentials, will also be needed on the business side. SSI solution providers such as Evernym, Streetcred, Lissi or esatus already have their applications in place for further business development. Nevertheless, SSI implementations will require more time to enter the big stage. The technological groundwork is in place. Now it’s time for industry and government stakeholders to leverage existing software libraries and providers for their use cases.
3. User adoption, trust and inclusivity
This is a difficult category because we give people their keys and they somehow have to ensure they stay in control of them. With great power comes great responsibility. However, most people just want a convenient solution and don’t care why the tech is better. If it is too complicated, they won’t use it. The total customer journey is long. How do we earn the trust of all of society and include everyone? Our community has to ensure people don’t need to care about key management. It’s quite likely that the bulk of people will want to use a trusted third party that helps them manage their keys while they remain in control.
If there isn’t an abundance of knowledge and of service providers available to educate people and secure their digital identity, we won’t see any meaningful degree of user adoption. This is a critical aspect we have to consider. Nevertheless, we already have a sizeable number of early adopters who are familiar with key management and the concept of digital ownership due to the proliferation of cryptocurrencies.
But we also need to earn the trust of the public. Like every technology, verified credentials can also be abused for surveillance purposes, as some suspect of the World Economic Forum (WEF) and its Known Traveller Digital Identity specification. Allegedly it is a “surveillance-by-design” approach. It’s not: most of it describes the ToIP stack, zero-knowledge proofs, selective disclosure and Hyperledger frameworks. But it also mentions “risk-based security”. On one hand this sounds great, when the privacy-preserving ToIP stack is considered for travellers. On the other hand it sounds scary when the “risk-based security” approach taken for proof requests is not known.
The question is how high we want to set the bar for foreign citizens to get access to services and infrastructure. What information do I have to prove the next time I visit one of the European member states, given that I won’t only have an eID as a travel document, but also plenty of other verified credentials? As a traveller I want to be protected by European law from unnecessarily strict assessments. Unfortunately, closed borders and demands for proof of virus resistance via immunisation or vaccination make it even more complicated and give reason to fear living in an increasingly Orwellian society. ‘Guilty until proven innocent’ isn’t desirable.
We also have to ensure that the whole customer journey is barrier-free. Accessibility and inclusivity for disabled people or minors require our active attention. A good resource to start with is the guardianship whitepaper by Sovrin.
4. Government support & regulatory compliance
In the context of digital identity, legal contracts need to be in place to ensure binding relationships with defined rights and duties. Governments are the primary source of foundational identities. “A foundational identity is an identity that has been established or changed as a result of a foundational event (e.g. birth, name change, immigration, legal residency, death, organisational legal name registration (…)” (PCTF)
For the European Union, there are two laws that have a significant influence on identity frameworks. The General Data Protection Regulation, better known as GDPR, determines how personal data of EU citizens can be collected and used. While there is a general assumption that current SSI implementations are GDPR compliant, ultimately courts have to decide whether that’s the case.
The other important law is the Electronic IDentification, Authentication and trust Services (eIDAS) provision specified in N°910/2014. It constitutes the main electronic identification trust framework in the EU and is an elemental building block of the digital single market. It is a technology-neutral approach that has a strong influence on the international regulatory space. The main goal of mutual recognition of electronic identification (eID) is to enable EU citizens to carry out cross-border interactions by proving their identity with their own national eID means.
There are three levels of assurance specified under eIDAS (low, substantial and high), which include detailed criteria allowing member states to map their eID means against a benchmark. Current SSI implementations have the objective of being recognized with the level of assurance ‘substantial’.
National SSI implementations with a high degree of government support are more likely to get adopted. While we need to respect the demand of sovereign nations to have a say in how the digital identities of their citizens are managed, governments should not be able to take over control of the governance structures. This could have devastating consequences for free societies, as Christopher Allen argued with a #foremembrance for victims of the misuse of identity data by German Nazis in the Second World War. *Looking at my fellow Germans here…*
5. The Governance framework
Governance is the establishment of policies and the continuous monitoring of their proper implementation. Its objective is to ensure alignment, interoperability, and confidence in digital identity solutions that are intended to work across organizational, sectoral, and jurisdictional boundaries.
The governance model that is best known and most specialized in the realm of SSI is the Sovrin Governance Framework. “The Sovrin Governance Framework (SGF) is the legal foundation of the Sovrin Network as a global public utility for self-sovereign identity.” (Sovrin Foundation). The Sovrin Foundation originally planned to issue a native token for its network to cover its operational costs. However, due to the difficulty of getting legal approval and the current circumstances of the pandemic, the foundation adjusted its mission. Its primary objective has now evolved from governing the current Sovrin ledger to governing the Sovrin Ecosystem as a decentralized global network of networks that interoperate according to the Trust over IP (ToIP) stack. ToIP describes a stack of protocols used to achieve a holistic identity approach.
The stack consists of four layers, two of which provide technical trust: the public utilities, such as DID registries, and the DIDComm protocol, which handles the peer-to-peer communication between agents. Layers three and four offer a framework for human trust. They contain the trust triangle as well as the access to the ecosystem. With a DPKI (decentralized public key infrastructure), the initial “root of trust” for all participants is any distributed ledger or decentralized protocol that supports a new form of root identity record, the DID.
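To make the layer-1 root of trust concrete, here is an added illustration (not code from the article or from any of the projects it names) of the verifier’s corner of the trust triangle: a constructed in-memory stand-in for a DID registry maps an issuer DID to its public key and revocation list, the issuer signs a credential, and the verifier resolves the issuer DID through the registry before accepting the claims. The DID `did:example:issuer1`, the credential id and the claim are constructed sample values; a real registry would be the distributed ledger or protocol described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry is a constructed stand-in for a layer-1 DID registry: issuer DID -> current public key, plus revoked ids.
type Registry struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}
type Credential struct { // the payload an issuer signs and a holder later presents
	ID     string            `json:"id"`
	Issuer string            `json:"issuer"`
	Claims map[string]string `json:"claims"`
}

// Sign signs the canonical JSON of the credential with the issuer's private key.
func Sign(priv ed25519.PrivateKey, c Credential) []byte {
	b, _ := json.Marshal(c) // map keys are emitted sorted, so the encoding is stable
	return ed25519.Sign(priv, b)
}

// Verify is the verifier's corner of the trust triangle: resolve the issuer DID via the registry, check signature, check revocation.
func Verify(reg *Registry, c Credential, sig []byte) error {
	pub, ok := reg.Keys[c.Issuer]
	if !ok {
		return errors.New("issuer DID not found in registry")
	}
	if b, _ := json.Marshal(c); !ed25519.Verify(pub, b, sig) {
		return errors.New("signature does not match the issuer's registered key")
	}
	if reg.Revoked[c.ID] {
		return errors.New("credential has been revoked")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := &Registry{Keys: map[string]ed25519.PublicKey{"did:example:issuer1": pub}, Revoked: map[string]bool{}}
	c := Credential{ID: "cred-1", Issuer: "did:example:issuer1", Claims: map[string]string{"over18": "true"}}
	fmt.Println("fresh:", Verify(reg, c, Sign(priv, c))) // <nil>
	reg.Revoked[c.ID] = true
	fmt.Println("revoked:", Verify(reg, c, Sign(priv, c))) // credential has been revoked
}
```

Note that the verifier never contacts the issuer: the registry alone decides which key is trusted and whether the credential is still valid, which is why governance of that registry matters so much.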
The governance of a DID registry (layer 1: utility) for the public keys of issuers is executed by a legal entity consisting of different organs that control each other, and it functions as a central organ for all stakeholders. In an optimal case, this legal entity can’t be bought and all participating members have equal rights while being highly inclusive. For the governance of the other layers, structures for providers, credential schemas and ecosystem governance are currently handled by international standards organisations like the W3C. But ultimately we will have plenty of governance frameworks at different levels for local communities or merchant associations. Some decentralized autonomous organisations (DAO) will probably participate too.
Another well-known governance framework is the PCTF (Pan-Canadian Trust Framework), which is technology agnostic. “It is not a “standard” as such, but is, instead, a framework that relates and applies existing standards, policies, guidelines, and practices, and where such standards and policies do not exist, specifies additional criteria. It’s a tool to help assess a digital identity program that puts into effect the relevant legislation, policy, regulation, and agreements between parties.” (PCTF)
The governance of SSI implementations can vary depending on the access to the network. There are two categories of utility networks (layer 1).
Utilities with permissioned write access:
Utilities with permissionless write access:
For further information take a look at the DID Method registry of the W3C.
Governance frameworks need to respect the social norms and regulatory compliance of their target audience. It is easier to establish the structures within national borders between stakeholders who already know each other than in an international arena of different jurisdictions and social structures. This is one of the reasons why some implementations use a DID registry with permissioned write access, since this facilitates regulatory compliance with GDPR or similar data protection regulations. Furthermore, government intervention is also required in the context of electronic identification trust frameworks like the eIDAS regulation. Organisations or institutions with a significant stake in the network should be selected to run one of the multiple nodes. The nodes store the record of the data written into the ledger and execute other necessary functions of the network. However, they don’t control the network, since they have to follow the guidelines set by the governance frameworks.
Governance frameworks not only need ethical principles, but also need to include human rights NGOs and privacy-focused associations to avoid misuse of the technology and to inform the public about potential dangers.
The path ahead
Time is running, surveillance capitalists gain more power as we speak, and a global pandemic has boosted the need for digital identification and authentication. However, it doesn’t make sense to put all eggs in one basket, since a multitude of governance frameworks and technology implementations will increase the overall resilience and give communities the opportunity to choose a network according to their needs.
All stakeholders, especially public bodies, industry representatives who issue credentials, and associations focused on human rights and data protection, need to be part of the conversation.
But where will this lead? Will we have a combination of permissioned national SSI implementations together with more international and censorship-resistant approaches based on permissionless blockchains? Maybe we will abandon blockchains as an anchor altogether and move towards “linked cryptographic data structures for registering key rotation events”, as Carsten Stöcker predicts, or similar cryptographic infrastructures like KERI.
While the technology evolves, we should use the time to build technology-agnostic governance structures for self-sovereign identity and to debate the set of legal, business, technical and ethical rules necessary to protect the values of our societies.
Disclaimer: This article does not represent the official view of any entity, which is mentioned in this article or which is affiliated with the author. It solely represents the opinion of the author.
Own your keys