If you work in the area of identity you will have noticed a lot of talk about self-sovereign identity (SSI). As a concept, it applies the goal of placing the user at the center of digital identity management and control. User-centric digital identity is not a new idea. I first came across it back in 2008 when I read Kim Cameron’s Laws of Identity — the piece itself going back to 2005. Law 1 states that “No one is as pivotal to the success of the identity metasystem as the individual who uses it.”
SSI is user-centric, but you don’t need to have a self-sovereign ID system for it to be user-centric.
On paper, I like the idea of a self-sovereign identity. After all, digital identity is about what you do with the information that makes up who you are — surely that should be under your control. Yet still, I have lingering questions that make me question the ability of SSI to fulfill my identity needs.
What is self-sovereign identity?
Self-sovereign identity uses blockchain to register the attributes of a person’s identity. What does that mean? Your identity data (attributes or claims) — the stuff that determines your digital you, or that a thing is that thing — are registered to a block on a blockchain. The blockchain is a distributed ledger (i.e., it is decentralized, with no central authority controlling it); the resulting decentralized claims are then part of a person’s identifying data that they can share, under their control, with a requesting party such as a bank or a government service.
The substance of SSI is based on the idea of verifiable claims. If you follow my blog you’ll know that verification is a thorny issue in the digital identity space. It is certainly not straightforward and could do with a sprinkle of “user friendly” if you ask me. But organizations like Sovrin, who are offering a backbone for SSI, are built upon the notion of verifiable claims being managed through a distributed ledger technology specifically attuned to digital identity.
What is a verifiable claim?
I just want to talk a little about the notion of a verifiable claim. For a piece of data on an individual to carry any weight it has to be true, or at least have a probability of truth that satisfies the service provider. Claims that are checked (verified) by a trusted third party are deemed to be verifiable. Web standards custodians, W3C, have looked at the issues around standards for verifiable claims. The research findings of the group come down heavily on the side of user-centric and privacy-enhanced. There is a very strong value statement driving their work: “No User-Centric, Privacy-Enhancing Ecosystem Exists for Verifiable Claims.”
The research concludes several things including:
Trust is decentralized. Consumers of verifiable claims decide which issuers to trust.
Users may share verifiable claims without revealing the intended recipient to the software agent they use to store the claims.
But, in the context of this article, do you need a decentralized identity system to have decentralized verifiable claims? Are the two mutually exclusive?
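To make the mechanics behind that question concrete, here is an added example (not from the original article, and not Sovrin's or W3C's code) of a claim signed by a trusted third party and checked by two consumers that each keep their own list of trusted issuers. It assumes plain Ed25519 signatures over a flat JSON object; the issuer names, claim fields and helper functions are hypothetical.

```javascript
// Added illustration: names, claim fields and helpers are hypothetical.
const crypto = require('node:crypto');

// Deterministic serialization (sorted keys, flat object) so that the issuer
// and the verifier sign and check exactly the same bytes.
function canonical(claim) {
  return Buffer.from(JSON.stringify(claim, Object.keys(claim).sort()));
}

// Issuer side: a trusted third party checks the attribute, then signs the claim.
function issueClaim(issuerId, privateKey, subject, attribute, value) {
  const claim = { issuer: issuerId, subject, attribute, value };
  const signature = crypto.sign(null, canonical(claim), privateKey).toString('base64');
  return { claim, signature };
}

// Consumer side: each relying party keeps its OWN map of issuerId -> public key.
function verifyClaim(signed, trustedIssuers) {
  const key = trustedIssuers.get(signed.claim.issuer);
  if (!key) return { ok: false, reason: 'issuer not trusted by this consumer' };
  const valid = crypto.verify(null, canonical(signed.claim), key,
                              Buffer.from(signed.signature, 'base64'));
  return valid ? { ok: true, reason: 'signature valid' }
               : { ok: false, reason: 'bad signature' };
}

// Constructed sample data: two issuers, consumers with different trust lists.
function demo() {
  const bank = crypto.generateKeyPairSync('ed25519');
  const gov = crypto.generateKeyPairSync('ed25519');
  const signed = issueClaim('example-bank', bank.privateKey, 'alice', 'over18', true);

  const lender = new Map([['example-bank', bank.publicKey]]);   // trusts the bank
  const taxOffice = new Map([['example-gov', gov.publicKey]]);  // trusts only gov
  const wrongKey = new Map([['example-bank', gov.publicKey]]);  // name matches, key does not

  // Same signature, altered attribute value: must fail verification.
  const tampered = { claim: { ...signed.claim, value: false }, signature: signed.signature };
  return {
    lender: verifyClaim(signed, lender),
    taxOffice: verifyClaim(signed, taxOffice),
    tampered: verifyClaim(tampered, lender),
    wrongKey: verifyClaim(signed, wrongKey),
  };
}

console.log(demo());
```

The same signed claim is accepted by one consumer and rejected by the other purely because of their local trust lists. How those issuer public keys are distributed and revoked is outside this sketch.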
Three critical questions about self-sovereign identity
Who will pay?
We live in a world that is built upon certain commercial structures. These structures are pretty much universally driven by money. I want to understand how we can fit an identity framework, one that is based on presenting verifiable claims, to a service. Who will pay for the verification? If one organization pays, will they be happy if that data is then shared with a competitor to build up a trusted relationship with them?