Evolution of Self-Sovereign Identity (SSI)
Trust in governments, the UN, or corporations has eroded to the point where most people know that online privacy protection is an empty promise. Very few people trust the intent or purpose behind data collection because they don’t trust the people mandating it. However, the pandemic created the need for better digital identification systems, and, almost as if it had been planned all along, it’s now impossible to travel without self-sovereign identity.
Thus, balancing the utilization and protection of digital identity has become a global social issue. In this context, personal data management regulations, such as GDPR (General Data Protection Regulation) in the EU and CCPA (California Consumer Privacy Act) in California, are being strengthened in many countries.
Current identity models: centralized and federated
Until recently, the main methods of managing digital identity have been the centralized identity model and the federated identity model.
In the centralized identity model, each service provider manages its users’ identities. Users access the service using authentication information, such as a user identifier and password, that varies by service. The centralized identity model is widely used today. However, from the user’s perspective, it has various disadvantages, such as the need to manage authentication information for each service, fragmentation of identity across services, and handing control of identity to the service operator.
In the federated identity model, several identity providers establish agreements with each other and operate under a common trust framework, or “federation”. Anyone who has an identity in an identity provider can access other identity providers. An example is logging into new services using a Google or Facebook account. However, most of the current federated identity services rely only on one service provider to serve as the trusted identity verifier.
Compared to the centralized identity model, the federated identity model improves user convenience because less authentication information needs to be managed, but the sovereignty of the identity remains with the identity service providers. It also creates the risk that a single leaked piece of authentication information leads to unauthorized logins to multiple services.
New self-sovereign identity model
To address these problems, the concept of self-sovereign identity has been proposed. Although a universal definition of self-sovereign identity is difficult to find, the core notion is arguably that users are given control and autonomy over their identity data, how it is used and who it is used by.
In self-sovereign identity, the user has his or her identity information digitally signed by a trusted third party. When presenting the identity information, the user also digitally signs it before handing it to the party that consumes it (the relying party). The public keys of the user and of the third-party organization, which are needed to verify the digital signatures, are recorded in a distributed ledger, and the relying party uses them to verify the information it receives. In this way, users can control their own identity information without relying on a specific central administrator.
The 3 models of Digital Identity
Demonstrations of services using this technology are already underway. For example, Kiva is building an identity protocol based on self-sovereign identity for building credit history in Sierra Leone. Another example is the COVID Credentials Initiative (“CCI”), which is working on a digital certificate based on self-sovereign identity that lets individuals prove they have recovered from COVID-19, have tested positive for antibodies or have received a vaccination.
The use of self-sovereign identity is being promoted in a variety of fields, but there are still various issues that need to be addressed. One of the challenges is to ensure interoperability. Self-sovereign identity will likely not replace all existing identity management systems but will be used alongside and coexist with them. It is also expected that various self-sovereign identity implementations will appear in the future. Therefore, interoperability with existing identity management systems and with other self-sovereign identity systems is required.