Digital self sovereign identity
15.07.2020 Originally published on July 15, 2020 at medium.com

If you build an island, you’ll need a boat

Emily Fry and Tobias Looker


Emerging technology is incredibly stimulating, yet so often it is idealistic in nature and seemingly theoretical. The self sovereign identity (SSI) conceptual architecture has existed in the ‘idealistic’ bucket for some time. This is familiar territory — to win hearts and souls and break new ground, its proponents must be prepared to set fire to ingrained foundations. If the SSI community had started out too close to traditional archetypes, it would have risked a constrained imagination. The only real option for emerging technology is to build a far, far away island, and beat your drum loud enough for people to hear. With that comes an obligatory hype cycle, and the requirement to at some point close the technical chasm. The SSI community has built that isolated island (all a little too familiar for us kiwis), and now it’s time to build the boat.

SSI offers an opinionated shift in the way traditional Identity Management (IdM) is architected, which often results in the two models being pitted against each other — as if one must disappear for the other to exist. This dogmatic framing overlooks the potential which exists to extend traditional IdM protocols (think boat…) towards a more user-oriented SSI model.

OpenID Connect, and its advantages

When it comes to interactions that involve expressing a digital identity, the web takes the lion’s share. In relation to IdM on the web today, one core protocol that has consistently grown in popularity is OpenID Connect (OIDC). For those unfamiliar, OIDC provides the pipes that enable the use of a third party login service (e.g. “Login with Facebook”) rather than creating a new account with every website you visit. OIDC provides many practical benefits — it is a pervasive, simple login service. It has reduced administrative overhead, allowing individuals to reduce the number of accounts (or distinct digital identities) they have to maintain.

OpenID Connect — what’s missing?

With all of its success, OIDC has failed users in ways that were likely unforeseen at the time. It does not provide users with a way to organise their digital existence in one place, and fails to provide complete transparency over where and how their information is used. Keeping track of, and being able to utilise, our digital information to access services shouldn’t be difficult in the first place. The currently constrained (and damaging) user experience is symptomatic of broader problems with how traditional IdM and protocols like OIDC are architected — best illustrated by the identity NASCAR problem.

[Figure: The Identity NASCAR Problem]

The term was coined to describe the assemblage of third party icons on a website’s login page, which resemble the crammed sponsorship decals covering NASCAR racing cars. This has long been lamented by designers because it creates an overwhelming and crowded user experience. The logos impose a cognitive burden on users, who have to choose an Identity Provider (IdP) and keep track of which one they used and where.

This style of federation also has distinct market consequences. In order for a website to reduce the crowd of logos on their login screens, they have to pick (say, two or three). To ensure sufficient user coverage, the websites will pick the most well known (say, Facebook and Google), creating a predictable cycle where the popular become more popular. Like in NASCAR, it is now near impossible to break in, as a few large oligopoly-like brands are incumbent. This can hinder the progress and adoption of emerging technologies, particularly if they threaten incumbent business models. But the evidence is showing us we need a better way — entrusting something as fundamental as how users identify on the web to a select few sets up a dangerous environment, one where even brands like Apple who pride themselves on privacy are unable to avoid massive mistakes.

In addition, because users converge around a few main IdPs, the amount of data accumulated is colossal (known as the relying party tracking problem) — this includes what sites you visit and services you use. They do not have in place measures to minimise their data collection or reduce correlation. Many governments legally forbid the assignment of national identifiers. Good digital identity will exist only when corporations operate in frameworks where global identifiers aren’t assigned to us either.

How do we make things better?

SSI advocates for a component between the issuer/IdP and the relying party that acts on behalf of the user. This independent piece of software infrastructure acts to better preserve a user’s privacy and improve their experience. The component is often referred to as a ‘digital wallet’ (or, in other terminology circles, as the ‘holder’).

What makes an ecosystem that features a digital wallet more resilient against problems described above?

A couple of key points:

1. Separation of Authority and Facilitation

  • In traditional IdM, the IdP is both the issuer of the user’s identity information, AND the facilitator of services around how the user expresses their identity. This necessitates a close relationship between the issuer and the relying party (and the aforementioned tracking and correlation).
  • In SSI, the digital wallet is an intermediary that acts on behalf of the user — akin to their agent. The facilitator component is removed from the IdP and is reassigned to the digital wallet. This means that the relying party doesn’t need to ‘phone home’ to validate the information from the authoritative source. Kim Cameron calls this “the separation of claims and recognition”, acknowledging it as SSI’s biggest value.

2. Portable Identity

  • With today’s IdM technology, whether a user likes the practices of the IdP or not, it is incredibly difficult to switch to another provider. For example, if you have an identity with a service that is dependent on your Google account (centered around an @gmail.com address) and you would like to keep that identity but use another provider instead of Google, this is virtually impossible.
  • In SSI, digital wallets utilise underlying technologies such as Decentralised Identifiers (DIDs), which enable users to seamlessly move between different wallets — without losing their identity.

3. A single view for where and how your information is being used

  • In traditional IdM, individuals have no single place to go to view and organize the different dimensions to their digital identity. They have different siloed apps and website accounts, sure, but no way to view and manage this in one place. This leads to fragmentation and lack of transparency for users. A digital wallet represents a new opportunity to fill in these gaps and provide users with greater visibility into the digital presence.

4. Finally, a note on standards

  • Behind the glossy and simple user interface (isn’t this just a simple app?), digital wallets are incredibly complex technical beasts. This can’t really be overstated. There is a robust standardisation process occurring around the SSI community. Standards compliance and interoperability are requirements (albeit not easy ones). This takes time and effort, and arm-waving is incredibly detrimental to progress. We hope to see emphasis on standards compliance show up in trust framework accreditation processes.

Did someone mention a boat?

Little known to many, when OIDC Core was being standardised (back in 2014), a chapter in the original specification alluded to a world similar to that put forth by SSI proponents. The Self-Issued OpenID Provider (SIOP) chapter sets out (albeit incompletely) how something akin to a “digital wallet” component could fit into infrastructure based around OIDC.

The diagram shows the introduction of an intermediary piece of software which acts on behalf of the subject/user facilitating interactions involving their identity. SIOP introduced the idea that the user could have a role to play between the two parties, and that there could be multiple issuers of claims that could be provided to a relying party to access services. Unfortunately at the time there was no concept of Decentralised Identifiers (DIDs), so whilst the idea was good, it was found wanting.

Now that we have technologies like DIDs, Verifiable Credentials, decentralized ledgers, and a thriving SSI community progressing and aligning to the standards, the idea is back on the table. There is a laundry list of things to bring this to reality. Client Bound End-User Assertions is one contribution we have made to this effort. This specification addresses the need for a more formal binding mechanism between the issuer and the digital wallet.

What’s next?

There are lots of organisations involved in the effort to bring SSI and existing IdM closer together, and it is gathering momentum. To get involved, look out for the second SIOP virtual meetup, and initiatives occurring in OpenID and DIF. As always, reach out to us if you want to chat. This particular effort just might be the sail for our boat.
