Building blocks for Self-Sovereign Identity
- A standard, open protocol for establishing unique, private and secure connections between multiple parties without requiring the assistance of an intermediary “connection broker,” like Google, WhatsApp, an email provider, or a phone carrier. Secure connections are created by two or more peers creating and exchanging decentralized identifiers or “DIDs.” There are a variety of different implementations of DIDs, known as DID methods, available in the market, each with fundamentally different properties. Regardless of DID method, once two parties have exchanged DIDs, they can communicate securely as though through a private tunnel that nobody else can see or enter. This secure communication is facilitated by an umbrella of protocols known as DIDComm, which are based on a standard format known as JSON Web Message. DIDs can be created by anyone at any time, and you can have a different DID for each of your digital relationships to keep them separate. DIDs provide secure connectivity; they do not by themselves provide trust — that’s where the second layer comes in.
- A standard, open “digital data watermarking” protocol for issuing, holding, and verifying protected data, including verifiable credentials or “VCs.” This enables anyone to verify the source, integrity, and validity of any data that is presented to them, and to do so robustly and securely. This watermarking mechanism uses well-proven public key cryptography to digitally sign each data element. Additionally, there are many interesting things we want to do with secure data, so this layer includes protocols for delegation of data, encryption, secure data storage, and approaches to revocation.
- Somewhere to store the public verification keys of connections and data owners. This allows anyone to locate and retrieve public keys at any time in order to verify the source, integrity, and validity of any data that adheres to the protocols in the previous layers. These keys and other cryptographic data are typically held in DID documents and credential definitions. While these could be stored in any database, the store has to be globally trusted, so many decentralized identity systems have chosen distributed ledgers for their unique properties:
- no backdoor or admin access for surreptitious or malicious changing of data;
- no reliance on a single monopolistic provider that can turn it off; and
- chronological ordering, so you know you are retrieving the current keys.
For more information on this mental model, reference the 3 Pillars of SSI by Andy Tobin.
There are a number of organizations working towards standardization of technologies that span across the web. Of these, a handful are particularly important for those involved in building open standards for digital identity.
DIF is an engineering-driven organization acting as the center for development, discussion, and management of all activities required to create and maintain an interoperable and open ecosystem for the decentralized identity stack. DIF has the capability to set up IPR-protected working groups, deliver specs and standards, and offer infrastructure for the community.
Notable Specifications: DIDComm 2.0, DID-to-Domain Linkage, Universal Resolver & Registrar, Identity Hubs, Sidetree Protocol, Self-Issued OpenID
Hyperledger is an organization run by the Linux Foundation that promotes collaboration among a variety of industry stakeholders building implementations on distributed ledgers and blockchains for a variety of use cases.
- Infrastructure for blockchain-agnostic, off-ledger, peer-to-peer interactions
- Consumes Ursa to provide decentralized key and secret management
- Shared cryptographic library enabling people (and projects) to avoid duplicating other cryptographic work and increase security
- Provides tools and libraries for building digital identity blockchains
- Sovrin is an instance of Indy
Notable Specifications: Anoncreds, DIDComm 1.0, DID Exchange, DKMS, Interop Test Suite, Delegated Authority Credentials, Rich Schemas, Data Overlays, Biometric Service Providers
At a high level, the W3C has been working on building web standards since the early 2000s. It has primarily focused on the development of the browser and has been instrumental in making browser interoperability possible. The organization was founded by Sir Tim Berners-Lee, who is widely regarded as one of the founding fathers of the internet.
Notable Specifications: CSS, HTML, XML, SVG, RDF, SOAP, DIDs, VCs, JSON-LD, ZCAP-LD
The Internet Engineering Task Force (IETF) is a standards development organization responsible for the general-purpose standardization of core internet technologies. In particular, it focuses on the standards that make up the Internet protocol suite, often known as TCP/IP.
Notable Specifications: URL, URI, URN, OAuth, JOSE (JWS/JWE/JWT)
OASIS is a non-profit consortium that brings people together to agree on intelligent ways to securely exchange information over the Internet and within their organizations.
Notable Specifications: SAML, XDI, KMIP, DKMS
OpenID Foundation is a special-purpose standards organization that was formed due to industry collaboration around digital identity technologies. OpenID Foundation has standardized several specifications around web-based digital identity technology.
The Kantara Initiative is a nonprofit organization giving people agency over their personal data and the confidence to transact in the digital economy. Its goal is to offer service providers conformity assessment and assurance against well known standards and specifications while taking a user-centric approach to emerging industry and marketplace needs.
Notable Specifications: Identity Assurance Trust Framework, User Managed Access, Consent Receipts
RWOT is a twice-yearly design workshop focused on producing technical whitepapers to address issues impacting the future of decentralized identity systems and the decentralized web of trust, including authentication and verification, certificate validation, and reputation assessment. It is a vendor-neutral setting open to participation from different tech groups and non-tech civil society members.
IIW is a twice-yearly unconference that has taken place in Mountain View, California every year since 2005. Its participants have been finding, probing, and solving identity issues in an open forum, and it serves as a breeding ground for collaboration around core identity technologies, including but not limited to OAuth, OpenID Connect, User-Managed Access, FIDO, DIDs, VCs, SSI, and decentralized identity systems.
Specs, Protocols, and Standards
Most specifications related to decentralized identity follow a similar path on the road towards standardization. Typically the stages are:
- Draft → serves as a proposal for a new standard, typically done by one entity
- Community Group → developed by multiple parties in an open environment
- Working Group → dedicated and chartered group with a mandate to complete a specification
- Editor’s Draft → completed draft emerging from a working group
- Standard → widely adopted and used by many industry partners
This process is more or less the same regardless of the organization hosting any particular standardization effort.
In addition, we can think of each specification as belonging to one of the three building blocks of SSI that we described above. In some cases a standard may be a bridge between layers, enabling a closer link between connections, data, and keys, making the ecosystem more secure as a whole. What you will find below is a list of all relevant standards, links to every spec, the organizations they belong to, their relationship to the ecosystem, and their relative maturity as internet technologies.
This list will be maintained as a living document, capturing the current state of the decentralized identity ecosystem as it evolves.
Noteworthy SSI Projects
In addition to standards and specifications, there are a number of ongoing open-source projects built to demonstrate the impact of a truly decentralized, interoperable ecosystem. Some of the most relevant projects are listed below; however, this list will also serve as a living document, highlighting interesting new projects as the ecosystem matures.
If you have any feedback, e.g. comments, questions, or additions to this list, please reach out to the MATTR team at firstname.lastname@example.org or contact DIF at email@example.com. We encourage involvement from the broader web community in any of the organizations covered in this article. If you are interested in learning more about these topics, you can subscribe to DIF’s monthly newsletter and stay tuned for more news.
Thanks to Balázs Némethi.