Agencies, agents, edge and cloud layers

In a decentralized identity ecosystem, each entity will establish a collection of infrastructure components to manage their identity relationships in a peer-to-peer network.

agents

A virtual identity vault (or Sovereign Domain) refers to a collection of edge and cloud layer instances that make up an entity’s self-sovereign identity infrastructure. Analogous to the ubiquitous use of cloud-based file synchronization tools like Dropbox, people and organizations select an agency to host cloud layer software that is synchronized with the edge layer identity software on their edge devices. An individual’s vault is used to manage the keys and credentials associated with the person’s identity across all his or her edge devices. Conversely, an organization uses the vault to manage the keys and credentials associated with the devices of employees who are authorized to work on behalf of the company to carry out credential acquisition or verification activities.

A cloud service provider, referred to as an agency, associates one or more edge layers with an individual or organization cloud layer. Cloud and edge layers are comprised of agent software that manages the endpoint user experience (UX) and functional control plus wallet software that manages local storage. The cloud layer portion of an individual or organization is hosted by an agency. It provides the public endpoint for interactions with the agents of peer connections for the individual or organization. Each cloud layer instance would have a backup that may not be hosted within the same agency environment. A cloud agent is designed to be available 24/7 to send and receive communications on behalf of an entity. It manages communications, encryption, key management, data management and backup processes for the virtual identity vault. These agents use decentralized identifiers (DIDs) and DID documents to automatically negotiate mutually authenticated secure connections with the agents associated with their relationships. A cloud wallet manages keys, recovery shares and data storage.

Each of the entity’s devices run software referred to as the edge layer. Each edge agent is bound and synchronized to an associated cloud layer agent. These edge agents also act as an endpoint for offline interactions with edge layers of peer connections. An edge agent manages the generation and operational use of cryptographic keys and other secret artifacts. It communicates directly, peer-to-peer, via a protocol such as Bluetooth, NFC, or another mesh network protocol. Edge agents may also establish secure connections with cloud agents. An edge wallet manages key and data storage. It is the primary storage handler for private keys using a secure element or trusted platform module.

Bringing it all together

The ecosystem of components comes together to establish a peer-to-peer exchange of verifiable credentials. Individuals can interact directly with organizations or other individuals while organizations can additionally interact with other organizations.

peer-to-peer exchange

The network is comprised of distributed private agents working in parallel with the distributed ledger. Each entity can use the public ledger to register and verify public DIDs. The cloud agents provide the public endpoint for interactions with the agents of peer connections, or relationships. These connections are used for the swapping of private pairwise DIDs and the exchange of verifiable credentials. Edge agents can swap private pairwise DIDs and exchange verifiable credentials using offline connections.