SSI Ecosystem

Our personally identifying information (PII) describes the unique traits associated with an individual or entity. These identity traits are core to our physical and digital lives. Our daily life experiences tend to include a high frequency of credential interactions. This implies that as we move forward in the digital world, we must consider how our identity traits are rendered and how those renderings are used for online and offline interactions.

Identity instruments are the digital or physical, paper or plastic renderings of some subset of our PII as defined by the providers of the instruments. We are all familiar with an identification card, the traditional physical instrument that is your ID. Many physical identity instruments contain public and encoded information about an individual. The encoded information, which is often stored using machine readable technologies like magnetic strips or barcodes, are additional examples of rendering formats of an individual’s PII. Digital identity instruments pertain to an individual’s PII in a form that can be processed by a software program. Identity interactions pertain to the situational usage — whether you are paying, being identified, participating in some event or entering an access-controlled area — of our identity instruments.

As Self-Sovereign Identity (SSI) solutions evolve, they will deliver identity instruments that provide a unified identity interaction experience regardless of interaction type, either physical or online. During this maturation period, it is imperative that consideration be given to the tactical co-existence of the digital representations of our identity instruments and their interoperability with existing equipment readers. Depending on the situational context of an identity interaction concerning an identity instrument, there are existing and emerging standards that provide a means for the accessing, presenting and managing of identity information. Our daily lives are filled with a variety of identity interaction experiences. They may include a visit to the bank clerk, entering the airport, or a login to your utility company’s website. Each of these interaction experiences require you to present proof of your identity and may be face-to-face or online. As we migrate away from using physical identity towards digital instruments, we need to ensure that these new digital representations of our identity can seamlessly fit into our daily lives.

Standards

The SSI movement seeks to define and enable a future whereby individuals would be able to take back control of their identity and participate at a peer-to-peer level with their online and offline relationships. Today the landscape of open communities that support the necessary infrastructure — the network, code and standards — to achieve this vision has begun to mature.

openssi-stack

Foundational to this vision are open standards for the exchange of verifiable credentials anchored by distributed ledgers, such as Hyperledger Indy, that manage decentralized identifiers. The Sovrin Foundation oversees the Sovrin Network which provides an early model for such an SSI network based on Hyperledger Indy. It is important to note that the SSI initiative is not limited to digital identities as our PII can be expressed and used in a variety of verifiable credential use cases.

As the SSI ecosystem matures, individuals will eventually need to be able to manage their private keys. Work is already underway in OASIS on a Decentralized Key Management [DKMS] specification to address this.

Traits, Claims and Credentials

The Verifiable Credentials Specification describes three key stakeholders in an ecosystem that manages digital credentials: Issuers, Holders and Verifiers.

vc-stakeholders

Building on the notion of an identity trait being the most granular data element, the following image shows the concept of a claim, which is an attestation from an individual or organization which confirms that the entity has taken specific actions to establish truth about a specific identity trait. Examples of a claim include date of birth, height, and social security or driver license numbers.

credential-lifecycle

Depending on the situational context or the type of privileges to be granted, the complexity of the vetting process taken by an examiner to confirm the truth about a specific trait may vary. The required vetting, due diligence, regulatory compliance and other tasks needed to establish confidence in making a claim about an identity trait, will coincide with how the claim will be used. The role of an issuer pertains to the generation and delivery of a credential comprised of a set of claims in accordance with some predefined schema. A person’s physical trait or assigned attribute is examined to a degree whereby an entity can make a claim of truth about it. This then enables the same entity to issue a verifiable credential, a process which takes a collection of claims, structured in accordance with a well-defined schema for an identity instrument, and delivers it to the subject associated with the identity traits referenced by the claims. Examples of a verifiable credential can include college transcripts, driver licenses, auto insurance cards and building permits.

A holder (identity owner), such as students, employees and customers, may be in control of one or more verifiable credentials. A holder's trusted reputation increases as he/she gathers more and more credentials that are based on a higher degree vetting by each Examiner and higher importance of claims issued by each Issuer. This concept is represented in our daily lives as the trust value of a government issued credential is higher than that of say the membership to your local fitness center.

lcm-vcreds

Credentials can be used in many different situations where proof of identity is required by a verifier. A holder can use a specific credential or selectively disclose one or more claims from the corpus of held credentials to respond to a proof request. The verifier will process the response data to verify the authenticity of the issuer and holder before consuming the data. A verifier can be an employer, security personnel or a website.