Blockchain technology is the missing piece necessary to allow Self Sovereign Identity (SSI) to become a reality. Within the SSI framework, blockchain technology solves several problems that have been obstacles to the establishment of the “new world of digital identities.”
Self Sovereign Identity and Blockchain.
By leveraging Distributed Ledger and Blockchain technologies, users can generate an identifier autonomously that can demonstrate control through cryptographic mechanisms similar to those used in Bitcoin or Ethereum. What the user reports, or the attributes, are made up of a set of claims, statements that other entities make about the same thing. These are digital representations that are signed and allow anyone to verify their integrity and origin.
In essence, the Self Sovereign Identity (SSI) model based on blockchain allows those who have their own dedicated wallet to not delegate the custody and control of personal information to third parties, being able to decide which certificates to expose. The public and decentralized network in the SSI context can also be very useful for managing credential revocations.
The revocation lists (lists where all revoked credentials are marked) are currently centralized and therefore unknown to most. In order to fully and effectively implement SSI, it is necessary to have transparent access to these revocation lists. In this context, the blockchain is a perfect combination of openness and transparency, where Verifiers can independently verify the validity (or invalidity) of a credential on such a distributed network. The use of a network such as the blockchain certainly appears to be an enabling factor of Self Sovereign Identity.
Self-Sovereign and GDPR.
Existing digital identity models to date are not fully compliant with the European legislator’s adopted regulations on personal data. The arrival of SSI could represent a real revolution: the protection, limitation, and minimization principles inherent in the SSI protocol are aligned with those of GDPR, which is intended to protect citizens’ personal data.
GDPR identifies six basic principles related to the protection of personal data:
- Fairness and transparency in the processing of users’ personal data.
- Limitation in the processing of data with respect to the purposes for which they are collected: this means that users’ personal data can only be used by different companies for necessary purposes.
- Minimization of the personal data processed. As above, data must be processed in the minimum way possible based on the purposes of the processing;
- Accuracy and updating of the processed personal data, including the timely deletion of those that are useless or incorrect based on the purposes of the processing;
- Storage of data for a period not exceeding that necessary with respect to the purposes for which the processing was carried out;
- Ensure the integrity and confidentiality of personal data subject to processing.
To evaluate compliance with GDPR, it is necessary to verify how the concept of SSI behaves with respect to these principles:
- Accuracy and Transparency: the technologies used by SSI allow users to know exactly how personal data is being sent to third parties.
- Limitation: SSI allows users to decide which data they want to share with third parties at that moment and therefore know which data is in the hands of those third parties.
- Minimization: SSI allows for what is technically defined as selective disclosure. This means that the user can send only the necessary data, by design.
- Update: as with limitation, SSI allows data to be verified by third parties without the latter necessarily having to store it. In this way, online services and companies can be sure they have verified the necessary data without having to worry about managing and protecting personal data.
- Preservation: SSI allows users to personally preserve their own information without having to trust third parties. It can be said that SSI could bring several benefits compared to current data preservation practices for all stakeholders involved.
- Confidentiality: the confidentiality of data in SSI is allowed thanks to selective disclosure and the fact that users’ personal data can be stored only if necessary and only after the user’s approval.
Through this analysis, we can affirm that Self Sovereign Identity perfectly overlaps with the data protection principles expressed in the GDPR. As highlighted, SSI seems to be a really interesting paradigm for protecting users’ personal data. In this perspective, according to the nomenclature proposed by the GDPR, the individual/user would not only be a “data subject” but would even become the “controller” of their own identity and the information connected to it. The Identity Working Group of the German Blockchain Association identifies in Self-Sovereign Identity the potential to trigger a concrete alignment with the principles of the General Data Protection Regulation at a global level. Specifically, as the GDPR focuses on strengthening the right of individuals to the protection of their personal data, so Self-Sovereign Identity gives individuals/users full control over their own information. Furthermore, as the GDPR aims to ensure the free movement of personal data within the European single market, Self-Sovereign Identity promotes the free movement of information by building, by design, an additional level of trust and autonomy around transactions.
Self Sovereign Identity is finding application in some important projects, the main characteristics of which are summarized below.
Sovrin – Evernym.
Sovrin is a public identity network based on distributed ledger technology (DLT).
Sovrin allows its users to have an autonomous identity, which means that users have full ownership of their identity for their entire life and do not rely on any central authority to store it. In addition, the identity is private, which means that they can manage it autonomously and choose whom to reveal information to.
A Sovrin identity uses decentralized identifiers (DIDs) to enable the identity and links them to a user through asymmetric cryptography.
DIDs do not require issuance by a central authority and allow users to create identifiers that are permanent, globally unique, and cryptographically verifiable, allowing the identity owner to maintain full control over such identifiers.
DIDs are then inserted into the blockchain along with a DID document object (DDO) that includes the public key assigned to the identity owner and other information that the identity owner wants to reveal, as well as the network addresses necessary for interaction.
The identity owner owns the DDO as they possess the corresponding private key. Therefore, anyone with access to the Internet can verify their control of the private key and, consequently, the DID.
Sovrin identities have the advantage of reducing transaction costs, protecting people’s personal data, limiting the risk of cybercrime, and simplifying identity issues in sectors ranging from healthcare to banking to the Internet of Things.
The argument in favor of reducing transaction costs is that since the potential vendor can have more “certified” information about a customer, the risk of fraud is reduced, and therefore, they can offer a lower price without charging users for that risk. The claim that this limits the likelihood of cyber-attacks can be linked to the fact that Sovrin improves identity and access management by providing certainty about the identity of the subject. This results in fewer crimes due to the prior verification of the subject’s digital identity. Additionally, Sovrin enables a vendor to sell only to buyers who have shown their identity and whose identity is validated by someone the seller can trust.
Finally, the Sovrin platform will simplify identity issues in various sectors. This is mainly due to the number of people who will use the Sovrin identity. If a significant number of participants are reached, Sovrin identities can be introduced in different areas to address identity-related challenges.
Dizme – Infocert
DIZME is Infocert’s digital identity platform based on blockchain technology, designed and created to integrate SSI (Self-Sovereign Identity) in compliance with EU eIDAS1 regulations, resulting in a fully valid distributed digital identity.
Interoperability between SSI and TRUST services defined by the eIDAS regulation is made possible by InfoCert’s dual role, acting not only as the Founding Steward of the Network (as well as the Governance Authority of DIZME) but also as a QTSP (Qualified Trust Service Provider) under the eIDAS regulation.
Currently, the DIZME platform is available in BETA version, and the ecosystem partner-building phase – composed of leading companies in the financial, industrial, and academic worlds – has already begun, and the first pilot projects have been launched.
The Governance Authority (InfoCert) defines the identity credential scheme managed by DIZME and the mapping of the three levels of reliability (differentiated in terms of identity verification and resulting “confidence levels”).
Additional schemes and types of credentials (Context-Specific Credentials) can be defined on the proposal of individual issuers, relating, for example, to personal preferences, credit or income information, certifications, and so on. Such credentials – not limited by specific data types or implementation modes, nor imposed by a central hub – are immediately accessible and verifiable without complex integration procedures or commercial contracts.
Identity or specific context attribute verification can be Full Disclosure (with a request to share a series of Credentials provided to the Verifier by the Holder, who must explicitly consent) or Zero-Knowledge (with the Holder guaranteeing the Verifier a certain requirement without fully disclosing their Credentials).
Depending on the Identity Credential offered by the Holder, the Verifier can issue a different level of confidence, i.e., an Advanced or Qualified SignRequest – one-shot and eIDAS compliant – to obtain a digital signature with which the Holder can confirm a specific transaction, fully guaranteeing compliance and legal value.
The advantages for economic operators using DIZME are numerous and tangible. For example, banks and financial institutions can “share” KYC (Know Your Customer) credentials collected for anti-money laundering (AML) regulations and reuse them, avoiding the repetition of cumbersome procedures, facilitating the acquisition of new customers, and making it easier to subscribe to services. This scenario can be replicated in any sector with similar needs, such as telecommunications, utilities, and insurance.
Another primary area of application is digital certification of competencies based on Open Badge standards, which involves the issuance of virtual certificates for training or professional skills. With DIZME, these certificates are collected in the user’s portfolio and can be verified by entities such as employment agencies and recruitment companies, allowing for remote signing of employment contracts via digital signature.
Finally, the retail sector provides another example of SSI application. With DIZME, economic operators can manage loyalty programs by querying customer portfolios in Zero-Knowledge mode without obtaining sensitive data and avoiding the formalities required by GDPR regulations typical of paper-based data collection at the point of sale.