Due to the ID-Wallet project in Germany, some articles and comments have equated Self Sovereign Identity (SSI) with blockchain technology in the last few weeks. The impression is given that SSI only works in conjunction with a blockchain. Spoiler, that’s not the case.
In the following, I will try to explain why this is not the case in a simplified way.
The term blockchain is used in this article to represent all Distributed Ledger Technologies (DLT). This includes public blockchains such as Bitcoin or Ethereum as well as permissioned / public and permissioned / private Blockchains.
What does decentralized mean in Decentralized Digital Identities (aka SSI)?
The “decentralized” doesn’t refer to Blockchains. Decentralized means that a person’s data is stored with the person and is under their control. Most of the time, the information is stored on the smartphone, in a so-called wallet. An SSI wallet also has nothing to do with storing cryptocurrencies. Conventional Digital Identity systems store the data and information centrally on the server of the provider.
Private and public key, what is it?
SSI is only possible due to cryptography. One of the cornerstones is asymmetric encryption. A key pair is generated using a cryptographic method. The key pair consists of a public and a private key. As the names suggest, the private key must remain private, and the public key can be shared with the broader public. You can do two things with the key pair:
- You can encrypt a message.
Encryption is done with the public key and decryption with the private one.
- You can sign a file.
The signature is made with the private key, and the signature is verified with the public key.
The signature function is essential for further explanation.
SSI and digital signatures.
In an SSI system, an issuer generates the data (e.g. a driver’s licence), digitally signs it and transfers it to the holder. The holder can send the signed data or only parts of it to a verifier. The verifier can use the issuer’s public key to check the authenticity of the data.
How does the verifier get the public key?
For the verifier to be able to check the data, he needs the issuer’s public key. But how does he get it? In conventional systems, such as SSL certificates, a central point is contacted. Our browser asks a registration authority whether the website’s certificate is registered. In this way, our browser ensures that we are not on a fake page. The disadvantage is that the process depends on a central service and collects information about the activities.
Blockchain, Blockchain, Blockchain.
A Blockchain can be used to store and query the public key. It should be emphasized that the Blockchain alone does not provide any assurance that the stored key comes from the specified issuer. It must be guaranteed that the issuer is who he claims to be. This cannot be achieved by technology alone. In addition, organizational and process specifications must be defined. This is called governance or a trust framework. But this is a different topic and would go beyond the scope of this article.
The theoretical advantage of a Blockchain is that it is decentralized, and theoretically, every verifier can keep a copy of a Blockchain node, ensuring that he does not have to contact a central service. In reality, however, the query is usually made by a central service that itself operates a node and provides the information.
Can other storage locations than Blockchains be used for the public keys?
Yes, you can. It would even be possible to use existing PKIs (Public Key Infrastructures). It only has to be ensured that the privacy of the holder is protected and that no third party receives information about the use of the data. Another aspect is the dependence on a central service. If the service is discontinued or individual keys are deleted, the key cannot be verified anymore. These aspects must be taken into account in the design of a trust framework. Here again, decentralized technologies could be helpful …
The following graphic shows an example in which two documents from two different issuers are checked by one verifier. The first issuer, in this case, a bank, uses a Blockchain network to store the public key. The second issuer, an authority, uses an existing PKI.
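The same scenario as an added example in Go (not part of the original article and not Jolocom's code): the verifier checks two signed credentials and only needs a key lookup, whether the key sits on a ledger or in a PKI. The names `KeyStore`, `Credential`, `Issue` and `Verify`, the issuer IDs and the sample claims are assumptions made for illustration; the in-memory maps stand in for a real ledger node and PKI directory.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// KeyStore is a constructed in-memory stand-in for a ledger node or a PKI directory.
type KeyStore map[string]ed25519.PublicKey

// Credential is a simplified signed claim, not a W3C Verifiable Credential.
type Credential struct {
	Issuer, Claims string
	Sig            []byte
}

func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Issue signs issuer ID and claims together (assumes issuer IDs contain no newline).
func Issue(issuer, claims string, priv ed25519.PrivateKey) Credential {
	return Credential{issuer, claims, ed25519.Sign(priv, []byte(issuer+"\n"+claims))}
}

// Verify fetches the issuer key from whichever store is routed for that issuer.
func Verify(c Credential, routes map[string]KeyStore) error {
	pub, ok := routes[c.Issuer][c.Issuer] // a missing route is a nil map, so ok is false
	if !ok {
		return errors.New("no public key available for " + c.Issuer)
	}
	if !ed25519.Verify(pub, []byte(c.Issuer+"\n"+c.Claims), c.Sig) {
		return errors.New("signature does not match the issuer key")
	}
	return nil
}

func main() {
	bankPub, bankPriv := NewKeyPair()
	authPub, authPriv := NewKeyPair()
	// Constructed sample data: the bank key lives on a ledger, the authority key in a PKI.
	routes := map[string]KeyStore{"bank": {"bank": bankPub}, "authority": {"authority": authPub}}
	account := Issue("bank", "account holder: A. Sample", bankPriv)
	licence := Issue("authority", "licence class: B", authPriv)
	fmt.Println(Verify(account, routes), Verify(licence, routes)) // both accepted
	account.Claims = "account holder: M. Other"                  // altered after signing
	fmt.Println(Verify(account, routes))                         // rejected
}
```

Deleting an issuer's entry from its store makes `Verify` fail for every credential of that issuer, which is the dependence on the key registry that a trust framework has to account for.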
In the past two years, the SSI community has emancipated itself from Blockchain technology. It has been recognized that a Blockchain is not necessarily a prerequisite for realizing Self Sovereign Identity. And there is not “the one” Blockchain network on which an SSI system has to be built. It doesn’t matter which one, as long as it meets security and operational standards.
It is also difficult for authorities, for example, to abandon their current PKI implementations. It can therefore make sense to use existing PKIs.
Jolocom considers these requirements and develops its next generation of SSI technology independent of the underlying storage, PKI or Blockchain networks. Any storage location can be linked.
More important than the technology used is the definition of the organization and the processes so that a secure PKI and the highest level of privacy are guaranteed for the citizens.