Introduction to Self Sovereign Identity - IIW October 2019

INTERNET IDENTITY WORKSHOP | October 2019
Heather Vescent, Karyl Fowler, & Lucas Tétreault
SSI 101

• Heather Vescent, @heathervescent
CEO, The Purple Tornado & Author of Comprehensive Guide to SSI
• Karyl Fowler, @TheKaryl
CEO, Transmute
• Lucas Tétreault, @Ltetreault
VP, R&D Vivvo
Who are we?
+ How we got into Decentralized Identity

• Why SSI?
• Identity Models
• DIDs
• Emerging SSI stack standards
• Transmute & Vivvo examples
• Q&A
Agenda

The Vision: A Global Digital Rail
• Technology standards for interoperability
• Trans-National, goes beyond borders
• Governments supported development of new infrastructure by
private sector
• Government of Canada
• DHS investments
• Citizens access Government services without being tracked or
correlated
• Identity issuance and verification
• Digitally native identity and credentials
• What else is possible?

2: Federated Identity
You Identity
Providers
Standards:
Applications

Centralized vs Federated Identity
Centralized

Centralized vs Federated Identity
Federated

Today’s problems
• Data collected to create detailed profiles
• User doesn’t own data or decides how it’s used
• Difficult to delegate access and share data
• Users can’t control how their data is secured
(or how notified if there is a breach)
• + UN/PW databases are an attack surface

3: Decentralized Identity
Wallet
Blockchain or Distributed Leger

Wallet
ID
Consumer
(Verifier)

Wallet
ID Issuer
ID
Consumer
(Verifier)

Ideas
(2-10 years)
Incubation
(6-18 months)
Refinement
(1-3 years)
Standardization
(~18-24 months)
Conversations Papers Experiments,
Specifications, & Pilots
Standards
W3C Community
Groups
Rebooting the Web
of Trust

Interoperable standards to
implement a common
technology stack.
• DID Spec
• DID Methods
• Universal Resolver
• DID Auth
• Verifiable Credentials
Standards & Specs

What is a Decentralized Identifier?
• New type of identifier for verifiable, "self-sovereign" digital identity
• Fully under the control of the DID subject, enabling independence
from any specific:
– centralized registry
– identity provider
– certificate authority
• URL enabling trustable interactions with DID subject

DIDs resolve to DID Documents
• DIDs resolve to DID Documents
• DID Documents contain verification methods and service endpoints for interacting with
the DID subject
• A verification method is a way of verifying a particular type of DID interaction, such as:
– Performing authentication
– Secure service endpoint

DID Document{
"@context": "https://w3id.org/did/v1",
"id": "did:example:123456789abcdefghi",
"publicKey": [{
"id": "did:example:123456789abcdefghi#keys-1",
"type": "RsaSigningKey2018",
"owner": "did:example:123456789abcdefghi",
"publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----rn"
}],
"authentication": [{
"type": "RsaSignatureAuthentication2018",
"publicKey": "did:example:123456789abcdefghi#keys-1"
}],
"service": [{
"type": "ExampleService",
"serviceEndpoint": "https://example.com/endpoint/8377464"
}],
"created": "2002-10-10T17:00:00Z",
"updated": "2016-10-17T02:41:00Z",
”proof": {
"type": "RsaSignature2018",
"created": "2016-02-08T16:02:20Z",
"creator": "did:sov:8uQhQMGzWxR8vw5P3UWH1j#key/1",
”proofValue": "IOmA4R7TfhkYTYW87z640O3GYFldw0
yqie9Wl1kZ5OBYNAKOwG5uOsPRK8/2C4STOWF+83cMcbZ3CBMq2/
gi25s=”
}
}

DID Document – DID{
"publicKey": [{
}],
}],
"service": [{
}],
"created": "2002-10-10T17:00:00Z",
"updated": "2016-10-17T02:41:00Z",
”proof": {
"created": "2016-02-08T16:02:20Z",
gi25s=”
}
}

DID Document – public key{
"publicKey": [{
}],
}],
"service": [{
}],
"created": "2002-10-10T17:00:00Z",
"updated": "2016-10-17T02:41:00Z",
”proof": {
"created": "2016-02-08T16:02:20Z",
gi25s=”
}
}

DID Document – service endpoint{
"publicKey": [{
}],
}],
"service": [{
}],
"created": "2002-10-10T17:00:00Z",
"updated": "2016-10-17T02:41:00Z",
”proof": {
"created": "2016-02-08T16:02:20Z",
gi25s=”
}
}

DID Document – date{
"publicKey": [{
}],
}],
"service": [{
}],
"created": "2002-10-10T17:00:00Z",
"updated": "2016-10-17T02:41:00Z",
”proof": {
"created": "2016-02-08T16:02:20Z",
gi25s=”
}
}

DID Document – proof{
"publicKey": [{
}],
}],
"service": [{
}],
"created": "2002-10-10T17:00:00Z",
"updated": "2016-10-17T02:41:00Z",
”proof": {
"created": "2016-02-08T16:02:20Z",
gi25s=”
}
}

DID Methods
Active DID Method Specs
Method DID Prefix
Bitcoin did:btcr
Blockstack did:stack
Element - Sidetree did:elem
Ethereum uPort did:ethr
Github DID did:github
IPFS did:ipld
Sovrin did:soc
Veres One did:v1

• Syntax
• CRUD (Create, Read, Update, Delete) operations
• Applies to DIDs and DID documents
• Specifies distributed ledger (or blockchain)
• Any method-specific elements
DID Method Spec Defines

• Different use cases
• Different capabilities
• Different economic model
Results in different
implementation choices
~25 Different registered DID Methods
on a different ledgers
• Ethereum, Bitcoin
• IPFS
• Fit-for-purpose: Sovrin, Veres One
• No blockchain: Github DID
• Ledger agnostic + scalable:
Sidetree (Element, ION)
• Thought experiments
DID Methods

did:btcr:xkyt-fzgq-qq87-xnhn
Universal Resolver
DID Method Spec
DID Document
DID
Universal Resolver

DID Auth Here is my decentralized
identifier
Prove you own it!
Here’s my proof! Come on in!
Resolves the DID
Document
Creates proof

Verified Credentials
Wallet
Issuer
Verifier

GitHub DID
BLOCKCHAIN NOT REQUIRED
41
• Development tool for working with DIDs that
leverages, github for easy setup without the need
to run a ledger.
• Supports fast development of DID Verifiable
credentials, and new signature suites
• Supports a CLI, Web App, API and standard
Library Providing useful templates for getting
started with DIDs.
• Supports OpenPGP Signature Suite, enabling
integration with Yubikey, and legacy mail systems
that use OpenPGP / GPG.
• Interest from GitHub and HyperLedger for use in
interoperable documentation.
• Supports demo’s for sign, verify, encrypt and
decrypt with DIDs.
• Supports a standard wallet file, with
interoperability with Element and Transmute ID.

Interop Project
TRANSMUTE LEADS THE
42
• Demonstrate Interoperability across DID
Methods, Websites, Agents, Hubs, Identity
Wallets and Verifiable Credentials
• Provides insight into gaps and opportunities for
partnership in the ecosystem.
• Transmute is the leader of this initiative, and
assists the working groups in providing clarity
around interoperability.

OUR PROBLEM
44
The Enterprise Identity Crisis
describes today’s environment where
as companies grow, their risk grows
disproportionately.

Collaborate Without Compromise
Transmute ID integrates with your existing infrastructure, grows with your business
and minimizes friction between you and your customers – the fastest path to new
revenue.
45
THE SSI-ENABLED ENTERPRISE

THE SOLUTION
Scalability of Cloud +
Security of Decentralized Public Key Cryptography
+ Automated Tracking on Blockchain
46

Enterprise IDP
Architecture
Transmute Workflow Engine: Open and Closed Source Components
Integrations
Enterprise Storage Decentralized Infrastructure
+ Add your
own
Major enterprise systems like… Major cloud providers like… Leading DLT solutions like…
+ Add you
own
+ Add your
own
47

Transmute Workflow Engine
48
48

FRAMEWORK FOR ADOPTION
1. Is selective disclosure or privacy a priority?
2. Is there high coordination burden?
3. Is traceability or auditability important?
Application Areas
Chains of Custody
Commercial + Defense Supply Chain Logistics
Cold Chain (pharma to agriculture)
Contract Management (Legal, HR, Real Estate)
Software
Data Infrastructure &
Governance_
Cloud roles + access management_
Microservices monitoring_
Telco
5G + IoT Enablement
Identity/Data-as-a-Service
Anti-Fraud (verification + roaming)
Healthcare_
Insurance + Billing_
Patient-centric data sharing + management_
49

LOGISTICS APPLICATION
Transmute ID combines the security advantages of user-
managed access and verified credentials to safely manage
identities across your enterprise ecosystem.
50

Kantara Initiative
PARTNERSHIPS
51
• Transmute engages with the
Kantara member network to
demonstrate implementations of
the mutual Consent Receipt
standard, which supports
emergent data and privacy
regulations like GDPR.
• Kantara’s Trust Services
Interoperability groups work “at
the intersection of digital identity,
personal data agency and
usability.”
CONSENT RECEIPT FLOW EXAMPLE

Ledger agnostic protocol for anchoring
batches of signed JSON Patch
Operations resulting in a DPKI CRDT.
Batching supports higher throughput &
lower cost, but paranoid users can still
anchor themselves.
Open Source Apache-2
Implementations for Bitcoin & Ethereum
supported by the Linux Foundation.
Sidetree Protocol
SCALABILITY
52
A javascript library implementing the
Sidetree Protocol on Ethereum and
IPFS.
Modular, portable and extendable with
support for both in browser (light client)
and full nodes (REST API).
Open Source Apache-2, Created by
Transmute, supported by Microsoft &
the Linux Foundation.
Scalable DPKI is the foundation of
enterprise security applications.
Element
S I D E T R E E
52

RESOLUTION
A kind of reverse anchoring:
ledger -> anchor -> batch -> operation
=> did document
Data Poisoning, Spam and Errors:
How do trusted nodes handle bad data?
Why resolve a DID?
Signature Verification, Service
Endpoints and the Future of SSI.
WALLET
Hardware, Mobile, Web, API, Trusted
Execution Environment?
JWS vs JSON-LD Signatures, the case
for JSON-LD.
Shamir, Recovery and Usability.
Not all keys need to be in the same
place!

ANCHORING
CRUD
Signed
Operation
Batch File
Anchor File
Signed Ledger Transaction
CRUD
Signed
Operation
CRUD
Signed
Operation
Server
Client

IPFS
Ethereum
PouchDB
NanoBus
Storage
Blockchain
SidetreeLight Node
Full Node
ServiceBus
DB
Firestore
Mnemonic
Key System
DID Wallet
Protocol
Functions
Element
A R C H I T E C T U R E
55
Server
Browser
Open Source DID Method
in collaboration with DIF
Members

VIVVO
Lucas Tétreault, VP R&D

Vivvo + SSI
• eGovernment platform that includes identity federation (SP and
IdP), identity proofing, consent and policy management, etc.
• Started hearing rumblings about SSI from Government of Canada
contacts in 2017
• Started investing in SSI in 2018 from a research perspective
• Came to IIW in the fall of 2018 with a pretty early prototype of DID-
Auth and collecting verifiable credentials in a wallet

SSI Use Case: Vivvo + ISED
Business Connect:
- In production with the province of
Saskatchewan since spring 2018
- Identity, business and relationship to
business proofing
- Access government services on behalf
of a business

Vivvo: What has worked well?
“I love the idea of authentication with my phone for all government services
not only for businesses.”
“I liked how the phone app notified me quickly about creating the
credentials in my digital wallet –it was almost instantaneous.”
“What I liked about the functionality tested - no remembering of usernames
and passcodes, information reusable with my consent, the digital wallet
concept.”

Vivvo: Industry Response
• Use of verified identity information on mobile device (i.e. digital wallet) is a
key enabler to easy and secure sharing of business identity among service
providers
• Need for common / standard technology platform to enable re-use of
verified identity information across digital identity providers and
applications.
• Need for education and paradigm shift to increase trust/confidence for
using mobile device for higher risk transactions.
• Perception that mobile device technology is not mature enough (at least in
North America) for digital wallet/payme

Vivvo: Outstanding Challenges
• did:vvo method backed by rest service / relational database
• Our PoC with ISED was more about passwordless auth and
portability of VCs than proving out a DID method and/or DLT
• We are betting big time on interoperability and standardization

Many Proof of Concepts
Proof of Concept Use Case Who’s Involved
VON Business Credentials British Columbia Government
CU Ledger Credit Union Banking
Security
Sovrin + Credit Union National
Association
Building Blocks Food Aid World Food Programme
(Syrian Refugee Aid)
Dutch Digital ID Digital ID TU Delft + Dutch Gov + Others
Walmart Supply Chain Food Supply Tracking Walmart + Hyperledger Fabric
TradeLens Shipping Shipping + Tracking IBM + Maersk

Novartis Pharmaceuticals
• Innovative Medicine Initiative Blockchain Enabled Healthcare
• Experimenting with DIDs & Verifiable Credentials since 2016
• Third party risk
– Qualified suppliers: environmental & labor practices + auditing
– IoT: temperature monitoring for data integrity
– Digitized documents: materials certifications, trade documents
• Sharing patient data
– Drug trials
– Patient experience w/ doctors, researchers, and companies

Government Support
• DHS SBIR & SVIP Grants
– Improve Supply Chain Management
– Combat Counterfeit Goods
• Canadian Government Innovation Challenge:
– https://www.ic.gc.ca/eic/site/101.nsf/eng/00068.html
Source: DHS Science and
Technology Directorate's
Testimony before the US House
of Representatives, May 8, 2018

SSI improves user experience
• Assert an identity or credential digitally
– Could be verified or not
• User collects, shares, controls their own data
– Fine toothed control, read, save, edit the data
– Share verified data anonymously
• Increases privacy, while enabling data sharing

SSI improves Business & Government
• Potential to reduce/eliminate database security risk
• More control over credentials issued, revocation
• Streamline onboarding, increase business efficiency
– Reduce fraud by confirming multiple data points
– Streamline confirmation of compliance data/documentation
• Increase trust of any verified data that must be shared
downstream
– Drug trials
– Compliance documents
– Provenance data

In conclusion
• Users control their identities & data
• Emerging technology for IoT identity
• Business opportunities for digitally native
credentials
• Opportunity to build interoperable infrastructure
• Many companies, governments & communities
are building & investing in it today

Resources
Guide to SSI: https://ssiscoop.com/
W3C Credentials Community Group
https://w3c-ccg.github.io/
W3C DID WG: https://www.w3.org/2019/did-wg/
DIF: http://identity.foundation/
IIW: https://www.internetidentityworkshop.com
SSI Meetup: http://ssimeetup.org
RWOT: https://www.weboftrust.info/

Introduction to Self Sovereign Identity - IIW October 2019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Introduction to Self Sovereign Identity - IIW October 2019

Similar to Introduction to Self Sovereign Identity - IIW October 2019 (20)

More from Heather Vescent

More from Heather Vescent (20)

Recently uploaded

Recently uploaded (20)

Introduction to Self Sovereign Identity - IIW October 2019