This article is also available in French, German and Spanish.
The history of the concept of Self-Sovereign Identity (SSI) is relatively short. At first, decentralized identity was a topic of interest only to a small group of specialists worried about privacy issues related to identities on the Internet.
Interest grew beyond that community after a surge in data breaches that exposed the personal data of millions of people, stolen from large companies such as Yahoo, Equifax, eBay and Uber, among others. Blockchain technology followed, bringing tamper-evident, append-only ledgers that do not depend on a single operator. Together these drove the push to decentralize identity.
Public concern about privacy and security reached such a level that governments began to regulate this area with laws such as the General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA).
VIDidentity, the decentralized identity service offered by Validated ID, is based on the principles of Self-Sovereign Identity.
Pretty Good Privacy
In 1991, Phil Zimmermann's Pretty Good Privacy (PGP) program was one of the first widely available implementations of public-key encryption. Created before mass adoption of the Internet, it laid the foundations of the decentralized trust model that later informed self-sovereign, or decentralized, identity.
To exchange encrypted messages, PGP required users to obtain each other's public keys before communicating. This key exchange gradually builds a network of trust: users hand their public keys to friends and associates, who in turn pass them on to their own friends and associates, and so on.
This process removes the need for a central certificate authority. Each signature on a key is a statement by the signer that the key belongs to the named person; the more signatures from people you already trust a key carries, the greater the confidence that the key really belongs to that person (a signature says nothing about the key being cryptographically stronger). This is the Web of Trust. PGP became popular enough that key-signing parties were held, where people met in person to check each other's identity documents and sign each other's keys.
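The trust propagation described above can be made concrete. The following is an added example written for this article, not PGP or GnuPG code: it evaluates key validity the way the classic PGP trust model does, using GnuPG's default policy knobs (one fully trusted signer or three marginally trusted signers, chains at most five hops long) as an assumption, over a constructed keyring seen from Alice's machine. It also shows why the number of signatures alone means nothing: Mallory's key, signed by five throwaway keys, never becomes valid, while Grace's key, signed by three people Alice only marginally trusts, becomes valid only once every one of those signers' keys has itself been validated.

```python
"""PGP-style web-of-trust evaluation (constructed example, not PGP/GnuPG code)."""
from typing import Dict, Set

# Owner-trust levels, with GnuPG's meaning: how far we trust a key's owner
# to vouch for *other* people's keys. ULTIMATE is reserved for our own key.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def compute_valid_keys(
    signatures: Dict[str, Set[str]],
    owner_trust: Dict[str, str],
    marginals_needed: int = 3,   # assumed GnuPG defaults: 3 marginals or 1 full signer
    completes_needed: int = 1,
    max_cert_depth: int = 5,     # longest chain of introducers we accept
) -> Set[str]:
    """Return the keys whose binding to their owner's name we accept as valid.

    signatures: key -> set of keys that certified (signed) it.
    A certification only counts if the certifying key is itself already valid
    AND we trust its owner as an introducer. Counting raw signatures would let
    anyone validate a key by signing it with a pile of throwaway keys.
    """
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}
    for _hop in range(max_cert_depth):
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            vouching = [s for s in signers if s != key and s in valid]
            full = sum(owner_trust.get(s, NONE) in (ULTIMATE, FULL) for s in vouching)
            marginal = sum(owner_trust.get(s, NONE) == MARGINAL for s in vouching)
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


# Constructed keyring as seen from Alice's machine: key -> keys that signed it.
SIGNATURES = {
    "alice": {"alice"},
    "bob": {"bob", "alice"},
    "carol": {"carol", "alice"},
    "dave": {"dave", "alice"},
    "erin": {"erin"},                               # nobody Alice knows has signed Erin
    "frank": {"frank", "bob"},                      # one fully trusted introducer
    "grace": {"grace", "carol", "dave", "erin"},    # three marginal signers, one not yet valid
    "mallory": {"mallory", "sock1", "sock2", "sock3", "sock4", "sock5"},  # sock puppets
}
OWNER_TRUST = {"alice": ULTIMATE, "bob": FULL,
               "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}

# After a key-signing party where Alice checked Erin's ID and signed her key.
SIGNATURES_AFTER_PARTY = {**SIGNATURES, "erin": {"erin", "alice"}}

if __name__ == "__main__":
    print(sorted(compute_valid_keys(SIGNATURES, OWNER_TRUST)))
    print(sorted(compute_valid_keys(SIGNATURES_AFTER_PARTY, OWNER_TRUST)))
```

Before the party, Erin's signature on Grace's key does not count even though Alice marginally trusts Erin, because Alice has no validated copy of Erin's key; after Alice signs Erin, Grace reaches three marginal signers and becomes valid. Lowering `marginals_needed` or raising `max_cert_depth` widens what is accepted, which is exactly the policy trade-off a PGP user makes.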
The seven laws of identity
The concept of self-sovereign identity began with The Seven Laws of Identity, written in 2005 by Kim Cameron, then identity architect at Microsoft. The laws describe what a modern, flexible and secure identity model should look like.
For Cameron, an identity system should reveal information about a user only with their consent, and should disclose the least information needed for the purpose at hand. For example, if a user must prove that they are of legal age, they should be able to show only that fact (or at most their year of birth), not their full date of birth or their whole identity document.
In this model, public entities (such as Google.com) use omnidirectional identifiers, public beacons that anyone can recognize, while private entities (such as an individual) use unidirectional identifiers, a different one for each relationship, so that the parties an individual deals with cannot pool their records and correlate them.
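To make the privacy property of unidirectional identifiers concrete, here is an added example written for this article (not Cameron's or any vendor's code). It derives a per-relying-party identifier from a wallet-held secret with HMAC-SHA256 and then shows what two services, or a data broker holding both of their user tables, can learn by joining on the identifier column. The services, users and secrets are constructed for the demo; the assumption that the relying party is named by its canonical https origin is mine.

```python
"""Unidirectional (pairwise) identifiers vs. one global identifier (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Iterable, Set


def pairwise_identifier(wallet_secret: bytes, relying_party_origin: str) -> str:
    """Derive the identifier a user presents to one relying party.

    HMAC-SHA256 keyed with a secret that never leaves the user's wallet:
    stable for the same party (returning users are recognized) but
    uncorrelatable across parties, which is what "unidirectional" buys.
    Assumption: the input is the party's canonical https origin, so a
    look-alike phishing domain receives a different, useless identifier.
    """
    return hmac.new(wallet_secret, relying_party_origin.encode(), hashlib.sha256).hexdigest()


def correlate(records_a: Iterable[str], records_b: Iterable[str]) -> Set[str]:
    """What two parties (or a broker who bought both databases) learn by
    joining their user tables on the identifier column."""
    return set(records_a) & set(records_b)


# Constructed scenario: two users, two unrelated services.
WALLET_SECRETS = {"ana": secrets.token_bytes(32), "luis": secrets.token_bytes(32)}
SHOP, CLINIC = "https://shop.example", "https://clinic.example"

# Global identifier: everyone logs in everywhere with the same email address.
EMAIL = {"ana": "ana@example.com", "luis": "luis@example.com"}
SHOP_USERS_GLOBAL = {EMAIL["ana"], EMAIL["luis"]}
CLINIC_USERS_GLOBAL = {EMAIL["ana"]}

# Pairwise identifiers: each service sees a different opaque ID for Ana.
SHOP_USERS_PAIRWISE = {pairwise_identifier(WALLET_SECRETS[u], SHOP) for u in ("ana", "luis")}
CLINIC_USERS_PAIRWISE = {pairwise_identifier(WALLET_SECRETS["ana"], CLINIC)}


def global_ids_leak() -> Set[str]:
    # Ana is exposed as a clinic patient to anyone who can join the two tables.
    return correlate(SHOP_USERS_GLOBAL, CLINIC_USERS_GLOBAL)


def pairwise_ids_leak() -> Set[str]:
    # Nothing to join on: the two identifiers share no structure without the wallet secret.
    return correlate(SHOP_USERS_PAIRWISE, CLINIC_USERS_PAIRWISE)
```

The shop still recognizes Ana on her next visit, because the same secret and the same origin yield the same identifier, but the shop and the clinic cannot tell that they share a customer.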
For the system to be universal, it must allow multiple technologies and multiple identity providers to interoperate. It should also be designed around the human user, with a consistent experience across contexts, rather than around the convenience of systems.
In the late 2000s there were several initiatives to create an identity model for the Internet. The most relevant was OpenID, the ancestor of the "Login with Facebook or Google" buttons we have today. These models have two main flaws: a lack of privacy, since the identity provider learns where and when each user logs in, and a lack of identity verification, since an account proves nothing about the person behind it. Both users and companies suffer from this.
At the same time, Europe has an official identity model based on eIDAS (the EU Regulation on electronic identification and trust services). Unlike the previous model it provides a strong identity, but its use by citizens has been almost negligible because it is so cumbersome to use.
The principles of self-sovereign identity
The concept of self-sovereign, or decentralized, identity emerged from the explosion of blockchain technology, which had a strong impact on the digital identity sector.
The ten principles of Self-Sovereign Identity were set out by Christopher Allen in 2016 in his article The Path to Self-Sovereign Identity, which explains what should guide any self-sovereign identity.
For Allen, a person's identity exists independently of any digital representation and can never be fully captured in digital form (existence). Self-sovereign identity only makes some aspects of the person public and accessible. In this model the user must control their identity (control): they should always be able to view it, update it, or even hide it.
The user must always be able to access their own data; there can be no hidden or inaccessible data in their own identity (access). Conversely, the user has access only to their own identity, not to anyone else's.
Identities should be long-lived, lasting at least as long as the user wants them to (persistence). This cannot contradict the "right to be forgotten": the user must be able to delete an identity if they wish to.
Identity information and services should be portable, so that a user's identity can be transferred to and stored in multiple locations as desired (portability), and usable worldwide across systems (interoperability), without the user losing control of their identity.
The user must consent to the use of their identity (consent). Other parties, such as an employer, a health insurer or a friend, can contribute data, but that data only counts as valid once the user has consented to it.
When sharing user data, the disclosure should contain as little information as possible to carry out the transaction (minimization).
Users' rights must be protected (protection). Where there is a conflict between the needs of the identity network and the rights of users, the network must err on the side of preserving individual freedoms and rights. Algorithms and systems must be transparent and open (transparency).
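The minimization principle above (and Cameron's "show only the fact you need" example earlier in this article) is usually implemented with selective disclosure: the issuer signs salted digests of each claim rather than the claims themselves, and the holder reveals only the claims a given verifier needs. The following is an added example written for this article, not the page's, Allen's or any vendor's code. It follows the SD-JWT style of salted claim digests but uses only the Python standard library; the HMAC "signature" is a stand-in for the issuer's real asymmetric signature, and the issuer key, claims and relying parties are constructed for the demo.

```python
"""Selective disclosure with salted claim digests, in the style of SD-JWT
(constructed example, stdlib only; not the page's or any vendor's code)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())


# --- Issuer: signs only digests, so the credential itself reveals no claim values.
def issue(claims: Dict[str, object], issuer_key: bytes) -> Tuple[dict, Dict[str, str]]:
    disclosures = {}
    for name, value in claims.items():
        salt = b64url(secrets.token_bytes(16))  # per-claim salt defeats guessing low-entropy values
        disclosures[name] = b64url(json.dumps([salt, name, value]).encode())
    payload = json.dumps(
        {"iss": "https://issuer.example", "_sd": sorted(digest(d) for d in disclosures.values())},
        sort_keys=True,
    )
    # Stand-in for the issuer's digital signature; a real issuer signs with an asymmetric key.
    signature = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}, disclosures


# --- Holder: hands over only the disclosures this transaction needs.
def present(credential: dict, disclosures: Dict[str, str], reveal: List[str]) -> dict:
    return {"credential": credential, "disclosures": [disclosures[n] for n in reveal]}


# --- Verifier: checks the signature, then checks each disclosure against the signed digests.
def verify(presentation: dict, issuer_key: bytes) -> Dict[str, object]:
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        raise ValueError("issuer signature does not verify")
    signed = set(json.loads(cred["payload"])["_sd"])
    revealed = {}
    for d in presentation["disclosures"]:
        if digest(d) not in signed:
            raise ValueError("disclosure was not signed by the issuer")
        _salt, name, value = json.loads(b64url_decode(d))
        revealed[name] = value
    return revealed


def accepted(presentation: dict, issuer_key: bytes) -> Optional[Dict[str, object]]:
    """Verifier outcome: the disclosed claims, or None if the presentation is rejected."""
    try:
        return verify(presentation, issuer_key)
    except ValueError:
        return None


# Constructed demo data.
ISSUER_KEY = b"demo-issuer-key"
CLAIMS = {"given_name": "Ana", "family_name": "García", "birthdate": "1990-05-17",
          "nationality": "ES", "age_over_18": True}
CREDENTIAL, DISCLOSURES = issue(CLAIMS, ISSUER_KEY)

# A bar only needs the age flag; the verifier learns nothing else about Ana.
BAR_PRESENTATION = present(CREDENTIAL, DISCLOSURES, ["age_over_18"])

# Without the issuer's salt a holder cannot fabricate a disclosure: its digest is not
# among those the issuer signed, which is also why a holder whose credential carries
# age_over_18: False cannot simply flip the value.
FORGED = {"credential": CREDENTIAL,
          "disclosures": [b64url(json.dumps(["anysalt", "age_over_18", True]).encode())]}
```

Sorting the digests in `_sd` also hides the original claim order, and because the verifier only ever sees digests plus the disclosures the holder chose, the birthdate and name never leave the wallet in the bar scenario.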
Rebooting Web Of Trust: the first initiative to organize the industry
Christopher Allen organized the RWOT (Rebooting the Web of Trust) events to create a new identity system based on a decentralized web of trust. RWOT is a design workshop held roughly every six months, where professionals from a wide variety of backgrounds discuss identity issues.
The conversations at this forum lead to white papers that have been key to advancing the identity sector. For example, the first paper produced by the first event, held in November 2015, was titled "Rebranding the Web of Trust"; it redefined the term and proposed a more modern model for the elements of trust. All the published white papers are listed at https://www.weboftrust.info/papers.html
DIF: the big think-tank of the SSI world
Alongside RWOT, the IIW (Internet Identity Workshop) has been the main forum for the identity industry. The first workshop was held in October 2005, with the aim of providing a forum where the architecture, governance and underlying philosophy of Internet identity services could be discussed. Out of these events came the need to organize the industry's thinkers on SSI issues, and RWOT and IIW together served as the basis for creating the DIF (Decentralized Identity Foundation) in 2017, the most relevant think tank in the SSI world. Hundreds of organizations, including Microsoft, Hyperledger, Accenture and Sovrin, participate, and DIF has led standardization efforts in the sector.
INATBA: the European association for blockchain issues
In 2019 the European Commission drove the creation of INATBA (International Association for Trusted Blockchain Applications), with the aim of promoting the use of blockchain technology. It has more than a hundred members, including Accenture, Everis, Fujitsu, IBM, Deutsche Telekom, Telefónica, BBVA, IOTA, Ripple, Sovrin, ConsenSys and Validated ID, and a working group dedicated to identity. Of particular note are the white paper "Decentralised Identity: What's at Stake?", published in November 2020, and the association's response to the public consultation on the draft eIDAS 2 regulation, which includes proposals for improvement.
Sovrin: the first large SSI network
In parallel with the work of defining concepts, protocols and international standards, several initiatives and projects have emerged around decentralized identity. The Sovrin network is a distributed, public, permissioned ledger built specifically for identity. It was the first major decentralized identity network and has had a great influence on the current model. In Spain, the only Sovrin node is hosted by Validated ID.
In 2020, as a result of collaboration between companies in international forums, Trust over IP (ToIP) was born. The idea took shape during 2019, when multiple efforts in digital identity, verifiable credentials, blockchain technology and secure communications converged and saw the need for a single interoperable architecture for decentralized digital trust. More than 300 organizations and individuals are members of the ToIP Foundation, including Accenture, Avast, the Government of British Columbia, IBM and Mastercard.
Alastria: the great national initiative
In Spain, Alastria is the leading network in the decentralized identity sector. Founded in 2017, it billed itself as "the world's first regulated national blockchain-based network." Backed by major Spanish entities such as BBVA, Banco Santander, Iberdrola and Repsol, among many others, it was created to accelerate the creation of digital ecosystems by providing a common collaborative platform. Its scope goes beyond identity, although identity is an important focus. Built on Ethereum technology, it is the first initiative to focus specifically on the legal issues.
Europe and the eIDAS Bridge
All of the above players, except perhaps Alastria, are far removed from the regulatory world. Although many identity wallets are under development and several companies, Validated ID among them, are looking forward to this paradigm shift, the reality is that the legal framework has yet to mature. For the time being we have the eIDAS regulation, focused mainly on PKI and traditional certificates.
In June 2021 the European Commission published a proposal to amend this regulation, under which the new identities of European citizens will be based on the principles of decentralized identity and held in identity wallets. However, this amendment has yet to be formally approved and implemented.
For this reason, the eIDAS Bridge project emerged as an intermediate step. It is an initiative of the European Commission (EC) to promote eIDAS as a trust framework for the SSI ecosystem.
eSSIF-Lab, another EU-funded project, later set out to provide an eIDAS Bridge implementation and to test interoperability between different vendors' implementations.
The project's technical deliverables, developed by Validated ID, use the keys of qualified certificates, linked to the issuer's identifier, for SSI operations, so that what is issued in the SSI world can be traced back to an eIDAS qualified certificate. The legal deliverables, prepared by Nacho Alamillo, set out the parts of the current regulation that need to change to accommodate this new identity model, which eIDAS 2.0 subsequently addresses.
EBSI: the great European project
The European Blockchain Services Infrastructure (EBSI) is a joint initiative of the European Commission and the European Blockchain Partnership. It was created in 2020 to use blockchain technology to accelerate the creation of cross-border services that let public administrations and their ecosystems verify information and make services more reliable.
Since 2020, EBSI has deployed a network of distributed nodes across Europe supporting applications for selected use cases, and it has been Europe's reference project in the SSI world. EBSI and eIDAS 2 were created independently and are managed by different groups, but they have evolved to converge.
eIDAS 2.0: SSI's final horizon
The eIDAS Regulation on electronic identification and trust services for electronic transactions in the internal market was adopted in July 2014. It was a key milestone in the regulation of identification in electronic transactions, aimed at increasing trust in those transactions to promote online commerce, and it was built around certificates, seals and electronic signatures of documents (trust services).
The first eIDAS regulation is a global benchmark whose regulatory foundations have been replicated in countries outside the European Union. Despite its high level of acceptance for trust services, almost a decade later the adoption of electronic identification in public administrations is still very low.
Therefore a proposal to amend the eIDAS Regulation (known as eIDAS 2) was published in June 2021. Its aim is to give European citizens a digital identity valid across the entire EU, enabling them to share personal information in a wide variety of contexts, including with private parties.
eIDAS 2 is based on the concepts of decentralized identity. It is striking that a model with its origins in the alternative world of blockchain has served as the basis for the new European identity regulation.
The next major milestone is the Toolbox, a set of common protocols and tools on which both the European Commission and the member states are working, whose first version is expected in September this year.