Identity professionals continue to have questions about self-sovereign identity (SSI). In this post, I answer a few questions that Susan Morrow raised about the commercial viability, security, privacy, and desired user experience of SSI.
In Self-sovereign identity: 3 key questions (registration required), Susan Morrow asks some questions about the viability of self-sovereign identity (SSI). I actually found more than three. Here's some answers to Susan's questions.
After referencing Kim Cameron's Seven Laws of Identity (PDF), Susan states:
SSI is user-centric, but you don’t need to have a Self Sovereign ID system for it to be user-centric.
That's true. In fact, when we started Internet Identity Workshop, the mission was to explore user-centric identity. But, here's what I've found over the years: being about the user (user centric) doesn't necessarily mean that the user is structurally part of the flow, something Kim made central to his seven laws. I know there are plenty of people who hate the term, but "self sovereign" implies user control in a way that "user centric" does not.
Susan's first question concerns commercial use cases. She says:
I want to understand how we can fit an identity framework, that is based on presenting verifiable claims, to a service. Who will pay for the verification? If one organization pays, will they be happy if that data is then shared with a competitor to build up a trusted relationship with them?
The simple answer is "the same people who pay for it now." The world is full of things that can be represented as verifiable credentials. A passport, drivers license, and membership cards are all examples of verifiable credentials. Who pays for them now? The person who wants it. An employee ID is another example. Who pays for it now? The employer (who also pays for the I-9 verification, in the US at least, that could also be part of the employee ID). You have a bank statement that could be represented as a verifiable credential. It's backed by an expensive KYC check. Who paid for that? The bank (and ultimately the customer). I could go on, but you get the point. Most of the use cases for verifiable credentials are just digital forms of credentials that have long existed and making them digital doesn't change the business model.
A subtle point that Susan alludes to is that when these credentials become digital, they can be used more widely and the issuer might want a piece of the action. For example, if I use my bank-statement-as-verifiable-credential to prove that I'm real (since only real people get personal bank accounts because of KYC requirements), will the bank want to charge the verifier1? Will banks and others be able to rely on and re-use expensive KYC checks? Rather than seeing this as a problem, I see it as an opportunity. The Sovrin network anticipates use cases where one party in the credential exchange pays another. Sovrin is designed to support them. There are organizations in the Sovrin ecosystem working on these kinds of use cases now.
Bottom line: Sovrin hasn't seen lack of commercial use cases or business models as a problem over the last three years. In fact, just the opposite. There are dozens of commercial use cases and many pilots. One of the reasons I got involved in Sovrin 3.5 years ago was because of the enthusiastic support from the credit union industry. That has not waned. In fact it's gotten stronger. Why? Because SSI solves real problems that credit unions and other businesses have. For the first time since the Internet was invented, we now have a general-purpose protocol for proving things about ourselves based on credentials from third parties.
In kind of a throw-away comment at the end of the section on commercial use, Susan says:
And a last point before I move on. This was brought up by a government official in the UK—the data ownership—is a government verified identity document like a passport actually your data to own?
There's nothing about SSI that implies that people own their passport or other credentials. SSI implies that people hold them and control their use. Just like they do with their physical passport. SSI isn't about ownership and we need to dispel the myth that it is. In On Sovereignty, I say:
The key to sovereignty is that all entities are peers. I have the same rights you do. The beauty of sovereignty isn't complete and total control, but rather balance of power that leads to negotiations about the nature of the relationships between various entities in the system.
Sovereignty implies interactions between peers. Neither party is part of the other's administrative system. Instead, the parties form a relationship (via the exchange of decentralized identifiers) and interact using a common protocol.
Governance and Stewards
Susan labels her next question "This Governance Thing?" but the question is really about the Steward model that Sovrin uses to perform validation on the blockchain. She says:
I can see the positive aspect of [Stewards]. It extends the notion of decentralization to another layer. Good. I do, however, wonder if the steward will become a weak point in the system. Will cybercriminals target stewards to gain control of the nodes?
The Sovrin ledger is operated by known validators who are called Stewards. There are currently over 60 Sovrin Stewards who are located on six continents around the world. The Sovrin Governance Framework contains the requirements for operating a node and the agreements that the Stewards sign.
The ledger is an instance of Indy Plenum which implements a Redundant Byzantine Fault Tolerance (RBFT) algorithm. The details are important because they contain the answers to Susan's question. Plenum is a
3f+1 RBFT system. The implication of this is that an attacker would have to compromise
f+1 nodes to stop consensus and write progress and
2f+1 nodes to change what constitutes valid transactions.
So, making the math easy, assume there are 22 Stewards validating transactions on the mainnet. That makes
f equal to 7. To stop writes to the ledger, you would have to compromise 8 Stewards. To change a valid transaction, you'd need to compromise 15 Stewards. That means you can't just hack one Steward to successfully attack the ledger as a whole.
Still, if a hacker took over one node, they could potentially send back bad answers to queries that are different from what's on the ledger. Clients have several defenses against that. First, clients can send a ledger query to more than one node. Second, and better, clients can ask for a state proof of ledger state. State proofs can be used to check the answers from a node and are signed by
2f+1 nodes. Consequently, answers can have RBFT built in, allowing clients to easily check the validity of the answer.
In any computer system, there are opportunities for security issues. Sovrin employs algorithms, code, and governance to make the ledger as secure as possible.
Susan's third question involves the reality of the privacy claims of Sovrin. She says:
It is all well and good having minimal disclosure. But what if you want to buy a pair of shoes online. You have to allow the online vendor to know your address to send the shoes to. They will likely also want your name and other demographic data if they can get consent, for marketing purposes. Your data is then outside the SSI and held in a more traditional manner. And...it is now outside of your control too.
Susan is right. Minimal disclosure and zero knowledge proof can't keep companies from asking for too much information or storing that data in their systems. That's a human problem, not a technical one. Fortunately things like GDPR are starting to change the conversation on this.
Frankly, I'm not sure what point Susan is trying to make on this. Should we just give up? It's hopeless? I don't think so. What Sovrin's minimal disclosure does do is show that it's possible to limit information. Sovrin gives companies the means to ask for and use less data. I don't have to share my entire bank statement to prove that I have a bank account. And companies who don't want to handle my entire bank statement don't have to. Companies can no longer claim there's no choice. There is a choice and we can demonstrate that it works.
Zero knowledge proofs also allow credentials to be richer without compromising too much data. Here's an example: my employee ID credential could have lots of information (attributes) in it about not only my current role, but also all my past positions, salary history, and benefits. But I can choose to share only part of it to answer a specific request. I may prove to the bank that I've been employed greater than 3 years for a loan and then prove to the change control system that I'm authorized to deploy updates to the HR system—all from one credential. This makes it more flexible for the identity owner and easier to produce for the issuer since they don't have to create multiple credentials for the same person.
One more point: Sovrin's privacy stance is based on more than zero-knowledge proofs. It also relies on peer-to-peer relationships without correlating identifiers. This makes it harder for third parties to correlate information about me without my consent. Again, it doesn't make it impossible, but making it harder and showing that we can make working identity systems without a universal ID is a big improvement over where we've been, even with systems like social login.
As an aside, the ecommerce vendor doesn't actually have to have your address. They have to know what sales tax jurisdiction you live in (at least in the US) and they have to have a unique handle that the shipping company can turn into an address for delivery. You can imagine an ecommerce company that keeps no payment or address information on customers, but is still able to process their orders and send the merchandise. A universal protocol for exchanging verifiable credentials would be a foundation for this.
An Air of PGP to It
Finally, Susan says:
I get the same ‘techie’ feel of PGP within the SSI movement. I know that folks in SSI are working hard to get neat apps together to help with usability, but still, there is an air of PGP about it.
The best answer to this concern is to invite you to use a Sovrin wallet. Download Evernym's Connect.me from the app store and visit their demo site2. You won't see any keys. You won't see cryptocurrency addresses. You'll see relationships and credentials. Those are pretty common artifacts that almost any adult will have no problem understanding. Nothing could be further from the PGP user experience.
If you're an identity professional and trying to understand how it all works underneath the covers, you're going to see DIDs, credentials, public keys, zero-knowledge proofs, and all other kinds of technology. But none of that need be exposed to identity owners and it isn't.
A consistent user experience is, in Kim Cameron's view, a fundamental feature of an identity metasystem. That doesn't mean a single user interface—there will be multiple wallets. But the experience will be similar no matter which wallet you use.
SSI is not the only way to skin a cat. My own view is that a mix of technologies will, at least for the foreseeable future, be needed to accommodate the vast array of needs across the identity ecosystem. I can see use cases for SSI. But will it become the overarching way that humans resolve themselves in a digital realm?
While it may not be the only way to skin a cat, it's the only way that is universal. Other identity systems and protocols will continue to exist and interface to the identity metasystem. In an analogy, the Internet didn't do away with local area networks, but it connected them up and provided a universal protocol for exchanging messages between those networks. Sovrin will similarly impact and change existing, disconnected identity systems.
But it's bigger than just connecting systems that already exist. My argument is that Sovrin is an identity metasystem that serves as a foundation to support building any domain-specific identity system. Untold numbers of physical credentials can now be made digital—something that goes well beyond just connecting existing identity systems. The Sovrin identity metasystem gives rise to a universal trust framework that will impact almost every aspect of digital life. Yeah, I'm that bullish.
- See my recent blog post for a primer on verifiable credentials that defines terms and describes how they work.
- By the way, I point to Evernym's wallet simply because it has a nice credential demo they've created for it and it's the first to be commercially available. I'm aware of at least three other wallets in beta, including the StreetCred.id wallet I wrote about in DID Messaging: A Batphone for Everyone. For more on the coninually developing ecosystem of Sovrin, see Self-Sovereign Identity at IIW: We Have Liftoff.