Self-sovereign identity: Ideology & architecture
Christopher Allen
https://twitter.com/kanzure/status/1168566218040762369
Paralelni Polis
First I'd like to introduce the space we're in right now. Welcome to Paralelni Polis. It is an education organization. It's a first organization in the world that is running fully on crypto. It is running solely on cryptoeconomics and donations. I'd like to welcome you to the event called Rebooting the Web of Trust. This is the 9th event. This is its first time in Prague. We want to spread awareness and get communities around the world to focus on digital identity and to think differently about digital identity. I am really excited to weclome some of the world's leader in the topic of decentralized identity and self-sovereign identity.
Speaker intros
Hello. We're all very excited to be here in Prague. We were in Vienna yesterday and we took the train up to Prague this morning. It was a beautiful, wonderful trip through the country side. As you've heard, technology the topic we're talking about tonight is self-sovereign identity. This means different things to different people. There are many communities focusing on this concept. We try to cfommunicate with each other and ew'd like things to be interoperable. We're excited to have a number of speakers from these various different communities to try to give you a taste of what self-sovereign identity is about, and what it means for our digital lives.
There's a number of entities that go into creating this technology. You've heard about Rebooting Web of Trust which is a workshop where people from all over the world join us to write papers and build technologies. So they either write papers or write code. This is the 9th one, it has been going on for a while. The core thing that we're focused on with RWOT is just producing content so that we can communicate these ideas out to a broader audience.
The work is also happening in other venues, though. Like the internet identity workshop. The internet engineering task force. The W3C... It's really kind of a global thing at this point. The goal here is to give you a taste of what this self-sovereign identity thing is all about.
To introduce us to the topic is Christopher Allen. For those of you who don't know, Christopher Allen was the lead editor of the TLS/SSL specification, which is the cryptography technology that protects trillions of dollars of ecommerce. All of our ecommerce and communication are protected by this technology. He also worked on PGP and web of trust, and he is the originator of the term self-sovereign identity. He is going ot talk about these principles and how they became the foundation of what we're building today. Over to you, Chris.
My background
I am the executive director of Blockchain Commons. I am one of the founders of Rebooting Web of Trust. This is our 9th event for that.
Ideology
I am going to first speak about ideology. Let's meet Amira. She is going to improve the lives of millions of people with her work. She legally immigrated into the United States and she is now an engineer in Boston. But her extended family lives in Syria. The new anti-immigration policies in the US concern her. We want everyone, including Amira, achieve their absolute best potential. How do we do that in climates where there are challenges and fears? How does she participate fully with her skills to be able to help millions of people?
Self-sovereign identity is an ideology to reclaim human dignity and personal authority in the world. Along with this is an architecture and technology to enable that ideology or movement.
It will benefit both businesses and communities because it will allow people like Amira to achieve her full potential.
Principles of self-sovereign identity
Self-sovereign identity is based on the enlightenment and the universal declaration of basic human rights. You should be able to control your basic identity with your relationships and your interactions with different entities. You should have the same control over your digital life that you have over our physical lives.
We have a lot of autonomy as individuals. We can go to different places, we can choose what we do, we ought to have this level of autonomy and control in our digital lives, and often we don't. So we want to try to solve this and fix this.
This being said, this is not perfect control. We're not talking about absolute freedom, because we learn as participants in our cultures, that there are appropriate boundaries. As an adult, we're responsible to understand and respect those barriers. Because we all have the right and responsibility to find a line between areas that I control and areas that other people control, and we meet in the center.
We also have inherent dignity that is independent of our birth place, lineage or any labels, simply because we are human beings.
Digital identity today
Today, digital identity is administered by centralized authorities, like governments doing digital ID programs, corporations through your badge or your participation as an employee, or increasingly-- software platform providers like having a gmail address or an Apple identity etc.
All of them have a vested interest in managing people both online and offline because they want to enforce this social contract. I think this is an entirely legitimate thing. Governments care about their citizens and they want to make sure their citizens are respected and are able to benefit from the rule of law in their nation.
But because of this, they also have to lock out other authorities from changing or profiting from those social contracts. Facebook doesn't want twitter to profit from the work that Facebook has done. This is similar to Taiwan having a different idea about citizenship from say China.
This means centralized authorities are causing us a lot of relationship problems because we're part now of a global civil society. We're increasingly not solely a representative of one country or one company. We're involved with networks. I've been all over the world, I've talked with and consulted with governments, corporations and even individuals. The borders and social contracts between us are transnational, regional, there's also these indigenous and tribal relationships... And corporations and employers are also having to cross these boundaries as well.
All of these parties are re-negotiating what it means to be sovereign within those boundaries. But unfortunately they are ignoring the voice of ordinary people in this. Self-sovereignty gives individuals a voice as we renegotiate what it means to be human in the digital world.
Risks of centralization
There's a lot of risks related to centralized authorities. There's data silos making them targets for adversaries. Centralization is less resilient to attacks and damage. Often, central authorities don't give you recourse when there are problems. I know people have died in India because no recourse to some of the problems with their digital identity system. Abuse of powe rcan happen: there's an asymmetric relationship between a big country and an individual, and it gives them an advantage to potentially use power in a way that is against the interest of individuals, usually in a way that isn't transparent.
A lot of these centralized architectures around digital identity were created over 40 years ago, in the day of mainframes, and we're simply not in that world today. We're hitting the limits in terms of what centralized digital identity can provide.
Why now?
There's 1.1 billion people who have no legal identity around the world. There's tens of millions of people around the world that no nation state will acknowledge their existence. In europe, we have GDPR which requires privacy portability consent among other things. There's big mega digital identity projects, like India and China. India has registered over a billion citizens and this lets them do a lot of cool things, but unfortunately they are using centralized systems and some of the best practices over the past 20 years of work have not been adopted by them. This causes problems around discrimination, abuse by law enforcement, and the no-recourse problem. Xenophobia has been a problem around the world: people have discovered that you can use nationalism to create an us-vs-them narrative to enforce political power. We also have to deal with regime change. If your current government would never hurt you, what about your politician's successors? Holland had the best civil service in Europe, but the Nazis came in and confiscated the information and made a big mess of everything.
With bitcoin, we have learned that fixing this is possible. We can use these technologies to help individuals with their self-sovereignty.
Path to self-sovereign identity
http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html
A few years ago, I wrote an article on the path to self-sovereign identity. In there, I talked about 10 principles of self-sovereign identity: existence, control, access, transparency, persistence, portability, interoperability, consent, minimization, protection.
What about existence? Users have an independent existence. They are not just a digital persona. A digital persona will never fully represent you. You exist as a human independent of whatever bits there are about you. Our physical existence is our most fundamental fact and the control over ourselves is our most fundamental unalienable right. Also, human dignity is important because we can't just be entries in some ledger somewhere. People aren't just some problem that needs to be solved.
The second principle was about control: users must be able to control their identities, privacy or celebrity as they prefer. You are the ultimate authority on your identity and you should always be able to refer to it, update it, or hide it.
A free society demands that we be given voice in how we are represented in the world and how those representations are used. A lot of people are pushing us away from the idea of owning our own digital data. But humans are the only valid source of that moral authority. We have the moral authority over our digital representations.
Limits on self-sovereignty
You're not in total control, but self-sovereignty defines the borders where you are in control and outside of those borders you can negotiate with others not as a petitioner but as a peer where you negotiate. "Your right to swing your arms ends where the other man's nose begins". There are lines, and we're trying to figure out what those lines are.
Identity is not property
This is one of my new principles which is not embodied in those other 10 principles. There's a lot more here. I would really encourage you to look at Elizabeth Renariz who have written more than I have on this. In genreal, this community is trying to avoid the words "own" or "ownership" and instead we speak of an individual's right to control their digital identity. Making everything property means you need everything to be alienable, and there's a lot of things about alienability that you don't really want in your lives as individuals.
Balancing transparency and privacy
We tend to focus on preserving the rights of individuals over the needs of the group. There's a new way of looking at economics called erdogonomics... purely focusing on utilitarianism can go the wrong way for individuals. We should instead look at power imbalances and focus on rescuing the individual.
Credentials
The first solvable problem that we found was credentials, like licenses. It's all about a subject being authorized by some department of motor vehicles and here's some evidence they have collected and usage information and they basically issue a credential saying you can drive. Digital credentials are the same, but they can also add some claims about the license like-- they can be tamper-proof, and they can be combined with other kinds of digital credentials. They can allow for trusted dissonance trust at a distance.
We want the ability to create many identifiers for any person or organization, that are portable, no centralized authorities, etc. We created a new kind of url called a DID. It is a globally-unique, highly-available, cryptographically verifiable. We have a new approach for how to do identifiers. There are multiple DID methods and then here's an example of an individual method. This is not just for people, it's also for people and things. They resolve to DID documents that give applications all the keys and the info that they need to act on your behalf or communicate with you.
There's a bunch of different DID methods being proposed at this point.