Whether or not digital identity (DID) becomes a blockchain killer app remains to be seen. The intention is NOT to store your date of birth, passport and credit cards on a blockchain. It’s far simpler than that. Self-sovereign identity is the modern equivalent of user ids, a replacement for using your email address or telephone number as an identity. But the big idea is much more than that, and it’s not limited to consumers.
The current outrage over Facebook’s sharing of personal information with Cambridge Analytica highlights the centralization issue. There’s a question mark about whether companies take sufficient care of your data.
Equifax’s hack shows many companies don’t have adequate security and centralization makes them a target. A better digital identity solution isn’t going to resolve all cybersecurity issues, but it might help.
Then there are the identity verification costs. KYC (know your client) and AML (anti-money laundering) are both painful processes, and on the corporate side, there’s a significant cost. Here’s a problem ripe for a solution.
Another frustrating area is Identity and Access Management: How people log in. Whether that login identity is for a consumer application, a corporate login, or for integrating systems using an API.
In this day and age, the company whose system you’re logging into shouldn’t need to store your passwords. At a technical level, when system administrators access servers, they don’t use user ids and passwords, they use keys. Bitcoin has started to make the use of keys more mainstream.
SSL, DNS and identity analogies
Some of the building blocks that underpin the internet have inspired the latest identity designs.
At a technical level, the closest example to the proposed identity blockchain solutions is the SSL website certificate process that secures websites and gives the padlock in your browser. They’re the primary driver behind the current public key infrastructure PKI.
To add an SSL certificate to a website, the domain name owner creates a private key and sends the public key plus some additional information to a trusted Certificate Authority. The Certificate Authority takes basic steps to ensure this person has control over the domain and issues a certificate. The website owner installs the certificate on the server.
Web browsers will trust certificates signed by a list of Certificate Authorities. Five Certificate Authorities manage almost 95% of SSL requests.
There’s quite a lot of misunderstanding about SSL. Most certificates don’t verify the identity; they verify control over the domain. So if you owned the barclaybank.com domain (no S), you could still get an SSL certificate, even though BarclayS Bank does not own it. The primary purpose of SSL is to encrypt the data traveling between the server and your browser.
At a design level, Self Sovereign identity proposals are similar to the Domain Name System (DNS). A domain name owner controls where the domain points to, and a distributed system stores copies of the data. DNS is a distributed database with delegated authority.
The blockchain identity solution
With Self Sovereign identity solutions every individual has a private key and a Digital Identity (DID). A blockchain stores the DID and a document containing the public key. So the plan is for a distributed public key infrastructure PKI.
One of the leading solutions, Sovrin, proposes a public permissioned blockchain. That means the nodes are trusted or vetted, but the data is public.
If you’ve never seen a public key, it looks like a block of garbage text. Given there’s no private information on the blockchain, legislation like GDPR is a non-issue.
By moving away from easily readable and universal identifiers like phone numbers, email addresses, credit cards and government IDs it makes universal tracking harder. That said, Bitcoin has shown that pseudonymity and anonymity are vastly different and the authorities tracked several criminals using Bitcoin.
The obvious question is ‘what if one site gets hacked, will this compromise me everywhere?’. The answer is to have a separate DID for every organization you interact with. If there’s a hack, you revoke those credentials, and it only affects how you login to that one site.
Cryptocurrencies have shown that it’s hard for individuals to look after their private keys. Many computers and some mobile phones can be vulnerable.
But the real issues lie with software. Instead of hacking attempts on Facebook with their thousands of security professionals, the target becomes the app that stores your private keys. And that app is probably created by a startup. Cryptocurrencies have repeatedly demonstrated this problem.
Even a specialist company like Ledger that sells a secure hardware wallet can be vulnerable.
The user software will also need to prevent people from using the same DID in several places, to enable a user to revoke a DID easily and to prevent tracking.
The other question is whether Self Sovereign identities need a blockchain. It certainly needs a distributed system. Back to the DNS analogy, one of the weaknesses in DNS is the centralized points of control. Hacking one of the domain name registrars gives hackers control over substantial parts of the internet.
The counter-argument is that even with a blockchain there will be those vulnerable apps already mentioned. In future, it’s possible there could be server-based services for digital identities that fulfill a similar role to domain name registrars – with the convenience benefit and the centralization drawback.
From a security point of view, after teething problems, blockchain might win. From a performance point of view, it may not. Especially given the need to scale so that every person can have many IDs meaning an identity blockchain could have trillions of records.
This is the first in a series of articles about digital identity. We haven’t yet explored how this links to your date of birth, government ids and location. Future articles will look at the opportunities it enables and solutions under construction.