Blockchain

Self-Sovereign Identity: The Ultimate Guide 2022

Published
November 23, 2022

Dock has been a pioneer in the revolutionary Web3 space. Since 2017, our expert team has been building cutting-edge Verifiable Credentials and Self-Sovereign Identity technology. We created this complete guide on Self-Sovereign Identity to explain its importance to organizations and individuals as well as how the tech works in a simple way.

TL;DR

  • As we access apps and websites, organizations by default predominantly use centralized and federated identity management systems (e.g. signing in with a Google or Facebook account). Centralized systems often make organizations vulnerable to large-scale hacks and data breaches. With federated systems, credential providers like Google may store people’s personal data and track their online activity without their knowledge.
  • Because ID and credential verification processes are very slow, expensive, and outdated, certificate fraud and lack of product traceability are big problems around the world.
  • To solve many of these problems, Self-Sovereign Identity (SSI) was developed. Self-Sovereign Identity is a model that gives individuals full ownership and control of their digital identities without relying on a central authority. For organizations, SSI technology enables them to create fraud-proof Verifiable Credentials and instantly verify the authenticity of a credential.
  • Self-Sovereign Identity is made up of 3 pillars: blockchain, decentralized identifiers, and Verifiable Credentials.
  • Self-Sovereign Identity technology can be applied to diverse use cases including issuing fraud-proof certifications, supply chain product tracking, and speeding up workforce recruitment times.

Introduction

How would you feel if you found out that your doctor had a fake degree?

If you’re a food supplier, how would you contain a contaminated batch of products when you can’t trace it back to its origin?

And did you know that cybercriminals earn up to $2.2 million through formjacking attacks by stealing 10 credit cards per website?

While all of these situations seem completely unrelated, they actually all tie back to the recurring problems of outdated verification systems and reduced security with traditional identity management systems.

As we access apps and websites, organizations are dominantly using centralized and federated identity management systems (e.g. signing in with a Google or Facebook account) by default. The centralized system puts data at risk of large scale hacks and breaches while the federated model enables companies to track user data without their knowledge. Unsurprisingly, cybersecurity spending increases every year.

These problems are what motivated the development of the Self-Sovereign Identity model to manage digital identities. There are many advantages to Self-Sovereign Identity that we’ll dive into more detail later, including:

  • Fully owning and controlling your data
  • Increased security and privacy
  • Eliminating central points of failure
  • Data can’t be tracked or correlated (correlation means linking data back to someone’s identity or using it to track their online behavior)

What Is Self-Sovereign Identity?

Self-Sovereign Identity (SSI) is a model that gives individuals full ownership and control of their digital identities without relying on a third party. In contrast to centralized identity management, you are the boss of your identity and get to decide who gets to see your data. You can also remove access to your data any time.

Before diving into the details of Self-Sovereign Identity, it’s important to know what digital identity is first. A digital identity is any data that exists online that can be traced back to an individual or organization. Identifiable data includes passwords, user names, bank accounts, and social media photos.

SSI technology allows people to self-manage their digital identities without depending on third-party providers to store and manage the data. Currently, Self-Sovereign Identity is used interchangeably with the term decentralized identity.

There are three main participants in the SSI system:

A Self-Sovereign Identity system has holders, issuers, and verifiers.

The interactions between the holder, issuer, and verifier are sometimes called "the trust triangle." Every time information is requested by a verifier, the holder chooses whether to allow access to their data.

3 Pillars of Self-Sovereign Identity

Verifiable Credentials, blockchain, and decentralized identifiers are 3 pillars of Self-Sovereign Identity.

Self-Sovereign Identity is made up of 3 pillars:

  1. Blockchain: A decentralized database that is shared among computers in the blockchain network that records information in a way that makes it very difficult to change, hack, or cheat the system.
  2. Decentralized Identifiers (DIDs): Cryptographically verifiable identifiers created by the user, owned by the user, and independent of any organization. DIDs contain no personal identifiable information.
  3. Verifiable Credentials (VCs): Digital cryptographically-secure versions of paper and digital credentials that people can present to verifiers.

For example, let's say a new gym opens and every employee must have a First Aid training certificate, which is valid for three years.

  • Holder: Sandy the job applicant
  • Issuer: First Aid training organization
  • Verifier: Gym

Here is how these roles interact in a Self-Sovereign Identity system:

  1. Sandy (holder) has a digital identity wallet app on her phone that stores her Verifiable Credentials.
  2. Sandy successfully passes her First Aid training and the training organization digitally issues her training certificate that she then keeps securely on her app. Her certificate is now fraud-proof.
  3. Sandy applies to the gym (verifier) and presents her Verifiable Credential (the certificate) and the gym can instantly verify her credential by simply scanning a QR code.

In this case, the gym trusts only the First Aid training organization as an issuer and Sandy wouldn’t be able to fake the certificate. The training organization’s DID is publicly known and only First Aid certificates issued by this issuer as Verifiable Credentials would be recognized as valid for verifiers.

If someone tried to make Sandy a fake digital certificate by changing the data, the verification would fail. The failed verification confirms that the certificate is not authentic because the signature wouldn’t match the issuer’s DID or the hash (acts like a digital fingerprint) would be wrong.

Principles of Self-Sovereign Identity

With a Self-Sovereign Identity system, users fully own and control their data and decide who to share it with.

Many people have written about the principles of identity, including Kim Cameron’s “Laws of Identity” and W3C Verifiable Claims Task Force FAQ. While there is no clear consensus on what Self-Sovereign Identity is among different thought leaders and organizations, there are 10 key principles that summarize the essential aspects of SSI.

1) Existence: A user must be able to exist in the digital world without the need of a third party.

2) Control: People must have ultimate authority over their digital identities and personal data.

3) Access: Users must have easy and direct access to their own data.

4) Transparency: The way an identity system and algorithms are managed and updated must be publicly available and reasonably understandable. The solution design should be based on open protocol standards and open software.

5) Persistence: Identities must be long-lasting. Solution developers should implement sufficient foundational infrastructure and design sustainable commercial and operational models.

6) Portability: People must be able to bring their identities and credentials anywhere, transport their data from one platform to another, and not be restricted to a single platform.

7) Interoperability: Identities should be as widely usable as possible by various stakeholders. Organizations, databases, and registries must be able to quickly and efficiently communicate with each other globally through a digital identity system.

8) Consent: Users must give explicit permission for an entity to use or access their data. The process of expressing consent should be interactive and well-understood by people.

9) Minimization: A digital identity solution should enable people to share the least possible amount of data that another party needs to minimize sharing of excessive and unnecessary personally identifiable information.

10) Protection: People’s right to privacy must be protected and safeguards should exist against tampering and monitoring information. Data traffic should be encrypted end-to-end.

Origins of Self-Sovereign Identity

Self-Sovereign Identity was developed largely because governments and companies were sharing tremendous amounts of information and tracking people's online behavior without their knowledge.

There are a growing number of discussions about SSI around the world among citizens, companies, and governments. But where did this digital identity approach come from?

Christopher Allen is a standards and identity practice specialist at the blockchain development startup Blockstream and a veteran developer. He believes that SSI began in the early 90s when Pretty Good Privacy (PGP) mentioned the idea of “Web of Trust,” which is the first hint of what could become a Self-Sovereign Identity. PGP is a security program used to decrypt and encrypt email and authenticate email messages through digital signatures and file encryption.

The “Web of Trust” was an approach where trust could be established by allowing peers to act as introducers and validators of public keys and anyone could be a validator in the PGP model. While this approach was a great example of decentralized trust management, the limitation is that it focused on email addresses that depended on centralized hierarchies. This, in addition to other reasons, is why PGP never became broadly adopted.

In 1996, Carl Ellison wrote a paper on digital identity called “Establishing Identity Without Certification Authority.” He mainly argued that there was a need for a method to establish identity without using certificates from trusted certification authorities.

SSI really gained momentum in the 21st century as the internet developed more. In his article, “The Path to Self-Sovereign Identity,” Allen discussed his vision for Self-Sovereign Identity where digital identity can enable trust while preserving individual privacy. He says SSI is much needed during this time because governments and companies are sharing tremendous amounts of information and correlating everything from purchases, people’s locations, and who they associate with. SSI can help protect people from increasing control from people in power.

Countries, governments, and companies often associate people’s identity with state-issued credentials like driver’s licenses and social security cards. But for SSI advocates, this is problematic because it implies that people can lose their identity if a central authority removes it from them. With a Self-Sovereign Identity, no entity can remove your digital identity.

4 Key Phases in the Evolution of Digital Identity

The models of online identity have gone through these four main phases since the internet was invented:

  1. Centralized identity
  2. Federated identity
  3. User-centric identity
  4. Self-sovereign identity

Right now we are dominantly using centralized identifiers like emails, phone numbers, and user names to authenticate our identity to access websites and apps. As we create more accounts, our personal data is being spread more and more on the internet.

Phase 1: Centralized Identity (Administrative Control by a Single Authority or Hierarchy)

As the internet was first developing, centralized authorities became the issuers and authenticators of digital identity. IANA (1988) was an organization that determined the validity of IP addresses and ICANN (1998) arbitrated domain names. In 1995, certificate authorities helped commerce sites authenticate their identities.

Some organizations went beyond centralization and created hierarchies where the root controller would choose other organizations to each oversee their own hierarchy. But the root controller would always have more power. As the internet grew, centralized authorities and hierarchies gained more power as more people had to manage a growing number of digital identities while having no control over them.

This model is a siloed one where systems are isolated from each other, as people have to create a digital identity account for every platform. The average person has 100 passwords, and a University of Sydney survey of social media users in Australia, the UK, and the US revealed that a third of people don’t trust social media companies with their data. This creates a bad user experience as people have to manage an increasing number of accounts.

Phase 2: Federated Identity (Administrative Control by Multiple, Federated Authorities)

Because of the problems that resulted from the first, siloed digital identity model, federated identity was developed. A federated identity allows authorized users to access multiple applications and domains using a single set of credentials, such as when people use their Google or Facebook account to sign into websites or apps. A federated identity links a user’s identity across multiple identity management systems so they can access different applications efficiently.

Microsoft’s Passport initiative in 1999 was one of the first to offer a federated identity. But the problem is that Microsoft was at the center of the federation which made it almost as centralized as traditional authorities.

In federated identity systems, personal data is often being stored, tracked, and shared to other parties without people’s knowledge. In 2019, Facebook had 540 million user records exposed on the Amazon cloud server (CBS). Currently, there is a hacker attack every 39 seconds.

Phase 3: User-Centric Identity (Individual or Administrative Control Across Multiple Authorities Without Requiring a Federation)


In 2000, the Augmented Social Network established the groundwork for a new kind of digital identity for the next generation of the internet. They recommended that a persistent online identity should be built into the architecture of the internet. The key advancement to digital identity is the assumption that every individual ought to have the right to control his or her own online identity.

The Identity Commons (2001-Present) began to compile the new work on digital identity with a focus on decentralization. Their most important contribution was their creation of the Internet Identity Workshop working group, or IIW (2005-Present), where they advance the idea of decentralized identity in a series of semi-yearly meetings. They focused on a new term: user-centric identity.

The user-centric identity model suggests that users are in the middle of the identity process, the user must have more control over their identity, and trust must be decentralized. IIW’s work supported different methods for creating digital identity including OAuth (2010) and OpenID Connect (2014). User-centric approaches tended to focus on user consent and interoperability.

However, powerful institutions prevented them from realizing their goals. Today, the ownership of user-centric identities remains with the entities that register them. Being user-centric isn’t enough.

Phase 4: Self-Sovereign Identity (Individuals Have Full Control Across Any Number of Authorities)


Self-Sovereign Identity is the next step beyond user-centric identity. The term Self-Sovereign Identity was used more in the 2010s when people advocated not just that people be at the center of the identity process but that they are the rulers of their own identity.

There were a growing number of discussions of SSI within international policy that were largely driven by the refugee crisis in Europe. Many people lacked a recognized state-issued identity as they had to flee their homes.

Problems With Centralized Digital Identifiers, Credentials, and IDs

  • Centralized digital credentials, like health and safety training certificates and university degrees, are easy to forge. The only way to check their authenticity is by contacting the issuing organization, which can take days or even months to confirm the information you need.
  • Traditional IDs like a driver’s license or other government-issued IDs are not private, as the verifier can access all the information on a credential, including details they often don’t need like date of birth and address.
  • The verification of credentials is dependent on the issuer; if the issuer’s service is offline or disappears, people can’t prove the authenticity of their credentials to a verifier.
  • Data can be stored, tracked, and shared by third parties.
  • More than 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials.
  • Data stored on an issuer’s centralized servers is at increased risk of becoming a target for hacks, breaches, or leaks.

Examples of the Consequences of Data Breaches

In 2020, 33,000 unemployment applicants were exposed to a data security breach through the Pandemic Unemployment Assistance program.

Benefits of Self-Sovereign Identity Management for Organizations, Individuals, and Developers

Organizations

  • Significantly reduce costs, inefficiencies, and resources by verifying credentials like nurse licenses or online course completion certificates instantly instead of days, weeks, and months
  • Issue fraud-proof Verifiable Credentials efficiently and at a much lower cost
  • Improve security with public-key cryptography
  • Reduce the risk of being targeted for cyber attacks, breaches, lawsuits, and fines by storing less user data

Individuals

  • Full ownership and control over your identity without relying on a third party
  • Create your own DIDs and fully manage your data with a digital wallet
  • You can choose which data to share and with whom, and you can remove access to the data at any time
  • Personal data is not stored on centralized servers
  • You don’t have to provide more information than what is requested, such as showing your full address when you only need to confirm your age

Developers

  • Build apps that eliminate the need for passwords, which creates a better user experience
  • Remove inefficient authentication processes like using text or email for secondary verification
  • Request data directly from users rather than a third party

A Self-Sovereign Identity platform like Dock enables people and organizations to create, manage, and store their data on a decentralized network.

How Does Self-Sovereign Identity Management Work?

We’ll go over the key details of the three pillars of SSI which are blockchain, Decentralized Identifiers, and Verifiable Credentials and how they work together.

SSI Pillar 1: Blockchain

Blockchain is a system of recording information on a digitally distributed database that is shared among computers in the blockchain network. These computers are called nodes. The way that blockchain is designed makes it very difficult to change, hack or cheat the system. Each block has unique data about the previous block and once the data on the blocks are verified, they are added to the blockchain.

Key Features of a Self-Sovereign Identity Blockchain:

  • Decentralized: Blockchain uses a peer-to-peer network where no one party can change or manipulate the way a blockchain should act. Nodes can be anywhere in the world as long as they have the required equipment to be part of the network. If it’s a permissionless blockchain, anyone can join the network.
  • Distributed ledger (record of transactions): Every node in the network gets a full copy of the blockchain and the information can be used to verify that it hasn’t been tampered with. When new data is verified, everyone adds this information to their copy of the blockchain.
  • High security with immutability: Blocks can’t be tampered with or backdated. Every block has a hash (string of letters and numbers) of the previous block, which acts like a unique digital fingerprint. If the hash changes on a block, everyone in the network will know that it has been tampered with and tampered blocks will be rejected by nodes and not be added to the blockchain.

Let’s consider a company where only one person has access to financial records and history. If they changed the numbers, who would know about it? There may be limited or no traceable evidence or record of this change so they can easily steal money or commit fraud. But if all transactions were recorded on a permissioned blockchain, other staff could audit and check the transactions to ensure they are accurate.

Here is how each party uses the blockchain in a Self-Sovereign Identity system:

  • Holder: Owner of the Verifiable Credential (e.g. driver’s license) has their public DID on the blockchain.
  • Issuer: When an issuer, like a government department, provides a Verifiable Credential to a holder like a driver’s license, they sign it with their DID and associated private key. The department’s DID and associated public key will be on the blockchain.
  • Verifier: A verifier, like an on-demand driving company, can check the blockchain to ensure that the government department they trust did in fact issue the license because the credential was signed by the issuer’s DID that is on the blockchain.

A blockchain allows the holder, issuer, and verifier to have the same source of truth about which credentials are valid and who authenticated the validity of the data inside the credentials.

The identity and credentials are not stored on the blockchain but rather on the holder’s digital wallet.

Centralized Identity Management vs. Decentralized Identity Management:

  • Centralized: Increased risk of data breaches from storing data in a centralized system. Decentralized: Data is decentralized and stored by users in their wallets, which reduces the risk of large-scale data breaches.
  • Centralized: Data may be collected, stored, and shared with other parties without your knowledge. Decentralized: Data is only shared when you give authorization.
  • Centralized: Data is owned and controlled by organizations, apps, and services. Decentralized: Data is fully owned and controlled by the user.

SSI Pillar 2: Decentralized Identifiers (DIDs)

Everyone who has an online presence has a digital identifier like an email address or user name. Today, we mostly rely on centralized identifiers such as Google, Facebook, email providers, or mobile network operators to connect to websites and apps. But these digital identifiers are often used to store, track, and share user data. Companies can know who we messaged, what we bought, where we live, our location, and so on.

Thankfully, decentralized identifiers (DIDs) allow people to create digital identities that they can securely connect to their Verifiable Credentials that don't reveal personal information without authorization. DIDs allow us to have full ownership and control of our data. Having multiple DIDs makes it harder for someone to correlate those DIDs together.

A DID is a globally unique identifier made up of a string of letters and numbers that is independent of any organization. DIDs are publicly known by relevant parties.

Here is an example of a Dock DID:

Example of a DID within a Self-Sovereign Identity system

A DID:

  • Is created by the user
  • Comes with one or more private/public key pairs
  • Does not contain personal data or wallet information
  • Enables private and secure connections between two parties and can be verified anywhere at any time

People can make as many DIDs as they want for different purposes and interactions. For example, someone can generate three different DIDs:

  • DID 1: For their online shopping only
  • DID 2: For cryptocurrency-related services like trading and buying NFTs
  • DID 3: Professional purposes like holding their educational credentials such as a university degree and course certificates

Users can create as many DIDs as they want for different purposes and interactions.

Private and Public Keys That Come With DIDs

To learn how private and public keys work, it’s important to understand what encryption is. Encryption is the process of taking a message and scrambling its contents so only certain people can look at your message.

There are 2 types of encryption:

  1. Symmetric encryption: One key (password) is used to encrypt and decrypt data. Think about securing access to a document by choosing a password like “catsrule.” In order for someone to open the document, they need to type in “catsrule.” In this example, a single password (key) is used to encrypt and decrypt the document.
  2. Asymmetric encryption: The encryption key (also called the public key) and the corresponding decryption key (also called the private key) are different. Asymmetric encryption is also known as public-key encryption.

Let’s say Ellen has a confidential document she wants to share with her colleague Ken. She uses an encryption program to protect the document with a password that she chooses. She sends the message to Ken who can’t open the message because he doesn’t know the password in the same way that he doesn’t have a “key” to open the lock to access the document.

Ellen doesn’t want to share the password through email because other people can use it to decrypt any message between Ellen and Ken. This is the problem with symmetric encryption and what asymmetric encryption tries to solve.

With asymmetric encryption, Ellen and Ken have to generate a key pair on their computers. A public and private key will be linked to each other. A public key can be used to encrypt data and only the matching private key can be used to decrypt data. But if you know someone’s public key, you can’t access their private key.

Ellen and Ken can use asymmetric encryption to communicate securely with each other.

  1. They first exchange their public keys
  2. When Ellen sends her confidential document, she encrypts it with Ken’s public key
  3. Ken then uses his private key to unlock the document. Because of asymmetric encryption, only Ken can decrypt the message. Even Ellen can’t decrypt it because she doesn’t have Ken’s private key.
  4. Ken and Ellen should never share their private keys. If a hacker gets Ken’s private key, they can decrypt all messages intended for Ken. But the hacker can’t decrypt messages sent to Ellen because that requires her private key.

Asymmetric encryption is used where security is very important including a website with the address https://, secure emails, or cryptocurrency to make sure only the owner of a wallet can withdraw or transfer money from it.


Every DID comes with one or many private and public keys.

  • Private key: Made up of a long string of letters and numbers that allows people to prove ownership, give consent to share selected data, and sign Verifiable Credentials. As an analogy, a private key is like a master key that can access all of your information and the owner should never share their private key with anyone.
  • Public key: Made up of a long string of letters and numbers that can safely be shared with anyone you choose to give specific information to.

Think about a mailbox on the street that is public and many people know the location. Anyone can drop in letters but only the owner can open it up. The mailbox’s address would be like the public key that is safe for everyone to know. The owner of the mailbox is the only one who has the private key that is needed to open up the mailbox.

For additional security, you can generate a new public key whenever you transact with a different party to reduce the chances of someone correlating data. This practice can be compared to having a different password for every new website you create an account for. It’s not safe to use “itsreallyme123” for every site. It’s better to have longer and complex passwords to reduce the risk of your information being hacked.

SSI Pillar 3: Verifiable Credentials (VCs)

ID cards, certificates, and degrees can easily be faked and organizations have few to no options of verifying their authenticity without doing a tedious, manual process of checking with the issuer of a credential like a university or licensing organization. But Verifiable Credentials allow verifiers like an employer, government department, or app to verify credentials in seconds!

Verifiable Credentials are a digital, cryptographically-secured version of paper and digital credentials that people can present to parties that need them for verification. An employer for example can simply use an app to scan a job candidate’s QR code to confirm that they have a bachelor’s degree without needing to spend days or weeks contacting a university to verify if someone’s degree is authentic.

W3C is an international community of member organizations, staff, and the public collaborating to set international standards for the World Wide Web. When digital credentials conform to the Verifiable Credentials Data Model 1.0 standards that they established, they can be referred to as Verifiable Credentials.

The Verifiable Credentials Data Model 1.0 is a “specification [that] provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable.” W3C created standards for Decentralized Identifiers, URL, and others.

Key Benefits of Verifiable Credentials

  • Issuing Organizations: Save money and time issuing Verifiable Credentials efficiently, including the option to issue in bulk, prevent fraud, and reduce manual work.
  • Verifying Organizations: Save time, resources, and money by verifying credentials instantly without having to contact issuing organizations.
  • Individuals: Only provide the relevant information to a verifier without disclosing unnecessary information and confirm claims without revealing the actual data.
  • Developers: Enhance the user experience by authenticating securely without the need for passwords.

There are two main ways Self-Sovereign Identity blockchain companies can enable people to preserve privacy:

1) Selective Disclosure

You can decide which data from a credential you want to show to a verifier without revealing more information than is requested. For example, if you need to be at least 18 to receive a service, you can show your birth date from your license that was issued as a Verifiable Credential without showing your name or address.

2) Zero-Knowledge Proofs (ZKPs)

With zero-knowledge proof technology, Self-Sovereign Identity providers go even further to help people maintain privacy by proving you are 18 years old or over without even revealing your date of birth. This is made possible with the use of cryptography where the holder can show the verifier that they meet a certain requirement (like minimum age, income, or area of residence) without needing to show the data that supports that proof.

How Blockchain, Decentralized Identifiers, and Verifiable Credentials Work Together

We’ll go through an example that demonstrates how all of these pillars of SSI work together.

Let’s say there’s an online course on how to use a project management tool that will issue a certificate as a Verifiable Credential after students complete the course.

  • Holder: Dawn Lopez completes the Jira Advanced Course and has a digital identity wallet
  • Issuer: Zip Education is an online course provider that issues a certificate to course graduates
  • Verifier: Employer hiring someone with project coordination skills who trusts Zip Education as an issuer

  1. Dawn creates a DID with her digital identity wallet for professional purposes, and the DID automatically comes with a private and public key pair.
  2. Dawn successfully completes the Jira Advanced Course.
  3. Zip Education uses their private key to sign and issue a certificate to the student using Dock Certs. The Certs API is connected to their existing system.

Dawn's certificate issued as a Verifiable Credential

  4. The Dock blockchain holds the public DIDs of Zip Education and Dawn.
  5. Dock Certs generates a PDF and JSON version of the certificate and Zip Education emails this credential to the student. Dock will soon have an update to automatically send the credential to the holder’s wallet. A JSON file is a file that stores simple data structures and objects in JavaScript Object Notation (JSON) format, which is a standard data interchange format.
  6. Dawn imports the credential into her Dock wallet.
  7. An employer who trusts Zip Education as an issuer verifies the credential by uploading the JSON file to Dock Certs.

Here is another example of how public and private keys are used in the SSI system.

  • Holder: Tommy
  • Issuer: Government department
  • Verifier: Online English education company

An online English education company in Japan wants to hire contract teachers from the USA and Canada only. They use Verifiable Credentials as part of their screening process to ensure that teachers are residents in North America.

  1. Tommy has a DID in his Dock Wallet and wants to add his passport details to it
  2. Tommy goes to the government office and the staff asks him to scan a QR code, which enables a secure connection and exchange of DIDs
  3. The staff uses the private key to sign and issue the digital passport as a Verifiable Credential
  4. Tommy accepts the credential and stores it in his wallet
  5. The online education company requests data to confirm that he lives in Canada or the USA
  6. Tommy authorizes the online education company to see his relevant data
  7. The company verifies the credential that confirms that he lives in Canada

Government issuer in the Self-Sovereign Identity system

In this example, the government issues a passport to someone as a Verifiable Credential.

Self-Sovereign Identity Wallet

A secure Self-sovereign Identity wallet is essential because it allows people to carry their credentials anywhere on their phone or digital device. Portability is one of the principles of SSI.

Key aspects of an SSI wallet:

  • Enables people to securely store and manage DIDs and Verifiable Credentials without relying on a third party
  • A holder must give authorization before data is shared with a verifier who needs to confirm eligibility to access services or products
  • Makes it harder for companies to track or correlate information back to the user
  • People can access websites and apps without revealing personal information or any more details than necessary
  • People can sign in with a DID rather than creating a new account with a user name and password to access another website or app

If Sarah wants to buy alcohol and needs to prove she is at least 18 years old, she can do this without revealing her date of birth or any other details about her identity by using a Self-Sovereign Identity wallet that has implemented zero-knowledge proof technology.

  1. The cashier requests data from her wallet that confirms that she is at least 18 years old (with her driver’s license) and Sarah is prompted to give permission to share the data
  2. When Sarah approves the request, this creates a secure connection between the store and Sarah’s wallet while exchanging DIDs.
  3. Sarah’s driver’s license confirms that she is at least 18 years old. Because of zero-knowledge proof technology, her license details like the actual date of birth and her full name are not revealed at all and the store trusts that the data provided by the issuer, the licensing organization, is legitimate. A verifier can use the issuer’s DID and associated public key on the blockchain to check that the data in the user’s wallet is authentic.

Dock Wallet

Dock's Self-Sovereign Identity wallet enables users to securely manage their digital identity and Verifiable Credentials

The Dock Wallet is a secure Self-Sovereign Identity wallet that allows people to securely store their DIDs and Verifiable Credentials and take them anywhere. You can import Verifiable Credentials through QR code or a JSON file.

Self-Sovereign Identity Use Cases

SSI can be used in many ways across a variety of sectors and new use cases are continuously being developed. Below are just a few examples.

Supply chains

Verify parties and documents instantly in the supply chain while tracing the source of products that are tracked on the blockchain.

Streamline the recruitment process

Organizations that want to recruit high-quality candidates efficiently can verify educational and professional credentials like a university degree and professional certificates instantly with SSI. This will save days to weeks compared to traditional manual verification processes.

Healthcare

In order to provide efficient and consistent service based on accurate information on a patient’s identity and medical history, SSI can help maintain an accurate record that can be shared efficiently with relevant healthcare providers.

Authenticating employees and contractors

Organizations can issue Verifiable Credentials for employee or contractor status. Holders can log in with their Self-Sovereign Identity wallet. Organizations can issue credentials that expire for temporary contractors.

Cross border processes and duties

Track shipment credentials and how they are used.

Know Your Customer Compliance (KYC)

KYC compliance can be streamlined by implementing Verifiable Credentials during the client onboarding process. Instead of doing a different KYC process for every service you sign up for, you can reuse your KYC credentials. For example, if Company A ran a KYC and issued you Verifiable Credentials, you can reuse these same credentials when you sign up for Company B to speed up the KYC process.

NFTs

SSI can help prove who created, owned or currently owns non-fungible tokens (NFTs) across their lifecycle. SSI can enable someone to prove they own an NFT without having to connect their ETH wallet.

Income proof for financial and government services

You can provide proof of income without revealing your actual total earnings.

Voting for an organization like a club or company

SSI can be used to ensure that only members can attend and vote. Their credentials will be linked to their DID and their names won’t be revealed. The organization can trust that people are who they say they are and that they have the right to vote because they can cryptographically prove they own the rightful DID.

Immigration and demographic information

Verifiable Credentials can include details that would be needed to qualify for government services, such as being of old age, a veteran, Native/Aboriginal, or having a disability status. VCs can speed up the verification process because people can use these credentials to apply for a government program or prove something about themselves quickly with no wait times.

Self-Sovereign Identity Standards

SSI standards that help people create and manage their digital identities are a continuous work in progress. Standards include data models, open-source code, APIs, and more. These are the key standards that have been developed:

W3C: Verifiable Claims Data Model and Representations 1.0

The W3C Credentials Community Group explores the creation, storage, presentation, verification, and user control of credentials. The group published a first version of Verifiable Claims Data Model and Representations 1.0 in May 2017. The specification discusses the criteria of verifiable claims. By this standard, a self-sovereign architecture for verifiable claims is one where the holder of a verifiable claim is in complete control of their identifiers and how they are used.

W3C DID: Decentralized Identifiers (DIDs) v1.0

The W3C DID Working Group established standards for DIDs in Decentralized Identifiers (DIDs) v1.0 where they specify a variety of criteria including a common data model, DID operations, and an explanation of the process of resolving DIDs to the resources that they represent.

Decentralized Identity Foundation (DIF)

The Decentralized Identity Foundation is an engineering-driven organization that represents a diverse, international collection of organizations and contributors working together to establish an open ecosystem of decentralized identity that is accessible to everyone.

DIF has a variety of working groups establishing standards and protocols (a set of rules or procedures for transmitting data between electronic devices) including the following:

  • Identifiers and discovery: DIF members are working on protocols and implementations that enable the creation, resolution, and discovery of DIDs and names across decentralized systems like blockchains
  • Authentication: Members design and implement DID-based authentication specifications, standards, and libraries
  • DID Communication: Produce one or more specifications that embody a method for secure, private, and authenticated message-based communication (where possible) where trust is rooted in DIDs.
  • Secure data storage: Create one or more specifications to establish a foundational layer for secure data storage.

Trust Over IP Foundation

The Trust Over IP Foundation was founded in 2022. The organization:

  • Promotes global standards for confidential and direct connections between parties
  • Leverages the opportunities for interoperable digital wallets and credentials
  • Protects citizen and business identities by anchoring them with verifiable credential signatures

They have several working groups including:

  • Governance stack: Working to define models and interoperability standards for governance frameworks that enable business, legal, and social trust between entities implementing the Trust over IP architecture stack.
  • Technical stack: Define the technical standards, test suites, and interoperability certification standards for the Trust Over IP architecture stack

How to Create a Self-Sovereign Identity With Dock

Dock is a Self-Sovereign Identity platform, where people can create DIDs, issue, and verify credentials.

  • Create as many DIDs as you want in Dock Certs
  • Easily issue Verifiable Credentials with the option to issue in bulk
  • Instantly verify credentials by uploading a JSON file under Credentials>Verify

Summary of Key Terms

Blockchain: A decentralized database that is shared among computers in the blockchain network that records information in a way that makes it very difficult to change, hack, or cheat the system.

Centralized identity: Administrative control by a single authority or hierarchy.

Data breach: When an unauthorized person or party steals, views, transmits, copies, or uses information.

Decentralized Identifiers (DIDs): Cryptographically verifiable identifiers created by the user, owned by the user, and independent of any organization. DIDs contain no personally identifiable information.

Federated identity: Allows authorized users to access multiple applications and domains using a single set of credentials.

Holder: Someone who owns the Verifiable Credential and stores it in their digital wallet app.

Issuer: Person or organization with the authority to issue Verifiable Credentials.

Private key: Made up of a long string of letters and numbers that allows people and organizations to prove ownership, sign Verifiable Credentials, and give consent to share selected data.

Public key: Made up of a long string of letters and numbers that can safely be shared with anyone you choose to give specific information to.

Selective Disclosure: You can decide which data from a credential you want to show to a verifier without revealing more information than what is requested.

Self-Sovereign Identity: A model that gives individuals full ownership and control of their digital identities without relying on any person or organization.

User-centric identity: This model suggests that users are in the middle of the identity process, the user must have more control over their identity, and trust must be decentralized.

Verifiable Credentials (VCs): Digital cryptographically-secure versions of paper and digital credentials that people can present to verifiers.

Verifier: The person or organization checking the credential.

Conclusion

Since the invention of the internet, people have predominantly used centralized and federated identifiers like emails and user names to access websites and apps. Centralized identity systems often make organizations vulnerable to large-scale hacks and data breaches, while federated systems can enable companies to use people’s personal data to store and track their online activity without their knowledge. Centralized identity management systems have resulted in recurring data breaches, loss of individual control over data, stolen identities, and the spread of confidential information.

Also, because ID and credential verification processes are very slow, expensive, inefficient, and outdated, credential fraud and lack of product traceability are big problems in many sectors, particularly in supply chain and licensing.

These problems led to the development of Self-Sovereign Identity (SSI), a model that gives individuals full ownership and control of their digital identities without relying on a third party. There are a growing number of use cases that can implement Self-Sovereign Identity management across a variety of sectors including healthcare, finance, education, and cryptocurrency.

Key Benefits of Self-Sovereign Identity Solutions

| Centralized Identity Management | Decentralized Identity Management |
| --- | --- |
| Increased risk of data breaches from storing data in a centralized system | Data is decentralized and stored by users in their wallets, which reduces the risk of large-scale data breaches |
| Data may be collected, stored, and shared with other parties without your knowledge | Data is only shared when you give authorization |
| Data is owned and controlled by organizations, apps, and services | Data is fully owned and controlled by the user |

About Dock

Dock is a Verifiable Credentials company that provides Dock Certs, a user-friendly, no-code platform, and developer solutions that enable organizations to issue, manage and verify fraud-proof credentials efficiently, securely, and at a lower cost. Dock enables organizations and individuals to create and share verified data.

“We’ve looked at a lot of the systems that allow you to issue DIDs and VCs and generally what we’ve found is that Dock is far easier to use than many of the existing tools out there. It can deploy very quickly and it will be very easy for our developers to use the tool.”
Amber Hartley
Chief Strategy Officer, BurstIQ

Start issuing Verifiable Credentials today

Dock Certs is an all-in-one suite of Verifiable Credential (VC) tools built for organizations to issue digital credentials and certificates that are automatically and instantly verifiable, fraud-proof and auditable.