(Markus Sabadello)
A more technical introduction to one of the building blocks of SSI took place on 18.02.2020 (yesterday). It was about Decentralized Identifiers (DIDs), an approach to digital identity architectures that tries to make sure an individual user has full control of their digital identity. The goal is independence from any single identity provider or central authority.
Self-Sovereign Identity (SSI) has had support from the US government in recent years, and right now they are running a project that tries to model and implement digital versions of identity documents, specifically green cards and residence cards. They created a program called the Silicon Valley Innovation Program (SVIP) to try these things out (still not production-ready).
Idea: create an identifier, called a Decentralized Identifier (DID), that is not given to you by any identity provider. You can create it yourself, and nobody can take it away from you; it is created through cryptography. The second building block of SSI is the Verifiable Credential (VC), a standard that allows us to express any kind of semantically structured identity data about a subject. It is a set of claims made by an issuer about a subject (the holder of the credential) in a manner that is tamper-evident, privacy-respecting and cryptographically verifiable.
The convenor showed us an example of the verifiable credential data model: a green card expressed as a JSON document. As the holder of the card, you keep it in a digital wallet. The credential is issued to an identifier that the subject or holder controls.
One thing that is important in the Self-Sovereign Identity paradigm is that our credentials are always with us on our device, so there is no communication between the issuer and the identifier (a difference from UMA).
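As an added example (not code from the workshop or from any project named here), the following Python sketch checks DID syntax and builds a green-card-style verifiable credential with a tamper-evidence check. The DIDs, claim values and the digest-based proof are constructed placeholders; a real credential would carry the issuer's digital signature in the proof instead of a bare digest.

```python
"""Added example, not from the workshop notes: DID syntax check plus a minimal
green-card Verifiable Credential with a tamper-evidence check. DIDs and claim
values are placeholders; the SHA-256 digest stands in for the issuer's signature."""
import hashlib
import json
import re

# DID Core syntax, simplified: did:<method-name>:<method-specific-id>
DID_RE = re.compile(r"^did:([a-z0-9]+):([A-Za-z0-9._%-]+(?::[A-Za-z0-9._%-]+)*)$")

def parse_did(did: str) -> dict:
    """Split a DID into method and method-specific id; reject malformed ones."""
    m = DID_RE.match(did)
    if not m:
        raise ValueError(f"not a syntactically valid DID: {did!r}")
    return {"method": m.group(1), "id": m.group(2)}

def canonical(doc: dict) -> bytes:
    """Deterministic serialisation so identical claims always hash identically."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def attach_proof(credential: dict) -> dict:
    """Return a copy of the credential carrying a digest 'proof' over its claims."""
    unsigned = {k: v for k, v in credential.items() if k != "proof"}
    digest = hashlib.sha256(canonical(unsigned)).hexdigest()
    return {**unsigned, "proof": {"type": "ExampleDigestProof", "digest": digest}}

def verify(credential: dict) -> bool:
    """Check that issuer and subject are DIDs, the type is a VC, and the digest matches."""
    try:
        parse_did(credential["issuer"])
        parse_did(credential["credentialSubject"]["id"])
    except (KeyError, TypeError, ValueError):
        return False
    if "VerifiableCredential" not in credential.get("type", []):
        return False
    unsigned = {k: v for k, v in credential.items() if k != "proof"}
    expected = hashlib.sha256(canonical(unsigned)).hexdigest()
    return credential.get("proof", {}).get("digest") == expected

# Constructed green-card credential; issuer and holder DIDs are placeholders.
GREEN_CARD = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "type": ["VerifiableCredential", "PermanentResidentCard"],
    "issuer": "did:example:issuer-placeholder",
    "issuanceDate": "2020-02-18T00:00:00Z",
    "credentialSubject": {"id": "did:example:holder-placeholder", "lawfulPermanentResident": True},
}
```

Changing any claim after `attach_proof` makes `verify` return False, which is the tamper-evidence property the data model relies on; the digest here only demonstrates the mechanism and does not bind the credential to the issuer.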
DHS is seeking technologies and solutions that address this need via one or more of the following technical topic areas:
1. Issuance and verification of certificates, licenses and attestations
2. Storage and management of certificates, licenses and attestations
3. Decentralized and derived PIV credentials
USCIS administers the nation's lawful immigration system and is responsible for the issuance of documentary evidence of citizenship, immigration and employment authorization. The application of technologies sought in this topic call could potentially enhance those capabilities by enabling digital representations of those documents that:
- Provide identity protections that allow for disclosure of information under the control of the owner of the credential.
- Provide the ability to remotely manage the lifecycle of the credential (electronic document).
- Integrate with the current secure issuance processes.
Identity documents for travel: TSA has a responsibility to confirm the identity of each passenger at the TSA security checkpoint and to ensure that the identity presented on the digital document matches the identity associated with a confirmed travel reservation. TSA is moving towards electronic authentication capabilities to strengthen this process in support of TSOs. The application of technologies sought in the topic call could potentially enhance the USA's capabilities to:
- Prove the authenticity and provenance of identity documentation at speed
- Ensure that the digital document has counter-fraud protections
Case "Indian tribes in the USA": Tribal jurisdictions within the USA have the authority to issue identity documents that TSA may accept for domestic air travel and USCIS may accept for other uses… TSA and USCIS have an interest in how the technical implementation of a tribal identity document using the technologies sought in this call could meet the following technical criteria:
- The digital document has counter-fraud protections that are equivalent to the security protections required of physical documents.
- The digital document allows the relying party to distinguish among tribal documents based on predetermined criteria.
- The implementation has the ability to integrate with the current issuance and validation processes.
- Mapping against US green card concepts.
There is some ongoing work on OpenID specifications. Self-Issued OpenID Connect Provider (SIOP) is already part of the OpenID Connect standard; it covers situations where there is an interaction between the holder and relying parties but no interaction with an identity provider.
Question: In your use case, who will be running the blockchain? Answer: That is also an open question. There are some DIDs that don't have to be registered on a blockchain. In this case, there are some blockchains that are specifically designed for DIDs for identity. One of them is called Sovrin (you can find it at www.sovrin.org). Another one is called veres.one. It will be decided by the USA government how they want to do that.