- Self-Sovereign Identity
- Copyright
- dedication
- contents
- front matter
- Part 1 An introduction to SSI
- 1 Why the internet is missing an identity layer—and why SSI can finally provide one
- 1.1 How bad has the problem become?
- 1.2 Enter blockchain technology and decentralization
- 1.3 The three models of digital identity
- 1.3.1 The centralized identity model
- 1.3.2 The federated identity model
- 1.3.3 The decentralized identity model
- 1.4 Why “self-sovereign”?
- 1.5 Why is SSI so important?
- 1.6 Market drivers for SSI
- 1.6.1 E-commerce
- 1.6.2 Banking and finance
- 1.6.3 Healthcare
- 1.6.4 Travel
- 1.7 Major challenges to SSI adoption
- 1.7.1 Building out the new SSI ecosystem
- 1.7.2 Decentralized key management
- 1.7.3 Offline access
- References
- 2 The basic building blocks of SSI
- 3 Example scenarios showing how SSI works
- 3.1 A simple notation for SSI scenario diagrams
- 3.2 Scenario 1: Bob meets Alice at a conference
- 3.3 Scenario 2: Bob meets Alice through her online blog
- 3.4 Scenario 3: Bob logs in to Alice’s blog to leave a comment
- 3.5 Scenario 4: Bob meets Alice through an online dating site
- 3.6 Scenario 5: Alice applies for a new bank account
- 3.7 Scenario 6: Alice buys a car
- 3.8 Scenario 7: Alice sells the car to Bob
- 3.9 Scenario summary
- Reference
- 4 SSI Scorecard: Major features and benefits of SSI
- 4.1 Feature/benefit category 1: Bottom line
- 4.1.1 Fraud reduction
- 4.1.2 Reduced customer onboarding costs
- 4.1.3 Improved e-commerce sales
- 4.1.4 Reduced customer service costs
- 4.1.5 New credential issuer revenue
- 4.2 Feature/benefit category 2: Business efficiencies
- 4.2.1 Auto-authentication
- 4.2.2 Auto-authorization
- 4.2.3 Workflow automation
- 4.2.4 Delegation and guardianship
- 4.2.5 Payment and value exchange
- 4.3 Feature/benefit category 3: User experience and convenience
- 4.3.1 Auto-authentication
- 4.3.2 Auto-authorization
- 4.3.3 Workflow automation
- 4.3.4 Delegation and guardianship
- 4.3.5 Payment and value exchange
- 4.4 Feature/benefit category 4: Relationship management
- 4.4.1 Mutual authentication
- 4.4.2 Permanent connections
- 4.4.3 Premium private channels
- 4.4.4 Reputation management
- 4.4.5 Loyalty and rewards programs
- 4.5 Feature/benefit category 5: Regulatory compliance
- 4.5.1 Data security
- 4.5.2 Data privacy
- 4.5.3 Data protection
- 4.5.4 Data portability
- 4.5.5 RegTech (Regulation Technology)
- References
- Part 2 SSI technology
- 5 SSI architecture: The big picture
- 5.1 The SSI stack
- 5.2 Layer 1: Identifiers and public keys
- 5.2.1 Blockchains as DID registries
- 5.2.2 Adapting general-purpose public blockchains for SSI
- 5.2.3 Special-purpose blockchains designed for SSI
- 5.2.4 Conventional databases as DID registries
- 5.2.5 Peer-to-peer protocols as DID registries
- 5.3 Layer 2: Secure communication and interfaces
- 5.3.1 Protocol design options
- 5.3.2 Web-based protocol design using TLS
- 5.3.3 Message-based protocol design using DIDComm
- 5.3.4 Interface design options
- 5.3.5 API-oriented interface design using wallet Dapps
- 5.3.6 Data-oriented interface design using identity hubs (encrypted data vaults)
- 5.3.7 Message-oriented interface design using agents
- 5.4 Layer 3: Credentials
- 5.4.1 JSON Web Token (JWT) format
- 5.4.2 Blockcerts format
- 5.4.3 W3C verifiable credential formats
- 5.4.4 Credential exchange protocols
- 5.5 Layer 4: Governance frameworks
- 5.6 Potential for convergence
- References
- 6 Basic cryptography techniques for SSI
- 6.1 Hash functions
- 6.1.1 Types of hash functions
- 6.1.2 Using hash functions in SSI
- 6.2 Encryption
- 6.2.1 Symmetric-key cryptography
- 6.2.2 Asymmetric-key cryptography
- 6.3 Digital signatures
- 6.4 Verifiable data structures
- 6.4.1 Cryptographic accumulators
- 6.4.2 Merkle trees
- 6.4.3 Patricia tries
- 6.4.4 Merkle-Patricia trie: A hybrid approach
- 6.5 Proofs
- 6.5.1 Zero-knowledge proofs
- 6.5.2 ZKP applications for SSI
- 6.5.3 A final note about proofs and veracity
- References
- 7 Verifiable credentials
- 7.1 Example uses of VCs
- 7.1.1 Opening a bank account
- 7.1.2 Receiving a free local access pass
- 7.1.3 Using an electronic prescription
- 7.2 The VC ecosystem
- 7.3 The VC trust model
- 7.3.1 Federated identity management vs. VCs
- 7.3.2 Specific trust relationships in the VC trust model
- 7.3.3 Bottom-up trust
- 7.4 W3C and the VC standardization process
- 7.5 Syntactic representations
- 7.5.1 JSON
- 7.5.2 Beyond JSON: Adding standardized properties
- 7.5.3 JSON-LD
- 7.5.4 JWT
- 7.6 Basic VC properties
- 7.7 Verifiable presentations
- 7.8 More advanced VC properties
- 7.8.1 Refresh service
- 7.8.2 Disputes
- 7.8.3 Terms of use
- 7.8.4 Evidence
- 7.8.5 When the holder is not the subject
- 7.9 Extensibility and schemas
- 7.10 Zero-knowledge proofs
- 7.11 Protocols and deployments
- 7.12 Security and privacy evaluation
- 7.13 Hurdles to adoption
- References
- 8 Decentralized identifiers
- 8.1 The conceptual level: What is a DID?
- 8.1.1 URIs
- 8.1.2 URLs
- 8.1.3 URNs
- 8.1.4 DIDs
- 8.2 The functional level: How DIDs work
- 8.2.1 DID documents
- 8.2.2 DID methods
- 8.2.3 DID resolution
- 8.2.4 DID URLs
- 8.2.5 Comparison with the Domain Name System (DNS)
- 8.2.6 Comparison with URNs and other persistent Identifiers
- 8.2.7 Types of DIDs
- 8.3 The architectural level: Why DIDs work
- 8.3.1 The core problem of Public Key Infrastructure (PKI)
- 8.3.2 Solution 1: The conventional PKI model
- 8.3.3 Solution 2: The web-of-trust model
- 8.3.4 Solution 3: Public key-based identifiers
- 8.3.5 Solution 4: DIDs and DID documents
- 8.4 Four benefits of DIDs that go beyond PKI
- 8.4.1 Beyond PKI benefit 1: Guardianship and controllership
- 8.4.2 Beyond PKI benefit 2: Service endpoint discovery
- 8.4.3 Beyond PKI benefit 3: DID-to-DID connections
- 8.4.4 Beyond PKI benefit 4: Privacy by design at scale
- 8.5 The semantic level: What DIDs mean
- 8.5.1 The meaning of an address
- 8.5.2 DID networks and digital trust ecosystems
- 8.5.3 Why isn’t a DID human-meaningful?
- 8.5.4 What does a DID identify?
- 9 Digital wallets and digital agents
- 9.1 What is a digital wallet, and what does it typically contain?
- 9.2 What is a digital agent, and how does it typically work with a digital wallet?
- 9.3 An example scenario
- 9.4 Design principles for SSI digital wallets and agents
- 9.4.1 Portable and Open-By-Default
- 9.4.2 Consent-driven
- 9.4.3 Privacy by design
- 9.4.4 Security by design
- 9.5 Basic anatomy of an SSI digital wallet and agent
- 9.6 Standard features of end-user digital wallets and agents
- 9.6.1 Notifications and user experience
- 9.6.2 Connecting: Establishing new digital trust relationships
- 9.6.3 Receiving, offering, and presenting digital credentials
- 9.6.4 Revoking and expiring digital credentials
- 9.6.5 Authenticating: Logging you in
- 9.6.6 Applying digital signatures
- 9.7 Backup and recovery
- 9.7.1 Automatic encrypted backup
- 9.7.2 Offline recovery
- 9.7.3 Social recovery
- 9.7.4 Multi-device recovery
- 9.8 Advanced features of wallets and agents
- 9.8.1 Multiple-device support and wallet synchronization
- 9.8.2 Offline operations
- 9.8.3 Verifying the verifier
- 9.8.4 Compliance and monitoring
- 9.8.5 Secure data storage (vault) support
- 9.8.6 Schemas and overlays
- 9.8.7 Emergencies
- 9.8.8 Insurance
- 9.9 Enterprise wallets
- 9.9.1 Delegation (rights, roles, permissions)
- 9.9.2 Scale
- 9.9.3 Specialized wallets and agents
- 9.9.4 Credential revocation
- 9.9.5 Special security considerations
- 9.10 Guardianship and delegation
- 9.10.1 Guardian wallets
- 9.10.2 Guardian delegates and guardian credentials
- 9.11 Certification and accreditation
- 9.12 The Wallet Wars: The evolving digital wallet/agent marketplace
- 9.12.1 Who
- 9.12.2 What
- 9.12.3 How
- Reference
- 10 Decentralized key management
- 10.1 Why any form of digital key management is hard
- 10.2 Standards and best practices for conventional key management
- 10.3 The starting point for key management architecture: Roots of trust
- 10.4 The special challenges of decentralized key management
- 10.5 The new tools that VCs, DIDs, and SSI bring to decentralized key management
- 10.5.1 Separating identity verification from public key verification
- 10.5.2 Using VCs for proof of identity
- 10.5.3 Automatic key rotation
- 10.5.4 Automatic encrypted backup with both offline and social recovery methods
- 10.5.5 Digital guardianship
- 10.6 Key management with ledger-based DID methods (algorithmic roots of trust)
- 10.7 Key management with peer-based DID methods (self-certifying roots of trust)
- 10.8 Fully autonomous decentralized key management with Key Event Receipt Infrastructure (KERI)
- 10.8.1 Self-certifying identifiers as a root of trust
- 10.8.2 Self-certifying key event logs
- 10.8.3 Witnesses for key event logs
- 10.8.4 Pre-rotation as simple, safe, scalable protection against key compromise
- 10.8.5 System-independent validation (ambient verifiability)
- 10.8.6 Delegated self-certifying identifiers for enterprise-class key management
- 10.8.7 Compatibility with the GDPR “right to be forgotten”
- 10.8.8 KERI standardization and the KERI DID method
- 10.8.9 A trust-spanning layer for the internet
- 10.9 Key takeaways
- References
- 11 SSI governance frameworks
- 11.1 Governance frameworks and trust frameworks: Some background
- 11.2 The governance trust triangle
- 11.3 The Trust over IP governance stack
- 11.3.1 Layer 1: Utility governance frameworks
- 11.3.2 Layer 2: Provider governance frameworks
- 11.3.3 Layer 3: Credential governance frameworks
- 11.3.4 Layer 4: Ecosystem governance frameworks
- 11.4 The role of the governance authority
- 11.5 What specific problems can governance frameworks solve?
- 11.5.1 Discovery of authoritative issuers and verified members
- 11.5.2 Anti-coercion
- 11.5.3 Certification, accreditation, and trust assurance
- 11.5.4 Levels of assurance (LOAs)
- 11.5.5 Business rules
- 11.5.6 Liability and insurance
- 11.6 What are the typical elements of a governance framework?
- 11.6.1 Master document
- 11.6.2 Glossary
- 11.6.3 Risk assessment, trust assurance, and certification
- 11.6.4 Governance rules
- 11.6.5 Business rules
- 11.6.6 Technical rules
- 11.6.7 Information trust rules
- 11.6.8 Inclusion, equitability, and accessibility rules
- 11.6.9 Legal agreements
- 11.7 Digital guardianship
- 11.8 Legal enforcement
- 11.9 Examples
- References
- Part 3 Decentralization as a model for life
- 12 How open source software helps you control your self-sovereign identity
- 13 Cypherpunks: The origin of decentralization
- 14 Decentralized identity for a peaceful society
- 15 Belief systems as drivers for technology choices in decentralization
- 15.1 What is a belief system?
- 15.2 Blockchain and DLT as belief systems
- 15.2.1 Blockchain “believers”
- 15.2.2 DLT “believers”
- 15.3 How are blockchains and DLTs relevant to SSI?
- 15.4 Characterizing differences between blockchain and DLT
- 15.4.1 Governance: How open is the network to open participation?
- 15.4.2 Censorship resistance: How centralized is trust?
- 15.4.3 Openness: Who can run a node?
- 15.5 Why “believers” and not “proponents” or “partisans”?
- 15.5.1 How do we measure decentralization?
- 15.6 Technical advantages of decentralization
- References
- 16 The origins of the SSI community
- 16.1 The birth of the internet
- 16.2 Losing control over our personal information
- 16.3 Pretty Good Privacy
- 16.4 International Planetwork Conference
- 16.5 Augmented Social Network and Identity Commons
- 16.6 The Laws of Identity
- 16.7 Internet Identity Workshop
- 16.8 Increasing support of user control
- 16.9 Rebooting the Web of Trust
- 16.10 Agenda for Sustainable Development and ID2020
- 16.11 Early state interest
- 16.12 MyData and Learning Machine
- 16.13 Verifiable Claims Working Group, Decentralized Identity Foundation, and Hyperledger Indy
- 16.14 Increasing state support for SSI
- 16.15 Ethereum identity
- 16.16 World Economic Forum reports
- 16.17 First production government demo of an SSI-supporting ledger
- 16.18 SSI Meetup
- 16.19 Official W3C standards
- 16.20 Only the beginning
- References
- 17 Identity is money
- Part 4 How SSI will change your business
- 18 Explaining the value of SSI to business
- 18.1 How might we best explain SSI to people and organizations?
- 18.1.1 Failed experiment 1: Leading with the technology
- 18.1.2 Failed experiment 2: Leading with the philosophy
- 18.1.3 Failed experiment 3: Explaining by demonstrating the tech
- 18.1.4 Failed experiment 4: Explaining the (world’s) problems
- 18.2 Learning from other domains
- 18.3 So how should we best explain the value of SSI?
- 18.4 The power of stories
- 18.5 Jackie’s SSI story
- 18.5.1 Part 1: The current physical world
- 18.5.2 Part 2: The SSI world—like the current physical world, but better
- 18.5.3 Part 3: Introducing the Sparkly Ball1—or, what’s wrong with many current digital identity models
- 18.6 SSI Scorecard for apartment leasing
- Reference
- 19 The Internet of Things opportunity
- 20 Animal care and guardianship just became crystal clear
- 20.1 Enter Mei and Bailey
- 20.1.1 Bailey gets a self-sovereign identity
- 20.1.2 Guardianship transfer
- 20.1.3 Vacation for Mei and Bailey
- 20.1.4 A storm and separation
- 20.1.5 Lost and found at your fingertips
- 20.2 Digital identity unlocks opportunities for the well-being of animals and people
- 20.3 SSI for animals reaffirms their inherent worth
- 20.4 SSI Scorecard for pets and other animals
- 21 Open democracy, voting, and SSI
- 22 Healthcare supply chain powered by SSI
- 22.1 Emma’s story
- 22.2 Supply chain transparency and efficiency through SSI
- 22.3 Industry ecosystem efficiency powered by SSI
- 22.4 Future supply chain transformation across industries: The big picture
- 22.5 Eliminating waste
- 22.6 Authentication and quality
- 22.7 SSI Scorecard for the pharma supply chain
- References
- 23 Canada: Enabling self-sovereign identity
- 23.1 The Canadian context
- 23.2 The Canadian approach and policy framework
- 23.3 The Pan-Canadian Trust Framework
- 23.4 The normative core
- 23.5 Mutual recognition
- 23.6 Digital ecosystem roles
- 23.7 Supporting infrastructure
- 23.8 Mapping the SSI stack to the PCTF model
- 23.9 Using the Verifiable Credentials Model
- 23.10 Enabling Self-Sovereign Identity
- 23.11 SSI Scorecard for the Pan-Canadian Trust Framework
- 24 From eIDAS to SSI in the European Union
- 24.1 PKI: The first regulated identity service facility in the EU
- 24.2 The EU legal framework
- 24.3 The EU identity federation
- 24.3.1 The legal concept of electronic identification (eID)
- 24.3.2 The scope of the eIDAS FIM Regulation and its relationship with national law
- 24.4 Summarizing the value of eIDAS for SSI adoption
- 24.5 Scenarios for the adoption of SSI in the EU identity metasystem
- 24.6 SSI Scorecard for the EBSI
- References
- appendix A Additional Livebook chapters
- Chapter 25: SSI, payments, and financial services
- Chapter 26: Solving organizational identity with vLEIs
- Chapter 27: SSI and healthcare
- Chapter 28: Enterprise identity and access management realized with SSI
- Chapter 29: Insurance reinvented with SSI
- Chapter 30: Enabling SSI in humanitarian contexts
- Chapter 31: Guardianship and other forms of Delegated Authority with Self-Sovereign Identity
- Chapter 32: Design principles for SSI
- Chapter 33: SSI: Our dystopian nightmare
- Chapter 34: Trust assurance in SSI ecosystems
- Chapter 35: The evolution of gaming with SSI
- appendix B Landmark essays on SSI
- “The Domains of Identity”
- “New Hope for Digital Identity”
- “The Architecture of Identity Systems”
- “Three Dimensions of Identity”
- “Meta-Platforms and Cooperative Network-of-Network Effects”
- “Verifiable Credentials Aren’t Credentials. They’re Containers.”
- “The Seven Deadly Sins of Customer Relationships”
- appendix C The path to self-sovereign identity
- You can’t spell “identity” without an “I”
- The evolution of identity
- Phase one: Centralized identity (administrative control by a single authority or hierarchy)
- Phase two: Federated identity (administrative control by multiple, federated authorities)
- Phase three: User-centric identity (individual or administrative control across multiple authorities without requiring a federation)
- Phase four: Self-sovereign identity (individual control across any number of authorities)
- A definition of self-sovereign identity
- Ten principles of self-sovereign identity
- Conclusion
- appendix D Identity in the Ethereum blockchain ecosystem
- appendix E The principles of SSI
- index
- contributing authors
Arthur C. Clarke said, “Any sufficiently advanced technology is indistinguishable from magic.” In part 1, we introduced the basic building blocks of SSI at a level comfortable for non-technologists. In part 2, we go behind the curtain to look much more deeply at these building blocks and see how they are assembled to accomplish the “magic” of SSI:
-
Chapter 5 gives a big-picture overview of SSI architecture and some of the key design choices facing SSI architects.
-
Chapter 6 explains why SSI is “cryptography all the way down” and introduces the innovations in cryptography that make SSI possible.
-
Chapter 7 is a mini-textbook on the star of the SSI show: verifiable credentials (VCs). This is the only chapter with code snippets: examples of the JSON and JSON-LD data structures at the heart of the W3C Verifiable Credentials Data Model 1.0 specification.
-
Chapter 8 is a deep dive into the other foundational open standard for SSI: the W3C Decentralized Identifiers (DID) Core Specification. It includes an in-depth analysis of how DIDs solve the hardest problem in conventional public key infrastructure (PKI).
-
Chapter 9 tackles the two main tools in the hands of SSI users—digital wallets and digital agents—and covers lessons learned from the first generation of implementers.
-
Chapter 10 goes even deeper into the very heart of SSI: decentralized cryptographic key management. It includes a full analysis of the most significant innovation in this space: Key Event Receipt Infrastructure (KERI).
-
Chapter 11 explains why all of this fabulous new technology will produce real-world benefits only if it is harnessed to a different kind of tool for trust: governance frameworks (aka trust frameworks) that provide the “glue” to business, legal, and social policies.
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.