Architecting a Modern Identity Solution

Transcript

1. None

2. https://creativecommons.org/lic enses/by-sa/4.0/ Architecting a Modern Identity Solution Richard Esplin October

   2019

3. Agenda • What is self-sovereign identity • Verifiable credentials •

   Hyperledger Projects • Governance • Future

4. What is Self Sovereign Identity?

5. Carriers of Identity: Clothing

6. Carriers of Identity: Possessions

7. Carriers of Identity: Documents

8. A Useful Credential Carried by the individual as a possession

   Issued by a relevant authority (including self-issued) Presented by the individual (or can be withheld) Presentation of credential can be private Hard to forge Can be revoked, but still presented Can be verified
9. None

10. Account Based Identity Model Org You Account

11. Federated Identity Model Org You Identity Provider Account

12. Digital Identity

13. AND INTRODUCED TREMENDOUS PROBLEMS

14. None
15. None

16. Ten Principles of Self-Sovereign Identity 1. Users must have an

    independent existence. 2. Users must control their identities. 3. Users must have access to their own data. 4. Systems and algorithms must be transparent. 5. Identities must be long-lived. 6. Information and services about identity must be transportable. 7. Identities should be as widely used as possible. 8. Users must agree to the use of their identity. 9. Disclosure of claims must be minimized. 10. The rights of users must be protected. Christopher Allen, 2016 http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html

17. Self-Sovereign Identity is …

18. Also Known As User-Centric Identity User-Controlled Identity Bring Your Own

    Identity Portable Digital Identity Decentralized Identity

19. Verifiable Credentials

20. W3C Verifiable Credentials Ecosystem Holder Issuer Verifier Issues Credential Presents

    Credential Decentralized Identifiers (DIDs) Public Blockchain or other Decentralized Network Signs Credential Countersigns Credential Verifies Signatures Wallet

21. Sovrin Verifiable Credentials Ecosystem Prover Issuer Verifier Issues Credential Presents

    Credential Decentralized Identifiers (DIDs) Public Blockchain Signs Credential Countersigns Credential Verifies Signatures Wallet Pairwise Pseudonymous DIDs Pairwise Pseudonymous DIDs

22. Sovrin Verifiable Credentials Ecosystem Prover Issuer Verifier Issues Credential Presents

    Credential Decentralized Identifiers (DIDs) Signs Credential Countersigns Credential Verifies Signatures Wallet Zero Know-ledge Encoding Zero Know-ledge Proof Public Blockchain

23. The Trust Triangle Holder/ Prover Issuer Verifier Verifiable Credential Proof

    Trust Ledger

24. Buying a fish

25. Peer Peer Connection Aaliyah’s International Friendly fish, sustainable and responsibly

    distributed! Verify our story! Connecting to: Aaliyah’s International DID DID

26. Credential from: Marine Stewardship Advocates Claim: fish sold by Aaliyah’s

    International are sustainably caught or bred Inspection Date: December 8, 2018 Inspection Number: 1576295029659 Holder Verifier Proof Ledger

27. Thank you for purchasing! Please use your phone to finalize

    the transaction… Credential request: Aaliyah’s International Would like: • Proof of age • Permit for owning an exotic species • Certification of veterinary availability Holder Verifier Proof Request

28. Credential from: Utah State University Claim: Richard Esplin completed the

    following classes Computer Science (B) Tiger Handling (C) Ecology (C) Wildlife Management (D) Date: June 16, 2018 Credential from: Salt Lake City, Utah, United States Claim: Richard Esplin is permitted to possess an exotic species within our city. Date: January 10, 2019 Credential from: Utah Aquatic Veterinarians Claim: Richard Esplin is a customer of our business in good standing. Date: December 15, 2018 Credential from: Utah Division of Motor Vehicles Claim: Richard Esplin is licensed to drive Address, Birthdate, Restrictions … Issue Date: December 15, 2018 Composition Credential from: Richard Esplin Claim: • Older than 18 Provided by: Utah Department of Motor Vehicles • Permit for owning an exotic species Provided by: Salt Lake City, Utah, United States • Certification of veterinary availability Provided by: Utah Aquatic Veterinarians

29. Holder Verifier Credential from: Richard Esplin Claim: • Older than

    18 Provided by: Utah Department of Motor Vehicles • Permit for owning an exotic species Provided by: Salt Lake City, Utah, United States • Certification of veterinary availability Provided by: Utah Aquatic Veterinarians Proof Ledger

30. Your delivery will be done by: Speedy Delivery Incorporated Credential

    from: Aaliyah’s International Claim: an employee from Speedy Delivery Incorporated may act on our behalf Date range: January 16, 2019 to January 31, 2019 Issuer Holder Verifiable Credential Ledger

31. Connecting to: Speedy Delivery Incorporated Connect to arrange delivery Credential

    from: Aaliyah’s International Claim: an employee from Speedy Delivery Incorporated may act on our behalf Date range: January 16, 2019 to January 31, 2019

32. Credential from: Richard Esplin Claim: an employee from Speedy Delivery

    Incorporated may access a porch delivery box in my possession. Date range: January 16, 2019 to January 31, 2019

33. Credential from: Aaliyah’s International Claim: an employee from Speedy Delivery

    Incorporated may act on our behalf Date range: January 16, 2019 to January 31, 2019 Update from: Aaliyah’s International Message: Your delivery service has changed. Delivery will be completed by: Advanced Delivery January 28, 2019 Revoked Credential from: Aaliyah’s International Claim: an employee from Advanced Delivery may act on our behalf Date range: January 16, 2019 to January 31, 2019 Issuer Revocation Registry Verifier Proof Ledger

34. Credential from: Richard Esplin Claim: an employee from Speedy Delivery

    Incorporated may access a porch delivery box in my possession. Date range: January 16, 2019 to January 31, 2019 Credential from: Richard Esplin Claim: an employee from Advanced Delivery may access a porch delivery box in my possession. Date range: January 16, 2019 to January 31, 2019 Revoked Connecting to: Advanced Delivery

35. Credential from: Aaliyah’s International Claim: the following employee of Advanced

    Delivery is acting as our representative Name: Julio Valdez Date range: January 28, 2019 to January 30, 2019 Credential from: Richard Esplin Claim: a porch delivery box in my possession accepted a package From: Julio Valdez an employee of Advanced Delivery acting as a representative for Aaliyah’s International Date: January 29, 2019

36. Credential from: Richard Esplin Claim: Luciana Black has access to

    my front door Number of times: Unlimited Date range: January 16, 2019 to January 31, 2019 Credential from: Richard Esplin Claim: Luciana Black has access to a porch delivery box in my possession Number of times: 1 Date range: January 16, 2019 to January 31, 2019

37. Hyperledger

38. Relevant Projects

39. Aries RFCs defining protocols Aries Cloud Agent Python Emerging language

    libraries, frameworks, and agents

40. Hyperledger Indy Public Permissioned Blockchain Custom built for Identity RBFT

    Consensus

41. Hyperledger Indy Catalyst Plenum Node SDK Agents Ursa Wrappers LibVCX

    LibNullPay LibIndy Python NodeJS Rust Java ObjectiveC Cloud Thin Mobile Edge Wallet Static Issuer Edge Aries

42. Correlation = Linkability Attribute based correlation Identifier-based Correlation Signature or

    Hash-based Correlation Timing Inferences Including if Multiple Parties Share Information (Collusion) The Problem is Correlation

43. Ensuring Privacy The prover chooses when to disclose. The prover

    selects what should be disclosed. Don’t share more attributes than necessary Don’t share with more precision than necessary The verifier and the issue do not communicate. The prover can present to any verifier. A proof can hold multiple credentials from multiple issuers. A credential is anonymously revocable.

44. You Don’t Have to Deploy Your Own Engineered solely for

    privacy-enhancing self-sovereign identity Global public utility that no single entity owns or controls Open source, open standards, open governance Fast, efficient—based on Hyperledger Indy

45. More Than Code

46. All blockchains are governed—whether it is implicit or explicit.

47. Creating Trust Moral Pressure Reputational Pressure Institutional Pressure Security Systems

    Bruce Schneier, 2012 Liars and Outliers: Enabling the Trust that Society Needs to Thrive

48. The BLT Business Legal Technical

49. A credit card network relies on a trust framework to

    establish trust between the parties

50. The trust in any SSI digital credential will depend on

    the trust framework under which it is issued Digital Credential

51. Every digital credential intended to serve more than one issuer/verifier

    needs a domain-specific governance framework. It specifies what issuers will issue what credentials under what policies to achieve a community’s trust objectives. — Drummond Reed Chief Trust Officer, Evernym

52. 52 Digital Credential Governance Framework

53. Holder/ Prover Verifier Verifiable Credential Proof Trust Verifiable Credential Governance

    Authority (Issuer) Governance Framework Publishes Proof Holder / Prover Issuer Governance Frameworks

54. Layer One: DID Networks (Public Ledgers) Agent/Wallet/Hub Connection Pairwise Pseudonymous

    Peer DIDs Issuer Verifier Holder Trust Layer Three: Credential Exchange Verifiable Credential ✔ Proof Agent/Wallet/Hub DID Method DID Network DID Method DID Network DID Method DID Network Trust over IP Technology Stack Technical Trust Human Trust Governance Authority Publishes Governance Framework > > Layer Two: DIDComm Layer Four: Governance Frameworks

55. A Usable Digital Identity is Self-Sovereign • Is built with

    open source and open standards • Have a decentralized root of authority (blockchain) • Keeps personal data off the public ledger • Allows selective disclosure • Resists correlation • Exists within a trust framework

56. The Future

57. Aries Test suite Shared libraries More libraries, frameworks, and agents

58. Safe Wallet Resolver Cred Impl Crypto Aggregate Functions lang wrapper

    C-callable API Framework Cache Unsafe Wallet Aries Rust libraries external interface internal interface

59. Ursa Annoncreds 2.0 Support for additional predicates Bullet Proofs for

    ZKPs Support for hardware security modules

60. Identity Working Group Establish best practices Cross-project coordination https://wiki.hyperledger.org/display/IWG/Identity+WG+Implementers+Call Every-other

    Thursday at 17H Central Europe

61. Layer One: DID Networks (Public Ledgers) Layer Two: DIDComm Agent/Wallet/Hub

    Connection Pairwise Pseudonymous Peer DIDs Issuer Verifier Holder Trust Layer Three: Credential Exchange Verifiable Credential ✔ Proof Agent/Wallet/Hub Layer Four: Governance Frameworks Trust Anchor Insurer Governance Authority Auditor Auditor Accreditor Credential Registry Hardware Developer Software Developer Agency Transaction Author Transaction Endorser Steward DID Method DID Network DID Method DID Network DID Method DID Network Trust over IP Technology Stack Trust over IP Governance Stack Network Governance Frameworks Provider Governance Frameworks Credential Governance Frameworks Technical Trust Human Trust Governance Authority Publishes Governance Framework > > Metasystem Governance Frameworks
62. None

63. Discussion

64. Appendix

65. Broadening Contributor Communities

66. Holder/ Prover Issuer Verifier Verifiable Credential Proof Trust The Trust

    Triangle

67. Sovrin Governance Framework