Trust Over IP: A Governance Standard For The Digital Identity Revolution

This document discusses digital identity and self-sovereign identity. It defines identity and explains how identity is complex and dynamic. Currently, digital identities are siloed and people do not truly own their digital identities online. Self-sovereign identity aims to give individuals control over their digital identities and decide how their data is used through decentralization and cryptography. The core principles of self-sovereign identity are for individuals to maintain ownership and control of their identity and personal data.

Uploaded by nacerix


June 6th 2020

Trust Over IP: A governance standard for the digital identity revolution

Nacer ADAMOU SAIDOU


IT Manager
IDENTITY PROBLEM OVERVIEW

2
What is Identity?

Identity is defined in different ways depending on the context (psychology, sociology, law, etc.):

“all attributes of an entity that uniquely defines that entity over the course of its existence, providing
sameness and continuity despite varying aspects and conditions.”

Identity is dynamic and multifaceted
• a person's identity is developed over time, and constantly evolves as the result of their interactions with the
environment

An identity management system must therefore be designed to be sufficiently flexible, resilient,
and dynamic to accommodate the variable and complex nature of human identity.

3
Real-World Identity

• Intrinsic identity => what we see when we look in the mirror
  • Examples: our gender identity, political identity, or cultural identity.
  • It’s who we are in the context of our relationships with our closest confidants.
  • It’s intrinsic to us and is the truest form of identity.

• Extrinsic identity => how others, often institutions, identify us.
  • Examples: a driver’s license proves our eligibility to drive on public roads; passports identify us in airports.
  • It works because institutions trust the issuing institution (government, educational, professional, and
  membership credentials).

4
The identity problem in the real life

• Proofs are usually unstructured data, taking the form of images and photocopies.
• Someone has to manually read and scan the documents to extract the relevant data to type into a system for
storage and processing.
• When the data changes in real life, the customer is obliged to tell the various service providers they
have relationships with.
• Some forms of proof can be easily faked.
  • Extra steps to prove authenticity need to be taken, such as having photocopies notarized, leading to extra
  friction and expense.

This results in expensive, time-consuming and troublesome processes for everyone.

5
What is a Digital Identity?

Nowadays, a digital identity defines us entirely: our attributes, our credentials, our interests, ...

Some of the largest internet platforms basically exist to help us express our intrinsic identity.

But there is still no good way to manage our extrinsic identities digitally.

A digital identity is information used by computer systems in order to identify a defined subject.

Source: Evernym
6
The Internet was designed to connect machines, not people

7
The Internet was designed to connect machines, not people

We don't own our digital identities, we simply ‘rent’ them
• from each website or app we use
• each organization we interact with must store our personal information in massive databases.

Consumers have unintentionally turned businesses and governments into identity management
organizations
• Unfortunately, as recent hacks have shown, not all organizations are ready to deal with this new role.
• With practically every business and billions of people now online, a siloed approach to identity doesn't work
anymore.
• The popularization of IoT in a hyper-connected world also adds its own share of complications to
online identity.

8
Real-life identity with physical credentials has been difficult to duplicate online

9
Difficult to replicate real-life identity online

• The proximity problem: when you’re dealing with people at a distance, opportunities for fraud abound.
• The scale problem: online identity systems are based on business relationships and technical integrations to
root trust authorities. All this is expensive and only done for high-value use cases.
• The flexibility problem: current identity systems are rigid, with fixed schema and use cases.
• The privacy problem: shared identifiers allow personal information to be accumulated and correlated behind
our backs.
• The consent problem: identity systems rely on universal identifiers that make it easy to correlate behavior and
keep tabs on people without their permission.
10
Self-sovereign/decentralized identity systems solve these problems using decentralization and cryptography

11
What is Self-Sovereign Identity?

Self-Sovereign Identity
“A self-sovereign identity is a permanent identity that can only be accessed in full by the person or
entity to whom it belongs, yet portions of that identity can be shown to any individual, organization, or
agency whenever it becomes relevant. Since self-sovereign identities are decentralized and encrypted,
identity theft or incidents become much less of a problem.” -- Aaron Fernando

Decentralized Identity
"is slightly different than the self-sovereign concept. A DID is completely under the authority of the
user. There is NO central registry, identity provider or certificate authority that gives the receiving entity
a “thumbs up” on the validity of the data." -- Stephen Hyduchack, CEO of Bridge Protocol

These concepts are made possible by the decentralized nature of blockchain and the trust created
by consensus algorithms

12
Self-Sovereign Identity Core Principles

Source: IBM

13
SSI/Decentralized identity redefines the way people access, control, and share their personal information

Decentralized identity allows individuals to maintain full control over their privacy, as well as
decide how and what data is shared
• A user should be able to fully own their personal digital identity.
• A user should be able to monetize their own data.
• A user should be able to choose which data to share with other parties, and trust that their data is not sold to
other parties without consent.
• A user should have the ability to isolate themselves from data breaches.
• A user should be able to revoke access from trusted third parties and have proof that the data has been deleted from
their servers.

14
SELF-SOVEREIGN GOVERNANCE

15
The Self-Sovereign Identity Bill of Rights

• Individuals must be able to establish their existence as a unified identity online and in the physical world
• Individuals must have the tools to access and control their identities
• The rights of identity holders must supersede any other platform or ecosystem entities
• The platforms and protocols on which self-sovereign identities are built must be open and transparent
• Disclosure of verified claims must be minimized
• Individuals must consent to the use of their identity
• Users must have the right to participate in the governance of their identity infrastructure
• Identities must exist for the life of the identity holder
• Identities must be interoperable
• Identities must be portable
16
Trust Over IP

To manage the identity revolution, a new organization named the Trust Over IP Foundation has been
created.

Housed at the Linux Foundation, the Trust Over IP Foundation's mission is to

"define a complete architecture for Internet-scale digital trust that combines both cryptographic trust at the machine
layer and human trust at the business, legal, and social layers".

17
Trust Over IP

Trust Over IP aims to play, for digital trust, a role similar to the one TCP/IP has played for the Internet.
• Trust is something that can be structured like TCP/IP, by combining a series of protocols and tools across
different technology layers with a series of governance documents.
• If all these frameworks align and do their job, and we figure out how to implement machine readability for
some of the protocols, trust will come to be seen as instantaneous and “stack-like” as TCP/IP.

According to the ToIP Foundation,

"this fusion of governance and technology will create a path towards a trustworthy,
universal, interoperable system for decentralized identity".

18
The Trust/IP Stack

19
SELF-SOVEREIGN IDENTITY
TECHNOLOGIES

20
Decentralized Identity Technical Standards: DID

The World Wide Web Consortium (W3C) is a technical standards body for the open internet working on
a decentralized identifier (DID) standard.

DIDs are a new type of identifier for verifiable, self-sovereign digital identity that is universally
discoverable and interoperable across a range of systems.

The DID standard is supported by the Decentralized Identity Foundation
• A consortium of companies that are developing and building applications using the DID standard, including
Microsoft, IBM, Hyperledger, Accenture, Mastercard, RSA, Civic, uPort, BigChainDB, Sovrin, and many
others

DIDs are URLs (i.e., unique web addresses) that resolve to a DID Document, which provides
information on how to use that specific DID but also references a series of service endpoints, enabling
further interactions with the DID controller.
21
Decentralized Identity Technical Standards: DID characteristics

Decentralization: no centralized authorities or single points of failure in identifier management.


Control: Entities directly control their digital identifiers without relying on external authorities.
Privacy: Entities control the privacy of their information including disclosure of attributes or other data.
Security: Enable sufficient security for relying parties to depend on DID Documents for their required
level of assurance.
Proof-based: DID subject can provide cryptographic proof when interacting with other entities.
Discoverability: Entities can discover DIDs of other entities to learn more about or interact with them.
Interoperability: Use interoperable standards so DID infrastructure can use existing tools and software
libraries designed for interoperability.
Portability: Entities can use their digital identifiers with any system supporting DIDs and DID
Methods.
Simplicity: Favor a reduced set of simple features for the technology to be easier to understand,
implement, and deploy.
Extensibility: Enable extensibility when compatible with interoperability, portability and simplicity.
22
Decentralized Identity Technical Standards: DID + Verifiable
Credentials
A DID by itself is only useful for the purpose of authentication.

It becomes particularly useful when used in combination with verifiable claims or credentials—another
W3C standard that can be used to make any number of attestations about a DID subject.

These attestations include credentials and certifications that grant the DID subject access rights or
privileges.
• For example, a verifiable claim can attest that an individual has been Know-Your-Customer (KYC) approved
and therefore eligible to open a bank account, that the same individual has been certified as eligible to drive,
or authorized to access certain programs as a system administrator

23
Decentralized Identity Technical Standards: Verifiable Credentials

Verifiable credentials are the standard way to represent extrinsic identity online.

As the primary contents of an SSI wallet, they are generally digital, tamper-proof, non-transferable,
verifiable versions of the cards you’d normally keep in a physical wallet.

You can share verified information from these credentials while preserving privacy (using
zero-knowledge proofs).

Since the credentials are yours, you don’t need a username and password to access them.
• They are therefore good candidates for protecting access to services, countering “identity theft” through social
engineering.

24
Decentralized Identity Technical Standards: Verifiable Claim

A verifiable claim contains the DID of its subject (e.g., a bank customer) and the attestation (e.g., KYC
approval), and must be signed by the person or entity making the claim using the private key associated
with the claim issuer's DID (e.g., the bank).
• Verifiable claims are thus a method for trusted authorities, such as banks, to provably issue a certified
credential associated with a particular DID.
• DID claims remain under the control of the DID subject and can be used to prove a particular attribute of the
DID subject, independently of a certificate authority, an identity provider or a centralized registry.
• Proving to be the actual subject of that DID (through a specified authentication method) enables an
individual or entity to benefit from the access privileges associated with these credentials.

25
Decentralized Identity Technical Standards: Digital Wallets

A digital wallet is a secure digital environment where you can keep verifiable credentials or currencies.
• The verifiable credentials in the wallet were given to you by trusted entities.
• You can use those credentials however you please to prove your identity or other traits.
• The credentials are yours; nobody can take them away.
• The organization that gave you the credentials may revoke them or let them expire.
• No one can even look at the contents of your wallet without your permission, not even the wallet provider.
• You can switch wallets at will, moving your wallet contents to the new one relatively painlessly.

26
Decentralized Identity Technical Standards: DID + Distributed Ledgers

While DIDs are independent of and do not require blockchain technology, they are designed to be
compatible with any distributed ledger or blockchain network.
• Since a DID may be associated with a particular private/public key pair used to sign identity claims,
it is possible to associate that key pair with key pairs used to sign financial transactions on a
blockchain.
• Most importantly, the DID specification also makes it possible to associate particular methods with a
DID, which specify the procedures for key registration, replacement, rotation, recovery, and
expiration.
• Several method schemes have been implemented so far that leverage the resilience and tamper-
resistance of blockchain technology to manage DIDs (e.g., BTCR DID, Blockstack DID, Ethereum
ERC725 DID).

The W3C group is working to ensure technical interoperability between different DID methods.

27
Decentralized Identity Technical Standards: Distributed Ledgers

How Blockchain Creates Trust

• Blockchain is immutable, or unchangeable: it is practically impossible to alter blockchain
transactions.
• Blockchain is transparent: every computer in the network has a record of every transaction that
occurred.
• Blockchain is decentralized: no one party controls the data, so there is no single point of failure or
someone who can override a transaction.

When data cannot be modified and is independently verifiable, it can be trusted.

28
Decentralized Identity Technical Standards: Distributed Ledgers

How Blockchain Helps Decentralized Identity


Currently, there is a presumption that knowledge of information is identity:
• If a person knows a social security number or password, they are presumed to be the person who that
information represents.
• And if a person knows your personal information, they can impersonate you.
Using blockchain technology to decentralize identity is about digital validation and keys:
• You must have physical access to a digital wallet with cryptographic keys that cannot be recreated, to
validate identity.

A remote hacker might have access to pieces of personal information but being able to prove an actual
identity would require physical possession of that person’s device.

29
Decentralized Identity Technical Standards: Distributed Ledgers

How blockchain can solve the identity dilemma


Self-sovereign identity systems use blockchains – distributed ledgers – so that decentralized identifiers
can be looked up without involving a central directory.
• Blockchains don’t solve the identity problem by themselves, but they do provide a missing link that allows
things we’ve known about cryptography for decades to suddenly be used.
• That allows people to prove things about themselves using decentralized, verifiable credentials just as they
do offline.
Several self-sovereign identity systems/ledgers exist now in various stages of development, including
• Sovrin
• uPort 
• Veres One.
• Onename

30
Decentralized Identity Technical Standards: Distributed Ledgers

It is important to note, however, that given the transparency and immutability of a blockchain, personal
information should never be stored on the blockchain itself.
• Yet, a blockchain can be used to track permissioning and access of personally identifying data that is
stored off-chain, thereby creating an auditable trail of information access.
• A blockchain can therefore also be used for the recording and eventual revocation of claims or
attestations, for the granting and revocation of access to personal data stores, and other functions
that may be specific to a particular identity system (e.g., claims filed and resolved as part of a dispute
resolution system regarding false attestations).

31
Decentralized Identity Technical Standards: Community

Source: IBM
32
How does it work?

33
How does it work?

Source: Rajesh
34
How does it work?

Source: Rajesh
35
SELF-SOVEREIGN BUSINESS
CONSIDERATIONS

36
Decentralized Identity: Business Impact

Self-sovereign identity has huge implications for businesses as well:

• Improved conversion: current technologies force companies to make a trade-off between assurance and
conversion.
• New engagement: additional trust helps you better engage with your stakeholders (B2C, compliance
certifications, etc.).
• Verifications:
  • SSI can help cut verification costs down.
  • SSI can help reduce business workflow complexity, particularly when requiring validation from multiple third
  parties.
• Risk: SSI can reduce your risk by letting you avoid collecting, storing, protecting, and maintaining toxic
PII.
• Compliance: PCI compliance and data protection regulations like the GDPR, CCPA, and a myriad of
others are driving adoption of SSI.

37
What's the Business Value of SSI?

Potential for new business models
• business opportunity related to providing SSI products and services (platforms, identity wallets, verification
services)

Improved customer experience
• onboard (new) customers faster
• allow employees to be in charge of their identifiable data such as certificates, diplomas or assessments they
achieved, thus drastically reducing employee onboarding times.

Cost cutting
• replace the costly KYC customer due diligence process

Public sector organizations are also leaning towards this innovation.
• the Government of British Columbia is trialing SSI to launch an OrgBook VC
• ID 2020 Alliance

38
Decentralized Identity Business: The bootstrapping challenge

The promising potential of SSI unfolds together with the challenges related to its business
implementation.
• Bootstrapping the SSI infrastructure requires tight collaboration between business partners and
competitors, typical of the coopetition model.
• Blockchain solutions work best when many different subjects work together in a decentralized and
distributed network => implementation at scale is not a technology challenge but a business one.
• The hard part = setting up the governance and collaboration model that will ensure that the federation is
reliable, secure, and affords appropriate data protection.

The SSI paradigm will have the greatest impact in a large network of SSI issuers, holders and verifiers:
• But what is the optimal bootstrapping strategy that will help achieve that scale?
• Who will pay for the verification of credentials?

Setting up the SSI infrastructure properly should, by definition, require no upfront equity, so as to prevent
single-entity dominance.
39
FUTURE CONSIDERATIONS

40
Future Considerations for Wide Adoption

Dependence of Self-Sovereignty on Technology Infrastructure
• A true self-sovereign identity system would require a certain level of infrastructure, primarily high
penetration of affordable smartphones that can securely store private keys, and reliable connectivity.
• Another problem with local key storage is the larger issue of key recovery.

In light of these issues, there is a consensus that the best practice at the moment is a custody or
guardianship model.

Digital Money and the Importance of Self-Sovereign Identity


• The use of blockchain ledgers for peer-to-peer money transfer has numerous implications in
development economics, further highlighting the need for self-sovereign identity solutions.

41
Thank you.

internetsociety.org
@internetsociety

42