Interview with Kim Hamilton Duffy (Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT)

Self-Sovereign Identity allows individuals to fully control their personal data and the relationships in which their identity is used, choosing who gets to “see” it and how much of it they get to “see”.

Self-Sovereign Identity “privileges individual ownership of credentials, rather than custodianship of credentials by a software provider or issuing institution”. (source)

That’s according to Kim Hamilton Duffy, Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT (Digital Academic Credentials Initiative). 

For her, the path towards a truly decentralized identity management system is through Decentralized Identifiers (DIDs) and Verifiable Credentials. She sees these as fundamental elements of Self-Sovereign Identity, promising to address the shortcomings of existing decentralized credentialing solutions such as Blockcerts, a blockchain-based credentialing solution that Kim developed in collaboration with the MIT Media Lab in order to solve the problem of decentralized verification.

Decentralized Identifiers

According to the W3C DID specification, “DIDs are URLs that relate a DID subject to means for trustable interactions with that subject”. They “enable the controller of a DID to prove control over it and to be implemented independently of any centralized registry, identity provider, or certificate authority”.

In a Self-Sovereign Identity ecosystem, individuals make claims about their identity, using DIDs, and those claims are “rendered tamper proof through digital signatures” stored on the blockchain. These claims can be verified anywhere, anytime. DIDs and Verifiable Claims allow for “persistent, independent digital identities” with increased privacy and security.

Kim considers DIDs an important tool for the proliferation of Self-Sovereign Identity. Managing cryptographic keys is a cumbersome process. DIDs make it easier for an individual to “retain ownership of their identifiers over time”. They “offer cryptographic strength while factoring in the full lifecycle of keys, including expiration and revocation”. Decentralized Identifiers help prevent a “situation in which all of a person’s data is tied to a single individual identity profile” by allowing an individual to have as many DIDs as he or she may wish in order to “curate their identity profiles and increase their privacy”. (source)

DIDs also benefit institutions and organisations who issue or verify identity. Their decentralized nature makes identity always available for verification, as opposed to a system where identity is held in a centralized database that may be rendered useless if it goes offline for any reason (or, in a worst case scenario, is destroyed).

In the Use Cases for Decentralized Identifiers, you can read what Kim considers the 15 required features for DIDs.

Open Standards

“The Blockcerts standard was published under the MIT open source license in 2016 so that any institution, vendor, or researcher can use it to build their own applications for issuing and verifying claims on the blockchain”. For Kim, it’s extremely important that identity solutions rely on open standards in order to achieve “maximum interoperability and portability of documents and data, without sacrificing privacy or individual control”. To her, openness and standards compliance are essential.

Kim believes that through open standards, DIDs and Verifiable Credentials, there is a possibility to evolve the identity management paradigm to one that preserves the privacy, security and self-sovereignty of the individual, with Blockchain opening the door to true individual control of personal data.

We had the opportunity to ask Kim Hamilton Duffy a few questions:

Q&A

What are your responsibilities (and goals) as the Architect of the Digital Academic Credentialing Infrastructure at MIT (Digital Credentials Initiative)?

For context, the Digital Credentials Initiative is a university-led effort to develop a learner-centric digital credentialing ecosystem. I joined the initiative to drive the technical architecture and prototype/implementation rollout with the technical working group. Our initial focus is on standards, requirements, and shared infrastructure. We’re not defining competing standards; we’re identifying existing standards that suit our use cases, and extending/adapting them where necessary. So this effort complements existing credentialing standards (such as W3C Verifiable Credentials) and well-known vocabularies/taxonomies in the EDU/OCC space.

There are two characteristics that make this effort special. One is our participants’ commitment to include a broader range of perspectives and expertise. We felt that emerging decentralized credentialing standards showed a lot of promise, but that there were many open questions and gaps (not just technical — policy, governance, and more) that needed to be addressed. So for us, it was important to lead the effort with a well-rounded set of stakeholders.  

The other interesting characteristic is our ability to strongly advocate for learner use cases. The learner side often gets deprioritized in existing credentialing systems, resulting in limited ability for learners to access, store, and use their credentials across systems (as an example, credential exchange protocols are still in early phases of development). This initiative is positioned (and committed) to drive these standards and requirements forward – and even develop reference implementations if the market is not providing them.

In the field of Digital Identity, what is the question that people should be asking more but aren’t?

It’s critical to have clearly defined use cases when dealing with digital identity. I think many efforts start that way, but then get muddied by adding on — almost as an afterthought — higher stakes use cases that are not well-understood. When I say “higher stakes”, I mean the stakes may be higher for the populations involved (e.g. displaced persons needing access to resources) or the nature of the claim itself (e.g. containing more private information). The risk is that a poorly-informed “solution” can do more harm than good. 

One reason is that “identity” is so overloaded and potentially all-encompassing. If instead, we’re precise about the capabilities we are building, we may not need to “go to ‘identity’” (phrase borrowed from Steve Wilson). Further, pushing for use case clarity, as well as continually learning from intended users, allows us to build systems for our users (as opposed to systems that are imposed on them).

What needs to be true for SSI to achieve mass adoption, and what use cases do you think will gain early traction?

First, a caveat. SSI on its own is not something we can reasonably ask people to adopt — it’s an idea, with a confusing name at that, due to baggage associated with the word “sovereign”. (For clarity, I’d like to point readers to Christopher Allen’s 10 principles of self-sovereign identity and also Philip Sheldrake’s Generative Identity – beyond self-sovereignty). That said, those of us working in the decentralized identity space have not done a great job communicating the value-add or articulating concise use cases that, if solved, would actually warrant adoption.

An example: an SSI advocate might lead in with “imagine a Facebook but where you control your data”. Here are the problems with pitches like that:

  • Control and privacy are not features many users will pay for. In fact, some users accept (or at least claim to accept) that their data is already for sale so they might as well get paid for it. The downsides of thinking of data as property are more thoroughly analyzed in Elizabeth Renieris’ “Do we really want to “sell” ourselves? The risks of a property law paradigm for personal data ownership”.
  • Many users believe (rightly so, in many cases) that they must choose between usability/convenience on one hand and privacy/control on the other. Users are accustomed to the conveniences of centralized systems, and we need to work harder on UX.

In sum, we need to (1) improve usability and capabilities (particularly in “exceptional” cases requiring recovery of control), (2) develop interoperability standards currently missing in the decentralized identity stack, and (3) focus on compelling user-focused scenarios.

So there’s a lot of work to do, but there are some use cases that can obtain immediate traction. Those involve public claims (i.e., without sensitive data) that are improving efficiencies of existing workflows. This includes educational and occupational claims (equivalent to what you would post on LinkedIn), and government/business registries. As an example of the latter, Samantha Chase, founder of Venn Agency, is doing some interesting work around safety credentials backed by British Columbia’s Verifiable Organizations Network and OrgBook BC. This approach improves transparency and efficiency around safe workplace claims, which can further benefit companies through reduced costs (in the form of insurance discounts, for example).

Specific roadblocks other people in this space should look out for?

In the decentralized identity space, discussions around GDPR (and similar emerging privacy protections) have focused too much on rationalizing existing technical choices. It seems like every discussion about GDPR jumps to a debate about whether a hash of PII on a blockchain is acceptable. While I’ll steer away from that specific question, I think this misses the point, which is that designing systems for privacy and individual control offers exciting architectural challenges. It’s an opportunity to design systems more responsibly, which can lead to cleaner architectures that limit liability and exposure.

In my mind, GDPR has been generous in its rollout, and as long as system designers are being mindful about how user data is handled, and documenting decisions along the way, then they’ve made tremendous progress. And while it’s important to stay up-to-date as the consequences of such regulatory frameworks emerge, having documented your decisions along the way will make everyone’s life much easier.

What are your hopes for the digital identity field in the future?

I’d like for us to develop meaningful ways to include more diverse perspectives and expertise in our decentralized identity-focused groups. In our eagerness to develop core building blocks, technical folks (myself included) have sometimes inadvertently created sandboxes that exclude essential perspectives. We need to improve how we communicate about what we’re building. But more importantly, we need to actively engage, listen to, and accept leadership from people with a broader range of backgrounds and experience.

What is the book (or books) you have recommended most to others?

Because many of the writings I find interesting are not yet in book form, I’m going to include some blogs as well. Here are the writers/writings I keep coming back to:


We, at Tykn, would like to thank Kim Hamilton Duffy for her time and for sharing her ideas and knowledge with us. Thank you, Kim! Be sure to follow her Blog and Twitter.

Tykn is a digital identity company. If you’re keen on reading more we suggest:

  • Interview with Tim Bouma (Senior Policy Analyst for Identity Management at the Treasury Board Secretariat of the Government of Canada).
  • This Definitive Guide to Identity Management with Blockchain.
  • Interview with David Lamers (Blockchain Specialist at Rabobank) about the bank’s research and Self-Sovereign Identity Initiatives.

Libra – A solution to its identity problem

Facebook announced the creation of a cryptocurrency named Libra. Running on a permissioned blockchain, the governance model is backed by The Libra Association, composed of Visa, Mastercard, PayPal, Uber, Spotify and several others.

Libra will be exchangeable via WhatsApp and Facebook Messenger and it will allow for payments in “offline” locations.

According to the Association’s website, its mission is to create “a simple global currency and financial infrastructure that empowers billions of people”. This includes, as they mention, the 1.7 billion unbanked.

In theory, Libra could provide a useful solution to all those with difficult access to money and banking services. People such as the unbanked, refugees or displaced people who lost access to those services. As Tykn’s CEO, Tey Al-Rjula, has stated several times: “in aid, time is lives”. Some people cannot wait for Monday to access funds because banks do not work during the weekends.

Why Libra may only be effective for the well established and leave out the marginalised it set out to help

Many things are still to be understood and clarified prior to its 2020 release, but one thing is certain: to use Libra, a verification with a government issued ID will have to be made. But this won’t solve the problem of the unbanked and the refugees. Globally, 1.2 billion people do not have an identity recognised by a sovereign state, either because they never had one in the first place or because their identity was lost due to inefficient identity registration procedures, wars or disasters. One such case is Tykn’s CEO who, at the age of 5, had his birth certificate destroyed because the birth registries in Kuwait were burnt during the Gulf War. Many of the unbanked and the refugees The Libra Association (and Facebook) want to help are the same people who don’t own the identifying document needed to use Libra. Identity, the missing layer that already prevents these people from accessing services such as healthcare, education or banks, will again be the problem.

Within Libra’s Whitepaper, the only mention of identity is a vague statement: “An additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition”. This does not offer any indication of how The Libra Association is planning on including the unidentified.

How then could Libra help the unbanked and the refugees?

By implementing Self-Sovereign Identity principles and allowing for trusted organisations within the Libra ecosystem to issue Verifiable Credentials.

If a trusted NGO within the Libra Association could issue a Verifiable Credential to, say, a refugee, the other organisations in the Libra ecosystem would be able to trust that credential without even having to check the actual data contained within it. They would only need to use the blockchain used for the identity infrastructure (one such as Sovrin) to check the validity of the attestation and attesting party (such as that NGO) from which they can determine whether to validate and accept the credential.

Each user would keep their own data, those Verifiable Credentials, in their own personal digital identity wallet, private and secure.

The innovative technology of Self-Sovereign Identities would allow trust between all the parties within the Association, while guaranteeing the authenticity of the credentials and the privacy and security of users. No personal data would be stored on any blockchain, or centralised servers, and each user would be the single owner of their own data.


Tykn is a digital identity company. If you’re keen on reading more we suggest this Definitive Guide on Identity Management with Blockchain.

10 Digital Identity experts you should follow right now

Digital Identity and Self-Sovereign Identity are some of the most exciting fields in technology and innovation right now. We round up a list of 10 Digital Identity experts that you should follow if you want to be up to date on all the cutting edge developments in this space.

Christopher Allen

Christopher Allen is a Blockchain & Decentralized Identity Architect, Internet Cryptography Pioneer and co-author of the TLS Security Standard.

Allen wrote the influential The Path to Self-Sovereign Identity text in which he shares his “vision for how we can enhance the ability of digital identity to enable trust while preserving individual privacy”.

“Self-Sovereign Identity is the next step beyond user-centric identity and that means it begins at the same place: the user must be central to the administration of identity. That requires not just the interoperability of a user’s identity across multiple locations, with the user’s consent, but also true user control of that digital identity, creating user autonomy. To accomplish this, a self-sovereign identity must be transportable; it can’t be locked down to one site or locale.” – The Path to Self-Sovereign Identity

@ChristopherA

Kim Cameron

Kim Cameron is the former Chief Architect of Identity at Microsoft. Cameron wrote the seminal paper The Laws of Identity, which aims to highlight the problem of the Internet having been built without means to know who and what we are connecting to, and its possible solutions. He is described by Phil Windley, Chairman of the Sovrin Foundation, as a “being from the future” as his 2005 Laws of Identity are only now being understood.

“Digital identity requires (…) a unifying identity metasystem that can protect applications from the internal complexities of specific implementations and allow digital identity to become loosely coupled. This metasystem is in effect a system of systems that exposes a unified interface much like a device driver or network socket does. That allows one-offs to evolve towards standardized technologies that work within a metasystem framework without requiring the whole world to agree a priori.” – The Laws of Identity

Kim’s Blog

Drummond Reed

Drummond Reed is Evernym’s Chief Trust Officer. Evernym was born to solve the problem of siloed identity: massive databases of personal data that become honey pots for hackers and liabilities for the database owners. The solution? An identity each one of us can own. A Self-Sovereign Identity.

Reed was also the co-founder and co-author of the Respect Trust Framework, which was honored with the Privacy Award at the 2011 European Identity Conference.

Evernym are the inventors and original Founding Steward of Sovrin, the global public network enabling portable and private digital identity for all. Tykn is proudly one of Sovrin’s Stewards.

What Self-Sovereign Identity “means is that every digital relationship you have will be unique, private, and secure. There is no need to log in “with” anybody. This is a new type of relationship that has never been possible before and it is set to revolutionize the way that we interact with each other online.” – Why Login at all?

@drummondreed

Heather Vescent

Heather Vescent is, in her words, “obsessed with this new technology”, Self-Sovereign Identity, that uses identity standards that will allow for interoperability. For her, digital identity is a base layer where everything else is built on top and people are now starting to realise its importance. According to Heather, banking, healthcare and Internet applications have been building their own siloed identity solutions that are not interoperable between each other and Self-Sovereign Identity can change that.

Heather Vescent owns and operates a foresight and strategic intelligence consultancy and co-authored Your Guide to Self-Sovereign Identity with our next person you should follow, Kaliya Young.

@heathervescent

Kaliya Young

Kaliya, aka Identity Woman, has “committed her life to the development of an open standards based layer of the internet that empowers people”.

Her masters report, Domains of Identity, is a framework that explains the 16 domains of identity and how Self-Sovereign Identity can essentially change the relationships within those domains. Kaliya has a Master of Science in Identity Management and Security and has been named one of the most influential women in tech by the Fast Company Magazine.

“To get to this future we need to coordinate the development of common building blocks: code, infrastructure and protocol. We must ship interoperable products. And we need to work towards alignment, not control.” – The Domains of Identity Presentation

@IdentityWoman

Phil Windley

Phil Windley is the chairman of the Sovrin Foundation as well as the co-founder and organizer of the Internet Identity Workshop. He served as CIO for the State of Utah and holds a Ph.D. in Computer Science from the University of California.

“Because there’s no central authority controlling DIDs and because people can issue private DIDs themselves, they constitute a truly decentralized means of not only creating identifiers, but using them for mutual authentication, privacy preservation, and secure communication of almost any information parties need to share.” – Decentralized Identifiers

@windley

Kim Hamilton Duffy

Kim Hamilton Duffy is the CTO of Learning Machine and Principal Architect of Blockcerts (which collaborated with the MIT Media Lab to develop an open standard for issuing and verifying credentials on a blockchain). She also co-chairs the W3C Credentials Community Group and is a member of the Rebooting Web of Trust board and the Steering Committee for the Decentralized Identity Foundation.

“It is time to evolve data management paradigms from those based on a centralized web architecture to those functioning from the decentralized web. Only in this way can individual self-sovereignty be guaranteed in a world where centralized authorities exert irreversibly amplifying control over digital infrastructures, and security breaches will only become more common.” – The Time for Self-Sovereign Identity Is Now

Kim is also a researcher at the “Digital Credentials Initiative” at MIT.

@kimdhamilton

Michiel van der Veen

Michiel van der Veen is the Director of Innovation & Development at the National Office for Identity Data in the Ministry of the Interior of The Netherlands. He is also an identification, biometrics and privacy-by-design expert for the ID4D program at the World Bank Group.

“In addition to digital ID, Biometric ID methods are also promising in poor and developing countries where scores of people still go unregistered. According to the World Bank, nearly a billion people are still unable to prove their identity, and millions more have forms of identification that cannot be reliably verified or authenticated.” – Privacy-by-design leads the way in keeping your online identity safe

@MvdVan

Tim Bouma

Tim Bouma is a Senior Policy Analyst focused on Identity Management for the Treasury Board Secretariat of the Government of Canada.

“My belief that humans still need to be involved in that first-time or “origin” registration of creating the digital identity and linking to the real person. This is the hardest part of creating a digital identity. This origin registration may be an expensive and inconvenient process to carry out, but with the value (and potential harm) associated with it — a digital identity that is, or not, under your control — the fully digital alternatives may be too risky (today, at least). However, once that origin registration is carried out, your digital identity can be easily assured on an ongoing basis, using cryptography, verifiable claims, etc. But that digital identity, to be trusted, must be traceable back to that origin registration.” – Digital Identity – the hardest part

@trbouma

Darrell O’Donnell

Darrell O’Donnell is the CTO at CULedger and Technical Advisor to multiple top-level agencies, departments, and services (including Canada’s and the US’ public safety and homeland security department) in the fields of blockchain and digital identity.

“Here’s the funny thing – we’re realizing that companies never really needed to own our digital identity. They did it out of necessity. Businesses are beginning to figure out what this means – and those that are wrapping their heads around blockchain identity are poised to succeed. The best are realizing that Blockchain Identity, particularly Self Sovereign Identity, is shifting the business view of digital identity. Digital identity is shifting to become a revenue driver, cost cutter, and even an asset.” – Blockchain Identity for Dummies

@darrello


Mozambique: How digital identities can help in case of a natural catastrophe

Last Thursday, cyclone Idai left a devastating trail in Mozambique. With more than 400 deaths accounted for, the International Red Cross estimates more than 400,000 people were left homeless. The United Nations is describing it as “the worst climate disaster ever in the southern hemisphere”.

The Red Cross teams on site are distributing shelter supplies to affected families and chlorine tablets to purify the water. Diseases transmitted by contaminated water are one of the biggest concerns in case of a catastrophe where normal water supplies are interrupted.

“Many families have lost everything” according to the Red Cross spokesperson, Jamie LeSueur. If they also lost their documents or if the governmental identification processes have been compromised, not being able to prove who they are can cause irreparable damage to their short term survival.

Mozambique has the third highest smartphone adoption rate in the African continent (sources 1, 2 and 3) meaning that digital identities could play a pivotal role in easing people’s suffering in a natural catastrophe scenario. This is how:

1) Aid expedition

Humanitarian aid distribution – whether shelter, food or cash based assistance – requires a strong identification layer. How else could an NGO account for what aid has been distributed and to whom?

Current identity management systems are paper-based and make this process reliant on vouchers. Paper vouchers. This not only slows the aid distribution process – and in a scenario like this time is lives – but it also jeopardizes the quality of aid provided. If a citizen loses their voucher, they have to start the aid request process all over again. Worse: unfortunately it is quite common, in a scenario like this, that vouchers are stolen or subject to fraud. In a paper-based system, NGOs have no means to efficiently combat wrongful behaviours.

Digital identities will provide an efficient way for an affected person to request aid. A trusted organisation can quickly issue a digital credential that verifies that person’s identity and allows them faster access to their services. All vouchers are digitised and, alongside the identity credentials, are held in a digital identity wallet in that person’s mobile device. Digital vouchers can’t be lost or stolen and provide an NGO with important and reliable information about who has been aided.

Digital identities leveraging distributed ledger technology provide a private and secure channel to share and request personal data to and from an organisation.

2) Displacement to another city/country

In catastrophe scenarios like this, the people affected are often displaced to another city or country. They become refugees. Not being able to prove who they are prevents them from accessing services like healthcare, education or banking and excludes them from society.

The innovative technology of Self-Sovereign Identity allows for a trusted organisation such as the government or an NGO to issue a digital credential attesting to that person’s identity. Through the use of distributed ledger technology that credential is verified with a signature from that organisation, a signature that cannot be deleted or subject to fraud.

When verifying an affected person’s identity, the verifier does not need to verify the accuracy of the data contained in the credential. The verifying party validates the signature of the issuer who issued and attested to this credential, and then decides whether it trusts the issuer’s assessment of the accuracy of the data.

A process like this eliminates the possibility of identity fraud and gives everyone in the network the same source of truth about which credentials are still valid and who attested to the validity of the data inside the credential (without revealing the actual data). It will speed up and facilitate identification processes between governmental departments and between governments, with less bureaucracy, less need for data management and fewer possible frauds.

Above all, this will ease people’s suffering as it will allow them to quickly access services, such as healthcare or banking, and be included in society again. Their identities and their access to human rights are protected. Right there on their mobile devices.
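The verification flow described in this section, and in the Libra section's account of organisations trusting an NGO-issued credential, sketched as an added example that is not from the original articles or from any project they mention. The `Ledger` class, the status strings and the `did:example:` identifiers are constructed for illustration, and a Lamport one-time signature stands in for whatever signature scheme a real ledger would use, so that the code runs on the Python standard library alone.

```python
import hashlib
import json
import secrets

# Stand-in signature scheme (assumption of this example): a Lamport one-time
# signature over SHA-256, chosen only because it needs nothing beyond the
# standard library. Each key pair may sign exactly one message.
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def _bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, message: bytes):
    # Reveal one secret per digest bit.
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]

def verify_signature(pk, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    return all(_h(signature[i]) == pk[i][bit]
               for i, bit in enumerate(_bits(message)))

def canonical(credential: dict) -> bytes:
    # Deterministic encoding so issuer and verifier hash identical bytes.
    return json.dumps(credential, sort_keys=True, separators=(",", ":")).encode()

class Ledger:
    """Constructed stand-in for the shared ledger. It holds issuer public keys
    and revocation status only, never the personal data in a credential."""
    def __init__(self):
        self.issuer_keys = {}   # issuer DID -> public key
        self.revoked = set()    # revoked credential ids

def verify_credential(credential, signature, ledger, trusted_issuers) -> str:
    """Decide on a presented credential without evaluating its claims."""
    issuer = credential.get("issuer")
    public_key = ledger.issuer_keys.get(issuer)
    if public_key is None:
        return "unknown-issuer"      # nothing on the ledger to check against
    if not verify_signature(public_key, canonical(credential), signature):
        return "bad-signature"       # altered after issuance, or wrong key
    if credential.get("id") in ledger.revoked:
        return "revoked"             # issuer withdrew it after signing
    if issuer not in trusted_issuers:
        return "untrusted-issuer"    # genuine signature, but a policy decision
    return "accepted"

def demo():
    ledger = Ledger()
    ngo_sk, ngo_pk = keygen()
    other_sk, other_pk = keygen()
    ledger.issuer_keys["did:example:ngo"] = ngo_pk
    ledger.issuer_keys["did:example:other"] = other_pk
    trusted = {"did:example:ngo"}    # the verifier's own policy, not ledger data

    # Constructed sample credential.
    cred = {"id": "urn:example:credential:1", "issuer": "did:example:ngo",
            "subject": "did:example:holder", "claims": {"registered": True}}
    sig = sign(ngo_sk, canonical(cred))
    results = {"valid": verify_credential(cred, sig, ledger, trusted)}

    tampered = dict(cred, claims={"registered": False})
    results["tampered"] = verify_credential(tampered, sig, ledger, trusted)

    other = dict(cred, id="urn:example:credential:2", issuer="did:example:other")
    other_sig = sign(other_sk, canonical(other))
    results["untrusted"] = verify_credential(other, other_sig, ledger, trusted)

    missing = dict(cred, issuer="did:example:missing")
    results["unknown"] = verify_credential(missing, sig, ledger, trusted)

    ledger.revoked.add(cred["id"])
    results["revoked"] = verify_credential(cred, sig, ledger, trusted)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10} -> {outcome}")
```

The signature and revocation checks establish only that the credential is what the issuer signed and still stands behind; whether that issuer is believed is a separate trust decision held by the verifier.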

