Revocation means declaring a credential invalid. The ability of an issuer to revoke a credential is crucial to an identity infrastructure, mainly because identities are dynamic.
Attributes change over time (a home address or the number of children, for example), and some credentials need an expiry date, such as a passport or a driver’s licence.
To keep the system trustworthy and rule out fraud, however, credentials are immutable: once issued, no one (not even the issuer) can change the information inside a credential. So when attributes change, a new credential has to be issued and the old one has to be announced invalid. Consequently, at each proof the identity owner has to show that the credentials used in the proof are still valid. The revocation registry lets her prove this without contacting the issuer.
For example, the government issues you a credential stating that you have 3 children. A month later your family is blessed with a 4th child. The government now marks the previous credential (stating that you have 3 children) as revoked and issues a new credential stating that you have 4 children.
What is a Revocation Registry?
A revocation registry has to meet four requirements:
– Credentials need to be revocable by their issuer;
– Revocation needs to be straightforward and fast;
– Checking a credential’s revocation status needs to be privacy preserving;
– Proving and verifying the proof should be possible without contacting the issuer.
The revocation registry is a complex mathematical construction, but to get the basic idea you can picture it as a list of numbers (called factors), each with its own index in the list, e.g. 000, 001, 002, etc.
Each of these numbers can be assigned to a verifiable credential, so that every credential in the registry has its own unique factor. The product of all these numbers is called the accumulator.
The essential point is that only the factors of non-revoked credentials are included in the accumulator. Once a credential is revoked, its factor is left out of the multiplication and the accumulator value changes, see figure 1.
This accumulator is crucial in proving the validity of a credential.
When an identity owner wants to prove that her credential is valid, and thus that its factor is still part of the accumulator, she shows a verifier that her factor multiplied by the product of all the other included factors (called the witness) equals the accumulator.
This is the basic concept of the revocation registry.
Flow: Set up, issuance, proof and verification
We will now go into more detail, following the flow from set-up through issuance to proof and verification.
Step 1 – Set up for a revocable credential
Before a verifiable credential with a revocation registry can be set up, the following things need to be in place:
The issuer must publish a revocation registry.
The issuer must publish the accumulator value that describes the latest status of all the credentials associated with that registry.
Step 2 – Additional information for the identity owner
When the issuer issues a credential, it has to give the identity owner the following additional information so that she can create a valid proof.
Additional information for the identity owner:
The credential itself (a file, e.g. .json).
The index of this credential in the revocation registry (posted on the ledger), so that the prover can look up her private factor (say a).
The product of all the other factors contributing to the current accumulator (so only those of non-revoked credentials). This is called the witness (say witness = b*c*d).
Step 3 – Required actions of the issuer of a revocable credential
When an identity owner creates and sends a proof, she has to show that the credentials she uses in the proof have not been revoked by the issuer. She does this by proving that:
private factor * witness = accumulator (the latest value posted on the ledger)
For identity owners to be able to create an accurate proof, the issuer always has to complete the following tasks:
Required actions of the issuer of a revocable credential:
When a credential is revoked, the issuer updates the accumulator on the ledger, leaving this credential’s factor out of the multiplication.
So that the other identity owners can still prove that their credentials are not revoked, a witness delta is posted in the same transaction. The witness delta is the value a prover uses to adjust her witness so that her calculation (private factor * witness = accumulator) matches the updated accumulator. A holder who has been offline has to apply every delta posted since her last update, in order, before her proof will verify again.
Step 4 – Verify a proof
The proof generated by the identity owner is sent to the verifier. The verifier checks the validity of the proof by performing the following checks.
Verify a proof:
Check the attestation (the issuer’s signature on the credential) using the DID and verkey of the issuer.
Check non-revocation by checking that the latest accumulator posted on the ledger equals the output of the proof (private factor * witness).
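The whole flow above (set-up, issuance, revocation with a witness delta, holder catch-up and verification) as an added Python example built on the toy integer model this page uses for explanation. It is not code from this page, from Tykn or from any accumulator library; the `Registry` and `Credential` classes, the sample registry of four small primes and the modelling of the witness delta as the revoked factor that every other holder divides out are all assumptions made for illustration. Two caveats a practitioner should keep in mind: in this toy model the prover hands the verifier her factor and witness in the clear, which breaks requirement 3 (privacy), and the relation factor * witness = accumulator is trivially satisfied by factor = 1 and witness = accumulator, so nothing stops forgery. A real cryptographic accumulator (such as the one Hyperledger Indy uses) proves the relation in zero knowledge and binds the factor to the credential’s signature; the bookkeeping shown here is the same.

```python
"""Toy integer model of a revocation registry (illustration only, see lead-in)."""
from dataclasses import dataclass, field
from math import prod


@dataclass
class Credential:
    """What the issuer hands the holder at issuance: index, private factor, witness."""
    index: int        # position in the registry; public, posted on the ledger
    factor: int       # the holder's private factor (one of the registry primes)
    witness: int      # product of every other non-revoked factor at issuance time
    synced: int = 0   # how many ledger revocation transactions have been applied

    def apply_deltas(self, ledger):
        """Replay every witness delta posted since this holder's last sync.

        A holder who skips this step presents a witness for an old accumulator
        and is rejected even though her credential was never revoked."""
        for delta in ledger[self.synced:]:
            if delta == self.factor:       # this transaction revoked *my* credential
                continue                   # nothing to update; proofs will fail from now on
            if self.witness % delta:       # sanity check: the delta must still be in my witness
                raise ValueError("witness does not contain delta; state is inconsistent")
            self.witness //= delta         # drop the revoked factor from the witness
        self.synced = len(ledger)

    def proof(self):
        """The (toy) non-revocation proof: factor and witness, sent in the clear."""
        return self.factor, self.witness


@dataclass
class Registry:
    """Issuer-side registry state. `ledger` is the public part (steps 1 and 3)."""
    factors: dict                                 # index -> factor; distinct primes, so
                                                  # division is unambiguous
    revoked: set = field(default_factory=set)
    ledger: list = field(default_factory=list)    # one witness delta per revocation

    def _active(self, skip=None):
        return (f for i, f in self.factors.items() if i not in self.revoked and i != skip)

    def accumulator(self):
        """Product of the factors of all non-revoked credentials (published on the ledger)."""
        return prod(self._active())

    def issue(self, index):
        """Step 2: hand out the factor at `index` plus the witness built from the others."""
        if index not in self.factors or index in self.revoked:
            raise ValueError("no usable factor at this index")
        cred = Credential(index, self.factors[index], prod(self._active(skip=index)))
        cred.synced = len(self.ledger)            # witness is current as of now
        return cred

    def revoke(self, index):
        """Step 3: leave the factor out of the accumulator and post the witness delta.

        In this toy model the delta is simply the revoked factor, which every other
        holder divides out of her witness."""
        if index in self.revoked:
            return
        self.revoked.add(index)
        self.ledger.append(self.factors[index])


def verify(accumulator, factor, witness):
    """Step 4's non-revocation check against the latest accumulator on the ledger."""
    return factor * witness == accumulator


def scenario():
    """Walk through issuance, revocation, catch-up and verification; returns the checks."""
    reg = Registry(factors={0: 2, 1: 3, 2: 5, 3: 7})            # constructed sample registry
    alice, carol = reg.issue(0), reg.issue(2)
    results = {"fresh": verify(reg.accumulator(), *alice.proof())}          # True
    reg.revoke(2)                                                # carol's credential is revoked
    results["stale_witness"] = verify(reg.accumulator(), *alice.proof())    # False: not synced
    alice.apply_deltas(reg.ledger)
    results["after_sync"] = verify(reg.accumulator(), *alice.proof())       # True
    carol.apply_deltas(reg.ledger)
    results["revoked_holder"] = verify(reg.accumulator(), *carol.proof())   # False
    # Weakness of the toy model: factor 1 with witness = accumulator "verifies" too.
    results["forgeable_toy"] = verify(reg.accumulator(), 1, reg.accumulator())  # True
    return results


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` returns the five checks. The `stale_witness` case is the one that bites in practice: a holder who has not replayed the ledger since her last proof presents a witness for an old accumulator and is rejected even though her credential was never revoked, so wallets must fetch and apply the deltas before every proof.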
We would like to thank Katja Bouman for writing this thorough piece.
We started this interview with Tim Bouma talking about his expertise in digital identity and we ended up trying to solve the puzzle of a mysterious death.
On July 8, 1917, Canadian painter Tom Thomson disappeared while on a canoeing trip on Canoe Lake. Eight days later, his body was found in the lake, with a four-inch cut on his right temple. Although the cause of death was determined as “accidental drowning”, the mystery of Tom Thomson’s death, and the speculation of a potential murder, is something that persists in Canadian lore.
Tim Bouma had been a fan of Thomson’s work for years, reading biographies and collecting sketches of his work. As a cybersecurity expert specialised in digital identity, Tim had the seed of an idea forming in his mind: creating a fictional digital identity. The mystery of Thomson’s death created the perfect canvas. From March to July that year, for 100 uninterrupted days, Tim Bouma tweeted fictional journal entries channelling Tom Thomson’s persona and what he might have been doing that day.
But enough about fiction writing; back to digital identity. Tim Bouma coined the phrase Legally-Enabled Self-Sovereign Identity, or LESS Identity. That is how he wants his identity to be. These are the four characteristics of a LESS Identity:
– Minimum Disclosure: Being able to disclose the minimum personal data possible in order to use/access a service.
– Full Control: The user must have full control over what personal information he chooses to disclose (at any point in time).
– Necessary Proof: In case the verifying party needs proof of the claim a user is making, the user has to be able to provide proof that sustains the claim (e.g. attestations by a legal authority).
– Legally-Enabled: The existence of a legal framework that protects the users and the organisations providing the services while using this digital identity.
Bouma is a proponent of Self-Sovereign Identity, an approach to digital identity that puts the user at the centre of the locus of control.
The locus of control is the “degree to which people believe that they have control over the outcome of events in their lives, as opposed to external forces beyond their control”(Source).
Self-Sovereign Identity removes the middleman as a vehicle of trust. An individual can prove claims about themselves to an organisation without that organisation having to verify the authenticity of the claim with a third party: the claim carries a cryptographic signature from its issuer, and the verifier checks that signature against the issuer’s public key published on a blockchain.
Self-Sovereign Identity still has some issues to be figured out, though, like how to make sure that a digital identity corresponds to an existing person in the analogue world. According to Tim, humans will always have to be involved in the “origin” moment: the initial registration process of the digital identity. “However, once that origin registration is carried out, your digital identity can be easily assured on an ongoing basis, using cryptography, verifiable claims, etc. But that digital identity, to be trusted, must be traceable back to that origin registration.”(Source)
Pan-Canadian Trust Framework
Tim is also one of the masterminds behind the Pan-Canadian Trust Framework.
Given Canada’s different levels of Government – Provincial, Territorial and Federal – this framework aims to avoid the creation of program-centred identities and ensure “the integrity of identity management business processes”, so that everyone can rely on each other’s digital identities.
Through this framework, Canadians will be able to “seamlessly access government services on-demand across jurisdictions in a matter of moments” (Source) and the government will be able to accept “trusted digital identities from other jurisdictions, greatly streamlines program enrolment processes and reduces costs — because the client is already known and trusted.”(Source).
The ultimate goal is to be able to use a provincially or territorially issued digital identity to access a federal program, which Canada’s government sees as a “big win for all Canadians”. (Source)
What are your responsibilities as Senior Policy Analyst for Identity Management at the Treasury Board Secretariat of the Government of Canada?
My role is to develop identity management policy instruments for Treasury Board Secretariat (TBS). TBS is a central agency for the Government of Canada and is responsible for management oversight for federal departments and agencies. Our policy instruments are the basis for aligning identity management capabilities across government. We also work with the Provinces and Territories to ensure alignment across Canada, which we call the Pan-Canadian Approach. Much of the work on the Pan-Canadian Trust Framework evolved from the collaborative work we have done with our different levels of government.
In the field of Digital Identity, what is the question that people should be asking more but aren’t?
The question people should be asking – ‘Why are you setting up your own identity management systems?’ If you are setting up your own systems, you are placing an even greater burden on your clients, who have to prove themselves one more time, and remember yet another password.
What are the specific roadblocks other people in this space should look out for?
The identity management technology is largely there. Centralized and federated approaches have existed for years. Decentralized and self-sovereign approaches are rapidly evolving and will become mainstream soon. So the roadblocks are largely conceptual – it’s about understanding how your program or business fits into a larger ecosystem. Two decades ago, during the dot-com boom, everyone was setting up their own servers; now nobody does that – it’s a cloud now. Soon identity, or self-sovereign identity, will be available as a utility and controlled by the users.
What are your hopes for the digital identity field in the future?
My hope is that Canadians will be able to access services without giving a second thought to their safety and security. The systems that will enable digital identity, or more generally verifiable credentials, will be open, interoperable and as ubiquitous as GPS.
What is the book you have recommended most to others?
I could recommend my own book, but that would be self-serving. The latest book I am reading is The Blockchain and the New Architecture for Trust, by Kevin Werbach. A book which I really enjoyed, challenging my perspective, was Metaphors We Live By, by George Lakoff and Mark Johnson. I also have a few technical books on the go. I can’t say enough good things about Mastering Bitcoin, by Andreas Antonopoulos. Finally, for relaxation, I subscribe to Kindle Unlimited and churn through CIA spy-thrillers.
We, at Tykn, would like to thank Tim Bouma for his time and for sharing his ideas and knowledge with us. Thank you, Tim! Be sure to follow him on Twitter.
The number one innovative technology you should be paying attention to – whether you work in tech, innovation management, policy making or digital transformation within your organisation – is private and secure digital identity.
This technology will impact government (govtech), banking, healthcare, education and even NGOs. Privacy and security of personal data are paramount and, with the possibility of heavy fines for regulatory infringements, a concern on everyone’s mind.
This is what you must know about Self-Sovereign Identity and how your industry will be affected.
Innovative technology for Identity Management
Identity has a problem. If it is paper-based, such as birth certificates sitting idly in the basement of a town hall, it is subject to loss, theft or fraud.
A digital identity reduces bureaucracy and speeds up processes within organisations by allowing greater interoperability between departments and other institutions. But if that digital identity is stored on a centralised server, it becomes a honeypot for attackers looking to breach it and leak the personal details it contains.
Centralised storage of identity data is therefore a liability for the organisation.
A personal data breach may result in huge fines for GDPR infringement (such as the British Airways case) or simply in loss of customer trust and consequent damage to the organisation’s brand.
A technological innovation for privacy and security
We have covered extensively in this guide about blockchain and identity management how a modern digital identity management system can maintain the security and privacy of its users by decentralising data storage and by minimising the quantity of personal data stored.
This is done through cryptography (e.g. Zero-Knowledge Proofs) and blockchain technology. By implementing the innovative technology of Self-Sovereign Identity, users own their personal data and can access an organisation’s services, proving who they are and establishing trust without disclosing more personal details than the service needs. This greatly reduces the amount of data an organisation stores and thus reduces the risk of infringing personal data regulations.
An important note before we start: Self-Sovereign Identity leverages blockchain technology, but no personal data (no IDs, medical records, academic credentials, etc.) is put on a blockchain. A blockchain is immutable, and although it is extremely hard to hack or breach now, no one knows what may happen in the future. Putting personal data on a blockchain also does not comply with regulations such as GDPR and its right to be forgotten. What goes on the blockchain are the means to verify the authenticity of the data a user holds: issuer identifiers and public keys, schemas, revocation registries, pointers and references. You can read more here about what exactly goes on the blockchain.
Govtech: Government Technology
The government of British Columbia, Canada, is using an open-source blockchain framework, Hyperledger Indy, to streamline their services and cut red tape.
Canadian companies claim they waste more than 6 billion € every year on unnecessary bureaucracy. This governmental project – The Verifiable Organizations Network – believes decentralized identities and trusted credentials are the solution.
Innovation in Government Bureaucracy
Each Canadian business owner has to use three different tax numbers and navigate three different levels of governmental bureaucracy: local, provincial and federal.
Using this innovative technology, one trusted organisation within the value chain – such as the provincial government – can issue a digital Verifiable Credential to the business owner and the other organisations – such as the federal government or a financial institution – can verify that credential and trust the attestation made by the first organisation.
According to Product Lead John Jordan, their team wanted to show that this innovative technology can even be applied to more than just identity.
Use cases such as “professional associations that register members like doctors, nurses, or engineers; standards groups that certify food as organic or kosher; or businesses that need to prove their facilities have been inspected”. It can be used “to support private and secure P2P connections where verifiable credentials can be used to build trusted relationships. This can help streamline any process that involves trust.”
“Providers need to know a patient’s identity to access relevant medical and treatment histories and ensure that they are giving consistent and appropriate care.
Patients also need documentation to prove enrollment in insurance programs or other safety nets that cover medical expenses. (…)
Health insurers need to be able to identify patients to ensure that those for whom claims are submitted are actually insured and to facilitate the adjudication of claims based on the patient’s history.
A secure, inclusive, and responsible method of uniquely identifying and authenticating healthcare users over time and across facilities is central to each of these needs and the goal of achieving universal health care”.
Although this World Bank report focuses on the use of unique identifiers, which are a privacy concern because they enable correlation, we consider the reasons it gives for the importance of identification in healthcare valid.
Efficient identification is jeopardised in countries where identity and information systems are weak, either because their records are paper-based or because their digital identity management systems do not interoperate with other systems. This impedes the transfer of records or data between organisations, which ultimately leads to less efficient health services.
Private and secure channels for data transfer that establish trust between health facilities, patients, insurers and government are thus of absolute importance, and a Self-Sovereign Digital Identity could provide them.
An Innovation in Healthcare
By using a common identity metasystem, institutions within the healthcare industry could easily and seamlessly verify digital Verifiable Credentials issued by other organisations (and even issue some themselves). A healthcare facility could trust the authenticity of a patient’s credential without even needing to see all the data it contains.
These privacy-preserving channels would be assured through cryptography and Zero-Knowledge Proofs. The verifying organisation would only have to consult the blockchain for the public key of the attesting organisation or physician and check that the signature on the patient’s credential verifies under that key. If it does, the credential is authentic; if the credential was altered after signing, the check fails.
And you may ask, “But how do we know whether to trust the physician?”.
Phil Windley, Sovrin’s Chairman, answers this question: “Professionals can also create proofs from verifiable claims written about them to show that they have specific qualifications, certifications, or work at specific institutions. These claims are, in turn, verifiable in the same manner, creating a chain of trust.”
Non-interoperable identity systems are costly for institutions and troublesome and stressful for users. When patients arrive at a new facility, duplicated registrations and paperwork increase bureaucracy on one side and frustrate patients in need of care on the other.
“By allowing for secure and accurate identification and authentication of patients and enabling information exchange, they can increase the efficiency of patient management, improve the quality of treatment, reduce administrative burdens for patients, facilitate access to insurance, reduce fraud, and improve data collection.” (World Bank Report)
The digitization of healthcare identity systems is not enough though. Institutions must make sure their digital records are private and secure. Centralised healthcare records pose a major privacy risk for both patient and organisation.
The innovative technology of Self-Sovereign Identity would provide the decentralization, security, privacy and interoperability for a more efficient healthcare system.
An Innovative idea for birth registrations
1.2 billion people around the world do not have an identity, some of them because they never had one in the first place. Having no identity has grave consequences for their lives, as they are unable to access healthcare, education or banking services.
An interoperable identity system would be the innovative technology that allows hospitals, midwives or birth facilities to easily communicate a birth to the government who can instantly issue a digital birth certificate.
If you have ever moved to another country, you know how difficult it is to prove your academic qualifications. How do you prove to a prospective new employer (or the host country’s government) that you are a doctor or an engineer? How can they trust the authenticity of the paper or PDF certificate issued by your university? They have never seen that certificate before; you could have made it up in Canva and printed it. Will the new employer just take your word that you have a master’s degree?
Then starts the grinding process of having one organisation talk to another to attest that you are who you say you are and have the skills you say you have.
Self-Sovereign Identity, an innovative technology that acts as a carrier of trust, can fix this.
An academic institution could issue a certificate (a Verifiable Credential) to a graduate using Self-Sovereign Identity principles. The graduate would hold this credential in a wallet on their own devices, and the verifying institution would only have to check the cryptographic signature on the certificate against the university’s public key published on the blockchain.
This would not only allow for a person to prove their academic certifications but also to avoid fraud.
Diploma and Academic Fraud
According to a report by the Association of International Educators (link):
“George Gollin, a University of Illinois physics professor who has investigated diploma mill frauds such as that of St. Regis, says that based on his research, he estimates that 200,000 academic degrees are sold by illegal degree providers in the United States each year.”
For companies or governments, hiring professionals with fake academic credentials can eventually lead to brand damage and a public relations storm.
Innovations in Education
Self-Sovereign Identity could also play a role beyond the graduate-employer relationship: it could help within education institutions themselves by making student records private and secure. This innovative technology would allow students to privately prove claims about themselves, such as having paid tuition or having completed a course or credit that is a prerequisite for another course.
An interoperable identity metasystem would also allow an easier transfer of students – and their data – between education institutions (even those in different countries).
They think this innovative technology would improve the speed and efficiency of onboarding and identification processes for opening bank accounts, requesting a loan or setting up a payment services account. It could create a more personalised and efficient shopping experience online and in stores, or simplify “interactions with government agencies and services – such as filing taxes, applying for passports or securing support payments (e.g., Social Security)”.
All this done through “a single, reusable digital identity [that] can help people interact with a merchant, bank, government agency and countless other digital service providers with greater integrity, lower cost and with less friction”.
Of course this digital identity would need to be private and secure, and that is where self-sovereignty comes into play: a centralised store of digital identities would just become a honeypot for attackers wanting to misuse people’s financial and personal details.
Innovations in Banking
Barclays and Evernym are exploring how a decentralized, private and secure digital identity could benefit banking.
One thing this innovative technology would do is abolish usernames and passwords. “Everyone has multiple usernames and passwords – and some people use the same password for everything. Hackers love that. And it’s not just your email account they can take – once they’ve got your passwords, they can steal your whole identity,” says Jamie Smith, Strategic Engagement Director at Evernym
According to Barclays, “By 2022 it’s predicted that 40% of interactions between businesses and their customers will be affected by a form of digital ID known as self-sovereign identity (SSI).”
With Verifiable Credentials, everyone can prove claims about themselves without the need for login details such as usernames and passwords that jeopardize their data’s security and privacy.
Through the use of blockchain and cryptography (Zero-Knowledge Proofs) customers could prove claims about themselves without the actual need to disclose the personal information contained in the credentials.
– KYC: With their extensive KYC and due diligence processes, Rabobank believes they could provide “directly verifiable data” that the customer could provide to third parties.
– Mortgage: Mortgage flows require a lot of time and documents from several different sources. Most of those documents are not verifiable. Self-Sovereign Identity would allow for the verification of that data.
– HR and onboarding of employees: Rabobank wants their employees to own their own data. Reusing “certificates or assessments they achieved or did at Rabobank everywhere else. Therefore we do projects in order to save certificates, diplomas, trainings and employment credentials”. They believe this innovative technology would “drastically improve onboarding times”.
GDPR introduced the right to data portability. Previously, companies could “lock in” customers by cutting off their access to their own personal data. Now each user has the right to get a copy of the data each company holds about them.
Self-Sovereign Identities would facilitate this transfer of data and its subsequent sharing with other parties: an innovative technology that gives users the freedom to share what they want with whomever they want.
Innovation in Identity and Access Management
Identity and Access Management (IAM) software is used by companies to authenticate and authorise their users and employees and to manage them from a central repository.
Whenever a new employee is onboarded, a whole new set of accounts has to be created: a lot of different accounts, from a simple email account to databases, servers, AWS or even Slack.
Once the employee leaves, all these accounts have to be revoked the way they were created: manually, one by one. A single account that is not properly revoked is an opening for a malicious former employee to get into the company’s network and steal data.
With Self-Sovereign Identity the user would be onboarded to all the different services using a single credential, either their own or one issued by the company, stored in their identity wallet. At the moment of offboarding, only that one credential would have to be revoked to cut access to all of the accounts. This only works if every service checks the credential’s revocation status on each access, as in the verification flow described earlier.
Self-Sovereign Identity could also be an innovative technology for the Identity and Access Management space by improving the audit trail. For compliance reasons, these enterprise systems keep a log of user access for fraud prevention. The way that log is stored (sometimes a plain text file) is a concern, because privileged users could modify or delete log entries to cover their tracks. An append-only, tamper-evident log anchored to a blockchain, which is immutable by nature, is one candidate for securing access logs.
More than 1.2 billion people do not have an identity. Either because they never had it in the first place or because they lost it due to wars or natural catastrophes.
NGOs have an identity problem at hand. Duplication of registration due to paper-based identity systems is a bureaucratic burden that is costing them too much time and money.
A person affected, who is in need of humanitarian aid, has first to undergo a process of registration with an NGO before being able to access aid. In humanitarian aid, time is lives. Different humanitarian aid programs require different registrations with different NGOs. Humanitarian aid paper-based vouchers are prone to loss and fraud.
Innovation for NGOs
Verifiable Credentials and a blockchain-based identity management system would allow one NGO to issue a digital credential (e.g. a registration record) that other NGOs would be able to verify and accept, because they trust the NGO that issued it.
This innovative technology would not only reduce bureaucracy by cutting duplicate registrations; it would also allow faster and more efficient delivery of aid, with tamper-proof digital aid vouchers.
Another problem that plagues people without an identity is the inability to access services such as healthcare, education, banking or government in their host country. If these institutions trust the NGO, and therefore the credentials it issues, a person could be given access to services to a certain degree.
Self-Sovereign Identity is a major innovative technology for all industries that require identity verification, authentication, proofs of identity, transfer of personal data, and trust in those processes.
Self-Sovereign Identity eliminates the middleman as a carrier of trust, reducing its power over personal data, improving the relationship between user and organisation, increasing privacy and giving users the freedom to consent to how they share their data and with whom.
This is our core belief at Tykn. More than 1 billion people do not have an identity. Either because of loss, theft or destruction, the underlying cause is the same: weak, outdated, paper-based identity systems. Without an identity these people cannot access basic services such as healthcare or education. They become at risk, forced to live on the fringes of society.
Identity has to go digital. But that is not enough. Identities also need to be private and secure. And that’s what we do at Tykn. We are building an innovative identity and access management system that makes identity portable, private and secure.
At the heart of Tykn are people who seek purpose and technological innovation. Our growth and success has come from bringing together an exceptional team who wants to produce work that matters and makes a difference in the lives of others. We are creating a future of opportunity. Because people matter.
Join the fastest growing company in the Impact Industry and help define the future of identity.
The Tech Lead establishes a technical vision with the development team and works with developers to turn it into reality. Along the way, a Tech Lead takes on traits that other roles may have, such as a Team Lead, Architect or Software Engineering Manager but remains hands-on with code.
– Facilitate and lead the building of an agile development team (small team).
– Work with senior leadership to align business strategy with technology.
– Collaborate with the team and Product Owner to prioritize projects, design, implement, continually improve highly scalable applications and services.
– Serve as back-end tech lead on large-scale projects.
– Hands-on development of proofs of concept and evaluation of new technologies.
– Implement strategic technical decisions in cross-functional teams and provide technical guidance to other team members.
– Maintain a current understanding of industry and technology trends.
– Use a wide variety of open-source technologies and cloud services.
– Manage servers, certificates, and licenses.
– Maintain source code repositories, including those of open-source projects.
– Test case creation & execution, defect reporting, test setup creation.
– Representing Tykn at technical meetups and conferences.
– Inspire the team to achieve the vision by sharing your message effectively.
– A go-getter who isn’t afraid to get their hands dirty and dives into a project to achieve success through problem-solving.
– Agile and able to function in a fast-moving entrepreneurial environment.
– Able to translate complex technical topics into compelling, easy-to-understand stories for both tech and non-tech audiences.
– Self-starter with high energy and drive; fast-paced and results-driven; forward-thinking.
– Good cultural and organizational sensitivity; friendly, knowledgeable, and motivational to others.
– Advocate for a collaborative working environment – turn “my ideas” into “our ideas”.
– Quickly understand our products and components.
– 8+ years of software development experience, minimum 4 years in lead/architect role, mentoring, coaching and influencing team members.
– Excellent communication, collaboration, and influencing skills.
– Experience of working on products that impact a large customer base is an advantage.
– Proven hands-on experience in designing, building, improving and operating high-performance, highly-available and scalable distributed systems in fast growing environment.
– You have a ‘can do’ attitude and you act proactively, not reactively.
– Prior experience with: Java, J2EE, Spring, REST APIs, Unix, RDBMS, Maven, test-driven development.
– Agile / Scrum: continuous integration / delivery, with experience working with multiple teams and evolving technology.
– Proven hands-on experience with blockchain technologies (Hyperledger Fabric/Indy, Ethereum).
– Strong hands-on experience in AWS and its components (EC2, RDS, S3, VPC, etc.).
– Hands-on experience in build and release management tools such as Jenkins.
– Command over scripting languages such as Bash and Python.
– Must be familiar with build, release, code deployments.
– Experience with containerization tools (such as Docker).
– Experience defining and implementing deployment automation scripts / recipes.
– Exposure to MQ Series, Kafka or any other JMS broker would be a plus.
– Certified Scrum Master (CSM) by the Scrum Alliance and experience running a SCRUM team with continuous integration, automated testing.
– Knowledge of Identity & Access Management (IAM) systems.
– Basic knowledge of biometric systems.
– Knowledge of Blockchain & Self-Sovereign Identity (SSI).
– Dutch language fluency.
What we work with:
– Cryptography, Asymmetric encryption and DKMS.
– Hyperledger Indy.
– Rust, Nodejs, Android(Java), Python, Firebase.
You matter. (What’s in it for you?)
– Doing work that matters. Your work can influence the lives of millions of people.
– Scope for rapid career development, continuous training and active community participation.
– Learn like it’s your job. Within our projects you will not only be focussed on making significant global impact, you will also be continuously learning about the Impact Industry and the cutting edge of both SSI and blockchain technology.
– Compensation with benefits package and great added perks.
– Work flexible hours.
– Free healthy lunch & snacks.
– Vibrant HQ in the capital of Peace & Justice.
– A self-development budget for books or courses that power your personal and professional development.
– A Tykn Welcome Package upon arrival!
At Tykn we are aiming to become billionaires. Not in terms of money, but with impacting the lives of billions of people positively around the world.
Are you ready to become the next billionaire? Please submit your CV and cover letter to firstname.lastname@example.org. And make sure to answer the following questions:
– What is your vision for your contribution to the world, what excites you?
– Why are you applying to Tykn and not somewhere else?
– What value do you think you can bring to the company & team?
Note to Recruitment Agencies: We are already working with an agency; please do not contact us regarding this job ad.
Digital Identity and Self-Sovereign Identity are some of the most exciting fields in technology and innovation right now. We round up a list of 10 Digital Identity experts that you should follow if you want to be up to date on all the cutting edge developments in this space.
Christopher Allen is a Blockchain & Decentralized Identity Architect, Internet Cryptography Pioneer and co-author of the TLS Security Standard.
Allen wrote the influential The Path to Self-Sovereign Identity text in which he shares his “vision for how we can enhance the ability of digital identity to enable trust while preserving individual privacy”.
“Self-Sovereign Identity is the next step beyond user-centric identity and that means it begins at the same place: the user must be central to the administration of identity. That requires not just the interoperability of a user’s identity across multiple locations, with the user’s consent, but also true user control of that digital identity, creating user autonomy. To accomplish this, a self-sovereign identity must be transportable; it can’t be locked down to one site or locale.” – The Path to Self-Sovereign Identity
Kim Cameron is the former Chief Architect of Identity at Microsoft. Cameron wrote the seminal paper The Laws of Identity which aims to highlight the problem of the Internet having been built without means to know who and what we are connecting to and its possible solutions. He is described by Phil Windley, Chairman of the Sovrin Foundation as a “being from the future” as his 2005 Laws of Identity are only now being understood.
“Digital identity requires (…) a unifying identity metasystem that can protect applications from the internal complexities of specific implementations and allow digital identity to become loosely coupled. This metasystem is in effect a system of systems that exposes a unified interface much like a device driver or network socket does. That allows one-offs to evolve towards standardized technologies that work within a metasystem framework without requiring the whole world to agree a priori.” – The Laws of Identity
Drummond Reed is Evernym’s Chief Trust Officer. Evernym was born to solve the problem of siloed identity: massive databases of personal data that become honeypots for hackers and liabilities for the database owners. The solution? An identity each one of us can own. A Self-Sovereign Identity.
Reed was also the co-founder and co-author of the Respect Trust Framework, which was honored with the Privacy Award at the 2011 European Identity Conference.
Evernym are the inventors and original Founding Steward of Sovrin, the global public network enabling portable and private digital identity for all. Tykn is proudly one of Sovrin’s Stewards.
What Self-Sovereign Identity “means is that every digital relationship you have will be unique, private, and secure. There is no need to log in “with” anybody. This is a new type of relationship that has never been possible before and it is set to revolutionize the way that we interact with each other online.” – Why Login at all?
Heather Vescent is, in her words, “obsessed with this new technology”, Self-Sovereign Identity, that uses identity standards that will allow for interoperability. For her, digital identity is a base layer where everything else is built on top and people are now starting to realise its importance. According to Heather, banking, healthcare and Internet applications have been building their own siloed identity solutions that are not interoperable between each other and Self-Sovereign Identity can change that.
Heather Vescent owns and operates a foresight and strategic intelligence consultancy and co-authored Your Guide to Self-Sovereign Identity with our next person you should follow, Kaliya Young.
Kaliya, aka Identity Woman, has “committed her life to the development of an open standards based layer of the internet that empowers people”.
Her masters report, Domains of Identity, is a framework that explains the 16 domains of identity and how Self-Sovereign Identity can essentially change the relationships within those domains. Kaliya has a Master of Science in Identity Management and Security and has been named one of the most influential women in tech by the Fast Company Magazine.
“To get to this future we need to coordinate the development of common building blocks: code, infrastructure and protocol. We must ship interoperable products. And we need to work towards alignment, not control.” – The Domains of Identity Presentation
Phil Windley is the chairman of the Sovrin Foundation as well as the co-founder and organizer of the Internet Identity Workshop. He served as CIO for the State of Utah and holds a Ph.D. in Computer Science from the University of California.
“Because there’s no central authority controlling DIDs and because people can issue private DIDs themselves, they constitute a truly decentralized means of not only creating identifiers, but using them for mutual authentication, privacy preservation, and secure communication of almost any information parties need to share.” – Decentralized Identifiers
Kim Hamilton Duffy is the CTO of Learning Machine and Principal Architect of Blockcerts (that collaborated with the MIT Media Lab to develop an open standard for issuing and verifying credentials on a blockchain). She also co-chairs the W3C Credentials Community Group and is a member of the Rebooting Web of Trust board and the Steering Committee for the Decentralized Identity Foundation.
“It is time to evolve data management paradigms from those based on a centralized web architecture to those functioning from the decentralized web. Only in this way can individual self-sovereignty be guaranteed in a world where centralized authorities exert irreversibly amplifying control over digital infrastructures, and security breaches will only become more common.” – The Time for Self-Sovereign Identity Is Now
Kim is also a researcher at the Digital Credentials Initiative at MIT.
Michiel van der Veen is the Director of Innovation & Development at the National Office for Identity Data in the Ministry of the Interior of The Netherlands. He is also an identification, biometrics and privacy-by-design expert for the ID4D program at the World Bank Group.
“In addition to digital ID, Biometric ID methods are also promising in poor and developing countries where scores of people still go unregistered. According to the World Bank, nearly a billion people are still unable to prove their identity, and millions more have forms of identification that cannot be reliably verified or authenticated.” – Privacy-by-design leads the way in keeping your online identity safe
Tim Bouma is a Senior Policy Analyst focused on Identity Management for the Treasury Board Secretariat of the Government of Canada.
“My belief that humans still need to be involved in that first-time or “origin” registration of creating the digital identity and linking to the real person. This is the hardest part of creating a digital identity. This origin registration may be an expensive and inconvenient process to carry out, but with the value (and potential harm) associated with it — a digital identity that is, or not, under your control — the fully digital alternatives may be too risky (today, at least). However, once that origin registration is carried out, your digital identity can be easily assured on an ongoing basis, using cryptography, verifiable claims, etc. But that digital identity, to be trusted, must be traceable back to that origin registration.” – Digital Identity – the hardest part
Darrell O’Donnell is the CTO at CULedger and Technical Advisor to multiple top-level agencies, departments, and services (including Canada’s and the US’ public safety and homeland security department) in the fields of blockchain and digital identity.
“Here’s the funny thing – we’re realizing that companies never really needed to own our digital identity. They did it out of necessity. Businesses are beginning to figure out what this means – and those that are wrapping their heads around blockchain identity are poised to succeed. The best are realizing that Blockchain Identity, particularly Self Sovereign Identity, is shifting the business view of digital identity. Digital identity is shifting to become a revenue driver, cost cutter, and even an asset.” – Blockchain Identity for Dummies
The Hague, May 20, 2019 – Tech start-up Tykn has received an investment of 1.2 million euros from Dutch IT entrepreneur Johan Mastenbroek. By using smart technology and blockchain the start-up is developing a digital identity management platform, which allows public and private institutions to issue and verify digital identity credentials. It is an innovative way to share and request personal data proofs, which protects identities against getting lost. A solution for the 1.2 billion people worldwide who have never had an identifying document or whose proof of existence got lost because of inefficient identity registration, wars or disasters.
Both Tykn and Mastenbroek are excited about the collaboration. “With Johan Mastenbroek as investor we do not just gain a financial partner, but also an experienced one. He has essential knowledge about blockchain and digital identity cases, which helps us to further develop our platform”, said Tey Al-Rjula, CEO of Tykn. “This collaboration is an important step in getting closer to the world as we envision it: a world where identities are portable, private and secure, so that no one has to lose access to their identity ever again.”
Tey Al-Rjula has personally experienced what it is like to be ‘invisible’. “My birth certificate got lost during the Gulf war in Kuwait. I lived as an ‘invisible’ man in the Netherlands when my work contract expired and I ended up in an asylum centre. There I met many Syrian refugees who had also lost their identity and faced the same problems as I did. As without an identity you do not have access to many basic needs and therefore not to your human rights.” This personal experience gave Al-Rjula the inspiration to found Tykn, together with social entrepreneurs Khalid Maliki and Jimmy J.P. Snoek.
IT entrepreneur Mastenbroek is also delighted about the collaboration: “I strongly believe in the principles and ideas of Tykn. They work together with international organisations, with whom they can provide a solution to a global problem and create a future of opportunities instead of a future of problems.”
Additionally, Mastenbroek is pleased with the addition of Tykn to his investment portfolio: “I mainly invest in IT & Innovation companies with a 3 million-plus revenue and a niche market focus, whereby I focus on management buy-outs and growth investments. My mission is to lift these innovative enterprises to the next level market position, business model and size. As such, Tykn fits well with the other companies I invest in, such as Ledger Leopard, Loek! and Finturi.”
The distressing headline is from the New York Times. When we think about refugees, our minds quickly flash to images of millions leaving Syria because of the war, boats on the Mediterranean or a caravan of Venezuelans fleeing starvation. But climate change and natural disasters do not discriminate, and everyone is at risk of becoming a refugee.
It even happens at the heart of the most powerful country in the world. The United States. In the past few years, the California wildfires and Hurricanes Harvey, Irma and Maria led thousands to be displaced, refugees within their own country.
These people, already vulnerable, can become even more vulnerable if a malicious third party is able to access and use their private information.
As reported recently by The New York Times, the Federal Emergency Management Agency (FEMA) “unnecessarily shared sensitive personal data of more than two million disaster victims with a contractor”, potentially subjecting them to fraud and identity theft.
A memo written by the Office of Inspector General of the Department of Homeland Security “found that 20 data fields were unnecessarily shared with the contractor, including details about the victims’ financial institutions, electronic funds transfer numbers and bank transit numbers”. (source)
Privacy and security of personal data is paramount and something that the current identity management systems have difficulties in providing.
A digital identity management system focused on people’s well-being and leveraging Sovrin’s blockchain technology allows for sharing and requesting of personal data in a private and secure manner. Without the need for an organisation to excessively store sensitive information that may be subject to leaks. The user is in full control over their personal data and decides what data they share and with whom.
This is done through the use of distributed ledger (“blockchain”) technology and Zero-Knowledge Proofs.
Blockchain technology allows for an organisation to verify the validity of the information provided by, say, a person affected by a disaster, without having to check the actual data. Instead, an organisation checks the validity of the signature of the institution who issued and attested the provided data.
Zero-Knowledge Proofs, in the form of Schnorr proofs with Pedersen commitments, allow a person to prove that their personal details fulfil certain requirements (such as being eligible to receive shelter aid) without revealing the actual details.
We believe in a future where identity is portable, private and secure and that no one has to be even more vulnerable after suffering the devastating effects of a natural catastrophe. Because people matter.
Last Thursday, cyclone Idai left a devastating trail in Mozambique. With more than 400 deaths accounted for, the International Red Cross estimates that more than 400,000 people were left homeless. The United Nations is describing it as “the worst climate disaster ever in the southern hemisphere”.
The Red Cross teams on site are distributing shelter supplies to affected families and chlorine tablets to purify the water. Diseases transmitted by contaminated water are one of the biggest concerns in a catastrophe where normal water supplies are interrupted.
“Many families have lost everything” according to the Red Cross spokesperson, Jamie LeSueur. If they also lost their documents or if the governmental identification processes have been compromised, not being able to prove who they are can cause irreparable damage to their short term survival.
Mozambique has the third highest smartphone adoption rate in the African continent (sources 1, 2 and 3) meaning that digital identities could play a pivotal role in easing people’s suffering in a natural catastrophe scenario. This is how:
1) Aid expedition
Humanitarian aid distribution – whether shelter, food or cash based assistance – requires a strong identification layer. How else could an NGO account for what aid has been distributed and to whom?
Current identity management systems are paper-based and make this process reliant on vouchers. Paper vouchers. This not only slows the aid distribution process – and in a scenario like this, time is lives – but also jeopardizes the quality of the aid provided. If a citizen loses their voucher, they have to start the aid request process all over again. Worse: it is unfortunately quite common, in a scenario like this, for vouchers to be stolen or subject to fraud. In a paper-based system, NGOs have no means to efficiently combat such abuse.
Digital identities will provide an efficient way for an affected person to request aid. A trusted organisation can quickly issue a digital credential that verifies that person’s identity and allows them faster access to their services. All vouchers are digitised and, alongside the identity credentials, are held in a digital identity wallet in that person’s mobile device. Digital vouchers can’t be lost or stolen and provide an NGO with important and reliable information about who has been aided.
In catastrophe scenarios like this, the people affected are often displaced to another city or country. They become refugees. Not being able to prove who they are prevents them from accessing services like healthcare, education or banking and excludes them from society.
The innovative technology of Self-Sovereign Identity allows for a trusted organisation such as the government or an NGO to issue a digital credential attesting to that person’s identity. Through the use of distributed ledger technology that credential is verified with a signature from that organisation. A signature that cannot be deleted or subject to fraud.
When verifying an affected person’s identity, the verifier does not need to check the accuracy of the data contained in the credential. The verifying party validates the signature of the issuer who issued and attested to the credential, and then decides whether it trusts that issuer’s assessment of the data’s accuracy.
A process like this, which eliminates the possibility of identity fraud and in which everyone in the network has the same source of truth about which credentials are still valid and who attested to the validity of the data inside the credential (without revealing the actual data), will speed up and facilitate identification processes between governmental departments and between governments. That means less bureaucracy, less data management and less fraud.
Above all, this will ease people’s suffering as it will allow them to quickly access services, such as healthcare or banking, and be included in society again. Their identities and their access to human rights are protected. Right there on their mobile devices.
Current identity management systems have privacy and security problems. And blockchain technology may be the solution for them. On this blog we examine what blockchain is, what benefits it brings to identity management, the role of cryptography and zero-knowledge proofs, what Self-Sovereign Identity is, why it’s a terrible idea to put personal data on the blockchain and much more.
Let’s dive in.
What is Blockchain?
Distributed Ledger Technology (DLT), commonly simply called “Blockchain Technology”, refers to the technology behind decentralised databases providing control over the evolution of data between entities through a peer-to-peer network, using consensus algorithms that ensure replication across the nodes of the network.
More simply put:
Imagine a book (or ledger) that anyone could obtain, free of charge, where anything written on its pages would be there forever and, at the same time, would be cross-referenced with the other copies of the book to check whether what was written was valid and true; this is the essence of DLT.
Why was Blockchain created?
Digital assets have a problem. How does one avoid that an asset, such as digital money, is copied and used by several people? That was a problem that always plagued the adoption of digital currency.
Banks allow trust between people exchanging funds. The bank withdraws the funds from person A and assures it’s deposited on B’s account. Both parties trust the bank to perform the operation.
But if one intended to create an ecosystem where there is not a single entity controlling the flow of information, where a user could send money directly to another user without it going through a central entity, this was a problem. How could the people involved in this financial system trust that the money had left A’s account and deposited on B’s? How could it be avoided that this digital money was copied and double (or triple) spent by A?
This problem was solved by the person, or entity, known as Satoshi Nakamoto in 2008.
Why is a Blockchain secure?
What makes a blockchain secure is the fact that each block where data is recorded cannot be changed retroactively without the consensus of the majority of the network. For a piece of information to be changed, all the blocks created after it would also have to be changed, and 51% of the network would have to agree on that change. Since new blocks are being created all the time, rewriting the block we intended to change and every block created after it would require enormous computing power.
Satoshi created blockchain to solve the double-spend problem of digital currency and to act as a ledger, a registry, of the transactions of Bitcoin. Each person that transacts Bitcoin acts as a node in the network, registering a transaction on the Bitcoin blockchain. This makes it decentralized, as no central authority is needed and each person in the network can write on the ledger, and allows for consensus in the network without the need of a middle-man. The more people are in the network, the more difficult it is for a majority collusion in order to subvert the veracity of the information on the blockchain.
With a public, immutable registry, managed by collaboration and collective altruism, users of this digital currency could easily verify transactions and be assured that the funds were being transferred only once and not digitally copied infinitely.
A blockchain is also considered a system with high Byzantine fault tolerance. A Byzantine fault is an occurrence in decentralized systems where it may appear, to one user, that the system is working perfectly and, to others, that the system is failing.
How does a Blockchain work?
The units where information is registered, the “pages” of this ledger, are blocks. Each block contains hashed information.
A hash function is widely used in cryptography. It is a mathematical algorithm that transforms a piece of information into a string of alphanumeric values: the “hash” or “hash value”. If the same information is given as input, it will always deliver the same hash as output. If there is even the slightest change in the input, the output hash will be wildly different (this is known as the avalanche effect), which avoids any correlation between hashes.
It is a “one-way function” because using the hash value in the output to find the information in the input is extremely difficult.
An example of a hash and of how the avalanche effect alters the output with even the slightest change in the input. (Graph Source)
Each block is linked to the next block through a cryptographic hash, and so on, creating a chain. Thus, the blockchain.
Permissioned or Permissionless Blockchains
Blockchains can be Permissioned or Permissionless.
Permissionless blockchains, like most digital currency blockchains, allow all users to write on the ledger. No permission from anyone is needed to become a node on the network.
To become a node on a permissioned blockchain, one needs authorization from one or several parties. An example of a permissioned blockchain is Sovrin. Sovrin is governed by a set of Stewards who act as nodes. This is done to preserve the integrity of the information, in this case related to digital identity, that is written on the ledger. Stewards are trusted and vetted by the Sovrin Foundation.
What is Identity Management?
Also known as “identity and access management”, or IAM, identity management comprises all the processes and technologies within an organisation that are used to identify, authenticate and authorize someone to access services or systems in that organisation or other associated ones.
Examples of this would range from customers and/or employees accessing software or hardware inside a company/enterprise – and the level of access, privileges and restrictions each user has while doing so – or, in a governmental setting, the issuing and verification of birth certificates, national id cards, passports or driver’s licenses (that allow a user/citizen to not only prove his identity but also access services from the government and other organisations).
The problem with current Identity Management Systems
Most of the current identity management systems are weak and outdated. Paper-based systems are at risk of loss, destruction or fraud. Digital systems, if centralised, are honeypots of personal data for hackers, constantly subject to leaks and breaches. Since 2017 alone, more than 600 million personal details – such as addresses or credit card numbers – have been hacked, leaked or breached from organisations.
Identities need to be portable and verifiable everywhere, any time, and digitization can enable that. But being digital is not enough. Identities also need to be private and secure.
Several industries suffer the problems of current identity management systems:
– Government: The lack of interoperability between departments and levels of government takes a toll in the form of excess bureaucracy, which in turn increases the time and cost of processes.
– Healthcare: half of the world’s population does not have access to quality healthcare. The lack of interoperability between actors in the healthcare space (Hospitals, clinics, insurance companies, doctors, pharmacies, etc) leads to inefficient healthcare and delayed care and frustration for patients.
– Education: It is estimated that two hundred thousand fake academic certificates are sold each year in the USA alone. The difficulty in verifying the authenticity of these credentials leads to hiring of unqualified professionals, brand damage to the universities and the hiring companies.
– Banking: the need for login details such as passwords decreases the security of banking for users.
– Businesses in general: the current need to store clients’ and employees’ personal data is a source of liability for companies, as a breach or leak of these records can mean huge fines (e.g. under the GDPR).
Whenever we need to prove something about ourselves – our name, address or passport number – there is a process of authentication: a verifying entity confirms whether the data we are claiming about ourselves is true. This is usually done by checking our identifying documents.
These identity verification and authentication processes raise privacy concerns. Should a verifying entity that asks me to prove my name with my passport have access to the remaining information in my document while they look at it to verify my name? Does an entity that requests proof of my age need to know the day and month I was born?
An identity management system that uses Zero-Knowledge Proofs
A Zero-Knowledge Proof is a method of authentication that, through the use of cryptography, allows one entity to prove to another that it knows certain information or meets a certain requirement without disclosing any of the actual information that supports the proof. The entity that verifies the proof thus has “zero knowledge” of the information supporting the proof but is “convinced” of its validity. This is especially useful when the prover does not trust the verifier but still has to prove to them that it knows specific information.
In an identity management scenario, this allows a person to prove that their personal details fulfil certain requirements without revealing the actual details.
For example, one could prove that she is over 21, without showing her exact date of birth.
Zero-Knowledge Proofs are famously illustrated by Yao’s Millionaires’ problem, a scenario formulated by the computer scientist Andrew Yao: two millionaires, Alice and Bob, do not want to reveal how much money each has but want to know which of them is richer.
Blockchain as an Identity Management Solution
A distributed ledger (a “blockchain”) enables everyone in the network to have the same source of truth about which credentials are valid and who attested to the validity of the data inside the credential, without revealing the actual data.
The 3 actors in Identity Management: Owners, issuers and verifiers
When talking about leveraging blockchain technology for identity management, it’s important to note that there are three different actors in play: identity owners, issuers and verifiers.
The issuer, a trusted party such as local government, can issue personal credentials for an identity owner (the user). By issuing a credential, the issuer attests to the validity of the personal data in that credential (e.g. last name and date of birth). The identity owner can store those credentials in their personal identity wallet and use them later to prove statements about his or her identity to a third party (the verifier).
A Credential is a set of multiple identity attributes and an identity attribute is a piece of information about an identity (a name, an age, a date of birth).
Credentials are issued by second parties who attest to the validity of the data inside the credential. The usefulness and reliability of a credential fully depends on the reputation/trustworthiness of the issuer.
Privacy and security in Identity Management
Through the infrastructure of a blockchain (like Sovrin), the verifying parties do not need to check the validity of the actual data in the provided proof but can rather use the blockchain to check the validity of the attestation and attesting party (such as the government) from which they can determine whether to validate the proof.
For example, when an identity owner presents a proof of their date of birth, rather than actually checking the truth of the date of birth itself, the verifying party validates the signature of the government that issued and attested to this credential, and then decides whether it trusts the government’s assessment of the accuracy of the data.
Hence, the validation of a proof is based on the verifier’s judgement of the reliability of the attestor.
Leveraging blockchain technology, like Tykn’s digital identity management system does, establishes trust between the parties and guarantees the authenticity of the data and attestations, without actually storing any personal data on the blockchain.
This is crucial as a distributed ledger is immutable, meaning anything that is put on the ledger can never be altered nor deleted, and thus no personal data should ever be put on the ledger.
Identity Management Red Flag: Does personal data go on a blockchain?
Putting personal data on the ledger is a red flag for three reasons:
– It puts the privacy of the users in danger, as the data will constantly be subject to hacking and data breaches: it could always be hacked (if not now, probably at some point in the future);
– It violates current privacy regulation (e.g. GDPR; the right to be forgotten);
– It is also not efficient, as an identity is dynamic (attributes can change over time, e.g. house address or number of children).
No personal data should ever be put on a blockchain.
So… what exactly goes on the blockchain?
Only references and the associated attestation of a user’s verified credential are put on the ledger.
Privacy can be ensured through non-correlation principles via pseudonymisation. So, instead of storing actual private information, the only things stored on the ledger (for the purpose of verification) are:
– Public Decentralised Identifiers (Public DIDs) and associated DID Descriptor Objects (DDOs) with verification keys and endpoints. DIDs are a new type of unique identifier for verifying digital identities, and are entirely controlled by the identity owner. DIDs are independent of centralised registries, authorities or identity providers.
– Credential definitions: the formal description of the structure of a credential. Consider the different (often tangible) proofs of identity or qualification issued by authorities, such as driver’s licenses, passports, identification cards, credit cards, etc. Credential definitions are — as the name suggests — merely the definitions of these different credentials, stored on the ledger.
– Revocation registries: an option for issuers to be able to revoke a claim. The revocation registry is what tells the rest of the world how the issuer will publish the revocation information.
– Proofs of consent for data sharing. These consent receipts (i.e. proofs of consent) let people prove consent to, or reception of, data (basically saying that the data has been received and checks have been executed on it).
The next big thing in Identity Management: Decentralized Identifiers.
According to Phil Windley, Chairman at Sovrin, DIDs should have the following properties:
Decentralized identifiers should be non-reassignable. They should be permanent. Other identifiers, such as an IP address or an email address, can be reassigned to other entities by whoever is in control. This reduces privacy and security.
Decentralized identifiers should be resolvable. Each DID resolves to a DID Document that states the “public keys, authentication protocols, and service endpoints necessary to initiate trustworthy interactions with the identified entity” (source). Through the DID Document, an entity should understand how to use that DID.
Decentralized identifiers should be cryptographically verifiable. Through the use of cryptographic keys, a DID owner can prove their ownership of the DID. The public key contained in the DID Document can also be used to attest to the authenticity of the issuing authority’s signature associated with a credential.
Decentralized identifiers should be decentralized. Current identity management systems rely on centralized registries, and each of these registries ensures trust. DIDs do not depend on a central authority. Distributed ledger technology ensures trust as it allows everyone to have the same source of truth about the data in the credentials.
A new spec is coming up in W3C where you do not always need to rely on a central service to resolve DIDs: for use cases where a DID is only ever going to be unique to a pairwise connection or a closed group, you can use Peer DIDs. More info on this here.
Decentralized Identifiers could then increase security, as they eliminate siloed identity management, and increase privacy, as they give the identity owner the opportunity to selectively disclose specific information about himself. Ultimately, they will lead to Self-Sovereign Identities as they allow each individual to own and control their identity without depending on other parties.
What if I need to change something? Revocation in Identity Management using Blockchain
Next to checking the attesting party, verification of a credential also includes checking the validity of the attestation itself. Whether the attestation is still current can be checked through a so-called revocation registry.
The registry contains the status of each credential, whether it has been revoked (deleted or updated) and hence whether this specific credential is still valid.
In other words, the ledger enables everyone in the network to have the same source of truth about which credentials are still valid and who attested to the validity of the data inside the credential, without revealing the actual data.
>“This is my drivers licence”
>> “Says who?”
>> “Who are they and do I know I can trust them?”
>> “Do they still agree/attest to this or have they changed their judgement?”
>“Yes they have not revoked their attestation up to now”
Revocation means deleting or updating a credential. The possibility for an issuer to revoke a credential is crucial to an identity infrastructure for the main reason that identities are dynamic.
Attributes can change over time, e.g. house address or number of children, and some credentials should have an expiry date, for example a passport or driver’s licence. The fact is, however, that in order to ensure the trustworthiness of the system and eliminate the possibility of fraud, credentials are immutable.
After issuing, no one (not even the issuer) can change the information inside the credential. Hence, when attributes change, a new credential needs to be issued and the old one needs to be announced invalid. Thus, at each proof the user needs to prove that the credentials used in the proof are still valid. The revocation registry allows him to prove this without contacting the issuing party.
For example, the Government issues a credential to you, that you have 3 children. A month later your family is blessed with a 4th child. Now, the Government will mark the previous credential as invalid (stating that you have 3 children) and will issue a new credential stating that you have 4 children.
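As an added example (not Sovrin’s or Tykn’s code) of how a registry can let a holder prove “still valid” without contacting the issuer, here is a toy RSA-style cryptographic accumulator: the issuer publishes a single accumulator value, each holder keeps a private witness, a verifier checks witness and credential against the public value only, and when someone else is revoked the holder updates the witness from the published delta alone. Sovrin’s real registry uses a different construction, but the workflow is the same. The modulus, the base and the mapping from credential ids to primes are constructed for illustration.

```python
# Toy RSA-style modulus and base, constructed for illustration only (real deployments
# use a modulus of 2048+ bits whose factorisation nobody knows): N = 61 * 53.
N = 3233
G = 2            # accumulator base; must be coprime with N

# Constructed mapping from credential ids to distinct primes. The primes must be
# coprime with phi(N) = 60 * 52 = 3120 for the toy modulus to behave.
CREDENTIAL_PRIMES = {"cred-A": 7, "cred-B": 11, "cred-C": 17, "cred-D": 19}


def _bezout(a, b):
    """Extended Euclid: return (x, y) with a*x + b*y == gcd(a, b)."""
    old_r, r, old_x, x, old_y, y = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_x, old_y


def _modpow(base, exp):
    """base**exp mod N where exp may be negative (negative exponent = modular inverse)."""
    return pow(pow(base, -1, N), -exp, N) if exp < 0 else pow(base, exp, N)


class RevocationRegistry:
    """Issuer side. Only the accumulator value and the prime of a revoked credential are
    published; the ledger never carries the credential's contents."""

    def __init__(self):
        self.valid = set()       # primes of currently non-revoked credentials

    def accumulator(self):
        acc = G
        for p in self.valid:     # G^(product of all valid primes) mod N
            acc = pow(acc, p, N)
        return acc

    def issue(self, cred_id):
        p = CREDENTIAL_PRIMES[cred_id]
        self.valid.add(p)
        # The holder receives p and a witness: the accumulator over every *other* valid prime.
        w = G
        for other in self.valid:
            if other != p:
                w = pow(w, other, N)
        return p, w

    def revoke(self, cred_id):
        p = CREDENTIAL_PRIMES[cred_id]
        self.valid.discard(p)
        return p, self.accumulator()   # the published registry delta


def verify_not_revoked(p, witness, accumulator):
    """Verifier side: needs only the public accumulator, never the issuer."""
    return pow(witness, p, N) == accumulator


def update_after_revoke(p, witness, revoked_p, new_acc):
    """Holder side after someone else is revoked. From a*revoked_p + b*p == 1 it follows
    that (witness^a * new_acc^b)^p == new_acc, so the holder stays provable using public data only."""
    a, b = _bezout(revoked_p, p)
    return (_modpow(witness, a) * _modpow(new_acc, b)) % N


def update_after_issue(witness, added_p):
    """Holder side after a new credential is added to the registry: witness^added_p."""
    return pow(witness, added_p, N)


def demo():
    reg = RevocationRegistry()
    pa, wa = reg.issue("cred-A")
    pb, wb = reg.issue("cred-B")
    wa = update_after_issue(wa, pb)            # A's witness catches up with B's issuance
    acc = reg.accumulator()
    before = (verify_not_revoked(pa, wa, acc), verify_not_revoked(pb, wb, acc))
    revoked_p, new_acc = reg.revoke("cred-B")  # issuer revokes B and publishes the delta
    wa_new = update_after_revoke(pa, wa, revoked_p, new_acc)
    after = (verify_not_revoked(pa, wa_new, new_acc),   # A is still valid
             verify_not_revoked(pb, wb, new_acc),       # B's witness no longer verifies
             verify_not_revoked(pa, wa, new_acc))       # A's stale witness fails until updated
    return before, after
```

Note the two failure modes `demo()` exercises: a revoked holder cannot produce any witness for the new accumulator, and an honest holder who skips the update fails too, which is why wallets must track registry deltas before presenting a proof.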
Through this technology, each user stores their digital identity credentials in a digital identity wallet on their own devices (like a mobile phone), which raises the question: what if the phone is lost or stolen? Two steps address this.
The first is to revoke the device’s authorization to use credentials. Digital identity credentials are only valid if used from a device that was authorized to do so. If a user’s phone is lost or stolen, that user can use another authorized device, like a laptop, to write on the blockchain that the mobile phone’s authorization is now revoked.
This takes immediate effect and stops anyone from using the identity credentials on the phone. The thief would not be able to impersonate the user even with the user’s passwords, biometrics or phone, because the blockchain, immutable and secure, would record the revocation of the phone’s authorization.
Revoking the device’s authorization prevents the thief from impersonating the user to create new relationships. The second step prevents the thief from making use of the existing relationships between the device and other people or organisations: it revokes the existing relationship keys (pairwise connections, each of which has a unique key). Again, it is written on the blockchain that these keys are deauthorized.
These two steps stop an identity thief from using the identity credentials to access new services or to exploit existing relationships, while conveniently letting the user keep using his credentials on another device.
In many current systems, if users wish to cancel a stolen ID card, they have to physically go to the municipality or governmental department, cancel that card and make a new one from scratch, which takes time and still does not prevent an identity thief from using their data. In the case of a stolen credit card, users call the bank (which still takes considerable time) and cannot use the card until a new one is issued and sent to them.
Sovrin has published a PDF with a thorough explanation of the technical aspects of device loss or theft, which we recommend.
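The DID properties listed earlier (resolvable, cryptographically verifiable) and the device-revocation steps just described fit together in one small model, added here as an example that is not Sovrin’s or Tykn’s code: a registry standing in for the ledger maps a DID to a DID Document holding only public keys; a verifier resolves the DID and checks a signed challenge against a key that is still listed for authentication; and a second authorized key (the laptop) publishes a new document that drops the stolen phone’s key. The Schnorr group, the DID, the key ids and the challenge are all constructed values.

```python
import hashlib
import json
import secrets

# Toy Schnorr group, constructed for illustration only (far too small for real use):
# P is a safe prime, Q = (P - 1) / 2 is prime, G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)          # (private key, public key)


def sign(x, message):
    """Schnorr signature (Fiat-Shamir): proves control of the key behind y = G^x without revealing x."""
    r = secrets.randbelow(Q - 1) + 1
    big_r = pow(G, r, P)
    e = int.from_bytes(hashlib.sha256(big_r.to_bytes(2, "big") + message).digest(), "big") % Q
    return e, (r + e * x) % Q


def verify(y, message, signature):
    e, s = signature
    big_r = (pow(G, s, P) * pow(y, (Q - e) % Q, P)) % P        # G^s * y^(-e) == G^r
    e2 = int.from_bytes(hashlib.sha256(big_r.to_bytes(2, "big") + message).digest(), "big") % Q
    return e2 == e


def canonical(doc):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(doc, sort_keys=True).encode()


def key_for(doc, key_id):
    return next((k["publicKey"] for k in doc["verificationMethod"] if k["id"] == key_id), None)


class DidRegistry:
    """Stands in for the ledger: DID -> DID Document. Only public keys are stored, never personal data."""

    def __init__(self):
        self.docs = {}

    def register(self, did, doc):
        self.docs[did] = doc

    def resolve(self, did):
        return self.docs.get(did)

    def update(self, did, new_doc, signer_id, signature):
        """A document may be replaced only by a key the *current* document lists for authentication."""
        current = self.docs.get(did)
        if current is None or signer_id not in current["authentication"]:
            return False
        pub = key_for(current, signer_id)
        if pub is None or not verify(pub, canonical(new_doc), signature):
            return False
        self.docs[did] = new_doc
        return True


def authenticate(registry, did, key_id, challenge, signature):
    """Verifier: resolve the DID, check the key is still authorised, verify the signed challenge."""
    doc = registry.resolve(did)
    if doc is None or key_id not in doc["authentication"]:
        return False
    pub = key_for(doc, key_id)
    return pub is not None and verify(pub, challenge, signature)


def demo():
    did = "did:example:alice"                       # constructed DID
    phone_x, phone_y = keygen()
    laptop_x, laptop_y = keygen()
    doc = {"id": did,
           "verificationMethod": [{"id": did + "#phone", "publicKey": phone_y},
                                  {"id": did + "#laptop", "publicKey": laptop_y}],
           "authentication": [did + "#phone", did + "#laptop"]}
    reg = DidRegistry()
    reg.register(did, doc)
    challenge = b"verifier-nonce-8f3a"              # constructed challenge
    phone_before = authenticate(reg, did, did + "#phone", challenge, sign(phone_x, challenge))
    # Phone stolen: the laptop key publishes a document that drops the phone key.
    new_doc = {"id": did,
               "verificationMethod": [{"id": did + "#laptop", "publicKey": laptop_y}],
               "authentication": [did + "#laptop"]}
    updated = reg.update(did, new_doc, did + "#laptop", sign(laptop_x, canonical(new_doc)))
    phone_after = authenticate(reg, did, did + "#phone", challenge, sign(phone_x, challenge))
    laptop_after = authenticate(reg, did, did + "#laptop", challenge, sign(laptop_x, challenge))
    # The thief, holding the phone key, cannot re-authorise it: that key is no longer listed.
    thief = reg.update(did, doc, did + "#phone", sign(phone_x, canonical(doc)))
    return phone_before, updated, phone_after, laptop_after, thief
```

The design point worth noticing is in `DidRegistry.update`: authorisation to change the document is decided against the document currently on the ledger, so once the phone key has been dropped the thief’s possession of that key (and of the phone’s biometrics or passwords) buys nothing, while the laptop key keeps working unchanged.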
Models of Digital Identity Management
The first model of digital identity was a siloed one. Each organisation issues a digital credential to a user to allow him to access its services, so each user needs a new credential for every new organisation he engages with. According to Elizabeth M. Renieris (Former Global Policy Counsel at Evernym) this provides a “poor overall user experience”. Just remember all the websites you had to register and create new passwords and login details for.
The second model of digital identity is called the “Federated” one. Because of the poor user experience of the first model, third parties began issuing digital credentials that allow users to log in to services and other websites. The best examples of this are the “Login with Facebook” and “Login with Google” functionalities. Companies “outsourced” their identity management to major corporations who have an economic interest in amassing such large databases of personal data. This, of course, raises privacy and security concerns.
Facebook, Google and others became the middlemen of trust.
The emergence of Blockchain technology is what allowed the third model: Self-Sovereign Identity.
Self-Sovereign Identity Management
Through the use of the Sovrin blockchain, the technology of Self-Sovereign Identities may become a reality. A Self-Sovereign Identity is an identity you own. It’s yours. Only you hold it, on your own personal digital identity wallet, and only you decide who gets to “see” it and what of it they get to “see”.
This avoids the honeypot problem: there is no centralised store of identities that may be subject to breaches, meaning that for hackers to steal 50 million identity records they would have to hack those 50 million people individually, which is considerably more difficult.
Characteristics of Self-Sovereign Identity:
– User-centric. Each user owns his own data and does not rely on a central entity to prove claims about himself.
– Consent and control. Each user has full control over, and consents to, what personal information he is sharing and with whom.
– Interoperability. Self-Sovereign Identity uses a common identity metasystem. This allows users to verify their identity across multiple platforms and locations (that use the same metasystem).
A Self-Sovereign Identity is thus portable, private and secure.
The Benefits of Self-Sovereign Identities
A digital identity management system in which organisations store only the minimum necessary personal data of their users means less personal data management and less bureaucracy, reducing data management costs and increasing the efficiency of identification processes, all while putting people’s privacy and security first.
According to Darrell O’Donnell, a digital identity expert, companies are realising the major liability that storing personal data of customers (or employees) represents. Every breach, loss or theft of personal data may turn into significant lawsuits and fines, which may mean that, in the near future, companies will also start working their way towards Self-Sovereign Identity solutions.
We wrote extensively here about how this innovative technology is benefiting several industries: reducing governmental bureaucracy, shaping a more efficient healthcare system, detecting academic fraud, creating a better banking experience, helping to provide a more efficient humanitarian aid distribution system and helping companies avoid personal data breaches and GDPR fines.
Refugees are the first to suffer the problems of the current identity management systems: siloed, inefficient and paper-based infrastructures.
Without portable, private and secure identities they become even more vulnerable, losing access to basic human rights such as education or healthcare and becoming in danger of trafficking, slavery and sexual exploitation.
Because of these outdated systems, NGOs worldwide carry the burden of unnecessary duplication of identity registrations, costly personal data management and a lack of privacy when sharing personal details of aid beneficiaries, taking their time and money away from what they want to focus on: helping people.
Since 2017, more than 600 million personal details were breached, leaked or hacked from hotels, banks or even pet stores. Much of this data was either sold to scammers or used to order stolen goods on the internet.
Your personal information – such as name, address and credit card details – can be misused, putting you in financial trouble. But if refugees’ data gets leaked their life may be in danger.
Our innovative digital identity solution will help public and private institutions validate the existence of millions of people, making sure digital identities are portable, private and secure and protecting people’s access to their human rights. Because people matter.
This is why we needed a new brand identity. One that reflected the humanity in our vision and mission. That accurately portrayed why we are doing this and showed that we are more than a tech company.