Key Points

1. SSI - the user ( principal ) controls the use and information about their identity
2. SSI issued by an IP ( identity provider ) which may be: independent org ( Sovrin ) or government ( eg US ) or another org
3. Just like today, you may have multiple SSI and multiple digital wallets that need to be aware of each other and interoperate potentially
4. SSI are not fully interoperable at this point, related interoperable standards will continue to evolve
5. The primary location for SSI is a smart phone so many people can't access SSI today meaning existing identity systems must remain in parallel now
6. SSI should  be well protected in many ways
7. SSI should be FULLY recoverable easily upon MFA proof of ownership and loss
8. SSI identities and credentials need to integrate to existing Identity and Access Management systems that will remain operational for a long time ( see OIDC interfaces for authentication etc )

References

SSI / DID concepts 

Christopher Allen article on SSI Concepts ***

http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html

Key principles 

1. Existence - the SSI ( DID ) makes a digital id for an existing asset ( person, org, thing etc )
2. Control - users control their own identity data
3. Access - users have access to their digital identity
4. Transparent - the systems and algorithms managing identities must be open and transparent
5. Persistent - the identities must be long-lived
6. Portable - user must control his identity existence so it can live on any identity network, not depend on a single outside agency to keep it alive
7. Interoperable -  should be able to be widely used in any context in theory
8. Consent - user controls access to identity and credentials
9. Minimization - user discloses minimum information to 3rd parties for authentication and authorization 
10. Protection - protection individual's identity on networks and systems securely

TrustOverIP Concepts ***

m TOIP Trust Over IP

SSI basics

https://en.wikipedia.org/wiki/Self-sovereign_identity

Drummond Reed - SSI book

DIDs enable digitally signed verifiable claims

SSI - The Future of Identity: Self-Sovereignity, Digital Wallets, and Blockchain paper 2022

https://publications.iadb.org/publications/english/document/Self-Sovereign-Identity-The-Future-of-Identity-Self-Sovereignity-Digital-Wallets-and-Blockchain.pdf

ssi-Self-Sovereign-Identity-The-Future-of-Identity-Self-Sovereignity-Digital-Wallets-and-Blockchain.pdf file

self-sovereign-identity concepts article - 2024 -identity.com **

SSI / DDI Specifications

W3C DID Standard 

https://www.w3.org/TR/did-core/

https://www.w3.org/2020/12/did-wg-charter.html

W3C DID Use cases doc

https://www.w3.org/TR/did-use-cases/

W3C DID Test Suite Implementation doc

https://w3c.github.io/did-test-suite/

W3C DID Primer 

https://w3c-ccg.github.io/did-primer/

DID points to DID document

A DID document is a valid JSON-LD object that uses the DID context (the RDF vocabulary of property names) defined in the DID specification. This includes six components (all optional):

1. The DID itself, so the DID document is fully self-describing.

2. A set of cryptographic material, such as public keys, that can be used for authentication or interaction with the DID subject.

3. A set of cryptographic protocols for interacting with the DID subject, such as authentication and capability delegation.

4. A set of service endpoints that describe where and how to interact with the DID subject.

5. Timestamps for auditing.

6. A optional JSON-LD signature if needed to verify the integrity of the DID document.

See the DID specification for several examples of DID documents.

Should a DID be shared publicly?

https://sovrin.discoursehosting.net/t/public-facing-dids-vs-private-pairwise-dids/243/7

First, I agree that, from the standpoint of the Sovrin ledger itself, there is really no difference between a “public” DID—one intended to be widely correlate-able, and “private” DID that will only be used in a single pairwise relationship. The difference all comes in how the identity owner shares the DID. The public DID will be shared widely (similar to a website address), whereas the private one will only be shared with the other party to the relationship.

Secondly, Andy mentions that you could put public info into the DDO associated with a “public” DID. While that’s possible, it’s not best practice. Better to make public claims (claims anyone can access) available through the agent endpoint for a “public” DID. Essentially you want to publish public info via the agent associated with the DID rather than the DDO associated with the DID. All you want in the DDO is the public key and agent endpoint for the identity owner.

Lastly, just to make sure everyone has the current links for the DID Data Model and Generic Syntax Implementer’s Draft 01 spec:

• PDF version 68 (static)
• Google docs version 20 (accepts comments)

Private DIDs in wallet not ledger

To update this thread and avoid confusion, the technology has been evolving, and pairwise DIDs are now not typically written to the ledger. They are known by and held only by their respective endpoints.

Understanding DIDs, URIs and routing agents 

https://sovrin.discoursehosting.net/t/did-documents-and-uris/1289/3

did-uri-agents-sovrin.discoursehosting.net-DID documents and URIs.pdf

W3C DID Identity Workshop

https://www.w3.org/Security/strong-authentication-and-identity-workshop/report.html

W3C Verifiable Credentials Use Cases

https://www.w3.org/TR/vc-use-cases/

Verifiable Credential Type Differences - Kaliya **

https://www.lfph.io/wp-content/uploads/2021/02/Verifiable-Credentials-Flavors-Explained.pdf

Verifiable-Credentials-Flavors-Explained pdf

This paper explains the differences between various VC flavors for the technically inclined readers. An important goal of the paper is to present a clear path forward that can end the interoperability trilemma that has emerged between three different VC flavor choices, and points to the adoption of the newest VC format to satisfy all stakeholders.

Why does this matter? Without convergence to a standardized VC format, there won’t be functional interoperability across the ecosystem. If application builders process diverse cryptographic calculations using incompatible libraries and methods, and the underlying data has varying readability properties, then interoperability will not be achieved.

What different methods have in common is issuers use them to package up claims about an entity. The issuing entity then uses cryptography to seal the credential. This sealing provides a mechanism for other entities (the verifiers) to check the cryptographic signatures to see if the credential has integrity based on the issuer’s public keys.

What is different is how issuers format claims inside the credentials and use cryptographic signatures suites to sign the information and seal the credential. These methods also have processes for sharing Verifiable Presentations (VP or VPs) to a verifier and conducting the cryptographic verification.

There are advocated variations of these types, but they are less common.

• JSON-LD family with LD Signatures or with BBS+ Signatures that enable Zero Knowledge Proofs (ZKP or ZKPs)
• JSON with JSON Web Signatures, precisely in the form of a JSON Web Token (JWT)
• ZKP with Camenisch-Lysyanskaya Signatures (ZKP-CL)

There are essentially two different “types” of VCs that are unique from one another because of how they elect to express the VC data model, including the associated cryptographic material
(e.g., digital signatures).

• VCs expressed in JSON-LD using Linked Data Proofs (JSON-LD)
• VCs expressed in JSON using JSON Web Signatures (JWS), precisely in the form of a JWT (JSON-JWT)

These two formats support a range of different digital signature algorithms - a vital property to ensure VCs are cryptographically agile, enabling them to move with the constant evolution of cryptography. With both of these formats, users can implement a whole host of different digital signature schemes.

It is important to note that not all digital signature algorithms are the same. Security and capabilities can differ. Some support novel properties such as selective disclosure and anticorrelation techniques via ZKP technology. BBS+ Signatures is one such algorithm that developers leverage with the JSON-LD data format. The third credential format and signature scheme mentioned in the VC Specification is “Camenisch-Lysyanskaya ZKP [CL-SIGNATURES],” however this format is not explained in the specification. This format is a bespoke data expression format coupled with a particular digital signature algorithm.

The company Evernym and then the Sovrin Foundation originally developed this format as part of the Indy codebase which they contributed to Hyperledger, a Linux Foundation project hosting many different open source enterprise-focused blockchain projects. This codebase was forked into the Hyperledger Indy project for ledger code, Hyperledger Ursa for cryptographic libraries, and the ledger-agnostic Hyperledger Aries codebase for agent, wallet, and credentialing code.

Two of these credential formats leverage JSON-LD. In recent years this format has garnered a lot of interest for good reason. It supports semantic clarity and discernment by verifiers about the issuer’s intended meaning for particular attributes in the credential. This format also has a handy feature supporting translation between languages on the fly. It is also new, and because of this, fewer developer tools support it than JSON. Last year, a new format JSON-LD ZKP with
BBS+ Signatures came forward to bridge the gap between JSON-LD and ZKP-CL. MATTR, a New Zealand-based company seeking to bridge the differences, introduced this method of
packaging and expressing VCs. It uses the simplest, widely available cryptography to support selective disclosure. MATTR shared the new format with the VC community as an open
standard. Both the ZKP-committed groups and the JSON-LD community have expressed interest in adopting it. According to its designers, JSON-LD ZKP BBS+ should not be seen as a
different format of VC. It shares much of the processing logic for JSON-LD, even though it supports a new set of fundamental types that enable new functions like derived proofs.

A Metaphor for the difference between JSON and JSON-LD

The second main format JWT is a part of the JOSE framework. It provides no means to support semantic disambiguation but has the benefit of being simpler for assertion format implementations. “JOSE is the rice and beans of cryptography standards. It’s got everything you need to survive and is easy to make, but its extensibility model guarantees you will be eating rice (base64url) and beans (JSON) forever. That might make you “fat” because base64url inflates JSON.

On the other hand, Linked Data Proofs, as seen in Verifiable Credentials and Verifiable Presentations, are like a pharmaceutical drug - really hard to build, but capable of solving all kinds of problems and formally described by an information theoretic model (molecular formula ~= RDF). Linked Data Proofs are capable of working with other bases, other structured data formats (base58, CBOR), and the extensibility model is anything that you can model in RDF. Context determines the relevance of either model. Most people don’t go to a pharmaceutical lab to make lunch, but most people who make drugs in their kitchen also eventually end up sick.”

Anoncreds - Anonymous Credentials - VC with privacy, ZKP concepts

anoncreds-20221121-stppa4-anna-lysyanskaya--anonymous-credentials.pdf   link

anoncreds-20221121-stppa4-anna-lysyanskaya--anonymous-credentials.pdf. file

signature verification on AC

attribute verification on AC

is is practical ? 2019

TOIP DID Messages spec

https://identity.foundation/didcomm-messaging/spec/

VON Use Case - BC Gov Verifiable Organizations Network

https://vonx.io/

Key Concepts

Updated SSI information wiki - indentosphere - Kaliyah

https://newsletter.identosphere.net/. << All things Digital Identity.  <<. https://identosphere.net/

https://newsletter.identosphere.net/p/identosphere-167-retrospectives-eidas2

Everything related to decentralized identity and verifiable credentials including standards and development: updates, walkthroughs, from the enterprise to web3, real world use, policy and research.

SSI Book - Drummond Reed 

Self-Sovereign_Identity_v10_MEAP.pdf

SSI Trends & Challenges - 2022

https://cheqd.io/blog/understanding-the-ssi-stack-through-5-trends-and-challenges

From our deep dive survey we have drawn 5 distinct trends across the layers four of the stack:

• Trend 1: (Layer 1) Hyperledger Indy is still the most supported Layer 1, but there are signs it may be losing its dominance
• Trend 2: (Layers 1, 2, 3) Aries-based SDKs are dominant, correlating with Indy at Layer 1
• Trend 3: (Layer 2) OIDC SIOP may be starting to catch up with DIDComm in terms of a peer-to-peer connection layer
• Trend 4: (Layer 3) The lack of harmonization on Credential type/exchange standards is more stark than ever
• Trend 5: (Layer 4) Ecosystem adoption could be driven by stronger commercial models and payment rails

All five trends culminate in one main challenge:

Interoperability and harmonization is lacking at each layer of the stack, which is a barrier for adoption

Digital Trust Seminar Series 

sessions, materials, use cases, methods, tools, technologies, self assessments for orgs, users 

Session 1 - Digital Trust Primer 

Session 2 - Digital Trust Foundations in Hyperledger 

Session 3 - Digital Trust in Action: Verifiable Organizations Network

Session 4 - Digital Trust Interoperability 

Session 5 = Digital Trust Assessment 

Session 6 - Digital Trust Road map 

DID Solution Design Implementation Concepts

Most companies already have identity, security infrastructure solutions in place.

Potential Advantages for DID solutions

DID ( Decentralized Identity ) designs ( aka Self-Sovereign Identity - SSI ) offer potential benefits over existing identity alternatives:

• cryptographically secure identities and credentials
• more user control over their identities with consent management
• more control over their own user data with consent management
• automated digital trust for verification of identity and credentials using issuer, holder, verifier model
• better privacy with selective disclosure and zero-knowledge proofs under user control
• more efficient management over many existing identity solutions
• real-time validation authorizations using verifiable credentials
• real-time revocation of authorizations when required using the DID-comm protocol
• integration options with identity infrastructure:  digital wallets, vaults, blockchains, services

Keys for DID Solution Design and Delivery

Key 1 - Common Service Layer to Encapsulate DID Service Providers

Key 2 - Common Integration Service for Multiple Authentication Services

Key 3 - Common Integration Service for Multiple Authorization Services

Key 4 - Validate DID Infrastructure Dependencies

Key 5 - Privacy and Personal Identity Information ( PII ) Management governance

Key 1 - Common Service Layer to Encapsulate DID Service Providers

What?

Create a common service layer to encapsulate DID services.  

Why?

Larger organizations have many different business groups, solutions and communities to define the right solutions.

Typically, larger organizations can't usually standardize on a single database solution forever.

The same concept applies to identity management solutions.

The common DID identity service layer makes it easier to add, replace or remove specific DID vendor solutions over time.

How?

Work with business, IT architects and vendors to define a useful common interface for DID solutions.

Look at the DID standards and a first DID service to define what capabilities a common DID service should deliver client applications

When?

Large organizations that may use multiple identity service providers or don't want to bind all applications to a single vendor should consider the service layer

Key 2 - Common Integration Service for Multiple Authentication Services

What?

Provide a common authentication service API for applications

The authentication service can map to different authentication systems

Why?

Organizations usually have existing authentication systems based on LAN-ID, SSO ( Single SignOn ), OAUTH2 ( Open Authorization )

In addition, omni-channel architectures connect Web, mobile, event messaging front-end protocols to common back-end APIs

Rolling out DID for authentication and authorization usually can't replace all other authentication solutions initially

With a common authentication service, changing the authentication implementation on the backend for an application is simpler

How?

Adding the authentication integration service allows flexibility on when applications can change configuration to a different authentication service

Key 3 - Common Integration Service for Multiple Authorization Services

What?

Provide a common authorization service API for applications

The authorization service can map to different entitlement systems on the back-end

Why?

Organizations usually have existing entitlement systems 

In addition, omni-channel architectures connect Web, mobile, event messaging front-end protocols to common back-end APIs

Rolling out DID for authentication and authorization usually can't replace all other authorization solutions initially

With a common authorization service, changing the authorization implementation on the backend for an application is simpler

How?

Adding the authorization integration service allows flexibility when applications can change configuration to a different authorization service

Key 4 - Validate DID Infrastructure Dependencies

What?

Do the key infrastructure dependencies for DID services exist?

Have they been validated for use with the specific DID solutions?

Why?

DID solutions depend on many infrastructure services: cryptographic,  Certificate Authorities, Digital Wallets, Vaults, SIEM, blockchain networks, data services etc

How?

Identify the requirements for a specific DID solution stack

Work with service providers, vendors and implementation teams to identify stack options and define stack strategies

Key 5 - Privacy and Personal Identity Information ( PII ) Management governance

What?

Privacy Regulations continue to increase everywhere: GDPR in Europe ( General Data Protection Regulation ), CCPA ( California Consumer Protection Act ), NYPA ( New York Privacy Act ) and more. In addition, companies have added more data privacy compliance policies to govern their operations. 

Why?

Organizations often have multiple regulations and privacy policies to manage they are liable for to stakeholders.

Some organizations ( not just companies - NGOs, governments ) have misused consumer private data in many different ways.

While DID solutions offer many opportunities to improve data privacy protections for all stakeholders over existing solutions, each organization must determine the regulations and policies that apply and define how to protect and manage those rights.

How?

Management committees and compliance departments need to work with customers and other stakeholders to define the appropriate privacy policies for the organization. Business, IT architects and 3rd party service providers need to work together to define what the options are to implement privacy controls and the priorities to roll those out.

Secure Key One Time Password Tokens issued by Financial Firms

https://security.stackexchange.com/questions/23897/how-does-hsbcs-secure-key-actually-work#:~:text=Typically%20the%20serial%20number%20of,sequence%20value%20derives%20the%20OTP.

I think this question lends itself to a very high level overview of how multi-factor authentication (MFA) works. Of course, we have to skim over lots and lots of technical detail.

In short, here is what happens:

1. The bank programs the token with a unique encryption key. (In this case your Digipass token is made by Vasco, but there are many other companies that make similar tokens, which are "something you have" with regards to multiple factor authentication).

2. The token will generate a series of characters that are derived from the encryption key, current time, and (optionally) other various factors.

3. Since the bank knows the (unique) encryption key, and all other other factors that the token uses, they can reverse-engineer the input to find out who "owns" that token. If the owner of the token matches the owner of the bank account that is being logged-in to, then the login is authentic.

There are many variations on this central theme, but in general they always involve "something you have" (a physical token, or a smartphone app), a secret key stored within the token, and a mathematical algorithm to produce the output.

Often, time is a critical factor in generating the output. Depending on the algorithm, the output may be different every single time (in your case), or it may only vary occasionally (e.g. Every hour).

Potential Value Opportunities

Potential Challenges

Candidate Solutions

France delivers Digital ID app using SSI linked to ID card by NFC - 2022

https://www.biometricupdate.com/202204/france-announces-user-controlled-mobile-digital-identity-app-for-use-with-national-id

france-did-ssi-biometricupdate.com-France announces user-controlled mobile digital identity app for use with national ID.pdf file

France announces a new system for proving digital identity  via a smartphone

The official announcement describes the details of the new app. SGIN will be based on the biographic data held in the new French ID cards launched in August 2021. It will only work with the new credit card-sized CNIe 

It will not access the card holder’s biometrics, in France’s case images of two fingerprints. It is also not compulsory and allows card-holders to be selective as to what data fields they share for any transaction:

“The application allows the user, in particular, to generate electronic certificates comprising only the identity attributes which he considers necessary to transmit to third parties of his choice.”

The decree also stipulates how long data can be kept. It has been developed in light of EU regulations on digital identity and the free movement of data.

SSI - the best solution for CeDeFi

https://blog.cheqd.io/why-centralised-decentralised-finance-cedefi-and-self-sovereign-identity-ssi-work-together-7e49d0e0993a

Centralized Financial services track data for KYC, AML supporting privacy regulations

SSI is the best answer to integrate with centralized financials services providing a solid identity foundation

enables regulatory compliance with the best identity, privacy protections

Think CBDC and data tracking

Add JVS - Jim's Vault Service - BYOR - You control your vault recovery design

Decentralized Financial services - Uniswap etc

Don't support regulatory compliance, KYC, AML well

SSI provides some level of privacy protection here

SSI benefits in financial systems

• NFT: SSI can solve the provenance issue with NFTs regardless of the ledger.
• Content: fully decentralised content consumption with payment and identity, i.e. consumption of media / content directly from the creator without a distribution channel. A possibility for creators to receive fair payments for their work and interact with audiences directly.
• InterPlanetary File System (IPFS) for controlled decentralised storage: SSI can be implemented to manage the data of participants and store distributed files with decentralised access control
• Payment verification: the risky nature of CeDeFi transfers has been holding back many users. There’s no way to further verify the identity of the payment receiver beyond the wallet address. 

cheqd - a decentralized, permissionless payments framework with authentic data

cheqd, are building the payment rails for authentic data*. We want to make it as easy as possible to create authentic data ecosystems through customisable commercial models and governance structures, all built upon a public permissionless network with a dedicated token for payment

Why SSI needs a token for decentralized payment systems

https://blog.cheqd.io/why-self-sovereign-identity-needs-a-token-an-expanded-version-46e93e9f519f

traditional rails don't work when issuers and receivers of credentials are unlikely to have a direct contractual relationship since the user is at the centre.

SSI DID Services Providers

Sovrin

Trinsic.id

https://docs.trinsic.id/docs/tutorial

Trust.id

Verses

Civic

Uport

Step-by-step guide for Example

sample code block

Recommended Next Steps

Related articles