Blockchain for Decentralized Identity — Conceptual Architecture
The conceptual architecture for Decentralized Identity on blockchain includes four layers defined by the Trust over IP Foundation [1]. Layers 1 and 2 are built on cryptographic trust, while Layers 3 and 4 are built on human trust. Each of the four layers will be covered in future posts; in this one, I will provide a high-level overview of each. Refer to the glossary for the definition of terms.
Layer 1 is the blockchain. Its capabilities include:
• A Verifiable Data Registry and storage of Decentralized Identifiers (DID) of an entity and an associated DID Document (DDO)
• Definitions, schemas, and descriptions of Verifiable Credentials (VCs)
• The Revocation Registry, to which an issuer writes a record when it revokes a credential
• Proof of consent for data sharing among entities
Layer 2 allows secure pairwise connections between agents and digital wallets to transmit data. Its capabilities include:
• Management of secure pairwise connections between two entities/agents
• The ability to send and receive private messages
• Encryption and decryption of messages sent and received
• Management of digital wallet information
Layer 3 covers issuance of credentials by the issuer to the holder, storage of these credentials, and presentation of credentials to a verifier to complete a transaction. This relationship is called the trust triangle. Business rules construct the business process. Its capabilities include:
• Verifiable Credentials (VCs) that the issuer issues to a holder (VCs are statements made by the issuer in a tamper-evident, privacy-respecting manner)
• Storage of verifiable credentials (VCs) in a holder’s digital wallet. These can be from multiple issuers
• The ability to combine various claims from multiple VCs into one compound proof for attestation
• Verification of the holder’s proof (built from VCs) by the verifier, all without making contact with the issuer of the VCs
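The Layer 3 trust triangle and its reliance on the Layer 1 registry, sketched as an added example (not from the original post or any DID framework). Assumptions: an in-memory map stands in for the blockchain, credentials are plain Ed25519-signed JSON, revocation is keyed by a credential id, and all function names, DIDs and claims are constructed for illustration.

```javascript
// Added illustration, not the post's code; DIDs, names and claims are constructed.
const crypto = require("crypto");

// Layer 1 stand-in: an in-memory registry instead of a blockchain (holds no PII).
const ledger = { didDocs: new Map(), revoked: new Set() };

// Generate a key pair and publish only the public key in a minimal DID document.
function registerDid(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  ledger.didDocs.set(did, { id: did, publicKey });
  return privateKey; // stays in the entity's wallet
}

const sign = (key, text) => crypto.sign(null, Buffer.from(text), key).toString("base64");

// Resolve the DID on the registry and check an Ed25519 signature with its public key.
function verifySig(did, text, sigB64) {
  const doc = ledger.didDocs.get(did);
  if (!doc || typeof sigB64 !== "string") return false;
  return crypto.verify(null, Buffer.from(text), doc.publicKey, Buffer.from(sigB64, "base64"));
}

// Issuer -> holder: sign the exact payload string, so the verifier checks the same bytes.
function issueCredential(issuerDid, issuerKey, holderDid, credId, claims) {
  const payload = JSON.stringify({ id: credId, issuer: issuerDid, subject: holderDid, claims });
  return { payload, signature: sign(issuerKey, payload) };
}

// Holder -> verifier: tie the credential to the verifier's fresh nonce with the holder's key.
function present(credential, holderKey, nonce) {
  const holderSignature = sign(holderKey, nonce + "." + credential.signature);
  return { credential, nonce, holderSignature };
}

// Verifier: every check uses the registry only; the issuer is never contacted.
function verifyPresentation(p, expectedNonce, trustedIssuers) {
  let vc = null;
  try { vc = JSON.parse(p.credential.payload); } catch { /* handled below */ }
  if (!vc || typeof vc.issuer !== "string") return "malformed";
  const { payload, signature } = p.credential;
  if (!trustedIssuers.includes(vc.issuer)) return "untrusted issuer"; // Layer 4 policy
  if (!verifySig(vc.issuer, payload, signature)) return "bad issuer signature";
  if (p.nonce !== expectedNonce) return "replayed presentation";
  if (!verifySig(vc.subject, p.nonce + "." + signature, p.holderSignature)) return "holder not bound";
  if (ledger.revoked.has(vc.id)) return "revoked";
  return "ok";
}
```

A presentation with a stale nonce, one signed by a different DID's key, or one checked after the credential id is added to `ledger.revoked` returns the matching rejection reason instead of "ok".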
Layer 4 encompasses Trust Anchors, Auditors, or a recognized governance body to implement governance across the stack. Its capabilities include:
• Governance frameworks, policies, and legal contracts to ensure trust among parties
• A set of defined rules for parties to operate within the ecosystem
• Trust Anchors and Auditors to ensure the integrity of issuers and verifiers
Cryptography across Layers 1 and 2 enhances security. Public and private keys are generated in the course of issuing, generating, verifying, and revoking credentials, and messages between wallets and agents are encrypted and decrypted.
The benefits of a Decentralized Identity system include:
• The user’s identity is quickly issued, stored, verified, and revoked
• The user (identity holder) controls which aspects of their identity are shared, and with whom
• Cryptography ensures immutability
• There is a reduced risk of identity theft. Even if one’s identity gets stolen, the owner can cancel the DIDs and issue new ones. The stolen identity then has no value to the fraudster.
In the following four posts, I will focus on each of the above layers starting with Layer 1.
To reference previous posts refer to this link. I would suggest reading the posts in succession.
Glossary:
Agent
A piece of code associated with a wallet that makes secure connections with other agents and wallets to share and communicate identity information to complete a transaction. It enables an entity to take on one or more roles in an SSI model: an issuer, holder, or verifier. There are two types: edge agents that run on a mobile device and cloud agents that run on a server in the cloud.
Blockchain
A blockchain is a decentralized ledger, which can be public, private, or hybrid. In the context of decentralized identity, it can store a public DID, DID document, schemas and formal descriptions of a verifiable credential, revocation registries, and proof of data sharing. However, the blockchain stores no PII (Personally Identifiable Information).
Claim
A claim is an attribute within a verifiable credential. For example, the Driver’s License number in a Driver’s License is a claim, whereas the Driver’s License is a Verifiable Credential (see below for a definition).
DID (Decentralized Identifier)
Like a Uniform Resource Name, a DID is a globally unique identifier that anyone can universally discover on a blockchain using a method. A DID is an interoperable, open-sourced web standard delivered by the W3C [2]. Each DID is associated with only one DID document.
DDO (A DID Document)
The DID document holds the description of the DID, the public key for verification, a set of authentication protocols, service endpoints, a timestamp, and a signature.
Digital Wallet
A digital wallet is software used to digitally store (usually on a smartphone) the contents of a wallet, like IDs, loyalty cards, and financial instruments used for payments. In essence, it is a digital version of a physical wallet.
Entity
A person, organization, or thing
Holder
An identity owner and user of a Digital Wallet where their credentials are accepted, stored, and controlled using verifiable credentials. The holder approves attestation requests from verifiers and delivers the same.
Issuer
An issuer is a credible provider of identification documents; their signature (key) attests to the credentials’ validity. Governed by Governing Bodies or Trust Anchors, issuers can belong to an ecosystem of trusted entities that issue documents/credentials with claims data. Issuers have the infrastructure to access a public blockchain to issue and revoke credentials. The schemas and definitions of their credentials are on the blockchain.
Private Key
A private key is stored cryptographically in the digital wallet of the entity (holder) in the decentralized identity ecosystem. As the name implies, it is personal for the identity owner.
Presentation or Proof
The proof attests to a claim or compound claims from the holder to the verifier, proving some form of identification to complete a transaction. This is all achieved without making contact with the issuer.
Public Key
A public key is a cryptographic key stored on the blockchain and visible to others. It identifies an entity. Together with the private key, the public key is used to read encrypted messages for the entity.
Revocation Registry
A registry of DIDs that the issuer revokes. Verifiers can check on the blockchain whether the holder is using a revoked claim.
Verifier
A verifier is an entity that wants to verify claims from a holder to complete a transaction or event. The transaction uses a QR code at the endpoints.
Verifiable Credential
A credential is an attestation of authority, competence, or qualification given by an authorized party (issuer) to an entity (holder). It consists of metadata, claims, and proofs and has one or many claims related to an entity’s identity. It is used to respond to attestation requests for proof of a claim. When claims from multiple verifiable credentials are consolidated to respond to a request for proof, the result is called a compound verifiable credential.
References:
1. Trust over IP Foundation: https://www.trustoverip.org/
2. W3C: www.w3c.org
Contact:
LinkedIn: https://www.linkedin.com/in/anitarao/
Twitter: @anitaprao