What is digital identity?
In real life, identity refers to the set of characteristics, attributes, and qualities that make an individual unique and distinguishable from others. The recognition of that unicity by the administration is a human right declared in the Universal Declaration of Human Rights since it is the basis for the society to provide assistance and recognition to actual people according to their needs. In the digital world, identifying people as said users helps to provide a customized experience for the services according to a set of data gathered about them. Here comes the Identity and Access Management field providing authentication, identifying the user, authorization, giving them rights to access a service, and access control management to apply those rules within that service. boruta is an example of a component providing those features.
A brief history of digital identity
The digital identity history is made of three significant steps:
the siloed world (2000s), where organizations have control of their user database and keep it for their sole usage the federated world (2010s), where those user registries are shared across organizations with the birth of authorization-aware specifications (OAuth 2.0 / OpenID Connect, SAML 2.0, CAS) and now, the move is to decentralize identity with the self-sovereign identity movement, bringing back their data to the users’ holding using cryptography and ledger technologies Besides that, there is evolution in the authentication field, in identifying the users, improving the user experience and reducing the attack surface since identity theft is one of the most common attack vectors in cybersecurity. Starting with the password mechanism, a string you must remember to access services, there were improvements in the identification factors used. An identification factor is one of something you know, something you are, or something you have. Nowadays, choosing two of them is so-called 2 Factor Authentication which is one of the strongest protections against identity theft. Recently, we have begun to see biometric checks that empower the “something you are” factor, an active research field. Self-Sovereign Identity aims to also improve authentication by providing identification traits to help identify the users of a service.
The SSI model
Three main actors take place in the SSI model, the issuer, the holder, and the verifier. The journey starts with an authority detaining data about a specific person, respectively the issuer and the holder in the model, let’s say his age. The guy wants to be able to provide his age to access services, for that he would have a digital wallet that can be stored in the cloud as a cloud agent or in a device belonging to him, an edge agent. That wallet uses a protocol to get the said verifiable credential, his age, from the issuer that cryptographically signs it to prove the authority is originating that data, the holder can store it for later use. Then comes the service that needs that information to customize the user experience, it asks the holder to present the verifiable credential via his wallet, and the verifier will cryptographically verify the issuance authority and the holding of the verifiable credential. That journey helps the service ensure the current user is telling his actual age.
There are interesting properties about verifiable credentials we can note. First the selective disclosure, the holder can show only the required information with his consent. Then comes the zero-knowledge proof helping to prove that he is for example over 21 without providing his actual age.
The specs
The research work to implement this model is still ongoing. The major Internet specifications editors, namely the Internet Engineering Task Force, the World Wide Web Consortium, and the OpenID Foundation are actively working to give specifications to implementers, most of them are still drafts, some of them are published. boruta aims to follow those specifications that are evolving and is a component that participates in the Proof of Concepts of issuance, mostly with the high-level specifications from the OpenID Foundation. There is also a target to implement the European Blockchain Service Infrastructure model and pass the according compliance test.
A Proof of Concept
An ongoing Proof of Concept made in partnership with Talao’s Altme wallet aims to fix the gap between the federated and the decentralized worlds by getting verifiable credentials from OAuth-protected resources using federation. First, there is the ability to configure a “login with” button that helps to get an organization’s resources and then transform them into verifiable credentials by implementing the OpenID for Verifiable Credential Issuance specification pre-authorized code flow. The exposed credentials are also configurable in the administration interface. To sum up, the point is to give the ability for the boruta administrator to configure a federation to provide its users verifiable credentials from the federated organization resources. Note that this Proof of Concept is listed in the wallet issuer marketplace and is available in all Altme wallet enterprise installations.
This Proof of concept is not perfect since the verifiable credential is signed by the issuer, the boruta instance, but not the federated organization with less credit as an authority for possible real-world usage.
What next?
In order to participate in the OIDF GAIN Proof of Concept, the issuer has to support multiple versions of the specification drafts. The objective of it is to prove the interoperability of the implementation following a specific profile (set of specification choices). Also, the implementation of the EBSI model is a short-term goal to participate in the European SSI initiatives.
If you are interested in Verifiable Credential issuer integration, do not hesitate to reach out.
Thank you for reading me so far.