Decentralized identity, also known as self-sovereign identity, is earning a reputation as a silver bullet that can solve all of today’s identity problems: perfect privacy, informed consent, user independence and control, and the ability to leverage the latest technology and cryptography.
New Terminology, Similar Roles
Decentralized identity comes with a daunting array of unfamiliar terminology. While important distinctions exist, there is a significant amount of high-level overlap in the roles and interactions with existing identity management protocols.
Let’s start with the decentralized identity role of the issuer. It’s pretty easy to follow that an issuer issues things, and in large part you can immediately connect it to the role of an identity provider (IdP) or OpenID provider (OP) in that one of their primary functions is also issuing things: tokens.
What is an issuer issuing if not tokens? Credentials. While a traditional opaque access_token isn’t a good analogy to a credential, an id_token is a better comparison since it is a statement by the identity provider (issuer) about some attributes of the user.
The other easy association is that of the relying party (RP) or service provider (SP) to the new term verifier. A verifier is simply the party or service that verifies and acts on the validity of a credential. While the issuer/verifier terms generally map well to existing concepts, it’s important to note that with decentralized identity both the issuer and the verifier may also be a single individual rather than a service.
In SSO protocols, the party in the middle that carries tokens between the provider and the relying party is the user agent, which plays no first-class role of its own. In decentralized identity, that middle role is a cornerstone of the architecture and is more formally known as the holder (though typically just called the wallet). Its role is to securely retain credentials on behalf of the user (also known as the subject) and protect their privacy.
Credentials are issued to a holder about a subject. On the verifier side, a credential flow begins when a verifier sends a presentation request to the holder, which, after gathering any user consent, presents the credential to the verifier.
Decentralized identity follows roles and relationships that are very familiar from existing identity management protocols, but uses a more action-oriented terminology for them:
- Issuer → identity provider or OpenID provider, issues credentials
- Verifier → relying party or service provider, is presented credentials
- Subject → typically a user or individual, could also be other types of entities
- Credential → crypto envelope of information about a subject, such as an id_token
- Holder → wallet software to manage credentials on behalf of a subject
Possibly the most fundamental difference between decentralized identity and existing identity management is that of trust relationships. What is widely deployed today with SAML and OAuth is bi-directional trust, where two parties that are known to each other have formed some agreement to establish a connection. That connection is then used to share information about the user such as authentication, identity attributes and authorization.
In most self-sovereign and decentralized identity systems the trust model is fundamentally unidirectional, where a verifier will trust the issuer, but the issuer may have no knowledge of the verifier. To accomplish this securely and ensure fundamental one-way privacy, the role of the wallet is a critical component. It is a distinct party with its own independent relationship to both the issuer and verifier, and it must provide strong cryptographic capabilities to perform that role.
It is quite correct that unidirectional trust relationships can be supported with existing solutions; there are numerous mechanisms to approximate those types of relationships with today’s platforms. Where the divergence deepens is in the adoption of more advanced cryptography within decentralized identity, such that the crypto itself guarantees the trust boundaries through the use of zero-knowledge proofs and anonymous signature techniques. The requirements of those still-evolving security technologies have subtle but important implications that have been easier to accommodate from a clean slate as they grow.
Privacy and Control
The new first-class role of the wallet is where the promise of privacy and control is enforced in decentralized identity. It is the responsibility of the wallet to act with the trust of the user on their behalf: securing credentials to their personal devices by protecting access with enclaves and strong biometrics, and not revealing any metadata when credentials are used that could lead to tracking of their usage.
The wallet must request informed consent from the user when handling any presentation request to ensure that the user understands what is being shared and with whom, and to minimize what is shared. It must also manage the relationship with one or more issuers of credentials, authenticating itself and negotiating for credentials using the strongest available cryptographic techniques.
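The issue/request/present/verify flow described above, together with the one-way trust model (the verifier holds only the issuer's public key; the issuer never learns who the verifier is) and the wallet's consent-and-minimization duty, as an added example that is not part of the original article. It assumes constructed DIDs (did:example:…), a hash-based Lamport one-time signature as a stdlib-only stand-in for the Ed25519 or BBS+ signatures real systems use, and SD-JWT-style salted hash commitments for selective disclosure rather than the zero-knowledge techniques the text mentions; consent is modelled as a callback the wallet invokes before presenting anything.

```python
import hashlib
import json
import os

ISSUER_DID = "did:example:issuer"    # constructed identifiers, not real DIDs
SUBJECT_DID = "did:example:alice"


def canonical(obj) -> bytes:
    """Deterministic JSON so issuer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# Lamport one-time signature: stand-in for Ed25519/BBS+. Verification needs only
# the issuer's public key, never a shared secret. A Lamport key signs ONE message.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _message_bits(message: bytes):
    digest = hashlib.sha256(message).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]


def lamport_sign(sk, message: bytes):
    return [sk[idx][bit] for idx, bit in enumerate(_message_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[idx][bit]
               for idx, (bit, s) in enumerate(zip(_message_bits(message), signature)))


class Issuer:
    """Signs salted commitments to each claim, so the holder can later reveal a subset."""
    def __init__(self, did):
        self.did = did
        self.sk, self.public_key = lamport_keygen()

    def issue(self, subject, claims):
        # [salt, name, value]; the random salt stops a verifier guessing undisclosed values
        disclosures = [[os.urandom(16).hex(), name, value] for name, value in claims.items()]
        commitments = sorted(hashlib.sha256(canonical(d)).hexdigest() for d in disclosures)
        payload = {"issuer": self.did, "subject": subject, "commitments": commitments}
        return {"payload": payload, "signature": lamport_sign(self.sk, canonical(payload)),
                "disclosures": disclosures}


class Wallet:
    """Holder: stores credentials, asks the user for consent, reveals only what was requested."""
    def __init__(self, consent):
        self.credentials = []
        self.consent = consent  # callback(verifier_did, claims_to_reveal) -> bool

    def store(self, credential):
        self.credentials.append(credential)

    def present(self, request):
        wanted = set(request["requested_claims"])
        for cred in self.credentials:
            chosen = [d for d in cred["disclosures"] if d[1] in wanted]
            if {d[1] for d in chosen} != wanted:
                continue  # this credential cannot satisfy the request
            if not self.consent(request["verifier"], {d[1]: d[2] for d in chosen}):
                return None  # user declined: nothing leaves the wallet
            return {"payload": cred["payload"], "signature": cred["signature"],
                    "disclosures": chosen}
        return None


class Verifier:
    """Trusts issuer keys it already holds; the issuer is never contacted and never sees this party."""
    def __init__(self, did, trusted_issuers):
        self.did = did
        self.trusted_issuers = trusted_issuers  # issuer DID -> public key

    def request(self, claims):
        return {"verifier": self.did, "requested_claims": list(claims)}

    def verify(self, presentation):
        if presentation is None:
            return None
        payload = presentation["payload"]
        pk = self.trusted_issuers.get(payload["issuer"])
        if pk is None or not lamport_verify(pk, canonical(payload), presentation["signature"]):
            return None
        revealed = {}
        for d in presentation["disclosures"]:
            if hashlib.sha256(canonical(d)).hexdigest() not in payload["commitments"]:
                return None  # disclosure not covered by the issuer's signature
            revealed[d[1]] = d[2]
        return revealed


def demo():
    issuer = Issuer(ISSUER_DID)
    wallet = Wallet(consent=lambda verifier, claims: True)
    wallet.store(issuer.issue(SUBJECT_DID, {"name": "Alice", "over_18": True,
                                            "email": "alice@example.com"}))
    verifier = Verifier("did:example:shop", {ISSUER_DID: issuer.public_key})
    return verifier.verify(wallet.present(verifier.request(["over_18"])))


if __name__ == "__main__":
    print(demo())  # only the requested claim is revealed
```

The verifier ends up with `{"over_18": True}` and nothing else: name and email stay inside the wallet, the issuer's signature still checks out over the full set of commitments, and the issuer was never involved in the presentation. Swapping the consent callback for one that returns False makes `present` return None, which is the wallet enforcing the user's decision rather than the verifier's.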
If any single distinction is to be made between SSO and decentralized identity, it is that the user trusts the wallet to protect their privacy.
The future is moving toward identifying an identity and then validating it: a secure future built on identity.