Self-Sovereign Identity: The Ultimate Guide 2024 (original) (raw)

Dock has been a pioneer in the revolutionary Web3 space. Since 2017, our expert team has been building cutting-edge Verifiable Credentials and Self-Sovereign Identity technology. We created this complete guide on Self-Sovereign Identity to explain its importance to organizations and individuals as well as how the tech works in a simple way.

‍

‍

TL;DR

• As we access apps and websites, organizations by default are dominantly using centralized and federated identity management (e.g. signing in with a Google or Facebook account) systems. Centralized systems often make organizations vulnerable to large-scale hacks and data breaches. With federated systems, credential system providers like Google may use people’s personal data to store and track their online activity without their knowledge.
• Current ID and credential verification processes are very slow, expensive, and outdated.
• Self-Sovereign Identity (SSI) is an identity management model that enables organizations to create fraud-proof Verifiable Credentials and instantly verify the authenticity of those credential. It gives individuals full ownership and control of their digital identities without relying on a central authority.
• Self-Sovereign Identity is made up of 3 pillars: blockchain, decentralized identifiers, and Verifiable Credentials.
• Self-Sovereign Identity technology can be applied to diverse use cases including reusable digital identity, issuing fraud-proof certifications and diplomas, speeding up workforce recruitment times, and more.

‍

Introduction

How would you feel if you found out that your doctor had a fake degree?

If you’re a food supplier, how would you contain a contaminated batch of products when you can’t trace it back to its origin?

And did you know that cybercriminals earn up to $2.2 million through formjacking attacks by stealing 10 credit cards per website?

While all of these situations seem completely unrelated, they actually all tie back to the recurring problems of outdated verification systems and reduced security with traditional identity management systems.

As we access apps and websites, organizations are dominantly using centralized and federated identity management systems (e.g. signing in with a Google or Facebook account) by default. The centralized system puts data at risk of large scale hacks and breaches while the federated model enables companies to track user data without their knowledge. Unsurprisingly, cybersecurity spending increases every year.

These problems are what motivated the development of the Self-Sovereign Identity model to manage digital identities. There are many advantages to Self-Sovereign Identity that we’ll dive into more detail later, including:

• Fully owning and controlling your data
• Increased security and privacy
• Eliminating central points of failure
• Data can’t be tracked and correlated (data that is used to trace back to someone’s identity or track online behavior)

What Is Self-Sovereign Identity?

Self-Sovereign Identity (SSI) is a model that gives individuals full ownership and control of their digital identities without relying on a third party. In contrast to centralized identity management, you are the boss of your identity and get to decide who gets to see your data. You can also remove access to your data any time.

Before diving into the details of Self-Sovereign Identity, it’s important to know what digital identity is first. A digital identity is any data that exists online that can be traced back to an individual or organization. Identifiable data includes passwords, user names, bank accounts, and social media photos.

SSI technology allows people to self-manage their digital identities without depending on third-party providers to store and manage the data. Currently, Self-Sovereign Identity is used interchangeably with the term decentralized identity.

There are three main participants in the SSI system:

• Holder: Someone who creates their decentralized identifier with a digital wallet app and receives Verifiable Credentials.
• Issuer: Party with the authority to issue Verifiable Credentials.
• Verifier: Party checking the credential.

The interactions between the holder, issuer, and verifier is sometimes called "the trust triangle." Every time information is requested by a verifier, the holder chooses whether to allow access to their data.

3 Pillars of Self-Sovereign Identity

Verifiable Credentials, blockchain, and decentralized identifiers are 3 pillars of Self-Sovereign Identity.

Self-Sovereign Identity is made up of 3 pillars:

1. Blockchain: A decentralized database that is shared among computers in the blockchain network that records information in a way that makes it very difficult to change, hack, or cheat the system.
2. Decentralized Identifiers (DIDs): A way to identify yourself online without relying on a centralized organization or company to verify your identity. Instead, you can prove who you are using a unique code that is stored on a blockchain. This means that you have more control over your personal information and who has access to it. It's similar to how you use a driver's license or passport to prove your identity in the physical world.
3. Verifiable Credentials (VCs): Digital cryptographically-secure versions of paper and digital credentials that people can present to verifiers.

For example, let's say a new gym opens and every employee must have a First Aid training certificate, which is valid for three years.

• Holder: Sandy the job applicant
• Issuer: First Aid training organization
• Verifier: Gym

Here is how these roles interact in a Self-Sovereign Identity system:

1. Sandy (holder) has a digital identity wallet app, the Dock Wallet, on her phone that stores her Verifiable Credentials.

2. Sandy successfully passes her First Aid training and the training organization uses the Dock Certs platform to digitally issue her fraud-proof training certificate as a PDF.

3. Sandy scans the QR code on the PDF and imports it in the Dock Wallet.

4. The gym company uses Dock Certs to create a verification template to screen job applicants to ensure they have a valid First Aid certificate. The gym staff sends a QR code to Sandy to start the verification process.

‍

5. Sandy scans the QR code with the Dock Wallet and she chooses her First Aid and CPR credential.

6. To maintain her privacy and not share more than she needs to, she only sends her credential certificate number and name but not her email address.

7. The gym instantly verifies that her credential is authentic and calls her for an interview.

In this case, the gym trusts only the First Aid training organization as an issuer and Sandy wouldn’t be able to fake the certificate. The training organization’s DID is publicly known and only First Aid certificates issued by this issuer as Verifiable Credentials would be recognized as valid for verifiers.

If someone tried to make Sandy a fake digital certificate by changing the data, the verification would fail and would not be sent to the verifier. The failed verification confirms that the certificate is not authentic because the signature wouldn’t match the issuer’s DID or the hash (acts like a digital fingerprint) would be wrong.

Principles of Self-Sovereign Identity

Many people have written about the principles of identity, including Kim Cameron’s “Laws of Identity” and W3C Verifiable Claims Task Force FAQ. While there is no clear consensus on what Self-Sovereign Identity is among different thought leaders and organizations, there are 10 key principles that summarize the essential aspects of SSI.

1) Existence: A user must be able to exist in the digital world without the need of a third party.

2) Control: People must have ultimate authority over their digital identities and personal data.

3) Access: Users must have easy and direct access to their own data.

4) Transparency: The wayan identity system and algorithms are managed and updated must be publicly available and reasonably understandable. The solution design should be based on open protocol standards and open software.

5) Persistence: Identities must be long-lasting. Solution developers should implement sufficient foundational infrastructure and design sustainable commercial and operational models.

6) Portability: People must be able to bring their identities and credentials anywhere, transport their data from one platform to another, and not be restricted to a single platform.

7) Interoperability: Identities should be as widely usable as possible by various stakeholders. Organizations, databases, and registries must be able to quickly and efficiently communicate with each other globally through a digital identity system.

8) Consent: Users must give explicit permission for an entity to use or access their data. The process of expressing consent should be interactive and well-understood by people.

9) Minimization: A digital identity solution should enable people to share the least possible amount of data that another party needs to minimize sharing of excessive and unnecessary personally identifiable information.

10) Protection: People’s right to privacy must be protected and safeguards should exist against tampering and monitoring information. Data traffic should be encrypted end-to-end.

Origins of Self-Sovereign Identity

‍

There are a growing number of discussions about SSI around the world among citizens, companies, and governments. But where did this digital identity approach come from?

Christopher Allen is a standards and identity practice specialist at the blockchain development startup Blockstream and a veteran developer. He believes that SSI began in the early 90s when Pretty Good Privacy (PGP) mentioned the idea of “Web of Trust,” which is the first hint of what could become a Self-Sovereign Identity. PGP is a security program used to decrypt and encrypt email and authenticate email messages through digital signatures and file encryption.

The “Web of Trust” was an approach where trust could be established by allowing peers to act as introducers and validators of public keys and anyone could be a validator in the PGP model. While this approach was a great example of decentralized trust management, the limitation is that it focused on email addresses that depended on centralized hierarchies. This, in addition to other reasons, is why PGP never became broadly adopted.

In 1996, Carl Ellison wrote a paper on digital identity called “Establishing Identity Without Certification Authority.” He mainly argued that there was a need for a method to establish identity without using certificates from trusted certification authorities.

SSI really gained momentum in the 21st century as the internet developed more. In his article, “The Path to Self-Sovereign Identity,” Allen discussed his vision for Self-Sovereign Identity where digital identity can enable trust while preserving individual privacy. He says SSI is much needed during this time because governments and companies are sharing tremendous amounts of information and correlating everything from purchases, people’s locations, and who they associate with. SSI can help protect people from increasing control from people in power.

Countries, governments, and companies often associate people’s identity with state-issued credentials like driver’s licenses and social security cards. But for SSI advocates, this is problematic because it implies that people can lose their identity if a central authority removes it from them. With a Self-Sovereign Identity, no entity can remove your digital identity.

4 Key Phases in the Evolution of Digital Identity

The models of online identity have gone through these four main phases since the internet was invented:

1. Centralized identity
2. Federated identity
3. User-centric identity
4. Self-sovereign identity

Right now we are dominantly using centralized identifiers like emails, phone numbers, and user names to authenticate our identity to access websites and apps. As we create more accounts, our personal data is being spread more and more on the internet.

Phase 1: Centralized Identity (Administrative Control by a Single Authority or Hierarchy)

As the internet was first developing, centralized authorities became the issuers and authenticators of digital identity. IANA (1988) was an organization that determined the validity of IP addresses and ICANN (1998) arbitrated domain names. In 1995, certificate authorities helped commerce sites authenticate their identities.

Some organizations went beyond centralization and created hierarchies where the root controller would choose other organizations to each oversee their own hierarchy. But the root controller would always have more power. As the internet grew, centralized authorities and hierarchies gained more power as more people had to manage a growing number of digital identities while having no control over them.

This model is a siloed one where systems are isolated from each other as people have to create a digital identity account for every platform. The average person has 100 passwords and a study from the University of Sydney conducted a survey among social media users from Australia, UK, and US revealed that a third of people don’t trust social media companies with their data. This creates a bad user experience as they have to manage an increasing number of accounts.

‍

Phase 2: Federated Identity (Administrative Control by Multiple, Federated Authorities)

Because of the problems that resulted from the first siloed digital identity model, federated identity was developed. A federated identity allows authorized users to access multiple applications and domains using a single set of credentials like when people can use their Google or Facebook to sign into websites or apps. A federated identity links a user’s identity across multiple identity management systems so they can access different applications efficiently.

Microsoft’s Passport initiative in 1999 was one of the first to offer a federated identity. But the problem is that Microsoft was at the center of the federation which made it almost as centralized as traditional authorities.

In federated identity systems, personal data is often being stored, tracked, and shared to other parties without people’s knowledge. In 2019, Facebook had 540 million user records exposed on the Amazon cloud server (CBS). Currently, there is a hacker attack every 39 seconds.

Phase 3: User-Centric Identity (Individual or Administrative Control Across Multiple Authorities Without Requiring a Federation)

In 2000, the Augmented Social Network established the groundwork for a new kind of digital identity for the next generation of the internet. They recommended that a persistent online identity should be built into the architecture of the internet. The key advancement to digital identity is the assumption that every individual ought to have the right to control his or her own online identity.

The Identity Commons (2001-Present) began to compile the new work on digital identity with a focus on decentralization. Their most important contribution was their creation of the Internet Identity Workshop working group, or IIW (2005-Present), where they advance the idea of decentralized identity in a series of semi-yearly meetings. They focused on a new term: user-centric identity.

The user-centric identity model suggests that users are in the middle of the identity process, the user must have more control over their identity, and trust must be decentralized. IIW’s work supported different methods for creating digital identity including OAuth (2010) and OpenID Connect (2014). User-centric approaches tended to focus on user consent and interoperability.

However, powerful institutions prevented them from realizing their goals. Today, the ownership of user-centric identities remains with the entities that register them. Being user-centric isn’t enough.

Phase 4: Self-Sovereign Identity (Individuals Have Full Control Across Any Number of Authorities)

Self-Sovereign Identity is the next step beyond user-centric identity. The term Self-Sovereign Identity was used more in the 2010s when people advocated not just that people be at the center of the identity process but that they are the rulers of their own identity.

There were a growing number of discussions of SSI within international policy that were largely driven by the refugee crisis in Europe. Many people lacked a recognized state-issued identity as they had to flee their homes.

Problems With Centralized Digital Identifiers, Credentials, and IDs

• Centralized digital credentials, like health and safety training certificates and university degrees, are easy to forge. The only way to check their authenticity is by contacting the issuing organization, which can take days to even months to confirm the information you need
• Traditional IDs like a driver’s license or other government-issued IDs are not private as the verifier can access all the information on a credential that they often don’t need like date of birth and address
• The verification of credentials is dependant on the issuer and if their service is offline or disappears, then people can’t prove the authenticity of their credentials to a verifier
• Data can be stored, tracked, and shared by third parties
• More than 80% of breaches within hacking involve brute force or the use of lost or stolen credentials.
• Data stored on an issuer’s centralized servers have an increased risk of becoming targets for hacks, breaches, or leaks

Examples of the Consequences of Data Breaches

In 2020, 33,000 unemployment applicants were exposed to a data security breach through the Pandemic Unemployment Assistance program

• Yahoo holds the record for the largest data breach of all time with three billion compromised accounts
• Annually, hospitals spend 64% more on advertising the two years following a breach
• In 2018, a Marriott International data breach affected roughly 500 million guests

Benefits of Self-Sovereign Identity Management for Organizations, Individuals, and Developers

Organizations

• Significantly reduce costs, inefficiencies, and resources by verifying credentials like nurse licenses or online course completion certificates instantly instead of days, weeks, and months
• Issue fraud-proof Verifiable Credentials efficiently and at a much lower cost
• Improve security with public-key cryptography
• Reduce the risk of being targeted for cyber attacks, breaches, lawsuits, and fines by storing less user data

Individuals

• Full ownership and control over your identity without relying on a third party
• Create your own DIDs and fully manage your data with a digital wallet
• You can choose which data to share and with whom to share it with while having the ability to remove access to the data at any time
• Personal data is not stored on centralized servers
• You don’t have to provide unnecessary and excessive information than what is requested like showing your full address if you only need to confirm your age

Developers

• Build apps that eliminate the need for password, which creates a better user experience
• Removes inefficient authentication processes like using text or email for secondary verification
• Request data directly from users rather than a third party

A Self-Sovereign Identity platform like Dock enables people and organizations to create, manage, and store their data on a decentralized network.

How Does Self-Sovereign Identity Management Work?

We’ll go over the key details of the three pillars of SSI which are blockchain, Decentralized Identifiers, and Verifiable Credentials and how they work together.

SSI Pillar 1: Blockchain

Blockchain is a system of recording information on a digitally distributed database that is shared among computers in the blockchain network. These computers are called nodes. The way that blockchain is designed makes it very difficult to change, hack or cheat the system. Each block has unique data about the previous block and once the data on the blocks are verified, they are added to the blockchain.

Key Features of a Self-Sovereign Identity Blockchain:

• Decentralized: Blockchain uses a peer-to-peer network where no one party can change or manipulate the way a blockchain should act. Nodes can be anywhere in the world as long as they have the required equipment to be part of the network. If it’s a permissionless blockchain, anyone can join the network.
• Distributed ledger (record of transactions): Every node in the network gets a full copy of the blockchain and the information can be used to verify that it hasn’t been tampered with. When new data is verified, everyone adds this information to their copy of the blockchain.
• High security with immutability: Blocks can’t be tampered with or backdated. Every block has a hash (string of letters and numbers) of the previous block, which acts like a unique digital fingerprint. If the hash changes on a block, everyone in the network will know that it has been tampered with and tampered blocks will be rejected by nodes and not be added to the blockchain.

Let’s consider a company where only one person has access to financial records and history. If they changed the numbers, who would know about it? There may be limited or no traceable evidence or record of this change so they can easily steal money or commit fraud. But if all transactions were recorded on a permissioned blockchain, other staff could audit and check the transactions to ensure they are accurate.

Here is how each party uses the blockchain in a Self-Sovereign Identity system:

• Holder: Owner of the Verifiable Credential (e.g. driver’s license) has their public DID on the blockchain.
• Issuer: When an issuer, like a government department, provides a Verifiable Credential to a holder like a driver’s license, they sign it with their DID and associated private key. The department’s DID and associated public key will be on the blockchain.
• Verifier: A verifier, like an on-demand driving company, can check the blockchain to ensure that the government department they trust did in fact issue the license because the credential was signed by the issuer’s DID that is on the blockchain.

A blockchain allows the holder, issuer, and verifier to have the same source of truth about which credentials are valid and who authenticated the validity of the data inside the credentials.

The identity and credentials are not stored on the blockchain but rather on the holder’s digital wallet.

SSI Pillar 2: Decentralized Identifiers (DIDs)

Everyone who has an online presence has a digital identifier like an email address or user name. Today, we mostly rely on centralized identifiers such as Google, Facebook, email providers, or mobile network operators to connect to websites and apps. But these digital identifiers are often used to tore, track, and share user data. Companies can know who we messaged, what we bought, where we live, our location, and so on.

Thankfully, decentralized identifiers (DIDs) allow people to create digital identities that they can securely connect to their Verifiable Credentials that don't reveal personal information without authorization. DIDs allow us to have full ownership and control of our data. Having multiple DIDs makes it harder for someone to correlate those DIDs together.

A DID is a globally unique identifier made up of a string of letters and numbers that is independent of any organization. DIDs are publicly known by relevant parties.

Here is an example of a Dock DID:

A DID:

• Is created by the user
• Comes with one or many private key and public key pairs
• Does not contain personal data or wallet information
• Enables private and secure connections between two parties and can be verified anywhere at any time

People can make as many DIDs as they want for different purposes and interactions. For example, someone can generate three different DIDs:

• DID 1: For their online shopping only
• DID 2: For cryptocurrency-related services like trading and buying NFTs
• DID 3: Professional purposes like holding their educational credentials such as a university degree and course certificates

Private and Public Keys That Come With DIDs

To learn how private and public keys work, it’s important to understand what encryption is. Encryption is the process of taking a message and scrambling its contents so only certain people can look at your message.

There are 2 types of encryption:

1. Symmetric encryption: One key (password) is used to encrypt and decrypt data. Think about securing access to a document by choosing a password like “catsrule.” In order for someone to open the document, they need to type in “catsrule.” In this example, a single password (key) is used to encrypt and decrypt the document.
2. Asymmetric encryption: The encryption key (also called the public key) and the corresponding decryption key (also called the private key) are different. Asymmetric encryption is also known as public-key encryption.

Let’s say Ellen has a confidential document she wants to share with her colleague Ken. She uses an encryption program to protect the document with a password that she chooses. She sends the message to Ken who can’t open the message because he doesn’t know the password in the same way that he doesn’t have a “key” to open the lock to access the document.

Ellen doesn’t want to share the password through email because other people can use it to decrypt any message between Ellen and Ken. This is the problem with symmetric encryption and what asymmetric encryption tries to solve.

With asymmetric encryption, Ellen and Ken have to generate a key pair on their computers. A public and private key will be linked to each other. A public key can be used to encrypt data and only the matching private key can be used to decrypt data. But if you know someone’s public key, you can’t access their private key.

Ellen and Ken can use asymmetric encryption to communicate securely with each other.

1. They first exchange their public keys
2. When Ellen sends her confidential document, she encrypts it with Ken’s public key
3. Ken then uses his private key to unlock the document. Because of asymmetrical encryption, only Ken can decrypt the message. Even Ellen can’t decrypt it because she doesn’t have Ken’s private key.
4. Ken and Ellen should never share their private key. If someone gets Ken’s private keys, a hacker can decrypt all messages intended for Ken. But the hacker can’t decrypt messages sent to Ellen because that requires her private key.

Asymmetric encryption is used where security is very important including a website with the address https://, secure emails, or cryptocurrency to make sure only the owner of a wallet can withdraw or transfer money from it.

‍

Every DID comes with one or many private and public keys and each did can have multiple key pairs.

• Private key: Made up of a long string of letters and numbers that allows people to prove ownership, give consent to share selected data, and sign Verifiable Credentials. As an analogy, a private key is like a master key that can access all of your information and the owner should never share their private key with anyone.
• Public key: Made up of a long string of letters and numbers that can safely be shared with anyone you choose to give specific information to.

Think about a mailbox on the street that is public and many people know the location. Anyone can drop in letters but only the owner can open it up. The mailbox’s address would be like the public key that is safe for everyone to know. The owner of the mailbox is the only one who has the private key that is needed to open up the mailbox.

For additional security, you can generate a new public key whenever you transact with a different party to reduce the chances of someone correlating data. This practice can be compared to having a different password for every new website you create an account for. It’s not safe to use “itsreallyme123” for every site. It’s better to have longer and complex passwords to reduce the risk of your information being hacked.

SSI Pillar 3: Verifiable Credentials (VCs)

ID cards, certificates, and degrees can easily be faked and organizations have few to no options of verifying their authenticity without doing a tedious, manual process of checking with the issuer of a credential like a university or licensing organization. But Verifiable Credentials allow verifiers like an employer, government department, or app to verify credentials in seconds!

Verifiable Credentials are a digital, cryptographically-secured version of paper and digital credentials that people can present to parties that need them for verification. An employer for example can simply use an app to scan a job candidate’s QR code to confirm that they have a bachelor’s degree without needing to spend days or weeks contacting a university to verify if someone’s degree is authentic.

W3C is an international community of member organizations, staff, and the public collaborating to set international standards for the World Wide Web. When digital credentials conform to the Verifiable Credentials Data Model 1.0 standards that they established, they can be referred to as Verifiable Credentials.

The Verifiable Credentials Data Model 1.0 is a “specification [that] provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable.” W3C created standards for Decentralized Identifiers, URL, and others.

Key Benefits of Verifiable Credentials

• Issuing Organizations: Save money and time issuing Verifiable Credentials efficiently, including the option to issue in bulk, prevent fraud, and reduce manual work.
• Verifying Organizations: Save time, resources, and money by verifying credentials instantly without having to contact issuing organizations.
• Individuals: Only provide the relevant information to a verifier without disclosing unnecessary information and confirm claims without revealing the actual data.
• Developers: Enhance the user experience by authenticating securely without the need for passwords.

There are two main ways Self-Sovereign Identity blockchain companies can enable people to preserve privacy:

1) Selective Disclosure

You can decide which data of a credential you want to show to a verifier without revealing unnecessary information than what is requested. For example, if you need to be at least 18 to receive a service, you can show your birth date from your license that was issued as a Verifiable Credential without showing your name or address.

2) Zero-Knowledge Proofs (ZKPs)

With zero-knowledge proof technology, Self-Sovereign Identity providers go even further to help people maintain privacy by proving you are 18 years old or over without even revealing your date of birth. This is made possible with the use of cryptography where the holder can show the verifier that they meet a certain requirement (like minimum age, income, or area of residence) without needing to show the data that supports that proof.

How Blockchain, Decentralized Identifiers, and Verifiable Credentials Work Together

We’ll go through an example that demonstrates how all of these pillars of SSI work together.

Let’s say there’s an online course on how to use a project management tool that will issue a certificate as a Verifiable Credential after students complete the course.

• Holder: Dawn Lopez completes the Jira Advanced Course and has a digital identity wallet. Jira is a project management software.
• Issuer: Successo Academy is an online course provider that issues a certificate to course graduates.
• Verifier: Employer, Naturellica, is looking for someone with project coordination skills and trusts Zip Education as an issuer.

1. Dawn creates a DID with her digital identity wallet for professional purposes and the DID automatically comes with a private and public key pair.

2. Dawn successfully completes Jira Advanced Course and Successo Academy issues her certificate as a Verifiable Credential in PDF and JSON formats. A JSON file is a file that stores simple data structures and objects in JavaScript Object Notation (JSON) format, which is a standard data interchange format. Zip Education uses their private key to sign and issue a certificate to the student using Dock Certs. The Dock blockchain holds the public DIDs of Zip Education and Dawn.

3. Dawn imports the credential on her Dock wallet.

4. Dawn applies for the project coordination position and Naturellica wants to ensure that shortlisted applicants have completed an advanced Jira course. They send Dawn a credential verification request.

5. Dawn scans the request and selects her Advanced Jira course certificate.

6. Because Successo Academy values Self-Sovereign Identity, they issue credentials in a way where recipients can choose which information to share rather than their whole credential to provide more data privacy.

7. She selects which digital identity to send the credential from (DID).

8. Naturellica can instantly see that the credential is authentic and invites Dawn for an interview.

‍

Here is another example of how public and private keys are used in the SSI system.

• Holder: Tommy
• Issuer: Government department
• Verifier: Online English education company

An online English education company in Japan wants to hire contract teachers from the USA and Canada only. They use Verifiable Credentials as part of their screening process to ensure that teachers are residents in North America.

1. Tommy has a DID in his Dock Wallet and wants to add his passport details on it
2. Tommy goes to the government office and the staff asks him to scan a QR code, which enables a secure connection and exchange of DIDs
3. The staff uses the private key to sign and issue the digital passport as a Verifiable Credential
4. Tommy accepts the credential and stores it in his wallet
5. The online education company requests data to confirm that he lives in Canada or the USA
6. Tommy authorizes the online education company to see his relevant data
7. The company verifies the credential that confirms that he lives in Canada

Self-Sovereign Identity Wallet

A secure Self-sovereign Identity wallet is essential because it allows people to carry their credentials anywhere on their phone or digital device. Portability is one of the principles of SSI.

Key aspects of an SSI wallet:

• Enables people to securely store and manage DIDs and Verifiable Credentials without relying on a third party
• A holder must give the authorization to share data to a verifier who needs to confirm eligibility to access services or products
• Makes it harder for companies to track or correlate information back to the user
• People can access websites and apps without revealing personal information or any more details than necessary
• People can sign in with a DID rather than creating a new account with a user name and password to access another website or app

If Sarah wants to buy alcohol and needs to prove she is at least 18 years old, she can do this without revealing her date of birth or any other details about her identity by using a Self-Sovereign Identity wallet that has implemented zero-knowledge proof technology.

1. The cashier requests data from her wallet that confirms that she is at least 18 years old (with her driver’s license) and Sarah is prompted to give permission to share the data
2. When Sarah approves the request, this creates a secure connection between the store and Sarah’s wallet while exchanging DIDs.
3. Sarah’s driver’s license confirms that she is at least 18 years old. Because of zero-knowledge proof technology, her license details like the actual date of birth and her full name are not revealed at all and the store trusts that the data provided by the issuer, the licensing organization, is legitimate. A verifier can use the issuer’s DID and associated public key on the blockchain to check that the data in the user’s wallet is authentic.

Dock Wallet

The Dock Wallet is a secure Self-Sovereign Identity wallet that allows people to securely store their DIDs and Verifiable Credentials and take them anywhere. You can import Verifiable Credentials through QR code or a JSON file.

Verifying Credentials In a Self-Sovereign Identity System

Verifying Credentials In a Self-Sovereign Identity System

Organizations have the ability to instantly verify users' digital credentials using Dock Certs and the Dock Wallet on either a phone or computer. This functionality is made possible through blockchain technology, ensuring that the verification process is fast and secure. The information being presented can be trusted as accurate, as the verification is both quick and fraud-proof. Both online and in-person verification can be done as users can verify documents through the web or directly from one wallet to another.

Instant Credential Verification Benefits for Organizations

• Verify someone's credentials quickly in mere seconds compared to the lengthy traditional verification methods that can take weeks or even months
• Prevent document fraud
• Cut costs by avoiding manual, costly, and inefficient verification processes
• Meet data compliance regulations
• Enhance operational efficiency
• Lower the risk of liabilities, penalties, lawsuits, and serious incidents by ensuring that only qualified individuals are hired

Benefits of Instant Credential Verification for Individuals

The Dock Wallet enables users to:

• Have greater privacy, control, and security of their data by allowing them to selectively share only the parts of their credentials they choose with a verifier. For instance, they can choose to reveal only their full name while keeping their date of birth and address private.
• Easily share their credentials from their phone.
• Share only the necessary information with a verifier which reduces the risk of their data being misused while maintaining full control over who has access to it.

Dock’s Step by Step Verification Guide

‍Click here for the complete guide on how to verify credentials with Dock Certs and Dock Wallet.

Self-Sovereign Identity Use Cases

SSI can be used in many ways across a variety of sectors and new use cases are continuously being developed. Below are just a few examples.

Supply chains

Verify parties and documents instantly in the supply chain while tracing the source of products that are tracked on the blockchain.

Streamline the recruitment process

Organizations that want to recruit high-quality candidates efficiently can verify educational and professional credentials like a university degree and professional certificates instantly with SSI. This will save days to weeks compared to traditional manual verification processes.

Healthcare

In order to provide efficient and consistent service based on accurate information on a patient’s identity and medical history, SSI can help maintain an accurate record that can be shared efficiently with relevant healthcare providers.

Authenticating employees and contractors
Organizations can issue Verifiable Credentials for an employee or contractor status. Holders can login with their Self-Sovereign Identity wallet. Organizations can add credentials that expire for temporary contractors.

Cross border processes and duties

Track shipment credentials and how they are used.

Know Your Customer Compliance (KYC)

KYC compliance can be streamlined by implementing Verifiable Credentials during the client onboarding process. Instead of doing a different KYC process for every service you sign up for, you can reuse your KYC credentials. For example, if Company A ran a KYC and issued you Verifiable Credentials, you can reuse these same credentials when you sign up for Company B to speed up the KYC process.

NFTs

SSI can help prove who created, owned or currently owns non-fungible tokens (NFTs) across their lifecycle. SSI can enable someone to prove they own an NFT without having to connect their ETH wallet.

Income proof for financial and government services
You can provide proof of income without revealing your actual total earnings.

Voting for an organization like a club or company
SSI can be used to ensure that only members can attend and vote. Their credentials will be linked to their DID and their names won’t be revealed. The organization can trust that people are who they say they are and they have the right to vote because they can cryptographically prove they own the rightful DID.

Immigration and demographic information
Verifiable Credentials can include details that would be needed to qualify for government services such as being old age, a veteran, Native/Aboriginal, or have a disability status. VCs can speed up the verification process because people can use these credentials to apply for a government program or prove something about themselves quickly with no wait times.

Self-Sovereign Identity Standards

SSI standards that help people create and manage their digital identities are a continuous work in progress. Standards include data models, open-source code, APIs, and more. These are the key standards that have been developed:

W3C: Verifiable Claims Data Model and Representations 1.0

The W3C Credentials Community Group explores the creation, storage, presentation, verification, and user control of credentials. The group published a first version of Verifiable Claims Data Model and Representations 1.0 in May 2017. The specification discusses the criteria of verifiable claims. By this standard, a self-sovereign architecture for verifiable claims is one where the holder of a verifiable claim is in complete control of their identifier and how they are used.

W3C DID: Decentralized Identifiers (DIDs) v1.0

The W3C DID Working Group established standards for DIDs in Decentralized Identifiers (DIDs) v1.0 where they specify a variety of criteria including a common data model, DID operations, and an explanation of the process of resolving DIDs to the resources that they represent.

Decentralized Identity Foundation (DIF)

The Decentralized Identity Foundation is an engineering-driven organization that represents a diverse, international collection of organizations and contributors working together to establish an open ecosystem of decentralized identity that is accessible to everyone.

DIF has a variety of working groups establishing standards and protocols (a set of rules or procedures for transmitting data between electronic devices) including the following:

• Identifiers and discovery: DIF members are working on protocols and implementations that enable the creation, resolution, and discovery of DIDs and names across decentralized systems like blockchains
• Authentication: Members design and implement DID-based authentication spec, standards, and libraries
• DID Communication: Produce one or more specifications that embody a method for secure, privacy, and authenticated message-based communication (where possible) where trust is rooted in DIDs.
• Secure data storage: Create one or more specifications to establish a foundational layer for secure data storage.

Trust Over IP Foundation

The Trust Over IP Foundation was founded in 2022. The organization:

• Promotes global standards for confidential and direct connections between parties
• Leverages the opportunities for interoperable digital wallets and credentials
• Protects citizen and business identities by anchoring them with verifiable credential signatures

They have several working groups including:

• Governance stack: Working to define models and interoperability standards for governance frameworks that enable business, legal, and social trust between entities implementing the Trust over IP architecture stack.
• Technical stack: Define the technical standards, test suites, and interoperability certification standards for the Trust Over IP architecture stack

How to Create a Self-Sovereign Identity With Dock

‍

Dock is a Self-Sovereign Identity platform, where people can create DIDs, issue, and verify credentials.

• Create as many DIDs as you want in Dock Certs
• Easily issue Verifiable Credentials with the option to issue in bulk

Summary of Key Terms

Blockchain: A decentralized database that is shared among computers in the blockchain network that records information in a way that makes it very difficult to change, hack, or cheat the system.

Centralized identity: Administrative control by a single authority or hierarchy.

Data breach: When an unauthorized person or party steals, views, transmits, copies, or uses information.

Decentralized Identifiers (DIDs): A way to identify yourself online without relying on a centralized organization or company to verify your identity. It is a string of letters and numbers that acts like an identifying address that is stored on a blockchain.

Federated identity: Allows authorized users to access multiple applications and domains using a single set of credentials.

Holder: Someone who owns the Verifiable Credential and stores it in their digital wallet app.

Issuer: Person or organization with the authority to issue Verifiable Credentials.

Private key: Made up of a long string of letters and numbers that allows people and organizations to prove ownership, sign Verifiable Credentials, and give consent to share selected data.

Public key: Made up of a long string of letters and numbers that can safely be shared with anyone you choose to give specific information to.

Selective Disclosure: You can decide which data of a credential you want to show to a verifier without revealing unnecessary information than what is requested.

Self-Sovereign Identity: A model that gives individuals full ownership and control of their digital identities without relying on anyone or organization.

User-centric identity: This model suggests that users are in the middle of the identity process, the user must have more control over their identity, and trust must be decentralized.

Verifiable Credentials (VCs): Digital cryptographically-secure versions of paper and digital credentials that people can present to verifiers.

Verifier: The person or organization checking the credential.

Conclusion

Since the invention of the internet, people have dominantly used centralized and federated identifiers like emails and user names to access websites and apps. Centralized identity systems often make organizations vulnerable to large scale hacks and data branches while federated systems can enable companies to use people’s personal data to store and track their online activity without their knowledge. Centralized identity management systems have resulted in recurring data breaches, loss of individual control of their data, stolen identities, and the spread of confidential information.

Also, because ID and credential verification processes are very slow, expensive, inefficient, and outdated, credential fraud and lack of product traceability is a big problem in many sectors, particularly in supply chain and licensing.

These problems led to the development of Self-Sovereign Identity (SSI), a model that gives individuals full ownership and control of their digital identities without relying on a third party. There are a growing number of use cases that can implement Self-Sovereign Identity management across a variety of sectors including healthcare, finance, education, and cryptocurrency.

Key Benefits of Self-Sovereign Identity Solutions

Learn More

• Blockchain and Health Care: BurstIQ Use Cases
• Blockchain Identity Management
• Data Compliance
• Digital Credentials
• Decentralized Identity
• Verifiable Credentials
• Decentralized Identifiers (DIDs)

About Dock

Dock is a Verifiable Credentials company that provides Dock Certs, a user-friendly, no-code platform, and developer solutions that enable organizations to issue, manage and verify fraud-proof credentials efficiently and securely. Dock enables organizations and individuals to create and share verified data.