Why Self-Sovereign Identity is a movement
published on 19.04.2021
The IDunion consortium is currently building an ecosystem for decentralised identity administration (Self-Sovereign Identity). The goal: people should be able to use their digital identity independently and maintain control of their data. Micha Kraus is one of the SSI experts in the Innovation Department and Technical Head of the Bundesdruckerei GmbH co-project. He explains why the much cited blockchain hype is justified in Self-Sovereign Identity and what role the personal identity card with its eID function should play in the ecosystem.
How the personal identity card enriches the Self-Sovereign Identity
The Self-Sovereign Identity is a relatively new concept in Germany. When did you first encounter it?
It all started in 2019, when Bundesdruckerei started the Lissi project (Let’s initiate self-sovereign identity) with partners. From the start, I worked on the project team, which had just been significantly expanded again for the follow-up project IDunion. However, I had been working with the fundamental principles of the self-sovereign identity for even longer - and with the technical concepts behind it too. One of these concepts is the so-called ‘anonymous credentials’, which we have a somewhat cumbersome term for in German: ‘privatsphärefördernde digitale Identitätsnachweise’. In 2012 I had already dedicated myself to this during my studies. Concretely, this related to the question of how the eID function of the personal identity card can be used on mobile end devices. Back then, NFC had still not made its mark and the AusweisApp was a dream for the future. For this reason, I sought to create a derivative of the personal identity card on a smartphone at the first opportunity...
... and thus to create an anonymous credential.
Exactly. When implementing SSI, digitally verifiable evidence plays the key role. As anonymous or - generally - verifiable credentials, they enable the user to maintain data sovereignty at all times while the issuer of such proof of identity has no information as to its use. With the big identity providers from the USA, the opposite is the case. Here, most business models are based on collecting as much information on the user as possible. For this reason, I also see SSI far less as a concrete technology and more as a movement. A movement which seeks to return the control of people’s digital identities to the people. This is about self-sufficiency above all else. The user manages their proof of identity alone and decides autonomously which identity data they wish to show to whom.
And as well as this, the concept is technologically en vogue. The IDunion project relies on the blockchain in any case.
I didn’t really get started with this technology for a long time actually. I saw it as a typical subject of hype. Suddenly everything had to be blockchain-based, regardless of whether it made sense. With SSI, however, I can see enormous value in the distributed ledger technology. It enables a highly available and decentralised verification structure for proof of identity. A bank can thus verify my derived proof of identity without the issuer being aware of this. Moreover, relatively little happens on the blockchain. No personal data ends up here and it is mainly accessed to read or even verify. A blessing for data protection!
Bundesdruckerei is not just an issuer of identity documents for IDunion, but a completely central partner. What exactly are their tasks?
We have three focusses in our co-project: infrastructure, security and applications. Firstly we support the building of the identity network as well as the infrastructure. IDunion should become a cooperative. For this, on the one hand we look after the technical implementation of the policy and clarify how the operators of blockchain nodes can automatically comply. On the other hand, we are involved in the legal organisation, which is already far advanced. The second focus is on security. The SSI approach of IDunion is technologically based on the blockchain frameworks Hyperledger Indy and Hyperledger Aries. And we will put these through their paces and improve them continuously as Bundesdruckerei.
In which areas does Bundesdruckerei want to bring in their skills here in particular?
With decentralised identity systems, I see the biggest challenge as developing user-friendly solutions for topics in the area of key management, the life cycle of digital evidence and building trust. For the three parties involved in the process, various aspects play an important role. The issuer must be able to monitor the life cycle of the issued proof of identity and so recall or update it when needed. The holder of the evidence should be able to use their credentials on different devices. We also need user-friendly solutions for incidents. If a user loses their smartphone, the evidence must be easy to block to prevent misuse. However, it must also be easy for them to then reactivate this quickly later. To check identities, we want to implement concepts for ‘initial trust’ in the sense of the verifier. This means that we want to introduce a method on the basis of which the verifier of a proof of identity can trust the issuer. After all, just because a verifiable credential can be presented, this does not mean that it and its issuer are automatically credible.
The identity card would be an especially credible credential ...
Absolutely. That’s why it should also become an important cornerstone. We want to capitalise on the knowledge of OPTIMOS. With a mobile personal identity card, the private key has a very high level of protection. It is precisely this level of protection that we would like for the key to our SSI wallet, so that the user data remains safe.
Can the personal identity card itself become a part of the SSI ecosystem?
Without a doubt. IDunion does not want to replace the personal identity card at all. Quite the opposite: the eID function has set a new standard on matters of credibility, the private sphere and security. That’s why we want to find out how a bridge can be built between eID and self-sovereign identity. Because one thing is clear: in the SSI ecosystem, there are many cases which could benefit from the personal identity card. The eID function is actually a pioneering project in terms of decentralisation. After all, different eID servers exist; each service provider can operate their own. The user in turn has their personal identity card, perhaps with its mobile variant soon too, with them all the time - the data is not stored on any central server.
Besides security, what other advantages are there of incorporating the eID into the SSI ecosystem?
You could mix identity data with other documentation, for example with a university certificate. But especially the service providers would gain something from their involvement. They would no longer have to limit themselves to the role of the verifier when it comes to the personal identity card, but could issue their own evidence after verifying the eID data. A company could thus verify an employee’s mobile personal identity card and send them an access card by smartphone in the next stage. As well as this, if a credential is based on a highly secure solution like the eID, this would have enormous value. And that brings us now to point three of our IDunion co-project. We support the development of concrete applications and in doing so pay particular attention to user-friendliness and security. The question is: how can we integrate digital identities as a credential? A pilot project looks at issuing the fishing licence - I apply for this with a verifiable credential, which is perhaps based on the eID function. Then I have this licence as a verifiable credential itself in my SSI wallet and it can be immediately digitally verified in a fraud-secure way in the event of a check.
Regardless of what you are applying for these days, you are always required to present your personal identity card. Is its integration not absolutely vital for an SSI ecosystem?
In any case it would be an extremely important part. Simply because this would make the evidence that the personal identity card is based on more relevant. Of course bank credentials are credible. After all, a verification according to the Money Laundering Act led the way for them. But there are a few things relying on the personal identity card in the field of e-government. In the end, eID and SSI can perfectly complement the system in my opinion. The self-sovereign identity benefits from the security of the personal identity card. In turn, a whole range of services gain applications and users through SSI. So there is a true synergy.