Self Sovereign Digital Identity: The Idea

Rudra
5 min read · Oct 7, 2023

The promise of self sovereign digital identity is to provide both security and privacy that are under the control of the subject (user, entity) itself.

It will achieve this objective by meeting the requirements of Cameron’s seven Laws of Identity as explained below.

1. User Control and Consent: Technical identity systems must only reveal information identifying a user with the user’s consent.

A system meeting this requirement would give the subject autonomy to choose who to share their identifying information (a.k.a. Personal Identifying Information) with. This would put the control of privacy in the hands of the subject.

2. Minimal Disclosure for Constrained Use: The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.

A system meeting this requirement would provide both improved security and privacy.

Such a system will acquire the minimum needed information (“need to know”) and would retain it for the minimum needed period (“need to retain”). In case such a system is breached, only minimal information will be exposed. Because it acquires and retains only the minimum needed information, such a system also reduces the risk of aggregating identifying information.

A self sovereign system would give the subject autonomy to agree or disagree to provide the identifying information being requested. The subject will be aware of the identifying information being shared. Because minimal information is shared, there is an increased possibility of providing anonymity to the subject.

3. Justifiable Parties: Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

A system meeting this requirement would make the subject aware of who (a.k.a. the relying party) they are sharing their identity information with. They would be made aware of how such identifying information will be used. They would have a say (autonomy and consent) in whether they want to share such information.

The subject would have autonomy to establish a unique identity relationship with each relying party rather than sharing a common identity across all parties they interact with. This would improve security and reduce the risk of aggregating information, as there is no shared (common or universal) identity.

4. Directed Identity: A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

A system meeting this requirement would provide autonomy to the subject to use either a public or private identity.

The public identity is invariant and well known to others, for example a name or email address. Such an identity may be used while interacting in social or professional communities.

The private identity is unique to a specific interaction. For example, while browsing a site the subject doesn’t need to share real data, but needs to provide an identity that the site can trust. The private identifiers provide anonymity to the subject.
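The difference between the two identifier kinds, as an added example that is not part of the original article: a hypothetical `Wallet` derives one unidirectional identifier per relying party with HMAC-SHA256 over the relying party's name (one common construction, assumed here; the article names no mechanism), and `correlate` shows what two relying parties could join on. All names, domains and records are constructed.

```python
import hashlib
import hmac
import secrets


class Wallet:
    """Subject-held wallet (hypothetical) that issues directed identifiers."""

    def __init__(self, public_id, master_secret=None):
        self.public_id = public_id  # omni-directional: same value everywhere
        self._secret = master_secret or secrets.token_bytes(32)

    def pairwise_id(self, relying_party):
        """Unidirectional identifier: stable for one relying party only."""
        rp = relying_party.strip().lower().encode()
        mac = hmac.new(self._secret, b"pairwise-id-v1|" + rp, hashlib.sha256)
        return "pw:" + mac.hexdigest()[:32]


def correlate(table_a, table_b):
    """What two relying parties learn by joining their records on identifier."""
    return {k: (table_a[k], table_b[k]) for k in table_a.keys() & table_b.keys()}


def demo():
    alice = Wallet("alice@example.org", master_secret=b"\x01" * 32)  # constructed

    # Public persona: the same identifier at both sites, so the records join.
    forum = {alice.public_id: "posts about a health condition"}
    shop = {alice.public_id: "home delivery address"}
    public_join = correlate(forum, shop)

    # Private persona: one identifier per relying party, nothing to join on.
    forum_pw = {alice.pairwise_id("forum.example"): "posts about a health condition"}
    shop_pw = {alice.pairwise_id("shop.example"): "home delivery address"}
    private_join = correlate(forum_pw, shop_pw)

    # Each site can still recognise the returning subject.
    stable = alice.pairwise_id("shop.example") == alice.pairwise_id("Shop.Example ")
    return public_join, private_join, stable


if __name__ == "__main__":
    public_join, private_join, stable = demo()
    print("records joined on public id:", len(public_join))
    print("records joined on pairwise ids:", len(private_join))
    print("stable per relying party:", stable)
```

The master secret never leaves the wallet, so a relying party cannot compute the identifier the subject presents elsewhere.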

5. Pluralism of Operations and Technologies: A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.

A subject will have different personas during different interactions, such as citizen while interacting with the government, employee while interacting with an employer, student while interacting with a university, customer while interacting with a service provider, etc. All these interactions require different identity information.

A system meeting this requirement would enable the subject to have identities from multiple identity providers that can interoperate.

A system meeting this requirement would enable the other laws of identity to be met.

6. Human Integration: The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.

A system meeting this requirement would be cognizant that the human is an integral part of the system. The system would be aware that the human being is vulnerable to revealing identity information through social engineering attacks, and that the human being could also attack the system to steal identity information. Such a system should protect against these potential threats.

7. Consistent Experience Across Contexts: The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

A system meeting this requirement brings all the laws together and puts the subject at the heart and centre of it. Such a system should make it easy (user friendly) for the subject to know their relying parties, the information that they are sharing, the consent that they are providing, their ability to revoke their consent, etc. This interaction should be consistent irrespective of which identity provider they are using.

The idea of self sovereign digital identity can be achieved by creating an identity metasystem (analogous to the internet, which is a metasystem of networks) that has the following characteristics.

  • Decentralised or polycentric

There is no single identity authority or administrator. There will be multiple identity providers, and the subject will also have the ability to self certify. This satisfies Cameron’s law for Pluralism of Operations and Technologies. This also lets the subject choose their identity provider.

  • Polymorphic

There is no single definition of identity. Rather, the system will support the subject’s different personas and interactions. This satisfies Cameron’s laws for Pluralism of Operations and Technologies, Minimal Disclosure for Constrained Use, and Directed Identity.

  • Heterarchical

The metasystem provides means for subjects (people, organisations, and things) to have relationships with each other as peers without any central authority or administrators. This satisfies Cameron’s laws for User Control and Consent, Justifiable Parties, and Directed Identity.

  • Secured

The metasystem provides means for subjects to have relationships that are mutually authenticated, secured, and as private as possible. It enables the parties in the metasystem to exchange polymorphic identities through messaging that assures the confidentiality, integrity, and authenticity of these exchanges. This satisfies Cameron’s laws for Human Integration, User Control and Consent, and Justifiable Parties.

Just as the internet is aware only of the metadata needed to facilitate communication, the identity metasystem will be aware of metadata only. It will neither store nor be aware of the identity data. The identity data will remain with the parties that interact with the metasystem.

  • Unified User Experience

Just as the internet provides a unified user experience irrespective of which browser the subject is using or which site they are browsing, this identity metasystem would provide a unified user experience. It would help subjects understand what to expect when they are interacting with any of the parties in the metasystem. This satisfies Cameron’s law for Consistent Experience Across Contexts.

Just as the internet has IP (Internet Protocol) as its protocol for facilitating communication, the W3C Decentralised Identifiers Working Group has developed the Decentralised Identity (DID) specification as a protocol for the identity metasystem. The next article will delve into the DID protocol.

If you are interested in how it all works, here is a good article: https://www.windley.com/archives/2016/10/how_sovrin_works.shtml

References:

[1] Cameron’s Laws of Identity: https://www.identityblog.com/?p=352

[2] Learning Digital Identity by Phillip J. Windley
