blockchain-based solutions for identity & access management

Post on 21-Jan-2018


With HUGE thanks to Drummond Reed of Evernym for the DID Primer slides!

Biometric Identity Assertion via Sovrin Blockchain

John R. Callahan, CTO, Veridium

Identity Evolution

• Centralized Identity – administrative control by a single authority or hierarchy

• Federated Identity – administrative control by multiple, federated authorities

• User-Centric Identity – individual or administrative control across multiple authorities without requiring a federation

• Self-sovereign identity – individual control across any number of authorities

* Christopher Allen (The Path to Self-Sovereign Identity) http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html

Self-sovereign identity is…

Lifetime portable digital identity for any person, organization, or thing that does not depend on any centralized authority and can never be taken away

This is only possible with…

Decentralized Identifiers (DIDs): a new type of globally resolvable, cryptographically-verifiable identifier registered directly on a distributed ledger

URN Syntax (RFC 8141)

urn:uuid:ae84-d5c2-9fb785ea-72cd34

  urn – Scheme
  uuid – Namespace
  ae84-d5c2-9fb785ea-72cd34 – Namespace-Specific Identifier

DID Syntax

did:sov:3k9dg356wdcj5gf2k9bw8kfg7a

  did – Scheme
  sov – Method
  3k9dg356wdcj5gf2k9bw8kfg7a – Method-Specific Identifier (generated as defined by the particular DID method specification)
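The two syntaxes above are easiest to compare in code. The parser below is an added example, not code from the slides: it splits a URN into scheme, namespace and namespace-specific identifier, and a DID into scheme, method and method-specific identifier, rejecting anything that does not match the whole grammar. The DID character classes follow the 2016 implementer's draft (lowercase method name; identifier characters limited to letters, digits, "." and "-"), and the narrow character class used for the URN namespace-specific part is likewise an assumption of this example. The `KNOWN_METHODS` set is taken from the method prefixes listed later in the deck.

```python
"""Parse URNs (RFC 8141) and DIDs into their labelled parts.

Added example, not code from the slides.  The DID grammar used here is the
2016 implementer's draft form did:<method>:<method-specific-id> with the
method in lowercase letters and digits; that grammar and the narrow NSS
character class for URNs are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 8141: NID is 2..32 alphanumerics (interior hyphens allowed) and is
# case-insensitive; the NSS is the namespace-specific part (case-sensitive).
_URN_RE = re.compile(
    r"[uU][rR][nN]:(?P<nid>[A-Za-z0-9][A-Za-z0-9-]{0,30}[A-Za-z0-9]):"
    r"(?P<nss>[A-Za-z0-9()+,\-.:=@;$_!*'%/?]+)")
# 2016 DID draft: method = 1*(lowercase / digit); method-specific id =
# idstring *(":" idstring), idstring = 1*(ALPHA / DIGIT / "." / "-").
_DID_RE = re.compile(
    r"did:(?P<method>[a-z0-9]+):(?P<msid>[A-Za-z0-9.-]+(?::[A-Za-z0-9.-]+)*)")

# DID method prefixes from the "Initial DID Method Specs" slide.
KNOWN_METHODS = frozenset({"sov", "btcr", "uport", "v1", "ipfs", "ipdb"})


@dataclass(frozen=True)
class Urn:
    nid: str    # namespace, normalised to lowercase
    nss: str    # namespace-specific identifier, case preserved


@dataclass(frozen=True)
class Did:
    method: str  # DID method
    msid: str    # method-specific identifier, case preserved


def parse_urn(text: str) -> Urn:
    """Strict parse: the entire string must match the URN grammar."""
    m = _URN_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not an RFC 8141 URN: {text!r}")
    return Urn(m.group("nid").lower(), m.group("nss"))


def parse_did(text: str) -> Did:
    """Strict parse: stray whitespace, an uppercase method name or a missing
    part is rejected rather than guessed at before any resolution happens."""
    m = _DID_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a DID: {text!r}")
    return Did(m.group("method"), m.group("msid"))


def classify(text: str) -> Optional[str]:
    """Return 'did', 'urn' or None for an arbitrary identifier string."""
    for name, parser in (("did", parse_did), ("urn", parse_urn)):
        try:
            parser(text)
            return name
        except ValueError:
            continue
    return None


def same_did(a: str, b: str) -> bool:
    """Two DIDs name the same subject only if every part matches; the
    method-specific id is case-sensitive, so nothing is lowercased."""
    return parse_did(a) == parse_did(b)


def same_urn(a: str, b: str) -> bool:
    """RFC 8141 makes the scheme and NID case-insensitive, the NSS not."""
    return parse_urn(a) == parse_urn(b)


def has_known_method(did: str) -> bool:
    """True when the DID uses one of the method prefixes listed in the deck."""
    return parse_did(did).method in KNOWN_METHODS
```

The point of the strict `fullmatch` is that a relying party should refuse to resolve an identifier it cannot fully parse; the case rules also matter, because `urn:uuid:` and `URN:UUID:` are the same namespace while two DIDs differing only in the case of the method-specific identifier are different identifiers.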

DID Design Goals

• Decentralization: DID architecture should eliminate the requirement for centralized authorities or single points of failure in identity management, including the registration of globally unique identifiers, public verification keys, service endpoints, and other metadata.

• Self-Sovereignty: DID architecture should give entities, both human and non-human, the power to directly own and control their own digital identities without the need to rely on external authorities.

• Privacy: DID architecture should enable entities to control the privacy of their digital identities, including minimal, selective, and progressive disclosure of attributes or other identity data.

• Security: DID architecture should enable sufficient security for relying parties to depend on DID records for their required level of assurance.

• Proof-based: DID architecture should enable an entity to provide cryptographic proof of authentication and proof of authorization rights.

• Discoverability: DID architecture should make it possible for entities to discover DIDs for other entities to learn more about or interact with those entities.

• Interoperability: DID architecture should use interoperable standards so DID infrastructure can make use of existing tools and software libraries designed for interoperability.

• Portability: DID architecture should be system- and network-independent and enable entities to use their digital identities with any system that supports DIDs and DID Methods.

• Simplicity: To meet these design goals, DID architecture should be (to paraphrase Albert Einstein) "as simple as possible but no simpler".

• Extensibility: When possible, DID architecture should enable extensibility provided it does not greatly hinder interoperability, portability, or simplicity.

Source: Christopher Allen (Life with Alacrity blog)

The decentralized identity “stack” (diagram)

  DID Layer
  Cloud Layer – Cloud Wallets and Cloud Agents
  Edge Layer – Edge Wallets and Edge Agents
  Identity Owners
  Encrypted P2P verifiable claims exchange

Initial DID Method Specs

  Method              DID prefix
  Sovrin              did:sov:
  Bitcoin Reference   did:btcr:
  Ethereum uPort      did:uport:
  Veres One           did:v1:
  IPFS                did:ipfs:
  IPDB                did:ipdb:

Key/value mapping on the ledger: { “Key”: “Value” } becomes { “DID”: “DID Doc” }, i.e. a Decentralized Identifier mapped to its DID Document (JSON-LD)

Source: Daniel Buchner (Microsoft Blockchain Identity lead) https://github.com/decentralized-identity/hubs/blob/master/diagrams/full-system.png

The primary elements of a DID doc

1. DID (i.e., the JSON-LD is self-describing)
2. List of public keys (for the owner)
3. List of service endpoints (for interaction)
4. Access control branch (for key mgmt)
5. Timestamps (for audit history)
6. Signature (for integrity)

Minimal self-managed DID Document

Source: https://msporny.github.io/did-spec/

Basic delegate-managed DID Document

Source: https://msporny.github.io/did-spec/
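The two document shapes named above (self-managed and delegate-managed) differ only in the access control branch, which is easiest to see by building both and checking who is allowed to sign them. The following is an added example, not code from the slides or from the W3C draft: it assembles the six elements listed on the "primary elements" slide, signs the document, and lets a relying party verify that the signing key belongs to a DID named in the control branch. The JSON key names, the `@context` IRI, the key and signature type strings, and the digest-based stand-in for a real signature are all assumptions of this example; the device DID and all key values are constructed, while the owner and delegate DIDs are the two shown in the deck.

```python
"""Build and check minimal DID Documents, self-managed and delegate-managed.

Added example, not code from the slides or from the W3C draft.  The field
names (id, publicKey, service, control, created/updated, signature) follow
the six elements listed on the slide, but the exact key names, the type
strings and the digest-based signature are assumptions of this example.
"""
import copy
import hashlib
import json
from typing import Dict, List, Optional

Resolver = Dict[str, dict]   # DID -> DID Document; stands in for a ledger lookup


def canonical_digest(doc: dict) -> str:
    """SHA-256 over canonical JSON of every element except the signature.
    Stand-in for a real Linked Data signature: it shows what the integrity
    element has to cover, not how a signature is produced."""
    body = {k: v for k, v in doc.items() if k != "signature"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_did_document(did: str, keys: Dict[str, str], services: Dict[str, str],
                       control: List[str], created: str,
                       updated: Optional[str] = None) -> dict:
    """Assemble id, public keys, service endpoints, access control branch and
    timestamps.  `control` lists the DIDs whose keys may sign the document:
    [did] itself for self-managed, a delegate's DID for delegate-managed."""
    return {
        "@context": "https://w3id.org/did/v1",            # assumed context IRI
        "id": did,
        "publicKey": [{"id": f"{did}#{name}", "type": "ExampleVerificationKey",
                       "owner": did, "publicKeyBase58": value}
                      for name, value in keys.items()],
        "service": [{"type": kind, "serviceEndpoint": url}
                    for kind, url in services.items()],
        "control": list(control),
        "created": created,
        "updated": updated or created,
    }


def sign(doc: dict, creator_key_id: str) -> dict:
    """Return a copy carrying the integrity element and the signing key id."""
    signed = copy.deepcopy(doc)
    signed.pop("signature", None)
    signed["signature"] = {"type": "ExampleDigestSignature",   # constructed name
                           "creator": creator_key_id,
                           "digest": canonical_digest(signed)}
    return signed


def key_belongs_to(key_id: str, did: str, resolver: Resolver) -> bool:
    """True when key_id is listed under publicKey in the document for `did`."""
    doc = resolver.get(did)
    return doc is not None and any(k["id"] == key_id for k in doc.get("publicKey", []))


def verify_document(doc: dict, resolver: Resolver) -> bool:
    """Relying-party checks: integrity element matches the content, and the
    signing key belongs to a DID named in the control branch."""
    sig = doc.get("signature") or {}
    if sig.get("digest") != canonical_digest(doc):
        return False
    if not str(doc.get("id", "")).startswith("did:") or not doc.get("control"):
        return False
    return any(key_belongs_to(sig.get("creator"), c, resolver) for c in doc["control"])


def demo() -> Dict[str, bool]:
    """Self-managed document, a tampered copy, and a delegate-managed one.
    Key values and the device DID are constructed; the owner and delegate
    DIDs are the ones shown on the slides."""
    when = "2018-01-21T00:00:00Z"
    owner = "did:sov:3k9dg356wdcj5gf2k9bw8kfg7a"
    owner_doc = sign(build_did_document(
        owner, {"key-1": "constructedBase58Key1"},
        {"agent": "https://agent.example/owner"}, [owner], when), f"{owner}#key-1")
    resolver: Resolver = {owner: owner_doc}

    tampered = copy.deepcopy(owner_doc)          # endpoint swapped after signing
    tampered["service"][0]["serviceEndpoint"] = "https://attacker.example/agent"

    delegate = "did:method:abcdef1234567890"
    resolver[delegate] = sign(build_did_document(
        delegate, {"key-1": "constructedBase58Key2"}, {}, [delegate], when),
        f"{delegate}#key-1")
    device = "did:sov:constructeddevice0001"
    device_doc = build_did_document(
        device, {"key-1": "constructedBase58Key3"}, {}, [delegate], when)
    resolver[device] = sign(device_doc, f"{delegate}#key-1")
    self_signed = sign(device_doc, f"{device}#key-1")   # key not in control branch

    return {"self_managed": verify_document(owner_doc, resolver),
            "tampered": verify_document(tampered, resolver),
            "delegate_signed": verify_document(resolver[device], resolver),
            "device_self_signed": verify_document(self_signed, resolver)}
```

Calling `demo()` returns `True` for the self-managed document and for the device document signed by its delegate, and `False` for the copy whose service endpoint was changed after signing and for the device document signed with a key that the control branch does not authorise. What this check cannot do is decide which document for a given DID is the current one; that ordering and first-write protection is exactly what the ledger layer provides.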

IEEE 2410 Biometric Open Protocol Standard (BOPS) (2017 version)

VeridiumID Enrollment

did:method:abcdef1234567890

Identity Assertion (BOPS2)

VeridiumID Authentication

did:method:abcdef1234567890

Verifiable claims are…

The new format for interoperable digital credentials being defined by the W3C Verifiable Claims Working Group

W3C Verifiable Claims Ecosystem (diagram)

  Issuer – issues Verifiable Claims to the Holder (Wallet)
  Holder – presents Verifiable Claims to the Verifier
  Decentralized Identifiers (DIDs) on a Blockchain or other Decentralized Network underpin all three roles

A public permissioned ledger designed exclusively to operate as a global public utility for DIDs and verifiable claims exchange

Blockchain governance models

  Access \ Validation   Permissionless             Permissioned
  Public                Bitcoin, Ethereum, IOTA    Sovrin, IPDB
  Private               Hyperledger Sawtooth*      Hyperledger (Fabric, Sawtooth, Iroha), R3 Corda, CU Ledger

* in permissionless mode

Governance: The Sovrin Foundation

• International non-profit foundation – http://www.sovrin.org/

• Board of Trustees – currently 12 members
  – Governs the Sovrin Trust Framework
  – Sets policy for selecting stewards

• Technical Governance Board – currently 8 members
  – Governs the Sovrin open source code
  – Sets the tech policies implemented in code

Logical Overview of the Sovrin Network (diagram)

  Sovrin Validator Pool
  Sovrin Observer Pool
  Cloud Agents & Cloud Wallets
  Edge Agents & Edge Wallets
  Distributed agent layer for private off-ledger P2P comms
  Secure exchange of verifiable claims between any two agents

SSI (diagram)

  DID → DID Doc → Rich tree of contextual, verifiable claims behind a private service endpoint
  Any distributed ledger

DID Specification Links – Implementer’s Draft 01, November 21, 2016

Implementers: please send feedback!

Current version: https://opencreds.github.io/did-spec/

Github Issues: https://github.com/w3c-ccg/did-spec/issues/

Discussion Forums: https://w3c-ccg.github.io/ and http://forum.sovrin.org/c/technical/did

Other Links

• W3C Verifiable Claims Working Group – https://www.w3.org/2017/vc/charter.html

• Sovrin White Papers – https://sovrin.org/library/

• Sovrin Trust Framework – https://sovrin.org/trust-framework/

Work on the DID specification has been funded in part by a Small Business Innovation Research (SBIR) grant from the U.S. Department of Homeland Security Science and Technology Directorate.

The content of this specification does not necessarily reflect the position or the policy of the U.S. Government and no official endorsement should be inferred.

Thank You

https://www.csoonline.com/author/John-Callahan/

© 2017 Veridium IP Ltd. All Rights Reserved
