blockchain-based solutions for identity & access management
TRANSCRIPT
With HUGE thanks to Drummond Reed of Evernym for the DID Primer slides!
Biometric Identity Assertion Via Sovrin Blockchain
John R. Callahan, CTO Veridium
Identity Evolution
• Centralized Identity – administrative control by a single authority or hierarchy
• Federated Identity – administrative control by multiple, federated authorities
• User-Centric Identity – individual or administrative control across multiple authorities without requiring a federation
• Self-Sovereign Identity – individual control across any number of authorities
* Christopher Allen (The Path to Self-Sovereign Identity) http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html
Self-sovereign identity is…
Lifetime portable digital identity for any person, organization, or thing that does not depend on any centralized authority and can never be taken away
This is only possible with…
Decentralized Identifiers (DIDs): a new type of globally resolvable, cryptographically-verifiable identifier registered directly on a distributed ledger
URN Syntax (RFC 8141)
urn:uuid:ae84-d5c2-9fb785ea-72cd34
Scheme: urn
Namespace: uuid
Namespace-Specific Identifier: ae84-d5c2-9fb785ea-72cd34
DID Syntax
did:sov:3k9dg356wdcj5gf2k9bw8kfg7a
Scheme: did
Method: sov
Method-Specific Identifier: 3k9dg356wdcj5gf2k9bw8kfg7a (generated as defined by the particular DID method specification)
DID Design Goals
• Decentralization: DID architecture should eliminate the requirement for centralized authorities or single points of failure in identity management, including the registration of globally unique identifiers, public verification keys, service endpoints, and other metadata.
• Self-Sovereignty: DID architecture should give entities, both human and non-human, the power to directly own and control their own digital identities without the need to rely on external authorities.
• Privacy: DID architecture should enable entities to control the privacy of their digital identities, including minimal, selective, and progressive disclosure of attributes or other identity data.
• Security: DID architecture should enable sufficient security for relying parties to depend on DID records for their required level of assurance.
• Proof-based: DID architecture should enable an entity to provide cryptographic proof of authentication and proof of authorization rights.
• Discoverability: DID architecture should make it possible for entities to discover DIDs for other entities to learn more about or interact with those entities.
• Interoperability: DID architecture should use interoperable standards so DID infrastructure can make use of existing tools and software libraries designed for interoperability.
• Portability: DID architecture should be system- and network-independent and enable entities to use their digital identities with any system that supports DIDs and DID Methods.
• Simplicity: To meet these design goals, DID architecture should be (to paraphrase Albert Einstein) "as simple as possible but no simpler".
• Extensibility: When possible, DID architecture should enable extensibility provided it does not greatly hinder interoperability, portability, or simplicity.
Source: Christopher Allen (Life with Alacrity blog)
The decentralized identity “stack” (diagram): a DID Layer on the ledger; a Cloud Layer of Cloud Wallets and Cloud Agents; and an Edge Layer of Edge Wallets and Edge Agents held by Identity Owners. Agents on either side exchange verifiable claims over encrypted P2P channels.
Initial DID Method Specs
Method              DID prefix
Sovrin              did:sov:
Bitcoin Reference   did:btcr:
Ethereum uPort      did:uport:
Veres One           did:v1:
IPFS                did:ipfs:
IPDB                did:ipdb:
Decentralized Identifier → DID Document (JSON-LD)
{ “Key”: “Value” }
{ “DID”: “DID Doc” }
Source: Daniel Buchner (Microsoft Blockchain Identity lead) https://github.com/decentralized-identity/hubs/blob/master/diagrams/full-system.png
The primary elements of a DID doc
1. DID (i.e., the JSON-LD is self-describing)
2. List of public keys (for the owner)
3. List of service endpoints (for interaction)
4. Access control branch (for key mgmt)
5. Timestamps (for audit history)
6. Signature (for integrity)
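As an added worked example (not from the slides, and not Sovrin or Veridium code), the DID syntax and the DID doc elements above in Python: a parser that splits a DID into scheme, method and method-specific identifier, and a check that a DID Document actually describes its own DID and binds its keys and endpoints to it. The character rules and the id / publicKey / owner / service field names are assumptions taken from the W3C draft specs, and the sample document is constructed.

```python
import re

# Character rules follow the W3C DID Core ABNF (an assumption; the slides only label the parts):
# method-name is lowercase letters/digits, idchar is ALPHA / DIGIT / "." / "-" / "_" or %XX.
_METHOD_RE = re.compile(r"[a-z0-9]+")
_IDCHARS_RE = re.compile(r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})*")


def parse_did(value: str):
    """Return (scheme, method, method-specific-id), the three parts labelled on the DID Syntax slide."""
    scheme, sep, rest = value.partition(":")
    if scheme != "did" or not sep:
        raise ValueError(f"not a DID: {value!r}")
    method, sep, msid = rest.partition(":")
    if not sep or not _METHOD_RE.fullmatch(method):
        raise ValueError(f"invalid DID method name: {method!r}")
    segments = msid.split(":")  # ':' may separate sub-identifiers; the last segment must be non-empty
    if not segments[-1] or not all(_IDCHARS_RE.fullmatch(s) for s in segments):
        raise ValueError(f"invalid method-specific identifier: {msid!r}")
    return scheme, method, msid


def did_document_problems(doc: dict):
    """Check that a DID Document is self-describing (element 1) and that its public keys (element 2)
    and service endpoints (element 3) are bound to that DID. The field names id / publicKey / owner /
    service follow the 2017 draft spec linked from the slides and are an assumption here."""
    did = doc.get("id", "")
    try:
        parse_did(did)
    except ValueError as exc:
        return [f"id: {exc}"]  # a document that does not name a valid DID cannot be checked further
    problems = []
    for key in doc.get("publicKey", []):
        if key.get("owner") != did:
            problems.append(f"public key {key.get('id')!r} is not owned by {did}")
        if not str(key.get("id", "")).startswith(did + "#"):
            problems.append(f"public key id {key.get('id')!r} is not a fragment of {did}")
    for svc in doc.get("service", []):
        if not str(svc.get("serviceEndpoint", "")).startswith("https://"):
            problems.append(f"service {svc.get('type')!r} endpoint is not https")
    return problems


# Constructed sample document for the Sovrin DID on the DID Syntax slide (illustrative, not ledger data).
SAMPLE_DID = "did:sov:3k9dg356wdcj5gf2k9bw8kfg7a"
SAMPLE_DOC = {
    "@context": "https://w3id.org/did/v1",
    "id": SAMPLE_DID,
    "publicKey": [{"id": SAMPLE_DID + "#keys-1", "type": "Ed25519VerificationKey2018",
                   "owner": SAMPLE_DID, "publicKeyBase58": "<placeholder-key>"}],
    "service": [{"type": "agent", "serviceEndpoint": "https://agent.example/endpoint"}],
}
```

A resolver that returns a document whose id, key owners or key fragments do not match the DID it was asked for is the first thing to reject before trusting any key in it.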
Minimal self-managed DID Document
Source: https://msporny.github.io/did-spec/
Basic delegate-managed DID Document
Source: https://msporny.github.io/did-spec/
IEEE 2410 Biometric Open Protocol Standard (BOPS) (2017 version)
VeridiumID Enrollment (diagram)
did:method:abcdef1234567890
Identity Assertion (BOPS 2)
VeridiumID Authentication (diagram)
did:method:abcdef1234567890
Verifiable claims are…
The new format for interoperable digital credentials being defined by the W3C Verifiable Claims Working Group
W3C Verifiable Claims Ecosystem (diagram): an Issuer issues Verifiable Claims to a Holder, who keeps them in a Wallet and presents Verifiable Claims to a Verifier; all three parties are identified by Decentralized Identifiers (DIDs) anchored on a Blockchain or other Decentralized Network.
Sovrin is…
A public permissioned ledger designed exclusively to operate as a global public utility for DIDs and verifiable claims exchange
Blockchain governance models
                  Permissionless validation    Permissioned validation
Public access     Bitcoin, Ethereum, IOTA      Sovrin, IPDB
Private access    Hyperledger Sawtooth*        Hyperledger (Fabric, Sawtooth, Iroha), R3 Corda, CU Ledger
* in permissionless mode
Governance: The Sovrin Foundation
• International non-profit foundation – http://www.sovrin.org/
• Board of Trustees – currently 12 members – Governs the Sovrin Trust Framework – Sets policy for selecting stewards
• Technical Governance Board – currently 8 members – Governs the Sovrin open source code – Sets the tech policies implemented in code
Logical Overview of the Sovrin Network (diagram): a Sovrin Validator Pool and a Sovrin Observer Pool on the ledger, with Cloud Agents & Cloud Wallets and Edge Agents & Edge Wallets above them
Distributed agent layer for private off-ledger P2P comms: secure exchange of verifiable claims between any two agents
SSI (diagram): a DID on any distributed ledger resolves to a DID Doc, and behind the DID Doc's private service endpoint sits a rich tree of contextual, verifiable claims
DID Specification Links (Implementer’s Draft 01 November 21 2016)
Implementers: please send feedback!
Current version: https://opencreds.github.io/did-spec/
GitHub Issues: https://github.com/w3c-ccg/did-spec/issues/
Discussion Forums: https://w3c-ccg.github.io/ and http://forum.sovrin.org/c/technical/did
Other Links
• W3C Verifiable Claims Working Group – https://www.w3.org/2017/vc/charter.html
• Sovrin White Papers – https://sovrin.org/library/
• Sovrin Trust Framework – https://sovrin.org/trust-framework/
Work on the DID specification has been funded in part by a Small Business Innovation Research (SBIR) grant from the U.S. Department of Homeland Security Science and Technology Directorate. The content of this specification does not necessarily reflect the position or the policy of the U.S. Government and no official endorsement should be inferred.
Thank You https://www.csoonline.com/author/John-Callahan/
© 2017 Veridium IP Ltd. All Rights Reserved