A digital identity that users manage themselves? Can that be safe at all? Absolutely, because behind it is a complex system of multiple entities and modern technologies. dr Paul Muntean, Senior Cyber Security Engineer at Swisscom Trust Services, explains the background of the system.
Self-managed identity does not mean that everyone can create their own identities as they see fit. Official bodies, state or other institutions are also involved in the Self Sovereign Identity (SSI), which act as publishers of identities. However, identity here is much broader than one might think, and also includes documents such as certificates, membership cards, payment details and much more. Even machines can issue identities, for example a sensor could transmit digitally signed proof of certain measured values. Overall, the SSI ecosystem consists of three entities: Issuer, Holder and Verifier.
The most obvious issuer for digital (as well as analogue) identities is the state, which issues ID cards or passports, for example. In theory, however, every person and every instruction can generate digital identities, just as these actors can also issue any form of analogue proof. The credibility of this evidence ultimately depends on the reputation of the issuing institution. A degree from a university, for example, indicates a certain level of education. Of course, it is important that the tools used to create such proofs are kept under strict control.
In the analog field, these are, for example, the seal of a university or the printing plates with which the Federal Printing Office prints the special pattern on the passport paper. The equivalent in the digital realm are the private cryptographic keys, which are a fundamental part of the public key infrastructure that underlies the evidence in the SSI ecosystem. Digital certificates that work according to this principle are already used today for electronic signatures and can be easily adapted to the new use case.
Please confirm your email address!
Click on the link in the email we just sent you. Also check your spam folder and whitelist us.
More information about the newsletter.
In the SSI Framework, the holder is usually a citizen who requests verifiable credentials from the issuing institutions and keeps them in a wallet. In addition to all the things that are normally in the wallet, much more evidence can be stored in an identity wallet – for example all kinds of certificates. Even if the view of individual citizens as users is obvious, corporate wallets are also conceivable, in which, for example, the company credit card is kept or evidence and certificates.
At the wallet level, the aspect of self-determination also comes into play: the user alone decides which information to disclose. If, for example, foreign language skills have to be proven, a user could only transmit this information from a certificate without the recipient seeing the other grades. This principle of data economy can also be transferred to other applications, such as proof of age when shopping online. A major topic in the media at the moment is 3G proof in trains. If you were to log in with an SSI instead of a username and password on the web site, the vaccination status could also be transmitted there and the problem of the controls would be solved.
Verifiers can be any person, organization, or thing that seeks a trustworthy guarantee of identities or other forms of evidence. They request this from the Holder. This is an important point with the SSI: there is no direct communication between issuer and verifier. This is interesting, for example, for job references. At the technical level, the Public Key Infrastructure comes back into play as a fundamental principle during testing. Since only the keys for the creation have to remain secret with this method, anyone can check the proofs issued with a public key.
If the holder agrees (and the holder always has a choice), the holder’s agent responds with evidence, which the examiner can then verify. The crucial step in this process is the verification of the issuer’s digital signature, which is usually performed with a Decentralized Identifier (DID), which can be stored in a blockchain network, for example.
Properly implemented, the SSI approach offers great potential for self-determined handling of personal data. The whole system offers a high level of security. The underlying technologies such as blockchain and asymmetric cryptography have been tried and tested for decades and are constantly being further developed to adapt to current requirements. It is also important to create simple and secure options for initial identification for users and to ensure that the information in the framework is transmitted via secure channels.