Self-Sovereign Identity (SSI) platforms are emerging from the decentralization movement, with claims that they will replace the traditional Public Key Infrastructure (PKI) model, where Certificate Authorities (CAs) are in charge of controlling identities. That will not be the case unless our society becomes more egalitarian. Until then, a hybrid of centralized and decentralized identity systems that are localized shall prevail.
The innovation of SSI ends at letting users generate their own identifier, which is often the public key of an asymmetric key pair. An example of such an identifier is did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4, which uses the Ethereum address as a self-managed decentralized identifier.
But that identifier is not useful!
How does one know to trust did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4 or did:ethr:0xd858ba2179b471140235fc70c2c87c4a9716b00b more, or at all?
The solution to the trust problem is often “If did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4 has verifiable credentials from another trusted entity, you can trust it”.
The only problem was that did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4 presented tons of verifiable credentials from many entities with identifiers as enigmatic as itself:
did:ethr:0x46bD9C0d0bc4264f795baCA1Fd958F37A2BC4F27 issued a bank statement to said entity
did:ethr:0x3829cef9502eec6cdbd12010939ef7400a51b3bf issued an alcohol license to said entity
did:ethr:0x1d7B8F194Ca98f596851Ac5F3481C63dc53bb4E7 issued a chamber of commerce membership to said entity
Now, you just have to verify if:
did:ethr:0x46bD9C0d0bc4264f795baCA1Fd958F37A2BC4F27 is a trusted bank?
did:ethr:0x3829cef9502eec6cdbd12010939ef7400a51b3bf is a trusted government organization?
did:ethr:0x1d7B8F194Ca98f596851Ac5F3481C63dc53bb4E7 is a trusted chamber of commerce?
Easy right?
As seen above, without more information from the external world, there is no way of knowing whether did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4 is a business, let alone a trustworthy one, among many other questions.
One approach to breaking out of the Catch-22 situation is to leverage existing real-world identifiers that are not self-sovereign, while still allowing users to prove the translation between the two identifiers.
An example of such an implementation is binding an SSI identifier (such as an Ethereum address) to a domain name on the OpenAttestation protocol. The protocol binds a DID to a domain name in a two-way fashion. As such, the receiver of a verifiable credential will immediately know who the issuer is without having to figure out who did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4 is.
While this approach translates the identifier from something enigmatic like a DID to a domain name, it doesn't solve the problem of “should I trust this entity?”.
Also, what if I don’t recognize the domain?
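The two-way check and its limit can be sketched as follows. This is an added example, not code from OpenAttestation or from the original post: the `did-binding=` TXT record format, the `issuer.id` / `issuer.domain` field names, the `.example` domains and the local registry are all assumptions made for illustration, and the DNS lookup is replaced by constructed in-memory records.

```javascript
// Constructed stand-in for DNS TXT lookups so the example runs offline.
// The "did-binding=" record format is hypothetical, not OpenAttestation's.
const TXT_RECORDS = new Map([
  ["bank.example", ["did-binding=did:ethr:0x46bd9c0d0bc4264f795baca1fd958f37a2bc4f27"]],
  ["importer.example", ["v=spf1 -all",
    "did-binding=did:ethr:0x63B4F3E3FA4E438698CE330E365E831F7CCD1EF4"]],
]);

// Constructed local registry: domains this verifier already deals with.
const LOCAL_TRUST = new Map([["bank.example", "bank I hold an account with"]]);

// Ethereum addresses are case-insensitive hex, so compare DIDs in lowercase.
function normalizeDid(did) {
  const m = /^did:ethr:(0x[0-9a-fA-F]{40})$/.exec(String(did).trim());
  return m ? `did:ethr:${m[1].toLowerCase()}` : null;
}

// The credential names a domain (one direction); the domain's TXT records
// must name the same DID (the other direction) before the name is believed.
function resolveIssuer(credential, txtRecords = TXT_RECORDS, localTrust = LOCAL_TRUST) {
  const issuer = credential.issuer || {};
  const did = normalizeDid(issuer.id);
  if (!did) return { status: "INVALID_DID" };
  const domain = String(issuer.domain || "").toLowerCase();
  const bound = (txtRecords.get(domain) || [])
    .filter((record) => record.startsWith("did-binding="))
    .map((record) => normalizeDid(record.slice("did-binding=".length)));
  if (!bound.includes(did)) return { status: "UNBOUND", did };
  // A binding identifies the issuer; whether to trust it is a local decision.
  const relationship = localTrust.get(domain);
  return relationship
    ? { status: "BOUND_AND_KNOWN", did, domain, relationship }
    : { status: "BOUND_BUT_UNKNOWN", did, domain };
}

// Constructed credentials reusing the DIDs from the text above.
const samples = [
  { issuer: { id: "did:ethr:0x46bD9C0d0bc4264f795baCA1Fd958F37A2BC4F27", domain: "bank.example" } },
  { issuer: { id: "did:ethr:0x3829cef9502eec6cdbd12010939ef7400a51b3bf", domain: "bank.example" } },
  { issuer: { id: "did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4", domain: "Importer.Example" } },
];
for (const c of samples) console.log(c.issuer.id, "->", resolveIssuer(c).status);
```

The second sample claims a domain whose records do not list its DID, so the claim is rejected; the third is correctly bound but still unknown to this verifier.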
To understand whether I can trust did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4, which is claiming to be an alcohol importer in Singapore, I’ll likely ask myself the following questions:
In the example above, it will likely suffice if I have done business with the entity before and there are records to show.
When deciding whether to trust an entity with something, one starts by asking the most personal question first. With each set of questions, one tries to find out whether the entity is trustworthy enough within that locality, or whether more information should be provided.
Generally, this means I trust something that is more “local” to me! I would:
With that, we can see that it is insufficient to only have a completely decentralized identity platform that generally operates at the “Earthlings” locale.
As the decentralization movement prevails and we move towards using more SSI identifiers, new opportunities will present themselves to companies to provide localized identity resolution services for SSI. Examples include:
This will create yet another opportunity to standardize the methods used to resolve SSI identifiers once more of such services are around.
In the meantime, the TradeTrust website provides a reference: it allows viewers of verifiable credentials to make use of localized identity resolvers through their identifier resolution specifications.