Self-Sovereign Identity (SSI) is an approach that has become popular with the emergence of Web3 technologies, including the Blockchain.
After examining its definition in a recent blog post and dedicating a white paper to the subject, we decided to look at the technological concepts that make SSI possible: Verifiable Credentials (VCs) and Decentralized Identifiers (DIDs).
In this article, we will introduce you to:
- How VCs facilitate online authentication
- How Selective Disclosure and Zero-Knowledge Proof work to preserve confidentiality
- How DIDs enable user-controlled verification
VCs or online authentication made easy
VCs make it possible to answer a simple question: how can we provide, online, proof of identity verification that has the same level of trust as an identity document issued by the State?
To answer this question, we first need to talk about the tools that store these Verifiable Credentials: wallets, also known as digital wallets.
Definition of a wallet
Like a physical wallet that holds your credit cards, IDs and loyalty cards, digital wallets can store digital assets. Wallets can take the form of a storage key (like Ledger keys) or a mobile application.
Each wallet includes 2 keys:
- a public key accessible by everyone (e.g. a Bitcoin address)
- a private key (e.g. a series of characters known only to the wallet owner)
If a wallet can contain NFTs, it can also contain VCs.
What is a VC?
Verifiable Credentials are digital, standardised certificates issued by an entity that certify properties about an individual. These certificates allow information to be shared online in a secure and private manner.
With these verifiable credentials, it becomes possible for any individual to issue specific information needed to access a service... without disclosing the data concerned.
VCs make it possible, for example, to prove eligibility for access to a service... without disclosing personal data (e.g. we can prove that you are over 18... without disclosing your date of birth... and with a high level of trust).
How can you prove a condition without disclosing data? This is possible through selective disclosure and Zero-Knowledge Proof.
Selective disclosure allows evidence to be generated from a selected set of attributes. Imagine if you could prove that you are over 18 with your ID card without disclosing the mailing address on it. That is, you disclose only the attribute needed for the proof.
Zero-Knowledge Proof is a cryptographic protocol that allows you to verify the authenticity of a property without revealing the value of the data. You can prove that you are over 18 years old without revealing your date of birth.
Selective disclosure and Zero-Knowledge Proof are at the heart of the application of Self-Sovereign Identity.
In the above diagram, largely inspired by the W3C diagram, two situations can be imagined.
First, an online betting site asks a person wishing to use its services to prove that they are over 18. Through their wallet, they could simply reveal their Verifiable Credentials, which contain the necessary attributes to prove their eligibility. But in doing so, they would be revealing personal information that is not necessary. An alternative approach would therefore be to create a derived credential that contains only the information necessary for proof. This is called selective disclosure.
Second, to fill a position in the company, an employer asks a candidate to prove that they have a degree at Bac + 5 level. Thanks to the Zero-Knowledge Proof protocol, the employer knows whether the candidate has the diploma... without needing to know when the diploma was obtained.
So attributes can be verified without having to share information... but how can we be sure that this evidence is authentic and not falsified?
Let us now turn our attention to Decentralized Identifiers (DIDs).
DIDs: facilitating authentication under user control
Today, when you send messages on an application, you are given identifiers.
These identifiers are the property of the application operator. These identifiers are contained in metadata, i.e. information that defines the context and use of the data.
However, these identifiers can raise privacy concerns. For example, WhatsApp collects data associated with your use of the application in the metadata: the timestamp of your messages, the recipients, the duration of the call, your geographical location (this has nothing to do with the fact that WhatsApp encrypts your messages).
Moreover, this data is monetised, for example for the creation of profiles, which are then used for advertising targeting.
DIDs are a way of getting around this problem of privacy and monetisation. DIDs are secure, unique identifiers created by the user to ensure authentication to online services, for example.
When a person requests a VC from an issuer, the issuer can create an ephemeral DID, dedicated to this exchange between the person and the issuer, to which the VC will be attached.
The blockchain stores data about issuers and confirms the validity of a VC.
Thus, an individual who wants to verify a VC can query an identity and evidence registry to confirm the identity of the issuer and their eligibility to issue such a credential... confirming that the credential in question is still valid.
As Quentin Drouot, CTO of Archipels, puts it so well: "Your energy supplier doesn't need to know that one of its customers has registered on an online betting site because it has to check that you live in France."
DIDs and VCs build trust between the issuer, the user and the verifier.
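The selective-disclosure flow and the registry check described above, as an added example that is not code from this article or from Archipels: the issuer signs salted digests of each attribute (the approach used by formats such as SD-JWT, not a zero-knowledge proof), the holder reveals only `over_18`, and the verifier resolves the issuer's DID in a registry before trusting anything. The in-memory `registry`, the `did:example:issuer` identifier, the attribute names and the function names are all assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the identity and evidence registry: issuer DID -> key + revocations.
const registry = new Map();

// Salted digest: without the salt, a verifier cannot guess hidden attribute values.
const digest = (d) => crypto.createHash('sha256')
  .update(JSON.stringify([d.salt, d.name, d.value])).digest('hex');

// Issuer: sign only the salted digests; the attribute values go to the holder's wallet.
function issue(issuerDid, privateKey, id, attributes) {
  const disclosures = Object.entries(attributes).map(([name, value]) =>
    ({ salt: crypto.randomBytes(16).toString('hex'), name, value }));
  const signed = JSON.stringify({ id, issuer: issuerDid, digests: disclosures.map(digest).sort() });
  const signature = crypto.sign(null, Buffer.from(signed), privateKey).toString('base64');
  return { signed, signature, disclosures };
}

// Holder: derive a presentation that reveals only the named attributes.
function present(credential, names) {
  const disclosures = credential.disclosures.filter((d) => names.includes(d.name));
  return { signed: credential.signed, signature: credential.signature, disclosures };
}

// Verifier: resolve the issuer, check revocation and signature, then match each disclosure.
function verify(presentation) {
  const body = JSON.parse(presentation.signed);
  const entry = registry.get(body.issuer);
  if (!entry) throw new Error('unknown issuer');
  if (entry.revoked.has(body.id)) throw new Error('credential revoked');
  const sig = Buffer.from(presentation.signature, 'base64');
  if (!crypto.verify(null, Buffer.from(presentation.signed), entry.publicKey, sig)) {
    throw new Error('bad signature');
  }
  const claims = {};
  for (const d of presentation.disclosures) {
    if (!body.digests.includes(digest(d))) throw new Error('tampered attribute');
    claims[d.name] = d.value;
  }
  return claims;
}

// Constructed sample data: a hypothetical issuer DID and one credential.
const ISSUER = 'did:example:issuer';
const keys = crypto.generateKeyPairSync('ed25519');
registry.set(ISSUER, { publicKey: keys.publicKey, revoked: new Set() });
const vc = issue(ISSUER, keys.privateKey, 'vc-1',
  { over_18: true, birth_date: '1990-01-01', address: '1 Example Street' });
console.log(verify(present(vc, ['over_18']))); // { over_18: true }
```

The presentation sent to the verifier carries the signed digest list and one salted disclosure; the birth date and address never leave the wallet, yet any change to the disclosed value or the signed body is rejected.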
DIDs + VCs = SSI
Cyber attacks have increased dramatically in recent years, challenging traditional models for managing personal data.
In this context, SSI becomes a first-choice solution. If you have any questions about SSI or decentralised identity, please do not hesitate to contact us.