by Rieks Joosten (TNO)
The ability to use identities in many different digital contexts is vital for doing electronic business transactions. Such identities are hard to come by, in particular when the transaction involves international parties that do not necessarily trust each other (yet). The Dutch Techruption project has taken on the challenge of specifying a self-sovereign identity framework (SSIF) that aims to solve this problem, and to build demonstrators that show its practical use, for businesses, consumers and governments. Blockchain technologies are used for critical parts, such as storing commitments to attestations and revocation events.
The Techruption Blockchain Project is a public-private partnership project in the Netherlands, within which large corporates, small companies, startups and scientific institutions collectively create disruptive technological innovations around distributed ledger (blockchain) technologies (DLT). DLTs are particularly useful in business and governance situations that involve multiple parties that do not necessarily trust one another to negotiate and execute electronic business transactions. In many cases such transactions require the ability to establish and validate identities and identity attributes, or to check whether or not they have been revoked.
Seven participants of the project (Accenture, APG, Brightlands, Chamber of Commerce, De Volksbank, Rabobank, and TNO) are developing a self-sovereign identity framework (SSIF) for the creation, validation and revocation of such identities that can be used in conjunction with blockchain technologies and the (disruptive) applications that are enabled by such technologies. The goal is to specify, validate and ultimately build a trustworthy, open digital infrastructure for self-sovereign identities that is secure, decentralized, open source, supports privacy (e.g., GDPR compliance) in multiple roles, and lacks a single point of failure or large information honey-pot. We aim to follow well-established requirements for user-centric identity systems [1], [L1].
Figure 1: Techruption Blockchain Project.
The SSIF has a terminology and method (based on the DEMO models for (business) transactions [2] and the Networked Risk Management model [L2]) that a business party can use to specify all information it needs to construct a valid argument for deciding whether or not it should commit to a proposed business transaction.
One prerequisite for an argument to be valid is that the meaning (semantics) of every statement must be defined. Using semantic web models (e.g., RDF(S)) for mapping statement-representations to their corresponding meaning allows the use of semantic business standards such as UBL, open data, data from “things” (from IoT frameworks) as well as personal data.
The other prerequisite for valid arguments is that the truth of all statements must be established. The SSIF assumes that the “truth” of a statement is subjective, i.e., a decision by the party that uses the statement in an argument. One of the most important concepts in the SSIF is the “attestation”, i.e., a statement (with well-defined semantics) that is signed by some party (the “attestor”) that attests to the truth of other statements.
The value of attestations is that parties that trust them (or the attestors) can simplify processes, such as the onboarding process of banks that are heavily burdened by KYC regulations. We believe there is new business to be found in the issuance of solid attestations, and that smart contracts can be designed that facilitate such businesses.
Another crucial role of DLTs is to register events by which attestations are revoked. It is easy to envisage the benefits of knowing whether or not a person is still an employee of a company, if a passport or driving licence has been revoked, a father still has parental authority, or a certificate is still valid. The distributed nature of DLTs allows parties to query a single (but redundant) endpoint for revocations of attestations by all parties, rather than having to query a specific endpoint for individual parties.
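The following sketch is an added example, not code from the SSIF or the Techruption project: it models the ledger as an in-memory, hash-chained event log that holds only commitments to attestations and their revocation events, so that any verifier can check the status of any attestor's attestation at one place. The salted SHA-256 commitment, the field names, the `Ledger` class and the sample attestation are assumptions made for illustration.

```python
import hashlib
import json

def _digest(obj) -> str:
    # SHA-256 over canonical JSON, so equal content always yields the same digest.
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def commitment(attestation: dict, salt: str) -> str:
    # Only this salted digest is published; the statement itself stays with its holder.
    return _digest({"salt": salt, "attestation": attestation})

class Ledger:
    """In-memory stand-in for a DLT: an append-only, hash-chained event log."""
    GENESIS = "0" * 64

    def __init__(self):
        self.events = []

    def _append(self, kind, commit, attestor):
        prev = self.events[-1]["hash"] if self.events else self.GENESIS
        body = {"kind": kind, "commit": commit, "attestor": attestor, "prev": prev}
        self.events.append({**body, "hash": _digest(body)})

    def register(self, commit, attestor):
        if self.status(commit) != "unknown":
            raise ValueError("commitment already registered")
        self._append("register", commit, attestor)

    def revoke(self, commit, attestor):
        # The first event for a commitment is always its registration.
        owner = next((e["attestor"] for e in self.events if e["commit"] == commit), None)
        if owner != attestor:  # caller authentication is assumed to happen elsewhere
            raise PermissionError("only the registering attestor may revoke")
        self._append("revoke", commit, attestor)

    def status(self, commit):
        kinds = {e["kind"] for e in self.events if e["commit"] == commit}
        return "unknown" if not kinds else "revoked" if "revoke" in kinds else "valid"

    def chain_intact(self):
        # Recompute every link; any edit to a stored event breaks the chain.
        prev = self.GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

# Constructed sample: an employment attestation and the salt its holder keeps.
SAMPLE = {"attestor": "ExampleCorp", "subject": "alice", "statement": "is employee"}
SAMPLE_SALT = "constructed-salt-7f3a"
```

A verifier that receives the attestation and its salt from the holder recomputes the commitment and calls `status()`; an altered attestation yields a different digest and is reported as `unknown`.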
Several ideas still need to be developed. One such idea is the SSIF wallet, which is seen as an embodiment of the “self-sovereignty” aspect of the framework. It is envisaged as a container for statements and attestations that can act as a proxy of its owner in the negotiation and execution of electronic business transactions. This means that the proliferation of statements and attestations is controlled by the user, and their use is subject to the user’s consent. While the idea itself is not new (we have seen InfoCards, attribute-based credentials, etc.), the interfacing with and use of DLTs is.
Ultimately, the project will provide a solid framework for self-sovereign identity that can be used in combination with DLTs, with a firm conceptual underpinning, that reuses existing technologies, is easy to install and maintain from a business perspective, is an enabler for disruptive business ideas, and has at least one working prototype to demonstrate its viability.
Links:
[L1] https://github.com/ChristopherA/self-sovereign-identity
[L2] http://repository.tudelft.nl/view/tno/uuid%3A95b1a97a-2d5c-41b1-b5d9-43bcd04d981b/
References:
[1] K. Cameron, R. Posch, and K. Rannenberg: “Appendix d. proposal for a common identity framework: A user-centric identity metasystem”, The Future of Identity in the Information Society (2009): 477.
[2] J. Dietz: “Understanding and Modelling Business Processes with DEMO”, LNCS, vol 1728, 1999.
Please contact:
Rieks Joosten
TNO, the Netherlands
+31622901317