book

Self-Sovereign Identity

Name: Self-Sovereign Identity
ISBN: 9781617296598

by Alex Preukschat, Drummond Reed

July 2021

Intermediate to advanced

504 pages

17h 18m

English

Manning Publications

Read now

Unlock full access

Self-Sovereign Identity
Copyright
dedication
contents
front matter
prefaceacknowledgmentsabout this bookWho should read this bookAbout the codeliveBook discussion forumOther online resourcesabout the authorsabout the cover illustration
Part 1 An introduction to SSI
1 Why the internet is missing an identity layer—and why SSI can finally provide one
1.1 How bad has the problem become?1.2 Enter blockchain technology and decentralization1.3 The three models of digital identity1.3.1 The centralized identity model1.3.2 The federated identity model1.3.3 The decentralized identity model1.4 Why “self-sovereign”?1.5 Why is SSI so important?1.6 Market drivers for SSI1.6.1 E-commerce1.6.2 Banking and finance1.6.3 Healthcare1.6.4 Travel1.7 Major challenges to SSI adoption1.7.1 Building out the new SSI ecosystem1.7.2 Decentralized key management1.7.3 Offline accessReferences
2 The basic building blocks of SSI
2.1 Verifiable credentials2.2 Issuers, holders, and verifiers2.3 Digital wallets2.4 Digital agents2.5 Decentralized identifiers (DIDs)2.6 Blockchains and other verifiable data registries2.7 Governance frameworks2.8 Summarizing the building blocksReferences
3 Example scenarios showing how SSI works
3.1 A simple notation for SSI scenario diagrams3.2 Scenario 1: Bob meets Alice at a conference3.3 Scenario 2: Bob meets Alice through her online blog3.4 Scenario 3: Bob logs in to Alice’s blog to leave a comment3.5 Scenario 4: Bob meets Alice through an online dating site3.6 Scenario 5: Alice applies for a new bank account3.7 Scenario 6: Alice buys a car3.8 Scenario 7: Alice sells the car to Bob3.9 Scenario summaryReference
4 SSI Scorecard: Major features and benefits of SSI
4.1 Feature/benefit category 1: Bottom line4.1.1 Fraud reduction4.1.2 Reduced customer onboarding costs4.1.3 Improved e-commerce sales4.1.4 Reduced customer service costs4.1.5 New credential issuer revenue4.2 Feature/benefit category 2: Business efficiencies4.2.1 Auto-authentication4.2.2 Auto-authorization4.2.3 Workflow automation4.2.4 Delegation and guardianship4.2.5 Payment and value exchange4.3 Feature/benefit category 3: User experience and convenience4.3.1 Auto-authentication4.3.2 Auto-authorization4.3.3 Workflow automation4.3.4 Delegation and guardianship4.3.5 Payment and value exchange4.4 Feature/benefit category 4: Relationship management4.4.1 Mutual authentication4.4.2 Permanent connections4.4.3 Premium private channels4.4.4 Reputation management4.4.5 Loyalty and rewards programs4.5 Feature/benefit category 5: Regulatory compliance4.5.1 Data security4.5.2 Data privacy4.5.3 Data protection4.5.4 Data portability4.5.5 RegTech (Regulation Technology)References

Part 2 SSI technology
5 SSI architecture: The big picture
5.1 The SSI stack5.2 Layer 1: Identifiers and public keys5.2.1 Blockchains as DID registries5.2.2 Adapting general-purpose public blockchains for SSI5.2.3 Special-purpose blockchains designed for SSI5.2.4 Conventional databases as DID registries5.2.5 Peer-to-peer protocols as DID registries5.3 Layer 2: Secure communication and interfaces5.3.1 Protocol design options5.3.2 Web-based protocol design using TLS5.3.3 Message-based protocol design using DIDComm5.3.4 Interface design options5.3.5 API-oriented interface design using wallet Dapps5.3.6 Data-oriented interface design using identity hubs (encrypted data vaults)5.3.7 Message-oriented interface design using agents5.4 Layer 3: Credentials5.4.1 JSON Web Token (JWT) format5.4.2 Blockcerts format5.4.3 W3C verifiable credential formats5.4.4 Credential exchange protocols5.5 Layer 4: Governance frameworks5.6 Potential for convergenceReferences
6 Basic cryptography techniques for SSI
6.1 Hash functions6.1.1 Types of hash functions6.1.2 Using hash functions in SSI6.2 Encryption6.2.1 Symmetric-key cryptography6.2.2 Asymmetric-key cryptography6.3 Digital signatures6.4 Verifiable data structures6.4.1 Cryptographic accumulators6.4.2 Merkle trees6.4.3 Patricia tries6.4.4 Merkle-Patricia trie: A hybrid approach6.5 Proofs6.5.1 Zero-knowledge proofs6.5.2 ZKP applications for SSI6.5.3 A final note about proofs and veracityReferences
7 Verifiable credentials
7.1 Example uses of VCs7.1.1 Opening a bank account7.1.2 Receiving a free local access pass7.1.3 Using an electronic prescription7.2 The VC ecosystem7.3 The VC trust model7.3.1 Federated identity management vs. VCs7.3.2 Specific trust relationships in the VC trust model7.3.3 Bottom-up trust7.4 W3C and the VC standardization process7.5 Syntactic representations7.5.1 JSON7.5.2 Beyond JSON: Adding standardized properties7.5.3 JSON-LD7.5.4 JWT7.6 Basic VC properties7.7 Verifiable presentations7.8 More advanced VC properties7.8.1 Refresh service7.8.2 Disputes7.8.3 Terms of use7.8.4 Evidence7.8.5 When the holder is not the subject7.9 Extensibility and schemas7.10 Zero-knowledge proofs7.11 Protocols and deployments7.12 Security and privacy evaluation7.13 Hurdles to adoptionReferences
8 Decentralized identifiers
8.1 The conceptual level: What is a DID?8.1.1 URIs8.1.2 URLs8.1.3 URNs8.1.4 DIDs8.2 The functional level: How DIDs work8.2.1 DID documents8.2.2 DID methods8.2.3 DID resolution8.2.4 DID URLs8.2.5 Comparison with the Domain Name System (DNS)8.2.6 Comparison with URNs and other persistent Identifiers8.2.7 Types of DIDs8.3 The architectural level: Why DIDs work8.3.1 The core problem of Public Key Infrastructure (PKI)8.3.2 Solution 1: The conventional PKI model8.3.3 Solution 2: The web-of-trust model8.3.4 Solution 3: Public key-based identifiers8.3.5 Solution 4: DIDs and DID documents8.4 Four benefits of DIDs that go beyond PKI8.4.1 Beyond PKI benefit 1: Guardianship and controllership8.4.2 Beyond PKI benefit 2: Service endpoint discovery8.4.3 Beyond PKI benefit 3: DID-to-DID connections8.4.4 Beyond PKI benefit 4: Privacy by design at scale8.5 The semantic level: What DIDs mean8.5.1 The meaning of an address8.5.2 DID networks and digital trust ecosystems8.5.3 Why isn’t a DID human-meaningful?8.5.4 What does a DID identify?
9 Digital wallets and digital agents
9.1 What is a digital wallet, and what does it typically contain?9.2 What is a digital agent, and how does it typically work with a digital wallet?9.3 An example scenario9.4 Design principles for SSI digital wallets and agents9.4.1 Portable and Open-By-Default9.4.2 Consent-driven9.4.3 Privacy by design9.4.4 Security by design9.5 Basic anatomy of an SSI digital wallet and agent9.6 Standard features of end-user digital wallets and agents9.6.1 Notifications and user experience9.6.2 Connecting: Establishing new digital trust relationships9.6.3 Receiving, offering, and presenting digital credentials9.6.4 Revoking and expiring digital credentials9.6.5 Authenticating: Logging you in9.6.6 Applying digital signatures9.7 Backup and recovery9.7.1 Automatic encrypted backup9.7.2 Offline recovery9.7.3 Social recovery9.7.4 Multi-device recovery9.8 Advanced features of wallets and agents9.8.1 Multiple-device support and wallet synchronization9.8.2 Offline operations9.8.3 Verifying the verifier9.8.4 Compliance and monitoring9.8.5 Secure data storage (vault) support9.8.6 Schemas and overlays9.8.7 Emergencies9.8.8 Insurance9.9 Enterprise wallets9.9.1 Delegation (rights, roles, permissions)9.9.2 Scale9.9.3 Specialized wallets and agents9.9.4 Credential revocation9.9.5 Special security considerations9.10 Guardianship and delegation9.10.1 Guardian wallets9.10.2 Guardian delegates and guardian credentials9.11 Certification and accreditation9.12 The Wallet Wars: The evolving digital wallet/agent marketplace9.12.1 Who9.12.2 What9.12.3 HowReference
10 Decentralized key management
10.1 Why any form of digital key management is hard10.2 Standards and best practices for conventional key management10.3 The starting point for key management architecture: Roots of trust10.4 The special challenges of decentralized key management10.5 The new tools that VCs, DIDs, and SSI bring to decentralized key management10.5.1 Separating identity verification from public key verification10.5.2 Using VCs for proof of identity10.5.3 Automatic key rotation10.5.4 Automatic encrypted backup with both offline and social recovery methods10.5.5 Digital guardianship10.6 Key management with ledger-based DID methods (algorithmic roots of trust)10.7 Key management with peer-based DID methods (self-certifying roots of trust)10.8 Fully autonomous decentralized key management with Key Event Receipt Infrastructure (KERI)10.8.1 Self-certifying identifiers as a root of trust10.8.2 Self-certifying key event logs10.8.3 Witnesses for key event logs10.8.4 Pre-rotation as simple, safe, scalable protection against key compromise10.8.5 System-independent validation (ambient verifiability)10.8.6 Delegated self-certifying identifiers for enterprise-class key management10.8.7 Compatibility with the GDPR “right to be forgotten”10.8.8 KERI standardization and the KERI DID method10.8.9 A trust-spanning layer for the internet10.9 Key takeawaysReferences
11 SSI governance frameworks
11.1 Governance frameworks and trust frameworks: Some background11.2 The governance trust triangle11.3 The Trust over IP governance stack11.3.1 Layer 1: Utility governance frameworks11.3.2 Layer 2: Provider governance frameworks11.3.3 Layer 3: Credential governance frameworks11.3.4 Layer 4: Ecosystem governance frameworks11.4 The role of the governance authority11.5 What specific problems can governance frameworks solve?11.5.1 Discovery of authoritative issuers and verified members11.5.2 Anti-coercion11.5.3 Certification, accreditation, and trust assurance11.5.4 Levels of assurance (LOAs)11.5.5 Business rules11.5.6 Liability and insurance11.6 What are the typical elements of a governance framework?11.6.1 Master document11.6.2 Glossary11.6.3 Risk assessment, trust assurance, and certification11.6.4 Governance rules11.6.5 Business rules11.6.6 Technical rules11.6.7 Information trust rules11.6.8 Inclusion, equitability, and accessibility rules11.6.9 Legal agreements11.7 Digital guardianship11.8 Legal enforcement11.9 ExamplesReferences
Part 3 Decentralization as a model for life
12 How open source software helps you control your self-sovereign identity
12.1 The origin of free software12.2 Wooing businesses with open source12.3 How open source works in practice12.4 Open source and digital identitiesReferences
13 Cypherpunks: The origin of decentralization
13.1 The origins of modern cryptography13.2 The birth of the cypherpunk movement13.3 Digital freedom, digital cash, and decentralization13.4 From cryptography to cryptocurrency to credentialsReferences
14 Decentralized identity for a peaceful society
14.1 Technology and society14.2 A global civil society14.3 Identity as a source of conflict14.4 Identity as a source of peaceReferences
15 Belief systems as drivers for technology choices in decentralization
15.1 What is a belief system?15.2 Blockchain and DLT as belief systems15.2.1 Blockchain “believers”15.2.2 DLT “believers”15.3 How are blockchains and DLTs relevant to SSI?15.4 Characterizing differences between blockchain and DLT15.4.1 Governance: How open is the network to open participation?15.4.2 Censorship resistance: How centralized is trust?15.4.3 Openness: Who can run a node?15.5 Why “believers” and not “proponents” or “partisans”?15.5.1 How do we measure decentralization?15.6 Technical advantages of decentralizationReferences
16 The origins of the SSI community
16.1 The birth of the internet16.2 Losing control over our personal information16.3 Pretty Good Privacy16.4 International Planetwork Conference16.5 Augmented Social Network and Identity Commons16.6 The Laws of Identity16.7 Internet Identity Workshop16.8 Increasing support of user control16.9 Rebooting the Web of Trust16.10 Agenda for Sustainable Development and ID202016.11 Early state interest16.12 MyData and Learning Machine16.13 Verifiable Claims Working Group, Decentralized Identity Foundation, and Hyperledger Indy16.14 Increasing state support for SSI16.15 Ethereum identity16.16 World Economic Forum reports16.17 First production government demo of an SSI-supporting ledger16.18 SSI Meetup16.19 Official W3C standards16.20 Only the beginningReferences
17 Identity is money
17.1 Going back to the starting point17.2 Identity as the source of relationships and value17.3 The properties of money17.4 The three functions of money17.5 The tokenization of value with identityReferences
Part 4 How SSI will change your business
18 Explaining the value of SSI to business
18.1 How might we best explain SSI to people and organizations?18.1.1 Failed experiment 1: Leading with the technology18.1.2 Failed experiment 2: Leading with the philosophy18.1.3 Failed experiment 3: Explaining by demonstrating the tech18.1.4 Failed experiment 4: Explaining the (world’s) problems18.2 Learning from other domains18.3 So how should we best explain the value of SSI?18.4 The power of stories18.5 Jackie’s SSI story18.5.1 Part 1: The current physical world18.5.2 Part 2: The SSI world—like the current physical world, but better18.5.3 Part 3: Introducing the Sparkly Ball1—or, what’s wrong with many current digital identity models18.6 SSI Scorecard for apartment leasingReference
19 The Internet of Things opportunity
19.1 IoT: Connecting everything safely19.2 How does SSI help IoT?19.3 The business perspective for SSI and IoT19.4 An SSI-based IoT architecture19.5 Tragic story: Bob’s car hacked19.6 The Austrian Power Grid19.7 SSI Scorecard for IoTReferences
20 Animal care and guardianship just became crystal clear
20.1 Enter Mei and Bailey20.1.1 Bailey gets a self-sovereign identity20.1.2 Guardianship transfer20.1.3 Vacation for Mei and Bailey20.1.4 A storm and separation20.1.5 Lost and found at your fingertips20.2 Digital identity unlocks opportunities for the well-being of animals and people20.3 SSI for animals reaffirms their inherent worth20.4 SSI Scorecard for pets and other animals
21 Open democracy, voting, and SSI
21.1 The problems with postal voting21.2 The problems with e-voting21.3 Estonia: A case study21.4 The three pillars of voting21.4.1 A state’s bill of needs21.4.2 A voter’s bill of rights21.5 The advantages of SSI21.5.1 SSI Scorecard for votingReferences
22 Healthcare supply chain powered by SSI
22.1 Emma’s story22.2 Supply chain transparency and efficiency through SSI22.3 Industry ecosystem efficiency powered by SSI22.4 Future supply chain transformation across industries: The big picture22.5 Eliminating waste22.6 Authentication and quality22.7 SSI Scorecard for the pharma supply chainReferences
23 Canada: Enabling self-sovereign identity
23.1 The Canadian context23.2 The Canadian approach and policy framework23.3 The Pan-Canadian Trust Framework23.4 The normative core23.5 Mutual recognition23.6 Digital ecosystem roles23.7 Supporting infrastructure23.8 Mapping the SSI stack to the PCTF model23.9 Using the Verifiable Credentials Model23.10 Enabling Self-Sovereign Identity23.11 SSI Scorecard for the Pan-Canadian Trust Framework
24 From eIDAS to SSI in the European Union
24.1 PKI: The first regulated identity service facility in the EU24.2 The EU legal framework24.3 The EU identity federation24.3.1 The legal concept of electronic identification (eID)24.3.2 The scope of the eIDAS FIM Regulation and its relationship with national law24.4 Summarizing the value of eIDAS for SSI adoption24.5 Scenarios for the adoption of SSI in the EU identity metasystem24.6 SSI Scorecard for the EBSIReferences
appendix A Additional Livebook chapters
Chapter 25: SSI, payments, and financial servicesChapter 26: Solving organizational identity with vLEIsChapter 27: SSI and healthcareChapter 28: Enterprise identity and access management realized with SSIChapter 29: Insurance reinvented with SSIChapter 30: Enabling SSI in humanitarian contextsChapter 31: Guardianship and other forms of Delegated Authority with Self-Sovereign IdentityChapter 32: Design principles for SSIChapter 33: SSI: Our dystopian nightmareChapter 34: Trust assurance in SSI ecosystemsChapter 35: The evolution of gaming with SSI
appendix B Landmark essays on SSI
“The Domains of Identity”“New Hope for Digital Identity”“The Architecture of Identity Systems”“Three Dimensions of Identity”“Meta-Platforms and Cooperative Network-of-Network Effects”“Verifiable Credentials Aren’t Credentials. They’re Containers.”“The Seven Deadly Sins of Customer Relationships”
appendix C The path to self-sovereign identity
You can’t spell “identity” without an “I”The evolution of identityPhase one: Centralized identity (administrative control by a single authority or hierarchy)Phase two: Federated identity (administrative control by multiple, federated authorities)Phase three: User-centric identity (individual or administrative control across multiple authorities without requiring a federation)Phase four: Self-sovereign identity (individual control across any number of authorities)A definition of self-sovereign identityTen principles of self-sovereign identityConclusion
appendix D Identity in the Ethereum blockchain ecosystem
Identity on the blockchainThe keys to identityOn-chain identity solutionsERC 725 v2: “Proxy Account”The ownerThe key-value storeThe public on-chain identityOff-chain identity solutionsERC 1056: “Lightweight Identity”The lightweight registryOwner and delegatesOther ERCsConclusion
appendix E The principles of SSI
index
contributing authors

Overview

In a world of changing privacy regulations, identity theft, and online anonymity, identity is a precious and complex concept. Self-Sovereign Identity (SSI) is a set of technologies that move control of digital identity from third party “identity providers” directly to individuals, and it promises to be one of the most important trends for the coming decades. Now in Self-Sovereign Identity, privacy and personal data experts Drummond Reed and Alex Preukschat lay out a roadmap for a future of personal sovereignty powered by the Blockchain and cryptography. Cutting through the technical jargon with dozens of practical use cases from experts across all major industries, it presents a clear and compelling argument for why SSI is a paradigm shift, and shows how you can be ready to be prepared for it.

About the Technology
Trust on the internet is at an all-time low. Large corporations and institutions control our personal data because we’ve never had a simple, safe, strong way to prove who we are online. Self-sovereign identity (SSI) changes all that.

About the Book
In Self-Sovereign Identity: Decentralized digital identity and verifiable credentials, you’ll learn how SSI empowers us to receive digitally-signed credentials, store them in private wallets, and securely prove our online identities. It combines a clear, jargon-free introduction to this blockchain-inspired paradigm shift with interesting essays written by its leading practitioners. Whether for property transfer, ebanking, frictionless travel, or personalized services, the SSI model for digital trust will reshape our collective future.

What's Inside

The architecture of SSI software and services
The technical, legal, and governance concepts behind SSI
How SSI affects global business industry-by-industry
Emerging standards for SSI

About the Reader
For technology and business readers. No prior SSI, cryptography, or blockchain experience required.

About the Authors
Drummond Reed is the Chief Trust Officer at Evernym, a technology leader in SSI. Alex Preukschat is the co-founder of SSIMeetup.org and AlianzaBlockchain.org.

Quotes
This book is a comprehensive roadmap to the most crucial fix for today’s broken Internet.
- Brian Behlendorf, GM for Blockchain, Healthcare and Identity at the Linux Foundation

If trusted relationships over the Internet are important to you or your business, this book is for you.
- John Jordan, Executive Director, Trust over IP Foundation

Decentralized identity represents not only a wide range of trust-enabling technologies, but also a paradigm shift in our increasingly digital-first world.
- Rouven Heck, Executive Director, Decentralized Identity Foundation

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781617296598Publisher Support Publisher Website Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills