Part 1, Prologue — notes after attending the SSI Forum last week
Recently gaining attention again, DID and SSI are both a technical and an ideological system — built on the technical side as an advancement of digital identity, and on a new common sense that I can prove myself to myself.
As of 2022, the global DID market size was valued at $647.8 million; at an expected CAGR of 88.2%, it is projected to reach $102 billion by 2030.
First, the core of DID (decentralized ID, a decentralized identity system) is PKI-based authentication technology (cryptography) and services (clients). Among the schemes for building the VDR that stores specific information, the most widely used technology is blockchain.
PKI verification here is the process of using a DID to pull the other party's DID document and verifying with the public key inside it. The VDR (Verifiable Decentralized Registry) is the system that records DID data and can provide the related data when DID documents are generated. More concretely, it is where the DID, public key, and authentication information that make up the DID document are stored for each subject. Depending on the characteristics of the organization and the service (client), it can take one of three forms:
- blockchain
- DLT (distributed ledger technology, distinct from blockchain)
- centralized server
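The PKI verification step described above, as an added example (not code from the forum or from any DID project): a verifier resolves a DID from an in-memory map standing in for the VDR and checks a signed challenge against the public key in the DID document. The type names, the `did:example:` identifiers, the nonce, and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// DIDDocument is a simplified, hypothetical model: public keys by ID, plus the IDs allowed to authenticate.
type DIDDocument struct {
	Methods        map[string]ed25519.PublicKey
	Authentication map[string]bool
}

// Registry stands in for the VDR (blockchain, DLT or central server): DID -> DID document.
type Registry map[string]DIDDocument

var ErrNotFound = errors.New("DID not found in registry")
var ErrNotAuthorized = errors.New("key not usable for authentication")
var ErrBadSignature = errors.New("signature does not verify")

// VerifyChallenge pulls the DID document for did and checks sig over nonce with the named key.
func VerifyChallenge(r Registry, did, keyID string, nonce, sig []byte) error {
	doc, found := r[did]
	if !found {
		return ErrNotFound
	}
	pub, listed := doc.Methods[keyID]
	if !listed || !doc.Authentication[keyID] || len(pub) != ed25519.PublicKeySize {
		return ErrNotAuthorized // also guards ed25519.Verify, which panics on a malformed key
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo runs the exchange on constructed data: one DID, two keys, only key-1 allowed to authenticate.
func Demo() (valid, staleSig, unknownDID, wrongKey error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // Ed25519 is an assumed key type; nil means crypto/rand
	did, key, nonce := "did:example:alice", "did:example:alice#key-1", []byte("constructed-nonce-0001")
	reg := Registry{did: {Authentication: map[string]bool{key: true},
		Methods: map[string]ed25519.PublicKey{key: pub, did + "#key-2": pub}}}
	sig := ed25519.Sign(priv, nonce) // the holder signs the verifier's challenge
	check := func(d, k string, n []byte) error { return VerifyChallenge(reg, d, k, n, sig) }
	return check(did, key, nonce), check(did, key, []byte("fresh-nonce-0002")),
		check("did:example:unregistered", key, nonce), check(did, did+"#key-2", nonce)
}

func main() { fmt.Println(Demo()) }
```

The second result shows why the verifier issues a fresh nonce each time: a signature captured from an earlier exchange does not verify against a new challenge.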
Without decentralization, the risk of large-scale personal data breaches is not very different from WEB 2.0, and the possibility of data misuse/abuse is bound to remain. That's why even the EU, famous for its strict GDPR, is reportedly making continuous efforts to apply SSI to the EUDI wallet (European Digital Identity wallet) — already underway to accelerate the single market.
The DID standard is being formed with W3C at the center. Because there is no single authority that certifies identity, standardization for use in various contexts is essential, so early starters in the US and Europe mostly build with the W3C DID standard. DIF and ToIP are also actively participating. Although last September Google, Mozilla, and Apple raised opposing opinions, which became an issue, it was confirmed as a recommendation in June this year.
SSI stands for self-sovereign identity, and it works with VCs (verifiable credentials) and VPs (verifiable presentations). Although blockchain is the most suitable environment for implementing and using SSI, it is not a required component, and even using DIDs for VCs is not mandatory. What matters more is that it was created with the intent of granting individuals rights over their information, like the rights to one's body or property, going beyond simple login.
For reference, Civic, famous for Civic Coin and Civic Pass, is a DID (though it does not follow the W3C DID Core spec), yet its DID documents are managed on a centralized server. That makes it hard to call SSI (self-sovereign identity), where what matters is how much sovereignty the individual has over how their information is handled. That is the very point that distinguishes DID from SSI.
Back home in Korea, there is still a hot potato: VC issuance.
Since individuals can't create DIDs on their own, a platform provider that issues DIDs is necessarily required. And the trusted individual institutions that issue VCs — like resident ID cards and driver's licenses — are still organized and operated by the government (centralized). So strictly speaking, we cannot yet say it perfectly satisfies both DID and SSI.
Still, for the already-underway driver's license case, VC and VP are applied, and from the identity-model perspective, it uses not a centralized/federated model but a distributed one, and personal data is not stored on a centralized server — both meaningful aspects.
It looks like a process of the existing system and the new system matching step by step. As wallets and the W3C DID standard take root, various issues will likely improve more naturally than now, much like past web standards did.
Summary: 10 Principles of Self-Sovereign Identity
Christopher Allen
- Existence - Users must exist independently.
- Control - Users must control their IDs.
- Access - Users must be able to access their own data.
- Transparency - Systems and algorithms must be transparent.
- Persistence - IDs must be long-lasting.
- Portability - Information and services about identity must be transferable.
- Interoperability - IDs must be as widely usable as possible.
- Consent - Users must consent to the use of their ID.
- Minimization - Claim disclosure must be minimized.
- Protection - Users' rights must be protected.
Main References
- 10 Principles of Self-Sovereign Identity (full original): The Path to Self-Sovereign Identity. "Today I head out to a month-long series of events associated with identity..." www.lifewithalacrity.com
- Principles of SSI (Sovrin Foundation) - Korean translation PDF: Principles of SSI V3 - Sovrin. "An SSI ecosystem shall empower entities who have natural, human, or legal rights in relation to their identity to control usage of their digital identity data." sovrin.org
- DIF Presentation Exchange: Presentation Exchange 2.0.0 Specification - Working Group Draft. identity.foundation
- Decentralized Identifiers (DIDs) v1.0. "Security considerations for deploying DIDs in production settings." www.w3.org
- PKI (public key infrastructure). "A base structure that obtains a certificate containing a public key and a private key from a PKI Certification Authority, enabling secure encrypted communication on the network." skogkatt.tistory.com
- A Comparative Analysis of PKI Authentication and FIDO Authentication. "The two-factor authentication capability, private key possession and key protection password knowledge, and the strong public-key cryptography protocol of PKI authentication..." koreascience.or.kr
