Blockchain for Decentralized Identity — Layer 1 — Blockchain
The blockchain or a decentralized ledger is the first layer in the Self-Sovereign stack. It is a verifiable data registry like a phone book for decentralized identifiers (DIDs) that hold cryptographic keys and identifiers.
A blockchain could be public, permissioned, or hybrid.
1. A public blockchain is open to all for read, write access. (see below for what information gets written to the blockchain).
2. Pre-approved participants are authorized to use a permissioned blockchain. For example, an organization can set up a Decentralized Identity solution for their departments, and employees get permission to use the system.
3. A hybrid blockchain can have some public and other permissioned properties. For example, approved issuers get invited, while verifiers can be anyone.
A blockchain (decentralized ledger) stores the registry of identities (DIDs) and revocation. It provides the ability to issue verifiable documents used independently to give verifier proof. The DID is a globally unique and highly available, uniform resource identifier cryptographically verifiable and created anytime. The blockchain maintains an audit trail for permissions and attestations of claims for a verifiable credential.
Information that gets written to the blockchain includes:
1. A public DID (a decentralized identifier that is unique)
2. The DDO (DID descriptor document) contains the DID description, a public key of the DID, authentication protocols, service endpoints, timestamp, and signature. Through the DDO, an entity learns how to use the DID.
3. Schemas for the verifiable credentials.
4. Description of the verifiable credential.
5. An event is logged in the Revocation Registry when an issuer revokes a credential issued. The verifier can check the registry for an entry to confirm the validity of the proof.
6. Proof of data sharing between wallets/agents. (More on this in the next blog, Layer 2).
The advantages of using a blockchain for Decentralized Identity include:
1. Following Web 3.0 principles, the blockchain is decentralized, with no central authority. Therefore, identity data storage is decentralized, avoiding identity theft by hackers. In addition, the blockchain does not store PII (personally identifiable information) data.
2. Identity is always available and persistent
3. A universal resolver helps identify DIDs across multiple blockchains
4. It builds trust — everyone on the blockchain has the exact source of truth to data associated with a Verifiable Credential. In addition, it is an append-only log that is secure and tamper-proof.
5. A ledger that creates an audit trail for permissions and attestation of claims
The W3C1 has defined a DID specification. A DID starts with a generic scheme that identifies it as a DID. A DID Method and a Method identifier follow a scheme. DID Methods are associated with a verifiable data registry (blockchain) and define the mechanisms for creating, resolving, updating, and deactivating DIDs and DID documents. A DID on the public blockchain can be discovered using a DID resolver. A DID resolver takes a DID as input and produces a corresponding DID Document as output. A universal DID resolver is a service that locates a DID on any public blockchain. A standard for a universal resolver is underway by The Decentralized Identity Foundation2 to find any DID on any blockchain across the internet. An entity can have thousands of DIDs, one for each unique, secured relationship on the internet.
The public key and endpoints of the entity within the DID Doc together enable receipt of messages to it. With the help of the private and public keys, the entity can decrypt and process incoming messages.
The benefits of using DIDs include:
1. They are independent of central authorities or identity providers
2. Two entities can create a unique, private, secure channel on the blockchain without anyone's knowledge
3. An entity can create any number of DIDs, separate ones for different digital relationships and contexts
4. The decentralized nature makes Verifiable Credentials always available
5. The identity owner controls DIDs
6. They are permanent — cannot be re-assigned; hence more secure and private
7. DIDs are resolvable by the DDO (DID descriptor document):
8. DIDs are cryptographically verifiable — the public key proves ownership of the DID
9. Specific methods are associated with DIDs — they specify procedures for key registration, replacement, rotation, recovery, and expiration (which makes them tamper-resistant and resilient)
In the next post, I will cover Layer 2 — Digital Wallets.
To reference previous posts refer to this link. Again, I would suggest reading the posts in succession.
A blockchain is a decentralized ledger, which can be public, private, or hybrid. In the context of decentralized identity, it can store a public DID, DID Document, schemas, and formal descriptions of a verifiable credential, revocation registries, and proof of data sharing — however, the blockchain stores no PII (Personal Identifiable Information).
DID (Decentralized Identifier)
Like a Uniform Resource Name, a globally unique identifier that somebody can universally discover a DID on a blockchain using a method. A DID is an interoperable, open-sourced web standard delivered by the W3C1. Each DID associates with only one DID document.
DDO (A DID Document)
The DID document is a JSON document that holds the description of the DID, the public key for verification, set of authentication protocols, service endpoints, a timestamp, and signature.
A piece of code that helps locate a DID on any public blockchain. It takes the DID (unique identifier) as input and returns the DID document (metadata) associated with the DID by calling the method used by the DID. The Decentralized Identity Foundation is working on a standard.
A registry of DIDs that the issuer revokes. Verifiers can check if the holder uses a revoked claim on the blockchain.
A credential is an attestation of authority, competence, or qualification given by an authorized party (issuer) to an entity (holder). It consists of metadata, claims, and proofs and has one or many claims related to an entity’s identity. It is to respond to attestations for proof of a claim. Claims from multiple verifiable credentials consolidated to respond to a request for proof is called a compound verifiable credential.
1. W3C www.w3c.org Specification for a DID link
2. DIF (Decentralized Identity Foundation) — https://identity.foundation/
3. 2021, Reed, Drummond and Preukschat, Alex: Self-Sovereign Identity
#SSI; #decentralizedidentity; #blockchain; #digitalidentity; #selfsovereignidentity; #identity; #dlt; #web3; #web3.0; #dApps; #digitalwallets; #distributedledger