What is Self-Sovereign Identity (SSI)?
The concept of Self-Sovereign Identity does not yet admit a consensual definition. We will try to establish here a definition that we believe can cover the essential aspects of this concept, particularly by drawing inspiration from the work of Christopher Allen in his Ten Principles of SSI.
Self-Sovereign Identity is a concept that gives each user exclusive ownership of his identity data, implying that only he can control how his data is shared and used. This results in the fact that the user has no obligation to reveal any information other than that strictly necessary for a given transaction or interaction. Self-Sovereign Identity must make the user completely autonomous in all matters relating to his identity.
It is a protection system for the individual. It shall protect him from the control that the powerful can exercise over him, just as it shall guarantee his right to free association.
We will try to set out here as clearly as possible the 10 principles that make up this notion:
1. Existence is the first principle. It is the one that underlies all the others; it refers to a person’s essential identity, which Christopher Allen describes with a play on words as the “I” of Identity. This principle implies that a user must have an independent existence that precedes his representation in the digital world and that cannot fully exist in digital form. A Self-Sovereign Identity makes public and accessible some of these aspects according to the desire of the owner of the identity.
2. Control is the second fundamental principle. Users must have control over their identity and be sovereign in defining who they are. To do this, the blockchain’s decentralization and secure algorithms must ensure the continued validity of the user’s identity as well as that of the Claims associated with it (for more information on this topic, see the articles on DIDs). This shall make it possible for the user to transmit, modify, update or hide his information at will. This does not mean that the user will have the ability to control all Claims that are made about his identity, but simply that he will be at the center of all Claims and will be able to choose whether or not to disclose the information arising from them.
3. Access is the third principle. Users must have access to their data without the intervention of third parties. Again, this does not necessarily mean that the user will have the authorization to modify all the Claims associated with his identity, but that he will have full and transparent access to a history of all the uses and modifications that may be made of them. The user shall also be the only one with such access. This guarantees to the user that no modification of his identity data may be made without his knowledge by malicious centralized authorities seeking to conceal information, but also that they may not have knowledge of information that they could use against the user, such as location data, Internet searches, etc., without his consent.
4. Transparency is the fourth fundamental point. It will allow users to know exactly how their data is stored and used. The way the system and the algorithms used work and can be managed or modified should be open-source and accessible to all.
5. Persistence is the fifth principle of Christopher Allen’s SSI. According to him, identities must be long-lasting, to the extent that the user wants them to be. Despite any possible changes in the places where user data is stored and any changes in platforms or private keys, users must be able to maintain their identities for as long as they wish. This is why this principle is closely related to others of Christopher Allen’s principles, such as portability and interoperability. This needs to be in line with the “right to be forgotten” which stipulates that a user has the right to modify or permanently delete one of his digital identities and the Claims linked to it. Here again, everything is subject to the control and desire of the user.
6. Portability, as mentioned in the previous paragraph, is the sixth principle of SSI. It proposes that identities can never be held by a single third party, even if it is a trusted. Even if it would act in the best interest of the user, the Single Point of Failure (SPOF) problem would remain. This SPOF is a point on which the entire system is dependent and which can, if it fails, lead to the partial or complete shutdown of the system and the services that depend on it. Decentralization eliminates this type of problem by distributing data storage. Even if one of a service provider’s servers were to disappear, the integrity of the system would not be affected and the user, since his data would be distributed in several locations, could simply transfer his data to another functional server. Identity portability ensures that the user maintains control over his identity no matter what happens, which is linked to the principle of Persistence.
7. Interoperability is the principle that proposes that identities should be able to be used by as many services as possible. The way identity systems work today is complex and sub-optimal. Each country, each service on the Internet has its own identity verification system, which makes administrative procedures very complex and undermines the user experience on the Internet. Interoperability must therefore allow users to keep control of their identity across all platforms and all countries thanks to an international standard that must be established with the agreement of all. We see here that the three principles of Persistence, Portability and Interoperability are intimately linked and that they work in synergy with all the other principles of SSI.
8. Consent implies that users must give approval for all uses that are made of their identity by third parties. This notion permeates all the principles of SSI. It emphasizes the fact that all user interactions with third parties must be carried out with the user’s consent and that nothing may be done without the user’s knowledge and control.
9. Minimalization claims that in order to accomplish a task, only the very minimum amount of information must be disclosed. This is the case with the Zero-Knowledge Proof for example. Thanks to the DIDs technology (see this article), a user can, if a minimum age is required to access a service, only present a Verifiable Presentation stipulating that he meets the age requirements without ever disclosing his age. Thus, by minimizing the information that is disclosed, one reduces at the same time the risk of dispersion of this data.
10. Protection is the last of SSI’s principles. It reminds that the ultimate goal of SSI is the protection of the user from all those who could potentially take advantage of his data to exploit or cause prejudice to him. This principle of Protection wishes to recognize the user’s right to his protection and that of his data. Thus, for any conflict between the needs of the network and the rights of the user, the Protection principle proposes that users should always be protected. In order to enforce this right, it advocates the use of an independent decentralized algorithm censorship-resistant and attack-resilient. Once again, blockchain technology offers the best answer to enable us to satisfy this project.
As we have seen in this article, Christopher Allen’s Self-Sovereign Identity is based on these 10 principles, which are also those that found the theoretical apparatus on which Decentralized Identifiers are built. The goal of SSI, like that of DIDs, is to guarantee user’s identity protection and independence from private or state entities that might be tempted to take advantage of or harm him thanks to his data. SSI thus intends to revolutionize the way we interact with other Internet users, whether individuals or entities, by making our interactions more secure and trustworthy.