Self-sovereign identity is multi-source, but not all multi-source identity systems are self-sovereign. Self-sovereignty requires that people and organizations have control of their credentials and interact as peers.
The world is full of credentials. Some, like a driving license, an employee ID card, a passport, or a university diploma are widely recognized as such. But many other things are also credentials: a store receipt, a boarding pass, or a credit score, for example. Credentials, designed properly, allow verifiable data to be employed in workflows without centralized hubs, point-to-point integrations, or real-time communication between the various players. Credentials enable decentralized, asynchronous workflows.
Multi-source identity (MSI) allows multiple credentials from multiple providers to be brought to bear, flexibly and conveniently, in a situation where trusted attestations are needed for the participants in a workflow to make progress. In MSI, there are three players: credential issuers, credential holders, and credential verifiers. Any person or organization can play any or all of the roles.
- Credential issuers determine what credentials to issue, what the credential means, and how they'll validate the information they put in the credential.
- Credential holders determine what credentials they need and which they'll employ in workflows to prove things about themselves.
- Credential verifiers determine what credentials to accept and who to trust.
Because of these features, MSI is decentralized. In contrast, traditional identity systems have a single identity provider (IdP) who administers an identity system for their own purposes, determines what attributes are important, and decides which partners can participate.
In MSI, a particular credential is not intrinsicly true. Rather each verifier determines who and what they will trust by relying on the attestations of other parties. Thus, truth is established through a preponderance of evidence. How much evidence is needed for a situation depends on the risk, something the verifier determines independently.
Self-sovereign identity means the individual or organization controls and manages their identity. Multi-source identity becomes self-sovereign identity (SSI) when the individual is able to control the credentials and use them in a privacy-preserving manner whenever and where ever they want. Privacy is a critical feature of SSI because without privacy, there is no control. In SSI, the identity owner must be able to control who sees what and that means that privacy is a fundamental property of the architecture for SSI.
SSI also implies that the parties to the credential transaction behave as peers. In traditional identity systems the rights of the so-called "identity subject" are subordinate to those of the identity provider. In SSI, every player independently determines the role they'll play, who they trust, and what they will believe. As we've seen, in SSI, an identity owner holds credentials from multiple providers and can use them where ever she wants. While these credentials can be revoked individually, the identity owner still controls her own identity wallet and all the other credentials she has collected.
Self-sovereign identity represents a monumental shift in how identity functions on the Internet. Internet identity systems have traditionally only supported a limited set of attributes and required prior agreement and custom integration. SSI frees Internet identity from this narrow view by introducing support for the exchange of credentials by individuals and organizations acting as peers. The result will be an Internet identity regime that is more flexible, more secure, more private, less burdensome, and less costly.
Photo Credit: A picture of a wallet from TheArmadillo (CC BY-SA 3.0)