If your identity system doesn't use DIDs and verifiable credentials in a way that gives participants autonomy and freedom from intervening administrative authorities, then it's not SSI.
A few days ago I was in a conversation with a couple of my identerati friends. When one used the term "SSI", the other asked him to define it since there were so many systems that were claiming to be SSI and yet were seemingly different. That's a fair question. So I thought I'd write down my definition in hopes of stimulating some conversation around the topic.
I think we've arrived at a place where it's possible to define SSI and get broad consensus about it. SSI stands for self-sovereign identity, but that's not really helpful since people have different ideas about what "sovereign" means and what "identity" means. So, rather than try to go down those rabbit holes, let's just stick with "SSI."1
SSI has the following properties:
- SSI systems use decentralized identifiers (DIDs) to identify people, organizations, and things. Decentralized identifiers provide a cryptograhic basis for the system and can be employed so that they don't require a central administrative system to manage and control the identifiers. Exchanging DIDs is how participants in SSI create relationships.
- SSI participants use verifiable credentials exchange to share information (attributes) with each other to strengthen or enrich relationships. The system provides the means of establishing credential fidelity.
- SSI supports autonomy for participants. The real value proposition of SSI is autonomy—not being inside someone else's administrative system where they make the rules in a one sided way. Autonomy implies that participants interact as peers in the system. You can build systems that use DIDs and verifiable credentials without giving participants autonomy.
Beyond these there are lots of choices system architects are making. Debates rage about how specifically credential exchange should work, whether distributed ledgers are necessary, and, if so, how should they be employed. But if you don't use DIDs and verifiable credentials in a way that gives participants autonomy and freedom from intervening administrative authorities, then you're not doing SSI.
As a consequence of these properties, participants in SSI systems use some kind of software agent (typically called a wallet for individuals) to create relationships and exchange credentials. They don't typically see or manage keys or passwords. And there's no artifact called an "identity." The primary artifacts are relationships and credentials. The user experience involves managing these artifacts to share attributes within relationships via credential exchange. This user experience should be common to all SSI systems, although the user interface and what happens under the covers might be different between SSI systems or vendors on those systems.
I'm hopeful that, as we work more on interoperability, the implementation differences will fade away so that we have a single identity metasystem where participants have choice about tools and vendors. An identity metasystem is flexible enough to support the various ad hoc scenarios that the world presents us and will support digital interactions that are life-like.
- This is not to say I don't have opinions on what those words mean in this context. I've written about "sovereign" in On Sovereignty and Self Sovereign is Not Self Asserted.
Photo Credit: Girl On A Bicycle from alantankenghoe (CC BY 2.0)