Internet identity management has struggled to replicate existing real-world (physical) systems. For example, crossing a country border generally requires a physical passport, and buying alcohol (in the US at least) requires presenting a driver’s license. The credential both authenticates its holder and carries the specific attributes needed to get a drink or enter a country. Verification is done by comparing the picture on the credential with the person presenting it, backed by the physical document the credential provider issued. Handling these kinds of transactions is much harder in cyberspace.
Internet identity generally starts by establishing an initial identifier with an identity provider using some form of proof (credit card, mobile phone…). These identifiers are generally bound to the organization (bank, retailer) that issues the credentials and authorizes transactions, so an individual needs to establish a separate identity with every organization they want a trusted relationship with. This is like “renting an identity”, since the identity, and at least some of the rights associated with it, are bound to a specific identity provider or relying party (such as a bank or retailer). A new identity must be established and maintained for every digital relationship an individual has with an organization, which is expensive for businesses and hard to manage for individuals.
The Sovrin Foundation claims to offer a distributed, self-sovereign identity service that can better serve both communities. They start with the premise that the individual controls an identity, manages the use of his/her attributes and uses this to establish and maintain relationships as they see fit. Sovrin does this by leveraging blockchain technology and a supporting ecosystem to enable individuals to control and manage personal identity and how the identity, personas and attributes are represented and shared.
Phil Windley, Chair of the non-profit Sovrin Foundation, met with TechVision Research analysts recently and described this new distributed identity model, which leverages a public permissioned distributed ledger, a trust framework, privacy controls and zero-knowledge-proof verifiable claims as the basis for a new distributed, self-sovereign identity service. While I won’t get into all the deep technical details in this blog, I’ll provide an overview of what Sovrin is building and TechVision’s assessment of this early distributed-ledger-based identity ecosystem.
Phil characterized the Sovrin Foundation as operating and governing a public, permissioned network leveraging an open-source code base originally developed and contributed to the Foundation by the distributed ledger-based identity vendor Evernym. Phil explained that the goal is to have individuals control their identities and the representation of those identities (and personas) across the Internet. Sovrin seeks to achieve this through an interesting combination of human governance and technical innovation.
First, the human part. The Sovrin Foundation has an international, independent board of trustees including representatives from banking, credit unions, education and retail, as well as representatives of individuals. It has developed a draft trust framework defining the rules for participants at all levels, using the concepts of stewards (trusted institutions that operate the nodes of the Sovrin ledger) and trust anchors (who handle provisioning) to establish decentralized trust and govern changes to the Sovrin open-source code. Stewards must be approved by the board of trustees, and they are the ones actually operating the network; the Sovrin Foundation only provides governance.
There is a heavy emphasis on governance in defining the rules by which the foundation operates, the responsibilities of owners of the validating nodes (stewards) and the roles these stewards and trust anchors will play.
So how does this work? To net it out, Sovrin is building and operating an identity service on a distributed ledger that is completely open and public, but on which identities are completely private and under the control of the identity owner. When TechVision asked about the apparent conflict between a public ledger and a claim of privacy, Phil explained that they are NOT putting any personally identifiable data on the ledger; the ledger only distributes identifiers and public keys, along with pointers to “agents” through which additional data can be requested from an identity owner. They are also supporting zero-knowledge-proof verifiable claims, in which a claim (such as “I am of legal drinking age”) can be verified using Sovrin without disclosing any other personal information; the verifier learns only that the individual is of legal drinking age. The concept of sharable verifiable attributes is explained in more detail in Phil’s blog on the topic: System for Sharing Verifiable Attributes
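To make the data separation concrete, here is an added example written for this post; it is not Sovrin’s code and does not use Sovrin’s cryptography. It models the three parties the paragraph describes: a ledger that holds only an issuer identifier and a verification key, an issuer that hands a credential to the holder’s agent off-ledger, and a verifier that learns exactly one attribute. Selective disclosure is done with salted hash commitments, and an HMAC under a demo key stands in for the issuer’s public-key signature so the block runs on the Python standard library alone; real zero-knowledge-proof credentials, as Sovrin describes them, replace both of these. All identifiers, keys and attribute values are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os

# Constructed, hypothetical identifiers and key. The "ledger" records only an
# identifier and a verification key; no attribute ever lands on it.
ISSUER_DID = "did:example:issuer-1"
ISSUER_KEY = b"demo-issuer-key"  # stand-in for the issuer's signing key pair
LEDGER = {ISSUER_DID: {"verification_key": ISSUER_KEY}}


def _commit(name, value, salt):
    """Salted SHA-256 commitment to one (name, value) pair."""
    encoded = json.dumps([name, value], separators=(",", ":")).encode()
    return hashlib.sha256(salt + encoded).hexdigest()


def _sign(key, payload):
    """Stand-in for the issuer's signature over the canonical payload (HMAC here)."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def issue(holder_did, attributes):
    """Issuer: commit to each attribute separately and sign only the commitments.
    Values and salts go to the holder's agent; the signed payload carries neither."""
    salts = {n: os.urandom(16) for n in attributes}
    commitments = sorted(_commit(n, v, salts[n]) for n, v in attributes.items())
    payload = {"issuer": ISSUER_DID, "subject": holder_did, "commitments": commitments}
    return {"payload": payload, "signature": _sign(ISSUER_KEY, payload),
            "attributes": dict(attributes), "salts": salts}


def present(credential, disclose):
    """Holder: open only the named attributes (value plus salt); the rest stay
    hidden behind their commitments."""
    opened = {n: [credential["attributes"][n], credential["salts"][n].hex()] for n in disclose}
    return {"payload": credential["payload"], "signature": credential["signature"],
            "disclosed": opened}


def verify(presentation):
    """Verifier: resolve the issuer on the ledger, check the signature, then check
    each opened attribute against a signed commitment. Returns what the verifier
    has actually learned, or raises ValueError."""
    payload = presentation["payload"]
    issuer = LEDGER.get(payload["issuer"])
    if issuer is None:
        raise ValueError("unknown issuer")
    expected = _sign(issuer["verification_key"], payload)
    if not hmac.compare_digest(expected, presentation["signature"]):
        raise ValueError("bad signature")
    learned = {}
    for name, (value, salt_hex) in presentation["disclosed"].items():
        if _commit(name, value, bytes.fromhex(salt_hex)) not in payload["commitments"]:
            raise ValueError(f"attribute {name!r} does not match a signed commitment")
        learned[name] = value
    return learned


def demo():
    """Issue a credential, prove only the drinking-age predicate, then show that an
    altered attribute is rejected."""
    # The issuer derives the predicate at issuance, so the holder can later prove
    # "of legal drinking age" without ever opening the birth date.
    cred = issue("did:example:alice",
                 {"name": "Alice Example", "birth_date": "1990-05-01", "age_over_21": True})
    learned = verify(present(cred, ["age_over_21"]))
    forged = present(cred, ["name"])
    forged["disclosed"]["name"][0] = "Mallory"  # value changed, salt unchanged
    try:
        verify(forged)
        rejected = False
    except ValueError:
        rejected = True
    return {"learned": learned, "forgery_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing when reading the output. First, the verifier only ever receives the signed commitment list and the one opened attribute; the birth date never leaves the holder’s agent, which is the property the paragraph is after. Second, the commitments themselves are identical in every presentation, so two verifiers who compare notes can tell they served the same credential. That linkability is precisely the gap between this hash-based stand-in and the zero-knowledge-proof claims Sovrin describes, where each presentation is a fresh proof rather than a reused commitment.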
Phil also described some foundational use cases leveraging additional Sovrin functionality in banking (KYC, Know Your Customer, initiatives) and health care systems (HIPAA-compliant exchanges between doctors, patients and health care networks). For example, Sovrin could be used to verify a “doctor’s passport”, a portable credential currently being piloted with Doctors Link in the UK.
Sovrin, per Phil, is building a scalable, privacy-protected, auditable (based on time-stamped data written to the distributed ledger) ecosystem empowering individuals to manage their identities, support granular selective disclosure and provide organizations with trusted connections to individuals. What is not to like about this? Well, Sovrin isn’t at production level yet, the technology is evolving and its ultimate success depends on Sovrin gaining critical mass. Simply put, it is early but developing rapidly.
What do I like about Sovrin? I like the fact that it is an independent non-profit foundation, with a board represented by a variety of diverse stakeholders. I like the combination of technology and human governance. I also really like the privacy-centric elements of Sovrin as well as the combination of wide availability and control of verifying nodes via their public, permissioned blockchain approach. I also like the fact that there are several POCs currently in process as the Sovrin foundation appears to have momentum and the opportunity to rapidly evolve.
We will continue to cover Sovrin, HyperLedger, Ethereum, R3, IBM, ShoCard and Microsoft’s blockchain initiatives (and many others), since we believe blockchain identity is a very attractive long-term approach, but critical mass and key ecosystems are needed to make this a reality. Phil summarized this nicely by saying “Sovrin’s goals are both outlandishly ambitious and relatively conservative.” I think this summarizes how organizations should be approaching blockchain: understand the long-term opportunity while taking baby steps, learning, iterating and continuing to move forward.
TechVision is happy to work with enterprise organizations looking for education and guidance in navigating this complex, nascent, but potentially game-changing space. The disruptive potential is massive, but the roadblocks can be very intimidating and costly. For some further data on blockchain identity, here is a link to an 18-page excerpt from a research report Doug Simmons and I wrote on blockchain identity. Blockchain and the Future of Identity Management