The Keys to Decentralized Identity - Okta

Last updated Feb 9, 2023

• Type note
• Source video
• Status needs revision
• On web3 did

Metadata

• Source:: The Keys to Decentralized Identity - YouTube
• Channel:: Okta
• Presenter:: Jared Hanson
• Publish Date:: 2021-04-09
• Review Date::

Description

Identity is key to everything we do in a digital world: from online banking to your favorite streaming services to your workplace apps, it serves as the core of your interactions with digital systems. Decentralized identity puts control of that digital ID in the hands of the individual, replacing traditional identifiers like usernames with IDs that are self-owned and independent – but delivering on this promise is easier said than done. In this session, we’ll break down what decentralized identity is, the potential technologies that can help deliver on it, and the challenges that must be overcome to achieve it.

1

 https://www.youtube.com/watch?v=gWfAIYXcyH4

1

 00:00

Intro

1

 00:29

Agenda

• [?] What is Decentralized Identity?
  • Decentralized identity gives individuals control over their own identity so that they can decide how their personal information is shared and accessed, enabling trusted interactions while preserving privacy.

1

 03:19

Evolution of Identity

Identity has evolved through three distinct phases:

1. Centralized identity
2. Federated identity
3. Decentralized identity
   

Centralized identity is characterized by using a username and password to sign in to a website.

1

 05:21

Federated Identity

• Federated Identity enables single sign-on (SSO), building on centralized identity and allowing individuals to use a single password to sign in to multiple websites.
• It appoints one website as an identity provider, which other websites trust for authentication.
• This trust relationship leaves out the individual, giving rise to privacy and data protection concerns.

1

 07:32

Decentralized Identity

• Decentralized Identity aims to rectify the shortcomings of federated identity by putting the individual in control.
• Individual control is enabled by shifting the transfer of identity information through the individual, rather than directly between websites.
• 

1

 08:04

Digital Passport

Let’s explore how Alice will obtain and use a digital passport:

1. Alice installs an identity wallet.
2. Alice requests a digital passport, which is stored in her wallet.
3. Alice presents her digital passport to an airline.
4. The airline validates the passport and confirms it belongs to Alice.

1

 09:05

Install Wallet

• Alice begins by installing an identity wallet on her mobile device.
• This wallet will hold her digital identity, including her digital passport, as well as other credentials over time.

1

 09:55

Create Identity

• The wallet generates an identifier for Alice along with a key pair that is used to prove ownership of the identifier.
• The private key is stored securely by Alice’s wallet, which also publishes the public key to a ledger.
• The identifier will be used to identify Alice in her digital passport, and the keys will be used to verify Alice’s identity.

1

 10:25

Obtaining a Passport

• Now that her identity wallet is set up, Alice requests a digital passport from the state department.
• The state department issues Alice a digital passport, which is stored in her wallet.
• The passport itself is issued by the United States. It contains information, known as claims, about Alice, such as her name, date of birth, and other information.
• Since this is a digital passport, it is accompanied by a digital signature, which can be used to validate the passport as having been issued by the United States.
• Later, when Alice decides to take a vacation, the airline requests a form of identity to confirm Alice is authorized to fly.
• Alice selects her passport from her wallet, and taps her mobile phone at the check-in terminal.

1

 11:42

Verifying a Passport

• The airline now verifies the validity of the passport by checking the digital signature and ensuring that it was issued by an authorized country.
• In this case, the airline trusts passports issued by the United States.
• Alice presented a valid United States passport. But how do we know it was Alice who presented it?
• The presentation has unique characteristics.

1

 12:23

Passport Presentation

• When the passport is presented, it is encompassed with a digital signature from Alice’s wallet.
• This allows the airline to verify not only the passport, but that the passport is being presented by the person who it was issued to.
• Verifying Alice’s signature requires Alice’s public key.

1

 12:52

Verifying Alice

• This brings us full circle to Alice’s identity, and the key registered on the ledger by her wallet.
• The airline retrieves that key and uses it to verify Alice as having presented the passport.
• The introduction of a network on which individuals’ public keys are stored enables new opportunities.

1

 13:23

Self-Signed Credentials

• Alice can now choose to issue self-signed credentials — statements about herself that don’t need to be made by a third party.
• This capability was previously unavailable to individuals in identity systems, and is new with decentralized identity.
• Cryptographic keys are a necessary requirement in order to make verifiable credentials or assertions.

1

 13:46

Self-Sovereign Identity

• Self-signed credentials give rise to the notion of self-sovereign identity, in which the individual is in full control of their identity, without the need for an identity provider.

1

 14:11

Trust Triangle

• We have now completed a loop between all three parties, each of whom participate in what is known as the “trust triangle”.

1

 14:20

Terminology

• Roles
  • Issuer
  • Verifier
  • Holder (Presenter)
• In Centralized identity and Federated Identity, identity is not what you say about yourself, but what others say about you.

1

 15:37

Roles

• Different roles to map to different terminologies in federated and decentralized identity systems:
• In Federated Identity, IDPs and RPs can assume both roles. The user, however, cannot assume any other role.
• A similar thing happens in Decentralized Identity, where issuers can also be verifiers, and vice versa. Each can also be a holder of their own credentials.
  • Importantly, individuals can assume all three roles as well.
  • Everyone is an equal peer.

1

 17:29

Keys to Decentralized Identity

• Identity is derived from cryptographic keys.
• Identity shifts to a network model, from a provider model.
• All entities on the network have equal capabilities (peer-to-peer).
• [“] The impact of a network is the square of the number of nodes in the network — Metcalfe’s Law.

1

 18:49

Decentralized Identity Ecosystem

• New components in the decentralized identity ecosystem:
  • Wallets
  • Ledgers
  • Credentials

1

 19:11

Wallets

• Wallets are applications used by individuals to control their identity.
• Functionally, this includes:
  • Managing identifiers and keys associated with that identity.
  • Managing keys and information published to the distributed ledger.
  • Exchanging credentials with issuers and verifiers.

1

 19:54

Decentralized Identifiers

• Decentralized identifiers (DID) are globally unique and don’t require centralized registries.
• A DID is resolvable with ownership proven via public key cryptography.
• The structure of a DID indicates the identifier as well the ledger to use when resolving the identifier.
• Difference between Federated and Decentralized identifiers:
  • Federated Identity
    • { iss: “https://berkeley.edu”, sub: “1234”}
    • Identity is issued by a provider to an individual.
    • Use of identity at other services is mediated by the provider.
  • Decentralized Identity
    • did:btcr:xyv2-xzpq-q9wa-p7t
    • Identifier is created by an individual and stored on a network or ledger.
    • Use of identity requires other services to be on the same network or ledger.

1

 21:38

Ledgers

• Wallets, in addition to storing credentials, keys and other secrets, also publish an individual’s public keys to a ledger.
• This network is often a blockchain, such as Bitcoin or Ethereum. Other topologies are possible.
• The ledger allows the individual to interact with other people or organizations on the same network.
• Ledgers span a range of topologies. Commonly seen are blockchains such as Bitcoin, Ethereum, and numerous others.
• There are also permissioned ledgers, distributed file systems, “layer 2” overlays, and peer-to-peer networks.
• Each ledger has a corresponding DID method, which is encoded into a DID and specifies how to use the network to register and resolve the DID.
  • Bitcoin: did:btcr
  • Ethereum: did:ethr
  • Sovrin: did:sov
  • IPFS: did:ipid
  • ION: did:ion
  • Peer-to-peer: did:peer

1

 23:17

Credentials

• Credentials contain a set of claims, which are statements made about an individual. Claims are made by an issuer and can be cryptographically verified using digital signatures
• The validity of the signature, along with the trustworthiness of the issuer, allow claims to be used as credentials.

1

 23:44

Verifiable Credentials

• Verifiable Credentials (VC) is a standard format for expressing credentials on the web.
• While VC is used heavily in decentralized identity, it is not dependent on DIDs.
• VC can be flexibly used in decentralized environments, as well as hybrid environments that combine federated and decentralized identity.

1

 24:43

Credential Exchange

• In order to facilitate an exchange of credentials, a wallet needs to be able to:
  • Obtain a credential from an issuer.
  • Present a credential to a verifier.
• There is currenlty no broadly interoperable protocol for working with identity wallets from multiple vendors.
• Work is being done in various communities such as Hyperledger and DIG as well as the W3C with credential handler API.

1

 26:05

Verifying Credentials

• Verifying a credential requires a public key, needed to validate the digital signature on the credential.

1

 26:19

DID Resolution

• DIDs resolve through a ledger to a DID document.
• A DID document contains public keys used to securely authenticate and interact with the DID. Additionally, it contains other metadata, such as services associated with the DID.
• Each DID method specifies the interaction with the network.

1

 27:22

Current State & Adoption

1

 27:36

Why Now?

• There are three major factors driving momentum:
  • Privacy
  • Data Protection
  • Mobile Identity

1

 29:03

Bootstrapping a Network

• The flip side of network effects is the chicken and egg problem.
  • Which comes first, the issuer or the verifier?
  • Do individuals come before either?
• Despite the future promise of decentralized identity, it is limited by lack of adoption today.

1

 29:31

Company Mode

• Look for opportunities to introduce where the issuer and verifier are the same.
• Loyalty programs in retail settings or ticketing system such as airlines or rentals.
• Decentralized identity technologies can be adopted incrementally, in combination with existing identity systems to speed deployment and lower costs.

1

 30:05

Industry Mode

• Within existing ecosystems that already have partner relationships with well established governance or regulatory frameworks.
• Goverment, healthcare, and finance are all good examples.

1

 30:38

Global Mode

• This is a 5+ year timeframe, that depends on two key pieces:
  • Technical Convergence
  • Governance

1

 30:54

Technical Convergence

• There are currently over 80+ DID methods defined, as well as the corresponding ledgers.
• Existing wallets typically talk to a single ledger, creating a fractured ecosystem.
• Technical infrastructure and standards need to converge in order to achieve interoperability.

1

 31:26

Governance

• Governance is well established when operating within a company, as well as within existing regulated industries such as healthcare and finance.
• As decentralized identity helps facilitate interactions in other contexts, how do we determine issues of trust, and what do we do when things go wrong?

1

 31:56

What Now?

• Technologists can get involved with the W3C, Decentralized Identity Foundation, and Hyperledger to contribute to technical specifications and interoperability.
• The Trust over IP foundation is bringing together technologists with their social and legal counterparts to address governance questions.