
The rise of federated identities (Google, Facebook, eID, itsme, …) made onboarding in CIAM (Customer Identity and Access Management) environments a lot easier. A federated identity differs from a central identity in that it is not managed by the organisation providing the service: my federated identity is not stored in my employer's AD system. But let it be clear: federation is powerful and, used in the right way (as we will see below), it is core to CIAM.

For example, itsme, although owned by the banks, can be used to sign on to over 800 companies in Belgium. Google, Facebook and other social networks provide similar services that are accepted almost everywhere on the internet and that are based on the same technology. But all that glitters is not gold.

We all know what happened with Facebook and Cambridge Analytica. But do we also know what many organisations do with customer data? Do we realise that many commercial organisations build their business on our personal data rather than on the goods they sell?

If used without considering the privacy of the end user, federation can be a seven-headed beast. Every federated identity provider sits in the middle of each login, so it knows exactly where we sign on and which data we expose. That is probably not what we want.

Decentralised Identity

A decentralised identity is basically an identity that is created and controlled by the end user, say a customer in a CIAM environment. But wait a minute: can I then claim that I am Joe Biden, with no way for you to verify it? No, that is obviously not how it works. A decentralised identifier (DID) is a random-looking identifier that holds no information about the person who created it. But because it is bound to a public/private key pair (the public key is published in the DID document that the DID resolves to; no certificate authority is involved), I can prove the DID is mine without revealing who I am. Look at it as a certificate (like the one on your eID card) that says nothing about you.

And here comes the magic. With this DID I can now go to any organisation (public, private, government) that holds information about me. We call them Identity Providers (IdPs); the W3C Verifiable Credentials data model calls them issuers. E.g. I go to a government website, sign in with my eID and prove my identity, and the government issues me a credential whose subject is my DID. I have just obtained a Verifiable Credential (VC). The VC is signed by the issuer and names my DID as its subject, which binds it to my key pair. I can leave this VC lying around because nobody else can present it as their own: that requires the private key associated with my DID (they could still read it, so a wallet must protect VCs at rest). The VC can be revoked by the issuer, or simply discarded by me, without invalidating the DID or any other data associated with it. Try doing that with eID.

Given that I can find the right identity provider, I can now link other data to my DID: a driver's licence, a university diploma, a boarding pass, a hotel reservation, a covid vaccination certificate, basically anything I want to share.

Where is VC Connect?

We all know numerous sites where we can log in with Google, Facebook and even itsme, but what about my Verifiable Credential that proves I am a qualified professional? Sorry, no: you will have a hard time finding such a site.

Europe has launched several initiatives to promote SSI (Self-Sovereign Identity). SSI is the term for the model in which a person controls a DID and the associated VCs and uses them to sign on to a service, instead of relying on a central or federated identity provider.

There is ESSIF, the European Self-Sovereign Identity Framework. It still needs to take shape, but it is a platform on which SSI partners can come together. It is built on EBSI (European Blockchain Services Infrastructure), a platform where enterprise DIDs can be registered. Just like our personal DIDs, enterprises use DIDs to prove who they are, and EBSI is the trust registry where a customer, or the service verifying a credential, can check that data, for example that the DID that signed a diploma really belongs to an accredited university. Some people may get the shivers hearing the word "blockchain". No worries: in closed environments, which is what we will be facing in the coming years, there is no need for a real blockchain. Any shared repository that the participants trust and whose integrity is protected will do just fine, because that registry is the root of trust for the issuer keys.

Does this sound complicated? Well, no. It is all based on existing technology, and organisations might be surprised at how close they are to adopting it. The answer lies in wallets.

Where did I put my Wallet?

A wallet is an application that usually runs on your mobile device. Look at it as a digital version of your classic wallet: it holds currency, identity information, a driver's licence, a diploma and anything else you might need at some point.

Basically all this data is in VC format, but most wallets will let you store just about any data (e.g. a picture of your cat). Europe has released a specification and conformance testing services for EBSI-based wallets.

When you try to access an SSI-enabled service, the SP (Service Provider) will ask you to present some VCs, just like Google, Facebook or itsme ask for your e-mail address. It is essentially the same flow. Under the hood, wallets use OIDC (OpenID Connect) to present your data, or more precisely the OpenID for Verifiable Presentations (OpenID4VP) and SIOPv2 extensions of it. You either give consent or you don't, just like you would for OIDC. The difference is that the data presented to the SP comes in VP (Verifiable Presentation) format. A VP is not an access token: it is a signed envelope, returned in the vp_token response parameter, that wraps one or more VCs together with the challenge (nonce) and domain the SP put in its request, so a captured VP cannot be replayed at another SP or in another session.

So, where is it different from OIDC?

A VP is constructed and signed by your wallet, not by Google, Facebook or a government. You sign it, not a third party. That is fine, because every VC it contains was signed by a trusted issuer anyway; what your signature adds is the proof that the VCs are bound to you (their subject DID is yours, and you hold the key) and that this presentation was made for this SP and this request.

So there is a bit of a difference from standard OIDC. We call it SIOP, Self-Issued OpenID Provider, because you have just become your own identity provider. It is not a huge difference, but the SP must be prepared for it: instead of trusting one IdP signing key, it has to resolve the holder's DID to a public key, verify the VP and every VC inside it, check each issuer against a trust registry, check that each VC is bound to the presenter, and check revocation.
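The chain described above (a DID bound to a key pair, a VC signed by the issuer with the DID as subject, and a holder-signed VP checked by the SP) is easier to see in code. The following is an added example and not code from this page, EBSI or ESSIF. To run on the Python standard library alone it uses a toy Schnorr signature over a 2027-element group in place of the Ed25519 or secp256k1 keys real DID methods use; the "did:toy" method (which, like did:key, carries its public key in the identifier), the sample credential, the SP domain "https://sp.example" and the in-memory issuer allowlist standing in for an EBSI lookup are all constructed for illustration.

```python
"""Toy DID -> VC -> VP flow with a SIOP-style verifier (added example, not the page's code).

Signatures are a toy Schnorr scheme over a 2027-element group so the file runs on the
standard library; real DID methods use Ed25519, secp256k1 or P-256 plus a DID document.
The did:toy method, the sample credential and the SP domain are constructed for illustration.
"""
import hashlib
import json
import secrets

P, Q, G = 2027, 1013, 4   # safe prime p = 2q + 1; g = 2^2 generates the order-q subgroup

def _challenge(r: int, message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + message).digest(), "big")

def keygen():
    """Return (private x, public y = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x: int, message: bytes) -> dict:
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge(pow(G, k, P), message)
    return {"e": e, "s": (k - x * e) % Q}

def verify(y: int, message: bytes, sig: dict) -> bool:
    r = pow(G, sig["s"], P) * pow(y, sig["e"], P) % P   # g^s * y^e == g^k when the signature is genuine
    return _challenge(r, message) == sig["e"]

# did:toy carries its own public key (like did:key), so resolution needs no registry.
def did_from_pubkey(y: int) -> str:
    return f"did:toy:{y}"

def resolve(did: str) -> int:
    return int(did.split(":")[2])

def canonical(doc: dict) -> bytes:
    """Deterministic bytes of the document without its proof: this is what gets signed."""
    body = {k: v for k, v in doc.items() if k != "proof"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def attach_proof(doc: dict, private_key: int, verification_method: str, **options) -> None:
    proof = {"type": "ToySchnorrSignature", "verificationMethod": verification_method, **options}
    proof.update(sign(private_key, canonical(doc) + canonical(proof)))  # options (challenge, domain) are signed too
    doc["proof"] = proof

def check_proof(doc: dict) -> bool:
    proof = dict(doc["proof"])
    sig = {"e": proof.pop("e"), "s": proof.pop("s")}
    key = resolve(proof["verificationMethod"].split("#")[0])
    return verify(key, canonical(doc) + canonical(proof), sig)

def issue_credential(issuer_did: str, issuer_key: int, subject_did: str, claims: dict) -> dict:
    """Issuer side: a W3C-style VC whose credentialSubject.id is the holder's DID."""
    vc = {"@context": ["https://www.w3.org/2018/credentials/v1"],
          "type": ["VerifiableCredential", "ProfessionalQualificationCredential"],
          "id": f"urn:uuid:{secrets.token_hex(8)}", "issuer": issuer_did,
          "credentialSubject": {"id": subject_did, **claims}}
    attach_proof(vc, issuer_key, issuer_did + "#key-1")
    return vc

def present(holder_did: str, holder_key: int, vcs: list, nonce: str, audience: str) -> dict:
    """Wallet side: wrap VCs in a VP signed by the holder for this SP (domain) and this request (nonce)."""
    vp = {"@context": ["https://www.w3.org/2018/credentials/v1"], "type": ["VerifiablePresentation"],
          "holder": holder_did, "verifiableCredential": vcs}
    attach_proof(vp, holder_key, holder_did + "#key-1", challenge=nonce, domain=audience)
    return vp

def verify_presentation(vp: dict, nonce: str, audience: str, trusted_issuers: set, revoked: set) -> list:
    """SP side. Returns the list of failed checks; an empty list means accept."""
    problems, proof = [], vp["proof"]
    if proof.get("challenge") != nonce or proof.get("domain") != audience:
        problems.append("vp: challenge/domain mismatch (replay?)")
    if proof["verificationMethod"].split("#")[0] != vp["holder"] or not check_proof(vp):
        problems.append("vp: holder signature invalid")
    for vc in vp["verifiableCredential"]:
        if vc["issuer"] not in trusted_issuers:                    # stands in for an EBSI registry lookup
            problems.append(f"{vc['id']}: untrusted issuer")
        if vc["proof"]["verificationMethod"].split("#")[0] != vc["issuer"] or not check_proof(vc):
            problems.append(f"{vc['id']}: issuer signature invalid")
        if vc["credentialSubject"]["id"] != vp["holder"]:         # holder binding: the VC is about the presenter
            problems.append(f"{vc['id']}: not bound to presenter")
        if vc["id"] in revoked:                                     # issuer-published revocation status
            problems.append(f"{vc['id']}: revoked")
    return problems

def demo() -> dict:
    """Happy path plus four failure modes; returns the verifier's verdict for each."""
    issuer_key, issuer_pub = keygen()
    holder_key, holder_pub = keygen()
    thief_key, thief_pub = keygen()
    while thief_pub in (issuer_pub, holder_pub):   # the toy group is tiny; avoid an accidental key collision
        thief_key, thief_pub = keygen()
    issuer_did, holder_did, thief_did = map(did_from_pubkey, (issuer_pub, holder_pub, thief_pub))
    trusted, revoked = {issuer_did}, set()
    vc = issue_credential(issuer_did, issuer_key, holder_did, {"profession": "nurse"})
    nonce, sp = secrets.token_hex(16), "https://sp.example"   # what the SP put in its (OpenID4VP) request
    def check(vp): return verify_presentation(vp, nonce, sp, trusted, revoked)
    tampered_vc = json.loads(json.dumps(vc))
    tampered_vc["credentialSubject"]["profession"] = "surgeon"   # edited after issuance
    results = {"ok": check(present(holder_did, holder_key, [vc], nonce, sp)),
               "stolen": check(present(thief_did, thief_key, [vc], nonce, sp)),   # copied VC, no holder key
               "replay": check(present(holder_did, holder_key, [vc], "old-nonce", sp)),
               "tampered": check(present(holder_did, holder_key, [tampered_vc], nonce, sp))}
    revoked.add(vc["id"])
    results["revoked"] = check(present(holder_did, holder_key, [vc], nonce, sp))
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict or 'accepted'}")
```

The point of the five cases in `demo()` is the SP-side checklist: a stolen VC fails only on holder binding (the thief can sign a VP, but the VC names someone else's DID), a replayed VP fails on the nonce even though every signature is valid, an edited claim breaks the issuer's signature, and revocation is a separate registry check that no signature verification replaces.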

Conclusion

SSI and DIDs are promising technologies that may change the way we do online transactions. Major IAM vendors already have promising technology and several solutions are in place, but these things will need some time to converge.
