Self-sovereign Identity: A position paper on blockchain enabled identity and the road ahead

By Ralf Keuper

A few days ago the Bundesblock published another position paper that covers the possible uses of self-sovereign identities (SSI), i.e. digital identities under the control of the user, the current state of development and the outlook ahead.

Definition of SSI:

We use the terminology of SSI, as an identity model that allows an individual or entity to have sole control of their digital identity expressed through the use of one or more decentralised identifiers or “DIDs.” Mindful of the associations that arise from the use of the term “self-sovereign,” we want to clarify that self-sovereign refers to this ability to control the use of one’s identifiers that reveal something about their identity. It does not imply that the power of sovereign actors such as the state or public authorities is weakened by the SSI model. Quite the opposite—SSI allows the state to engage directly with citizens and organizations without depending on a third party.

In their paper the authors argue for the introduction of a universal identity layer:

The introduction of a well-designed, universal identity layer could trigger unprecedented scales of efficiency and trust in the digital space. The current data silo-based ecosystems could be replaced by a new paradigm where self-sovereign individuals and entities have the ability to establish web-of-trust networks outside of the current silos through the entire digital space.

Four (credential) roles are defined:

  • Subject — the individual, entity, or thing that a given Credential is about or relates to
  • Holder — the individual or entity in control of the digital wallet or agent that stores and controls the use of a given Credential; note, the Holder may or may not be the Subject (e.g. a child may be the Subject of a digital passport, but the child’s parent may be the Holder of that passport)
  • Issuer — the individual or entity who issues a given Credential
  • Verifier — the individual or entity who verifies or relies upon a given Credential

In addition, two roles based on DIDs (decentralized identifiers):

  • DID Subject — the individual, entity, or thing that a given DID identifies
  • DID Owner (or Identity Owner) — the individual or entity who holds and controls the private keys associated with that DID

According to the authors, self-sovereign identities are compatible with data protection law, above all the GDPR:

SSI is a powerful tool for privacy protection. In fact, it has a strong visionary alignment with the EU’s General Data Protection Regulation (GDPR). SSI even has the potential to become the foundation for real world achievement of the GDPR’s principles. One objective of the GDPR is to enhance individual data protection rights, just as SSI seeks to provide individuals with more control over their own personal data. A second objective of the Regulation is to enable the free movement of personal data across the European single market and stimulate economic growth, embodied in the right to data portability. SSI also promotes the free flow of data by creating a layer of trust and autonomy around identifiers and Credentials that can be portable by design.

The “right to be forgotten” (Art. 17 GDPR) is not mentioned, a notable gap, since erasure is hard to reconcile with anything anchored in an append-only ledger.

Single sign-on with SSI, as opposed to the usual social login services:

Unlike centralized single sign-on solutions, such as social login services (e.g. Facebook, Google, Twitter, LinkedIn, WeChat), SSI allows for fully decentralized single sign-on, circumventing the core problems of social logins, including vendor lock-in, single points of failure, and correlation and involuntary sharing of meta-data.

New potential business models enabled by SSI:

Reusable and portable Verifiable Credentials could motivate a race-to-the-top for the best or highest quality Issuers for a particular use case. Issuers of Credentials, such as verification services, trust services providers, and other entities that provide Verifiable Credentials can directly compete with each other in offering their services in the market. This effectively creates a B2C market for trusted identity data and attestations, in contrast to the status quo, where services are bound to B2B interactions and associated with high barriers of entry to the market.

With a universal identity layer, digital identities could be used across domains, networks and providers, for people as well as for technical objects (IoT):

With all entities utilizing the universal identity layer built on top of interoperable and open standards, flexible interaction between entities can be enabled with very low friction. Examples can be the interaction of two identity subjects that utilize different client and network solutions (see building blocks), but even more so entities that are different in their nature, such as the interaction between humans and IoT devices or devices and organizations, as well as every other thinkable connection between identity subjects in the SSI model.

For all the merits of self-sovereign identities, technology alone will not be enough:

It also means that we cannot rely on technology alone but that there must also be non-technical measures in place, including laws, regulations, and “off-chain” governance mechanisms, as well as the application of existing legal constructs like guardianship, delegated access, and powers of attorney and other proxy contracts. SSI is not self-sovereign unless it is truly identity for all.

The biggest obstacles, the authors concede, are scaling and user acceptance on the one hand and legal questions on the other. Many providers, up to entire industries, would also have to change their business model. Our current (European) legal system is only partly compatible with the requirements of self-managed sovereign IDs. Recovery of the private key in case of loss remains an open question; since control of the key is what constitutes the DID Owner, losing the key means losing the identity, and any recovery path becomes an attack surface of its own.

The complexity of the solutions would have to drop considerably so as not to overwhelm and deter ordinary users:

… we have to break the status quo of centrally-managed, digital identity where each interaction is routed through a third party. This habit will be very hard to break and requires SSI solutions to be tenfold better as compared to the convenience of centralized identity solutions, while being enriched with the unique capabilities of a universal identity layer.

Learning Machine takes up the same problem in “Digital Identity. A framework for organizing the categories of digital identity and an analysis of where disruptive innovation is most likely to succeed”.

There the authors draw on Clayton Christensen, for whom genuinely “disruptive” innovations are those that make a previously rather exclusive service or product accessible to the broad mass of users, placing great weight on ease of use and low cost/high efficiency (cf. Clayton Christensen: Disruptive and efficiency innovations – The capitalist’s dilemma).

Applied to the market for digital identities:

With disruptive innovation in mind, let’s look at the digital identity problem space from a business strategy perspective. This starts by recognizing that digital identity is not one monolithic sector, but rather a collection of different categories in competition with each other. Access management, regulatory compliance, and Internet accounts are typically considered the three constitutive parts of the identity space.

The reference to Clayton Christensen’s Innovator’s Dilemma supplies some important arguments for why self-sovereign identities (SSI) have not yet spread. As long as the solutions do not offer convenience comparable to today’s services together with a markedly higher level of security (data protection, data security, privacy), at acceptable cost and with little (learning) effort, adoption will indeed be hard going. In a sense, economy and society would be getting a new operating system, and behaviour would in part have to change drastically. This transformation will therefore proceed step by step, in stages.

All in all, a landmark position paper.

This post was filed under Blockchain / Distributed Ledger Technology, Digitale Identitäten.