In the physical world, people collect and manage identity credentials from various sources including governments, financial institutions, schools, businesses, family, colleagues, and friends. They also assert information themselves. These various credentials serve different purposes. People collect them and present them in various contexts. When presented, the credential verifier is free to determine whether to trust the credential or not.
Online, identity doesn’t work that way. Online identity has traditionally been single-source and built for a specific purpose. So-called “identity providers” authenticate people with usernames and passwords and supply a fixed, usually limited, set of attributes about the subject of the identity transaction. The identity information from these systems is usually used within a specific, limited context. Social login lets it be used across contexts, but the kind of information shared is limited and its provenance is often difficult to determine. These identity systems are not interoperable, making it hard to combine attributes from one with those of another. Consequently, online identity is one-dimensional and has limited value. At Sovrin we’re changing that.
Sovrin doesn’t give you an identity; we’re not an identity provider. Rather, Sovrin enables a rich ecosystem of third-party credentials, just as in the physical world. Your identity in Sovrin is represented by a collection of relationships along with credentials from many trusted sources. I call this “multi-source identity.” Multi-source identity is decentralized in ways that single-source identity systems can never be. Decentralization enables a richer set of identity transactions, supports ad hoc, emergent use of credentials, and ensures that an identity owner is never at the mercy of a single identity authority.
Multi-source identity emphasizes relationships rather than identifiers. Identifiers still exist, but they are not the primary focus. In Sovrin, each relationship is established by an exchange of pairwise, pseudonymous identifiers: each party creates an identifier for that one relationship, so the same identifier is never reused with another party. Each identifier is bound to a public-private keypair, so either party can authenticate the other and the two can communicate privately and confidentially.
Mutual exchange of keys is a big step up from the typical TLS-protected transaction on the Web, where only the server is cryptographically authenticated (TLS supports client certificates, but they are rarely deployed for end users). In Sovrin, mutually authenticated connections are built into every relationship. When you use Sovrin to authenticate with your bank, they know it’s you and you know it’s them. Rather than an asymmetric arrangement where one side authenticates itself with cryptography and the other with a mishmash of usernames and passwords, both sides authenticate each other with the same strong public-key mechanism.
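To make the relationship model concrete, here is an added example (not code from this post or from Sovrin) of a pairwise, mutually authenticated connection: each party generates a keypair for this one relationship, derives a pseudonymous identifier from it, exchanges identifier and public key with the peer, and the two then authenticate each other by signing the peer’s challenge. The `did:example:` prefix, the identifier derivation, and the signed message layout are assumptions made for illustration; they do not follow Sovrin’s DID method or its connection protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is one side of ONE relationship. The keypair is generated per relationship, so the same
// person holds a different Party, with a different identifier, for each peer.
type Party struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv, Pub: pub}, nil
}

// PairwiseID is a pseudonymous identifier derived from the relationship key. The "did:example:"
// prefix and the derivation are placeholders (assumed here), not Sovrin's DID method.
func (p *Party) PairwiseID() string {
	sum := sha256.Sum256(p.Pub)
	return "did:example:" + hex.EncodeToString(sum[:16])
}

// Connection is what each side records about its peer once identifiers and keys are exchanged.
type Connection struct {
	PeerID  string
	PeerPub ed25519.PublicKey
}

// Connect models the identifier/key exchange. It is assumed to happen over a channel both sides
// already trust, for instance a QR code scanned in person.
func Connect(a, b *Party) (Connection, Connection) {
	return Connection{PeerID: b.PairwiseID(), PeerPub: b.Pub},
		Connection{PeerID: a.PairwiseID(), PeerPub: a.Pub}
}

// authMessage binds a response to the nonce and to both identifiers, so a signature cannot be
// replayed into another relationship or reflected back at the party that produced it.
func authMessage(nonce []byte, proverID, verifierID string) []byte {
	return []byte("auth|" + proverID + "|" + verifierID + "|" + hex.EncodeToString(nonce))
}

// Prove answers a challenge with a signature under this relationship's private key.
func (p *Party) Prove(nonce []byte, verifierID string) []byte {
	return ed25519.Sign(p.priv, authMessage(nonce, p.PairwiseID(), verifierID))
}

// Check verifies a peer's response against the key recorded for this connection.
func (c Connection) Check(nonce, sig []byte, myID string) bool {
	return ed25519.Verify(c.PeerPub, authMessage(nonce, c.PeerID, myID), sig)
}

func newNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// MutualAuth runs the challenge-response in both directions with the same mechanism: there is no
// certificate side and no password side.
func MutualAuth(a *Party, aConn Connection, b *Party, bConn Connection) error {
	nb, err := newNonce() // b challenges a
	if err != nil {
		return err
	}
	if !bConn.Check(nb, a.Prove(nb, b.PairwiseID()), b.PairwiseID()) {
		return fmt.Errorf("%s failed to authenticate to %s", a.Name, b.Name)
	}
	na, err := newNonce() // a challenges b
	if err != nil {
		return err
	}
	if !aConn.Check(na, b.Prove(na, a.PairwiseID()), a.PairwiseID()) {
		return fmt.Errorf("%s failed to authenticate to %s", b.Name, a.Name)
	}
	return nil
}

func main() {
	alice, _ := NewParty("Alice")
	bank, _ := NewParty("Bank")
	aConn, bConn := Connect(alice, bank)
	fmt.Println("Alice <-> Bank:", MutualAuth(alice, aConn, bank, bConn)) // <nil>
	mallory, _ := NewParty("Mallory")
	fmt.Println("Mallory as Alice:", MutualAuth(mallory, aConn, bank, bConn))
}
```

`MutualAuth` returns nil for Alice and her bank, but an impostor who lacks the key Alice generated for that relationship is rejected in the first step, and a second `Party` that Alice creates for her employer yields a different identifier, so the employer and the bank cannot match her up by identifier alone. The nonce, the prover’s identifier and the verifier’s identifier are all inside the signed message; dropping any of them reopens replay, or reflection of a signature from one relationship into another.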
Your digital identity is made from credentials from multiple sources. You might have a Sovrin-based relationship with your bank. They could provide a Sovrin credential stating that you’re a customer and maintain a certain balance. Similarly, you could have a relationship with your employer and an employer-issued credential stating that you’re an employee. And you likely have a relationship with the state, and credentials it issues representing your birth certificate or driver’s license. The list goes on. You could have hundreds of relationships and associated credentials in your wallet. You can use any of these, in many combinations, to prove things about yourself (with minimal disclosure) to any other party who accepts them.
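Combining credentials from several sources while disclosing only what a verifier needs can be shown in code. The following is an added example and is not Sovrin’s credential format (which this post does not describe): it uses a simple salted-hash commitment scheme in which an issuer signs one commitment per attribute, the holder reveals only the attributes a verifier asks for, and the verifier checks the issuer’s signature and recomputes the revealed commitments. The issuer names, attribute names and the `TrustList` type are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Issuer is one credential source (bank, employer, state); keys are generated in-process for the demo.
type Issuer struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewIssuer(name string) *Issuer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	return &Issuer{Name: name, priv: priv, Pub: pub}
}

// Credential is what the holder stores and, after Present, what it sends. The signature covers the
// sorted commitments, never the clear values, so it stays valid when only a subset is revealed.
type Credential struct {
	Issuer      string
	Values      map[string]string // in the wallet: all attributes; in a presentation: revealed ones
	Salts       map[string][]byte // per-attribute salts; only the holder knows them
	Commitments []string          // sorted hex commitments, one per attribute
	Signature   []byte
}

// TrustList is the verifier's own policy: which issuers it accepts (assumed type, for the demo).
type TrustList map[string]ed25519.PublicKey

// commit hashes the salt with the length-prefixed name and the value. The salt stops a verifier
// from guessing low-entropy values ("customer=yes") behind commitments it was not shown.
func commit(name, value string, salt []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%x|%d:%s|%s", salt, len(name), name, value))))
}

func signedPayload(issuer string, commitments []string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%v", len(issuer), issuer, commitments))
}

func (i *Issuer) Issue(attrs map[string]string) Credential {
	cred := Credential{Issuer: i.Name, Values: map[string]string{}, Salts: map[string][]byte{}}
	for name, value := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt) // crypto/rand.Read never returns an error as of Go 1.24
		cred.Values[name], cred.Salts[name] = value, salt
		cred.Commitments = append(cred.Commitments, commit(name, value, salt))
	}
	sort.Strings(cred.Commitments) // canonical order; map iteration order is random
	cred.Signature = ed25519.Sign(i.priv, signedPayload(i.Name, cred.Commitments))
	return cred
}

// Present keeps, per credential, only the attributes the verifier asked for by name; credentials
// it did not ask about are not sent at all.
func Present(creds []Credential, reveal map[string][]string) []Credential {
	var out []Credential
	for _, c := range creds {
		if len(reveal[c.Issuer]) == 0 {
			continue
		}
		p := Credential{Issuer: c.Issuer, Values: map[string]string{}, Salts: map[string][]byte{},
			Commitments: c.Commitments, Signature: c.Signature}
		for _, n := range reveal[c.Issuer] {
			if v, ok := c.Values[n]; ok {
				p.Values[n], p.Salts[n] = v, c.Salts[n]
			}
		}
		out = append(out, p)
	}
	return out
}

// Verify checks each presented credential against the trust list and returns the accepted
// attributes keyed by issuer. Unrevealed attributes stay hidden behind their commitments.
func Verify(pres []Credential, trusted TrustList) (map[string]map[string]string, error) {
	out := map[string]map[string]string{}
	for _, p := range pres {
		pub, ok := trusted[p.Issuer]
		if !ok || !ed25519.Verify(pub, signedPayload(p.Issuer, p.Commitments), p.Signature) {
			return nil, fmt.Errorf("credential from %q rejected: untrusted issuer or bad signature", p.Issuer)
		}
		out[p.Issuer] = map[string]string{}
		for name, value := range p.Values {
			c := commit(name, value, p.Salts[name])
			if i := sort.SearchStrings(p.Commitments, c); i == len(p.Commitments) || p.Commitments[i] != c {
				return nil, fmt.Errorf("%q from %q is not covered by the signature", name, p.Issuer)
			}
			out[p.Issuer][name] = value
		}
	}
	return out, nil
}
```

With a bank credential carrying `customer` and `balance_tier` and an employer credential carrying `employer` and `title`, a presentation to an airline that asks only for `customer` and `employer` never sends the other two values; a holder who edits a revealed value fails the commitment check, and a credential signed by an issuer outside the verifier’s trust list is rejected. One limitation is worth knowing: the signature and commitment list are identical in every presentation, so two verifiers can correlate the holder by comparing them. Production anonymous-credential schemes avoid this by proving possession of the signature in zero knowledge rather than revealing the signature itself.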
Multi-source identity allows for flexible and complex identity transactions — just like in the physical world. To see some examples of this, take a look at these two videos.
In the first, the identity owner, a recent college graduate, collects credentials from the government, her college, her employer, and her bank. The credentials are used in sequence: she uses her government ID to get her college transcript, the transcript to apply for a job, and then the employment verification credential to apply for a loan.
In the second, the identity owner has credentials from his telco, his bank, and the driver’s license division. He connects to an airline and uses these credentials together to provide passenger information so that he can buy a ticket and get a boarding pass (which is itself issued as a Sovrin credential).
These are just a few examples of how multi-source identity enables online identity transactions that are nearly impossible to imagine using the single-source identity systems of the past. The Internet enabled a rich, decentralized ecosystem of message exchange that could never have been supported by the walled gardens of Compuserve and AOL. Similarly, Sovrin enables a richer, decentralized ecosystem of identity transactions that can never be realized with the single-source identity systems we’ve used to date. That’s why I call Sovrin the Internet for Identity.
If you’re interested in exploring the details of how this works, please see the Sovrin whitepaper.
- Credentials may be too strong a word for some of the documents we treat as identity documents. For example, a note from a parent to a teacher about a child might not be considered a “credential” by most people, but it would qualify in what I’m trying to describe. In the interest of succinctness, I’ll just use it for this post.
- I was recently reminded of a paper on Personal Channels that Drummond Reed and I wrote back in 2012. In it we list ten benefits of personal channels. Most of these are relevant to multi-source identity and relationships as envisioned in Sovrin.
- Both of the demos in these two videos are real — they are not conceptualizations or mockups, but are using Sovrin’s test network for the DID and verifiable credential exchange.
Photo Credit: Audio Mixer from pxhere (CC0)
Originally published at www.windley.com.