Decentralized ID (DID) and Self-Sovereign Identity (SSI)

- Standardization of Global DID technology enabling user-centric identification

Written by Chunsik Park, a member of DID Alliance Promotion Committee

 (Professor at Ajou University)

These days, Decentralized Identity (DID) is becoming one of the popular blockchain application in the era where data ownership and Self-Sovereign Identity (SSI) concepts are increasingly important for users. In our lifetime, we create and manage various IDs such as national ID, passport, driver's license, etc... We use these IDs (and their associated numbers) in multiple places, including financial institutions, public organizations, shops, online portal or SNS.

At this point, two questions may naturally arise. Can I prove that each ID created and used corresponds to me? Do I really and fully own my identity reflected by these proofs of ID?

First, does the legacy ID system provides enough identification proof of ‘me’? Create and input user ID/password seems to be enough to prove that the ID is mine. That said, technically speaking, I am not proving myself via this process but I just verify that I am the right owner of the corresponding ID. In other words, we only prove our own identity once during the identity verification process that leads to the creation of our IDs. Therefore, the possibility of identity theft exists, which put pressure on entities (relying on identity verification before granting access to or delivering their services) that require additional authentication means. As a result, the current identity system seems not to provide sufficient tool to prove our own identity.

Hereinafter, let’s review whether the ID that I create and use truly belongs to me. For example, before purchasing goods in an online shopping mall, I need to create ‘my’ ID related to the online shopping mall. To what extent the created ID corresponds to the real ‘me’? If there is a direct connection between ‘me’ and this created ID, and if the created ID is equal to ‘me’, I should be able to prove myself anywhere else using this ID.

Nevertheless, the reality is quite different. The personal information related to the creation of my ID is stored by the entity where I registered my ID. The latter is managed and exchanged between entities, and in federated ID systems cases, the ID can be reused by other entities. In other words, the ID that I create and use is being utilized by entities for managing subscribers. Thus, the real owner of the ID that I created to get access to the service provider is not me but the service provider itself.

In terms of solution, the European Union was among the first governmental body to strengthen the user’s personal information protection via the General Data Protection Regulation (GDPR). Such regulation enhanced the protection of user’s rights, which fosters means to prove our own identity. In that regards, the concept of Self-Sovereign Identity (SSI) is compelling as it enables users to take the control back over their own identity. Meanwhile, DID specifications and standards became main topics in major tech. organizations such as the World Wide Web Consortium (W3C), which is the main international standards organization for the World Wide Web. The development of the Decentralized Identity technology is opening new possibilities in the identity industry: I can truly prove myself by using the ID that I created through my personal information. DID is not only a theoretical concept only being discussed in research center as this innovative technology also attracts a growing number of companies that are actively looking for implementing it in their business.

In order to solve the issues involved by the use of existing ID systems, which are centered on actual service providers, several consortiums, based on user-centric DID concept and Distributed Ledger Technology (such as the blockchain), are being formed. In this context, interest in the DID technology has soared in Korea this year, and the Financial Services Commission (equivalent of the SEC in the US) accepted DID as an exceptional case in terms of regulation restriction among the innovative financial services. Nevertheless, it is undeniable that the DID technology is still in its early stage. Therefore, various DID infrastructures are being elaborated, leading to the development of different approaches that are isolated from each other. That said, developing independent DID infrastructures isolated from each other may lead to interoperability issues that legacy ID systems are facing.

That is the reason why it is highly desirable to discuss interoperability and application between DID infrastructures. Such discussions have been initiated on June 26 via the ‘Blockchain Distributed Authentication Technology Seminar’ co-hosted by Korea FIDO Forum and Korea PKI Forum. In order to speed up the application of DID in our daily life, it is necessary to gather various companies and interested parties in a consortium aiming at fostering these public discussions and study group on DID technology specifications. Sharing our knowledge and our experiences will help establish the Decentralized Identity as an international standard, which is the key for spreading the technology around the world. In addition, in this effort of standardization, not only a consortium but also an Alliance would be needed to build an international cooperative system.