Trust registries are relics of centralized thinking that undo many of the benefits of decentralized identity. But there is a better way to implementing governance in a verifiable credential ecosystem—and Decentralized Ecosystem Governance is on its way to becoming an open standard thanks to work at the Decentralized Identity Foundation
By Sam Curren
Decentralized identity technologies are about making important data immediately actionable because that data can be trusted. The combination of decentralized identifiers (DIDs), credential schemas and definitions, cryptographic calculation, and tamper-proof distributed ledgers manages to add the missing verification layer to the internet and deliver the privacy and security features that are now essential in the marketplace.
But all these components do not fully negate the need for humans to make decisions about who can be trusted as an issuer of data—and how those decisions are implemented in the workflow of a decentralized, verifiable credential ecosystem.
Many have invoked the idea of a Trust Registry as a service to solve this problem. At Indicio, and now at the Decentralized Identity Foundation, we are turning this idea into a file — a serialized, downloadable collection of all the information relevant to an ecosystem.
The idea of a Trust Registry as a service raises many problems, both technical and governmental. Examples of the former include adding friction to a system of verification whose value is that it is maximally frictionless: If each verification needs to ping a Trust Registry and then wait for approval, the system slows down.
Then we have the issue of offline functionality due to poor internet speeds or outages — how does that work? And we have governance problems: Who governs the Trust Registry so that we can trust it to be inclusive? And how much will this cost? In sum, Trust Registries as a service create bottlenecks in identity governance and risk becoming toll booths on information flows.
These concerns were not theoretical. In the work Indicio did for SITA and the Government of Aruba, it was clear that organizations and governments want to control their verifiable credential ecosystems; sovereign authorities do not want services to do this that are outside their control.
Indicio developed Machine Readable Governance to manage this issue. In essence, keep the Trust Registry, but make it a file in a machine readable format that’s issued by a governance authority for a particular ecosystem that propagates through the agent software in that ecosystem. No bottleneck. No decrease in speed. Can be rapidly updated. And, because the file is cached, there is offline functionality.
We weren’t the only ones thinking along the same lines. Other developers and organizations were working independently on the same solution, including Gabe Cohen with TBD and Daniel Buchner at Block. It made sense to collaborate and establish a community standard, and provide code in open source repositories.
Led by Indicio’s Mike Ebert, this is what is now happening in the Claims and Credentials working group at DIF. It’s called Decentralized Ecosystem Governance—and progress is rapid. As part of this work, we have developed functioning systems that use all the elements below and are involved in efforts to standardize this approach with other interested companies in the space.
Here is a quick summary of the work and status:
Participant Lists (nearly done): This is the portion of governance that designates the participants of an ecosystem — the Issuers and Verifiers involved in credential flows.
Delegated Participants (next under discussion): This allows the involvement of parties who are not explicitly listed as a participant, but rather presenting a credential issued by a listed participant. This enables credential chain support and allows a variety of dynamic and large ecosystems to benefit from this technology.
Action / Workflows (not yet discussed): Enables specific interactions for smooth UX and confident interaction with credentials. Will work with Presentation Definitions and Credential Manifests.
Presentation Definitions -(published): Enables the specification of schemas and other details of credential interactions.
Credential Manifest (published): Enables the specification of workflows related to credential issuance.
Summary: Decentralized Ecosystem Governance does five powerful things:
- It provides a low cost, efficient and error-free way to choreograph the rules for interaction in a jurisdiction.
- It makes a governance framework portable, instead of a centralized trust registry service to verify issuers in real time, a governance authority publishes a governance file that propagates to all the agents in an ecosystem.
- It enables the appropriate governance authority — such as a government or health authority — to directly implement and easily update the applicable rules for how individual data is used.
- It can manage interactions within and across jurisdictions and systems, allowing each governance authority to enact the rule they decide on as important.
- It’s easily updated.
Decentralized Ecosystem Governance makes verifying data an easy-to-play game of red light/green light. And, importantly, it decentralizes governance to the appropriate authorities.