By Tim Spring
One of the ironies of decentralized identity is that while it radically simplifies data sharing and verification, it does so by way of new and mostly unfamiliar technical terms. Most people will never need to know the meaning of any of these terms, they will simply enjoy the seamless benefits, privacy protection, and security that the technology delivers; but as this technology is increasingly deployed, a quick lexicon of essential concepts and terms will help businesses and organizations get a better grasp of the digital transformation now on tap.
Imagine that every time you wrote something in a special notebook, the exact same note appeared in a dozen other notebooks in a variety of different places. If you lost your notebook, you’d still be able to access an exact copy of what you had written. If you tried to change what you wrote (or someone with access to another notebook tried to change what you wrote), the note, the record, would break — and everyone could see that it was broken.
Turn that notebook into a database and that’s what a distributed ledger is: a network of ledgers for recording information in a way that creates a consensus about that information. As there are multiple copies of the one ledger in different locations, we say it is “distributed” or “decentralized” (in contrast to holding information on a single, centralized database).
A distributed ledger provides transparency (everyone can see what you’ve written), immutability (you can’t change what you’ve written), and resilience (there are multiple copies of what you’ve written). Information written to a distributed ledger is often described as a “write to the ledger” or a “record” or a “transaction.”
A blockchain is a type of distributed ledger. It assembles records into time-stamped blocks that are chained together chronologically through an encrypted hash, hence a “blockchain.” This block is validated and duplicated on multiple ledgers. All this happens rapidly. Blockchains are constantly adding new blocks.
If you try to alter information in one block, the encrypted hash changes and the chain breaks. If you try to enter new information between blocks, the chain breaks. To alter a blockchain on one ledger, you would have to successfully hack and alter all the blocks at once. But then that blockchain would be out of consensus with all the other copies of the ledger. You would then have to persuade every other copy of the ledger that your altered copy was the correct copy. This is not impossible but it would be exceptionally difficult to do — and orders of magnitude more difficult than stealing a password and accessing a conventional database.
While all blockchains use distributed ledgers, not all distributed ledgers are blockchains. Similarly, while blockchain found its first application in supporting Bitcoin, where it is used to record and validate ledger transactions (a process which allows new Bitcoin to be created or “mined”), not all blockchains are cryptocurrency blockchains or need the energy-intensive mining functionality. Blockchain-based distributed ledgers used for decentralized identity can be used to issue millions of identity credentials with just one write to the ledger, while verification requires no more energy than a web search.
In Web 2.0, your digital identity is the product of multiple user accounts, usernames, and passwords, all of which are tied to centralized databases. Some of these digital identities are federated, meaning you can use your identity across multiple sites (e.g., your Facebook or Google account can be used to access different sites). All these digital identities are leased, meaning you don’t own them, the identity provider owns them. In exchange for an identity, we share our personal data with the identity provider and often the right of the provider to use that data to track our behavior online. The advertisements that follow us across multiple sites are a common example of this data surveillance in action. At the same time, the security risks that come with this way of managing identity are considerable: stealing usernames and passwords has become a major source of identity fraud requiring ever more complex systems for managing security.
Decentralized identity replaces centralized and federated ways of doing identity. It allows us to prove who we are without a third party cross-checking our personal data or passwords against information it already stores. Instead, cryptographic information about our digital identity credential is written to a distributed ledger and that information is able to definitively prove the source of the credential (i.e., who issued it) and that the personal information held in the credential hasn’t been tampered with. It may be easier to grasp decentralized identity by what it sets out to achieve:
- You can hold personal data without anyone else having access to it.
- You can consent to share that personal data (either wholly or selectively) and be able to share that data in ways that enable maximal privacy.
- Someone else can verify your data without a direct integration between their database and the database belonging to the issuer of the credential (which is a complex and expensive process).
- This can all work on mobile devices in a simple, seamless way that is “transport agnostic” (which is to say isn’t dependent on any one communications channel) and which effectively means your phone can host an API (only better than an API).
To understand the mechanisms by which all this works requires understanding the interplay between credential issuers, decentralized identifiers, digital signatures and cryptography, verifiable credentials and distributed ledgers, and holders and verifiers. That’s a lot to take in! And it’s one of the reasons people struggle to “see” how decentralized identity works from reading about it; there are a lot of unfamiliar concepts and components working together simultaneously to deliver multiple benefits. The good thing is that it’s a lot easier to see decentralized identity in action than it is to read about it, so if interested, we recommend watching this video on its application in finance, which has a demonstration of what using a digital credential looks like.
Still, it’s helpful to have a quick review of some of the components.
There are three roles in decentralized identity: those who issue credentials, those who hold them and present them to — those who verify them. Each of these roles has its own dedicated software for issuing, holding and presenting, and verifying. We refer to this software as an “agent” — as it acts on your behalf and in your interest. Agent software can be mobile or cloud based so, for example, you would use a mobile agent in a digital wallet application to receive, store, and present credentials. If you don’t have a phone, you would use the web to access a cloud agent that would execute the same responsibilities.
Verifiable credentials are digital credentials that are cryptographically signed. This signature means you can prove their integrity, that they haven’t been altered, and their source (i.e., the authority that issued them). A verifiable credential is similar to a physical identity credential, such as a driver’s license or passport. But the verifiable credential has specific digital benefits compared to other kinds of digital ID: In addition to being able to authenticate the source of the credential and determine the integrity of the information in the credential, the credential and its information can be shared over an encrypted, authenticated communication channel. This adds another layer of security because it means that the person or entity you are interacting with can only be the source of the credential they’ve presented.
It’s important to note that verifiable credentials aren’t just about proving conventional identity; they are much more expansive: anything that can be given an identity can share data in a trusted way — as long as that information can be sent via a credential. This means devices and machines can be authenticated for sharing important data.
Decentralized Identifiers (DIDs)
Decentralized Identifiers or DIDs are a new open web standard approved by the World Wide Web Consortium (W3C) to enable verifiable, decentralized identities. If a device has an IP address and a website, a URL or web address, the digital identity of someone or something begins with a unique DID. Technically, a DID is a URI (a uniform resource identifier), meaning it identifies some resource.
What makes DIDs different from IP addresses and URLs is that anyone with agent software can create one: they are not leased from a third party or controlled by a centralized organization (as emails and user accounts are), hence they are decentralized.
There is no limit on the number of DIDs that can be created, and this means that there is no need to reuse them for sharing verifiable credentials. DIDs also create their own communications channel, known as DIDComm for direct, peer-to-peer communication between DIDs.
It’s as if you were able to create a unique email address for each email, send it across a direct, encrypted communications channel to each recipient, and the recipient could verify that it came from you — all independent of an email provider. This means that interactions between DIDs are non-correlating, which has important security implications.
DIDComm is a powerful way to manage complex information flows as it enables people with mobile devices to fully participate in seamless, secure digital interaction (currently impossible, as APIs cannot interact with mobile devices or be used by people).
Web3 denotes what many people see as the next iteration of the internet, which will include decentralization technologies and token-based economics in an effort to provide more scalability, privacy, and data security for the end user.
A cryptocurrency is any currency designed to be exchanged over computer networks with no central authority over the currency. Often built on blockchain technology, these currencies use a decentralized system to verify that both parties have the funds they claim to when completing a transaction, and records the transaction so anyone can verify.
Non-fungible tokens (NFTs) are unique identifiers used to certify the ownership and authenticity of an asset. NFTs are different from crypto currencies because they reference specific digital files, for example 1 bitcoin is the same as any other bitcoin, but 1 NFT is not the same as any other NFT.
A Trusted Digital Ecosystem describes parties interacting with each other using verifiable credentials. Parties issue, share, and verify high-value data in a direct, secure, and privacy-preserving way that enables the data and its source to be trusted.
Trusted Digital Ecosystems remove the need for direct integrations between different data systems, avoid the need for third parties to store personal data, enable mobile devices to function as highly secure APIs, and transform how we create and manage digital relationships.
This list is by no means comprehensive, but we hope it gives you a good starting point. If you have specific questions or would like to learn more please feel free to contact our team.