Skip to content

Digital Identity & Self-sovereign Identity (SSI)

Digital identity is a set of attributes that define your identity to an other entity (relaying party). The identity attribute set (assertion of attributes) must be unique from the other entity’s perspective.

Typical identity attributes are: user name, first and last name, address or social security number.

Self-sovereign identity (SSI) is a digital identity concept that provides you a control over your digital identities. Moreover, SSI makes your identity independent of any specific identity authority.

Motivation behind SSI is that currently you share all your identity attributes with every entity and this can be considered as user’s privacy problem.

In the SSI concept a user enrolls/registers themselves with a credential issuer (like Kiuru MSSP or some other platform) which issues credentials (like digital certificates in PKI) & pseudonym to the user. An entity like a service provider uses these credential & pseudonym to verify user’s identity. No other identity attributes are shared. These credential & pseudonym can be based on public keys and certificates or blockchain technology.

In the mobile PKI SSI model the certificate contains a unique pseudonym for the user that the service provider can use to uniquely identify the user. The user owns the pseudonym and can renew and revoke their credential. Therefore, we can say that basic structure of SSI is similar as any PKI based system.

Relation between user, SSI & Pseudonym certificates

In the SSI system, user register into services by using any method that the service uses. The assurance level of the identity is defined by the service itself. Additionally, user can easily affect what identity attributes they share with the service. This reduces the unintended sharing of users’ personal data. This is contrasted with the centralized identity where identity attributes are provided and controlled by some centralized entity like a Certificate Authority.

SSI & Business:

One of the best application area for the SSI is in banking sector, where banks need to know their customers (KYC) according to the legislation. This kind of strong relationship between the bank and its customers can be bound with any strong authentication method. A trusted SSI provider could easily provide a standard authentication technology to a bank, which binds its customer’s authentication and identity attributes to the SSI authentication identity. In this way any banking related attributes are not disclosed to any third party and users can use their authentication mechanism with other online services.

An other business could be mobile network operators (MNO), who could provide the SSI method to their subscribers. Subscribers could register for their new SSI identity themselves and manage their mobile subscription online. Only MNO knows the binding between the pseudonym and your subscription. No other registration methods would be needed. Mobile operators can offer this SSI service to other service providers so that MNO provides only an authentication method with SSI pseudonym.

Enterprises can utilize SSI for their employees by binding intranet user accounts and company credentials to the pseudonym. In this way companies can share any user attributes securely between their internal systems without disclosing any of them to third parties.

SSI means an additional business model stream for Certificate Authorities & Trust Service Provider (TSP). SSI certificate is completely pseudonymous assertion of attributes. Only thing that matters to the other entity is that at next login they see same certificate and pseudonym and the response to the authentication challenge validates correctly with the public key in the SSI certificate.

The CA/TSP business goal of the SSI concept is to issue a large number of certificates by using user’s self registration. The user certificates must be cost efficient and CA can focus to other PKI aspects like easy certificate revocation, renewal or time stamping etc.

Once the SSI business has been started, CA can concentrate to enroll user certificates with more identity attributes. Moreover, CA cannot anymore play a centralized authority role. This is because issued certificates are unique over the mobilePKI service and they can be re-issued at anytime by any other CA.

Summary

SSI enables efficient identity management

  • by decentralizing identity attribute management to service providers,
  • by enabling self-care registration for the users and
  • by allowing user to use single identity credentials without disclosing any private identity attributes
  • by outsourcing identity assurance level to service providers

Mobile PKI based SSI is simple to implement, it provides high security and it is a good starting point for a new Mobile ID service or one extension for the existing Mobile ID service. Methics standard based MSSP has a built-in support for wide variety of SSI profiles.

Feel free to get in touch with us if you want a user-friendly software for your CA/TSP operations.

This is the first post in our article series covering emerging technologies related to digital identification. Check our LinkedIn page for more related topics.,

Publish Date: 18 February 2022
Written and Edited by: Jarmo Miettinen & Ammar Bukhari

References