In an age of individualism, self-determination has never been more important. Such a mindset has also entered the digital world. What makes us truly unique as individuals is certainly our personal data – information requiring protection and ideally the option to manage it ourselves. This is now possible thanks to SSIs – self-sovereign identities.
What does SSI stand for?
Self-sovereign identities allow private individuals or organisations to generate a digital identity. What makes SSI technology unique is that users can decide for themselves whether to share their identity and how much they want to reveal about themselves. The German federal government is supporting this SSI approach through its initiative to establish a digital identity ecosystem. The technology relies on tried and tested security mechanisms such as 2FA (two-factor authentication). This model is widely used in areas such as ID proofing, which is frequently used for setting up online bank accounts. The fundamental aspect of SSIs is that the person is at the centre. They have full control and can determine who gains access to which of their data.
Components of a self-sovereign identity
But what does an SSI (self-sovereign identity) consist of precisely? Three elements make it possible to independently administer personal data.
This is who ‘issues’ the identity. The issuer is usually the state, who produces documents like IDs and passports. In theory, however, it is possible for anyone to create a proof of identity and thus be the issuer of certificates. It is therefore important for the certificates and their production to be strictly controlled and regulated so that not just anyone can create such certificates. An example of a document that is far removed from state IDs is a university certificate to indicate that someone holds an academic degree. Such a certificate in the analogue world is usually provided with a seal or special patterns on the paper to allow its authenticity to be verified. When it comes to the digital sphere, it is private cryptographic keys that provide proof in the SSI ecosystem as an elementary part of the public key infrastructure. Digital certificates that work according to this principle are already used today for electronic signatures and can be easily adapted to new uses.
The holder is usually the person who owns an identity wallet; the one who requests and manages the documents that are to be verified. The basic idea of self-sovereign identity management is implemented in the wallet. This is where every person can determine which information from the documents they have stored there can be viewed. After all, a digital wallet holds not just our ID, but also has plenty of space for other certificates and documents. Users can place all sorts of credentials in their wallets. If a third party wants to see an applicant’s English grade, for instance, the user can go to their wallet and only allow this grade to be viewed without having to disclose all their other school grades. This mechanism works in just the same way with online shopping when proof of age is required.
As the name suggests, this is the person or entity wishing to verify something. For example, if a prospective employer wants to see and check an employee’s last job reference, they can request this from them as the digital wallet holder. They can then choose whether to provide this information to the employer or not. The verifier and issuer never communicate directly with one another at any time. The key step in this process involves verifying the issuer’s digital signature – usually done using a decentralised identifier (DID) – which might be stored on a blockchain network, for example.
My data belongs to me
SSI technology not only allows us to choose which data we share with third parties but is primarily about us defining and managing our own identity. This is also why the storage location for personal data is as private as the photographs we have on our smartphones. Put simply, all personal data is stored only there – on the mobile phone itself. Users process sensitive data in their internal systems thereby taking responsibility for complying with the General Data Protection Regulation (GDPR).
SSI technology is secure as every user can manage their data individually. Last but not least, the tried and tested technologies of blockchain and asymmetric cryptography provide security and are constantly being further developed and can therefore always rise to new challenges.