Self-Sovereign Identity (SSI)

Decentralized Identifiers (DIDs) are a new type of globally unique identifier that an individual or entity creates, owns, and controls, independent of any centralized registry, identity provider, or certificate authority. They are the foundational address for an SSI identity.

• Key Property: Resolve to a DID Document containing public keys and service endpoints.
• Example: did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
• Purpose: Enables verifiable, cryptographically secure interactions without a central issuing party.

Verifiable Credentials are tamper-evident digital claims (like a digital driver's license or university degree) issued by an authoritative entity. They are cryptographically signed and can be instantly verified by anyone.

• Structure: Composed of metadata, claims, and a proof (digital signature).
• Holder Control: Stored in a user's digital wallet, not in the issuer's database.
• Example: A university issues a VC for a degree. The graduate holds it in their wallet and can present it to an employer, who verifies its authenticity without contacting the university.

This principle allows an identity holder to prove specific claims from a credential without revealing the entire document or unnecessary personal data.

• Zero-Knowledge Proofs (ZKPs): Enable proving you are over 21 without revealing your birth date.
• Derived Credentials: Create a single-use proof from a broader credential.
• Benefit: Dramatically enhances privacy and reduces data exposure risk, adhering to regulations like GDPR by design.

The user's point of control is a digital wallet (or agent) – software that manages DIDs, stores Verifiable Credentials, and facilitates secure interactions. It is not a cryptocurrency wallet but shares similar cryptographic principles.

• Functions: Creates DIDs, receives/store VCs, creates Verifiable Presentations, and manages consent.
• Sovereignty: The wallet enables the user to be the issuer, holder, and verifier of their own identity data in different contexts.
• Security: Private keys never leave the user's device or secure hardware module.

SSI ecosystems rely on trust registries and governance frameworks to establish rules for participation, ensuring interoperability and legal validity. They answer: Who is a trusted issuer? What schemas are valid?

• Role: Provide a decentralized, auditable list of authorized issuers and credential definitions.
• Example: A government might maintain a trust registry of accredited universities authorized to issue digital degree credentials.
• Critical Function: Replaces centralized trust anchors (like Certificate Authorities) with transparent, auditable systems.

A core goal of SSI is to create identities and credentials that work across different organizations, sectors, and jurisdictional boundaries. This is achieved through open, standardized protocols.

• Standards: Built on W3C standards for DIDs and Verifiable Credentials.
• Portability: Users can take their identity and credentials from one wallet provider or ecosystem to another without lock-in.
• Universal Resolver: Tools exist to resolve any DID method to its corresponding DID Document, enabling cross-system verification.

Decentralized Identifiers (DIDs) are a core SSI standard (W3C) for creating globally unique, persistent identifiers that are independent of any centralized registry, identity provider, or certificate authority. They are stored on a decentralized system like a blockchain or distributed ledger.

• Structure: A DID is a URI composed of a did: scheme, a method identifier (e.g., ethr: for Ethereum), and a method-specific identifier.
• Example: did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a
• Control: The DID is controlled by the holder via cryptographic private keys, enabling them to prove ownership and interact with services.

Verifiable Credentials (VCs) are a W3C standard for tamper-evident digital credentials that can be cryptographically verified. They are the digital equivalent of physical credentials like a driver's license or university degree.

• Structure: A VC contains claims (e.g., name, birth date, accreditation) issued by an issuer, is held by a holder, and can be presented to a verifier.
• Cryptographic Proof: Each credential is digitally signed by the issuer, allowing any verifier to check its authenticity and integrity without contacting the issuer directly.
• Selective Disclosure: Holders can prove specific claims from a credential without revealing the entire document.

A Verifiable Presentation (VP) is how a holder presents one or more Verifiable Credentials to a verifier. It packages the credentials and includes a cryptographic proof from the holder, demonstrating they control the credentials being presented.

• Purpose: Enables data minimization; the holder shares only the credentials required for a specific interaction.
• Process: The holder creates a VP, which includes the relevant VCs and is signed with their DID's private key. This proves both the credentials' validity and the holder's control over them.
• Example: Presenting a VC proving you are over 21 without revealing your exact birth date or other personal information.

A DID Method defines the specific operations (create, read, update, deactivate) for a particular type of DID on a given decentralized ledger or network (e.g., did:ethr for Ethereum, did:key for static key pairs).

• DID Document: Each DID resolves to a DID Document, a JSON-LD file containing public keys, service endpoints, and verification methods.
• Resolver: A DID Resolver is a software component that takes a DID as input, performs the method-specific lookup on the associated ledger, and returns the corresponding DID Document.
• Interoperability: Different methods allow DIDs to be anchored to various blockchains (Bitcoin, Sovrin, ION) while adhering to the same core W3C specification.

A Digital Identity Wallet (or Agent) is the user-controlled software that stores and manages DIDs, private keys, and Verifiable Credentials. It acts as the user's interface to the SSI ecosystem.

• Core Functions: Generates key pairs, creates DIDs, stores received VCs, creates Verifiable Presentations, and communicates with other agents using protocols like DIDComm.
• Security: Private keys never leave the wallet, which can be a mobile app, browser extension, or hardware device.
• Agent-to-Agent Communication: Wallets use encrypted, peer-to-peer messaging protocols to exchange credentials and proofs directly, eliminating the need for data to pass through centralized servers.

Trust Registries and Governance Frameworks establish the rules, policies, and recognized authorities within an SSI ecosystem. They answer the question: "Who is trusted to issue or verify credentials in this context?"

• Trust Registry: A decentralized list (often on a blockchain) of accredited issuers and the types of credentials they are authorized to issue (e.g., which universities can issue diplomas).
• Governance Framework: A documented set of rules defining the roles, responsibilities, technical standards, and legal agreements for all participants (issuers, holders, verifiers).
• Purpose: Enables scalable trust by allowing verifiers to automatically check the status and authority of an issuer before accepting a credential.

SSI streamlines regulatory compliance by allowing users to obtain a reusable, cryptographically verifiable KYC credential from a trusted issuer (e.g., a bank).

• Process: User verifies identity once with an issuer, receives a VC. They can then instantly share proof of KYC status with any other service.
• Benefits: Reduces friction, lowers costs for businesses, and enhances user privacy by minimizing data exposure (selective disclosure).
• Real-world: Projects like Sovrin and Civic are building networks for reusable digital identity credentials.

SSI enables patients to own and control their medical records, granting granular access to healthcare providers as needed.

• Patient-Centric Model: Medical data (vaccination records, prescriptions, test results) are issued as VCs to the patient's wallet.
• Consent-Driven Sharing: Patients can share specific data with a new doctor or pharmacy for a limited time, improving care coordination.
• Privacy & Compliance: Aligns with regulations like HIPAA and GDPR by giving data subjects direct control, reducing breach risks for centralized databases.

Replaces vulnerable username/password systems and centralized Single Sign-On (SSO) with passwordless authentication using cryptographic proofs.

• How it works: A user proves control of their DID (via a wallet) to log into a website or physical device, without revealing personal data.
• Zero-Knowledge Proofs (ZKPs): Can be used to prove attributes (e.g., "over 21") without disclosing the underlying credential or birthdate.
• Use Cases: Secure website logins, access to corporate networks, and IoT device authentication.

SSI provides a framework for creating verifiable digital identities for physical products, components, and the entities that handle them.

• Digital Twins: Each product or batch gets a DID, with VCs issued at each stage (manufacturing, shipping, quality check) to create an immutable chain of custody.
• Transparency: End consumers can scan a QR code to verify a product's origin, authenticity, and ethical sourcing claims.
• Industry Impact: Critical for luxury goods, pharmaceuticals, organic food, and conflict-free minerals.

A Decentralized Identifier (DID) is a globally unique, cryptographically verifiable identifier that is created and controlled by the identity holder, not a central registry. DIDs are the foundational address system for SSI, enabling entities to prove control without a central authority.

• Structure: did:method:method-specific-identifier (e.g., did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a).
• Method: The blockchain or network where the DID is anchored (e.g., ethr for Ethereum, key for public keys).
• DID Document: A JSON-LD document on the ledger containing public keys, authentication protocols, and service endpoints for interaction.

Verifiable Credentials are tamper-evident digital claims (like a driver's license or university degree) issued by an authority, which can be cryptographically verified by any third party. They are the core data object in SSI, replacing physical documents.

• Components: A VC consists of metadata, claims, and a digital proof (signature).
• Issuance: An issuer (e.g., a university) signs a credential with their private key and gives it to the holder.
• Presentation: The holder presents a Verifiable Presentation—a wrapper for one or more VCs—to a verifier, who checks the issuer's signature and revocation status.

Zero-Knowledge Proofs (ZKPs) are cryptographic protocols that allow one party (the prover) to prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself. In SSI, ZKPs enable selective disclosure and minimize data exposure.

• Example: Proving you are over 21 without revealing your exact birth date.
• Use Case: zk-SNARKs or zk-STARKs can generate proofs for credential attributes, allowing verification while keeping the underlying data private.
• Benefit: Enhances user privacy and reduces the risk of data correlation and identity theft.

The SSI model operates on a standard framework involving three core roles, often visualized as the Trust Triangle:

• Holder: The entity (person or organization) that receives, stores, and controls the presentation of Verifiable Credentials.
• Issuer: The authoritative entity (e.g., government, university, corporation) that creates and cryptographically signs Verifiable Credentials.
• Verifier: The entity that requests and cryptographically verifies credentials presented by a holder to grant access or services.

The blockchain acts as a verifiable data registry, providing a shared source of truth for DID Documents and credential status, enabling trust between these parties without direct relationships.

A critical challenge for SSI is managing the revocation status of credentials (e.g., a revoked driver's license). Solutions use the blockchain as a status registry without exposing private holder data.

• Revocation Registries: Issuers publish cryptographic accumulators (like a revocation list) on-chain. Verifiers check a credential's unique identifier against this list.
• Status List Credentials: A special Verifiable Credential issued by the issuer that contains an encrypted status list, enabling privacy-preserving revocation checks.
• Smart Contracts: Can be used to manage permissioned update rights for revocation lists, ensuring only the issuer can modify status.

SSI inverts the traditional data model by making the holder (the subject) the central point of control for their credentials. This minimizes data exposure through several key principles:

• Data Minimization: Verifiers receive only the specific claims they need.
• No Centralized Data Silos: Credentials are stored in the user's wallet, not in issuer or verifier databases vulnerable to mass breaches.
• Consent & Audit Trail: Every presentation of a credential requires explicit user consent and can create an immutable, user-controlled log of disclosures.

Trust in SSI is established through cryptographic proofs rather than trusted third parties. The entire chain of trust is verifiable:

1. Issuer Signature: The credential is signed by the issuer's private key, verifiable via their public key in their DID Document.
2. Holder Binding: The credential is cryptographically bound to the holder's DID, proving they are the legitimate subject.
3. Status Verification: Credential status (e.g., not revoked) is checked via decentralized mechanisms like revocation registries or bitstrings, avoiding centralized status lists.

This creates end-to-end verifiable data integrity.

The security of an SSI system ultimately depends on the security of the user's digital wallet and their private keys. This introduces critical considerations:

• Custody Models: Wallets range from custodial (managed by a service) to non-custodial (user holds keys). Non-custodial wallets align with SSI principles but place the burden of key security on the user.
• Recovery: Secure, user-controlled key recovery mechanisms (e.g., social recovery, sharded backups) are essential to prevent permanent identity loss.
• Device Security: Wallets are targets for malware and phishing, requiring secure execution environments.

A core privacy challenge in SSI is preventing unwanted correlation across different interactions. Advanced cryptographic techniques are employed to enhance unlinkability:

• Pairwise Pseudonymous DIDs: Using a unique, one-time DID for each relationship prevents different verifiers from linking a user's activities.
• Zero-Knowledge Proofs (ZKPs): Allow a user to prove a statement ("I am over 18") without revealing the credential itself or a correlatable identifier.
• Blind Signatures: Enable an issuer to sign a credential without seeing its contents, protecting holder privacy from the issuer.

Without these, SSI systems could create a comprehensive, linkable trail of all user interactions.