In the digital age where digital identity is important for business operations, the increasing concern of privacy leads to better personal data control, and hence the “Self-Sovereign Identity (SSI)” model. However, traditional federated identities only provide limited control over user personal data, thus the new concept of “Decentralized Identity (DID)” was recommended by the major web community (W3C), where a new identity model allowing verification of identity without intermediaries would be more compatible for the SSI model.
The SCB TechX Innovation Lab created a prototype platform to accelerate the adoption of DID using the SSI model, where the platform acts as a governance body to handle connections between users and/or businesses on blockchain. While some may view this platform as not fully in compliance with the SSI model, we focused on accelerating adoption in a more compatible way to current practices by creating trust between user and business using governance framework and possibly some level of KYC. However the platform is open for improvement and migration toward 100% user control by moving the key management from platform to user and allow direct connection between key holder and blockchain.
The motivation for this project was a consolidation of multiple trends and business concerns. First was the privacy trend where users had growing awareness of the misuse of their personal data such as targeted advertisement and leak of data. This lead to the emerging “Self-Sovereign Identity (SSI)” identity model and framework where users have full control over their data sharing while allowing service providers to verify the validity of shared data using tampered-proof cryptographic encryption.
The second key motivator is from a common business concern when subscribing to open blockchain ecosystems, where there is abundant lack of trust and difficulty for business operation considering users are anonymous. The standard that had been discussed and recommended by World Wide Web Consortium (W3C) is “Decentralized Identity(DID)” which promotes the decentralized nature of identity verification and data, leveraging on the decentralized nature of open blockchain.
We decided to develop a value proposition and create a prototype system using DID over public blockchain (Ethereum) as a baseline and simulate data exchange between 2 businesses by going through user and giving full control of data sharing to user according to SSI model.
We created a DID prototype on top of a self-hosted Ethereum blockchain and using Veramo as development library due to the feature of supporting Ethereum as DID registry (to prove compatibility with open Ethereum while evaluating transaction speed finality). We also chose a hybrid approach containing a governance body as the main DID provider responsible for creation DIDS and maintaining related information and trust levels between each DID inside the platform. The primary reason of this choice is to reduce adoption friction and investment cost, while improving trust between businesses and user via the intermediary registrar service. After DID was created, the platform will act as key management system providing APIs for create and signing the verification credential (VC) and verification presentation (VP). However, users and businesses are allowed to connect to the blockchain to access their counter party’s public key for identity verification.
The platform consisted of 2 main layers connected to businesses within the ecosystem via verifiable credentials and verifiable presentation.
Customer Identity Layer : An SDK to integrate to user-facing application or create new Identity Wallet Application, this SDK wrap the APIs that provide functions for user to access their credential and approve data sharing request.
DID + Federated Identity Layer : The services in this layer provide functionality similar to existing federated identity framework but modified to work with DID. This layer include APIs for authentication, authorization and data access for both users and businesses.
The platform allows users to create linkage between their DIDS and existing or new user profile on ecosystem partner services. After linking the DIDS, user can request his/her information from the partner’s services in the form of Verifiable Credentials (VCs) and store it within the platform fully under user control. When user interact with other services, they can request VC from the platform which in turn ask user to selectively share the requested information and send back as Verifiable Presentations (VPs). Finally, the transaction logs will be stored on-chain without user data and allow user to find the sharing history and possibly revoke the consent later.