Self-Sovereign-Identity
Last updated
Last updated
This page introduces the concept of Self-Sovereign identity (SSI), the components of Decentralized Identifiers (DIDs) and verifiable credentials (VCs), and how they provide the mechanisms for identity access and management in EW-DOS.
To learn more about Energy Web's implementation of SSI technologies, visit the page.
Self-sovereign identity (SSI) is a term used to describe the digital movement that recognizes an individual should own and control their identity without the intervening administrative authorities. SSI allows people to interact in the digital world with the same freedom and capacity for trust as they do in the offline world.
-
‘Self-Sovereign Identity’ is a growing paradigm that promotes an individual’s control over their identity and their data. This is in contrast to the current paradigm where most of our official identifiers (driver’s license, birth certificate, usernames, etc.) are given to us and maintained by a central authority, and where our data can be shared without our knowledge or consent.
The SSI movement catalyzes the shift away from stratified, centralized authorities as the distributors and overseers of identity, and toward a system where individuals can maintain their own identity and where verification and data-sharing can occur via secure, digital consent.
and are two of the most important components of SSI.
A DID is an identifier that can be generated and controlled by individuals or organizations without an external authority. It can be used to identify any subject, such as a non-tangible asset, a customer, or an organization.
A Verifiable Credential is a secure and machine-verifiable digital credential which respects a standard data model.
Together they allow users and organizations to have control over their identities. Instead of an external authority maintaining control over an identifier and its associated identity data, any individual or asset can create an identity, and then establish credentials over time through interactions with peers or authorities on a trusted, decentralized network.
Both DIDs and VCs are specifications of the W3C. The W3C is an organization which provides core technical specifications to establish guidelines and best practices for an open, inclusive and trustworthy web. Energy Web’s approach to DIDs and VCs is sufficiently abstract and flexible that it can be used with the Energy Web Chain, another blockchain, or no chain at all.
A DID is an identifier that is user-generated and not coupled to any centralized authority. It can be used to identify any subject, such as a non-tangible asset, a customer, or an organization.
Unlike traditional forms of identification, DIDs are not generated by a central authority, such as a government-issued driver’s license, or a bank-issued account number, and they are not stored in a centralized database. A user can create a DID for themselves or an asset using cryptographic or other means.
Public-Private Key Pairs
Medium Series on private keys and their relevance in the Ethereum Network:
Above we discussed the role of identity. Once an identity is established, it exists in a DID registry, but nothing is known about the subject through a digital identity alone. That is where Verifiable Credentials come into play.
A credential is something that we can prove about a subject or individual. Common examples of credentials include a driver's license, that proves that one has passed a test and can drive a particular class of vehicle, or a passport, that proves one is approved to travel internationally until a specified date in the future. These traditional credentials are authorized and issued by a central authority, such as a government bureau or a bank. They are distinct and not interchangeable. For example, you cannot use your passport to show that you can drive a car, and you cannot show your driver's license to prove that you can travel.
Verifiable Credentials are a Web3 standard for digital credentials in a decentralized ecosystem, meaning a system with no central issuer or authority.
Like traditional credentials, VCs are statements or claims made about an identity, which is referred to as the credential subject. If a battery was the credential subject, it could have a verifiable claim that it originated in a particular manufacturing plant, or that it has a specific discharge rate at the time of manufacturing.
There are three primary actors in the facilitation of Verifiable Credentials.
The main difference between traditional, non-digital credentials and verifiable credentials are the way they are verified.
Traditional credentials require manual verification, such as a signature or a stamp. Verifiable Credentials are verified completely through cryptographic means using a digital proof mechanism, such as a digital signature or a JSON Web Token, through a digital trust mechanism, such as a blockchain.
Once an authority verifies a claim, a VC can then be used as an official record to assure others of the truth of the statements. These credentials are linked back to the credential subject’s digital identity. In the case of EW-DOS, credentials are linked back to the user's DID document. A DID Document can amass a rich set of Verifiable Credentials that provide a full picture of its origin, attributes and capabilities.
One goal of our technology is to give every participant in the energy system an identifier to allow for broad participation in decentralized applications built on the Energy Web Chain. Participants include individuals, organizations, applications and energy assets.
EW-DOS can be considered a self-sovereign ecosystem because there is no central administration or server to manage identity or verify attributes. As long as a user has a public-private key-pair, they can create a DID, which is then stored in the DID registry on the Energy Web Chain.
Once identity is established, VCs are the primary mechanism for acquiring attributes and sharing these attributes with other participants through cryptographic consent. VCs then determine if an asset can participate in a particular role or application based on set criteria.
To understand how and why an asset can take on a DID and acquire and use VCs using EW-DOS, let’s use the lifecycle of a battery as an example.
When the battery is manufactured, the manufacturer assigns a DID to the battery, and issues claims on the battery’s physical makeup (date of manufacture, the model, the serial number, the battery capacity.)
The battery is sold. The installer of the battery adds new claims on the battery’s purchaser and its new location.
As the battery performs, the new owner adds claims on the battery’s charge and discharge rate.
The battery reaches the end of its lifecycle. The final owner of the battery adds the date that it is retired, and its final charge and discharge rate.
Because we now have verified information on the battery, the battery can use its DID to participate in various energy markets and provide services to the grid based on its confirmed attributes. This all happens without central oversight of the battery, and the battery is not restricted to participating in only one market. It can participate in any market or application that is using the Energy Web Chain.
The Identity and Access Management stack
EW-DOS’s Identity and Access Management (IAM) technology stack is composed of a decentralized application called Switchboard and several underlying packages listed below that manage the creation, reading, updating and removal of DIDs and VCs on the Energy Web Chain. To read more about Switchboard and its dependencies, go here.
You can see a serviceEndpoint present in a DID document's service array below:
EW-DOS Components that implement functionality for DIDs and VCs in EW-DOS.
Component
Role
A decentralized application for defining a role credential governance framework and issuing role credentials. These functions are performed by interfacing with user's Web3 wallet.
Provides high-level functions for all identity and access management
Provides an abstraction layer to manage and interact with DIDs and Verifiable Claims on Energy Web Chain
Facilitates the credentials exchange between credential requesters and issuers. It also caches smart contract data such DID documents in order to improve read-query performance.
Decentralized DID registry
Off-chain, decentralized, peer-to-peer storage for Verifiable Credentials
Additional Resources on DIDs and VCs in EW-DOS
""
****
A DID for a given system resides in a decentralized . DID Registries, like VCs and DIDs themselves, are developed according to W3C standards. Most DID registries live on a decentralized ledger, or a blockchain. In the case of EW-DOS, the DID registry is on the .
A DID is derived from a public-private key pair that is generated programmatically through a cryptographic algorithm. The algorithm produces a private key and a corresponding public key. Crypto wallets such as will generate these keys for you on creation of an account. The public key can be exposed and shared with others, but the private key should not be shared with anyone. The algorithm used to generate the key-pair makes it virtually impossible for any outsider to guess your private key.
Your public key serves as your address on the blockchain, and your private key serves as your private identifier, similar to a password, and is used to sign on the blockchain. The signature is proof that you initiated that transaction.
DIDs are made up of a , a and a unique method identifier. There are many DID methods that are supported by different blockchain networks. You can see a full list DID methods define operations to create, resolve, update and deactivate DIDs and their associated DID Documents, which are discussed below. DID Methods are often associated with a verifiable data registry, which are registries with store DIDs and their data. If the registry is implemented on a blockchain, smart contracts usually serve as the data registry. An example of this is the .
Energy Web Chain uses the . The string that identifies this DID method is "ethr", and the method identifier is always the user’s public key (also known as an address.)
Every DID resolves to a corresponding , which contains metadata about the subject's authentication mechanisms and attributes, like its public key.
Below is a sample JSON document that was created by the EW-DOS DID library. For a list of required and possible DID Document properties,
MetaMask on key terms:
: makes a claim about a credential subject and correspondingly creates and issues credentials asserting the claim.
: receives, holds and shares credentials
: receives and verifies proofs (proofs can be the entire credential or a piece of info from the credential)
In the context of EW-DOS, a digital cryptocurrency wallet such as , which holds a user’s public and private keys, is used to facilitate a digital signature. This eliminates the need for any interaction between the issuer and the verifier. The blockchain provides the platform and mechanisms of trust.
To see a more exhaustive list of possible interactions and use cases for issuers, holders and verifiers, see w3’s list of .
To see the relationship of DIDs and VCs in the EW-DOS use cases, we recommend that you explore the
The IAM stack provides means for authentication (proving you are who you are via DID) and authorization (proving you have the attributes to participate in a certain role via Verifiable Credentials.) The combination of a user's DID and VCs provide authentication to access multiple systems using role-based permissioning. You can view the components of the IAM stack .
DIDs are anchored on the Energy Web Chain in the DID Library smart contract. The DID library currently implements the for creating and updating identities on the blockchain, but will support other DID methods and standards in the future.
****, a decentralized, peer-to-peer file system that uses content hashing for file location. The credential's corresponding has a service node that holds an array of service endpoints. Each serviceEndpoint points to the location of a Verifiable Credential stored on IPFS. Once retrieved, the VC is decoded and its contents can be read.
