Trust, Identity and Access Blogs

Self-Sovereign Identity in the Research and Education Community

[Image: a person loading a digital wallet on a mobile phone. Photo by BlackSalmon on Adobe Stock]

Digital wallets, verifiable credentials, and decentralized identifiers were a common theme at the European Identity Conference in 2023; all of them help underpin ideas of digital sovereignty. Digital sovereignty can apply to you as an individual, to the organisation you belong to, or to the geopolitical region you are a citizen of.

The sovereignty of the individual allows for personal data ownership and selective disclosure of data to requesting parties: taking control of your own ‘digital destiny’ and taking that control away from large organisations. This is supported by the ideas of Self-Sovereign Identity (SSI) and digital identity wallets. SSI moves away from centralized models, where each service provider manages user identities, and from federated models, where Identity Providers manage user identities (e.g. your government, your university, or social platforms such as Google or Facebook). SSI represents a big change from federated identity management practice. The interactions below should be familiar to those who run federated identity management systems today:

Trust is explicitly established between the Identity Provider and the Service Provider via a trust federation. The Identity Provider issues authentication status and identity attributes directly to the Service Provider. In most cases the user must consent to the release of attributes, but cannot store those attributes and present them to other service providers of their choosing.

The terminology and roles change in the world of self-sovereign identity:

Sets of identity assertions (or claims) become credentials, e.g. digital representations of physical documents like your driving license or university degree classification. The Identity Provider becomes the Issuer of credentials. The Relying Party (Service Provider) becomes the Verifier of credentials. The user agent becomes a digital wallet, which may or may not be provided through a web browser. Trust is decentralized, with no immediate role for federations, although we will come back to this later. The verifiable data registry holds decentralized identifiers and the public keys used to authenticate credentials.

A digital identity wallet (Wallet) belongs to a Holder (typically a user) and securely stores identity information about a Subject. Wallets are containers that hold digital credentials: a credential repository. The Wallet supports secure authentication and the selective presentation or exchange of identity credentials with any requesting Verifier. In most cases the Wallet will be an application on your mobile device, but it can also be provided centrally as an online web service. A mechanism to delegate responsibility for identity management is required where a Subject is unable to be the Holder of their own identity information, e.g. those with no digital capability, such as the elderly or children. In the world of self-sovereign identity, the issuance of credentials to a Holder is decoupled from the use of those credentials with different audiences (Verifiers), whereas in the world of SAML or OIDC, attributes and claims are bound to, and intended for, a known audience (the Relying Party) at the time they are issued.

The Technical Ecosystem

The W3C’s Verifiable Credentials Data Model is an open standard for representing secure, verifiable digital credentials. Alternatively, ISO is extending the work it undertook for mobile driving licences (mDL, ISO/IEC 18013-5) to more general mobile documents (mdocs) and mobile credentials.

In the W3C model, a Subject obtains a verifiable credential from an Issuer (e.g. their university, or the driver and vehicle licensing agency) and holds it inside their Wallet. Holders of verifiable credentials can then present them to Verifiers as verifiable presentations. Both verifiable credentials and verifiable presentations are secured with digital signatures that the Verifier can validate, proving the integrity and authenticity of the identity claims they contain.

The Verifier validates a verifiable presentation by cryptographically proving that the credentials it carries originated from the Issuer and that the presentation was made by the Subject (or Holder) to whom they were issued. The Issuer is identified in the verifiable credential, and the Subject in the verifiable presentation, by a Decentralized Identifier (DID). A DID is a persistent, globally unique identifier that resolves to a DID document. The DID document contains, amongst other information, the public keys of the entity the DID belongs to. Once the DID documents for the Issuer and Subject have been resolved, their public keys can be used to validate the signatures on the credential and the presentation. Note that a valid signature only proves that the credential was signed with a key listed in the Issuer’s DID document; whether that Issuer should be believed for that kind of claim is a separate question, which we return to below. DID documents can be stored on a decentralized ledger such as a blockchain, fulfilling the decentralized promise, or hosted centrally, for example in a trusted database or on a web server (as the did:web method does). A DID document can be viewed as analogous to a digital certificate, but without the need for a Certificate Authority. For IdP operators, the analogy with an EntityDescriptor in SAML metadata might be more useful.

Digital wallet implementations for SSI are expected from various interested parties: for example, the EU Digital Identity Wallet, the Department for Education in the UK, and numerous commercial companies. If Apple or Google show significant interest in SSI, would a user choose a different wallet over the one already present on their device? Notably, in the US, both Apple’s and Google’s wallets already support digital state IDs and driver’s licenses in the mdoc format, although not strictly following the SSI principles described here. Google is also looking at adding APIs to the web browser to request and issue credentials. Outside of these, Microsoft Authenticator supports SSI and verifiable credentials through the Entra Verified ID platform.

In addition to the representation and storage of credentials and identifiers, several transport protocols are being developed for issuing verifiable credentials and exchanging verifiable presentations. For example, the OpenID Foundation is developing the OpenID for Verifiable Credentials family (often written OIDC4VC or OID4VC): OpenID for Verifiable Credential Issuance (OID4VCI) between Issuer and Wallet, and OpenID for Verifiable Presentations (OID4VP) between Wallet and Verifier.

Open Questions

In the research and education sector, several open questions remain. See SURF’s publication: SSI Wallets for Research and Education.

The student experience

How will the student experience change? Are students expected to obtain and carry their educational credentials, for example, educational identifiers and academic qualifications, in one or more digital wallets? Will they understand the sometimes complex nature of these credentials? Do they want to control and manage their own credentials and private keys? Will they trust these new implementations?

Changes to institutions

For this to happen, will educational institutions need to become credential issuers using new technologies? Or will public bodies (e.g., the Department for Education in the UK) need to interact more closely with institutions to be the central source of student identifiers, qualifications, and other appropriate credentials?

Changes to authentication practices

Will this change authentication practices? One noteworthy ability of digital wallets and decentralised identifiers is that they can be used to sign in to websites: the site sends a challenge, the wallet signs it with the private key associated with the user’s DID, and the site checks the signature against the public key in the resolved DID document, so neither a password nor a third-party Identity Provider is involved in the exchange.

Data Sovereignty

Are you really in ‘control’ of your own identity, or are you just the ‘holder’ of your identity credentials? If a university issues a degree qualification credential, it should also be able to revoke it. Similarly, your student status relies on reliable and fresh information from the institution you are a member of, so revocation of any credential asserting that status must be timely, and Verifiers need a way to check a credential’s current status at presentation time (for example, a status list published by the Issuer) rather than relying on its signature alone. Arguably, you are never totally in control of your identity.

Trust and Identity Federations

The trust model underpinning SSI in an open ecosystem is the ‘Trust Triangle’. Instead of relying on central authorities, trust is devolved to the Issuer, Holder, and Verifier. The Issuer cryptographically signs the credentials it gives to a Holder. The Verifier can then verify a credential it receives from a Holder by checking the validity of that signature. However, even after the cryptographic checks pass, a question remains: is that credential valid? Does the Verifier ‘trust’ the Issuer to assert such a credential? And should the Holder have exchanged their credential with that Verifier? In a decentralized open ecosystem there need not be any legal framework or union between the parties involved, so is it the responsibility of the Verifier and Holder to make those decisions for themselves, possibly by keeping their own lists of trusted Issuers and Verifiers?

For example, a bad actor sets up a fake university and starts issuing First-Class Honours degrees to students (who become the Holders of these credentials). A Verifier that requires all new employees to have a First-Class Honours degree accepts the credential exchange from a Holder, verifies that the credential was signed by the Issuer named in it, and lets the Holder submit a job application. Every cryptographic check passes; what is missing is any basis for believing that this Issuer is entitled to award degrees.

The solution to this problem may come from one or more ‘Trust Registries’. A Trust Registry records, under a governance framework, which entities are authorized to issue which credentials (such as this proposal). Now a Verifier can determine a) whether the given Issuer created the credential, by checking its signature, and b) whether that Issuer is part of an approved governance framework and was authorized to issue that type of credential. Conversely, the Trust Registry could also list Verifiers, allowing a Holder to determine who they should exchange credentials with.

Replacing Issuer with Identity Provider and Verifier with Service Provider, this story sounds all too familiar to those who already run Trust Federations such as the UK Federation. Could Federations provide the Trust Registry for the R&E community? — arguably this model ‘centralizes’ certain components of the otherwise decentralized approach.

Further work

In the European Union, self-sovereign identities and identity wallets are part of the 2021 eIDAS 2.0 proposals (Interoperability Framework for Digital Identities). Through this framework, EU citizens will have the right to a European Digital Identity Wallet (EUDI Wallet) and a unique, cross-border, national electronic identifier (eID). Digital Credentials for Europe (DC4EU) is a large-scale pilot implementation of the eIDAS 2.0 framework in the education field. The first implementation of the EUDI Wallet should appear in September 2023 and will be available on GitHub.

GÉANT, the collaboration of European National Research and Education Networks, has numerous Trust and Identity Incubator projects based on self-sovereign and decentralised identity.

In the United States, Internet2’s Community Architecture Committee for Trust and Identity (CACTI) recently formed (May 2023) the Next-Generation Credential Use Cases Working Group, looking at how the ‘education identity and access management ecosystem needs to grow and adapt to this new environment and set of expectations’. This should feed back into the wider research and education community at the Internet2 Technology Exchange in September 2023.

In the UK, the Department for Education has been working with Methods on Project Titan since June 2022. A digital wallet holding verified credentials about who a student is, and what qualifications they have, is one part of Project Titan’s workstreams. The project is ongoing with initial prototypes available.
