
INFORMATION TECHNOLOGY

ENISA: Study on SSI systems for digital identity released.

The past nearly two years have proven to be a globally challenging period, in which eIDAS has been under revision and the COVID-19 pandemic has urged the development of new models for social life, business, and administration of government. To address these challenges, this report explores the potential of self-sovereign identity (SSI) technologies to ensure secure electronic identification and authentication to access cross-border online services offered by Member States under the eIDAS Regulation. The need to maintain continuity in social life, business and administration has accelerated reflection on whether such decentralised electronic identity may be needed.

Over the last few years, a new technology for identification has emerged, called "self-sovereign identities" (SSI). This technology gives identity holders greater control over their identity by adding features which provide a degree of distribution of identity-related information. This includes the ability of the identity holder to have multiple "decentralized identifiers" issued for different activities and to separate out the attributes associated with an identifier in "verifiable credentials". This gives the holder greater control over how their identity is represented to parties relying on the identity information and, in particular, greater control over the personal information that they reveal to other parties.

The study critically assesses the current literature and reports on the current technological landscape of SSI and existing eID solutions, as well as the standards, communities, and pilot projects that are presently developing in support of these solutions. The study takes a wide view of decentralised electronic identity, considers possible architectural elements and mechanisms of governance, and identifies security risks and opportunities presented by SSI in view of cross-border interoperability, mutual recognition, and technology neutrality as required by eIDAS.

The following are the main points arising from an analysis of the application of self-sovereign identity standards and implementation as described in this report:

• SSI technology, as applied in the standards and solutions identified in Section 1 and rationalised into a single architecture in Section 2, provides an effective basis for digital identities which protects the privacy of personal data. In particular:

o Decentralised digital identities can be used to support pseudonyms for privacy of identity,
o Verifiable credentials enable the separation of potentially private attributes from the digital identity and allow the user to select which attributes are revealed to relying parties, ensuring the privacy of attributes which it is unnecessary to reveal, and
o The ability to hold multiple authentication keys in a wallet, with separate identity documents from different controllers, enables the user to cryptographically separate transactions, maintaining privacy by avoiding links between the separate transactions.

• For the governance of the architectural elements of an SSI solution (Section 3), there is a need to consider:

o Certification of wallets,
o Audit and oversight of DID controllers,
o Audit and oversight of VC issuers,
o Audit and oversight of DID and VC registries, and
o All the above are interdependent, and the governance of the DID controller and VC issuer also needs to ensure that the other elements of an SSI architecture are properly governed.

• When the risks of the SSI architecture are considered, the following key security measures need to be implemented:

o Data minimisation – in which only the necessary data is used,
o Consent and choice – in which the user controls the process and data used for identification, and
o Accuracy and quality – in which all parties can trust identification data stored and provided by the wallet.

• Lastly, it is recognised that there may be a role for ongoing support for technologies such as X.509 PKI, OpenID Connect, and existing national identity schemes. Thus, if SSI is to be adopted, further consideration should be given to co-existence between existing technologies and SSI.