Self-Sovereign Identity (SSI) platforms are emerging from the decentralization movement citing how they will replace the traditional Public Key Infrastructure (PKI) model where Certificate Authorities (CAs) are in charge of controlling the identities, but that will not be the case unless our society becomes more egalitarian. Until then, a hybrid of centralized and decentralized identity systems that are localized shall prevail.
The innovation of SSI ends at where users are allowed to generate their identifier which is often the public key of an asymmetric key pair. An example of such an identifier is
did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4 using the Ethereum address as a self-managed decentralized identifier.
But that identifier is not useful!
How does one know to trust
did:ethr:0xd858ba2179b471140235fc70c2c87c4a9716b00b more, or at all?
The solution to the trust problem is often “If
did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4 has verifiable credentials from another trusted entity, you can trust it”.
The only problem was that
did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4 presented tons of verifiable credentials from many entities with identifiers as enigmatic as itself:
did:ethr:0x46bD9C0d0bc4264f795baCA1Fd958F37A2BC4F27issued a bank statement to said entity
did:ethr:0x3829cef9502eec6cdbd12010939ef7400a51b3bfissued an alcohol license to said entity
did:ethr:0x1d7B8F194Ca98f596851Ac5F3481C63dc53bb4E7issued a chamber of commerce membership to said entity
Now, you just have to verify if:
did:ethr:0x46bD9C0d0bc4264f795baCA1Fd958F37A2BC4F27is a trusted bank?
did:ethr:0x3829cef9502eec6cdbd12010939ef7400a51b3bfis a trusted government organization?
did:ethr:0x1d7B8F194Ca98f596851Ac5F3481C63dc53bb4E7is a trusted chamber of commerce?
As seen above, without more information from the external world, there is no way to knowing if
did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4 is a business, least to say a trustworthy one, amongst many other questions.
One approach to breaking out of the Catch-22 situation is to leverage existing real-world identifiers that are not self-sovereign but yet allowing users to prove the translation of the two identifiers.
An example of such implementation is binding an SSI identifier (such as an Ethereum address) to a domain name on the OpenAttestation protocol. The protocol binds a DID to a domain name in a two-way fashion. As such, the receiver of a verifiable credential will immediately know who the issuer is without figuring out who is
While this approach translates the identifier from something enigmatic like a DID to a domain name, it doesn't solve the problem of “should I trust this entity?”.
Also, what if I don’t recognize the domain?
To understand if I can trust
did:ethr:0x63b4f3e3fa4e438698ce330e365e831f7ccd1ef4, which is claiming to be an alcohol importer in Singapore, I’ll likely ask myself the following questions:
In the example above, it will likely suffice if I have done business with the entity before and there are records to show.
When thinking about if one should trust an entity with something one would start by asking the most personal question first. In each set of questions, one tries to find if the entity is trustworthy enough within the locality or should more information be provided?
Generally, this means I trust something that is more “local” to me! I would:
With that, we can see that it is insufficient to only have a completely decentralized identity platform that generally operates at the “Earthlings” locale.
As the decentralization movement prevails and we move towards using more SSI identifiers, new opportunities will present to companies to provide localized identity resolution services for SSI. Examples are like:
This will yet create another opportunity for standardization of the methods to resolve SSI once more of such services are around.
In the time being, TradeTrust website provides a reference where it allows viewers of verifiable credentials to make use of localized identity resolvers through their identifier resolution specifications.
Like what you read? Subscribe to my mailing list.