So, OP doesn't really have a solution to the identity fraud problem without centralization?
Ugh, I regret sending merit to this spam ICO
Hi Bluefirecorp, thank you for your enthusiasm in your replies earlier! Not very friendly of you to call me SPAM, no hard feelings, I assume you were waiting for an answer. Apologies for the delay, today was a hectic day.
As you pointed out we need to be able to validate that each self-sovereign identity is who they say they are.
When working with Self Sovereign identities it has to be possible to verify that the identity belongs to a real person meeting the requirements to be eligible for the service in which he wishes to partake, whether voting, trade, or something else.
An example:
1) The person has created his own DID and saves his encrypted private key using, for example, biometric authentication.
2) The DID is registered on the blockchain, along with its public key and an end-point (a way for other users to request identity information from the person).
3) The person can add information to his identity, for example his student ID number. The information is not stored on the blockchain; it is only considered a 'self-claim', as nobody has validated whether what the person claims is true.
- Information cannot be stored on the blockchain as this would fail GDPR, even if encrypted. The solution is to store it off-chain in a private ledger, which would also benefit the identity blockchain itself. The private ledger would exist on the hardware of the person and would be stored with an agency, who itself cannot read the data, allowing the person to recuperate his data when he loses his hardware. The person is able to remove all data if he desires to do so.
4) The end-point allows third parties to request identity information. However, what is important is that the person can be validated first and that the validator is indeed who they say they are too (encrypted exchange signed by private keys). For example, an agency can verify the email address and then issue a claim of authenticity which becomes anchored onto the main identity chain (with no information recorded on the blockchain revealing the actual information). Another example: in order for the person to validate the claim that he is the individual with the specific student number in the above example, he would have to pass the procedure which the University has set forward to validate his claim to link the specific student number to the DID, whether manual or automated. An additional level of security comes from claims only being issued once for a specific attribute; for example, a birth certificate can only be linked to one DID.
- After issuing the claim, a receipt of this transaction, containing what type of information (not the information itself) was shared between each party, is stored on each party's private ledger. A hash of this is stored on the identity blockchain (legal proof of permission).
5) The university would be claim issuer and validator. The university would publish onto the blockchain a schema for each type of claim they will issue; the schema defines what type of information is involved with the claim (e.g. name, birth date, country of birth). Anyone would be able to look up this schema and determine what type of atomic information they might request from the identity holder who possesses such a claim (only the necessary amount of information may be requested). For example, the only thing a retailer giving discounts to students needs to know is that the claim is for a currently enrolled student.
- The university might also issue a more universal claim that the person is indeed the person, as far as it can attest; these relationships then become what we call the web of Trust (which is very relevant for people without access to a recognized validator, such as refugees, as individuals could recognize each other, non-profits could, etc.).
6) The person will be informed when someone requests information from his Self-Sovereign identity and has the ability to accept to reveal that information or not, with potentially local permissions to automatically grant requests for certain types of information.
- The claim validator does not know the details of the entity requesting information, avoiding correlation and the leaking of privacy (if the university were asked to validate a person's age, it would not know why or by whom).
=> Through the web of trust, the validity of claims is built upon, and while a name can be faked, an identifier cannot because of the immutable nature of the blockchain and its trust mechanisms. It does allow people to build up an identity from scratch, such as a refugee, while also allowing a quick entrance from claims issued by trusted authorities such as a government.
How identities without validation from trusted authorities operate, and what trusted authorities are within our legal systems, communities and larger economy, is a different question altogether. The web of trust will become a powerful tool, one where service providers will set up and work towards additional validation systems as the market grows. The absence of trusted authorities does not stop Self-Sovereign identities from taking off.
A DID absent certain validations can be excluded by some service providers requiring those validations. For example, a person might not be able to identify himself with an unvalidated DID in a court. What level of validation, and by whom, is required in order to be considered a validated identity has no black and white answer.
I would love to continue having a conversation with you; please take into account that I am only answering messages at certain times, as these are hectic times.
Have a good evening.
Jens
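The claim flow described in steps 1 to 6 above, as an added example in Go that is not part of this thread or any project mentioned in it: a hypothetical university issuer signs an "enrolled student" claim for a holder DID, refuses to bind the same student number to a second DID, a relying party (the retailer) verifies the issuer signature together with a fresh challenge signed by the holder to prove control of the DID, and only a hash of the disclosure receipt would be anchored on chain. The did:example form, the schema name and the sample values are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Claim is one issuer-signed attribute for a holder DID; Value stays off-chain with the holder.
type Claim struct {
	Subject, Schema, Value string
	Sig                    []byte
}
// Issuer is a claim issuer/validator (the university); bound links each attribute to one DID only.
type Issuer struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	bound map[string]string
}
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return pub, priv
}
func NewIssuer() *Issuer        { pub, priv := NewKey(); return &Issuer{priv, pub, map[string]string{}} }
func sha(s string) string       { h := sha256.Sum256([]byte(s)); return hex.EncodeToString(h[:]) }
func claimBytes(c Claim) []byte { return []byte(c.Subject + "|" + c.Schema + "|" + c.Value) }
// DIDFor derives a DID from the holder's public key (constructed "did:example" form, an assumption).
func DIDFor(pub ed25519.PublicKey) string { return "did:example:" + sha(string(pub))[:16] }
// Issue signs a claim after the issuer's own validation; one attribute (e.g. a student number) is never bound to a second DID.
func (i *Issuer) Issue(subject, schema, value string) (Claim, error) {
	fp := sha(schema + "|" + value)
	if prev, ok := i.bound[fp]; ok && prev != subject {
		return Claim{}, fmt.Errorf("attribute already bound to another DID")
	}
	i.bound[fp] = subject
	c := Claim{Subject: subject, Schema: schema, Value: value}
	c.Sig = ed25519.Sign(i.priv, claimBytes(c))
	return c, nil
}

// Verify is the relying party's check: the holder proves DID control by signing the party's fresh challenge, and the claim must be validly signed by the expected issuer.
func Verify(issuerPub, holderPub ed25519.PublicKey, c Claim, challenge, sig []byte) bool {
	return c.Subject == DIDFor(holderPub) && ed25519.Verify(holderPub, challenge, sig) &&
		ed25519.Verify(issuerPub, claimBytes(c), c.Sig)
}
// ReceiptHash is what goes on-chain: which schema was disclosed to which requester, never the value.
func ReceiptHash(subject, schema, requester string) string { return sha(subject + "|" + schema + "|" + requester) }
```

The relying party only ever sees the schema it needs (the "enrolled student" claim), and the issuer is not involved in the verification step, so it learns neither who asked nor why.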