The future of digital identities

Decentralized Identity vs Public Key Infrastructure

One of the key problems with user identities today is the need for the involvement of a Trusted Third Party to create and manage those identities. Whether that trusted third party is a website creating and managing an account for a user, a service providing federated single sign-on (commonly called social login) to other services, or a Certificate Authority and its Public Key Infrastructure supporting public-key cryptographic operations, all of these approaches rely on some trusted third party to create and manage the identity.

Decentralized identity takes an approach that removes the need for a Trusted Third Party Service altogether. In its place is blockchain technology, the key innovation that can be used to anchor the identity and provide a trusted source. This system, which acts as a Decentralized Public Key Infrastructure (DPKI), allows users and servers to prove their identity, attributes and relationships through cryptographically verifiable digital credentials. It also allows organizations to begin forming and maintaining private digital connections with customers, suppliers, partners and regulators.

The Decentralized Identity Ecosystem

The key difference with Decentralized Identity is that every identity in the system is a peer to every other identity. That is, whether it is a user or a server, each has its own identity and can take part in decentralized identity operations with any other identity, all without the involvement of a separate trusted third party. Instead, the identities are anchored on a blockchain and can be used for a range of different activities:

  • Authentication/Authorization: Passwordless authentication and intelligent authorization for faster, easier, safer and more privacy-respecting digital experiences.

  • Key Establishment: Key exchange protocols between two or more identities allowing the establishment of new cryptographic keys.

  • End-to-end encryption: Creating secure message and email exchanges using newly established cryptographic keys.

Every identity has its own Decentralized Identity wallet that is used to generate its public-key pairs, create a standardized Decentralized Identifier (DID) [1], and request that the DID be written to the blockchain (which acts as the trust anchor). Once an identity has a DID, it can take part in a range of decentralized activities including authentication, key exchanges, secure communication, and more.

A DID may also be granted a standardized Verifiable Credential [2] by a Credential Issuer that describes attributes, relationships and entitlements for that identity. This Verifiable Credential is held in the wallet until it is presented to a Credential Verifier, where it can be used for authorization. For example, an identity may have been granted permission to access a specific file, and can prove this permission by presenting its Verifiable Credential.
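The wallet, issuer and verifier steps described in the two paragraphs above, as an added Go example that is not code from this page or from any DID implementation. It assumes an in-memory Registry standing in for the blockchain anchor, did:example identifiers constructed directly from the raw Ed25519 public key rather than any real DID method's encoding, a three-field placeholder for the W3C credential data model, and a verifier-chosen nonce that the presenter must sign so that a captured presentation cannot simply be replayed by someone who does not hold the subject's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
)

// Registry stands in for the blockchain anchor: DID -> public key from its DID document (constructed).
type Registry map[string]ed25519.PublicKey

// Credential is a minimal placeholder for a W3C Verifiable Credential.
type Credential struct{ Issuer, Subject, Claim string }

// Presentation carries the credential, the issuer's signature over it, and the
// holder's signature over a verifier-chosen nonce (proof of possession of the subject key).
type Presentation struct {
	Cred                 Credential
	IssuerSig, HolderSig []byte
}

func (c Credential) bytes() []byte { b, _ := json.Marshal(c); return b }

// NewIdentity is the wallet step: generate a key pair, derive a constructed did:example
// identifier from the public key, and anchor it in the registry ("write the DID").
func NewIdentity(r Registry) (string, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	did := "did:example:" + base64.RawURLEncoding.EncodeToString(pub)
	r[did] = pub
	return did, priv
}

// Issue is the Credential Issuer step: sign a claim about the subject DID.
func Issue(issuer string, key ed25519.PrivateKey, subject, claim string) (Credential, []byte) {
	c := Credential{issuer, subject, claim}
	return c, ed25519.Sign(key, c.bytes())
}

// Present is the holder step: bind the credential to this session by signing the nonce.
func Present(c Credential, sig []byte, key ed25519.PrivateKey, nonce []byte) Presentation {
	return Presentation{c, sig, ed25519.Sign(key, nonce)}
}

// Verify is the Credential Verifier step: resolve issuer and subject DIDs, check the
// issuer's signature, the subject's proof of possession, and that the claim is the required one.
func Verify(r Registry, p Presentation, nonce []byte, required string) bool {
	ipub, spub := r[p.Cred.Issuer], r[p.Cred.Subject]
	if ipub == nil || spub == nil || p.Cred.Claim != required {
		return false
	}
	return ed25519.Verify(ipub, p.Cred.bytes(), p.IssuerSig) && ed25519.Verify(spub, nonce, p.HolderSig)
}
```

A rejected verification in this model means one of three things: the issuer or subject DID was never anchored, the credential was altered after issuance, or the presenter could not prove possession of the subject's key for this session's nonce.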

[1] W3C: Decentralized Identifiers (DIDs) v1.0

[2] W3C: Verifiable Credentials Data Model 1.0