In this article we will discuss about the 10 principles coined by Christopher Allen, one of the pioneers within this world, concerning the Self-Sovereign Identity (SSI). According to Allen, SSI can be interpreted in two ways: the first is ideological, which (key reading) affirms the importance of being able to control one’s own identity on the network without the need to counter trust; the second is technological, which means analysing which technologies and technological standards can enable this objective.
The 10 principles of the SSI are precisely intended to define what values and goals the idea and technology should pursue. They were first enunciated in Allen’s blog, which, by way of analogy, we can imagine as the famous Bitcoin White Paper by Satoshi Nakamoto.
The 10 principles of the SSI
Let us begin by describing what they mean. Each principle is declined through the technological standards used in the SSI: Decentralised Identifiers, Verifiable Credentials, DKMS, DID-Auth and Blockchain.
- Existence – The user must have an independent existence. This principle is based on the concept of ‘I’, a fundamental component that belongs to the essence of identity. It is something intrinsically linked to self-awareness. However, nowadays with the increasing complexity of society, identity is combined in state-issued credentials such as driver’s licences and social security cards, which suggests that a person can lose his or her identity if a state revokes his or her credentials. Credentials that translate from the physical world to the virtual world, which consequently draw a digital self. This principle states that a user must be able to exist in the digital world, without the need for a third party.
- Control – Users must control their identities. After a number of recent incidents involving identity breaches, such as the Cambridge Analytics scandal, numerous high-profile Equifax-style data breaches and the materialisation of GDPR legislation, many have asked themselves, “who actually owns your data?” Sovereignty allows the user to control how their identity is used without negatively disrupting the way society is organised. Remember that control is not the same as saying that one can decide what data is associated with him. The licence will still be provided to me by the DMV, but the difference is that once it is provided to me, like the plastic one, I can control it, keep it and manage it as I see fit.
- Access – Users must have access to their own data. Users must be able to access their data and any associated claims without the interference of gatekeepers or intermediaries. This does not necessarily mean that the user has the authority to change all aspects and claims associated with their identity; however, it does mean that a user should be able to access records that indicate any changes associated with their identity. In order to protect the sovereignty of other users, an individual should only be granted access to their own identity and not those of others.
- Transparency – Algorithms and infrastructures must be transparent. In tandem with the previous principle, transparency ensures that users can monitor any potential mismanagement of claims, credentials or associations related to their identity. In the broader context of identity, transparency also integrates fairness and support for a balanced identity system. A balanced identity system, according to Allen, will result in a more comprehensive protection of the individual. Systems and algorithms must operate in an intelligible and easily accessible format, using ‘clear and simple language’.
- Persistence – Identities should live in the long term. This principle argues that identities should be long-lived, at the discretion of the user. In the midst of constant changes in data storage and private key rotation (if a user has multiple wallets or identifiers within a blockchain), persistence allows users to maintain their identities, despite having multiple private keys. Persistence is not only exclusive to individuals; other institutions, organisations and collective entities should be subject to having their identities at the discretion of other entities. In the end, identifiers in an SSI system should be the exclusive property of the person or persons who created them.
- Portability – Identity-related information and services should be easily portable. According to Allen, information and services must be easily portable and cannot be held exclusively by a centralised third-party entity. Even if a third party entity works in the best interest of the user, the problem of SPOF (single point of failure) remains. Portability ensures that one’s identity can be transferred and stored in multiple locations, at the user’s discretion.
- Interoperability – Identities can be used as widely as possible. All of Allen’s guiding principles on ISS are related in some way. Interoperability overlaps with persistence and portability. Allen states that the importance of portability in identity is that identity information and services must be portable. This ties in with interoperability, particularly as portable identities are more readily available to cross international borders.
- Consent – The user must agree to use their identity. SSI systems require that personal data be shared only with the user’s consent. When building a decentralised self-sovereign identity, consent must be continuously kept in mind and incorporated into the system. This ensures whether or not the identity data will remain private (at the user’s discretion).
- Minimisation – The disclosure of one’s own data must be minimised. This principle emphasises the importance of protecting users’ personal data when disclosing identity-related information. For example, if a user’s minimum age is required (to access a page), a user should not be required to provide the exact day, month and year of their birth. Instead, user disclosure should be minimised by providing the minimum age requirement. According to Allen, by implementing selective disclosure, range testing and other zero-knowledge techniques, developers can facilitate minimisation to better support privacy. Basically, active minimisation allows for more privacy-preserving interactions between users and systems.
- Protection – Users’ rights must be respected. Christopher Allen states that to ensure user protection, there must be an independent censorship-resistant algorithm that can authenticate user identities. Allen stresses that a self-sovereign identity system should strike a balance between transparency, fairness and user support within the network, while ensuring protection. It could be a double-edged sword if it is not balanced, which is why it needs to be managed in a decentralised way. One of the most promising digital rights regulations would be the European General Data Protection Regulation (GDPR), which came into force in May 2018. It requires organisations to comply with personal data legislation and would be heavily fined for non-compliance.
As you may have noticed, the principles described above have as their main subject the user, his rights and the infrastructure on which this innovative identity management system is based. The ISS stands as a new model in which the user is literally at the centre (i.e. this is why it is defined as user-centric). Allen’s 10 principles were one of the first “formulations” of the concepts that are part of this new world, which through all our guides we try to explain to you every day.