‘How does Solid relate to self-sovereign identity?’
This is a question we get a lot. And by that, I really mean A LOT. That is why, I really want to take the time to explain this well, even if it will make this episode of “Solid in Short” a bit longer than usual.
Let me first start by explaining some key concepts. Bear with me, they will make things way more clear.
Self-sovereign identity is based on blockchain, so, I’m first going to explain what a blockchain actually is.
Let’s go back to the basics and consider blockchain’s most fundamental concept: a registry.
You can find registries everywhere and they can contain much about anything. For example, an accounting ledger is a registry containing transactions, a customer table is a registry containing customer information and a rollordeck is a registry containing contact persons and their information.
Traditionally, the control of such a registry is centralised. And by that I mean that the correctness is controlled and ensured by one party.
It is not to find examples in real life. Indeed, almost all registries that we know of fall under this category. For example, the social security registry is under control of the federal government, a customer registry of a bank is under control of that bank, the credit card transaction registry is under control of your credit card provider and the domain name registry is under control of the ICANN.
With blockchain technology, it is possible to create a registry where the control over a registry is decentralised. This means that there is not just one party that ensures the correctness, but instead, that the correctness of the registry is ensured by ALL parties together.
However, with this, there also come a couple of side effects. For example, you can only add new data to the registry, all data on the registry is visible for all its users, you cannot delete or edit existing data, all parties have a local copy of the registry and ensuring the correctness is computationally very expensive. For example, Bitcoin, which is only one of the blockchain instances that currently exist, requires as much energy as Switzerland.
Another key self-sovereign identity component is cryptography and, more specifically, key pairs and hashes.
Let’s start with hashing. When you hash something, you use an algorithm to transform a piece of data into another piece of data. This transformation will always have the same result and the result cannot be transformed back to the original data. An example of a hashing algorithm is a piece of code that transforms vowels into 1’s and consonants into 2’s. So, TOM will always turn into 212, but based on this 212, you cannot go back to TOM.
Next, let’s take a look at key pairs.
Key pairs are in fact two cryptographic keys that are tied together and, together, have unique characteristics.
Suppose there is a red key and a blue key that, together, form such a cryptographic key pair.
- If you encrypt something with the red key, you can decrypt it with the blue key
- If you encrypt something with the blue key, you can decrypt it with the red key
- You cannot encrypt something with the red (or blue) key and decrypt it with the same key
For example, let’s take a look at what happens with the secret “santa does not exist”.
If we encrypt this secret with the red key, it leads to a text that is meaningless. But if we decrypt this text with the blue key, we can see our original secret again.
However, if we encrypt this secret with the red key and decrypt it with the red key again, it still remains a meaningless piece of text.
The way in which key pairs are typically used is as public and private keys.
In this setting, someone, a person or an organisation, has a key pair and keeps one key a secret while he or she hands multiple copies of the other key to everyone. The key that is kept private is called a private key and the key that is made public is called a public key.
The two components that I just talked about, when used together, enable a whole array of possibilities.
For example, they enable me to send a secret message to someone. Let’s say Bart. To do this, I will first encrypt the message using Bart’s public key and, later, Bart will decrypt that message using his private key.
I can also ensure that a message is actually sent by me, or in other words, digitally sign this message. To do this, I will first hash the message using a well known hashing algorithm. Next, encrypt the hash using my private key.
After that, everyone can use the hashing algorithm to hash the original message, decrypt the hash with my public key and check whether the two.
However, now, the question remains: ‘how can everyone know that my public key actually belongs to me?’.
Well, this problem is currently solved by registries, certificate authorities and others.
Certificate authorities are actual authorities, like governments or trusted organisations that digitally sign messages of the form “this key belongs to this entity”.
Registries are basically lists that say “this key belongs to this entity and that key belongs to that entity”.
The concepts that I’ve just explained make it much easier to position technologies that are related to self sovereign identity: decentralised identifiers, verifiable credentials and blockchain. However, not that decentralised identifiers and verifiable credentials can actually also exist without using blockchain.
So, what are verifiable credentials? Well, this is actually a standard to digitally sign personal data. For example, a verifiable credential of a university diploma is simply a file containing a hash of the diploma and the identifier of the student that are encrypted by the private key of the university.
What are then decentralised identifiers? Well, this is actually a standard to create a registry that links personal identifiers and public keys.
What is then decentralised identity? Well, this is when blockchain is used to store the decentralised identifiers’ registry. Meaning that there is not a single party that has control over that registry, as opposed to now, the government.
However, as good as this may sound, let’s not forget that, in this case, even though the government does not control that registry anymore, this system does assume that the government does use verifiable credentials to prove that you are in fact you. And, that those verifiable credentials can be revoked. Of course, this does only shift the problem, if we assume it would be a problem, from the registry to the issuing of verifiable credentials.
So how does everything relate to each other? Well, decentralised identifiers are pieces of text that identify you, verifiable credentials are pieces of data that are digitally signed and needs to be stored somewhere, a solid pod is a container to store pieces of data in and solid is a standard that combines other standards like WebID’s and verifiable credentials.
If we next take a look at the maturity of all those concepts, we see that decentralised identifiers is an accepted W3C standard, just like verifiable credentials. That Solid is a draft W3C standard combining very mature technologies, that the traditional public key infrastructure is very mature, but that blockchain, a decentralised public key infrastructure, is, in general, not as mature as the traditional public key infrastructure.
Thus, in conclusion, Solid is complementary to other identity related concepts. In addition, we saw that even though on first sight, many identity related concepts seem intertwined with blockchain technology, they can actually exist independently. And lastly, that a registry that links identifiers with public keys can be based on blockchain, but does not have to be.