Industry-Grade Self-Sovereign Identity
On the Realisation of a Fully Distributed Self-Sovereign Identity Architecture
R.M. Chotkan (TU Delft - Electrical Engineering, Mathematics and Computer Science)
Johan Pouwelse – Mentor (TU Delft - Data-Intensive Systems)
A. De Kok – Graduation committee member (The National Office for Identity Data (RvIG))
Fernando Kuipers – Coach (TU Delft - Embedded Systems)
More Info
expand_more
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
This research has been performed in pursuit of the MSc Computer Science at Delft University of Technology in collaboration with the Dutch National Office for Identity Data (RvIG), part of the Dutch Ministry of the Interior and Kingdom Relations. Self-Sovereign Identity (SSI) is a relatively new concept part of a movement aspiring to create a universal identity layer for the Internet. SSI aims to put the citizen at the centre of their data, making them the sovereign over their digital presence. Wherein the current ecosystem personal information is stored in centralised or federated settings, SSI delegates this responsibility entirely to the user. Functioning SSI schemes have been proposed and deployed, even with governmental support. However, we identify that the key issue that remains to be solved is revocation: the invalidation of credentials. Proposed revocation mechanisms typically rely on centralised infrastructure for revocations, defying the principles of SSI itself and, furthermore, lack offline verification capabilities. This research addresses these issues and proposes the first fully distributed revocation mechanism in SSI, using a gossip-based propagation algorithm. Our revocation mechanism requires no centralised infrastructure or strict network requirements and enables offline verification of credentials in case of disaster. Propagation is handled by honest clients, requires no direct communication with authorities and is shown to be robust in case of unreliable communication links. Furthermore, revocation acceptance is at the discretion of individual clients, making our mechanism fully adhere to the principles of Self-Sovereignty. This revocation and verification structure is part of our Industry-Grade Self-Sovereign Identity (IG-SSI) architecture. IG-SSI is a purely academic fully distributed SSI scheme with intrinsic equality across the network. Furthermore, communication is facilitated peer-to-peer, requiring no specialised infrastructure. The architecture allows for the signing, verification and presentation of credentials using Zero-Knowledge Proofs. We believe that the characteristics of our system provide it with use for decades to come, hence, we deem it to be industry-grade. Our simulation portrays that a network comprised of 10,000 clients gossips 1 million revocations within 25 seconds. Feasibility on smartphones is shown through a government-backed real-life trial. Based on our results, we claim that IG-SSI is a viable candidate for facilitating the needs for a digital identity of the European Union.