Self-Sovereign Identity: Proving Power over Legal Entities
T. Speelman (TU Delft - Electrical Engineering, Mathematics and Computer Science)
Johan Pouwelse – Mentor (TU Delft - Data-Intensive Systems)
Jan S. Rellermeyer – Graduation committee member (TU Delft - Data-Intensive Systems)
Nava Tintarev – Graduation committee member (TU Delft - Web Information Systems)
Abstract
Self-Sovereign Identity (SSI) is a new paradigm in digital identity systems that puts the end-user in control: no other actor manages, permits or revokes their digital existence. TrustChain is an academic peer-to-peer networking stack supporting SSI. It delivers passport-grade assurance by integrating with the Dutch government. However, end-user control requires a programmed user agent with a human interface, and protocols that enable meaningful communication with issuers and verifiers of identity data. This agent must be interoperable with a large variety of parties and credentials. TrustChain lacks such an interface and protocols.

This thesis makes three main contributions. First, a theoretical framework is proposed for aligning notions of self-sovereignty across contexts, borders and cultures. It provides more detailed, focused and structured discourse than other work and helps consolidate design efforts. Second, a design project is carried out in collaboration with the Kamer van Koophandel (KVK). It focuses on 'authorisation by legal entities', a class of identity problems that has no satisfactory solution yet. Third, a generic common 'semantic layer' is prototyped, consisting of a smartphone-based user agent and communication protocols. Its wallet-centric approach allows end-users to retrieve their data without leaving the app. The practical value of this prototype is evaluated at a construction site.

The case study shows that the Kamer van Koophandel, like other government institutions, can be a valuable data provider. However, their current legal framework and business model may restrict them. The absence of such vital institutions invites commercial parties to close the gap, threatening the privacy and independence of end-users. Finally, this work has three implications for TrustChain. First, attestation metadata must be considered confidential. Second, single-sided public revocation is required to ensure credential actuality without re-issuing. Third, non-interactive verification enables the construction of chains of untrusted issuers. This is a valuable feature, as it enables individuals, not just organisations, to issue claims to others.
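The last two implications (single-sided public revocation, and non-interactive verification of a chain of untrusted issuers) can be made concrete with a small model. The code below is an added example, not code from the thesis or from TrustChain: a registry acting as trusted root attests that Alice directs a company, Alice (an individual, not a trusted party) attests that Bob may act for it, and a verifier checks the whole chain using only the presented credentials, its own trusted root key and a public revocation list, never contacting an issuer. The names (registry, Alice, Bob, Example BV), the credential layout and the `revoke`/`verify_chain` functions are all constructed for this example; textbook RSA on a SHA-256 digest stands in for a real signature scheme and is deliberately toy-sized and unpadded, so it is not secure as written.

```python
# Added example (not from the thesis or TrustChain): a credential chain that a
# verifier checks non-interactively, plus single-sided public revocation by the
# issuer alone. Textbook RSA is used only to stay dependency-free; it is NOT a
# secure signature scheme (no padding, small keys).
import hashlib
import json
import random


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits: int = 256):
    """Return ((n, e), (n, d)): a toy textbook-RSA public/private key pair."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest(payload: dict) -> int:
    """Canonical JSON of the payload, hashed; the 256-bit digest is below n."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big")


def sign(private, payload: dict) -> int:
    n, d = private
    return pow(_digest(payload), d, n)


def verify_sig(public, payload: dict, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(payload)


def issue(issuer_priv, issuer_pub, subject_pub, claim: str, cred_id: str) -> dict:
    """A credential binds issuer key, subject key and claim under the issuer's signature."""
    payload = {"id": cred_id, "issuer": list(issuer_pub),
               "subject": list(subject_pub), "claim": claim}
    return {"payload": payload, "sig": sign(issuer_priv, payload)}


def revoke(issuer_priv, issuer_pub, cred_id: str) -> dict:
    """Single-sided revocation: the issuer alone publishes a signed revocation entry."""
    payload = {"revokes": cred_id, "issuer": list(issuer_pub)}
    return {"payload": payload, "sig": sign(issuer_priv, payload)}


def is_revoked(cred: dict, revocations: list) -> bool:
    """Only an entry signed by the credential's own issuer counts."""
    issuer = tuple(cred["payload"]["issuer"])
    for entry in revocations:
        p = entry["payload"]
        if (p["revokes"] == cred["payload"]["id"] and tuple(p["issuer"]) == issuer
                and verify_sig(issuer, p, entry["sig"])):
            return True
    return False


def verify_chain(chain: list, trusted_root, revocations: list):
    """Non-interactive check: each link's issuer must be the previous link's subject,
    starting from the verifier's trusted root; signatures and revocations are
    checked locally. Returns (ok, reason)."""
    expected_issuer = tuple(trusted_root)
    for cred in chain:
        p, sig = cred["payload"], cred["sig"]
        issuer = tuple(p["issuer"])
        if issuer != expected_issuer:
            return False, f"{p['id']}: issuer is not the previous subject"
        if not verify_sig(issuer, p, sig):
            return False, f"{p['id']}: bad signature"
        if is_revoked(cred, revocations):
            return False, f"{p['id']}: revoked by its issuer"
        expected_issuer = tuple(p["subject"])
    return True, "chain valid"


def demo():
    """Constructed scenario: registry -> Alice (director) -> Bob (may sign orders)."""
    random.seed(7)  # deterministic toy keys so the walkthrough is repeatable
    reg_pub, reg_priv = keygen()
    alice_pub, alice_priv = keygen()
    bob_pub, bob_priv = keygen()
    c1 = issue(reg_priv, reg_pub, alice_pub, "director of Example BV", "reg-0001")
    c2 = issue(alice_priv, alice_pub, bob_pub, "may sign orders for Example BV", "alice-0001")
    before = verify_chain([c1, c2], reg_pub, [])
    after = verify_chain([c1, c2], reg_pub, [revoke(alice_priv, alice_pub, "alice-0001")])
    unanchored = verify_chain([c2], reg_pub, [])          # no link back to the root
    bogus = verify_chain([c1, c2], reg_pub, [revoke(bob_priv, bob_pub, "alice-0001")])
    return before, after, unanchored, bogus


if __name__ == "__main__":
    for label, result in zip(("valid", "revoked", "unanchored", "bogus revocation"), demo()):
        print(f"{label}: {result}")
```

The verifier never talks to the registry or to Alice, which is what lets an individual such as Alice act as an issuer in the chain; and because a revocation entry is accepted only when signed by the key that issued the credential, Bob (or anyone else) cannot revoke a claim he did not issue, while Alice can withdraw hers without re-issuing anything.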