Carlos, it’s a good question where “pre-existing claims” about a Sovrin identity owner fit. IMHO the answer aligns directly with the principle of self-sovereignty—that an identity owner must be able to fully control their own identity graph—and the principle of verifiable claims—that every identity owner should be able to make claims about any identity that can be verified as having come from that identity owner.
So let’s walk through applying these two principles to your use case. Let’s say Institution A creates claim X about person B using identifier AB before person B has a self-sovereign identity. That claim might in Institution A’s directory service someplace and can be looked up using the identifier AB that Institution A assigned to person B.
Now person B gets a new Sovrin identity with identifier DID B that person B fully owns and controls, fulfilling the self-sovereignty principle. Person B would like to have Institution A make the same claim X about Person B’s new Sovrin identity. Person B could self-attest that Institution A had made claim X. But because it was self-attested, it would not be verifiable.
The only way for claim X to become a verifiable claim would be for Institution A, with it’s own Sovrin identifier DID A, to make claim X about Person B, and then sign that claim with Institution A’s private key so that it is verifiable. If Institution A shares this verifiable claim X with Person B, now both Institution A and Person B can tell anyone who is interested that Institution A with DID A has made claim X about Person B with DID B, and anyone can verify this signature by looking up DID A on the Sovrin ledger to get the public key for Institution A.
The critical takeaway from this is that neither Institution A or Person B should be trying to create a correlation between Institution A’s original identifier AB for Person B and Person B’s new Sovrin DID B. Institution A’s identifier AB should stay private between Institution A and Person B. Instead, Institution A should make a new claim X against Person B’s Sovrin DID B, as only DID B is self-sovereign and fully under Person B’s control.
Note that this self-sovereignty applies equally to Institution A. In other words, even though Person B is self-sovereign for DID B, Institution A is self-sovereign for the claim X that it makes about Person B. So if for example Institution A needs to revoke claim X (say claim X is a claim that Person B is a student at Institution A, and then the student withdraws from school), then Institution A is able to revoke claim X and does not Person B’s (or anyone else’s) permission to do so.
Now, about your final question, [quote=“cbruguera, post:3, topic:150”]
What if an institution (or any party whatsoever) makes a claim about my persona that I don’t approve?
By following the same two principles—both self-sovereignty of identity owners and self-sovereignty of claims issuers—the answer must be that anyone can create a claim about anyone—true or false, positive or negative. Sovrin infrastructure itself does not say anything about whether a particular claim is true or false or positive or negative. What Sovrin lets you do is verify that a claim was made by the claim issuer and verify that the identity owner presenting that claim really controls that Sovrin identity.
This is important as it means any kind of claim system or reputation system can be built on top of Sovrin and they can all work independently, without needing to interoperate if that is not necessary. If they need to be interoperable, then that puts additional requirements on the format of the claims or reputation statements they make—which is obviously very important—but that level of interoperability lies at a layer above the Sovrin identity layer.