Carlos, you are correct. I’m glad you asked that question, because a detailed description of how the provisioning process works will highlight the crucial distinction between an independent identity owner and a guardian. It comes down to the actual provisioning workflow—not the workflow that interfaces directly with the Sovrin ledger, because that’s the same either way—but the workflow between the actors collaborating to provision a new DID on Sovrin.
Here are the two scenarios—one for the independent identity owner and one for the dependent identity owner.
In the first scenario, when an independent identity owner wants to be initially provisioned onto the network, the first step is for the owner to generate their own Ed25519 key pair. They should NEVER rely on third party to do this, because if they do, it is impossible for them to guarantee that the third party does not retain a copy of those keys (I’m not a deep math guy, but I understand it requires a proof of non-existence of something that must in fact exist.)
Note that the first half of the public key (the “verification key” in elliptic curve parlance) becomes the DID that will be registered on the Sovrin ledger.
The second step is for the independent identity owner (or a trust anchor the owner trusts) to create the DDO. (For more on DDOs, see the DID spec.)
The third (optional) step is for the independent identity owner to sign the DDO as proof the owner controls the private key. (This step is optional because a relying party can always confirm the independent identity owner’s control of the private key later by sending a challenge message for the owner to sign in real time.)
The fourth step is for the independent identity owner to request a trust anchor—who by definition has permission to provision DIDs for new identity owners—to write the transaction with the new DID and DDO to the Sovrin ledger.
The trust anchor then sends an acknowledgement to the identity owner, at which point the optional (but recommended) fifth step is for the independent identity owner to do its own lookup of the new DID on Sovrin to ensure that neither the trust anchor or anyone else tampered with the DDO before it was written to the ledger.
Note that throughout all of this, the independent identity owner NEVER shares the private keys with anyone else, including the trust anchor. That’s a very concrete definition of “controlling the private keys”.
Now, here’s the second scenario for a dependent identity owner. By definition, the dependent identity owner does NOT have control of the private keys. So the dependent identity owner cannot generate the DID or compose the DDO to be registered. The dependent identity owner has no choice but to trust a third party to perform all those steps on their behalf.
That third party is the guardian, who by definition MUST be a trust anchor and therefore has permission to provision a new DID and DDO onto the ledger.
So in this second scenario, the situation is the exact opposite. It’s the guardian who takes the same steps an independent identity owner would takje, starting with generating the Ed25519 key pair and then guarding it—just as an independent identity owner would guard it—on behalf of the dependent identity owner. The dependent identity owner NEVER has control of the private key because it must stay completely with the guardian in order to be safe (and to maintain accountability when that private key is used).
That’s why the dependent identity owner needs such a strong trust relationship with the guardian—the guardian literally “has the keys” to the dependent identity owner’s identity.
With this explained, I can finally answer this specific question you posed:
For independent identity owners, the answer to that question is easy: they ALWAYS control the private keys for their DIDs and never give it up to anyone (except by conscious delegation, as I mentioned in my previous reply to @danielh). So they begin and stay truly self-sovereign.
For a dependent identity owner, the exact opposite is true—they NEVER control the private keys for their DIDs. That’s what makes them dependent. But that doesn’t mean they are not self-sovereign.
You ask, “How can they not control their DIDs and still be self-sovereign?”
The answer is a legal one, not a technical one—which is the reason the Sovrin Trust Framework is so important. The Sovrin Trust Framework will require that a guardian has a legal obligation to act in the best interests of the dependent identity owner (the attorneys will choose the right legal term for this, but in the financial world, it’s called a fiduciary).
So even though the dependent identity owner does not technically control their private keys, the dependent identity owner is legally in control of their Sovrin identity, and that’s what makes it self-sovereign.
What really puts a nail in this definition is what happens when a dependent identity owner wants to become an independent identity owner. In this scenario, the dependent identity owner, having now the means to generate and store his/her/its own private keys, takes the exact same steps as an independent identity owner takes when they first register. But instead of generating a new DID, the dependent identity owner just generates a new DDO for their existing DID—the DID the guardian has been maintaining on their behalf. This new DDO contains the owner’s new public key(s)—the ones the owner generated directly and now controls completely.
The dependent identity owner sends this new DDO to the guardian and instructs the guardian to write it to Sovrin. The very moment that new DDO transaction is accept on the ledger, the owner turns from a dependent identity owner into an independent identity owner.
It’s like Pinocchio turning into a real boy (to use a literary analogy ).
So this is my (long) way of explaining that on the Sovrin network, all identity owners are in fact self-sovereign, whether no matter whether they are dependent or independent.