How does self-sovereignty at the level of agents or agent-endpoints work?


#1

From the Technical Foundations whitepaper:

“Sovrin agent endpoints are always under the identity owner’s control, so the identity owner can port their Sovrin agent service to a new host at any time.”

How does this happen? How can the user control his/her user endpoint? Isn’t this supposed to be a third-party service provided by a (trusted) Agency?


#2

Carlos,

I’m not as close to the whitepaper as others, but I believe this means that your agent may be physically under your control (i.e. on your own hardware), or hosted by an agency, in which case it will still be “under your control” thanks to the Sovrin Trust Framework, which will enforce rules such as portability through a mix of technology and human governance.

Markus


#3

Yes, that’s correct. It’s useful that the IIW attendees are working on standards for data “containers” this week in California.

So the aim is for you to either host your own container or have someone else host it for you (an agent), or possibly both, with backups that you can bring back online at will.


#4

One other bit of color.

An agency that provides software/services to use Sovrin will certainly play a role in the ecosystem. The company I work for, Evernym, is an example of such an agency, and there are others as well.

However, I wouldn’t describe the agency as “trusted”–at least, not in the way that cybersecurity people use that word. You don’t give your secrets to an agency to hold for you; you use it to move encrypted bits around, maybe host an endpoint for you, maybe do backups, etc. You assume that your agency is largely delivering the services you pay it for–but that’s as far as the trust goes. This is an important point, because if you have that mindset, you build an architecture where a hacked agency doesn’t endanger you as a user.
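
The design point in post #4, an agency that only moves encrypted bits so that a hacked agency can neither read nor silently alter them, sketched as an added example that is not part of the thread and is not Sovrin or Evernym code. It assumes Node.js; X25519 with AES-256-GCM is an illustrative choice rather than the Sovrin agent protocol, and `sealFor`, `agencyRelay` and `openFrom` are hypothetical names.

```javascript
// Added illustration, not Sovrin code. All function names are hypothetical.
const crypto = require('node:crypto');

// Each party creates its key pair locally; private keys never reach the agency.
const newIdentity = () => crypto.generateKeyPairSync('x25519');

// Derive a shared AES-256 key from our private key and the peer's public key.
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'agency-relay-demo', 32));
}

// Sender: encrypt and authenticate before anything is handed to the agency.
function sealFor(myPrivate, theirPublic, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sharedKey(myPrivate, theirPublic), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Agency: holds no keys and forwards the envelope. `tamper` models a hacked agency.
function agencyRelay(envelope, { tamper = false } = {}) {
  const body = Buffer.from(envelope.body);
  if (tamper) body[0] ^= 0x01; // flip one ciphertext bit in transit
  return { ...envelope, body };
}

// Recipient: the GCM tag check rejects anything the agency altered.
function openFrom(myPrivate, theirPublic, { iv, body, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sharedKey(myPrivate, theirPublic), iv);
  decipher.setAuthTag(tag);
  try { return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8'); }
  catch { return null; } // authentication failed: drop the message
}

// Constructed sample exchange between two identity owners through one agency.
function demo() {
  const alice = newIdentity(), bob = newIdentity();
  const msg = 'constructed sample: proof request #1';
  const env = sealFor(alice.privateKey, bob.publicKey, msg);
  return {
    delivered: openFrom(bob.privateKey, alice.publicKey, agencyRelay(env)),
    tampered: openFrom(bob.privateKey, alice.publicKey, agencyRelay(env, { tamper: true })),
    agencySawPlaintext: agencyRelay(env).body.includes(msg),
  };
}
console.log(demo());
```

The agency can still drop or delay envelopes, which matches the post's framing: it is relied on for delivery, not for confidentiality or integrity.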


#5

Hey Daniel, that’s a very good point.

So far, I was maybe putting too much “trust” on agencies, and unquestionably it’s way more advisable to design agencies as decoupled as possible from sensitive data or control of sensitive data. Definitely the ecosystem is in need of standards and frameworks that aid in the implementation of agents with low or no risk.

I’m eagerly looking forward to seeing how agents could be implemented to remain portable and “trustless”… Is any work being done on releasing any sort of basic agent specs or even some sample service/code?


#6

There is a “reference agent” codebase that will be released by Sovrin in the near future. I am not the right spokesman for an official date, but I know that the core coding will be complete within weeks. There is also more formal work to create a spec and other design artifacts for an agent; I’m not sure if that will produce tangible items for you before or after the reference agent is released. I recommend that you ask about this in the next user community call.