Meatspace to Bitspace


#1

I had a very interesting email conversation with a chap in Australia about Sovrin and the whole idea of self-sovereign identity. There was a particular element of the discussion which I thought worthwhile sharing.

His view was as follows:

Hmmm, interesting idea. But you still need other out of band systems to
link the DID to the licence then. You also will need a way to assert
someone has one and only one licence. For example, I go to the
Government TMR department. “Hi I want my licence”. Well, how do they now
assert if I already have one or not? They can not compel me to "provide"
the existing DID, so they would make me a new one, and I get another
licence. We need that out of band proof to create the identity such as
birth certificate, passport etc. This can then confirm I possess only a
single licence. But the point of this system is they wouldn’t keep a
copy of these, so no longer can they make such an assertion.

My response follows. I always find it useful to relate these sorts of discussions to real-world examples. In this case I used the common root of trust that is a driving licence issuer. While digging into this I found out how difficult it is to get a full licence in Australia, but that’s a different topic.

You are correct that you need a way to link the actual person to the DID. This is no different to current practices.

Think of how it works at the moment.

You go to the TMR to get your first ever license. In NSW, when you go to the test centre they ask you to take proof of identity such as your birth certificate or passport. This is the very first time anyone sees a real person during the licence application process. Let’s say you don’t have a digital version of these at this point, just the physical versions.

Someone there will look at your birth cert or passport and do some relatively rudimentary checks that it is you. It is obviously simple enough to cheat this process with a suitably well forged birth cert or passport, and that risk is generally accepted by anyone who relies just on a driving licence as proof of ID.

Once you’ve got your P1, and are ready to do your P2 test, you need to visit the test centre and this time you take your licence you obtained above, plus “proof of identity” which is the same birth cert or passport.

After 24 months of having your P2, you can get your full licence. You do this by booking a test, and turning up with the licence as above, plus proof of identity in the form of the same birth cert or passport. If you pass, your licence is upgraded to a full licence.

So, your driving licence, which is then a root of trust for so many other identity transactions like opening a bank account etc etc, is based on the provision of a piece of paper at a driving test centre.

Obviously this approach is not infallible, but it serves as state of the art at the moment.

So let’s say in a Sovrin scenario, you’d be doing exactly the same thing. You provide a paper passport/birth cert at each stage of the process. But in addition, once you do the first verification at the test centre they write a claim to your Sovrin persona using a DID you’ve provided to TMR for this purpose. This is a pairwise DID between you and the TMR. The claim says “William has applied for a P1 and I’ve seen and verified his birth cert/passport” or suchlike. The level of “certainty” that you are you has not changed. What has changed is that you have a new digital way of presenting that P1 licence to someone else, rather than just having the physical version of it.

The TMR still retain records of your progress - nothing changes as they are the “master” record holder.

When you return for your P2, you could present your Sovrin claim (which only you can present, that can only have been issued by them, and only to you) as the driving licence proof, plus you can present your paper passport and birth cert if they really need it (but you have proof they verified it previously). When you pass your P2, they can issue you with the updated physical driving licence and also an electronic version as an additional Sovrin claim to your DID that you have shared with them. You’d use the same DID as first time here as you’ve presented your P1 proof which was written to that DID.

And when you get your full licence, they give you a physical version of that plus an electronic version as another claim for that DID.

So now you’ve got 3 digital claims (P1, P2 and full), written by the TMR, who have had to go through certain checks in meatspace that you are you.

Assuming a relying party trusts TMR, you can now use any of those claims to prove digitally who you are to that relying party. This is no different to you providing a physical driving licence - the relying party trusts the TMR as the issuer so accepts it.

So Sovrin does not replace the need for a meatspace identity check. What it does is enable digital representations of identity proofs to be accumulated and used. In more complex ID checks where multiple issuers are required (e.g. driving licence, 2 proofs of address from different utility companies), being able to provide those proofs digitally, with the relying party able to verify them digitally, will be much more effective, cheap and simple than the paper-based approaches currently used.

Ideally in the driving licence example above, you’d go along with a digital version of your passport/birth cert as well, which would make things much easier.

On cost savings, some banks use document verification processes to verify (though not with perfect degrees of accuracy) a photo of a driving licence in an effort to digitise the application process. These checks can cost upwards of £2/time here in the UK. It’s a sticking plaster covering the problem of having no way to present a digital version of your driving licence and have it verified digitally. My reference to “near zero cost” referred to the potential to do away with such 3rd party checks because the bank can carry out the validity check on the digital proof themselves in real time with very little effort (it’s just a Sovrin lookup).

So nobody is saying that the driving licence authority no longer needs to keep a record of who has a driving licence. Sovrin simply enables them to provide drivers with a digital version which can then be used elsewhere for digital interactions, allowing any relying party to confirm its authenticity.

It also allows that relying party to throw away that data once they have checked it, as they can always ask for it again from the identity owner at any time (and the identity owner’s agent will most likely provide it as long as the link contract between both parties is still in force). In this way the relying party can minimise their internal data storage while being highly confident that the identity owner is presenting valid credentials.


#2

Interesting topic for conversation Andy. What Estonia is doing with PKI tied to national identity is an interesting case study. However, their PKI is not quite open and most governments are very reluctant at this point to open up an API of sorts to any of their identity databases. MyInfo in Singapore is something I’ve been following closely and I’m in talks with the relevant parties there. Also India with their Aadhaar is topical as it clearly connects the meatspace with digital with biometric data.

If you look very specifically at the question asked, it’s really not how to connect meatspace to bitspace but how to prevent (if one were to prevent) signing up multiple DIDs. You could use a real world paper document, but perhaps there is also a way to assert Proof of Individuality without government intervention. I’ve written a white paper about this particular concept (POI) using biometric data.


#3

Hi Edmund - yes there was an earlier conversation about multiple DIDs, but the upshot of it was the need to confirm a person is THE person.

To avoid the multiple DID situation in the driving licence example above, the authority could simply insist that it writes the subsequent test evidence (the claim) to the DID they originally wrote the first one to, which is the pairwise DID you have for your relationship with the driving licence authority which you could present when registering for the subsequent test.

If you didn’t already have a pairwise DID with the driving licence authority, they’d be doing the ID checks that they are doing already, at which point you and they could set up the Sovrin relationship with pairwise DIDs.


#4

Good point.
To reinforce, there are several unexploited processes which produce “meat-to-bit binding” as a by-product, and simply discard it:
consider, for instance, how many times in our lives we undergo a f2f identification process by some agency, e.g., hospital admission, university enrolment, identity document release, public notary practices, …
There is presently no way to exploit these costly (and often paid by public finance) processes for producing widely available trusted/authoritative identities owned by the user.


#5

A quick way to summarize the issue here is Proof of Ownership (you control a DID) vs. Proof of Uniqueness (you can prove you have only one DID in a particular context).

The Sovrin ledger + private key management by identity owners can solve the Proof of Ownership problem. But it doesn’t solve the Proof of Uniqueness problem. Indeed, a particular identity owner may have hundreds of Sovrin DIDs to maintain contextual separation of identity for privacy purposes.

I agree with Andy that Proof of Uniqueness is going to be a very common requirement of relying parties. The canonical example is voting: it’s not enough to prove that you have the credential needed to vote; you must also prove you have voted exactly once.

The latter is much harder to do. It requires a credential (set of claims) from an Issuer that enforces uniqueness (i.e., one DID per human). The majority of issuers (governments, driver’s license agencies, professional associations, etc.) have a uniqueness requirement. So most relying parties who need Proof of Uniqueness will request a credential from an issuer who enforces Proof of Uniqueness. That’s the scenario Andy describes of when you need a credential like a government passport.

The only part of Proof of Uniqueness that Sovrin can help with directly is the digital transfer of a claim from an issuer who enforces uniqueness. As long as relying parties trust that issuer to enforce uniqueness, then they can rely on that claim to establish uniqueness of a DID in their own domain.

As a footnote, privacy is considerably enhanced if the Proof of Uniqueness claim is an anonymous credential. Otherwise relying parties will be able to correlate an identity owner based on the Proof of Uniqueness claim from a particular issuer (which, after all, is unique), defeating the anti-correlation protection of pairwise DIDs.
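
An added illustration, not part of any post in this thread and not Sovrin code: a toy model of the two points made in #3 and #5, an issuer that refuses to write claims for the same person to a second pairwise DID, and two relying parties that link a holder across different pairwise DIDs because the same identifiable credential was shown to both. The class, the function names, the `did:example:` strings, the document number and the credential serial are all constructed for the example.

```python
import secrets


class Issuer:
    """Toy licence issuer that keeps the master record (constructed model)."""

    def __init__(self):
        self.did_for_person = {}   # document checked in person -> pairwise DID
        self.claims = {}           # pairwise DID -> list of (serial, claim)

    def issue(self, document_id, pairwise_did, claim):
        # Proof of Uniqueness: claims for one verified person only ever go
        # to the pairwise DID first registered for that person.
        known = self.did_for_person.setdefault(document_id, pairwise_did)
        if known != pairwise_did:
            raise ValueError("person already has a DID with this issuer")
        serial = secrets.token_hex(8)   # issuer-unique credential identifier
        self.claims.setdefault(pairwise_did, []).append((serial, claim))
        return serial


def new_did():
    # Placeholder DID string; a real DID is bound to key material.
    return "did:example:" + secrets.token_hex(8)


def correlate(seen_by_a, seen_by_b):
    """Pair up holder DIDs at two relying parties that share a serial."""
    by_serial = {serial: did for did, serial in seen_by_a}
    return [(by_serial[s], did) for did, s in seen_by_b if s in by_serial]


def demo():
    tmr = Issuer()
    did_tmr = new_did()
    tmr.issue("PASSPORT-0001", did_tmr, "P1")
    full = tmr.issue("PASSPORT-0001", did_tmr, "full licence")
    try:
        tmr.issue("PASSPORT-0001", new_did(), "P1")   # same person, new DID
        duplicate_blocked = False
    except ValueError:
        duplicate_blocked = True
    # A different pairwise DID per relying party, same credential shown.
    did_bank, did_insurer = new_did(), new_did()
    links = correlate([(did_bank, full)], [(did_insurer, full)])
    return duplicate_blocked, links, (did_bank, did_insurer)


if __name__ == "__main__":
    print(demo())
```

The uniqueness check only works because the issuer keeps its own record keyed on the document it verified in person; the link found by `correlate` is what an anonymous credential is meant to remove.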


#6

Yes, exactly Luca. How good would it be if we could accumulate those f2f checks digitally and simply, and re-use them at will.


#7

It seems that India made it quite well in proofing identities:


On a first reading, Aadhaar+India Stack shares many similarities with Sovrin in terms of functionality. It differs because it is a state-run, centralized system; self-sovereignty and privacy are not main issues.
Any idea on how Sovrin could relate to similar initiatives?


#8

Luca, the “Aadhaar+India Stack” comparison has come up in at least one other conversation I’ve been part of. I think your conclusion—that Sovrin infrastructure is similar to Aadhaar+India Stack but is global, decentralized, and privacy-respecting—is exactly right.

I think any country that insists on developing a centralized, state-run ID system can still be interoperable with Sovrin—and indeed those state-run systems can be a valuable source of verifiable claims for a Sovrin identity. But no state-run ID system can directly compare with the Sovrin identity network itself precisely because it must be decentralized and serve identity owners who are ultimately self-sovereign.