Identity 3.0: Understanding Self Sovereign Identity and Building Self-Sovereign Revolution

John Ndigirigi
10 min read

A random developer’s day

"The specification is 'straightforward' and 'simple to implement'..." Right up there with "this will only take 5 minutes" in the hall of fame of tech industry myths. Yet here I was, staring at my screen, first thinking "I'll just ask AI to interpret this spec and give me the code." A 'few' prompts later, the updates to our C# did:peer implementation for the DIDComm mediator are still not working as expected. Just another random day as a developer 🙂

As I take a break from staring at the stubborn code to check my socials, a status from one of the tech community leaders catches my eye: "call for speakers for DevFest Mt. Kenya". And I think to myself – "SSI, this intriguing technology, I can't be keeping this to myself, more people should learn it". That's how I ended up having a Self Sovereign Identity technical session at DevFest Mt. Kenya.

Having built SSI solutions for more than a year now, interacted with the tech communities, listened to industry leaders and presented SSI to both developers and non-developers, I have learned that there is a need for more education on identity management, with the aim of promoting user-centered systems and addressing privacy issues. In particular, my SSI presentation at DevFest Mt. Kenya motivated me to write and engage more on identity management, as I learned that people (in this case my audience, who were mostly young developers) are somewhat aware of, and some understand, the problems with current identity solutions, i.e. centralized identity management, but hardly know how to go about solving them.

The Current State of Digital Identity

Picture this: It's Monday morning, and you're trying to log into your work system. Was it "ILovePizza2023!" or "ILovePizza2024!" this time? Oh wait, maybe it was "ILovePizza2023@"... Sound familiar? 🤔

In today's digital world, we're all juggling more passwords than a circus performer juggles balls. And just like those circus acts, sometimes things come crashing down – usually right when we need access the most. Each service provider maintains its own identity silo, leading to:

  1. Security Vulnerabilities: Remember that one password you use everywhere? Yeah, hackers remember it too. One breached silo leaks a password that is then replayed against every other service you use (credential stuffing).

  2. Privacy Concerns: "Please accept our cookies" – at this point, we've given away more cookies than a bakery.

  3. User Experience: "Please fill in these 15 fields to create an account" – just to leave a comment on a cat video?

  4. Data Control: Once shared, your data has more copies than your high school yearbook photo.

"But wait!" you might say, "I just click 'Continue with Google' everywhere!" Ah yes, federated authentication seems like the perfect escape from password hell. Just let the tech giants handle your identity, right? Well, that's like solving your storage problem by keeping all your eggs in someone else's basket – convenient until the basket breaks, or worse, the basket-holder decides to peek at your eggs. Every "Sign in with Google/Facebook/Apple" click is essentially saying, "Please, mighty tech overlord, track one more piece of my digital life!"

Key challenges with federated identity include:

  • Single Point of Failure: When your Google account gets compromised, so do all your linked services

  • Privacy Concerns: Identity providers can track your service usage, login patterns, and digital behavior

  • Vendor Lock-in: Switching costs become astronomical once you've linked dozens of services

  • Service Dependency: When the identity provider is down, you're locked out of everything

  • Limited Control: Identity providers can change terms, revoke access, or modify data sharing policies at will

  • Cross-border Complications: Different regions have different regulations about data storage and sharing

  • Trust Issues: You're essentially trusting a third party with the keys to your entire digital kingdom

Sure, you've escaped password management, but at what cost? When your federated account gets compromised, it's not just one service at risk – it's all of them. When these services go down (and they do), you're locked out of half the internet because you trusted a single company with all your digital keys. And let's not forget, these tech giants now know every service you use, when you use them, and probably your embarrassing late-night shopping habits too.

And that's just the digital authentication world! Let's talk about the rest of your identity. Your physical wallet is probably bulging with various forms of identification: driver's license, national ID, student cards, professional certifications, health insurance cards – each one a separate piece of your identity puzzle. Need to prove your age? Show your ID. Want to prove your qualifications? Pull out those certificates. Getting a new job? Time to gather every piece of paper that proves you're you.

These traditional identity credentials come with their own set of headaches:

  • Physical documents can be lost, stolen, or damaged

  • Getting copies or replacements often involves lengthy bureaucratic processes

  • Verification is manual and time-consuming (ever waited while someone squints at your ID photo?)

  • Paper certificates can be forged

  • Each credential exists in isolation (your driver's license doesn't know about your professional certifications)

  • You often have to share more information than necessary (showing your full ID just to prove your age)

  • Different documents follow different standards across countries and organizations

  • Some credentials expire right when you need them most

So whether it's passwords, federated logins, or physical documents, our current identity systems are fragmented, insecure, and often frustrating. There has to be a better way to prove who we are and what we can do, right?

Understanding Self-Sovereign Identity

Self-Sovereign Identity (SSI) is revolutionizing how we manage digital identity by giving users control over their personal information. It combines decentralized identifiers (DIDs), verifiable credentials (VCs) and, where public verifiability is needed, a verifiable data registry (often, but not necessarily, a blockchain) to create a trust framework that's secure, private, and user-centric.

Think of SSI as your digital wallet, but way cooler than that crypto wallet your friend won't stop talking about 😀. It's like having a smart version of your physical wallet – one that can prove you're old enough to buy that energy drink without showing the cashier your entire life history.

Core Principles

These are the ten principles Christopher Allen set out in "The Path to Self-Sovereign Identity" (2016):

  1. Existence: Users must have an independent existence

  2. Control: Users must control their identities

  3. Access: Users must have access to their own data

  4. Transparency: Systems and algorithms must be transparent

  5. Persistence: Identities must be long-lived

  6. Portability: Information and services about identity must be transportable

  7. Interoperability: Identities should be as widely usable as possible

  8. Consent: Users must agree to the use of their identity

  9. Minimization: Disclosure of claims must be minimized

  10. Protection: The rights of users must be protected

SSI Architecture: The Trust Triangle

Before we dive deeper into the technical bits, let's understand how trust works in SSI. Remember playing "telephone" as a kid where messages got distorted as they passed along? Well, SSI solves that trust problem with what we call the Trust Triangle:

  1. Issuer: The entity that creates and signs credentials (like a university issuing diplomas)

  2. Holder: That's you, holding credentials in your digital wallet (like having that diploma on your phone)

  3. Verifier: Anyone who needs to check your credentials (like that dream company you're applying to)

Think of it like this: The issuer signs a statement about you, you hold onto that signed proof, and you can show it to anyone who needs to verify it. The beauty? The verifier checks the issuer's signature against the issuer's public key (found by resolving the issuer's DID), so it doesn't have to call up the issuer every time. The one thing a signature can't tell you is whether the issuer has since revoked the credential; that's what revocation registries are for.

Blockchain as a Trust Anchor

Remember the old days when we kept important documents in a safe? In SSI the credentials themselves stay in your wallet, not on the chain. What the blockchain gives us is a public, append-only place to publish the things a verifier needs in order to trust a credential (issuer DIDs and their keys, schemas, revocation data), what the W3C DID specification calls a verifiable data registry, with better backup plans than "hope the house doesn't flood." Let's look at some real-world implementations:

Cardano and did:prism

PRISM is a DID method built on the Cardano blockchain (the project was contributed to Hyperledger and now lives on as Hyperledger Identus). Cardano in this case is like that super-organized friend who keeps track of everything: the ledger acts as the verifiable data registry, where did:prism anchors DID create, update and deactivate operations, and it can hold:

  • DIDs: Your digital identity anchors

  • Credential Schemas: The templates for your digital credentials

  • Revocation Registries: A fancy way of saying "who's still valid?"

For example, a university using did:prism could issue digital diplomas that are:

  • Instantly verifiable (no more calling the university to check if someone really graduated)

  • Tamper-evident (any edit to the diploma breaks the university's signature; sorry, Photoshop wizards)

  • Always available (goodbye, certified copies)

Other Blockchain DID Methods

Take did:ion on Bitcoin, for instance. It's like did:prism's cousin who chose a different path in life but still gets the job done: ION implements the Sidetree protocol, batching DID operations, storing the batches off-chain (in IPFS) and writing only a hash of each batch to the Bitcoin chain, which keeps fees low and keeps the ledger free of personal data. Both methods achieve similar goals through different approaches, kind of like how some people prefer tabs over spaces in their code (we won't judge... much).

Real-World Applications

Healthcare

Imagine walking into a new doctor's office and instead of filling out the same forms for the millionth time (did I break my arm at 7 or 8 years old?), you just share the relevant credentials from your digital wallet. The doctor gets verified information, and you get to keep your arm-breaking age a secret if you want to.

Education

Remember trying to get your transcript from your university? The process usually involves:

  1. Finding out where to request it

  2. Proving you're really you

  3. Paying a fee

  4. Waiting

  5. Waiting some more

  6. Finally getting it, only to realize they spelled your name wrong

With SSI, it's more like: click, share, done. The credential you present is exactly what the university signed, and a verifier can check that in seconds; if the registrar did misspell your name, they revoke the old credential and issue a corrected one, with no new round of paperwork.

Technical Implementation

Decentralized Identifiers (DIDs)

DIDs are the foundation of SSI, providing globally unique identifiers that are:

  • Decentralized: No central registrar hands them out; the controller creates them

  • Persistent: The identifier itself doesn't change, even when the keys behind it are rotated or a service endpoint moves

  • Cryptographically verifiable: The controller proves ownership by signing with a key listed for the DID

  • Resolvable: Can be looked up (did:prism, did:ion, did:web) or decoded from the identifier itself (did:key, did:peer) to get a DID document listing the public keys and service endpoints

Verifiable Credentials

Think of these as your digital certificates, but smarter:

  • Cryptographically secure: signed by the issuer, so forgery or any later edit is detected at verification time

  • Privacy-preserving: the holder can disclose a subset of claims, or just a predicate such as "over 18", rather than the whole document

  • Instantly verifiable: the verifier checks the signature against the issuer's public key, with no call to the issuer

  • Revocable when needed: the issuer publishes status information that the verifier checks separately, the one step that does need a registry lookup

DIDComm

The secure messaging protocol that lets DIDs talk to each other:

  • End-to-end encrypted: messages are encrypted to the recipient's DID keys, so the mediators and relays that route them can't read them

  • Transport agnostic: the same envelope travels over HTTPS, WebSockets, Bluetooth or even a QR code

  • Protocol-based interactions: every message carries a type URI naming the protocol it belongs to (issue-credential, present-proof, basic message...)

Frequently Asked Questions

Do I need blockchain for every SSI solution?

Nope! While blockchain is great for some SSI use cases, not everything needs to be broadcast to the world. Think about it - when you show your ID at a coffee shop, you don't announce it to the whole city, right? Same principle applies here.

  • Peer-to-peer interactions can work just fine without blockchain. For example, two parties can exchange verifiable credentials directly using DIDComm.

  • Pairwise private DIDs (like did:peer) are perfect for one-on-one relationships without any blockchain involvement, and using a different DID per relationship keeps your relationships from being correlated with each other.

  • Blockchain comes in handy when you need public verifiability or to publish things like issuer DIDs, schemas and revocation registries. Even then a ledger is only one kind of verifiable data registry; did:web, for example, serves the DID document from an ordinary web server.

What about privacy? Isn't blockchain public?

Good question! While blockchains are public, we should never store personal data on them, not even hashed: a ledger can't be edited or erased, and a stable hash of your data is a correlation handle that follows you around. The blockchain only stores things like:

  • Public DIDs of institutions

  • Credential definitions

  • Revocation registries

  • Schema definitions

Your personal information stays with you, in your wallet, where it belongs.

How is this different from existing digital ID systems?

Unlike current systems where every service provider keeps a copy of your data:

  • You control your information

  • You choose what to share

  • Far less of your data ends up scattered across other people's databases, because you share only the claims a verifier actually needs

  • No more creating new accounts everywhere you go

Getting Started with SSI

Want to dive into SSI development? Here are some resources to get you started:

  1. W3C Specifications: Start with the DID and VC specs

  2. Development Frameworks and tools:

    • Hyperledger Aries

    • Hyperledger Identus (formerly Atala PRISM, home of did:prism)

    • Privado ID (formerly Polygon ID)

  3. Community: Join SSI communities on various platforms to learn and contribute

The End of Our Journey (But Just the Beginning of SSI)

Oh, and about that C# implementation I was struggling with at the beginning? Yes, I fixed it. Turns out reading the spec wasn't such a bad idea after all. It's these small victories that make building in the SSI space so captivating – every solved puzzle brings us closer to a future where digital identity actually makes sense.

The field of SSI is like a giant puzzle where we're all working together to create something revolutionary. Some days you're scratching your head over understanding DIDComm, and other days you're watching someone's eyes light up when they realize they can prove their identity without sharing all their life history !

So whether you're a developer diving into the specs, an organization looking to innovate, or just someone tired of resetting passwords, welcome to the future of digital identity. It's a beautiful wild ride, but I promise it's worth it.

And yes, while I type this, I'm probably also debugging another DID issue... because that's just how we roll in the SSI world. 😉


This article was written based on experiences implementing SSI solutions and presenting at DevFest Mt. Kenya. If you're interested in learning more or have questions, feel free to reach out!
