Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference


(Niels van Dijk)

Session board photo

About the idea that users should be able to own their own identity data.

The oldest model: there is a service, and as a user you create an account there, get a username and password, and exist only in that context.

The 2.0 version: there is you, and another party (an identity provider) managing your identity on your behalf, which is connected to an SP.

?: The IdP manages your identity on behalf of your employer, not on behalf of you.

N: You are correct. Good point. The IdP has a profile of you and manages it on your behalf. To self-govern your data, 2.0 doesn’t work; you cannot exist together with your identity data.

In the self-sovereign model you have a device (they call it a wallet, for example) and several entities that are allowed to make statements about you: government, IdP, and so on. You load these statements into your wallet, and an SP receives that data from the wallet upon request.

How do I know, as an SP, that a statement is authentic? To address that, they created a way to verify that a statement really was made by the entity it claims: a ledger in which the interactions are recorded. Not the value of the statement, only the fact that the statement was made.

The SP can then look in the ledger for that record. It is secured with keys, public and private.

Where the trust anchor lives is not specified. A transaction such as a statement about Niels gets an ID, and in principle they left open what the method behind that ID is.

Most DID methods use blockchain technologies. If you are represented by a DID, part of the DID itself says which method it was derived from, so it can be traced back to the self-sovereign methodology behind it.

It doesn’t require a leap of faith: by accepting the DID you are trusting the method and the ledger behind it.

A DID could be government-established on a government-run ledger; because DID methods are extensible, it is not a single trust framework, you can have a mix. The SP still has to decide whom to trust, but mixing becomes much easier.
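The mechanism sketched above (issuer signs a statement, the holder carries it in a wallet, the ledger records only that the statement was made, and the SP decides which DID methods it trusts) is an added example and not code from the session or from any DID project. It assumes Ed25519 signatures, an in-memory map standing in for the ledger, the "did:<method>:<id>" identifier shape, invented DIDs, and a SHA-256 digest of the canonical statement bytes as the ledger record; a real deployment would use a proper canonicalisation and a real registry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Statement is a claim an issuer (government, IdP, ...) makes about a subject; DIDs are invented did:<method>:<id> values.
type Statement struct {
	IssuerDID, SubjectDID, Claim string
}

// Credential is the signed statement the holder keeps in the wallet and presents to an SP.
type Credential struct {
	Statement Statement
	Signature []byte
}

// Ledger models one DID method's registry: issuer public keys plus a SHA-256 digest per statement made (never the value).
type Ledger struct {
	Method string
	Keys   map[string]ed25519.PublicKey
	Made   map[[32]byte]bool
}

func NewLedger(method string) *Ledger {
	return &Ledger{Method: method, Keys: map[string]ed25519.PublicKey{}, Made: map[[32]byte]bool{}}
}

// canonical is the exact byte string that is signed and hashed (fixed field order, NUL separated).
func canonical(s Statement) []byte {
	return []byte(s.IssuerDID + "\x00" + s.SubjectDID + "\x00" + s.Claim)
}

// methodOf returns <method> from "did:<method>:<id>", or "" when the DID is malformed.
func methodOf(did string) string {
	if p := strings.SplitN(did, ":", 3); len(p) == 3 && p[0] == "did" && p[2] != "" {
		return p[1]
	}
	return ""
}

// NewIssuer generates an issuer key pair and anchors the public key on the ledger under the DID.
func NewIssuer(l *Ledger, did string) (ed25519.PrivateKey, error) {
	if m := methodOf(did); m == "" || m != l.Method {
		return nil, fmt.Errorf("%q is not a did:%s identifier", did, l.Method)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	l.Keys[did] = pub
	return priv, nil
}

// Issue signs the statement with the issuer's key and records its digest on the ledger.
func Issue(l *Ledger, priv ed25519.PrivateKey, s Statement) (Credential, error) {
	if pub, ok := l.Keys[s.IssuerDID]; !ok || !pub.Equal(priv.Public()) {
		return Credential{}, fmt.Errorf("issuer %s has no matching key on ledger %s", s.IssuerDID, l.Method)
	}
	l.Made[sha256.Sum256(canonical(s))] = true
	return Credential{Statement: s, Signature: ed25519.Sign(priv, canonical(s))}, nil
}

// Verifier is the SP side. Trusted maps DID methods to the ledgers this SP accepts, so a government
// ledger and a federation ledger side by side are just two entries.
type Verifier struct{ Trusted map[string]*Ledger }

var (
	ErrUntrustedMethod = errors.New("DID method not trusted by this SP")
	ErrUnknownIssuer   = errors.New("issuer DID not anchored on the ledger")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrNotRecorded     = errors.New("statement not recorded on the ledger")
)

// Verify checks, in order: trusted method, anchored issuer key, signature, ledger record.
func (v *Verifier) Verify(c Credential) error {
	m := methodOf(c.Statement.IssuerDID)
	l, ok := v.Trusted[m]
	if m == "" || !ok {
		return ErrUntrustedMethod
	}
	pub, ok := l.Keys[c.Statement.IssuerDID]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, canonical(c.Statement), c.Signature) {
		return ErrBadSignature
	}
	if !l.Made[sha256.Sum256(canonical(c.Statement))] {
		return ErrNotRecorded
	}
	return nil
}
```

To use it: create a ledger per method with NewLedger, anchor issuers with NewIssuer, let each issuer call Issue, and give the SP a Verifier whose Trusted map lists the ledgers it accepts; a credential from a method that is not in that map fails with ErrUntrustedMethod until the SP adds the ledger. One caveat worth keeping in mind: recording a digest instead of the value keeps the claim off the ledger, but anyone who later sees the full statement can recompute the digest and link it to the ledger entry, so the ledger still reveals that a specific statement exists.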

?: In SAML it was too difficult to have multiple sources. With OpenID Connect it’s feasible, and you can draw the same graph and end up with the same content. Does anyone in this room know reasons why it didn’t happen with OIDC?

N: No idea. One of the premises: a lot of solutions were in the SAML space, where there is no proxy. IT wants to deal with it, and you’d want to have control over where data flows; whether it works is unknown. The institution that has the data can make the claim; a single person cannot make this claim.

This is a way of replicating the analog experience.

There are 6 or 7 DID schemes, but nobody has built a wallet that can accept all of them. Many of the scenarios build on blockchain.

P: You have to be very careful not to use proof-of-work blockchains.

We don’t have the trust problem to such an extent. For us, the ledger might not be that big of an issue. The fact that you have a record of the transaction might be very valuable.

We have our validation of DIDs in eduGAIN. eduroam is the Wi-Fi federation. I could validate a DID with a local authority, but who would run a ledger at that level, a country-level ledger?

We could have this mechanism and it would be compatible with all of the SSI stuff. We would be able to ignore blockchain but still leverage some of the statements coming into the wallet.

If you spend 5 minutes at IIW you see there is a lot of interest from governments; something will happen with this technology.

?: In PKI there is a clear trust anchor, or cross-signing: you join a federation and sign up, and chain to the last bit. I am missing the pre-configured trust that will let me jump on any ledger.

Under GDPR the IdP collected data for a purpose, which means they are reluctant to release attributes. How would that work in this case? The IdP would give an attribute to the wallet, but it’s the end user who holds it.

You can’t put the data in there directly, but you can put the data in a statement. The owner is in charge of the wallet.

It’s a good idea to have your own DID method.

We want to be able to engage with this tech; it’s in heavy development. Going back to the premise, a lot of the ideas are that the user is the owner of his own data. If a researcher were able to load his roles into the wallet, that would be really strong, and it would immediately make a few proxies no longer needed.

Another scenario: IdPs under GDPR wouldn’t want to release to just anything, so you’d allow the entities on the left (the issuers) to add a scope for what gets released. You cannot release to just anyone, only to a specific subset.

By law, only healthcare and government SPs are allowed to get data like my citizen number.

P: You’d limit self-sovereignty with that.