Hi folks-- Following is the material I was supplied by the Sovrin Foundation folks in answer to the questionnaire. Hopefully we can use this as a discussion topic on the next call (unless there's a more pressing set of material ahead of it).

Eve Maler
ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
The ForgeRock Identity Summit is coming to Paris in November!


---------- Forwarded message ----------
From: Eve Maler <eve.maler@forgerock.com>
Date: Sun, Oct 23, 2016 at 4:42 PM
Subject: Re: Questionnaire for the Sovrin Foundation for the BSC report
To: Phil Windley <phil@windley.org>


Belated ack/thanks for this! I'm going to send it to our DG for question and comment as we work through it. What we publish may be a combination of quoted sections, paraphrases, commentary, and so on, and since we do our work in the open anyway, of course we'll invite and welcome comment back on the draft.



On Fri, Oct 14, 2016 at 8:30 AM, Phil Windley <phil@windley.org> wrote:
Here are some answers to the questionnaire. Let me know if something doesn’t make sense or needs more explanation.

Deficits and benefits of how the problem space was/is being solved

The Internet was built without a standard, explicit way of identifying people or organisations. So websites simply began offering their own local accounts with usernames and passwords, and this has been the predominant solution ever since. 

But the Internet has expanded hugely, and people use more and more services daily. This silo-based approach, where users must maintain identities for every site they interact with, has become untenable. It is not just a usability disaster for individuals, it also creates a multitude of data honeypots for hackers—the breach of which compromises trust in all Internet services. 

To solve this problem we have tried to connect different identity silos together in various federated models. However, these have produced inadvertent side effects such as concentrating control around a small number of providers, correlation of personal data through multiple seemingly unrelated transactions, increasing data leakage through inadvertent sharing, and raising privacy concerns, all while not actually giving the individual real control. At the same time, there is a growing economic inefficiency when organisations all around the world have to collect, store and protect the same sort of personal data in their own silos. It is reaching a tipping point.

The next evolution of the Internet will be the creation of a common identity layer that allows people, organisations and things to have their own self-sovereign identity—a digital identity they own and control, and which cannot be taken away from them. Self-sovereign identity is the natural evolution of an ecosystem which has moved faster than its supporting capabilities.

Proposed benefits of the new solution space

To create the long-missing identity layer of the Internet, a new, trusted infrastructure is required which enables identity owners to share not only identity, but also verified attributes about people, organizations and things, with full permission and consent.

For identities to be truly self-sovereign, this infrastructure needs to reside in an environment of diffuse trust, not belonging to or controlled by any single organisation or even a small group of organisations. Nobody can “turn the lights out”. Distributed ledger technology (DLT) is the breakthrough that makes this possible. It enables multiple institutions, organisations and governments to work together for the first time by forming a decentralised network much like the Internet itself, where data is replicated in multiple locations to be resistant to faults and tampering.

When combined with distributed key management and peer-to-peer sharing of encrypted claims, DLT is what finally makes self-sovereign identity possible. Within this identity layer, mechanisms for discovery, routing of requests, secure exchange of information and management of consent, under the full control of the identity owner, finally become possible.

The Sovrin Identity Network has been designed specifically to deliver a globally scalable self-sovereign identity solution. But to be truly self-sovereign, it cannot be owned by anyone. Similarly, to be fully trusted, and to avoid the pitfalls of other initiatives in the distributed ledger space, Sovrin needs a lightweight governance layer. To achieve this, the developers of Sovrin have given away the source code to the Sovrin Foundation, a not-for-profit organisation whose role is to provide a thin layer of governance to Sovrin while not owning or managing any infrastructure. The Sovrin Foundation ensures the effective distribution of the decentralised network and ensures that the network itself functions in the best interest of its users.

Different approaches being taken in the new solution space, e.g. if other approaches are being taken outside of Sovrin

Early examples of identity solutions using distributed ledger technology used ledgers built for other purposes such as the Bitcoin ledger, or general purpose ledgers such as Ethereum. While these capabilities are able to provide fairly simple proofs that something took place on a certain date & time, they are not dedicated to the particular nuances of the identity ecosystem such as non-correlation, revocation and anonymous zero-knowledge proofs.

They also lack governance. For example, the need to secure the network by using hashing power has resulted in a concentration of Bitcoin mining in China. Who are these miners? Do we trust them? Do they jointly exert too much influence? What governance is in place? The recent forking of Ethereum has also shown the consequences of a lack of governance and direction.

Sovrin is the first public-permissioned distributed ledger. It is publicly accessible by anyone, but in order to run one of the nodes which validates the integrity of the network, you need to be permitted to and you must abide by certain rules which include the Sovrin Trust Framework.

Non-distributed ledger solutions are attempting to paper over the problems with silo-based identity. Examples are federated identity models such as the gov.uk Verify system, which uses attribute sharing hubs and identity providers to move information from one silo to another, but without giving the identity owner real control. Personal information management solutions are going a step further, in enabling identity owner control of their data, but are still somewhat lacking in portability and therefore remain as silos.

Strengths, weaknesses, risks, and open issues being seen in practice

The ability for an identity owner to assert multiple verifiable claims about their identity, anonymously if required, and without possibility of correlation, is central to the architecture of Sovrin. With discovery capabilities to ensure that party A can confirm the identity of party B, and vice versa, direct party-to-party data sharing can take place with no need for intermediaries and with full evidence of consent. 

By replacing intermediaries with protocols, immediate digital identity verification can take place with no 3rd party involvement. There are too many benefits to list, but here are a few that we are working on: instant employment screening, frictionless bank KYC, identity for the stateless, fast online checkout, globally portable digital identity for travellers, and vaccination recording for developing countries.

Challenges to adoption of Sovrin are those typical of a two-sided market. Both identity issuers and relying parties need to come on board. Sovrin partners are taking a simple approach to this – the initial partners will be both issuers and relying parties. They will provide new identity services for their users to be utilised within their own ecosystem. These islands of functionality will expand and intersect with other islands, and individuals will find that they can use their identity information from one issuer with a completely different relying party. In other cases, coalitions of organisations which are all trying to solve the same problem are coming together to create an ecosystem where they can all use Sovrin to their mutual benefit.

The other major challenge is an educational one. Trying to explain self-sovereign identity to a layman is difficult. Because people have been brought up to understand that the only way the internet works is to give their details to many different organisations repeatedly, they cannot conceive of a better way. Being able to get across the power of every individual having their own digital identity which they control and own and which cannot be taken away is a new concept which needs to be communicated effectively.

Whether other technologies and techniques are being brought to bear (you can see a list of technologies and techniques we are analyzing in our report TOC)

Sovrin enables/uses the following:
- Public-permissioned distributed ledger technology based on the Plenum Consensus Protocol, involving multiple specialised ledgers (identity ledger, config ledger etc.)
- Verifiable claims
- Anonymous credentials
- Revocation, anonymous if required
- Distributed and cryptographic identifiers
- Link contracts & consent receipting
- Persistent P2P messaging endpoints
- Key discovery, management, recovery & rotation
- Portable off-ledger private data storage, e.g. IPFS/BigChainDB etc.
- Identity, relationship and reputation graphs
- 3rd-party-attested and self-attested claims


On Oct 11, 2016, at 9:41 AM, Eve Maler <eve.maler@forgerock.com> wrote:

Hi Phil-- Thanks for being willing to help the Blockchain and Smart Contracts group understand what Sovrin is doing in the context of our analysis efforts!

If you look at the first paragraph of our draft report's introduction, you'll see a statement of our scope:
  • Solving use cases for empowering traditionally disempowered parties (such as individuals)
  • taking part in transactions (such as entering into contracts and information-sharing agreements)
  • with parties that traditionally hold greater power (such as companies and large countries)
  • in the context of decentralization technologies and techniques (such as blockchain and smart contracts)
  • and their mixture with identity (both in the course of conducting business/legal transactions and to solve digital identity use cases).
Our Discussion Group is time-boxed to six months, and so we plan to go into only as much depth as can be covered in this time frame. (We started in July!)

With all of this in mind, could you please comment on the following aspects of Sovrin?
  • Deficits and benefits of how the problem space was/is being solved
  • Proposed benefits of the new solution space
  • Different approaches being taken in the new solution space, e.g. if other approaches are being taken outside of Sovrin
  • Strengths, weaknesses, risks, and open issues being seen in practice
  • Whether other technologies and techniques are being brought to bear (you can see a list of technologies and techniques we are analyzing in our report TOC)
Many thanks! If you have any questions, or would like to discuss responses in a phone call, don't hesitate to let me know.

Eve Maler
ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
ForgeRock Summits are coming to London and Paris!