The first two parts of this short series touched on a couple of newer ideas about digital identity, namely, Decentralised Public Key Infrastructure (DPKI) and Self-Sovereign Identity (SSI). Both of these ideas look to improve upon the more traditional ways of working related to PKI, and reduce reliance on central figures in services, like the Certificate Authorities (CA) that act as the root of trust. In an attempt to replace the trust offered by CAs, DPKI and SSI both look towards blockchain technology as the key to solving this puzzle. I use the word “puzzle”, because “problem” doesn’t seem appropriate. In summing up this series, this final post will be focused on that word and the question, “what is the problem that needs to be solved?”.
Both DPKI and SSI have honourable and topical values that genuinely align with the way society is moving, as can be seen by new data regulations such as GDPR and CCPA. These identity systems look to put the user in control and distribute the power in the service more evenly, avoiding single points of control or data collection. Blockchain brings with it the idea of decentralisation and distribution; the idea that if we want to share concepts like control and trust, blockchain is the key. It’s not too hard to understand why this is the case. Blockchains store data in a way that can let a set of nodes store the same data in different places. To modify that data, the majority, or a set ratio of the nodes must agree. No node can make changes without a consensus. The composition of the data also means it is mathematically impossible for changes to stored data to go unnoticed. Both of these are interesting, valuable concepts. Setting up a blockchain though, isn’t necessarily the simplest or most cost-effective way of achieving them, and we must ask whether acting in this new way is a genuine solution to a persistent problem in national digital identity solutions.
Looking to Estonia and the X-Road
I’ll refer to Estonia as a part of the answer, as it is an excellent example of where a national digital identity solution has been running for twenty years, as well as an example of where blockchain is nothing new. Estonia started looking into blockchain in 2008, with significant research being carried out. The main use case for blockchain now, specifically KSI Blockchain, is one method of providing integrity to the data exchange transactions made over the X-Road for a certain set of government registries. The X-Road is a decentralised platform used for secure data exchange between hundreds of public and private sector organisations. The X-Road has been around for as long as digital identity. It has created many benefits with regards to data and attribute sharing, utilising trust services such as CAs, online certificate status protocols (OCSP), and time-stamping authorities to achieve a high level of trust in the system. It also reduces the need for data duplication and enables peer-to-peer data exchange from the source, ensuring the data is shared securely and is the most up-to-date.
The X-Road is just one example of a solution that can achieve the majority of the principles touted by DPKI and SSI. Tools such as consent management, where users must provide consent for their data to be shared, and data access tracking, where users can see when, who, and for what reason their data has been accessed, puts control in the users’ hands and brings transparency to the solution. Furthermore, the X-Road is interoperable and can be federated, like with the example of the Finnish and Estonian X-Roads being connected, enabling digital identity recognition and data exchange across borders. The principles and technology behind the X-Road have been around for twenty years and the value has been proven beyond doubt.
The Value of SSI and DPKI
I don’t mean to be negative about blockchain, DPKI, or SSI. They may each have their place and solve genuine problems. But I believe these are problems far more commonly experienced with the kind of digital identity I have not been discussing, but referenced in the first post in this series. I referred to an identity that is built up around us as we use the internet and participate in the world wide web society. It’s a more holistic view of digital identity, and brings into frame the idea that all the actions we make online and all the data we share, builds a persona for us. This is not necessarily linked to a real-world identity, but has input from one. A very real character is created, one that can be tracked and sold to, one that can be stolen from.
What DPKI and SSI look to achieve is a way for individuals to act online with identities that can’t be tracked; with identities that don’t need to be 100% trusted at their core, but can provide attributes that can be trusted to a degree. SSI looks to remove the reliance from the mega data miners like Google and Facebook who offer “sign in with” services that might be convenient and free, but do come with a cost - our data. Here, we’re not looking to interact with governments or participate in a government-led society with taxes, healthcare, banking, and insurance. We’re looking to stream videos and music, find others with common interests, play games, buy products and services, all in a way that puts us in control of what data we share. Facebook and Google solved the problem of internet users having too many log-in credentials and sign-up processes taking too long, but in doing that, created the problem of internet users having to sacrifice some of their data for this convenience. SSI is pushing to solve this new problem by replacing the offerings from Facebook and Google with identities built on data possessed by the person they refer to. They have to move quick though, as these giants start trying to solve this problem themselves.
An individual may possess as many identities as they like, and use them for different kinds of services. Another option is that each time a user logs in using an SSI or DID (Decentralised Identifier) service, a new identity is presented to the service provider, making it impossible to track that particular identity to the next service. There is a good set of principles behind SSI, but bringing the conversation back to blockchain, I struggle to find its unique value. Where SSI positions blockchain is in storing signed hashes of verified attributes, which might make sense. But the question arises, “how are these attributes signed?” The most trusted method of digital signature remains PKI, those signatures that rely on Certificate Authorities to verify the identity of the signer, and subsequently offer the OCSP to confirm the validity of the signatures at a later date. If blockchains have a place here, it is with the CAs. These are the trust organisations, heavily audited, and dealing in trusted processes. As far as I can see, I haven’t seen a shift in this direction.
Let’s Look to What We Already Have
None of this is to say that blockchains are not useful, it is just to say I don’t believe they are useful with respect to digital identity, and more specifically, the kinds of digital identity services governments require. Blockchains are not free. In fact, they can be quite expensive and resource intensive to operate. They are not infallible, as unfortunately, where there are humans, there is fallibility. When it comes to national digital identities, trust is paramount. Trust that must be maintained through processes, laws and regulations, and technology, the latter often playing just a small role in the wider scheme of things.
Major companies like Mastercard and Microsoft are looking in this direction with pilots running in a few countries around the world. When I see quotes like, “In the NHS system, at each hospital healthcare workers go to, it used to take months of effort to verify their credentials before they could practice," I don’t think of blockchain. Instead, I think, “Why on earth haven’t you considered the 20-year-old digital signature?”. The issuing university or hospital signs a certificate or right to work document and e-mails it. The receiver is able to check the signature using the OCSP, and we’re done. This feels like yet another case of suitable, tried and tested methods being pushed to the side for blockchain, for no valid reason.
To conclude this short series on blockchain and its place in digital identity, I’ll simply say where we need trust, there are trust service providers. Where we need security, we have advanced methods of private key protection. Where we need transparency, privacy, and control, we have concepts like the X-Road and UXP in Estonia, Finland, Ukraine, Benin, Namibia, Greenland, etc. Where we need governance, we have processes, laws, and regulations, and it is most likely here, where blockchain has the most to prove. I’m struggling to see the problem with digital identity that blockchain solves. What I have no difficulty in seeing are the problems that must be solved if we do look to use blockchain here.
Written by Maximiliaan van de Poll
Digital Identity Product Manager