Self-sovereign identity meets Blockchain: Is it meant to be?

It is most likely the most popularized, recycled, and media divulged tech term of recent years - Blockchain. Thrown around so much that one must wonder what miraculous gifts this technology is bearing for the humankind. The mainstream view holds that Blockchain is the genesis of self-sovereign identity in the digital future. Yet we must equally ponder to what extent are these two the perfect match to do such a job? Is it truly meant to be? Or is it just a blind date?

To start off, let's explore a simplified version of the first part of the equation - digital identity. So, what is digital identity? For sure, it is all the things that uniquely identify a given person in an online world. It is also a means for digital ownership - what binds us to our personal & non-personal data, and our assets in the digital space.

With self-sovereign identity (SSI), the goal is to give the user maximum control over their own digital identity. To achieve this, we must bind a real person of flesh and blood with their digital assets on the internet. And this must be done continuously over time. For this to work, authenticity, integrity, and sometimes privacy must be achieved as a backbone for online trust. So how to make all this work?

Allow us to introduce Blockchain into our excellent equation. Its purpose should be simple. To technically facilitate trust online in a way that doesn’t rely on any third-party. The idea is you only have to trust the blockchain design, instead of having to trust organizations. Sounds marvelous. But does it really work? Is it truly the answer to our identity problems?

To find out, let's shed a bit of light on how Blockchain does its business. To avoid overheating our precious neurons, it is enough to know this: the Blockchain operates as a shared book of records that stores any information you give it. These can be anything: from coin to transaction of goods in the logistics, to identity data. The great thing about the Blockchain is that it makes sure the Blockchain data can't change; hence, it can also be trusted from a particular perspective. But what does this have to do with identity?

The last and most important thing has to do with how PEOPLE use the Blockchain in a self-sovereign identity-like schema—introducing the Wallet! A genie that makes your wish come true! The Wallet is just something that stores the users' unique private key(s) on their device. It also protects the key so that only the one and only user has access to it. So how do we use this magic? In principle, the private key is what binds the information that's stored on the Blockchain to a single user. It's used to encrypt stuff, including transactions or your personal data.

Okay, now the simple version.

In bitcoin: you make a transaction with your Wallet's key to cryptographically inscribe it onto the blockchain record forever.

With SSI: you store on the Blockchain with your Wallet's private key some identity data (like your health records, or some data that leads to your health records). And perhaps you encrypt it with your Wallet as well so that only you can gain/grant access to it. You would encrypt it with your key so that no one else can read it without your permission.

In short, your Wallet and its key(s) are what binds anything on the Blockchain to you.

Important note about the private key:

1. Your private key is what cryptographically binds stuff on the Blockchain to you.

2. Your private key must be unique and accessible only by you, which means it cannot be made possible to regenerate or copy it, even by you.

3. These are the harsh realities of how cryptography works. ☺

Let’s see what happens when we test our blockchain SSI against some of the fundamental digital identity requirements. Specifically, let's consider a mix of security, resilience over time, privacy-by-design, and service availability.

If you look at them separately, it seems like there is always a neat solution at hand. What happens when you mix and match? Let’s see.

A private blockchain?

Like to keep things confidential? What if we want to make some data private? No problemo! Just encrypt some sensitive personal data so that only you have access to it, right?

No. This gets us to the first problem. Ensuring privacy with encrypting things as the lone measure is not privacy-by-design. Especially when it’s done with the user’s private key. Why? There are two reasons: first, cryptography ages with passing time – what if users don’t re-encrypt their personal data over time? Does that mean they are no longer protected? Another issue with this cryptography-for-privacy approach is that experts know that crypto-algorithms, random-number regenerators, and all that fun stuff needed for encryption can be found to be detect in the past. What do we do when all the users' records are kept private by means that are found to be vulnerable (e.g., ROCA)  ? Remember, the Blockchain is a shared record, so in principle, anyone has access to the raw data.

For privacy-by-design systematic protection needs to be employed instead of doing a better job.

A long-lasting SSI on the Blockchain?

Let's get one thing straight. For SSI we need robust security. Okay, so let's say we have a blockchain system that is secure i.e., it uses cryptography for user authentication, data binding, and possibly privacy.

We also need an SSI that people can use for a long time. How long have you had your banking or email account? You’ve likely been using the same one for a while.

Recap: how do people get access to data and assets on the Blockchain? You guessed it; we're back to cryptography and private keys to make SSI bombenfest. BUT we also have to realize that to make it bombenfest; there really isn’t another way to claim anything on the Blockchain without the private key.

Simply put: stuff like money, transaction records, or encrypted personal data on the Blockchain are systematically deadlocked to the private key. Now, we're really getting into trouble. What if the user loses their unique, no-other-copy-exists key? From the very principles of cryptography, we know that the private key must be unique and only one copy. That means you can't just regenerate it or simply back it up on another device. No way, Jose. Does that mean you just lose access to everything if you lose your Wallet? Losing or forgetting things is quite a common thing, is it not? To translate this into reality - unless there is some backdoor security workaround, you can wave farewell to anything stored with your private key. Workarounds like your mother's maiden name undermine the security of the whole concept and make it into an easy prairie prey for hackers.

Here you also might be tempted to say: hey, why don't we save these private keys with some sort of identity banks for private keys? But wouldn't that defy the whole point of having a blockchain in the first place entirely? Unfortunately, this has been here before. It's called PKI. Back to square one.

The train has arrived at its final destination. Blockchain & self-sovereign identity might look good on the front cover of the acclaimed magazines. Nevertheless, the beautiful illusion of their long-term relationship seems to end right after the appetizer is served. Some things are just not meant to be, or better to say - built to be.

I get it Blockchain stands for essential values: a distributed future where individuals are no longer at the mercy of powerful organizations. These are well essential goals that deserve attention. A distributed identity is indeed what we need for a future of trustworthy and fair internet. We just mustn't get hung up on a single technical approach that fails to reflect all the internet identity laws. Is this the end of this grand vision of distributed identity? No! Let's not throw in the towel so quickly. Could we, after all, find a better match for the future of our identity? Where there is a will, there is a way. Stay tuned.