SSI, will it work? GB

Report out – Seminar on SSI – Security Leadership Brussels

On October 5th 2022 there was workshop at the Security Leadership event in Brussels (by Heliview Conferences & Training) discussing Self Sovereing Identity (SSI), and wondering ‘will it work?’. Jacoba Sieders facilitated this workshop and she started with a poll by raise of hands: “Who thinks that SSI will work?” Just over 60% of the attendees thought it would work (in other words, they were believers). Towards the end of the conversation the poll was repeated, and the 60% dropped slightly, however one unbeliever was converted and some lost their faith.

Jacoba explained SSI including the European context (European identity ambition with wallets). Traditionally identity management means that a user interacts with an organization, and that organizations registers, stores and manages the (digital) identity of that user. Evolved identity management means that a user interacts with an organization and the user himself takes care of the (digital) identity, stores and manages it, and presents it to the organization. The difference is that the organization has no identity store to maintain, but relies on the (verified) credentials that the user presents. That is called ‘self-sovereign identity’, because the user self rules (sovereign) over his (or her) identity.

Then we discussed what would determine success or failure, roughly speaking, of SSI. The list below is the rough output of this workshop and certainly not a complete or finite list. It is not even thoroughly worked through. Yet, this session and the interaction created quite a lot of interesting gems which we thought we’d share anyway. So here we go:

Indicators that SSI might work

The legal endorsement is coming into place, California (US) for example legislated the use of wallets for birth right and death registration. When there is legal endorsement, and a legal ground for use, then it can more easily be used/increase the uptake.
Efficiency and cost savings (mainly for the relying party – they don’t need to verify a paper document or keep an administration) – an example was given that a process went from 72 hours back to 6 hours (duration).
Increased privacy and security, because the data is no longer centrally stored at an organization in multiple silos, but in one wallet. The breach of the Australian Telco was referenced here.
GAIAX development, developing it’s own wallet (and thereby promoting SSI). Note: others are also working on SSI solutions, including GAIN and others.
Useability (for the end user)
It goes beyond the identity, because it includes also attributes, verified credentials and self-declared credentials.
Prevents disintermediation, large organizations need to get along otherwise they will lose customer (interaction).
SSI guards privacy in a better way and in that suffices GDPR very well.
The digital generation expects a smooth digital experience (because the big techs have spoiled them), and a wallet could match that expectation.

Indicators that SSI might not work

Key management remains difficult, once your key to your wallet is lost, all your identity data and credentials become unavailable.
A scattered landscape of approaches and solutions to do SSI.
User adoption
Privacy paradox, users can now control their own data, but are the equipped to do this properly, or (privacy paradox:) do they keep their data very secure until sharing it gives them a discount or a candy bar.
Correlation
Legal context
Hostile environment and abuse
New solutions still need to work with legacy IT, which is always a challenge.

Conditions and ‘if’ statements related to SSI

Use cases required for it to work
Political will to move SSI approach and solutions forward
Standardization and interoperability of SSI solutions
Trust lists and revocation lists (in order to make it work you need to find trusted wallets and issuers and know which/when is revoked)
From an inclusive lense, who should be able to use it
You still need to solve a lot of traditional identity issues, like enrolment, federation, etcetera.

So, will SSI work and when?

The way SSI may works may be different per industry (for example monopolist industries vs industries with strong competition). And once you start rolling it out you need to realize that you need to support both the SSI/digital and the ‘traditional’ solutions for quite some time. Other questions that were asked, like should it be blockchain or not, should it be open source, and what is the exact label that it should have, were not further discussed.

Towards the end we realized that timing is a factor, so when this will be realized also depends on the factors above. The general consensus in the group what that between 10 – 15 years a truly working solution should be available. But the question then ofcourse is; how did the world evolve in the mean time? Because the Roblox generation that has grown up online is going to conquer the world quite soon, and they may flip the table on those who still knew a world that existed mainly analogue.

Note: this write-up is a co-creation of Henk Marsman and Jacoba Sieders. It in no means has the pretence to be complete or perfect. It aims to contribute to the developments of SSI understanding and solutions.

About the authors

Henk Marsman
Digital Identity Thinker & Principal consultant

henk.marsman@sonicbee.nl

Henk Marsman is pricipal consultant at SonicBee and has over 20 years of experience in cybersecurity and identity and access management (IAM) specifically. As expert in that field he is a frequent chair, moderator and public speaker at various conferences and events. Through his research on ethical aspects of national digital identity systems he contributes to a sustainable, inclusive digital society.

Jacoba Sieders
Independent Digital Identity / IAM strategist

Jacoba Sieders is an independent digital identity expert. She spent more than 20 years in leadership positions on IAM and KYC at major banks in the Netherlands, in Luxembourg at the European Investment Bank and in India for ING Group. She is a member of several international expert groups and think tanks, was part of the Dutch Blockchain Coalition’s SSI initiative and was a member of the NEN/ISO technical working group. Jacoba was a member of the Advisory Board of ID-Next, the independent European think tank on identity, and of the Advisory Board for the EU ESSIF Lab on SSI. She is also on the Advisory Board of SonicBee, and works with Capitar Security.

About SonicBee

SonicBee is the Identity and Access management (IAM) company providing innovative and intelligent managed services and business consultancy to make businesses faster, smarter and more secure. We ensure that everything and everyone within your environment can access information in a safe, compliant and smart way.

We challenge the existing market by looking at identities and data in a new way. SonicBee provides managed services, advisory services and trainings focused on increasing our society’s cyber security and creating business value.