SSI, will it work?
Report out – Seminar on SSI – Security Leadership Brussels
On October 5th 2022 there was workshop at the Security Leadership event in Brussels (by Heliview Conferences & Training) discussing Self Sovereing Identity (SSI), and wondering ‘will it work?’. Jacoba Sieders facilitated this workshop and she started with a poll by raise of hands: “Who thinks that SSI will work?” Just over 60% of the attendees thought it would work (in other words, they were believers). Towards the end of the conversation the poll was repeated, and the 60% dropped slightly, however one unbeliever was converted and some lost their faith.
Jacoba explained SSI including the European context (European identity ambition with wallets). Traditionally identity management means that a user interacts with an organization, and that organizations registers, stores and manages the (digital) identity of that user. Evolved identity management means that a user interacts with an organization and the user himself takes care of the (digital) identity, stores and manages it, and presents it to the organization. The difference is that the organization has no identity store to maintain, but relies on the (verified) credentials that the user presents. That is called ‘self-sovereign identity’, because the user self rules (sovereign) over his (or her) identity.
Then we discussed what would determine success or failure, roughly speaking, of SSI. The list below is the rough output of this workshop and certainly not a complete or finite list. It is not even thoroughly worked through. Yet, this session and the interaction created quite a lot of interesting gems which we thought we’d share anyway. So here we go:
Indicators that SSI might work
- The legal endorsement is coming into place, California (US) for example legislated the use of wallets for birth right and death registration. When there is legal endorsement, and a legal ground for use, then it can more easily be used/increase the uptake.
- Efficiency and cost savings (mainly for the relying party – they don’t need to verify a paper document or keep an administration) – an example was given that a process went from 72 hours back to 6 hours (duration).
- Increased privacy and security, because the data is no longer centrally stored at an organization in multiple silos, but in one wallet. The breach of the Australian Telco was referenced here.
- GAIAX development, developing it’s own wallet (and thereby promoting SSI). Note: others are also working on SSI solutions, including GAIN and others.
- Useability (for the end user)
- It goes beyond the identity, because it includes also attributes, verified credentials and self-declared credentials.
- Prevents disintermediation, large organizations need to get along otherwise they will lose customer (interaction).
- SSI guards privacy in a better way and in that suffices GDPR very well.
- The digital generation expects a smooth digital experience (because the big techs have spoiled them), and a wallet could match that expectation.
Indicators that SSI might not work
- Key management remains difficult, once your key to your wallet is lost, all your identity data and credentials become unavailable.
- A scattered landscape of approaches and solutions to do SSI.
- User adoption
- Privacy paradox, users can now control their own data, but are the equipped to do this properly, or (privacy paradox:) do they keep their data very secure until sharing it gives them a discount or a candy bar.
- Legal context
- Hostile environment and abuse
- New solutions still need to work with legacy IT, which is always a challenge.
Conditions and ‘if’ statements related to SSI
- Use cases required for it to work
- Political will to move SSI approach and solutions forward
- Standardization and interoperability of SSI solutions
- Trust lists and revocation lists (in order to make it work you need to find trusted wallets and issuers and know which/when is revoked)
- From an inclusive lense, who should be able to use it
- You still need to solve a lot of traditional identity issues, like enrolment, federation, etcetera.
So, will SSI work and when?
The way SSI may works may be different per industry (for example monopolist industries vs industries with strong competition). And once you start rolling it out you need to realize that you need to support both the SSI/digital and the ‘traditional’ solutions for quite some time. Other questions that were asked, like should it be blockchain or not, should it be open source, and what is the exact label that it should have, were not further discussed.
Towards the end we realized that timing is a factor, so when this will be realized also depends on the factors above. The general consensus in the group what that between 10 – 15 years a truly working solution should be available. But the question then ofcourse is; how did the world evolve in the mean time? Because the Roblox generation that has grown up online is going to conquer the world quite soon, and they may flip the table on those who still knew a world that existed mainly analogue.
Note: this write-up is a co-creation of Henk Marsman and Jacoba Sieders. It in no means has the pretence to be complete or perfect. It aims to contribute to the developments of SSI understanding and solutions.