Every vault has a key that needs to be secured outside the vault. Role of central entities at the periphery (edges) of SSI ecosystem. Seeking answers to questions faced when presenting SSI to consultants/customers/users.
Every Vault Has A Key That Needs To Be Secured Outside The Vault. Role of Central Entities At the Periphery (Edges) of SSI Ecosystem: Seeking Answers to Questions Faced When Presenting SSI To Consultants/Customers/Users
Session: 10E
Convener: Venu Reddy
Notes-taker(s):
Tags for the session - technology discussed/ideas considered:
- Credential Verification
- Identity Recovery
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Relevance of existing techniques – PKI, central administration.
- For users “identity management is not a primary goal”
- IdM schemes with a novel technological underpinning without improved end-user interaction are unlikely result in widespread use
- Key management remains to be a principal source of concern for users of Bitcoin/Blockchain
- Non-technical users may be alienated by the technology
- When things go wrong these users will be unable to recover resources or reputation attached to lost keys
Credential Verification
- DID resolution to obtain metadata (DID Doc)
- How do we prevent spoofing of meta data?
- Authoritative Issuers
- How does the verifier verify that the Issuer DID belongs to the issuer and the issuer is authorized?
- Governance (Trust over IP - John Jordan and Drummond Reed)
- At run time – the mechanism is likely to be similar to PKI
- Well known DIDs (PKI root certificates) and their metadata known to every agent/wallet
- Credentials (CA certificates) to certify the issuers and their DIDs
- Transitive trust
Concluded that PKI-like mechanism is needed.
Identity Recovery
- Key rotation – prevent key rotation by identity thieves after recovery
- Device transfer/replace a lost device
- 3rd party access (legal, health and other life events) – trigger and
- Portability
- Recovery of a compromised identity
Use of multiple factors can improve security and persistence of recovery
Example
- Two factors to perform any of the above
- Three factors to change the factors themselves
Today, loss of access can be remedied using predefined processes with a fallback where system administrators can potentially intervene.
What is the fallback in case of SSI if identity is irrevocably compromised?
- Suspend the use of the identity
- Revoke credentials
A mechanism external to SSI ecosystem may be needed.
- Controlled manual intervention
- Bank safe deposit access pattern?
No solution can be found. Best case is to use multiple factors. User has the responsibility to secure and keep track of the factors:
- device based factors
- external factors