Architecture

Agents — Identities — Seals — Collaboration

Notarizing–Proofing–Delegating–Prototype

Identity Agents

The architecture consists of identity agents installed on user and provider devices. They deploy digital identities for device owners and act in the owners' best interests. An owner can direct their identity agent to conduct incognito (anonymous or pseudonymous) web browsing and content sharing, or to use selected digital identities to secure user-to-user messaging and user-to-provider (online) transactions. Identity agents capture authentication data (passwords, PINs, biometrics), strongly binding the owner to the encapsulated digital identities and thus rendering them verifiably owner-controlled (self-sovereign). Identity agents use digital identities, digital seals and identity proofing to secure transactions and private data, notarize documents, and delegate consent.

Digital Identities

Mimicking the physical credentials “in your wallet”, digital identities are intuitive and easy to use. Digital business IDs, medical IDs, driver's licenses, passports, bank IDs, and other such IDs can be created. Each digital identity has owner-specified properties including an identifier, a user image, a “sealing image”, an expiry date, attributes, and three (3) private/public key pairs: embossing/inspecting, signing/verifying, and encrypting/decrypting. The keys are used to identify and authenticate owners, to emboss and inspect (verify) digital seals, and to secure (sign/encrypt) transactions. The “sovereign copy” of a digital identity is tightly controlled by the owner. “Public copies” inherit the owner-specified properties and the public keys but not the private keys. Public copies are used to identify and authenticate the owner when presented. Custom digital identity containers can be created to brand digital identities across customer and user groups. Pseudonymous and anonymous IDs can be created for incognito browsing and content sharing.

Digital Seals and Attestations

A digital seal is like a physical seal affixed to a document by a notary using an embosser. A digital seal includes a “sealing image”, an attestation, an issue date, a digital identity identifier, an artifact identifier, and a digital [seal] signature. An identity agent owner can use the [private] embossing key and sealing image of a digital identity to create a digital seal that affixes an attestation to a digital artifact, binding together the owner, the attestation and the artifact. The public inspection key of the owner’s public copy verifies the digital signature. Digital seals can be used as follows:

Digital identities and public copies are self-sealed when created. Upon receipt, self-seals affixed to public copies are verified.

Exchanging public copies and cross-sealing digital identities builds a “web of mutual trust” among collaborating owners.

Notaries digitally sealing documents certify them. Identity-proofers sealing digital identities elevate identity assurances.

Data owners, custodians and requesters digitally seal and attest delegated consent tokens controlling their mutual commitments.

Secure Collaboration

Exchanging — Identifying — Authenticating

To establish a secure channel, two owners use their identity agents to exchange public copies of their digital identities. If each owner agrees that the identifying information disclosed by the other's public copy serves the intended purposes, the inspecting keys are used to authenticate (verify) the affixed self-seals. If authentication succeeds, the public copies are cross-sealed using the owners’ sovereign copies, returned, and thereby “registered”. The returned cross-seals are attached to the owners' sovereign copies.

Exchanging Public Copies: Identity agents can safely exchange public copies for their owners in person using private WiFi and Near Field Communication (NFC). When man-in-the-middle (MITM) risk is low, proof-of-existence (PoE) can be used to verify public copies exchanged person-to-person via email and SMS. When MITM risk is significant, Diffie-Hellman (D-H) key agreement can be used to exchange public copies securely. HTTPS can be used to exchange public copies securely between users and providers.

Authenticating Public Copies: The self-seal affixed to a received public copy is verified using the inspecting key carried by that public copy. Proof-of-possession (PoP) testing verifies that the originating identity agent holds the embossing key used to self-seal the received public copy. Proof-of-custody (PoC) demands are issued by receiving identity agents to verify that originating owners actually control their digital identities.

Collaborating Securely: Having successfully exchanged public copies, identity agents use the signing/verifying and encrypting/decrypting keys of their owners' digital identities to collaborate securely. When sending, the signing key of the sender’s sovereign copy is used to digitally sign payloads, and the encrypting key of the receiver’s public copy is used to encrypt them. When receiving, the decrypting key of the receiver’s sovereign copy is used to decrypt payloads, and the verifying key of the sender’s public copy is used to verify them.

Notarizing Documents

Consider a notary public certifying a customer’s identifying document in person. The customer uses the embossing key of a selected digital identity to digitally seal her document. The notary public then uses the inspecting key of the customer’s public copy to verify the digital seal. Finally, the notary public uses the embossing key of his own digital identity to digitally seal (“notarize”) the document. Other owners can verify the notarizing seal by obtaining the notary’s public copy and applying its inspecting key to verify the digital [seal] signature.

Identity-Proofing

Owners can use their identity agents to proof, attest and digitally seal each other’s digital identities. A requesting owner seeking to elevate identity assurances submits a public copy of her digital identity plus an identifying document to an “identity-proofer”. If the identity-proofer agrees that the identifying document represents the requester, his identity agent uses the embossing key of his sovereign copy to affix his digital seal to her public copy. Her digitally sealed public copy and the proofer’s public copy are returned to her identity agent, which applies the digital seal to her sovereign copy, thereby elevating the associated identity assurances. Other owners can use their identity agents to verify the digital seal by obtaining the identity-proofer’s public copy and inspection key. Multiple seals affixed to a digital identity establish a “web of mutual trust”.

Delegating Consent

In contrast to server-centric consent models, the architecture decentralizes access to private data of owners by circulating consent tokens digitally sealed by stakeholders attesting to their commitments. Resource owners use consent tokens to reliably grant and expire access to their private resources. Custodians hosting a given owner’s resources use consent tokens to clear and terminate access to the resources. Requesters present access tokens to custodians to access (read, write, update) resources. Consent tokens are archived for audit.

Proof-of-Concept Prototype

The proof-of-concept prototype illustrates identity agents creating, exchanging and using digital identities; creating and verifying digital seals; mutually identifying and authenticating owners; securing messages, transactions, and private information; notarizing documents; identity-proofing owners; and delegating consent to access private information. The prototype software was developed with HTML, CSS, JavaScript, JSON, and node.js.