Q1. What are your plans going forward?
We plan to specify a reference model for development based on the described identity architecture and continue to develop prototypes across a range of platforms. To assess feasibility and market potential, we will conduct a representative field trial deploying digital business cards to members of a web service who use them to log into the service and securely collaborate with one another. We are seeking partners and investors to support our project.
Q2. What critical problems do you address?
The Internet does not have a reliable identity layer with common interfaces, protocols and data structures that all users and providers can intuitively and easily use. As a result, identity provisioning and authentication on the web consists of a patchwork of identity and logon schemes using web browsers. Web browsers have latent weaknesses; users maintain countless online profiles and passwords, many of them weakly specified or reused; service providers are obliged to constantly reset forgotten passwords; and online accounts are named using email addresses that specify personally identifying information. No wonder today’s identity schemes are being actively exploited to penetrate web sites, compromise privacy, steal identities, impersonate and commit fraud on a large scale. Continuing to patch the current identity ecosystem is more likely to worsen security and privacy problems than solve them.
Q3. How are these problems being addressed?
Sovereign Image’s identity architecture organically builds an identity layer for device owners by progressively deploying interoperable identity agents (“apps”) that act in the best interests of their owners. Identity agents are verifiably controlled by device owners, collaborate by means of the Internet’s transport layer, and are trustworthy. The architecture implements these capabilities by uniquely combining authentication, identity virtualization, cryptography, and identity proofing. Authentication data is encapsulated enabling device owners to tightly control their private and identifying information. Digital identities are virtualized versions of identities commonly used in the physical world. Digital identities have cryptographic keys enabling them to cryptographically protect, secure and bind pertinent digital artifacts. Identity proofing and attestation conducted in-person or online, possibly assisted by teleconferencing, elevates identity assurances for relying parties. Owner control is verified by conducting proof-of-existence, proof-of-possession and proof-of-custody challenges.
Q4. What features distinguish the architecture?
Device owners can create “self-sovereign digital identities” that have the look and feel of physical credentials. For example, identity agents can render and manage virtualized business cards, health cards, corporate identity cards, driver’s licenses, banking cards, and other such credentials. They are more intuitive to use than passwords for proving identity and deciding what private information to disclose. User frustration and friction is reduced because users can maintain their identifying and private information on their personal devices rather than maintaining user profiles across countless websites. Identity agents exploit native authentication mechanisms of the owner’s device ensuring that owners tightly control their digital identities. Digital identities of the owner are securely stored in the owner’s digital wallet while digital identities acquired from other owners are stored in the owner’s list of contacts. Every digital identity has public-private encryption keys used to sign, encrypt and digitally seal artifacts including digital identities and consent tokens. Owners can use their identity agents to elevate identity assurances by leveraging in-person and/or online identity-proofing, and attesting and digital sealing the digital identities of other owners. Online proofing is enhanced when conducted by way of audio-video conferencing. Furthermore, they can leverage our adapted Diffie-Hellman method to safely exchange digital identities, use a proof-of-existence registry to verify acquired digital identities, and conduct proof-of-possession and proof-of-custody challenges when presented digital identities. Collectively, these features enable identity agents to reliably prove their identities, detect impersonation, protect their identifying and private information, securely collaborate, and reliably delegate consent.
Q5. What capabilities does the architecture deliver?
- Identity agents enable owners to control their private and identifying data by exploiting authentication data [Q6]
- Digital identities use an identity data model to specify identifiers, attributes (claims) and images [Q7]
- Digital identities have multiple public/private keys for reliably signing, encrypting and digitally sealing artifacts [Q8]
- Owners can use their identity agents and digital identities to secure private data stored locally and remotely [Q9]
- Owners can meet in-person and use their identity agents to exchange digital identities directly [Q10]
- The Diffie-Hellman key agreement method has been adapted for exchanging digital identities securely [Q11]
- Identity agent owners can transition from using passwords to using digital identities to access web services [Q12]
- Owners can use their identity agents and digital identities to secure transactions end-to-end [Q13]
- Identity agents verify owner control of digital identities via proof-of-possession and custody challenges [Q14]
- Identity-proofing, attestations and digital seals elevate identity assurances for relying parties [Q15]
- Digital seals affixing attestations to digital artifacts elevates non-repudiation strength over digital signature [Q16]
- Identity agent owners can register and verify digital identities using a proof-of-existence registry [Q17]
- Owners can use their digital identities to secure transactions when using collaborative application services .
Q6. How is control over digital identity achieved?
Identity agents decentralize identity by shifting responsibility and control over identity and privacy from web services to users without diminishing the essential transactional purpose of web browsers. Identity agents achieve sovereign control over an owner’s digital identities by encapsulating owner authentication data and using an application programming interface to expose this data to the device’s authentication mechanism(s). By capturing and controlling locally enrolled biometric minutia and PIN(s), the device owner is strongly bound to her device, identity agent, digital identities, consent tokens and other private data. Tight owner control potentially eliminates the need for remote access passwords and avoid risks associated with maintaining authentication data (e.g. biometrics) on web servers. Identity agents thereby establish a reliable channel between the device owner and collaborating web services and users they trust. Identity agents also elevate identity assurances and control for owners by way of verifying existence, possession and custody of digital identities, identity proofing and attestation, helping owners assess risk and trust levels, assisting them to decide what private and identifying data to disclose, and minimizing private information leakage (see [Q19]).
Q7. How are digital identities structured?
Similar in certain respects to the W3C Verifiable Credentials and ABC4Trust models, digital identities created by identity agents leverage an identity data model to specify identifiers, attributes (claims) and images (photos, logos) for the owner. Identifiers can specify legal names, globally distinct values (see W3C DID), unique values across a given context, or pseudonyms. Anonymous browsing can be achieved using digital identities that specify no identifying information. Identity agents warn and assist owners when deciding which digital identities and private data to disclose.
Q8. How are encryption mechanisms exploited?
When a new digital identity is needed, the owner’s identity agent creates a master copy (the “sovereign image”) which specifies the digital identity’s attributes plus allocated public/private encryption key-pairs: a signing/verifying key-pair; a decrypting/encrypting key-pair; and an embossing/inspecting key-pair used to create and verify digital identities. By controlling the owner’s authentication data, identity agents control and protect the sovereign image, including attributes, images and key-pairs, from tampering. The owner’s private keys are not revealed to other parties. However, identity agents can disclose “public copies” of digital identities to relying parties, that is, selected attributes and images and public keys (only) of the digital identity.
Q9. How do digital identities protect private data?
An owner can direct her identity agent to use the public encryption key of a selected digital identity of the owner to encrypt sensitive data including private and identifying information. This data can be stored locally and/or remotely and can be decrypted by the owner (only) using the paired private decryption key.
Q10. How are digital identities exchanged securely?
To prevent man-in-the-middle and impersonation attacks, digital identities need to be securely exchanged between collaborating identity agent owners. Only the public copies of digital identities are exchanged. Owners can use their identity agents to securely exchange digital identities between their devices directly (e.g. using NFC). They can also securely exchange them online using our adapted Diffie-Hellman key exchange method [Q11]. When acquiring the pubic copy of a digital identity, it is stored in the recipient’s list of contacts.
Q11. How has Diffie-Hellman been adapted?
Collaborating owners can use their identity agents to leverage the Diffie-Hellman key agreement method to securely exchange digital identities. Their identity agents first store the public keys of the digital identity they wish to exchange in a digital identity exchange service at locations determined by hashing identifiers they have each specified. They then securely exchange these identifiers out-of-band, hash them, and retrieve the public keys of the other owner from the exchange service. Next, they apply the Diffie-Hellman key exchange method, combining their own private keys with the public keys of the other owner thereby creating the same symmetric key for each owner. Finally, they apply the symmetric keys to securely exchange their digital identities, end-to-end. The adapted Diffie-Hellman method ensures identifiers, attributes, images and public keys of owners are not revealed when exchanged.
Q12. Can digital identities replace passwords?
Potentially yes. If a given web service has an installed identity agent, a user with legacy account/password access to a web service can use her identity agent to present one of her digital identities to the identity agent of the web service. If found acceptable, she can subsequently use her identity agent to present her digital identity to log in rather than entering her password, thereby transitioning from password to digital identity usage.
Q13. How do digital identities secure transactions?
Having securely exchanged digital identities, owners can use their identity agents to secure transactions and messages, end-to-end. When sending, the private signing key of the sender’s digital identity is used to digitally sign the transaction, and the public encrypting key of the recipient’s digital identity is used to encrypt the transaction. When receiving, the private decrypting key of the recipient’s digital identity is used to decrypt the transaction, and the sender’s public verification key is used to verify the digital signature.
Q14. How is verifiable owner control achieved?
When online, an identity agent receiving a digital identity presented by another owner can verify that the originating identity agent controls her digital identity by conducting a cryptographic proof-of-possession challenge. Additionally, the receiving identity agent can verify that the originating owner controls her identity agent by sending a proof-of-custody challenge (remote demand to authenticate) to the identity agent of the originating owner. The originating identity agent re-authenticates the owner, sending a success or failure notification to the receiving identity agent. Verifiable control is achieved if both the proof-of-possession challenge and the proof-of-custody challenge are successful.
Q15. How are identity assurances elevated?
Owners can use their identity agents to proof, attest and digitally seal the digital identities of other owners. The requesting owner submits a digital identity and identifying information to the attesting owner (a.k.a. issuer). They may meet in-person or online, possibly using a web conferencing tool. If the attester successfully identity-proofs the requester, the attester uses his identity agent to affix an attestation (e.g. “proofed”) to the requester’s digital identity by means of a digital seal. The digital seal is created by using a pre-determined sealing image and the private embossing key of the attester’s digital identity. The action of creating a digital seal and using it to affix an attestation elevates identity assurances associated with the requester’s digital identity. Relying parties can acquire the attester’s digital identity and use the public inspection key of the attester to verify the digital seal and attestation. Multiple parties can proof, attest and digitally seal the digital identity of a requester thereby incrementally elevating identity assurances for relying parties.
Q16. How do digital seals enhance non-repudiation?
The identity agent of an issuing owner can apply the private embossing key of a selected digital identity to create a digital seal that cryptographically affixes an attestation to a digital identity, a consent token or some other digital artifact. A relying identity agent having a public copy of the issuer’s digital identity can use the public inspection key to verify that the issuer must have digitally sealed and attested the artifact. Digital sealing elevates non-repudiation strength over traditional digital signature because identity agents exploit native authentication mechanisms binding owners to their devices. This ensures that an owner is tightly bound to her digital identity and embossing key when used to cryptographically bind the issuer’s identity and attestation by means of a digital seal. A relying identity agent can obtain objective proof that the issuer controlled her private embossing key when affixing a digital seal and attestation by launching proof-of-possession and proof-of-custody challenges. Potentially these properties of digital seals may satisfy eIDAS guidelines at an elevated level.
Q17. How is proof-of-existence leveraged?
Owners can use their identity agents to register their digital identities in a proof-of-existence registry. The registry initially conducts proof-of-possession and proof-of-custody challenges when verifying a registering owner. If successfully verified, the owner’s identity agent hashes the digital identity to be registered, digitally seals the hash, and submits the resulting record including digital seal to the registry for retention in the registry’s repository. A party acquiring a digital identity from another owner can use her identity agent to search the registry to verify whether the digital identity is registered. Attributes of registered digital identities will not be revealed if the registry is hacked because registry records are hashed.
Q18. How are identities and services integrated?
When launching a collaborative application service like email, text messaging, or video conferencing, the identity agent of the owner launching the service selects a suitable digital identity from her digital wallet to identify herself, and a digital identity of the owner with whom she wishes to collaborate from her list of contacts. When one of the owners originates a message, the identity agent of the originating owner uses designated keys held by their digital identities to sign and encrypt the message and create a digital fingerprint, sending this data to the receiving owner’s identity agent. The identity agent of the receiving owner uses designated keys held by their digital identities to decrypt the received message, verify the digital signature, and verify the received fingerprint, delivering the decrypted message to the application service of the receiving owner if successfully verified.
Q19. What improvements are planned?
We plan to progressively extend and optimize identity agent features and capabilities by applying formal software engineering methods and open source development to increase trustworthiness; leveraging trusted platform modules, trusted execution environments and trust zones; exploiting artificial intelligence and machine learning to optimize decision making (see Tomko regarding the potential of Intelligent Agents); adopting methods for avoiding privacy correlation and linkability (see W3C Verifiable Credentials and ABC4Trust); and adopting elements of the Signal messaging protocol including ephemeral keys and Signal’s ratchet protocol (see Analysis of Signal Messaging Protocol).
Q20. How will the architecture be rolled out?
The approach we plan to adopt will be to start by fielding a basic version of the architecture, iteratively building in architectural capabilities and improvements driven by what we learn. Motivated by the work of Asokan et. al., digital identities nominally have three public/private key-pairs, each for designated purposes. To simplify matters, we plan to initially specify a single key-pair per digital identity. To increase cryptographic strength, additional key-pairs allocated to the designated purposes will be subsequently integrated. Identity agents will initially bind their owners by way of a local PIN. Native biometric authentication mechanisms and data will be integrated into the solution in stages. The Diffie-Hellman identity service for securely exchanging digital identities and the proof-of-existence identity registry for verifying acquired digital identities will be incorporated thereafter.