Q1. What are your priority goals and plans?
Sovereign Image has created an identity architecture that satisfies the principles of privacy by design while delivering digital identities that are intuitive and easy to use. We believe these features will significantly facilitate technology adoption. Rather than using passwords to remotely authenticate, our agent-based identity architecture deploys digital identities to consumers and providers that they control and use to prove who they are – whether meeting face-to-face or collaborating online. Owners can also use their digital identities to protect private data, secure transactions, elevate identity assurances, and delegate consent to access private data. Prototypes have been developed on popular Internet-enabled devices to evaluate selected capabilities. A reference model for open source development is planned. To assess feasibility and market potential, a representative field trial leveraging existing standards and tools will be conducted [Q18]. We are seeking partners and investors.
Q2. What critical problems are addressed?
The Internet does not have an identity layer offering common data structures, protocols and interfaces that web users and web services can use to consistently and accurately identify each other. As a result, identity provisioning and verification on today’s web consists of a server centric patchwork of authentication schemes. These schemes rely on web browsers characterized by burgeoning complexity leaving them vulnerable to attack. Users are obliged to maintain countless online profiles and passwords, many of them weakly specified and/or reused. Service providers are constantly resetting forgotten passwords. Online accounts are routinely named using email addresses specifying identifying information. No wonder web sites are routinely compromised, identifying information is stolen, users are impersonated, and fraud is escalating. Continuing to patch the current identity ecosystem is more likely to worsen these problems than solve them.
Q3. How are these problems addressed?
The identity architecture addresses these problems holistically by deploying identity agents (software apps) and digital identities that are verifiably owner-controlled and identity-assured [Q5, Q13]. A virtual identity layer is progressively constructed by owners as they install identity agents on their devices and grow the network. Each identity agent compartmentalizes identity handling for the owner, provides a common user interface, uses the transport layer to interoperate with other identity agents, and exposes application programming interfaces used to integrate browsers, client-side apps, and web services. Identity agents thereby off-load browsers, applications and web services from these responsibilities, complexities and risks (see [Q19] re. trustworthiness).
Identity agents leverage public/private encryption keys allocated to digital identities to remotely authenticate other owners thereby enabling them to achieve elevated binding strength compared to password-based schemes. These cryptographic capabilities are also used to verify that owners control their digital identities. Because owners can use their identity agents to specify and update their digital identities in situ, they avoid the frustration of maintaining countless identities and passwords across the web (see [Q19] re. backup and escrow). Identity agent owners can also proof and attest the digital identities of other owners to elevate associated identity assurances. The reference model will specify the requisite data structures, interfaces and protocols needed to support open source software development across a range of computing platforms.
Q4. How is technology adoption facilitated?
Technology adoption has been facilitated by baking usability, privacy and security into the architecture. Consumers and providers use their identity agents to create “self-sovereign digital identities” that have the look and feel of physical credentials held in one’s wallet. With the assistance of their identity agents, owners can safely exchange and use their digital identities to collaborate in-person and online. An identity agent owner can render virtualized business cards, health cards, driver’s licenses, traveler cards, banking cards, and other such digital identities. An owner can also create and affix virtualized seals to digital identities and other artifacts to show that she has attested, endorsed, approved, notarized, or otherwise qualified the artifact. Virtualization helps her decide which digital identities and seals to use for given purposes.
Digital identities and digital seals are more intuitive to use than passwords when launching a remote web service or when connecting with another user. For example, an owner can use her smartphone to display her digital business card to another person to demonstrate who she is. She can exchange digital business cards with him, subsequently using their digital business cards to securely collaborate, and endorse him by applying a digital seal to his digital business card thereby elevating identity assurances associated with his card. To cloak her identity, she can create and use a pseudonymous credential when browsing web sites. When requesting her physician to provide evidence that she has been vaccinated, he can use a digital seal to affix an attestation to her digital traveler card. When using her digital banking card to access her account, the banking system verifies that the bank’s digital seal has been affixed to her card. The motor vehicle department having proofed her identity when issuing her a digital driver’s license enables her to use her digital driver’s license to digitally seal one of her other digital identities thereby elevating associated identity assurances.
Q5. How is control over digital identity exerted?
Identity agents decentralize identity by shifting responsibility and control over identity and privacy from web services to users without diminishing the essential transactional purpose of web browsers. Identity agents achieve sovereign control over an owner’s digital identities by encapsulating owner authentication data and using an application programming interface to expose this data to the device’s authentication mechanism(s). By controlling locally enrolled biometric minutia and PIN(s), the device owner is strongly bound to her device, identity agent, digital identities, consent tokens and other private data. Tight owner control potentially eliminates the need for remote access passwords and avoid risks associated with maintaining authentication data (e.g. biometrics) on web servers. Identity agents thereby establish a reliable channel between the device owner and collaborating web services and users they trust. Identity agents also elevate identity assurances and control for owners by verifying digital identity existence, possession and custody; proofing and attesting digital identities; helping owners assess risk and trust levels; helping them to decide what private and identifying data to disclose; and minimizing private information leakage (see [Q19]).
Q6. How are digital identities structured?
Similar in certain respects to the W3C Verifiable Credentials and ABC4Trust models, digital identities created by identity agents leverage an identity data model to specify identifiers, attributes (claims) and images (photos, logos) for the owner. Identifiers can specify legal names, globally distinct values (see W3C DID), unique values across a given context, or pseudonyms. Anonymous browsing can be achieved using digital identities that specify no identifying information. Identity agents warn and assist owners when deciding which digital identities and private data to disclose.
Q7. How are encryption mechanisms exploited?
When a new digital identity is needed for a given purpose, the owner’s identity agent creates a master copy known as the “sovereign image” specifying requisite attributes, images and public/private key-pairs. Public copies of sovereign images include only the public keys. Motivated by the work of Asokan et. al., each digital identity has a signing/verifying key-pair; a decrypting/encrypting key-pair; and an embossing/inspecting key-pair. An owner’s identity agent protects her sovereign images from tampering by other parties. Under the direction of the owner, an identity agent can disclose “public copies” of digital identities including the public keys (but not the private keys) to relying parties.
Q8. How do digital identities protect private data?
An owner can direct her identity agent to use the public encryption key of a selected digital identity of the owner to encrypt sensitive data including private and identifying information. This data can be stored locally and/or remotely and can be decrypted by the owner (only) using the paired private decryption key.
Q9. How are digital identities exchanged securely?
To prevent man-in-the-middle and impersonation attacks, digital identities need to be securely exchanged between collaborating identity agent owners. Only the public copies of digital identities are exchanged. Owners can use their identity agents to securely exchange digital identities between their devices directly (e.g. using NFC). They can also securely exchange them online using our adapted Diffie-Hellman key exchange method [Q10]. When acquiring the pubic copy of a digital identity, it is stored in the recipient’s list of contacts.
Q10. How has Diffie-Hellman been adapted?
Collaborating owners can use their identity agents to leverage the Diffie-Hellman key agreement method to securely exchange digital identities. Their identity agents first store the public keys of the digital identity they wish to exchange in a digital identity exchange service at locations determined by hashing distinct identifiers each owner has specified. They then securely exchange these identifiers out-of-band, hash them, and retrieve the public keys of the other owner from the exchange service. Next, they apply the Diffie-Hellman key exchange method, combining their own private keys with the public keys of the other owner thereby creating the same symmetric key for each owner. Finally, they apply the symmetric keys to securely exchange their digital identities, end-to-end. The adapted Diffie-Hellman method ensures identifiers, attributes, images and public keys of owners are not revealed when exchanged.
Q11. Will digital identities replace passwords?
Potentially yes. If a given web service has an installed identity agent, a user with legacy account/password access to a web service can use her identity agent to present one of her digital identities to the identity agent of the web service. If found acceptable, she can subsequently use her identity agent to present her digital identity to log in rather than entering her password, thereby transitioning from using a password to using a digital identity.
Q12. How do digital identities secure transactions?
Having securely exchanged digital identities, owners can use their identity agents to secure transactions and messages, end-to-end. When sending, the private signing key of the sender’s digital identity is used to digitally sign the transaction, and the public encrypting key of the recipient’s digital identity is used to encrypt the transaction. When receiving, the private decrypting key of the recipient’s digital identity is used to decrypt the transaction, and the sender’s public verification key is used to verify the digital signature.
Q13. How is verifiable owner control achieved?
When online, an identity agent receiving a digital identity presented by another owner can verify that the originating identity agent controls her digital identity by conducting a cryptographic proof-of-possession challenge. Additionally, the receiving identity agent can verify that the originating owner controls her identity agent by sending a proof-of-custody challenge (remote demand to authenticate) to the identity agent of the originating owner. The originating identity agent triggers owner re-authentication, sending a success or failure notification to the receiving identity agent. Verifiable control has been achieved if both the proof-of-possession and the proof-of-custody challenges are successful.
Q14. How are identity assurances elevated?
Owners (users and providers) can use their identity agents to proof, attest and digitally seal each other’s digital identities. The requesting owner submits a digital identity and identifying information to the attesting owner (a.k.a. issuer). They may meet in-person or online and possibly use a web conferencing tool. If the attester successfully identity-proofs the requester, the attester uses his identity agent to affix an attestation (e.g. “proofed”) to the requester’s digital identity by means of a digital seal. The digital seal is created by using a pre-determined sealing image and the private embossing key of the attester’s digital identity. The action of creating a digital seal and using it to affix an attestation elevates identity assurances associated with the requester’s digital identity. Relying parties can acquire the attester’s digital identity and use the public inspection key of the attester to verify the digital seal and attestation. Multiple parties can proof, attest and digitally seal the digital identity of an owner thereby incrementally elevating associated identity assurances.
Q15. How do digital seals enhance non-repudiation?
The identity agent of an issuing owner can apply the private embossing key of a selected digital identity to create a digital seal that cryptographically affixes an attestation to a digital identity, a consent token or some other digital artifact. A relying identity agent having a public copy of the issuer’s digital identity can use the public inspection key to verify that the issuer must have digitally sealed and attested the artifact. Digital sealing elevates non-repudiation strength over traditional digital signature because identity agents exploit native authentication mechanisms binding owners to their devices. This ensures that an owner is tightly bound to her digital identity and embossing key when used to cryptographically bind the issuer’s identity and attestation by means of a digital seal. A relying identity agent can obtain objective proof that the issuer controlled her private embossing key when affixing a digital seal and attestation by launching proof-of-possession and proof-of-custody challenges. Possibly, these properties of digital seals can satisfy eIDAS guidelines.
Q16. How is proof-of-existence conducted?
Owners can use their identity agents to register their digital identities in a proof-of-existence registry. The registry initially conducts proof-of-possession and proof-of-custody challenges when verifying a registering owner. If successfully verified, the owner’s identity agent hashes the digital identity to be registered, digitally seals the hash, and submits the resulting record including digital seal to the registry for retention in the registry’s repository. A party acquiring a digital identity from another owner can use her identity agent to search the registry to verify whether the digital identity is registered. Attributes of registered digital identities will not be revealed if the registry is compromised because registry records are hashed.
Q17. How are identities and services integrated?
When launching a collaborative web service such as email, text messaging, or conferencing, the identity agent of the owner launching the service selects a suitable digital identity from her digital wallet to identify herself, and a digital identity of the owner with whom she wishes to collaborate from her list of contacts. When sending a message, the identity agent of the sending owner uses a designated key of her digital identity to sign the message; uses a designated key of the public copy of the receiving owner’s digital identity to encrypt the message; creates a digital fingerprint; and forwards this data packet to the receiving owner’s identity agent by way of the web service. The identity agent of the receiving owner uses a designated key of his digital identity to decrypt the received message; uses a designated key of the public copy of the sender’s digital identity to verify the digital signature; verifies the received fingerprint; and releases the decrypted message to the recipient if the fingerprint is successfully verified.
Q18. How will feasibility be assessed?
We will conduct a representative field trial where members of a web service use digital identities to collaborate with each other and log into the web service. Members will have identity agents used to enroll a PIN to locally authenticate and a passphrase to encrypt digital identities and private keys. Each digital identity will initially specify a single key-pair. Public copies of digital identities will be exchanged using an HTTPS web service. Signed and encrypted messages will be exchanged by way of a messaging service or a share area supported by the web service.
Q19. How can the technology be hardened?
Risks can be reduced by off-boarding private keys, digital identities and other sensitive data to flash drives and smart cards – such devices can also be used to enable backup and escrow; formal software engineering methods can be applied to increase trustworthiness; trusted platform modules, secure enclaves, and trusted execution environments can be exploited to protect an owner’s identity agent, digital identities and private keys from malware; data correlation and linkability risks threatening privacy can be introduced (see W3C Verifiable Credentials and ABC4Trust); quantum computing risks can be countered by lengthening encryption keys and rotating ephemeral keys countered by lengthening encryption keys and rotating ephemeral keys (see Analysis of Signal Messaging Protocol).
Q20. Can blockchain technology be exploited?
Potentially, the properties of distributed ledger (blockchain) technology (e.g. immutability, provenance) can be exploited to facilitate digital identity discovery and distributing proof-of-existence registries. Public DLT is appropriate for posting public copies of digital identities of branded sites as well as those of users electing to disclose essential information (only) to the public. Public DLT can be used to safely distribute proof-of-existence registries since registered data is hashed. Enterprises should deploy permissioned DLTs to limit the discovery of designated public copies of digital identities controlled by enterprise users and providers.