Self-Sovereign Identity: far more than a digital identity
From the moment Self-Sovereign Identity (SSI) was identified as a possible solution for the new Swiss E-ID, this new technology has moved into the spotlight – even more so following the Decision of the Federal Council of December 17, 2021. It becomes increasingly clear that SSI goes far beyond issuing a digital identity card. It unlocks its full potential in the context of an ecosystem of digital credentials. The federal government has confirmed this in its Discussion paper on the target vision for an e-ID and illustrated the potential by means of three levels of ambition:
- Levels of ambitions (Source: Federal Office of Justice)
Yet how do this technology and this concept now fit into reality?
Scope and participants of our SSI initiative
There is no better way to understand a new technology and assess its potential added value than a real implementation based on representative use cases. Together with SwissSign, the canton of Aargau and the cardossier association, we have therefore launched an initiative aiming to build an exemplary SSI ecosystem. In doing so, we want to lay the foundations for investigating the following questions in more detail and, if possible, answering them:
- Technology: What is the maturity and complexity of SSI in relation to the development and operation of SSI-based solutions? What does the appropriate technology stack look like for the respective application?
- User Experience: How should the user experience (UX) be designed to ensure a high user acceptance and to make the concept of the end-user wallet understandable?
- Business: Which are the added values and possible use cases for our clients acting as issuers or verifiers (service providers) as well as their customers?
- Compliance: Which governance, processes and best practices have to be put in place in order to assure ideal compliance?
The exemplary SSI ecosystem consists of three use cases that build on each other and highlight the issuance and use of digital credentials in the form of SSI Verifiable Credentials (VC).
These are the three use cases reflecting the levels of ambition illustrated above:
1. Issuing a basic identity or basic ID on the grounds of a SwissID: A number of users had the opportunity to test our SSI initiative hands-on with a verified SwissID account. In use case 1, users logged in to the SwissID portal with their productive SwissID login. On the portal, users are visually guided – from the installation of a suitable wallet to the issuance and storage of the basic ID as a verifiable credential on the smartphone.
2. Issuing a certificate of residence in the eGov portal: Using the basic ID created in step 1, the user logs in to the eGov portal of the canton of Aargau. The login is done by SSI and requires e-mail, last name and first name from the basic ID. The other data of the basic ID is not disclosed. The eGov portal can trust the data of the basic ID and verify it. The data is used to load a residential address for the person from the system. The user can then store the residential address as a verifiable credential in his mobile wallet. At the end of use case 2, the user has a basic ID and the residential address is stored in his wallet.
3. Initiating a temporary traffic authorization on the cardossier portal: The registration of a car involves many players such as the policyholder, the insurance company, the garage and, of course, the road traffic authority. In addition, there are many formalities associated with it. The goal of this use case is to facilitate the registration of a vehicle by providing the cardossier platform with the identity and certificate of residence of the policyholder as verifiable credentials. cardossier then automatically carries out the further registration steps together with the relevant insurance company and the road traffic authority.
- Use case overview of the SSI Initiative
What have we implemented so far and how?
Use cases 1 and 2 were implemented in an agile approach within six weeks in the summer of 2021. The project partners were actively involved in the design, implementation, and evaluation. They were able to gain hands-on experience, unfiltered insights, and take the pulse of the project during weekly sprint reviews.
The use of productive data and the connection of productive systems reflect realistic framework conditions, making it possible to reveal conceptual and technical weaknesses.
Thanks to the support of publicly available wallets (esatus, Trinsic and Lissi), we were able to easily onboard test subjects and assess the maturity of products on the market, which is key to the success of an SSI-based ecosystem.
Using open-source components (Hyperledger Indy and Aries) for use case 1 and products (esatus SOWL) for use case 2 helped us to dive deep into (and understand) the technology as well as assess the added value of the products.
Usability testing with end users completed the project and allowed us to measure user acceptance of the solution.
The following video shows the different steps of use cases 1 and 2, for which the Trinsic Wallet was used:
Instructional implementation and pointed insights
The SSI initiative allowed us to gain the following important positive insights into the issues mentioned above:
- The test users felt very positive about having control over their own data and appreciated the transparency of the process.
SSI enables new paradigms in terms of data protection in the development of applications:
- For example, a service provider no longer needs to store user data, but can request it from the user as needed. Thus, he can more easily meet his GDPR obligations regarding data minimization.
- Use of so-called Zero Knowledge Proofs: For example, the user can prove that he or she is resident in the canton of Aargau without providing his or her home address.
- Integration with existing IdP infrastructures via the well-known protocols (such as OIDC or SAML) is easily possible.
- The publicly available wallets, the commercial SSI solution and the open-source components are compatible.
- Established compliance processes such as Key Ceremony can also be used in the SSI context.
- The trust levels of existing digital credentials can be transferred to new verifiable credentials.
On the other hand, negative aspects also emerged:
- SSI is a challenge in terms of UX because it requires many interactions between the browser and the smartphone and, as a consequence, the user.
- The wallets available on the market are more about technical demonstration than user friendliness, which many test users criticized.
- As a distributed system, SSI comes with a certain complexity and requires a basic understanding of the cryptographic protocols used.
- The identification of the individual service providers as verifiers has not yet been fully resolved.
- When choosing the distributed ledger (blockchain) to use, interoperability with the software stack used must also be considered in addition to governance aspects.
In early 2022, use case 3 will go live with cardossier. It will demonstrate the possibility of combining two verifiable credentials (basic ID and certificate of residence) and using them in a digitalized process. In this process, the wallet serves as a kind of «integration tongs» and enables data minimization, since only relevant data from the two verifiable credentials is disclosed.
Join our initiative
Due to the promising results, we would like to extend the initiative to other use cases, on the one hand to apply the issued credentials in other business contexts, and on the other hand to deepen the interoperability and governance aspects, which are particularly critical in the context of a larger ecosystem.
We are therefore opening the initiative to other players interested in completing our ecosystem and enriching it with use cases, so that together we can better leverage the potential of SSI in Switzerland.
Get in touch to find out more!