[DG-BSC] Fwd: Questionnaire for the Sovrin Foundation for the BSC report

Eve Maler eve.maler at forgerock.com
Sun Oct 23 18:44:00 CDT 2016

Hi folks-- Following is the material I was supplied by the Sovrin
Foundation folks in answer to the questionnaire. Hopefully we can use this
as a discussion topic on the next call (unless there's a more pressing set
of material ahead of it).

*Eve Maler* ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
*The ForgeRock Identity Summit* is coming to <http://summits.forgerock.com/> *Paris in November!*

---------- Forwarded message ----------
From: Eve Maler <eve.maler at forgerock.com>
Date: Sun, Oct 23, 2016 at 4:42 PM
Subject: Re: Questionnaire for the Sovrin Foundation for the BSC report
To: Phil Windley <phil at windley.org>

Belated ack/thanks for this! I'm going to send it to our DG for question
and comment as we work through it. What we publish may be a combination of
quoted sections, paraphrases, commentary, and so on, and since we do our
work in the open anyway, of course we'll invite and welcome comment back on
the draft.


On Fri, Oct 14, 2016 at 8:30 AM, Phil Windley <phil at windley.org> wrote:

> Here’s some answers to the questionnaire. Let me know if something doesn’t
> make sense or needs more explanation.
> *Deficits and benefits of how the problem space was/is being solved*
> The Internet was built without a standard, explicit way of identifying
> people or organisations. So websites simply began offering their own local
> accounts with usernames and passwords, and this has been the predominant
> solution ever since.
> But the Internet has expanded hugely, and people use more and more
> services daily. This silo-based approach, where users must maintain
> identities for every site they interact with, has become untenable. It is
> not just a usability disaster for individuals, it also creates a multitude
> of data honeypots for hackers—the breach of which compromises trust in all
> Internet services.
> To solve this problem we have tried to connect different identity silos
> together in various federated models. However these have produced
> inadvertent side effects such as concentrating control around a small
> number of providers, correlation of personal data through multiple
> seemingly unrelated transactions, increasing data leakage through
> inadvertent sharing, and raising privacy concerns, all while not actually
> giving the individual real control. At the same time, there is a growing
> economic inefficiency when organisations all around the world have to
> collect, store and protect the same sort of personal data in their own
> silos. It is reaching a tipping point.
> The next evolution of the Internet will be the creation of a common
> identity layer that allows people, organisations and things to have their
> own self-sovereign identity—a digital identity they own and control, and
> which cannot be taken away from them. Self-sovereign identity is the
> natural evolution of an ecosystem which has moved faster than its
> supporting capabilities.
> *Proposed benefits of the new solution space*
> To create the long-missing identity layer of the Internet, a new, trusted
> infrastructure is required which enables identity owners to share not only
> identity, but also verified attributes about people, organizations and
> things, with full permission and consent.
> For identities to be truly self-sovereign, this infrastructure needs to
> reside in an environment of diffuse trust, not belonging to or controlled
> by any single organisation or even a small group of organisations. Nobody
> can “turn the lights out”. Distributed ledger technology (DLT) is the
> breakthrough that makes this possible. It enables multiple institutions,
> organisations and governments to work together for the first time by
> forming a decentralised network much like the Internet itself, where data
> is replicated in multiple locations to be resistant to faults and tampering.
> When combined with distributed key management and peer-to-peer sharing of
> encrypted claims, DLT is what finally makes self-sovereign identity
> possible. Within this identity layer, mechanisms for discovery, routing of
> requests, secure exchange of information and management of consent, under
> the full control of the identity owner, finally become possible.
> The Sovrin Identity Network has been designed specifically to deliver a
> globally scalable self-sovereign identity solution. But to be truly
> self-sovereign, it cannot be owned by anyone. Similarly, to be fully
> trusted, and to avoid the pitfalls of other initiatives in the distributed
> ledger space, Sovrin needs a lightweight governance layer. To achieve this,
> the developers of Sovrin have given away the source code to the Sovrin
> Foundation, a not-for-profit organisation whose role is to provide a thin
> layer of governance to Sovrin while not owning or managing any
> infrastructure. The Sovrin Foundation ensures the effective distribution of
> the decentralised network and ensures that the network itself functions in
> the best interest of its users.
> *Different approaches being taken in the new solution space, e.g. if other
> approaches are being taken outside of Sovrin*
> Early examples of identity solutions using distributed ledger technology
> used ledgers built for other purposes such as the Bitcoin ledger, or
> general purpose ledgers such as Ethereum. While these capabilities are able
> to provide fairly simple proofs that something took place on a certain date
> & time, they are not dedicated to the particular nuances of the identity
> ecosystem such as non-correlation, revocation and anonymous zero-knowledge
> proofs.
> They also lack governance. For example, the need to secure the network by
> using hashing power has resulted in a concentration of Bitcoin mining in
> China. Who are these miners, do we trust them, do they jointly exert too
> much influence? What governance is in place? The recent forking of Ethereum
> has also shown the consequences of a lack of governance and direction.
> Sovrin is the first public-permissioned distributed ledger. It is publicly
> accessible by anyone, but in order to run one of the nodes which validates
> the integrity of the network, you need to be permitted to and you must
> abide by certain rules which include the Sovrin Trust Framework.
> Non-distributed ledger solutions are attempting to paper over the problems
> with silo-based identity. Examples are federated identity models such as
> the GOV.UK Verify system, which uses attribute sharing hubs and identity
> providers to move information from one silo to another, but without giving
> the identity owner real control. Personal information management solutions
> are going a step further, in enabling identity owner control of their data,
> but are still somewhat lacking in portability and therefore remain as silos.
> *Strengths, weaknesses, risks, and open issues being seen in practice*
> The ability for an identity owner to assert multiple verifiable claims
> about their identity, anonymously if required, and without possibility of
> correlation, is central to the architecture of Sovrin. With discovery
> capabilities to ensure that party A can confirm the identity of party B,
> and vice versa, direct party-to-party data sharing can take place with no
> need for intermediaries and with full evidence of consent.
> By replacing intermediaries with protocols, immediate digital identity
> verification can take place with no 3rd party involvement. There are too
> many benefits to list, but here are a few that we are working on: instant
> employment screening, frictionless bank KYC, identity for the stateless,
> fast online checkout, globally portable digital identity for travellers,
> and vaccination recording for developing countries.
> Challenges to adoption of Sovrin are those typical of a two-sided market.
> Both identity issuers and relying parties need to come on board. Sovrin
> partners are taking a simple approach to this – the initial partners will
> be both issuers and relying parties. They will provide new identity
> services for their users to be utilised within their own ecosystem. These
> islands of functionality will expand and intersect with other islands, and
> individuals will find that they can use their identity information from one
> issuer with a completely different relying party. In other cases,
> coalitions of organisations which are all trying to solve the same problem
> are coming together to create an ecosystem where they can all use Sovrin to
> their mutual benefit.
> The other major challenge is an educational one. Trying to explain
> self-sovereign identity to a layman is difficult. Because people have been
> brought up to understand that the only way the internet works is to give
> their details to many different organisations repeatedly, they cannot
> conceive of a better way. Being able to get across the power of every
> individual having their own digital identity which they control and own and
> which cannot be taken away, is a new concept which needs to be communicated
> effectively.
> *Whether other technologies and techniques are being brought to bear (you
> can see a list of technologies and techniques we are analyzing in
> our report
> <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group> TOC)*
> Sovrin enables/uses the following:
> - Public-permissioned distributed ledger technology based on the
>   Plenum Consensus Protocol, involving multiple specialised ledgers (identity
>   ledger, config ledger, etc.)
> - Verifiable claims
> - Anonymous credentials
> - Revocation, anonymous if required
> - Distributed and cryptographic identifiers
> - Link contracts & consent receipting
> - Persistent P2P messaging endpoints
> - Key discovery, management recovery & rotation
> - Portable off-ledger private data storage e.g. IPFS/BigChainDB
>   etc.
> - Identity, relationship and reputation graphs
> - 3rd party attested and self-attested claims
> On Oct 11, 2016, at 9:41 AM, Eve Maler <eve.maler at forgerock.com> wrote:
> Hi Phil-- Thanks for being willing to help the Blockchain and Smart
> Contracts group understand what Sovrin is doing in the context of our
> analysis efforts!
> If you look at the first paragraph of our draft report's introduction
> <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group#ReportfromtheBlockchainandSmartContractsDiscussionGroup-Introduction>,
> you'll see a statement of our scope:
>    - Solving use cases for *empowering traditionally disempowered parties*
>    (such as individuals)
>    - taking part in *transactions* (such as entering into contracts and
>    information-sharing agreements)
>    - with *parties that traditionally hold greater power* (such as
>    companies and large countries)
>    - in the context of *decentralization technologies and techniques*
>    (such as blockchain and smart contracts)
>    - and their mixture with *identity* (both in the course of conducting
>    business/legal transactions and to solve digital identity use cases).
> Our Discussion Group is time-boxed to six months, and so we plan to go
> into only as much depth as can be covered in this time frame. (We started
> in July!)
> With all of this in mind, could you please comment on the following
> aspects of Sovrin?
>    - Deficits and benefits of how the problem space was/is being solved
>    - Proposed benefits of the new solution space
>    - Different approaches being taken in the new solution space, e.g. if
>    other approaches are being taken outside of Sovrin
>    - Strengths, weaknesses, risks, and open issues being seen in practice
>    - Whether other technologies and techniques are being brought to bear
>    (you can see a list of technologies and techniques we are analyzing in our
>    report
>    <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group>
>    TOC)
> Many thanks! If you have any questions, or would like to discuss responses
> in a phone call, don't hesitate to let me know.
> *Eve Maler*ForgeRock Office of the CTO | VP Innovation & Emerging
> Technology
> Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
> *ForgeRock Summits* are coming to <http://summits.forgerock.com/> *London
> and Paris!*