[DG-BSC] Fwd: Questionnaire for the Sovrin Foundation for the BSC report

Thorsten H. Niebuhr [WedaCon GmbH] tniebuhr at wedacon.net
Tue Oct 25 02:31:38 CDT 2016

Hi Eve,

thanks for sharing this! Beside more detailde informations on the sovrin
page (https://www.sovrin.org/docs.html) there is a new technical paper
which was presented in conjunction with the reboot of the 'web of Trust':



On 24.10.2016 01:44, Eve Maler wrote:
> Hi folks-- Following is the material I was supplied by the Sovrin
> Foundation folks in answer to the questionnaire. Hopefully we can use
> this as a discussion topic on the next call (unless there's a more
> pressing set of material ahead of it).
> *Eve Maler
> *ForgeRock Office of the CTO | VP Innovation & Emerging Technology
> Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
> *The ForgeRock Identity Summit* is coming to
> <http://summits.forgerock.com/> *Paris in November!*
> ---------- Forwarded message ----------
> From: *Eve Maler* <eve.maler at forgerock.com
> <mailto:eve.maler at forgerock.com>>
> Date: Sun, Oct 23, 2016 at 4:42 PM
> Subject: Re: Questionnaire for the Sovrin Foundation for the BSC report
> To: Phil Windley <phil at windley.org <mailto:phil at windley.org>>
> Belated ack/thanks for this! I'm going to send it to our DG for
> question and comment as we work through it. What we publish may be a
> combination of quoted sections, paraphrases, commentary, and so on,
> and since we do our work in the open anyway, of course we'll invite
> and welcome comment back on the draft.
> *Eve Maler
> *ForgeRock Office of the CTO | VP Innovation & Emerging Technology
> Cell +1 425.345.6756 <tel:%2B1%20425.345.6756> | Skype: xmlgrrl |
> Twitter: @xmlgrrl
> *The ForgeRock Identity Summit* is coming to
> <http://summits.forgerock.com/> *Paris in November!*
> On Fri, Oct 14, 2016 at 8:30 AM, Phil Windley <phil at windley.org
> <mailto:phil at windley.org>> wrote:
>     Here’s some answers to the questionnaire. Let me know if something
>     doesn’t make sense or needs more explanation. 
>     *Deficits and benefits of how the problem space was/is being solved*
>     *
>     *
>     The Internet was built without a standard, explicit way of
>     identifying people or organisations. So websites simply began
>     offering their own local accounts with usernames and passwords,
>     and this has been the predominant solution ever since. 
>     But the Internet has expanded hugely, and people use more and more
>     services daily. This silo-based approach, where users must
>     maintain identities for every site they interact with, has become
>     untenable. It is not just a usability disaster for individuals, it
>     also creates a multitude of data honeypots for hackers—the breach
>     of which compromises trust in all Internet services. 
>     To solve this problem we have tried to connect different identity
>     silos together in various federated models. However these have
>     produced inadvertent side effects such as concentrating control
>     around a small number of providers, correlation of personal data
>     through multiple seemingly unrelated transactions, increasing data
>     leakage through inadvertent sharing, and raising privacy concerns,
>     all while not actually giving the individual real control. At the
>     same time, there is a growing economic inefficiency when
>     organisations all around the world have to collect, store and
>     protect the same sort of personal data in their own silos. It is
>     reaching a tipping point. 
>     The next evolution of the Internet will be the creation of a
>     common identity layer that allows people, organisations and things
>     to have their own self-sovereign identity—a digital identity they
>     own and control, and which cannot be taken away from them.
>     Self-sovereign identity is the natural evolution of an ecosystem
>     which has moved faster than its supporting capabilities.
>     *
>     *
>     *Proposed benefits of the new solution space*
>     To create the long-missing identity layer of the Internet, a new,
>     trusted infrastructure is required which enables identity owners
>     to share not only identity, but also verified attributes about
>     people, organizations and things, with full permission and consent. 
>     For identities to be truly self-sovereign, this infrastructure
>     needs to reside in an environment of diffuse trust, not belonging
>     to or controlled by any single organisation or even a small group
>     of organisations. Nobody can “turn the lights out”. Distributed
>     ledger technology (DLT) is the breakthrough that makes this
>     possible. It enables multiple institutions, organisations and
>     governments to work together for the first time by forming a
>     decentralised network much like the Internet itself, where data is
>     replicated in multiple locations to be resistant to faults and
>     tampering.
>     When combined with distributed key management and peer-to-peer
>     sharing of encrypted claims, DLT is what finally makes
>     self-sovereign identity possible. Within this identity layer,
>     mechanisms for discovery, routing of requests, secure exchange of
>     information and management of consent, under the full control of
>     the identity owner, finally becomes possible.
>     The Sovrin Identity Network has been design specifically to
>     deliver a globally scalable self-sovereign identity solution. But
>     to be truly self-sovereign, it cannot be owned by anyone.
>     Similarly, to be fully trusted, and to avoid the pitfalls of other
>     initiatives in the distributed ledger space, Sovrin needs a
>     lightweight governance layer. To achieve this, the developers of
>     Sovrin have given away the source code to the Sovrin Foundation, a
>     not-for-profit organisation whose role is to provide a thin layer
>     of governance to Sovrin while not owning or managing any
>     infrastructure. The Sovrin Foundation ensures the effective
>     distribution of the decentralised network and ensures that the
>     network itself functions in the best interest of its users.
>     *
>     *
>     *Different approaches being taken in the new solution space, e.g.
>     if other approaches are being taken outside of Sovrin*
>     Early examples of identity solutions using distributed ledger
>     technology used ledgers built for other purposes such as the
>     Bitcoin ledger, or general purpose ledgers such as Ethereum. While
>     these capabilities are able to provide fairly simple proofs that
>     something took place on a certain date & time, they are not
>     dedicated to the particular nuances of the identity ecosystem such
>     as non-correlation, revocation and anonymous zero-knowledge proofs. 
>     They also lack governance. For example, the need to secure the
>     network by using hashing power has resulted in a concentration of
>     Bitcoin mining in China. Who are these miners, do we trust them,
>     do they jointly exert too much influence. What governance is in
>     place? The recent forking of Ethereum has also shown the
>     consequences of a lack of governance and direction.
>     Sovrin is the first public-permissioned distributed ledger. It is
>     publicly accessible by anyone, but in order to run one of the
>     nodes which validates the integrity of the network, you need to be
>     permitted to and you must abide by certain rules which include the
>     Sovrin Trust Framework. 
>     Non-distributed ledger solutions are attempting to paper over the
>     problems with silo-based identity. Examples are federated identity
>     models such as the gov.uk <http://gov.uk>Verify system, which uses
>     attribute sharing hubs and identity providers to move information
>     from one silo to another, but without giving the identity owner
>     real control. Personal information management solutions are going
>     a step further, in enabling identity owner control of their data,
>     but are still somewhat lacking in portability and therefore remain
>     as silos.
>     *
>     *
>     *Strengths, weaknesses, risks, and open issues being seen in practice*
>     The ability for an identity owner to assert multiple verifiable
>     claims about their identity, anonymously if required, and without
>     possibility of correlation, is central to the architecture of
>     Sovrin. With discovery capabilities to ensure that party A can
>     confirm the identity of party B, and vice versa, direct
>     party-to-party data sharing can take place with no need for
>     intermediaries and with full evidence of consent. 
>     By replacing intermediaries with protocols, immediate digital
>     identity verification can take place with no 3^rd  party
>     involvement. There are too many benefits to list, bur here are a
>     few that we are working on: instant employment screening;
>     frictionless bank KYC, identity for the stateless, fast online
>     checkout, globally portable digital identity for travellers, and
>     vaccination recording for developing countries.
>     Challenges to adoption of Sovrin are those typical of a two-sided
>     market. Both identity issuers and relying parties need to come on
>     board. Sovrin partners are taking a simple approach to this – the
>     initial partners will be both issuers and relying parties. They
>     will provide new identity services for their users to be utilised
>     within their own ecosystem. These islands of functionality will
>     expand and intersect with other islands, and individuals will find
>     that they can use their identity information from one issuer with
>     a completely different relying party. In other cases, coalitions
>     of organisations which are all trying to solve the same problem
>     are coming together to create an ecosystem where they can all use
>     Sovrin to their mutual benefit.
>     The other major challenge is an educational one. Trying to explain
>     self-sovereign identity to a layman is difficult. Because people
>     have been brought up to understand that the only way the internet
>     works is to give their details to many different organisations
>     repeatedly, they cannot conceive of a better way. Being able to
>     get across the power of every individual having their own digital
>     identity which they control and own and which cannot be taken
>     away, is a new concept which needs to be communicated effectively.
>     *
>     *
>     *Whether other technologies and techniques are being brought to
>     bear (you can see a list of technologies and techniques we are
>     analyzing in our report
>     <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group> TOC)*
>     Sovrin enables/uses the following
>     -          Public-permissioned distributed ledger technology based
>     on the Plenum Consensus Protocol, involving multiple specialised
>     legers (identity ledger, config ledger etc)
>     -          Verifiable claims
>     -          Anonymous credentials
>     -          Revocation, anonymous if required
>     -          Distributed and cryptographic identifiers
>     -          Link contracts & consent receipting
>     -          Persistent P2P messaging endpoints
>     -          Key discovery, management recovery & rotation
>     -          Portable off-ledger private data storage e.g.
>     IPFS/BigChainDB etc.
>     -          Identity, relationship and reputation graphs
>     -          3^rd  party attested and self-attested claims
>>     On Oct 11, 2016, at 9:41 AM, Eve Maler <eve.maler at forgerock.com
>>     <mailto:eve.maler at forgerock.com>> wrote:
>>     Hi Phil-- Thanks for being willing to help the Blockchain and
>>     Smart Contracts group understand what Sovrin is doing in the
>>     context of our analysis efforts!
>>     If you look at the first paragraph of our draft report's
>>     introduction
>>     <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group#ReportfromtheBlockchainandSmartContractsDiscussionGroup-Introduction>,
>>     you'll see a statement of our scope:
>>       * Solving use cases for *empowering traditionally disempowered
>>         parties* (such as individuals)
>>       * taking part in *transactions* (such as entering into
>>         contracts and information-sharing agreements)
>>       * with *parties that traditionally hold greater power* (such as
>>         companies and large countries)
>>       * in the context of *decentralization technologies and
>>         techniques* (such as blockchain and smart contracts)
>>       * and their mixture with *identity* (both in the course of
>>         conducting business/legal transactions and to solve digital
>>         identity use cases).
>>     Our Discussion Group is time-boxed to six months, and so we plan
>>     to go into only as much depth as can be covered in this time
>>     frame. (We started in July!)
>>     With all of this in mind, could you please comment on the
>>     following aspects of Sovin?
>>       * Deficits and benefits of how the problem space was/is being
>>         solved
>>       * Proposed benefits of the new solution space
>>       * Different approaches being taken in the new solution space,
>>         e.g. if other approaches are being taken outside of Sovrin
>>       * Strengths, weaknesses, risks, and open issues being seen in
>>         practice
>>       * Whether other technologies and techniques are being brought
>>         to bear (you can see a list of technologies and techniques we
>>         are analyzing in our report
>>         <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group>
>>         TOC)
>>     Many thanks! If you have any questions, or would like to discuss
>>     responses in a phone call, don't hesitate to let me know.
>>     *Eve Maler
>>     *ForgeRock Office of the CTO | VP Innovation & Emerging Technology
>>     Cell +1 425.345.6756 <tel:%2B1%20425.345.6756> | Skype: xmlgrrl |
>>     Twitter: @xmlgrrl
>>     *ForgeRock Summits* are coming to <http://summits.forgerock.com/>
>>     *London and Paris!*
> _______________________________________________
> DG-BSC mailing list
> DG-BSC at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/dg-bsc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/dg-bsc/attachments/20161025/51f125a9/attachment-0001.html>

More information about the DG-BSC mailing list