[DG-BSC] Fwd: Questionnaire for the Sovrin Foundation for the BSC report

Eve Maler eve.maler at forgerock.com
Tue Oct 25 09:02:50 CDT 2016

Thanks, Thorsten!

*Eve Maler* ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
*The ForgeRock Identity Summit* is coming to <http://summits.forgerock.com/> *Paris in November!*

On Tue, Oct 25, 2016 at 12:31 AM, Thorsten H. Niebuhr [WedaCon GmbH] <
tniebuhr at wedacon.net> wrote:

> Hi Eve,
> thanks for sharing this! Besides more detailed information on the Sovrin
> page (https://www.sovrin.org/docs.html) there is a new technical paper
> which was presented in conjunction with the reboot of the 'Web of Trust':
> https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2016/blob/master/topics-and-advance-readings/Sovrin--digital-identities-in-the-blockchain-era.pdf
> Thorsten
> On 24.10.2016 01:44, Eve Maler wrote:
> Hi folks-- Following is the material I was supplied by the Sovrin
> Foundation folks in answer to the questionnaire. Hopefully we can use this
> as a discussion topic on the next call (unless there's a more pressing set
> of material ahead of it).
> ---------- Forwarded message ----------
> From: Eve Maler <eve.maler at forgerock.com>
> Date: Sun, Oct 23, 2016 at 4:42 PM
> Subject: Re: Questionnaire for the Sovrin Foundation for the BSC report
> To: Phil Windley <phil at windley.org>
> Belated ack/thanks for this! I'm going to send it to our DG for question
> and comment as we work through it. What we publish may be a combination of
> quoted sections, paraphrases, commentary, and so on, and since we do our
> work in the open anyway, of course we'll invite and welcome comment back on
> the draft.
> On Fri, Oct 14, 2016 at 8:30 AM, Phil Windley <phil at windley.org> wrote:
>> Here are some answers to the questionnaire. Let me know if something
>> doesn’t make sense or needs more explanation.
>> *Deficits and benefits of how the problem space was/is being solved*
>> The Internet was built without a standard, explicit way of identifying
>> people or organisations. So websites simply began offering their own local
>> accounts with usernames and passwords, and this has been the predominant
>> solution ever since.
>> But the Internet has expanded hugely, and people use more and more
>> services daily. This silo-based approach, where users must maintain
>> identities for every site they interact with, has become untenable. It is
>> not just a usability disaster for individuals, it also creates a multitude
>> of data honeypots for hackers—the breach of which compromises trust in all
>> Internet services.
>> To solve this problem we have tried to connect different identity silos
>> together in various federated models. However these have produced
>> inadvertent side effects such as concentrating control around a small
>> number of providers, correlation of personal data through multiple
>> seemingly unrelated transactions, increasing data leakage through
>> inadvertent sharing, and raising privacy concerns, all while not actually
>> giving the individual real control. At the same time, there is a growing
>> economic inefficiency when organisations all around the world have to
>> collect, store and protect the same sort of personal data in their own
>> silos. It is reaching a tipping point.
>> The next evolution of the Internet will be the creation of a common
>> identity layer that allows people, organisations and things to have their
>> own self-sovereign identity—a digital identity they own and control, and
>> which cannot be taken away from them. Self-sovereign identity is the
>> natural evolution of an ecosystem which has moved faster than its
>> supporting capabilities.
>> *Proposed benefits of the new solution space*
>> To create the long-missing identity layer of the Internet, a new, trusted
>> infrastructure is required which enables identity owners to share not only
>> identity, but also verified attributes about people, organizations and
>> things, with full permission and consent.
>> For identities to be truly self-sovereign, this infrastructure needs to
>> reside in an environment of diffuse trust, not belonging to or controlled
>> by any single organisation or even a small group of organisations. Nobody
>> can “turn the lights out”. Distributed ledger technology (DLT) is the
>> breakthrough that makes this possible. It enables multiple institutions,
>> organisations and governments to work together for the first time by
>> forming a decentralised network much like the Internet itself, where data
>> is replicated in multiple locations to be resistant to faults and tampering.
>> When combined with distributed key management and peer-to-peer sharing of
>> encrypted claims, DLT is what finally makes self-sovereign identity
>> possible. Within this identity layer, mechanisms for discovery, routing of
>> requests, secure exchange of information and management of consent, under
>> the full control of the identity owner, finally become possible.
>> The Sovrin Identity Network has been designed specifically to deliver a
>> globally scalable self-sovereign identity solution. But to be truly
>> self-sovereign, it cannot be owned by anyone. Similarly, to be fully
>> trusted, and to avoid the pitfalls of other initiatives in the distributed
>> ledger space, Sovrin needs a lightweight governance layer. To achieve this,
>> the developers of Sovrin have given away the source code to the Sovrin
>> Foundation, a not-for-profit organisation whose role is to provide a thin
>> layer of governance to Sovrin while not owning or managing any
>> infrastructure. The Sovrin Foundation ensures the effective distribution of
>> the decentralised network and ensures that the network itself functions in
>> the best interest of its users.
>> *Different approaches being taken in the new solution space, e.g. if
>> other approaches are being taken outside of Sovrin*
>> Early examples of identity solutions using distributed ledger technology
>> used ledgers built for other purposes such as the Bitcoin ledger, or
>> general purpose ledgers such as Ethereum. While these capabilities are able
>> to provide fairly simple proofs that something took place on a certain date
>> & time, they are not dedicated to the particular nuances of the identity
>> ecosystem such as non-correlation, revocation and anonymous zero-knowledge
>> proofs.
>> They also lack governance. For example, the need to secure the network by
>> using hashing power has resulted in a concentration of Bitcoin mining in
>> China. Who are these miners, do we trust them, do they jointly exert too
>> much influence? What governance is in place? The recent forking of Ethereum
>> has also shown the consequences of a lack of governance and direction.
>> Sovrin is the first public-permissioned distributed ledger. It is
>> publicly accessible by anyone, but in order to run one of the nodes which
>> validates the integrity of the network, you need to be permitted to and you
>> must abide by certain rules which include the Sovrin Trust Framework.
>> Non-distributed ledger solutions are attempting to paper over the
>> problems with silo-based identity. Examples are federated identity models
>> such as the gov.uk Verify system, which uses attribute sharing hubs and
>> identity providers to move information from one silo to another, but
>> without giving the identity owner real control. Personal information
>> management solutions are going a step further, in enabling identity owner
>> control of their data, but are still somewhat lacking in portability and
>> therefore remain as silos.
>> *Strengths, weaknesses, risks, and open issues being seen in practice*
>> The ability for an identity owner to assert multiple verifiable claims
>> about their identity, anonymously if required, and without possibility of
>> correlation, is central to the architecture of Sovrin. With discovery
>> capabilities to ensure that party A can confirm the identity of party B,
>> and vice versa, direct party-to-party data sharing can take place with no
>> need for intermediaries and with full evidence of consent.
>> By replacing intermediaries with protocols, immediate digital identity
>> verification can take place with no 3rd party involvement. There are too
>> many benefits to list, but here are a few that we are working on: instant
>> employment screening, frictionless bank KYC, identity for the stateless,
>> fast online checkout, globally portable digital identity for travellers,
>> and vaccination recording for developing countries.
>> Challenges to adoption of Sovrin are those typical of a two-sided market.
>> Both identity issuers and relying parties need to come on board. Sovrin
>> partners are taking a simple approach to this – the initial partners will
>> be both issuers and relying parties. They will provide new identity
>> services for their users to be utilised within their own ecosystem. These
>> islands of functionality will expand and intersect with other islands, and
>> individuals will find that they can use their identity information from one
>> issuer with a completely different relying party. In other cases,
>> coalitions of organisations which are all trying to solve the same problem
>> are coming together to create an ecosystem where they can all use Sovrin to
>> their mutual benefit.
>> The other major challenge is an educational one. Trying to explain
>> self-sovereign identity to a layman is difficult. Because people have been
>> brought up to understand that the only way the internet works is to give
>> their details to many different organisations repeatedly, they cannot
>> conceive of a better way. Being able to get across the power of every
>> individual having their own digital identity which they control and own and
>> which cannot be taken away, is a new concept which needs to be communicated
>> effectively.
>> *Whether other technologies and techniques are being brought to bear (you
>> can see a list of technologies and techniques we are analyzing in
>> our report
>> <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group> TOC)*
>> Sovrin enables/uses the following:
>>    - Public-permissioned distributed ledger technology based on the
>>    Plenum Consensus Protocol, involving multiple specialised ledgers
>>    (identity ledger, config ledger etc)
>>    - Verifiable claims
>>    - Anonymous credentials
>>    - Revocation, anonymous if required
>>    - Distributed and cryptographic identifiers
>>    - Link contracts & consent receipting
>>    - Persistent P2P messaging endpoints
>>    - Key discovery, management recovery & rotation
>>    - Portable off-ledger private data storage e.g. IPFS/BigChainDB etc.
>>    - Identity, relationship and reputation graphs
>>    - 3rd party attested and self-attested claims
>> On Oct 11, 2016, at 9:41 AM, Eve Maler <eve.maler at forgerock.com> wrote:
>> Hi Phil-- Thanks for being willing to help the Blockchain and Smart
>> Contracts group understand what Sovrin is doing in the context of our
>> analysis efforts!
>> If you look at the first paragraph of our draft report's introduction
>> <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group#ReportfromtheBlockchainandSmartContractsDiscussionGroup-Introduction>,
>> you'll see a statement of our scope:
>>    - Solving use cases for *empowering traditionally disempowered
>>    parties* (such as individuals)
>>    - taking part in *transactions* (such as entering into contracts and
>>    information-sharing agreements)
>>    - with *parties that traditionally hold greater power* (such as
>>    companies and large countries)
>>    - in the context of *decentralization technologies and techniques*
>>    (such as blockchain and smart contracts)
>>    - and their mixture with *identity* (both in the course of conducting
>>    business/legal transactions and to solve digital identity use cases).
>> Our Discussion Group is time-boxed to six months, and so we plan to go
>> into only as much depth as can be covered in this time frame. (We started
>> in July!)
>> With all of this in mind, could you please comment on the following
>> aspects of Sovrin?
>>    - Deficits and benefits of how the problem space was/is being solved
>>    - Proposed benefits of the new solution space
>>    - Different approaches being taken in the new solution space, e.g. if
>>    other approaches are being taken outside of Sovrin
>>    - Strengths, weaknesses, risks, and open issues being seen in practice
>>    - Whether other technologies and techniques are being brought to bear
>>    (you can see a list of technologies and techniques we are analyzing in our
>>    report
>>    <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group>
>>    TOC)
>> Many thanks! If you have any questions, or would like to discuss
>> responses in a phone call, don't hesitate to let me know.
> _______________________________________________
> DG-BSC mailing list
> DG-BSC at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/dg-bsc