The decentralized identity community is aggressively tackling many challenges to supply the missing identity layer of the internet. Individuals seek to take back control of their identity for privacy and transparency, while governments and businesses are looking to bridge the business process workflows they have been accustomed to for many years with a modernized way of engaging end users in an ever-evolving, digital-first world, without compromising trust. Decentralized identity promises to provide the digital trust infrastructure necessary to change how we interact with one another: more trust, more control, privacy by design, point to point.
There have been many explanations of decentralized identity, but to put it simply, we are taking how we have done identity for thousands of years in the physical world and bringing it into the digital world. Digital credentials, just like physical credentials, will be accumulated from issuing entities, stored in wallets, and presented, by choice and under the holder's control, to verifying parties to establish trust across any relationship.
To date, we have not had the right ingredients to enable a trust model that allows point-to-point exchanges of information, emulating how we exchange information in the physical world. With blockchain, cloud, mobile devices, and other technology enablers, the combination of these technologies now allows advances toward a trust model that has never been possible. Although the technology may be different, the processes and spirit of digital information exchange are mirrored, and in some cases improved upon, relative to physical world interactions.
Participate in Decentralized Identity Ecosystems
Our strategy is geared towards making decentralized identity a reality for all personas: individuals holding and presenting credentials, organizations issuing and verifying credentials, entities managing and operating networks, and more. In August 2018 we introduced an offering to establish decentralized identity networks, addressing one piece of our enterprise-focused strategy.
As we have worked with clients, primarily enterprise clients, we have noticed an early business pattern for leveraging decentralized identity: passwordless authentication. Passwordless authentication has been seen as an entry point for decentralized identity, in both the public and private sectors, enabling real-time authentication without the overhead and complexity of usernames and passwords. Because of this emerging pattern, integration with legacy IT and existing identity and access management (IAM) systems will be critical for enterprises as decentralized identity is adopted. A journey that optimizes existing investments while keeping line of sight on emerging IAM models requires new and existing technology to co-exist as we transform identity issuing and verifying process workflows. The passwordless authentication business pattern represents an on-ramp for enterprises to begin their decentralized identity journey. Governments and businesses can use cloud-based identity services to define authentication policies that require cryptographic verifiable proofs; once trust is established, these same entities can become issuers of new digital credentials, accelerating the trusted data needed for a permissioned attribute exchange.
To make this enterprise identity journey a reality and deliver on the second aspect of our decentralized identity strategy, participating in a world of heterogeneous networks, we have been working with clients, understanding use cases and business patterns, and building the corresponding features.
IBM’s Decentralized Identity Technology Preview
As a result of our collaborations with clients and community members, and from observing market trends, IBM is excited to announce the availability of a decentralized identity technology preview, an offering suite to manage the lifecycle of digital credentials within a decentralized identity ecosystem. The goal of this technology preview is to help clients start their journey with decentralized identity by shortening the developer time to value for building their first decentralized identity application. Our decentralized identity technology preview and open source contributions comprise:
- IBM’s Decentralized Identity Agency – deploy and manage Hyperledger Indy/Aries agents to exchange decentralized identity
- SDKs and samples – explore decentralized identity uses and develop decentralized identity applications
- IBM’s Decentralized Identity Mobile and Browser Extension – hold, manage, and present credentials across mobile and desktop experiences
IBM’s Decentralized Identity Agency
Our Agency allows clients to:
- Manage the lifecycle of an IBM Verify Credentials Agency account
- Manage the lifecycle of agents (decentralized identity processes) within an Agency account deployed on IBM Cloud for issuers, holders, and verifiers, built on top of Hyperledger Indy/Aries (work is ongoing to implement and refactor to Aries protocols). Agents are required by all entities to participate in decentralized identity ecosystems. Agents deployed through IBM’s decentralized identity agency use a multi-zone deployment for redundancy and availability.
- Manage agents through a single experience: add or delete them as required and manage credentials, connections, and devices across all agents. The single experience also allows deploying up to 10 agents in the technology preview, in any combination of decentralized identity issuer and verifier applications.
- Use simplified experiences to register mobile and desktop devices, allowing any number of edge devices to connect to a single agent, for credential portability and device synchronization across device types.
- Use selective disclosure and zero-knowledge proof protocols rooted in Indy/Aries protocols, surfaced through the agency
- Build decentralized identity applications with line of sight on interoperability; IBM’s decentralized identity agency will provide interoperability rooted in Aries protocols in the future.
SDKs and samples
Our SDK and samples:
- Enable developers and other personas, such as Line of Business, to explore the use of decentralized identity through public samples that emulate digital interactions with government, employer, and banking entities
- Provide developers an easy-to-use, programmatic SDK to issue and verify digital credentials as decentralized identity applications are developed. This SDK is written for Node.js.
IBM’s Decentralized Identity Mobile App and Browser Extension
Our credential managers allow clients to:
- Synchronize credentials across any number of edge mobile and desktop devices for credential presentment portability (e.g. use a browser extension at a desktop or the mobile app for mobile/tablet interactions)
- Hold, manage, and present credentials through a single mobile device/tablet experience across multiple agents within an agency and across agency accounts (e.g. manage credentials through a single experience across an agent designated for personal connections, an agent designated for professional connections, etc.)
- Perform device-to-device verification through the mobile device/tablet experience (e.g. police traffic stop scenario)
- Selectively disclose credentials as part of fulfilling a proof request through the mobile device/tablet experience
- Interoperate with existing identity readers through barcode and digital credential image rendering on a mobile device/tablet (e.g. TSA scanner/barcode reader)
- Present credentials through a desktop experience with a browser extension
Credential Lifecycle Management Roles
The relationships between the offering components and the broader ecosystem depend on the role each entity plays within the decentralized identity ecosystem, as defined by the W3C Verifiable Credentials specification. At its most basic, individuals and organizations will be issuers, verifiers, and/or holders. All roles interact with an agency to deploy agents. Holders register their edge devices (mobile or desktop) with their agent, creating the corpus of their digital wallet to hold, manage, and present their digital credentials.
Depending on your role, we have built an experience for developers and other personas, such as Line of Business, to prepare decentralized identity environments, explore the use of decentralized identity components, and build decentralized identity applications.
Community Collaboration
Because a reference architecture is needed to drive interoperability and a standards-based approach to decentralized identity, the community has collaborated in creating one, referred to as the Trust over IP Stack (ToIP). ToIP consists of the four layers needed in a scalable decentralized identity implementation.
- Layer 1 – DID Networks: Decentralized identity networks (ledgers) for decentralized key management and global, public Decentralized Identifier (DID) resolution. DIDs are a standard rooted in the W3C DID specification
- Layer 2 – DIDComm: Agent-to-agent, secure cryptographic communication and wallet capabilities to enable credential exchange
- Layer 3 – Credential Exchange: The standard for exchanging credentials between issuer, holder, and verifier, rooted in the W3C Verifiable Credentials data model
- Layer 4 – Governance Frameworks: Business and legal frameworks coinciding with the technical frameworks (layers 1-3) to provide industry-accepted and compliant exchange of digital credentials
IBM provides decentralized identity solution capabilities in line with the ToIP reference architecture, built on open source technology and de facto standards. As the landscape of decentralized identity technologies evolves, IBM will extend and mature this technology preview.
Getting started
Visit our Trusted Identity page to learn about decentralized identity and get started with IBM’s Decentralized Identity Technology Preview. Because this is a technology preview, an access code is required, so please contact your sales representative or open a ticket.
Another way clients can engage with us in the decentralized identity space is through the design thinking methodologies of Security Experts Labs. These allow clients to think through business problems and how decentralized identity can provide value in their business process workflow. To engage with Security Experts Labs, please contact your sales representative or start a chat by visiting the Security Experts Labs page.
Any innovative, emerging technology requires a confluence of business, legal, and technical thinking to transform business process workflows. The technology preview provides an on-ramp to the technical thinking, and our Security Experts Labs help put the business and legal thinking into a persona- and use-case-driven approach based on desired business outcomes.
Our goal, with the technology preview and Security Experts Labs working in harmony, is to help clients innovate and transform in the decentralized identity space while accounting for existing processes, traditional IAM workflows, and other pertinent use cases. This starts the journey toward new, trusted interactions that drive business outcomes.
We are very excited about this milestone to provide the fundamental technology and persona driven thinking to help individuals, organizations, and things exchange identity with more control, trust, and transparency.
Happy developing!
Authors:
Dan Gisolfi - CTO, IBM Decentralized Identity
Milan Patel - Product Manager, IBM Security