Virtual shared ledger made real

A few years ago, along with colleagues at Consult Hyperion, I was looking at the potential for the blockchain in the identity space.

(Put to one side what is meant by blockchain and what is meant by identity.)

One of the ideas that came out at that time was to record the create, read, update and delete (CRUD) operations on the virtual identities (personas, if you like, each containing an identifier and credentials) in a virtual shared ledger (VSL, aka the “CRUDchain") and then anchor the VSL in one or more actual shared ledgers, including one or more public blockchains.

As it turned out, no-one was much interested in this idea. Three years ago I took it to the Dutch Blockchain Innovation Conference in Amsterdam. Here are a couple of diagrams from that presentation. First here’s the CRUDchain...

And here is the idea of gathering the CRUDchain transactions and putting them on the blockchain. 

Of course, what I envisaged those CRUD transactions operating on were public key certificates rather than W3C decentralised identifiers (DIDs), but you get the general point. When you want to prove to a web site that you are over 18, you point them to an entry in the CRUDchain that contains the relevant credential. This entry (whether a PKC or a DID) contains a public key. The web site generates a challenge using this key: only you can answer the challenge because you are the only person with the corresponding private key. Therefore the web site can be sure that you are the holder of the credential. It all works.

Hence I was interested to note Microsoft’s Consensus 2019 announcement that they intend to implement something along these lines, as adumbrated in their October 2018 white paper on Decentralized Identity. They are creating an Identity Overlay Network (ION) using the Sidekeep protocol. This project uses IPFS to manage the CRUD entries at scale and Microsoft intend, in the short term at least, to anchor these transactions in the Bitcoin blockchain which is, as the respected cryptographer Ari Juels (a professor at Cornell and former chief scientist at RSA) said in Wired magazine, “surprising”. If the approach gains traction, however, I’m sure they will use other shared ledgers.

As Microsoft put it in their blog post on the topic, "All nodes of the network are able to arrive at the same Decentralized Public Key Infrastructure (DPKI) state for an identifier based solely on applying deterministic protocol rules to chronologically ordered batches of operations anchored on the blockchain, which ION nodes replicate and store via IPFS”. In this architecture, you don’t use “the blockchain” to store personal information, you use it to prove the ordering of identity transactions elsewhere. If I’ve understood things correctly, the key point is this: the public blockchain is used as a verification platform, not as a transaction platform. And I think that makes sense.
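To make the CRUDchain anchoring idea and the "deterministic rules over ordered, anchored batches" point concrete, here is a small added illustration (my own example code, not Microsoft's or ION's). It assumes a list standing in for the public ledger, constructed sample operations, placeholder strings in place of real public keys, and a canonical JSON hash as the anchor; only batch hashes go on the ledger, while every node replays the off-chain batches in anchored order and rejects any batch whose hash does not match its anchor.

```python
import hashlib
import json

# Constructed sample operations; the "key" values are placeholders, not real public keys.
OPERATIONS = [
    {"op": "create", "id": "did:example:alice", "key": "pk-alice-1"},
    {"op": "create", "id": "did:example:bob", "key": "pk-bob-1"},
    {"op": "update", "id": "did:example:alice", "key": "pk-alice-2"},
    {"op": "delete", "id": "did:example:bob"},
]

def batch_hash(batch):
    """Canonical SHA-256 over an ordered batch; this digest is all that goes on-chain."""
    canonical = json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def anchor(ledger, batch):
    """Record the batch on the simulated public ledger: only its hash, never the operations."""
    ledger.append(batch_hash(batch))

def apply_op(state, op):
    """Deterministic rules: first create wins, updates need a live entry, delete removes it."""
    ident = op["id"]
    if op["op"] == "create" and ident not in state:
        state[ident] = op["key"]
    elif op["op"] == "update" and ident in state:
        state[ident] = op["key"]
    elif op["op"] == "delete":
        state.pop(ident, None)

def resolve(ledger, batches):
    """Replay off-chain batches in anchored order, rejecting any that do not match an anchor."""
    if len(batches) != len(ledger):
        raise ValueError("batch count does not match number of anchors")
    state = {}
    for anchored, batch in zip(ledger, batches):
        if batch_hash(batch) != anchored:
            raise ValueError("batch does not match anchored hash")
        for op in batch:
            apply_op(state, op)
    return state

def demo():
    """Anchor two batches; return the ledger and the off-chain batches a node would replicate."""
    ledger, batches = [], [OPERATIONS[:2], OPERATIONS[2:]]
    for batch in batches:
        anchor(ledger, batch)
    return ledger, batches
```

Any node given the same ledger and the same replicated batches derives the same DPKI state, and a node handed a doctored batch (an extra update to Alice's key, say) cannot be fooled because the batch no longer matches its on-chain anchor.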

What’s probably most important about the Microsoft approach is the integration with Active Directory. If anything is a step towards corporates accepting some new identity service (whether decentralised, self-sovereign or anything else) it is this integration. It’s a first step, but an important step.
