Can LESS be more?

Self-Sovereign Identity (SSI) is a term that invokes a variety of emotions. Is it a technology, a standard or a movement? Or does the term not matter?

I am writing this as the whole world is at a standstill due to the Coronavirus COVID-19 pandemic, and the Johns Hopkins University Coronavirus COVID-19 Global Cases Map is currently showing the horrifying global number of 1,754,457 confirmed cases and 107,520 deaths.

I choose to believe that we will get thru this, but also that our future will be shaped profoundly by our globally shared experience of physical distancing combined with the increased comfort with and expectations of entirely digital person-to-person, person-to-group, person-to-organization and organization-to-person interactions. This is a place where the ideals of SSI need to inform the implementation and delivery of pragmatic solutions for the common good.

First, in reading the discussions regarding the concepts and foundations of SSI and depending on who you are speaking with, there appears to be a desire to bucket them into two tracks - LESS (Legally Enabled Self-Sovereign) Identity and Trustless Identity.

This naturally supports the human desire for creating pro-and-con listings, but because it is framed as a choice, it makes you miss options. I would urge you to reject this narrow framing by thinking “AND not OR” i.e. It is entirely possible to ensure that the ideals of Trustless Identity be implemented using the pragmatism of LESS Identity by combining thoughtful, careful design and architecture with technologies that are open, standards based and community driven.

Second, the implementation of SSI/LESS/Trustless solutions are based on a core set of standards and specifications, the most important of them being the “Verifiable Credentials (VC) Data Model” and “Decentralized Identifiers (DIDs)”. Both are managed by the World Wide Web Consortium (W3C), the global standards development organization led by the inventor of the web, Sir Tim Berners-Lee.

Finally, this is where the rubber needs to meet the road as we get to the other side of this pandemic. In our lives right now, we are seeing a variety of situations playing out that may continue post-pandemic where digital credentials are going to play an increasingly critical role.

• Education moving entirely online with teachers and students needing to be credentialed
• Increased use of tele-medicine with the need to verify the credentials of doctors and their ability to “write” digital prescriptions
• Employers seeking global work from home talent where potential employees need to provide digital credentials of their qualifications and job experiences
• Essential travel certification of those who are part of critical supply chains
• …

The traditional technical and usability pain point here has been around ‘consent based attribute aggregation’. For those who understand whereof I speak, I would urge you to look in depth into how the combination of a digital wallet under the control of a Holder with open APIs that can store multiple credentials can use the Verifiable Credential Presentation mechanism to provide a relatively straight forward solution to this traditionally hard problem.

I will close by noting that in this new era, humans being human, there will continue to be those who try to take advantage of the situation to their benefit, whether that be entrenched global technology platforms who use the pandemic as an opportunity to launder their reputation while seeking to increase their market share, or other state or non-state actors pursuing more nefarious ends.

"Your papers, please" (or "Papers, please") is an expression or trope associated with police state functionaries, as popularized in Hollywood movies featuring Nazi Party officials demanding identification from citizens during random stops or at checkpoints. It is a cultural metaphor for life in a police state.

Wikipedia

What is important to realize is that, there exists at this time a clear opportunity to use this secure and privacy-respecting technology to address challenges in a manner that is viable from a business perspective, while serving the common good. Are you ready?

cyberLinks: random and relevant

• Privacy-Preserving Contact Tracing partnership between Apple and Google “… to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.” Bluetooth Specification here (PDF). Cryptography Specification here (PDF). Framework API here (PDF). Overview by TechCrunch here.

• Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) supporting centralized and decentralized approaches while enforcing data protection, anonymization, GDPR compliance, and security. Privacy enforcing flow details here. Decentralized implementation of cryptography here.

• Andreessen Horowitz has translated into english screenshots of COVID-19 app features from China and beyond “… in the hope of inspiring tech companies to innovate for this time of crisis …”