The current focus of the digital identity community is on interoperability. That is critical work, but only a starting point for the long-term goal of enabling true front-end and back-end portability.
The focus of interoperability in the DID/VC/SSI/OIDC/SAML/PKI eco-system is analogous to enabling mobile phones on different carriers such as AT&T, Verizon, Rogers, T-Mobile, Vodaphone and others to communicate with each other. We have not yet reached the maturity of interoperability that allows for the equivalent of number portability at this time.
That level of interoperability requires us to invest time, thinking and treasure across two dimensions (1) front-end portability and (2) backend portability.
Front-end portability, particularly within the context of the W3C Decentralized Identifier (DID) ecosystem, means that a person should have the ability to move the identifier(s) they own and control from one system to another without any loss of functionality.
This would analogous to someone porting a mobile phone number from one carrier to another and being able to send and receive calls at the same number.
The current work in the DID/VC ecosystem is focused on getting an organization or a person to buy into utilizing a DID issued by its supporting infrastructure and then ensuring the cross-infrastructure resolution of that DID.
It does not allow a person to move this identifier from one issuance infrastructure to another.
What I am envisioning is the ability to generate multiple DIDs for myself …
did:me:7fcdc213-7713-4004-9cf8-b2c645517365 « Something I use for financial transactions
did:me:95c6e3f6-4e12-4b96-bee7-35adcd84dd4d « Something I use for government transactions
did:me:0b681aa0-95c8-4748-b3f4-95d264eeaa57 « Something I use for social media
did:me:f20a8f0c-865b-4826-bdae-23bc5a68bc3a « Something I used one time only
… and then have the ability to associate my DID, at a time and place of my choosing, with a particular “support infrastructure” a.k.a back-end. You will note that I deliberately did not use the word “issuance infrastructure” here.
Some additional points worth thinking about:
- It would be interesting if the W3C DID WG chose to ‘reserve’ some DID method names (e.g. did:me, did:self etc.) in anticipation of this type of a portable future
- The DID method-specific-string is generated as a Version 4 UUID, using a secure random number generator and conformant to RFC 4122. I think you want to enforce true randomness and global uniqueness here and prevent leaking of any PII.
- It is VERY IMPORTANT to allow a person to have as many DIDs as they want to mitigate correlation risk. This should fully support a unique DID for every major relationship a person may choose to have or even support single use DIDs.
- While not a DID based infrastructure, the Government of Canada’s GCKey Infrastructure is a good working example of allowing a single person to generate multiple identifiers. I truly appreciated this as a US Citizen seeking to reserve a backcountry permit in a Canadian National Park!
- It is important to always keep in mind that a strong assertion of ‘sameness’ is NOT the same as a strong assertion of ‘identity’, and that multiple DIDs enable the first and can support the second.
However, in order to enable portable identifiers, the current generation of DID issuance infrastructure needs to evolve into DID support infrastructure that can support someone bringing their own DID.
A starting point for this is the joint work of the W3C CCG and the DIF on “Encrypted Data Vault / Secure Data Store” which “… describes a privacy-respecting mechanism for storing, indexing, and retrieving encrypted data at a storage provider. It is often useful when an individual or organization wants to protect data in a way that the storage provider cannot view, analyze, aggregate, or resell the data. This approach also ensures that application data is portable and protected from storage provider data breaches.”
The future is … portable
There remains much work to do to ensure interoperability of current systems and we should absolutely do that. At the same time, we also need to realize that interoperability is a stepping stone to a future that provides true choice and agency to an individual. And that future requires us to think about how best we can ensure portability in addition to interoperability.
cyberforge: random and relevant
Self-Sovereign Identity Principles #6 - Portability. Information and services about identity must be transportable. Identities must not be held by a singular third-party entity, even if it’s a trusted entity that is expected to work in the best interest of the user. The problem is that entities can disappear — and on the Internet, most eventually do. Regimes may change, users may move to different jurisdictions. Transportable identities ensure that the user remains in control of his identity no matter what, and can also improve an identity’s persistence over time. This principle is currently being revised.
Finalists Announced in Digital Wallets Prize Challenge. Dignari, LLC, Indicio.tech and Trinsic were the winners of the Stage 1 prize (each taking home US$5000) in the DHS Science and Technology Directorate (SVIP Sponsored) Digital Wallet UI/UX Prize Challenge!