The new Lace wallet allows you to create your own digital identity. Lace will be integrated with a self-sovereign identity (SSI) platform called Atala PRISM, which uses the Cardano blockchain to function. Let's explore this innovative Web3 concept, which is built on the W3C standard.

Decentralized identity

The term “decentralized identity” (DID) is used interchangeably with self-sovereign identity (SSI). DID enables trusted data exchange based on a trust framework for identity management. The aim is to give people official proof of identity and complete ownership and control over their private data in a secure and user-friendly way.

A verifiable identity or credentials are often needed for citizens to access essential services such as public authority services, banking, healthcare, and education. According to World Bank data, 1 billion people still do not have official proof of identity. That limits people's freedom.

Traditional centralized identity management systems are insecure and fragmented. Users' data is at risk of theft or can be misused by third parties. Personally identifiable information (PII) is a set of information about a particular individual that directly or indirectly identifies them. It is usually a combination of name, age, address, biometrics, citizenship, employment, credit card accounts, credit history, etc. When using traditional (centralized) forms of digital identity, PII is stored and managed by third parties. Users have limited control over their identity and PII. Moreover, they are often not aware of the value of this information.

The Lace wallet allows users to maintain full control over their personal data and decide with whom, and to what extent, to share it when verification is needed. Data can be shared selectively: you can prove your age and nationality without sharing your name and address. Data cannot be shared without the user's permission.
Users' data will be stored in a decentralized way, in users' wallets, so there is no risk of a large-scale data breach.

A decentralized identity has three pillars:

Blockchain: Cardano is used as a decentralized database that is available everywhere in the world 24/7 and is unstoppable. Cardano ensures the immutability of records and resistance to hackers.

Verifiable Credentials (VCs): VCs are tamper-proof, cryptographically secured and verified credentials that people can present to organizations that need them for verification. They can be licenses, passports, proof of bank account ownership, an active employment contract, and other digital credentials or documents. They can represent the same information that is found in the common paper equivalents.

Decentralized Identifiers (DIDs): Cryptographically verifiable identifiers created by the user, owned by the user, and independent of any centralized third party such as a registry, identity provider, or certification authority. A DID can refer to any subject: a person, organization, data model, abstract entity, etc. DIDs contain no personally identifiable information (PII).

A DID is a unique identifier, similar in role to an email address or a phone number; the W3C standard defines its form. A DID is a simple text string. A private and public key pair is generated when the DID is created. Ownership of the private key provides sovereignty over one's identity and data. The key property of a DID is that its owner can cryptographically prove ownership of the identity by demonstrating the ability to use the corresponding private key. The private key is used for encrypting user data and for establishing encrypted communication channels. Data related to a DID is held in the form of verifiable credentials. Multiple verifiable credentials can be associated with one DID, just as one person has an ID card, a driver's license, an employer's building access card, etc.
A verifiable credential consists of three components: credential metadata, claims, and proofs. Credential metadata is data about the credential itself, such as its identifier, the identity of the issuer, the expiry date, etc. Metadata may be cryptographically signed with the issuer's private key; in this case, the issuer needs its own DID. Next, a verifiable credential contains claims: a tamper-proof set of statements made about the credential subject, for example someone's status, name, surname, age, nationality, permissions, rights, proof of ownership, job title, etc. Finally, a verifiable credential contains proofs, which allow cryptographic methods to be used to verify things like the source of the data, its authenticity, its consistency, etc.

User data is not stored in the Cardano blockchain but in the Lace wallet. The Lace wallet has all the information that a user needs for authentication and provides the necessary data for the verification of documents (verifiable credentials). The blockchain is only used to store the DID and the DID document. The DID document mainly contains cryptographic material, and it can contain biometric data as additional protection of the information. The public keys must be available for the authentication of users. It is not necessary to perform on-chain transactions during verification. With Lace, users can carry their data with them at any time in encrypted form and use it for authentication and for provision to third parties, who can verify it via the data stored in the blockchain.

How credentials can be issued and verified

Once someone creates a DID, they can receive verifiable credentials from a third party (the issuer). The owner of the DID receives documents (verifiable credentials) that can be submitted to another third party (the verifier) for verification. Let's define the roles:

Holder: A user that has created a DID via a wallet. The holder can receive and store verifiable credentials.
Issuer: An organization that has created a DID so that it can issue verifiable credentials. It signs a verifiable credential with its private key and issues it to the holder.

Verifier: A party that checks the credentials provided by the holder. It can read the issuer's public DID. The DID is included in the credential and is stored on the blockchain. It is used to verify whether the verifiable credential the holder shared was signed by the issuer's DID. For example, it can be verified that an ID was really issued by the government.

In the image above you can see how the holder obtains verifiable credentials from the issuer. The holder must first be authenticated through the private key. Thus the issuer can be sure that it gives the verifiable credentials to the holder who is actually supposed to receive them, and not to anyone else. During authentication, biometric data can be used if it is available in the DID document. Verifiable credentials contain the DID of the issuer (metadata) and the method of verification (proofs), so verifiers will know how to verify the issued document. The issuer can be an office issuing an ID card, a bank issuing access to its services, a university issuing a diploma, etc.

A digital signature is irrefutable cryptographic proof that the credentials have been issued by the issuer. This proof can be easily verified by anyone without having to communicate with the issuer. The information available in the Cardano blockchain, namely the DID and the corresponding public key, is sufficient for verification. Verification is fast, easy, 100% provable, available at any time, and essentially free.

In the picture above you can see the process by which the verifier checks verifiable credentials. Again, the holder must be authenticated by verification of the DID's signature, and biometric data can be used. The authenticity of the submitted verifiable credentials is verified through the digital signature of the issuer.
The public key of the issuer is available in the Cardano blockchain. The verification process ensures that the verifiable credentials have not been modified.

Benefits of decentralized identifiers

The described system has many advantages over a centralized solution. Users create their own identities and do not need a third party to do so. This is advantageous for people who have no identity. The DID can be used to allow an employer to issue a certificate of employment. This confirmation may be sufficient for the DID holder to gain access to other services. For example, a bank will not provide services to someone who has no identity. However, if the DID holder has an employment certificate from a reputable company, the bank could provide its services to the client. The user can prove their transaction history, which can be useful for various reputation systems.

Users manage their own private data. They can monetize it and don't have to worry about a third party misusing it without permission. As long as the data is not stored centrally, there is no risk of theft. If companies are afraid to hold on to user data because of the risk of theft and subsequent penalties, they can use DID.

Note that cryptography makes it very difficult to cheat. No one is able to create a fake document. If a document was not cryptographically signed by the owner of the DID, it would be easy to detect that it is a fake. If a fake document were found to exist, it would mean that someone had misused the private key, and the pool of people who could do that would be relatively small. It's hard to steal user data. As long as the user guards the private key well, their data is perfectly safe. All communication is through encrypted channels via keys that are generated and owned by the users themselves. Document verification is very easy and fast.
Just as any blockchain node can verify the validity of a transaction, it is just as easy to verify the authenticity of users (DID holders) and any documents they submit. All the necessary information is available in the blockchain. There is no need for the verifier to contact the issuer and ask for any information regarding the authentication of documents. Trust is immediately established between third parties. Issuers and verifiers do not need to know and trust each other; they just need to trust the cryptography. If an issuer issues and signs a document with their private key, everyone in the world can easily verify it. The only thing that needs to be verified by the verifiers is the DID of the issuer stored in the blockchain, which is a one-time action. For example, once two governments share their DIDs with each other, they can check the IDs and passports of both their own and foreign citizens.

The big advantage for users is that they have all their documents together in one place, available at basically any time, not only in their own country but also abroad. Users themselves are responsible for creating backups and protecting their private keys. The processes are very similar to what you need to do when creating any blockchain wallet.

A regular user will use DID through Lace or another blockchain wallet and won't even know that Atala PRISM is running in the background. The wallet will allow users to create a DID, obtain verifiable credentials, and share them with verifiers. Issuers and verifiers will also use Atala PRISM. This platform will allow them to easily issue and verify verifiable credentials. PRISM is compliant with the W3C identity management standard. The platform can cost-effectively onboard millions of users since it implements a novel batching mechanism to reduce public blockchain fees.
The Cardano blockchain allows everyone in the network to have the same source of truth about which credentials are valid and who authenticated the validity of the data inside the credentials. People often mistakenly believe that all user data is stored on the blockchain. There is not enough space on the blockchain for that. Users basically only need to store their DID and public keys in the blockchain. The verifiable credentials that contain personal details are securely stored in a wallet. From the verifier's point of view, it doesn't matter where the data to be verified comes from. What matters is authentication. For this, the public keys that fall under a specific DID stored in the blockchain are sufficient.

Conclusion

The decentralized identity space is still in its infancy, but it is obvious that it has the potential to change existing identity management for the better. A decentralized solution is relatively simple, seamless, beneficial for users and third parties, easier for issuing and verifying documents, tamper-proof, and more reliable than traditional digital identity. The world is moving further toward Web3, and DID is a key player. New applications and services will be built on DIDs. Users will take back control of their data. At the moment, DID mainly needs adoption by IT companies and governments. Adoption is slow, and it may take a few more years before the new W3C standard is fully adopted. The government of Ethiopia has decided to use Atala PRISM to create identities for students and teachers. If this pilot program succeeds, all citizens of Ethiopia will have a DID. This would be a huge success for Cardano, and adoption in other countries would likely follow.

Decentralization and DeFi enthusiasts will use DID as it will make it easier for them to use services. One of the big barriers to using blockchain technology is the need to copy blockchain addresses. A mistake usually means the loss of the assets being sent.
This problem can be solved in other ways, for example through NFTs that allow the routing of payments towards the holder of the token representing the identity. DID is a much more powerful solution and will allow the trusted issuance and authentication of documents.

In a broader context, DID is another important step in decentralization. Non-state decentralized money will not free us from dependence on the state, as identity is the cornerstone of our society. This is especially true in the world of the internet, where people communicate remotely and may never have met before. If two people are to trust each other, they must rely on identity. DID is a key technology for establishing trust in an Internet environment. Creating decentralized financial services will be much easier with DID. In the beginning, proof of identity will be issued by states, but in principle, anyone can do it. A group of users can agree on a system that allows them to use their identity in a trusted way. This is a big step forward.