On metasystems and digital identities

The Internet was never designed for people. The goal was to connect computers. A proxy server connects the user’s computer to the Internet as an intermediate station. The Internet itself is a metasystem, a ‘system of systems’: not so much a communication system as a system for building communication systems. Metasystems use protocols, governance, and conventions to enable decentralized interoperability between the systems they comprise. A user is identified through the proxy server, regardless of the access control system that the computer has. If you can get access through a proxy, basically anyone can access the Internet.

Metasystems

The public Internet has a hidden system of governance and permissions that ensures you are always granted access to key resources: an ecosystem of networks between network addresses and servers. However, the network management model is so deeply embedded in the architecture that each vendor, platform, application, and cloud must orchestrate its own identity, which has understandably become a hodgepodge of solutions. A large collection of separate username/password-based identities was needed for every relationship on every site and app, because the Internet was never designed for human use.

If we want a human identity system for the Internet, initially it will also be a metasystem. You need an ‘identity metasystem’ to enable a large ecosystem of collaborative identity systems. The concept of an ‘identity metasystem’ was first described by Kim Cameron in 2005. Cameron: ‘A separate metasystem that protects applications against the internal complexity of the Internet, allowing digital identity to be freely bound’.

With permission or without permission

There are two types of networks: permissioned and permissionless. The world wide web has “permissions”: browsers trust operating systems and applications through certificates and authorizations. Specific names and numbers require permission from IANA. The world wide web is therefore an authoritative system; you must have permission to participate.

If you want to bypass central censorship, ‘permissionless’ networks are the solution, as we see with Bitcoin and Ethereum. Within the network, proof of work is required from a pay-per-use ‘miner’ who must use ‘proven’ computing power to approve transactions. No central authorization is required to access the network. Security within the network is mutually arranged by users.

Metasystem for self-sovereign identities

An interesting article by Phillip J. Windley describes the Sovrin network: a metasystem where identity is as natural as it is in the physical world, where possibly everyone has been given an immutable identity that no one can revoke. After all, you are who you are. That is also necessary digitally: a metasystem for self-sovereign identities, in which a digital identity cannot be revoked by anyone other than the owner of that identity. The Sovrin Foundation was established as a non-profit organization to operate a ‘self-sovereign identity network’. If someone creates a ‘verified’ and ‘verifiable’ digital identity on the Sovrin network, that identity cannot be revoked by anyone.

The data is stored in the Sovrin app on a phone, which also allows zero-knowledge proofs to publish as little information as possible. The network itself is controlled by the consensus of independent nodes that are managed separately. This enables the use of distributed ‘ledger’ technology, better known as blockchain. Sovrin uses a “permissioned blockchain” that provides public access to identity owners, while only known, trusted, and vetted entities can serve as nodes to reach consensus on transactions.

IRMA

In the Netherlands, Radboud University in Nijmegen developed a network comparable to Sovrin under the name IRMA (I Reveal My Attributes). The result is an application that allows citizens to log in on various platforms. IRMA is a solution that meets the criteria of a sovereign identity but, unlike Sovrin, does not use blockchain. Claims are stored in the app on the user’s phone. Certificates are signed and can be ordered online. Like Sovrin, IRMA uses zero-knowledge proofs. With a digital signature from the publisher of the stored information, the user can prove that the claim is valid.
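The signed claims and minimal disclosure described above can be sketched as follows. This is an added example, not IRMA or Sovrin code: it uses salted hashes under an Ed25519 issuer signature as a simpler stand-in for their zero-knowledge proofs, and the function names `issue`, `present`, and `verify` are hypothetical.

```javascript
const nodeCrypto = require('crypto');

// Hash one attribute with a random salt so the digest alone reveals nothing.
const digest = (name, value, salt) =>
  nodeCrypto.createHash('sha256').update(JSON.stringify([salt, name, value])).digest('hex');

// Issuer: sign only the sorted salted digests; values and salts go to the holder.
function issue(attributes, issuerPrivateKey) {
  const salts = {};
  const digests = Object.entries(attributes).map(([name, value]) => {
    salts[name] = nodeCrypto.randomBytes(16).toString('hex');
    return digest(name, value, salts[name]);
  }).sort();
  const signature = nodeCrypto.sign(null, Buffer.from(JSON.stringify(digests)), issuerPrivateKey);
  return { attributes, salts, digests, signature };
}

// Holder (wallet app on the phone): reveal only the requested attribute names.
function present(credential, names) {
  const disclosed = names.map((name) => ({
    name, value: credential.attributes[name], salt: credential.salts[name],
  }));
  return { digests: credential.digests, signature: credential.signature, disclosed };
}

// Verifier: check the issuer signature, then match each disclosed attribute
// against a signed digest. Returns the proven claims, or null on any failure.
function verify(presentation, issuerPublicKey) {
  const { digests, signature, disclosed } = presentation;
  const signed = Buffer.from(JSON.stringify(digests));
  if (!nodeCrypto.verify(null, signed, issuerPublicKey, signature)) return null;
  const claims = {};
  for (const { name, value, salt } of disclosed) {
    if (!digests.includes(digest(name, value, salt))) return null;
    claims[name] = value;
  }
  return claims;
}

// Constructed sample data: the holder proves only "over18", not name or birthdate.
const issuer = nodeCrypto.generateKeyPairSync('ed25519');
const credential = issue(
  { name: 'Alice Example', birthdate: '1990-01-01', over18: true }, issuer.privateKey);
const presentation = present(credential, ['over18']);
console.log(verify(presentation, issuer.publicKey)); // { over18: true }
```

Unlike a zero-knowledge proof, this stand-in shows the same signature at every presentation, so verifiers who compare notes can link them to one credential.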

Like Sovrin, IRMA meets provability and data minimization requirements. However, IRMA lacks an important feature of Sovrin: the ‘persistence’ that blockchain provides. At IRMA, this is centrally organized and remains a single point of failure. Still, IRMA shows that even without the persistence functionality of the blockchain, an almost completely decentralized SSI identity can be built: a digital identity that is many times more secure than the privacy-hostile login mechanisms of normal mainframe systems where user data is centrally stored.

eID of the future

Developments like IRMA and Sovrin show that we are seeing more and more (private) applications of self-sovereign identity. In a growing number of government organizations you can log in with a standardized electronic identity (eID) proof that has been approved by the European Commission. The EU developed the eIDAS framework for cross-border access, and each Member State is developing at least one electronic identity (eID) and digital wallet that works across Europe. The Netherlands intends to make it possible to log in with our national DigiD in other European countries from the second quarter of 2022.

Organizing a truly common digital identity at the European level still seems to be a few (privacy) steps away. The actual SSI must be developed from the bottom up by citizens, starting at one device. Then, as an individual, you remain your own chief privacy officer and keep things closed to others. Everyone must create their own wallet in this way, protected by their own biometric data and additional protections. Only then will everyone trust this development and will we start using digital identities seriously. Unfortunately, this does not exactly fit into the massive plan that the European Commission is now implementing. Therefore, the question is whether a single sovereign European e-Identity is realistic or will ultimately remain a dream.

In the meantime

Starting from the new development of the metaverse, blockchain-based SSI solutions are being developed. At the end of the day, we need to be able to access any environment or application in the most secure way, without sharing additional data that is not necessary. Once we are in a specific online environment, we must have full control over our identity and decide what information we want to share and with whom. Whether privately, as a company, within a government organization, or in the metaverse.

To make this possible, DigiCorp Labs is developing an identity suite of products and tools. The suite is based on trusted infrastructures such as open source blockchain technology and decentralized secure quantum networks to ensure transparency and security, cutting out the middleman and removing dependency on third-party security measures and authorities.

By: Hans Timmerman, Chief Data Officer at DigiCorp Labs and Director of Fortierra
