Self-sovereign identity: Data sovereignty in the digital world
Digital identities are the linchpin of life in the online world. Bundesdruckerei is developing secure and trusted infrastructures in order to tap into the potential for digitalization while protecting people’s data and identities.
Omniscient ID providers
There are many different situations in which citizens and organizations provide digital proof of their identity, be it when applying for documents, opening an account or using online services. Users deposit their personal data with a variety of providers and identify themselves each time they log in.
Large ID providers, such as Apple, Facebook or Google, provide a simple access path with single sign-on: After logging in once, users can then access the services of other providers without having to re-enter their data each time. This is convenient, but it also means that the central provider is aware of every transaction the user makes on the network, transforming the central provider into an omniscient party.
IDunion: Guiding principle of self-determined identities
Up to now, no international standard for digital proof of identity has been able to firmly establish itself. To better protect data and privacy, experts around the world are working on trusted identity management infrastructures.
Together with partners from the private sector and research, Bundesdruckerei is providing a holistic system for self-determined identities in the funded IDunion project. Self-sovereign identity networks are based on distributed structures and establish the data sovereignty of users. This funded project covers applications in both the private and public sectors, thus also creating a suitable framework for digital administration, which will receive additional impetus from the Online Access Act. After all, beginning in 2022, public authorities in Germany will be obliged to provide their services online and offer citizens a uniform user account for this purpose.
Self-sovereign identity (SSI): Data sovereignty in a decentralized system
The aim of the SSI ecosystem is to exchange digital ID credentials in a secure and data-thrifty way. Interaction between the issuer, holder and verifying body is designed in such a way that the user always remains in control. “Any disclosure of identity data requires the user’s active consent,” explains Micha Kraus from Bundesdruckerei GmbH's Innovation Team. The system is based on distributed ledger technology, which is similar to a blockchain and relies on several independent nodes. IDunion plans to found a European cooperative to operate the network. This cooperative is also open to other partners.
In the SSI model, each user has their own personal digital ‘wallet’. This is where the user stores and manages their ID documents, for instance, ID card and driving licence, credit card and rail card, etc. All these identities were first checked and electronically signed by the respective issuers, such as the registration office or bank. If the user wants to check in to a hotel, they disclose selected ID data to the receptionist. To verify this information, the hotel receptionist accesses the decentralized network, where only the data needed for verification is stored rather than the hotel guest’s actual documents. Using a cryptographic signature, the receptionist can verify the data. The registration office is not contacted in this case and does not know where the user is currently on holiday; private matters remain private.
Multilateral relationship of trust
When implementing the SSI system, it is essential to provide each individual relationship between the parties involved with secure trust mechanisms – for instance, an online shop wants to be able to rely on the fact that the bank is actually behind a credit card. And users want to disclose their data exclusively to the right addressee and not to a fake shop. The wallet must also be protected against manipulation and misuse. Bundesdruckerei is using its expertise in data protection and high security to develop these trust mechanisms.
The funded IDunion project
The aim of the IDunion consortium is to establish a decentralized, trusted ecosystem for self‑determined identities. It builds on the results of previous projects, such as Lissi (Let's initiate self-sovereign identity) and SSI4DE.
Under its original name ‘Self-Sovereign Identity for Germany’ (SSI4DE), the project emerged victorious from the innovation competition ‘Schaufenster Sichere Digitale Identitäten’ (Showcase on Secure Digital Identities) launched by the Federal Ministry for Economic Affairs and Climate Action. Now, the ecosystem for self-determined identities is to be implemented.
The project kicked off in April 2021 and will run for three years.
A special feature of IDunion is the broad participation by sovereign, private‑sector and other non‑government stakeholders. This enables the network to build a bridge between the application scenarios of different sectors. The partners are:
- Main Incubator GmbH (Commerzbank-Gruppe)
- Technische Universität Berlin, Service-centric Networking and Centre for Campus Management
- Bundesdruckerei GmbH
- esatus AG – IT
- Robert Bosch GmbH
- Stadt Köln
- ING-DiBa AG
- DB Systel GmbH (Deutsche Bahn AG)
- Bank-Verlag GmbH
- Siemens AG
- GS1 Germany GmbH
- YES Payment Services GmbH (yes)
- Spherity GmbH
- Westfälische Hochschule, Institut für Internet-Sicherheit – if(is)
- Deutsche Telekom AG (DTAG)
- Telekom Innovation Laboratories
In 2021, the consortium plans to set up a European Cooperative Society (Societas Cooperativa Europaea, SCE). The task of this cooperative is to operate and continue developing the network and also to expand cooperation through new partners.
The initiative stands for the implementation of the highest European data protection standards – especially eIDAS and the GDPR – and goes a long way towards securing Europe’s digital sovereignty.
The public verification infrastructure (Verifiable Data Registry) is the connecting element of the SSI structure. It does not contain the user data itself, but only data necessary for administration and data verification. The verification infrastructure consists of several nodes, similar to a blockchain. These nodes are operated by several independent instances and coordinate with each other via consensus protocols. The individual partners of IDunion are at the same time the operators of a node. The decentralized structure of the system reduces the risk of misuse and increases reliability.
The data schema defines the structure of the data to be checked for each type of ID verification, just like the boxes in a form. Using private and public keys, data can be signed by the owner and checked for authenticity by the verifying counterparty. Anonymous blocking information is an important component for revocation of issued credentials.
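The issuer, wallet and verifier roles and the registry described above, shown as an added example that is not IDunion or Bundesdruckerei code: the registry holds only the schema, the issuer's public key and revocation data, and the verifier checks a selectively disclosed attribute without contacting the issuer. It substitutes salted-hash commitments under an Ed25519 signature for whatever credential format the project uses, and a plain set of revoked credential ids for the anonymous blocking information; all function names and sample values are hypothetical.

```javascript
// Added illustration: hypothetical names, constructed data, not IDunion code.
const nodeCrypto = require('node:crypto');
const commit = (name, salt, value) => nodeCrypto.createHash('sha256')
  .update(JSON.stringify([name, salt, value])).digest('hex');

// Registry: schema, issuer public key and revocation list. No user data.
function createRegistry(schema, issuerPublicKey) {
  return { schema, issuerPublicKey, revoked: new Set() };
}

// Issuer: commit to every schema attribute with a salted hash, sign the digests.
function issueCredential(registry, issuerPrivateKey, id, attributes) {
  const salted = {};
  for (const name of registry.schema) {
    if (!(name in attributes)) throw new Error(`schema requires ${name}`);
    const salt = nodeCrypto.randomBytes(16).toString('hex');
    salted[name] = { salt, value: attributes[name] };
  }
  const digests = registry.schema.map(
    (n) => commit(n, salted[n].salt, salted[n].value));
  const payload = JSON.stringify({ id, digests });
  const signature = nodeCrypto.sign(null, Buffer.from(payload), issuerPrivateKey);
  return { payload, signature: signature.toString('base64'), salted };
}

// Holder (wallet): reveal salt and value only for the attributes consented to.
function present(credential, names) {
  const disclosed = names.map((name) => ({ name, ...credential.salted[name] }));
  return { payload: credential.payload, signature: credential.signature, disclosed };
}

// Verifier: reads the registry only; the issuer is never contacted.
function verifyPresentation(registry, p) {
  const sig = Buffer.from(p.signature, 'base64');
  if (!nodeCrypto.verify(null, Buffer.from(p.payload), registry.issuerPublicKey, sig)) {
    return { valid: false, reason: 'bad issuer signature' };
  }
  const { id, digests } = JSON.parse(p.payload);
  if (registry.revoked.has(id)) return { valid: false, reason: 'revoked' };
  const claims = {};
  for (const { name, salt, value } of p.disclosed) {
    if (!digests.includes(commit(name, salt, value))) {
      return { valid: false, reason: `attribute does not match: ${name}` };
    }
    claims[name] = value;
  }
  return { valid: true, claims };
}
```

To try it, create an issuer key pair with `nodeCrypto.generateKeyPairSync('ed25519')`, issue a credential and present a subset of its attributes. The fixed credential id and signature in this sketch let cooperating verifiers link presentations, which is the kind of correlation anonymous blocking information is meant to avoid.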
The IDunion consortium is working on more than 30 use cases – including applications in education and eGovernment, finance, industry, eCommerce, mobility and eHealth.
IDunion relies on open source applications and pursues the goal of interoperability by looking to the standards of the World Wide Web Consortium (W3C), the Decentralised Identity Foundation (DIF) and the Trust over IP Foundation (ToIP). The know-how generated in the project is also to be incorporated into international standardization processes.
Data sovereignty: Users at the heart of the systems
Bundesdruckerei has a host of other projects dedicated to research and development in future-oriented systems for digital identities.
In the ONCE project funded by the Federal Ministry for Economic Affairs and Energy, Bundesdruckerei GmbH is working with partners to explore and implement diverse scenarios for mobile services. The focus is on administration, mobility and the hospitality industry.
This project is based on the technological platform developed in the OPTIMOS project. Using the specially protected ‘Secure Element’ in smartphones, sovereign documents can be securely stored on a smartphone. The Trusted Service Manager serves as the mobile ID background system and is operated by a trusted institution.
As a novel alternative in terms of data sovereignty, Bundesdruckerei GmbH is exploring the concept of digital authorisation chains. In the ‘FIDES’ innovation project, we are developing a radically new concept of identity and rights management that places control over data in the hands of the responsible users. In the FIDES model, citizens can securely manage their data from different spheres of life in their personal life‑chain. Be it an ID card or Word file, university diploma or insurance contract, the user is linked to each document as a unique rights holder. Only the user can grant or revoke authorization to read or edit. The user also has an overview of the further history of granted authorization. This means that the user can control where their data is circulated.
Central components of FIDES are identity management, secure storage of documents and smart authorization management. The Cortex database, which searches through millions of data in a matter of seconds, is used here. In several pilot projects, among others with Südtiroler Informatik AG, we are testing the implementation of the FIDES technology.
Reduce complexity: Improve security in everyday user life
For identity and rights management, Bundesdruckerei is developing new design approaches to make complex systems understandable for users and fit seamlessly into everyday life. After all, user-friendliness is not least a security factor that must be taken seriously.