Interview with Phil Windley, Chair of the Sovrin Board of Trustees
By Daniel Dal Bello, Director
December 22, 2019 – 16 min read
Phil Windley is an author and academic, founder of the Internet Identity Workshop, passionate tech educator, and Chair of the Sovrin Board of Trustees. The Sovrin Foundation have been continuing to grow and develop throughout the year, as new Stewards (organizations that will operate Sovrin nodes) are added and initiatives like the Compliance and Payments Task Force are announced.
In this post we share a conversation about self-sovereign identity, the current state of the Sovrin Network, and recent progress by the organization toward their goal of creating a global public utility for identity.
Daniel Dal Bello—Sovrin is being built to serve as a global public utility for self-sovereign identity. I think the best way to understand what that means is to start with the problem, and talk about why digital identity has been so difficult to solve.
We can make the case that the internet was built without an identity layer, and that has resulted in the messy situation of one-off identity systems for almost every website, service and product we use in our daily lives. Hundreds of username and password combinations, and importantly a lot of inefficiency, lost time and sacrificed privacy as a cost.
Can you explain what your definition of a metasystem is, and why creating an identity metasystem is the solution for the missing identity layer of the internet?
How does an identity metasystem solve the issues of friction and privacy currently existing in online identity?
Phil Windley—Digital identity suffers from several specific problems that make it different from how identity works in the physical world. First is proximity. Online, you can’t count on being near the other party. Consequently, none of our normal faculties for identifying someone or something can be used. Second is autonomy. In the physical world, we’re naturally decentralized and autonomous actors. Online, traditionally, we’ve been a part of someone else’s administrative system, built for their purpose. Third is privacy. The physical world has natural barriers and frictions that protect our privacy. Those are not available to us online. Lastly, identity in the physical world is quite flexible. There are any number of ways we use to determine whether to trust someone else in any given situation. Online, we’ve had just one: usernames and passwords. And those are often insufficient or, alternatively, overkill for the task at hand.
Solving these problems requires building something more abstract and general than the one-off, context-specific identity systems of the past. The internet is a monument to abstraction and generality. Rather than being a communications system like the telephone, the internet is a communications metasystem. That is, the internet is a system for building communications systems. Every new protocol changes the kinds of messages that the internet can communicate and thus changes its nature.
Similarly, an identity layer for the internet must be a metasystem that provides the building blocks and protocols necessary for others to build identity systems that meet the needs of any specific context or domain. An identity metasystem is a prerequisite for an online world where identity is as natural as it is in the physical world. An identity metasystem can remove the friction, decrease cognitive overload, and make online interactions more private and secure.
An identity metasystem is based on encapsulating protocols, creating an ecosystem. The metasystem has a consistent user experience despite employing a variety of tools from different vendors. The metasystem is flexible, allowing it to be used in a wide variety of situations. Finally, the metasystem provides for autonomy and privacy in its architecture and implementation.
This is not a plan or dream. Such a system exists today as the Sovrin Network, an identity metasystem for the internet.
The metasystem architecture has three primary features that allow it to be used as the basis for any context-specific identity system that is needed:
Relationships—the architecture must allow people, organizations, and things to have relationships with each other.
Messaging—the architecture must support messaging between the parties to those relationships.
Trustworthy Attribute Exchange—parties to relationships must be able to reliably exchange information about attributes (often called claims by identity professionals).
The architecture for the identity metasystem supplies these features using layers that build on each other as depicted below.
Relationships are created using a system of peer-to-peer agents in Layer 2. These agents exchange decentralized identifiers (DIDs) to create a relationship. Because DIDs are cryptographic artifacts tied to public-private key pairs, this exchange provides the agents with the means to perform mutual authentication and create an encrypted channel. Agents use a messaging protocol called DIDComm to exchange messages.
DIDs exist in two forms, public and peer, which correspond to Kim Cameron’s “omnidirectional” and “unidirectional” identifiers in the law on Directed Identity. Public DIDs can be universally resolved to reveal the public key and service endpoint of the owner. Peer DIDs are exchanged between parties to create relationships.
Agents exchange attributes over the channel created in Layer 2 using a flexible, decentralized system of credential exchange illustrated at Layer 3 in Figure 1. In credential exchange, there are three parties: the credential issuer, the credential holder (sometimes called the identity owner), and the credential verifier (also known as the relying party).
A credential is a collection of claims (i.e. attributes) that is signed by the issuer and held by the identity owner. Credentials conform to the Verifiable Credential specification. While the word “credential” conjures images of formal documents, almost anything that can be represented in JSON can be attested using a credential. So, while things like passports and driver’s licenses fit this bill, so do things like membership cards, boarding passes, school report cards, invoices, purchase orders, and store receipts.
To see how credential exchange works, suppose Alice (the identity owner) is applying for a loan at her local bank (the credential verifier). The bank requires proof that Alice is employed and makes at least $70,000 per year. As shown below, Alice’s employer (the credential issuer) has issued an employment credential that includes her employment status and her current salary. It might also include many other attributes related to Alice’s job. Alice holds the employment credential and can present it to prove to the bank that she is employed and makes more than $70,000.
When Alice proves her employment status to the bank, she doesn’t present the entire credential since doing so would reveal more information than is necessary. Instead, Alice presents just the information the bank needs using a cryptographic technique known as “zero knowledge proof.” The ability to limit the information presented from a credential is important to maintain privacy through the principle of minimal disclosure.
The identity metasystem (orange box in the preceding figure) provides assurances about the fidelity of the credential: the identifier of the issuer and that the credential was issued to the holder who is presenting it, hasn’t been tampered with, and hasn’t been revoked.
The verifier is also concerned with the credential’s provenance: who issued it (not just their identifier) and on what authority they issued it under? Provenance depends on the design of the context-specific identity system (blue box). The verifier may ascertain the provenance of the credential in any way that satisfies them. In some cases, they may know about the issuer directly (e.g. many banks would know about local employers). In other cases, they may rely on things the business can prove about itself (e.g. I can determine if a business is a legally registered entity and other information from credentials they can present such as a business registration credential). Still further, the business may be part of a larger, formal organization that governs how they operate (e.g. an accredited university or a regulated bank).
The fidelity provided by the identity metasystem, combined with the credential provenance provided by the context-specific identity system operating on top of it, provides the basis for trusting the information that the holder has conveyed through credential exchange.
Daniel Dal Bello—How would you simply describe the concept of self-sovereign identity as opposed to the regular notion of identity that we already hold? What are the requirements that must be met for a self-sovereign identity system to succeed?
Phil Windley—As I mentioned, one of the core features of the identity metasystem is that it provides for autonomy and privacy. In a credential exchange, there are three players: credential issuers, credential holders, and credential verifiers. Any person or organization can play any or all of the roles.
- Credential issuers determine what credentials to issue, what the credential means, and how they’ll validate the information they put in the credential.
- Credential holders determine what credentials they need and which they’ll employ in workflows to prove things about themselves.
- Credential verifiers determine what credentials to accept and who to trust.
Because of these features, credential exchange is decentralized. In contrast, traditional identity systems have a single identity provider (IdP) who administers an identity system for their own purposes, determines what attributes are important, and decides which partners can participate.
On the Sovrin Network, a particular credential is not intrinsically true. Rather each verifier determines who and what they will trust by relying on the attestations of other parties. Thus, truth is established through a preponderance of evidence. How much evidence is needed for a situation depends on the risk, something the verifier determines independently.
Self-sovereign identity (SSI) means the individual or organization controls and manages their identity. SSI implies the individual is able to control the credentials and use them in a privacy-preserving manner whenever and wherever they want. Privacy is a critical feature of SSI because without privacy, there is no control. In SSI, people must be able to control who sees what, and that means that privacy is a fundamental property of the architecture for SSI.
SSI also implies that the parties to the credential transaction behave as peers. In traditional identity systems, the rights of the so-called “identity subject” are subordinate to those of the identity provider. In SSI, every player independently determines the role they’ll play, who they trust, and what they will believe. As we’ve seen, in SSI, an identity owner holds credentials from multiple providers and can use them wherever she wants. While these credentials can be revoked individually, the identity owner still controls her own identity wallet and all the other credentials she has collected.
Craig Burton said:
“It’s about choice: freedom of choice vs. prescribed options.
Leadership shifts. Policies expire. Companies fail. Systems decay.
Give me the freedom of choice to minimize these hazards.”
SSI is an insurance policy against all these ills.
Daniel Dal Bello—The Sovrin ledger has been purpose built for identity and to serve as the decentralized cornerstone of this identity metasystem that we’ve talked about. Sovrin will provide the foundation and materials for organizations and other entities to build identity systems to suit any specific identity need or context.
In order to create this utility and metasystem, and as mentioned in the Sovrin whitepaper, this system will need to operate like the internet. It needs to be based on open protocols and standards.
The network has been launched in mid-2017 based on the Hyperledger Indy code, can you tell us about that relationship?
Phil Windley—People often ask me how Sovrin relates to Evernym or Hyperledger Indy. It can be confusing, so I created a diagram that seems to help.
First a few definitions:
Sovrin Foundation—The Sovrin Foundation is an international nonprofit organization supporting self-sovereign identity through a global, decentralized network. I’ve discussed the Foundation, its mission, and organization at some length in a previous blog post.
Evernym, Inc.—Evernym is a commercial software vendor that developed the initial technology for Sovrin and continues to be a large contributor to the open source code that Sovrin is based on.
Hyperledger Indy—Indy is one of the open source code projects in Hyperledger, an open source code effort sponsored by the Linux Foundation.
Sovrin Community—The community is the heart of what makes Sovrin work and comprises identity owners, developers, Stewards, businesses, and other organizations, all in multiple roles and with varied interests.
The preceding diagram shows the relationships between these and other organizations:
- Sovrin Foundation is the sponsor of the Hyperledger Indy open source project. The Sovrin Network runs code from Indy.
- Evernym and other organizations build products that run on the Sovrin Network. For example, Evernym is building the Connect.me wallet for use with Sovrin and a commercial enterprise-grade verifiable credentialing system called Verity. The Government of British Columbia is building software to use Sovrin credentials for business licensing. These commercial organizations also provide services, like agencies, to the Sovrin Community. Developers at these organizations contribute code to Hyperledger Indy.
- Hyperledger Indy houses the open source code for the Sovrin Network and provides collaboration services for Sovrin, Evernym, and others working on Indy code. Indy relies on volunteer contributions from the Sovrin Community.
- The Sovrin Community supports and is supported by the Foundation, contributes to Indy, and provides services to or uses services from the various software vendors and agencies.
Even though Sovrin is only a few years old, this ecosystem is making great progress toward making self-sovereign identity a reality. Here are a few accomplishments from just the last year:
- There are multiple vendors of credential wallets that work on the Sovrin Network, giving people and organizations choice.
- There are many organizations that see helping companies issue credentials as their business model.
- The Sovrin Network now boasts Stewards on every continent except Antarctica. There are over 75 Stewards representing organizations large and small from around the world.
- The Sovrin Network is running code contributed by over 250 developers from around the world. These developers have made tens of thousands of contributions to the open source code over the last few years.
- The Sovrin Governance Framework has undergone a major overhaul and represents the very best thinking from contributors around the globe in how a self-sovereign identity network should be governed.
- Dozens of organizations from around the world are conducting pilots or proofs of concept to explore how Sovrin can help them better serve and connect to their customers.
All of this adds up to an extraordinary, vital ecosystem dedicated to promoting self-sovereign identity, defining the processes, protocols, and specifications to make it happen, and building a network that makes it a reality.
Daniel Dal Bello—For a practical perspective on the concepts we’ve discussed, can you give us a relatable real-world use case for the Sovrin Network?
Phil Windley—Manreet Nijjar and Henry Goodier became doctors to provide critical care and give support to individuals in need – from cancer diagnoses to life saving operations. They believe the best care is given when trust exists between two entities such as a patient and a healthcare professional; a physician and a hospital; or healthcare organizations. That trust is, in part, fostered by strict regulations; for example, doctors are required to be certified and accredited by multiple organizations. However, current regulatory mandates are upheld by repetitive, inefficient, and time-consuming manual processes, creating large administrative burdens for over-stretched doctors and HR staff.
Nijjar and Goodier recognized this challenge and created Truu, a secure, portable digital identity for doctors and healthcare professionals. Using Sovrin’s distributed ledger technology and W3C verifiable credentials, Truu modernizes the way medical services verify staff identities, qualifications, and certifications, which in turn enables healthcare professionals to spend more time caring for patients.
Based in London, England, Truu collaborates closely with UK governmental and regulatory bodies such as the National Health System (NHS) to provide a digital identity system that meets current and future standards.
Truu has developed a domain specific governance framework that allows individual doctors to hold and control their own identity and credentials. The first step is the real-world identity to digital identity interface. Users simply take their physical documents, such as a passport, to a verifier, like the Post Office or a hospital. These documents are then checked to high level of assurance using biometrics and then translated into a signed, digital credential which is sent to the Truu mobile device app. This step acts as the trust anchor that other organizations can have confidence in easily, quickly and remotely accessing. Organizations such as university medical schools and medical licensing authorities can now directly issue native digital credentials to the doctor to store on their portable device. Digital credentials provide doctors and other healthcare professionals a secure, reliable form of verifiable identity that can be used throughout their careers, no matter where they are employed. In turn, organizations can hire and work with doctors knowing there has been a trusted, assured system of verifying their credentials.
A key challenge for healthcare professionals right now is the time intensive nature of identity verification and credential compliance. Can you describe the overall impact and why the problem is so critical to solve?
It’s estimated that in the UK alone, doctors in training (60,000 in total) spend one-to-two days annually on ID and compliance checks, which equates to 500,000 patient encounters that are lost to these administrative duties. This doesn’t even account for the remaining 220,000 doctors (not in training) who must also undergo periodical ID and credentials checks.
A platform like Truu promises to significantly reduce the administrative burden for HR admin staff, which saves both time and money. Truu provides a higher level of assurance and standardization for ID and certification checks by reducing the subjectivity of manual physical checks. This increases trust, reduces costs and allows administrative staff to focus on vital tasks such as the health and wellbeing of their staff.
Truu chose the Sovrin Network because it prioritizes privacy, security, personal control and revocation top in solving identity problems. Doctors must go through regulation and verification from multiple organizations each of which provides its own form of credentials. Truu needed a solution that could help facilitate these checks and scale as the number of credentials given to any one doctor increases.
A distributed ledger and blockchain technology like Sovrin encourages trust between different organizations by providing a standardization for schemas and credential definition, supported by a domain specific governance framework built on the Sovrin Governance Framework.
Sovrin has also been a leader in developing open, decentralized identity standards that facilitates future interoperability with other ledgers and technologies and means there is no vendor lock in.
The ultimate goal of Truu is to empower doctors. Truu increases confidence for both patients and the medical community by providing a guarantee that a professional is fit to give the care they are providing. Portable, digital, and live identity checks can highlight any concerns about an individual or identify any necessary workplace adjustments.
Truu also reduces major administrative burdens for doctors which allows them to devote more time to giving the best care possible to patients. The doctor/patient relationship is one of the most trusted relationships an individual will have outside of their partner or family members. By increasing the level of assurance above the current processes, Truu helps reduce the chance of fraud when employing doctors and increases trust throughout the healthcare ecosystem.
Creating systems that include verifiable digital identity will not only raise standards for patient care but will help instill trust in future models of care such as remote telehealth systems and peer-to-peer communication between doctors, other healthcare professionals, organizations, and patients. Truu ultimately believe smarter identities will lead to simpler relationships and therefore better care.
The internet is missing a layer for secure identity. Unlike in the physical world where governments and organizations issue identification cards, certificates, and papers directly to identity holders that remain under their own personal control, there is no simple way to verify that you are who you say you are or what you claim to be on the internet. Truu is a perfect example of an identity problem that when solved, can bring positive change to countless lives.
Daniel Dal Bello—How does Sovrin utilize zero-knowledge proofs and selective disclosure to address privacy?
Phil Windley—Zero knowledge proofs (ZKPs) are cryptographic techniques that allow users to share information without relinquishing their security and privacy. ZKPs use cryptography to prove a statement from party A (known as a prover) to party B (known as a verifier) without revealing anything else.
Zero knowledge proofs must have three properties to be usable:
- Completeness: If the statement is true, the verifier believes the result of the proof.
- Soundness: If the statement is false, the prover is unable to create a false proof to fool a verifier into thinking that it is true.
- Zero-knowledgeness: The verifier does not learn any other information about the prover other than what is in the proof.
A classic example is date of birth. Driver’s licenses/ID cards are often the primary means of proving age. However, this type of ID also contains other valuable, private information (such as a person’s home address) that is frequently used in identity theft. Selective disclosure uses ZKPs to turn (for example) a digital copy of a driver’s license into an abstract proof of itself. It’s as if you’re creating a carbon copy of your driver’s license that is every bit as reliable and conveys the same personal identifiable information as the real thing; but, based on who is asking, you control what information actually appears to them on that particular copy.
Using something as simple as a mobile app, you could create a ZKP for each situation where you need to prove your age. ZKP allows you to quickly, easily, and securely verify you are over 18, (or 21 or 65) without actually having to share your specific date of birth.
As we’ve discussed, companies using the Sovrin Network can issue credentials that identity holders keep in the digital wallet of their choice. Pieces of personal information on that credential, such as an address or social security number, are called “attributes.” ZKPs are created using these attributes. Using the Sovrin Network, identity holders create ZKPs to prove one or more of the following things about their attributes.
- Equality: if the attribute is equal to the value or an identity holder can just reveal the attribute itself in the proof.
Example: [Are you employed?] = Sovrin ZKP: [Yes] or [Employer: IBM]
- Inequality: if an attribute lies in a specific range without revealing the actual value. This is helpful when dealing with something that has a numerical attribute, like age or money.
Example: [Are you over 21] = Sovrin ZKP: [Age >= 21]
- Set Membership: ZKPs can prove if a value is contained in a set without revealing with value.
Example: Do you live in Europe? = Sovrin ZKP: [Country of residence is: a European country] or [Country of residence is: not in a European country]
Daniel Dal Bello—As mentioned previously, the network has already launched and you have over sixty ‘Stewards’ that run nodes on the Sovrin network. These organizations are spread across the globe and include the likes of IBM, Deutsche Telekom AG, and Cisco. What roles do the Stewards play and are the Stewards the only players supporting Sovrin’s goals with the ledger?
Phil Windley—The Sovrin ledger is operated by known validators who are called Stewards. As previously mentioned, there are currently over 75 Sovrin Stewards who are located on six continents around the world. The Sovrin Governance Framework contains the requirements for operating a node and the agreements that the Stewards sign.
The ledger is an instance of Indy Plenum which implements a Redundant Byzantine Fault Tolerance (RBFT) algorithm. The details are important because they are what protects the network from errant or malicious nodes. Plenum is a 3f+1 RBFT system. The implication of this is that an attacker would have to compromise f+1 nodes to stop consensus and write progress and 2f+1 nodes to change what constitutes valid transactions.
So, making the math easy, assume there are 22 Stewards validating transactions on the mainnet. That makes f equal to 7. To stop writes to the ledger, you would have to compromise 8 Stewards. To change a valid transaction, you’d need to compromise 15 Stewards. That means you can’t just hack one Steward to successfully attack the ledger as a whole.
Still, if a hacker took over one node, they could potentially send back bad answers to queries that are different from what’s on the ledger. Clients have several defenses against that. First, clients can send a ledger query to more than one node. Second, and better, clients can ask for a state proof of ledger state. State proofs can be used to check the answers from a node and are signed by 2f+1 nodes. Consequently, answers can have RBFT built in, allowing clients to easily check the validity of the answer.
In any computer system, there are opportunities for security issues. Sovrin employs algorithms, code, and governance to make the ledger as secure as possible and prevent censorship.
Daniel Dal Bello—Recently the Sovrin Foundation announced a new Compliance and Payments Task Force, dedicated to addressing the growing interest from the financial services industry in verifiable credentials and identity solutions.
Can you talk to us about the new framework or ‘Rulebook’ that this task force will be developing, and how important this task force is to the broader global utility goal?
Phil Windley—The Compliance and Payments Task Force is one of four current task forces that have spawned out of the incredible work being done by the Sovrin Governance Framework Working Group (SGFWG). The purpose of the SGFWG is to develop the governance framework for the Sovrin Network as a global public utility for self-sovereign identity. The SGFWG focuses its efforts through different task forces which currently include:
- Guardianship Task Force.
- SSI for IoT (Internet of Things) Task Force.
- The Business of SSI Task Force.
- Compliance and Payments Task Force.
The Compliance and Payments Task Force (CPTF) launched in September of 2019 due to the pressing need of the Sovrin Community to develop a specialized governance framework for digital value exchange that incorporates the same risk and regulatory compliance safeguards for secure payments related to digital assets or blockchain-enabled networks as those required of traditional financial institutions. Since identity is at the core of ensuring comprehensive and disciplined compliance with financial regulations, this governance framework being built by the CPTF will be built on top of the Sovrin Governance Framework to ensure its foundation is based on interoperable self-sovereign identity. Importantly, it is focused on ensuring participants/nodes in the broader Sovrin community—as well as other global blockchain-enabled payment networks—have an understanding and roadmap to apply appropriate AML/KYC and other important compliance protocols to these activities.
The CPTF has started its work by developing the “Rulebook”. The Rulebook was originally based on:
- Governance rules for international payments facilitated by SWIFT, the world’s largest financial messaging service provider.
- Payment rules for the National Automated Clearing House Association (NACHA).
- Global standards for KYC, AML, and CFT set by the Financial Action Task Force (FATF).
Digital payments networks will be able to use the Rulebook to ensure they are in compliance with the global financial industry standards and regulations while delivering a seamless experience for users and a smooth flow of funds for members. The CPTF is lucky to have assembled a global-reaching cadre of industry and regulatory professionals to inform this guidance for application to digital payments, and thereby be an important bridge between traditional and new/emerging digital-payments platforms.
The Sovrin Foundation is a non-profit organization established to administer the Governance Framework governing the Sovrin Network. The Sovrin network is a public service utility enabling self-sovereign identity on the internet. For more information about Sovrin, visit https://sovrin.org.