It’s interesting to always hear from people who are against the Self-Sovereign Identity (SSI) model. I think it’s healthy to discuss the merits of one identity model against another, when the discussion is based in a true understanding. Sadly, that isn’t always the case.
Take the title of this blog post. Yes, people have described SSI as like printing your own money. The prompt for this particular post was an email I received from a colleague, which quoted a discussion panel where someone on the panel proclaimed they are set against SSI, because it’s like printing your own money! Wait what??? Really? Well, no of course it isn’t, but it sounded good right? They got a soundbite out there which then makes people think for a moment. The frustrating part is, these sorts of comments show a real lack of understanding of implementations of SSI.
Now, I don’t believe they meant printing money literally, I expect it is related to the fact that “who created the identity” in the first place. Especially if you are self-attesting claims about yourself. Well this is where there is a lack of understanding.
Verifier trusts the issuer.
Before I go into too much detail, to simply dispel this notion or printing your own money, you simply have to understand the verification process. Verifiers of SSI identities (credentials held by the individual or business) can state which identities and credentials they trust. This means, even if you had 10 companies all issuing you with identity credentials, the verifier may elect to not trust any of those issuers.
However, verifiers will have identities / issuers they do trust. In the verification process, verifiers state which identity credentials are only acceptable, as in those that have been issued by trusted issuers. The identity owner has to present identity information from the acceptable list of issuers, or they fail to identify themselves.
This simple notion of trusting an issuer renders the entire “print your own money” argument dead before we even get into the weeds of issuing, SSI governance and the fact that not all SSI infrastructure is the same…
It’s always best to walk through an example and a graphic. Lets assume I need to prove to a third party, a verifier that I am over the age of 21.
The diagram above captures a verification process, but also the issuing and trust aspect of SSI.
The issuer is ID Crypt Global, and they have issued to my ID Crypt Global Mobile Vault application (on my mobile device) my digital identity. The Identity I have been issued supports Zero Knowledge Proofs (ZKPs) a critical part of digital identity. A ZKP allows me to confirm my age in this example without disclosing my date of birth.
The verifier does not need to know my date of birth, rather they need to verify that I am over the age of 21. The verifier trusts ID Crypt Global (IDC) because it knows / has oversight of how IDC identity credentials are issued. The verifier requests proof that I am over the age of 21. My Mobile Vault app receives that request and generates a ZKP which is based on the identity credential issued to me that the verifier trusts, my IDC credential. The ZKP is then generated and securely shared with the verifier. The verifier cryptographically confirms the authenticity that the data was taken from my issued IDC credential, and therefore can trust the ZKP. The ZKP confirms I am over the age of 21.
This need for an existing trust relationship is why ID Crypt Global provides oversight to verifiers of how identities are verified, generated, and issued. This trust relationship is why SSI cannot ever be seen as printing your own money.
Understanding the SSI infrastructure
There are a few SSI infrastructures out there, and each of them do things in a different fashion. We at ID Crypt Global are a Steward of the Sovrin network, and an active part of the Sovrin Foundation. Sovrin is the worlds largest decentralized blockchain dedicated for digital identity.
Now first off, Sovrin has a strict governance model, so not just anyone can rock up and connect to the blockchain. Stewards operate Sovrin nodes and there are strict governance processes regarding who can write to the blockchain ledger. In addition, there are policies and processes in place regarding who is able to issue digital identity credentials. Issuers have their identities stored on the blockchain so verifiers can select to trust identities issued by them, or more importantly not.
Sure, there are other SSI implementations that lack the governance that Sovrin has, but they still have this area of verifiers trusting the issuer.
If you get a moment, have a quick read of the 12 principles of SSI here. You can also read about the Sovrin Governance framework here.
SSI like printing your own money? Well, no it isn’t like that at all. With a semi decent understanding of SSI verification processes you can see that SSI is nothing like printing your own money. As a final thought on this. Money has value because those that receive it place value in it. Here with identity, it’s only a valued and valid identity if the verifier places value in it – and that like money is based on who issued it. So maybe identity is like money in that respect, and just like money, yes you can print your own, but no one will recognise it as holding any value, and so, it’s not money…