peers-bounty-hunts/projects/self-sovereign-identity.md

Self-Sovereign Identity Project

Key Requirements

1. Implement a multiplatform mobile app using Apache Cordova or similar that creates a business card for use as a digital identity controlled by the mobile owner, called a self-sovereign identity, or SSI.
2. Store a public/private key-pair for encryption purposes, such as RSA, when communicating with others.
3. Use existing technology for transmission of messages by either email or text messages.
4. Specify a simple, virtual business card schema with typical contact information laid out like a typical physical business card.

Developmental Requirements

1. Use one of the following multiplatform frameworks:
   • Apache Cordova
   • NativeScript
   • For advanced developers, write nigh on everything in C and use the NDK for Android and take advantage of iOS using ObjectiveC, a superset of C.

Why

1. Centralized identities offer a single attack surface for identity thieves to perform large scale breaches of identity theft.
2. SSIs use encryption instead of sensitive, private information.
3. Self-sovereign identity solutions elevate identity assurances for collaborating owners and service providers.
4. SSIs decrease reliance on remote access passwords to access web services.

Stories

1. Users create a digital identity in the form of a business card to exchange with others.
2. Users add a photo or a logo to their virtual business card.
3. Users send/receive their ID and messages via existing technologies.
4. Users follow the typical procedure of signing their message with their own private key and encrypting it with the receiver's public key.

Nice-to-haves

• Extend support for secure-scuttlebutt
• Extend support for blockchainMe
• Extend support for uPort
• Use other existing technologies, such as QR codes, NFC, bluetooth, or some other standardized protocol or service.
• Allow for multiple identities.
• Add a duress mode to spoof the process or send alerts.
• Add other digital identity schema, such as an electronic driver license or virtual student body card.
• Implement a web service that can login a user with an SSI without the need for a password.
• Specify a revocation process for expiring an identity.

Suggestions

• Encapsulate the encryption process into its own module.
• Start with smaller RSA key pairs.
• If using Bluetooth, bootstrap the process with NFC.

FAQ

What is the difference between a digital identity and a self-sovereign identity?

Data structures that specify identifiers, names, or attributes are digital identities. When the user of the digitial identity strongly controls the data, instead of a service provider, the digitial identity is self-soveriegn.

How does this SSI app differ from existing popular apps such as Whatsapp or Signal?

SSI has different goals from Whatsapp/Signal.

Configuration

SSI enables owners to configure and control multiple digital identities that can specify virtually any combination of identifying information of the owner.

Whatsapp/Signal provide a single bare-boned user profile specifying the name, phone number, owner’s photo, etc.

Presenting Identification

SSI owners decide which of several digital identities to present to relying parties which enables them to control what identifying information to reveal.

Whatsapp/Signal do not reveal any identifying information the users did not already know before installing the app. For example, Alice adds her friend Bobby, but they already knew each other's name, cell and photo.

Authentication

SSI plans to integrate authentication mechanisms so owners can strongly bind to their digital identities. A relying party can demand the remote owner re-authenticated to ensure they currently control their device confirming that it has nott been stolen (somebody could steal your Android and scam me).

Whatsapp/Signal can integrate with other authentication services, but only by further centralization in single sign-on or by multifactor authentication.

Trust and Attestation

SSI also plans to give collaborating owners the ability to proof, attest and issue digital identities to each other to elevate identity assurances among peers. Alice might want to communitcate with Charlie, a stranger. But because Bobby is friends with both Alice and Charlie, Alice can use Bobby's attestations to feel secure that Charlie has presented a truthful identity.

Whatsapp/Signal do not have this as a goal, though users can manually do this with simple communication. Note, LinkedIn has similar features to SSI for users to attent to the skills of others in their network.

References

• Are you affected by the recent Target hack?
• The Equifax Data Breach: What to Do
• WeChat Security Concerns
• The Path to Self-Sovereign Identity
• Rebranding the Web of Trust