DID: A New Identity Technology

foreword

With the rapid development of the Metaverse and Web3, Decentralized Identity (DID) has once again become one of the hot topics. Beyond the Metaverse and Web3, DID also has great application potential in digital cities and other fields. But why DID? What value does DID offer compared with traditional identity management solutions? Where are the bottlenecks in its technical development? To answer these questions, Wang Puyu of the Chief Economist Office of Wanxiang Blockchain conducted in-depth research. The full text of the research report follows for your reference.

Author: Wang Puyu, Chief Economist Office of Wanxiang Blockchain

Review: Zou Chuanwei, Chief Economist of Wanxiang Blockchain

In recent years, public attention to the privacy and security of personal data has increased significantly. This article discusses the issue from the perspective of identity management, in four parts: first, what are the problems with traditional identity management solutions? Second, what is DID, and how is it implemented technically? Third, what are the bottlenecks in the development of DID technology? Fourth, what sparks can the combination of blockchain technology and DID technology strike?

Identity management

An identity system consists of three elements: identity, proof of identity, and authentication. We use these three elements to discuss identity management along two dimensions: the physical world and the Internet world.

identity system

  • identity

In the physical world, each person has unique identity characteristics from birth, including appearance, weight, age, skin color, fingerprints, and so on. To describe any individual's identity characteristics quickly, we use a name as a code: it lets everyone quickly recognise a person and call to mind everything about that person at once, and all of this together is called an identity.

There is also an Internet world corresponding to the physical world, and there the concept of identity is completely different. In the Internet world, users can freely set imaginary "identities" according to their own preferences, including name, gender, height, weight, etc., and can even change these "identity characteristics" at any time. Strictly speaking, the identity at this point differs from identity in the traditional sense, because it has neither uniqueness nor certainty.

  • Proof of identity

In the physical world, the system made up of people has grown ever larger, and to make management by centralized institutions easier, identity certificates appeared. A centralized organization issues unique identity certificates based on the identity characteristics of different people, to prove that the subject owns an asset or to declare that it enjoys certain social rights and interests; when the subject interacts with different individuals and organizations, the certificate is used for determining responsibility, tracing disputes and assuring trust. Identity certificates make the characteristics of an identity visible and traceable rather than invisible: government-issued ID cards and passports prove that the subject belongs to a certain country and enjoys certain rights, and a driver's license proves that a certain identity has the skill to drive a vehicle.

Subject identification in the Internet world is completely different from the physical world. In the physical world, the identity certificate is directly related to the identity, that is, the identity certificate can be mapped to the subject himself; but in the original Internet world there was no mapping between identity certificate and identity: different subjects only needed to submit imagined identity characteristics (age, height, name, etc.) when applying for an identity certificate, without these being consistent with their physical-world characteristics, so an Internet identity certificate alone cannot be mapped to the subject himself. As the Internet world developed, anonymity and non-traceability gradually affected the governance and security of the physical world, and many regulations now require platforms to carry out real-name verification of users. In this way a mapping appears between Internet identity certificates and physical-world identity certificates, and further between those certificates and the subject's identity.

Interestingly, the identity certificate of an Internet user needs to rely on a mapping to an identity certificate in the physical world to establish the uniqueness and certainty of the identity. Websites in the Internet world are completely different: they have had a complete identity certification system from the beginning, namely the Uniform Resource Identifier (URI) shown in Figure 1. Each website has a unique domain name. The issuance of domain names (identity certificates) is managed by the international domain name management body, and in China by the China Internet Network Information Center.


Figure 1: Uniform Resource Identifier Architecture

  • Authentication

In the modern social system, identity verification is the basis for establishing trust. Whenever individuals or organizations interact, identity verification is required, that is, proving that an individual or organization owns a certain resource or enjoys certain rights and interests; its purpose is to maintain the basic rules and security of the system's operation through the identity verification system.

Physical World Authentication

Physical medium proofs, such as various paper documents or cards, are the identity proofs humanity has relied on for the longest time, including ID cards, passports, social security and medical insurance cards, driver's licenses, and more. As technology develops, physical medium certificates become easier and easier to falsify, and forgeries cannot be reliably detected during identity verification. Identity tampering and identity fraud are frequent, leading to the illegal transfer of assets and the theft of social rights and interests. It is therefore difficult to maintain the original social rules and security through identity proof realised on physical media. To prevent identity fraud, governments and organizations have upgraded in two respects. The first is to upgrade the physical medium of the identity certificate by adding features for verification, such as the laser colour-changing marks, microtext and visible layer stacking added to China's ID card; these upgrades only raise the cost of forgery for criminals, who can still copy various identity certificates once they master the techniques, so they cannot fundamentally eliminate fraud. The second is to improve the means of verification: government agencies connect to various identity certification platforms and can identify the authenticity of an identity by comparing the physical medium certificate with system information before a subject enjoys rights or disposes of assets. This model has two problems. The first is that the various identity certification platforms are not fully connected, and data silos leave the verification information incomplete; the second is that enterprises and other individual users have no right to connect to the identity identification platforms, so in daily transactions and cooperation the authenticity of an identity cannot be verified through this mode.

Internet User Authentication

In the Internet world, authentication mainly relies on usernames and passwords: entering the correct information means the authentication passes. This verification system has two problems. The first is that usernames and passwords are easily stolen by network attackers; the second is that centralized platforms have absolute control over user identity information and can delete, add, change and even trade it according to their own needs.

  • Identity information security issues

Whether in the physical world or the Internet world, identity management has problems, and the identity certificates of the two parallel worlds are gradually converging. The identity verification problem in the physical world is improved by using the Internet, and the security problems caused by anonymous trust and non-traceability in the Internet world are solved by mapping the identity to the physical world. We have solved the troubles caused by the authenticity and credibility of identity, but at the same time this has brought new troubles: the characteristics and behaviour of an identity are exposed on the network, and various platforms ignore the relevant regulations, arbitrarily collect identity-related and behavioural information, and misuse it.


Figure 2: Traditional database management mode for user information

As shown in Figure 2, in the centralized management mode user information is repeatedly collected and stored by different platforms. In Issue No. 76 of 2021, "Data Privacy Issues from the Realization of User Portraits", we pointed out the problems: user information is over-collected, information is traded between platforms, and users have no control over their personal behaviour data.

  • other

At present, what we face is not only the above problem of managing human identities. With the development of Internet and communication technology, the network connects everything and builds a digital world parallel to the physical world. The participants in the digital world are not only people but everything else as well. How should the ownership of everything in the digital world be defined, and how should the rights and interests of each digital object be defined? This question concerns maintaining the normal order of the digital world and building trust. The three elements "identity, proof of identity, authentication" discussed above concern only people, but in the physical world, besides people's identities, we also have various other internationally unified identifiers, such as the unified codes related to commodities (RFID, product serial numbers, QR codes) and so on. In the future we need to manage every element of the digital world, which presupposes that the identity management of these elements is done well. Further, we need a tool that can maintain different identification methods in a unified manner and can realise "identity, proof of identity, authentication" for different things.

DID technology details

Decentralized Identifiers (DIDs), also rendered as distributed digital identities, are defined in W3C's "DID V1.0" as a new type of globally unique identifier. Such an identifier can be used not only for people but for anything, including a car, an animal or even a machine. This article mainly takes people as the example when discussing DID.

Below we introduce DID technology from the perspectives of technical implementation and application. Technical implementation mainly describes the components of DID technology, while application mainly discusses how DID realises "identity, proof of identity, authentication".

Technical realization

The core components of DID technology are three: the DID, the DID Document, and the Verifiable Data Registry.


Figure 3: Relationship between DID architecture and related components

(Source: W3C DID core)

  • DID

A DID is a type of Uniform Resource Identifier (URI): a permanent, immutable string. It has two meanings. First, it marks a target object (the DID Subject), which can be a person, a commodity, etc. Second, the DID is a unique identifier associated, through the DID URL, with the document describing the target object (the DID Document, DID Doc for short); that is, the specific DID Doc can be looked up in a database through the DID.

  • DID identification method

A DID is divided into three parts, as shown in Figure 4: the first part is the DID scheme (comparable to protocols such as http, https and ftp in a URL); the second part is the DID method identifier (usually the name of the DID Method); the third part is the DID method-specific identifier, which is unique throughout the namespace of that DID Method. W3C only regulates the representation structure of a DID, namely <did:+DID method:+DID Method-Specific Identifier>, and does not prescribe the content of the three parts. The specific content depends on the DID Method, which is introduced next.


Figure 4: Simple example of DID

  • DID Method

The DID Method is a set of public operating standards defining the creation, resolution, update and deletion of DIDs, and covers DID registration, replacement, rotation, recovery and expiration in identity systems. At present there is no unified operating standard; each company can design one according to the characteristics of its scenario, and the list is maintained by the W3C CCG working group. As of the release of "DID V1.0" on August 3, 2021, as many as 103 DID Methods were registered with W3C, all with different names and different representations of the method-specific identifier.

  • DID URL

To integrate with the existing URI scheme for locating network resources, DID uses the DID URL to represent the location of resources (such as paths, queries and fragments). The W3C ABNF defines the syntax of a DID URL as follows: <did-url = did path-abempty ["?" query] ["#" fragment]>.
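As an added example (not code from the report or from W3C), here is a small Go parser for the DID and DID URL syntax described above, following the DID Core ABNF (scheme, method-name, method-specific-id, then path, query and fragment); the DIDs it is run on are constructed sample values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// DIDURL holds the parts of a DID URL as defined by the W3C DID Core ABNF:
//   did-url = did path-abempty [ "?" query ] [ "#" fragment ]
//   did     = "did:" method-name ":" method-specific-id
type DIDURL struct {
	Method   string // method-name, e.g. "example"; selects the DID Method used to resolve it
	ID       string // method-specific-id, unique within that method's namespace
	Path     string // path-abempty: "" or a "/"-prefixed path
	Query    string // text after "?", without the "?"
	Fragment string // text after "#", typically the id of a verification method in the DID Doc
}

// didRe encodes the ABNF of the bare did:
//   method-name        = 1*method-char         ; method-char = %x61-7A / DIGIT
//   method-specific-id = *( *idchar ":" ) 1*idchar
//   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
var didRe = regexp.MustCompile(
	`^did:([a-z0-9]+):((?:(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})*:)*(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})+)$`)

// ParseDIDURL splits s into its components and rejects anything that does not
// match the ABNF, so that a resolver never dispatches on an unvalidated method
// name or forwards unexpected characters into a method-specific lookup.
func ParseDIDURL(s string) (DIDURL, error) {
	var u DIDURL
	rest := s
	// Strip fragment, then query, then path, in the order RFC 3986 delimits them.
	if i := strings.Index(rest, "#"); i >= 0 {
		u.Fragment, rest = rest[i+1:], rest[:i]
	}
	if i := strings.Index(rest, "?"); i >= 0 {
		u.Query, rest = rest[i+1:], rest[:i]
	}
	if i := strings.Index(rest, "/"); i >= 0 {
		u.Path, rest = rest[i:], rest[:i]
	}
	m := didRe.FindStringSubmatch(rest)
	if m == nil {
		return DIDURL{}, fmt.Errorf("invalid DID %q in %q", rest, s)
	}
	u.Method, u.ID = m[1], m[2]
	return u, nil
}

// DID returns the bare DID (scheme, method and method-specific id) of u,
// which is what a resolver looks up to fetch the DID Doc.
func (u DIDURL) DID() string { return "did:" + u.Method + ":" + u.ID }

func main() {
	// Constructed sample inputs; the last one is rejected because method-name must be lowercase.
	for _, s := range []string{
		"did:example:123456789abcdefghi",
		"did:web:example.com:user:alice/profile?version=1#key-1",
		"did:Example:abc",
	} {
		u, err := ParseDIDURL(s)
		fmt.Printf("%-55s -> %+v err=%v\n", s, u, err)
	}
}
```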

  • DID Document

The DID Document (DID Doc) contains all information related to the DID Subject, including the authentication methods for the identity information (encryption public keys, related addresses, etc.). The DID Doc is a general data structure, and usually the DID Controller is responsible for writing and modifying its data. The file contains the key information and verification methods related to DID verification, providing a set of mechanisms by which a DID Controller can prove control of the corresponding DID. Note that the DID Controller managing the DID Doc may be the DID Subject itself or a third-party organization, and different DID Methods manage rights over the DID Doc differently.

Figure 5 shows the DID Doc (a file written in JSON-LD) corresponding to the DID in Figure 4, stored in a location (centralized or decentralized) where anyone can easily find it.


Figure 5: DID Doc example (source: W3C DID white paper)

A DID Doc can be regarded as an identity information map. As shown in Figure 6, it consists of two parts. The first part is the labels, content that can be queried and read directly in the DID Doc, which falls into three groups: core labels (such as id, controller, authentication, etc.), extended labels (such as an Ethereum address), and labels not registered in the W3C DID specification. The second part is not listed in the DID Doc but links, in specific forms such as URLs, to third-party platforms or website systems where the relevant identity information can be queried. To ensure maximum interoperability and compatibility of information, W3C has established the DID Specification Registry so that content in specific forms can be recognised and parsed in a DID Doc; when a new label appears, the relevant platform or system needs to register it with the DID Specification Registry.


Figure 6: Identity feature entry of DID Doc (source: W3C DID white paper)

Different DIDs may have information exchange relationships with each other. As shown in Figure 7, W3C proposes the concepts of Production and Consumption: the process of creating a DID Document is Production, and the process of referencing the created Document for the DID Subject to create other DIDs is Consumption. During verification, the DID Document corresponding to each DID is independent, which amounts to information isolation between DIDs. The DID holder can authorize different DIDs as needed, and the verifier can only read the authorized DID Doc and cannot obtain more information, which achieves the information protection purpose for the DID Subject.


Figure 7: Representation of DID generation and consumption (Source: W3C DID white paper)

  • Verifiable Data Registries (VDR)

The original intention of DID is to hand the right to manage user identity information from the platform to the user himself. In this process the user must solve several problems: where is the information stored? Where is this data found when it needs to be verified? How is the authenticity of the data ensured? The VDR is about how to solve these problems. We call a system that supports recording DID data and can provide the relevant data when generating a DID Doc a Verifiable Data Registry (VDR). Such systems include distributed ledgers, distributed file systems, P2P networks or other trusted channels. VDR and DID Method are directly correlated: generally each VDR proposes its own DID Method based on the W3C DID specification. At present the main DID storage medium on the market is the wallet, which is divided into custodial wallets (such as Coinbase), ordinary wallets (such as imToken) and smart wallets (Gnosis Safe, Dappe, Argent). Which medium can store DID information more effectively is not discussed in detail in this article.

Implementation of DID: "Identity, Proof of Identity, Authentication"

We briefly discuss how DID implements these functions, following the triad "identity, proof of identity, authentication" from the first part.

identity

In the DID scheme, everyone can register different DIDs on any trusted third-party platform for different purposes, in different scenarios and at different times, and hold a DID to prove ownership of an asset or a specific right or interest. A DID has no direct mapping to the physical-world identity, and DID information is maintained by the identity subject or a trusted third party, which ensures the security of the information. The identity subject must hold the DID safely and at the same time maintain the identity document (DID Doc) corresponding to the DID.

Proof of identity

A DID is just a string of random values with a key. In practice, a third-party agency writes the proof of identity into the DID Doc according to the DID information and adds its own digital signature to the file to facilitate later authentication. For example, Zhang San needs to prove that he is able to drive. There is no need to issue Zhang San a driver's license as in the traditional centralized method, and his specific personal information need not be stored in the authority's database; the solution given through DID technology is [1]: Zhang San provides a DID he has prepared himself, or uses a DID provided by the DMV, to the DMV; the DMV writes the relevant information according to the JSON-LD data structure of the DID Doc (including but not limited to id, type, validity period, controller, verification method, etc.) and adds the DMV's digital signature. The DID Doc can be stored at the DMV, in Zhang San's smart wallet, or on other storage media. Note that this DID does not reveal Zhang San's identity characteristics, and there is no other proof of identity mapping it to the physical world; it is only one of the many DIDs Zhang San holds. Therefore, as long as Zhang San himself does not present the DID certificate, no one can know that this DID Doc belongs to him, which protects his personal privacy.

Authentication

The main purpose of verification is to prove that the target subject is compliant or authorized to carry out a certain procedure. The W3C "DID V1.0 White Paper" sorts verification purposes into five categories, namely authentication, assertion, key agreement, capability invocation and capability delegation. Different schemes can be designed in a DID Method for these five purposes. The sources of verification information fall into two categories: data listed in the DID Doc, and data that must rely on external systems or platforms; W3C has set requirements for the format of the material (mainly publicKeyJwk and publicKeyMultibase) so that it can be parsed and recognised easily. The following is an example of "assertion". According to the latest national regulations on online games for minors, play time is limited to one hour per day. The traditional method needs the ID card information to be uploaded, but in the distributed identifier solution the user only needs to provide his own DID, and whether the user is over 18 can be verified through a zero-knowledge proof without telling the platform the user's specific age. This is just one of many verification methods.

Application and Development of DID

Four years have passed since DID was proposed, and various industry associations, Internet platforms and foundations are actively promoting and improving DID technology. After a long period of exploration, W3C released the DID version 1.0 white paper on August 3, 2021. Compared with the initial version 0.1, a brand-new identity identification system was built, and version 1.0 began to consider how to integrate the identification methods already on the market. Other associations, organizations and enterprises have also proposed a variety of DID Methods based on the W3C DID specification, but many problems remain to be solved before DID technology can be applied, mainly including:

How to meet compliance requirements?

The Internet initially required only platform authentication via username and password, but to meet compliance requirements physical-world authentication was added. The original intention was to make the behaviour of network users accountable and traceable and gradually establish a network trust system, but the negative effect was that a large amount of personal information leaked. DID effectively solves these problems but still faces compliance issues. Although no relevant regulations have been promulgated yet, in the near future it will certainly face the problem of how to map different DIDs to specific subjects, and at the same time whether this mapping relationship will cause a new round of information leakage. This issue needs further exploration and observation.

How to verify the relationship between DID and holder?

DID is anonymous, and the solution given by current mainstream DID technology is: whoever holds the DID is entitled to the relevant rights and interests. This scheme cannot verify whether the DID presenter is the person himself, nor can it prevent a DID from being stolen and used for illegal purposes. Although some DID Methods propose mapping DIDs to a centralized database and verifying the presenter's identity through a centralized set of methods, this still leaves loopholes in the protection of personal information, for example whether DID holders can be derived in reverse from the centralized database.

How to market DID?

In the marketization of DID there are currently two bottlenecks. First, no company is willing to give up user data voluntarily: user data is like a platform's moat and generates a lot of value, so agreeing to the use of DID means agreeing to dismantle the moat, which is a fatal blow. Second, who pays for implementing DID technology? On the one hand, are users willing to pay for their identity information, in other words to pay a provider such as a smart wallet? Although personal behaviour data may be monetised in the future and be enough to cover this cost, how many people will be interested in participating while the business model is unclear? On the other hand, DID technology breaks the original data management structure on each platform side and requires relevant verification platforms to be added; who bears those costs? These bottlenecks will greatly hinder the implementation of DID technology, and there is still no ideal solution for balancing the interests of stakeholders.

Risky key management

The credibility of DID depends mainly on key technology. If the private key of a third-party organization is stolen, will certificates be issued at will? If an identity subject inadvertently loses its private key, can its DID certificates never be used again? There is currently no ideal solution to these problems, and they will pose great challenges in practical use.

Identity information leakage risk

Compared with traditional identity information management methods, DID greatly improves the security of data, but certain risks remain in specific applications. For example, when a third party collects a sufficient amount of personal DID data, the data can be analysed in reverse to discover mappings between DID identifiers and deduce personal identities in the physical world. The root cause is that most W3C-based DID Methods are static identities rather than dynamic ones; if a dynamic identity management system can be designed in the future in which DID identifiers are updated regularly, then even if a third party collects some data about a DID Subject, it cannot find the relationship between DIDs through massive data.

The combination of blockchain and DID

Although blockchain is not a necessary option for DID technology, it can help the implementation of DID, avoid many disputes, and maintain the credibility of data at a lower cost, mainly in the following aspects:

Reduce verification costs

What DID technology advocates is storing the DID and DID Doc on the user side, but how can it be ensured that the DID Doc is not tampered with there? Without blockchain, DID certificate issuers are required to maintain these certificates in sync, increasing maintenance costs; when the DID is used, the counterparty has to verify the consistency between the holder's DID Doc and the issuer's database, increasing verification costs. Using blockchain technology can reduce the issuer's cost: as long as the information written into the holder's DID Doc is recorded on the chain it cannot be modified, which ensures the authenticity and security of the information; the issuer does not need to bear additional database storage and maintenance costs, and the counterparty does not need extra cost to check consistency between the holder's DID Doc and the issuer's database.

Construction of trust system based on DID

Most current solutions around blockchain have not achieved a closed ecological loop. If someone defaults in the blockchain ecosystem, it is still necessary to return to the centralized model to find legal remedies, which has not relieved the pressure on government governance. Will we in future build a DID-based credit record system to make up for this shortcoming in building a closed loop? This issue is worth watching. The behaviour information of different subjects will be recorded in the DID Doc along with the DID and will become an important reference for cooperation between parties; a subject with a record of default will be unable to find partners, so this trust system will have a very positive effect on ecological governance. The basis of all this is trusted data, from which blockchain cannot be absent.

Notes:

[1] Since different DID Methods have different operation suggestions, this is only an example of one method for issuing DID identity certificates.

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/did-a-new-identity-technology/
