I've been having a discussion with Paul Worrall (https://www.linkedin.com/in/worrall/),
who is publishing helpful videos of his thoughts on identity-proofing standards, specifically GPG45, which defines the UK's standard for identity proofing, and its interoperation with eIDAS in Europe.
I commented as below on his latest video. (LinkedIn doesn't accommodate a debate of this length, so I had to split it across three comments!)
As you say, "Blockchain doesn't 'do' identity". Rather, DLT is a persistence infrastructure with some desirable properties. Similarly, the ability to manage identifiers (using ENS or otherwise) isn't 'identity'; rather, it is entity addressability.
Whether Microsoft's DID + off-chain identity hub, Hyperledger Indy + off-chain agent, or GlobalID + off-chain personal storage, DLT is 'just' the immutable record of transactions and of identifiers which represent transactions. The associated notions of attested data held in my store and of co-signing assertions on the chain do certainly enable third parties to rely on point data for services. Again, as you say, the identifiers might 'help to prove identity' (but they are not identity).
This is all good stuff, and I personally want to live in a world in which I control my data and use privacy-preserving proofs to authorise access or to prove my entitlement.
An Identity Provider (IDP) might rely on such attested assertions. However, an Identity Provider is more than this. It is a service layer, acting on behalf of a trust ecosystem. One such ecosystem is a nation-state enabling access to its services and across its borders. Another might be international regulation on CDD/KYC/AML necessary to open a bank account. To prove a 'claimed identity', an IDP uses sources of authoritative data, perhaps including those from Personal Data Stores (whether via DLT or otherwise), and assesses the quality of the evidence. The IDP, independently, and under an assurance regime, proves that an identity exists, is associated with the person, and is being managed so as to continue to exist, to a specific level of confidence. GPG45 is the UK's standard (alongside eIDAS) for how to prove the identity of persons to a certain level of confidence.
Of course, it is possible that each relying party (RP) could assess evidence for itself, by examining a combination of attestations from trusted sources (DLT or otherwise). Each RP can do so if it owns the costs and risks of doing so within its own governance structure. How then will it interoperate with its fellows across its trust ecosystems? Will they all bear their own costs to re-proof the person? Will the first RP indemnify all its partners against costs and risks in their mutual business transactions? I note that the answers to these questions will change over time, and that costs will come down when the pervasiveness of attested data stores reaches critical mass. But even then, ecosystems will need standards to interoperate, including identity standards.
IMO the debate is really about the merits of standard identities, not about the storage fabric, nor about methods of addressing items in that fabric. The aspiration 'I am self-sovereign over my data' is probably deservedly ubiquitous. 'I am myself' is philosophically true; thus the real 'I' already is 'self-sovereign'. When I need to prove that the owner of this account or data point is in fact 'the I', using digital representations of my data, then we need standards which enable commerce or government to function, so that I can achieve my outcomes with minimum friction.
Perhaps the DLT/SSI community might propose a contract-based service to 'prove and maintain identity to a standard'? Perhaps this service, if independently assured to meet that standard, could be called 'an identity provider'?
There is much more to be said and learned. I’m happy to contribute.