SESSION ID: IDY-W11

Managing Self-Sovereign Identities: A Relying Party Perspective

George Fletcher
Identity Standards Architect
Verizon Media Inc.
@gffletch
#RSAC

Introduction

Quick SSI Introduction

Federated Identity Model

[Diagram labels: User credential, Trust, Identity Provider, Verifiable Credential, Relying Party]

What is Self-Sovereign Identity?

High Level SSI Model

[Diagram labels: Verifiable Credential, Proof, Holder, Trust, Issuer, Verifier]

Decentralized Identifier -- DID

did:example:123456789abcdefghi

    {
      "@context": "https://w3id.org/did/v1",
      "id": "did:example:123456789abcdefghi",
      "authentication": [{
        // this key can be used to authenticate as did:...fghi
        "id": "did:example:123456789abcdefghi#keys-1",
        "type": "RsaVerificationKey2018",
        "controller": "did:example:123456789abcdefghi",
        "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n"
      }],
      "service": [{
        "type": "ExampleService",
        "serviceEndpoint": "https://example.com/endpoint/8377464"
      }]
    }

Why change the model?

• Better end-to-end cryptographic trust
• Possible privacy concern with the Federated Identity Provider knowing where (which sites) the user is authenticating
  – Also which claims were presented to that relying party
• Easy conceptual model for users

Relying Parties

Relying Party Life-Cycle Management

Identifier indirection at the RP

Identities

    RPID    First Name    Last Name    Gender    …
    1234    George        Fletcher     Male      …

    IDP       Username    AuthN       Credential     RPID
    SSI       gffletch    DID-Auth    DID            1234
    Google    13443453    OIDC        Credentials    2345

Registration

Common Pattern: Registration

[Diagram labels: Provide Registration Information, Relying Party, Verify Mobile Phone]

Possible SSI Registration Flow

[Diagram labels: Show QR Code w/ AuthN Challenge, Request Additional Claims, Scan QR Code, Claims, POST AuthN Response, Relying Party]

What’s Different: Data / Claims / Attributes

Data Availability
• What to require/request?
• Zero Knowledge Proofs

Verified vs Unverified
• Which claims can be self-asserted?
• Which claims does the RP want to be verifiable?
• Who do you trust to verify a claim?

Lessons learned from the OpenID Connect rollout

What’s Different: Protocol

Challenge / Response for registration
• Based on DID-Auth
• UX is closer to a “social login” or federation flow for registration

Lack of standardization
• No standard for requesting claims

Authentication

Common Pattern: Authentication

Possible SSI Authentication Flow

[Diagram labels: Show QR Code w/ AuthN Challenge, Scan QR Code, Signed In, POST AuthN Response, Relying Party]

Possible SSI Authentication Flow

[Diagram labels: Request Username, Signed In, Push AuthN Challenge, AuthN Response, Relying Party]
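
The QR-code challenge/response flow and the DID-to-RPID indirection from the slides, sketched from the relying party's side as an added example (not code from the talk). Assumptions: the RP type, its fields and SignedBytes are hypothetical names, Ed25519 is swapped in for the slide's RsaVerificationKey2018 key, an in-memory map stands in for DID resolution, and binding the challenge to the RP origin is an added hardening choice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

type RP struct {
	origin  string                       // this RP's identifier (hypothetical toy type)
	pending map[string]bool              // issued, not yet used challenges
	keys    map[string]ed25519.PublicKey // stand-in for DID resolution (assumption)
	rpids   map[string]int               // DID -> internal RPID link table
}

// NewChallenge returns the single-use nonce the RP shows in the QR code.
func (rp *RP) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	rp.pending[fmt.Sprintf("%x", b)] = true
	return fmt.Sprintf("%x", b)
}

// SignedBytes binds the challenge to one RP so a response cannot be relayed to another.
func SignedBytes(origin, challenge string) []byte { return []byte(origin + "\n" + challenge) }

// Verify checks the POSTed AuthN response and returns the linked RPID.
func (rp *RP) Verify(did, challenge string, sig []byte) (int, error) {
	if !rp.pending[challenge] {
		return 0, errors.New("unknown or already used challenge")
	}
	delete(rp.pending, challenge) // consume first: one attempt per challenge
	key, resolved := rp.keys[did]
	rpid, linked := rp.rpids[did]
	if !resolved || !linked || !ed25519.Verify(key, SignedBytes(rp.origin, challenge), sig) {
		return 0, errors.New("DID unknown or signature invalid") // one error: no account probing
	}
	return rpid, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed holder key pair
	did := "did:example:123456789abcdefghi"  // DID shown on the slide
	rp := &RP{"https://rp.example", map[string]bool{}, map[string]ed25519.PublicKey{did: pub}, map[string]int{did: 1234}}
	c := rp.NewChallenge()
	fmt.Println(rp.Verify(did, c, ed25519.Sign(priv, SignedBytes(rp.origin, c))))
}
```

The session and account records downstream key on the returned RPID (1234 in the slide's table), so the DID can be rotated or another credential linked without touching the identity record.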

PDF document: 2020_USA20_IDY-W11_01_Managing-Self-Sovereign-Identities-A-Relying-Party-Perspective
