Traditional centralized identity management has serious drawbacks: the owner of a digital identity does not genuinely control it, and the identity data held by the central party is easily leaked and misused.
As more everyday activity moves online, digital identity becomes the foundation that activity rests on. After analyzing why digital identity needs to move from centralized to decentralized control, this paper focuses on blockchain-based distributed digital identity. Taking the onboarding of new employees at a particular unit as the example, it establishes a decentralized digital identity model and builds a basic blockchain network on which to validate the model.
Countries everywhere are vigorously developing the digital economy; health QR codes and cloud-based schooling introduced to control the epidemic are recent examples. Online transactions, and the information attached to people and things, can only be authenticated and relied upon if the digital identities of those people and things are themselves authentic.
The frequency of such identity leakage and misuse shows how important the management of users' digital identities is, and how urgently users' identity information needs protection.
With its decentralization, multi-party consensus, openness and transparency, tamper resistance and traceability, blockchain technology offers a credible basis for the security transformation of digital identity. It addresses the current pain points directly and gives identity owners final authority over their own digital identity.
1. Digital identity evolution
Identity management today is almost universally centralized. The essence of a centralized identity management system is that a central identity provider or authorizing organization holds the identity data; it manages the authentication and authorization of identity holders in their daily activities, and the identity is not under the user's control. Each centralized website (Taobao, Jingdong, and so on) has its own identity system, so the same user has different identity records on different sites and must register a new account on each site they visit.
To address this, Microsoft proposed federated identity (alliance identity) in 1999: websites form a federation within which identities are mutually recognized. Under a federated identity system a user's digital identity is shared across multiple websites; its most familiar form today is one-click login with a common social account such as WeChat or QQ. As federated identity matured, digital identity began to move toward decentralization. Even so, although many websites support WeChat and QQ third-party login, the experience is still poor: after a successful login the user is usually asked to bind a mobile phone number again.
To sum up, centralized identity management has two intractable problems: the identity owner has no final authority over their own identity information, and the centralized systems are isolated from one another, so identity information cannot be shared between them.
With the rapid development of blockchain technology, policy, technology and the market have all pushed blockchain into changing how people live, and a new model of digital identity, distributed digital identity, has emerged as the times require. This model removes the drawbacks of centralized control, genuinely lets identity owners control their own identity, and tackles identity misuse and leakage by returning ownership of the digital identity to its holder.
2. Distributed digital identity
The most common model of digital identity is an identifier representing an entity plus the attribute claims associated with it. Correspondingly, a distributed digital identity built on a Decentralized Identifier (DID) has two parts: the decentralized identifier itself and the digital identity credentials (the set of claims).
The W3C has developed standards for DIDs, as shown in Figure 1. They divide a DID system into two layers: the base layer covers the DID specification, that is, DID identifiers and DID documents; the application layer covers Verifiable Credentials, abbreviated VC.
2.1 The base layer of DID
The DID base layer can be thought of as a global key-value database that maps DID identifiers to DID documents. The method segment of a DID identifier (written "example" in the W3C's sample identifiers) names that database, which may be a DID-compatible blockchain, a DID-compatible distributed ledger, or another DID-compatible decentralized network.
A DID identifier is a string that is unique across the whole network, resolvable (it can be parsed and looked up in the registry), and cryptographically verifiable. The basic format specified by the W3C is did:example:123xxx, where "example" stands for the method, i.e. the blockchain, distributed ledger or decentralized network that holds the identifier, and "123xxx" is the method-specific identifier. Many methods are now registered, WeBank's among them, and the list keeps growing.
The DID document is a JSON-LD data set with six parts, and the controller chooses which of them to publish. It associates cryptographic material (public keys) and service endpoints with the DID identifier, so that a counterparty who resolves the DID can verify signatures and establish a secure channel with its controller.
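The following Go program is an added example, not code from the paper or from WeIdentity: it implements the base layer described above in miniature. It has a DID syntax parser, an in-memory registry standing in for the global key-value database (a ledger in a real method), a reduced DID document carrying an Ed25519 key, and the challenge-response authentication that a counterparty performs with the key found in the resolved document. The identifier did:example:... is the W3C placeholder method; the "u" multibase prefix (base64url) is used rather than the base58 form so that the program needs nothing beyond the Go standard library, and the grammar omits percent-encoding, so it is slightly stricter than the specification's ABNF. All identifiers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// didSyntax follows the W3C DID Core grammar: "did:" method-name ":" method-specific-id,
// lowercase alphanumeric method name, colon-separated id segments (percent-encoding omitted).
var didSyntax = regexp.MustCompile(`^did:([a-z0-9]+):([A-Za-z0-9._-]+(?::[A-Za-z0-9._-]+)*)$`)

// ParseDID returns the method name and method-specific id of a well-formed DID.
func ParseDID(did string) (method, id string, err error) {
	m := didSyntax.FindStringSubmatch(did)
	if m == nil {
		return "", "", fmt.Errorf("not a well-formed DID: %q", did)
	}
	return m[1], m[2], nil
}

// VerificationMethod carries one public key of the DID document.
type VerificationMethod struct{ ID, Type, Controller, PublicKeyMultibase string }

// DIDDocument is a reduced W3C DID document. Authentication names which keys may prove control.
type DIDDocument struct {
	ID                 string
	VerificationMethod []VerificationMethod
	Authentication     []string
}

// Registry stands in for the base layer's global key-value database (a ledger in a real method).
type Registry map[string]DIDDocument

// Register checks the DID syntax and refuses to overwrite an entry (an update would need proof of control).
func (r Registry) Register(doc DIDDocument) error {
	if _, _, err := ParseDID(doc.ID); err != nil {
		return err
	}
	if _, taken := r[doc.ID]; taken {
		return errors.New("DID already registered: " + doc.ID)
	}
	r[doc.ID] = doc
	return nil
}

// Resolve is the read side of the registry: DID in, DID document out.
func (r Registry) Resolve(did string) (DIDDocument, error) {
	if doc, ok := r[did]; ok {
		return doc, nil
	}
	return DIDDocument{}, fmt.Errorf("DID not found: %s", did)
}

// NewDIDDocument generates an Ed25519 key pair and a document that lists the
// key under verificationMethod and references it from authentication.
func NewDIDDocument(did string) (DIDDocument, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DIDDocument{}, nil, err
	}
	keyID := did + "#key-1"
	doc := DIDDocument{
		ID: did,
		VerificationMethod: []VerificationMethod{{
			ID: keyID, Type: "Ed25519VerificationKey2020", Controller: did,
			// multibase prefix 'u' means base64url without padding
			PublicKeyMultibase: "u" + base64.RawURLEncoding.EncodeToString(pub),
		}},
		Authentication: []string{keyID},
	}
	return doc, priv, nil
}

// Authenticate is DID challenge-response: resolve the DID, use only keys referenced
// from authentication, and check the signature over the verifier-chosen challenge.
func Authenticate(r Registry, did string, challenge, sig []byte) bool {
	doc, err := r.Resolve(did)
	if err != nil {
		return false
	}
	auth := map[string]bool{}
	for _, id := range doc.Authentication {
		auth[id] = true
	}
	for _, vm := range doc.VerificationMethod {
		if !auth[vm.ID] || len(vm.PublicKeyMultibase) < 2 || vm.PublicKeyMultibase[0] != 'u' {
			continue
		}
		raw, err := base64.RawURLEncoding.DecodeString(vm.PublicKeyMultibase[1:])
		if err == nil && len(raw) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(raw), challenge, sig) {
			return true
		}
	}
	return false
}
```

A holder proves control by signing a challenge the verifier chose for this session (`ed25519.Sign(priv, challenge)`) and handing back the DID and the signature; the verifier never needs a shared secret, only the registry. Two details matter in practice: the challenge must be fresh per session, or a recorded signature can be replayed, and only keys referenced from `authentication` count, since a DID document may list keys for other purposes (key agreement, assertion) that must not prove control.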
2.2 Application layer of DID
The DID application layer is mainly about Verifiable Credentials (VC). A VC is a standardized way of expressing an attribute that an entity holds; a DID entity presents VCs to other entities to prove the authenticity of some of its attributes. The common VC model has four roles:
(1) Issuer: an entity that holds evidence for certain user attributes and can issue VCs for them, such as a public security department issuing identity certificates, a school issuing academic certificates, or an institution issuing training certificates.
(2) Inspector-Verifier (IV): an organization that needs to check user information; it accepts VCs and provides the relevant service to the user once verification succeeds.
(3) Holder: the entity that requests, receives and holds VCs from the issuer and presents them to the IV; issued VCs may be stored with an agent for easy reuse.
(4) Identifier Registry: the system in which DIDs are registered and resolved, such as a blockchain, distributed ledger, or related distributed network. The IV consults this registry when it verifies the user's DID.
VCs should be issued on the principle of disclosing the minimum of user information. For example, user A wants to register as a ride-hailing driver, and the registration site requires proof of more than 3 years' driving experience and proof that the car belongs to the applicant. In current ride-hailing systems the user uploads the original driver's license and vehicle license to the company's website, which hands control of that personal information to the company; if the site is poorly managed, the data can leak. With VCs, user A instead applies to the issuer (the vehicle management office) for a VC whose content discloses only "User A has driven for more than 3 years, and the vehicle belongs to User A". User A presents this VC to the inspector (the ride-hailing registration agency), which verifies it, and the registration succeeds without the original documents ever being uploaded.
Ideally a VC lets the verifier learn no more than a "yes" or "no", revealing the least possible information to the IV.
3. Scenario analysis and modeling
In general, a DID application proceeds in the following steps:
(1) Create a blockchain network for the participating business entities (individuals and organizations);
(2) Generate DIDs for the related entities in accordance with the W3C standard and register them on the chain;
(3) Create verifiable digital credentials for every type of certificate the business requires, and use the blockchain's key management and tamper-proof digital proofs for trusted registration, authorized circulation, and authenticity verification of those credentials.
The following example is a new employee joining a military unit. To be sure that the materials a new employee provides are authentic and have not been tampered with, the unit has to contact third-party agencies to verify them; we analyze the role DID technology plays in this.
Before joining, the unit requires the employee to provide a series of certificates for the onboarding procedure, such as graduation certificates, degree certificates, resignation certificates, certificates of no criminal record and certificates of actual performance, each of which comes from a different department. Verifying the authenticity of all of these is also laborious for the new unit. DID technology solves this problem well:
(1) The provider of each certificate is an issuer, and the hiring unit is the verifier;
(2) The issuers of the certificates, the new employee and the hiring unit join a shared blockchain network and each register their own DID;
(3) The user can host their own identity information with a user agent, delivered as an app or as a web application;
(4) The new employee applies to each certificate provider for their certificate. The issuer first verifies the applicant's identity through their DID and issues the certificate only if the identity checks out;
(5) Once the new employee receives the certificate, the agent takes custody of it, and the hash of the certificate is computed and written to the chain;
(6) When the hiring unit receives the materials presented by the new employee, it verifies their authenticity against the information on the chain.
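The program below is an added example (not from the paper, WeIdentity or FISCO BCOS) that carries both the ride-hailing VC case of section 2.2 and the onboarding procedure above through in Go. The issuer signs only salted digests of the claims; the holder discloses a chosen subset together with the salts (a salted-hash form of selective disclosure, similar in spirit to SD-JWT); the holder's agent anchors the hash of the signed credential on a ledger, for which an in-memory map stands in (step 5); and the verifier checks the issuer signature, the anchor, and that each disclosed claim's digest is covered by the signature (step 6). Issuer keys are looked up in a plain map here instead of being resolved from the issuer's DID document, and all DIDs and attribute values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Claim is one signed attribute; its random salt stops a verifier brute-forcing low-entropy values from the digest.
type Claim struct{ Name, Value, Salt string }

// Envelope is all the issuer signs: the parties plus sorted claim digests, so any subset can be disclosed later.
type Envelope struct {
	Issuer  string   `json:"issuer"`
	Subject string   `json:"subject"`
	Digests []string `json:"claimDigests"`
}

// Credential as held (all claims) or as presented (disclosed claims only).
type Credential struct {
	Envelope  Envelope
	Signature []byte
	Claims    []Claim
}

func digestHex(b []byte) string  { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }
func claimDigest(c Claim) string { return digestHex([]byte(c.Salt + "|" + c.Name + "|" + c.Value)) }

// canonical: deterministic bytes (fixed field order, sorted digests) covered by signature and anchor.
func canonical(e Envelope) []byte { b, _ := json.Marshal(e); return b }

// Issue is the issuer's step: salt and digest every claim, then sign the digests.
func Issue(issuer string, priv ed25519.PrivateKey, subject string, attrs map[string]string) Credential {
	cred := Credential{Envelope: Envelope{Issuer: issuer, Subject: subject}}
	for name, value := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt)
		c := Claim{Name: name, Value: value, Salt: hex.EncodeToString(salt)}
		cred.Claims = append(cred.Claims, c)
		cred.Envelope.Digests = append(cred.Envelope.Digests, claimDigest(c))
	}
	sort.Strings(cred.Envelope.Digests)
	cred.Signature = ed25519.Sign(priv, canonical(cred.Envelope))
	return cred
}

// Present is the holder's step: same envelope and signature, named claims only.
func Present(cred Credential, names ...string) Credential {
	p := Credential{Envelope: cred.Envelope, Signature: cred.Signature}
	for _, c := range cred.Claims {
		for _, n := range names {
			if c.Name == n {
				p.Claims = append(p.Claims, c)
			}
		}
	}
	return p
}

// Ledger stands in for the chain of step (5): the holder's agent anchors the
// hash of the signed envelope, and the verifier later checks that it is there.
type Ledger map[string]bool

func AnchorID(e Envelope) string   { return digestHex(canonical(e)) }
func (l Ledger) Anchor(e Envelope) { l[AnchorID(e)] = true }

// Verify is the inspector-verifier's step (6): issuer signature, ledger anchor,
// and every disclosed claim's digest must appear among the signed digests.
func Verify(p Credential, issuerKeys map[string]ed25519.PublicKey, l Ledger) (map[string]string, error) {
	pub, ok := issuerKeys[p.Envelope.Issuer]
	if !ok || !ed25519.Verify(pub, canonical(p.Envelope), p.Signature) {
		return nil, fmt.Errorf("issuer %s unknown or signature invalid", p.Envelope.Issuer)
	}
	if !l[AnchorID(p.Envelope)] {
		return nil, fmt.Errorf("credential hash not anchored on the ledger")
	}
	out := map[string]string{}
	for _, c := range p.Claims {
		d := claimDigest(c)
		if i := sort.SearchStrings(p.Envelope.Digests, d); i == len(p.Envelope.Digests) || p.Envelope.Digests[i] != d {
			return nil, fmt.Errorf("claim %q is not covered by the signature", c.Name)
		}
		out[c.Name] = c.Value
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the vehicle management office's key
	attrs := map[string]string{"driving_experience_over_3_years": "true", "vehicle_owner": "true", "licence_number": "D-1234567"}
	cred := Issue("did:example:vehicle-office", priv, "did:example:user-a", attrs) // constructed DIDs and values
	ledger := Ledger{}
	ledger.Anchor(cred.Envelope) // step (5): hash on chain
	keys := map[string]ed25519.PublicKey{"did:example:vehicle-office": pub}
	got, err := Verify(Present(cred, "driving_experience_over_3_years", "vehicle_owner"), keys, ledger)
	fmt.Println(got, err) // licence_number is never disclosed to the verifier
}
```

The verifier ends up knowing `driving_experience_over_3_years` and `vehicle_owner` but never `licence_number`: its digest sits in the signed envelope, yet without the salt the verifier cannot even test guesses against it. Having the issuer assert a derived claim ("more than 3 years") rather than the raw licence date is what brings the disclosure close to the yes/no ideal of section 2.2. For the onboarding scenario the same structure applies per certificate, with each department acting as issuer and the hiring unit as verifier; what the chain holds is only the anchor hash, never the certificate itself.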
4. Model Validation
WeIdentity is a blockchain-based distributed, multi-center digital identity solution developed by WeBank, the first Internet bank in China. It provides the base layer and external interfaces for digital identity, on which developers can build authentication, authorization, and trusted data exchange between digital entities (people or things).
BCOS is an open source blockchain platform focused on enterprise applications, developed jointly by WeBank, Wanxiang Blockchain and Matrix Yuan (Juzix) as a distributed application platform for enterprise users. In 2017 the open source working group of the Golden Chain Alliance (FISCO, the Financial Blockchain Shenzhen Consortium) released FISCO BCOS, a version of BCOS tailored to the financial industry. FISCO BCOS has since grown a strong domestic open source consortium-chain ecosystem, and the platform has been exercised in hundreds of projects across many industries.
This paper uses the open source WeIdentity + FISCO BCOS framework as its base and on it validates the new-employee onboarding scenario for the military-industry unit. The main steps are as follows:
(1) Build the FISCO BCOS blockchain network, as shown in Figure 3;
(2) Issue certificates, as shown in Figure 4;
(3) New employees entrust user agents with holding their VCs, as shown in Figure 5;
(4) The new unit verifies the basic information, as shown in Figure 6.
5. Conclusion
This paper studies the theory of distributed, decentralized digital identity, builds a blockchain network on that basis, and models and validates a practical problem on it. Distributed digital identity technology will see wide use in digital life, but its adoption is still in its infancy and it has shortcomings. Securing the transmission of data onto the chain, and ensuring the authenticity and credibility of the data that is placed on the chain, are directions for future research.
Guest article written by RaguNath.T, a Digital Marketing Executive. He designs marketing strategies with the intention of using high-quality content to educate and engage audiences. His specialties include social media marketing and SEO, and he works closely with B2B and B2C businesses, providing digital marketing strategies that gain social media attention and increase search engine visibility.