Empowering Digital Identities: The SSI Protocol Landscape

In this fourth part of the blog series “Swiss e-ID journey”, we give an overview of the Self-Sovereign Identity (SSI) [10] landscape in Switzerland, the EU, and beyond. This allows the reader to put the current Swiss e-ID effort in the context of international references and implementations of e-ID systems.

You can read the other three articles here:

  1. The Swiss Confederation E-ID Public Sandbox Trust Infrastructure
  2. The Swiss E-ID Journey
  3. C4DT Demonstrator using the Swiss Public Sandbox Trust Infrastructure

From e-ID to Self Sovereign Identity

Since the first implementation of an electronic ID in Finland in 1999, many different technologies have been developed and implemented. One of the most used in the world is Aadhar [1] from India, which is also used in 11 African countries (as of mid-2024). Europe, where privacy is prioritized, is developing a new system regulated by eIDAS [4b] and defined in the Architecture Reference Framework (ARF) [4a]. Switzerland will soon decide which technological solutions it wants to use for its new e-ID system.

Both Europe and Switzerland base their systems on Self Sovereign Identities (SSI) [10]. This means that the electronic identity is usable in a way similar to a physical passport or ID card: no central entity is involved in the transactions. Other systems like Aadhar [1] (which inspired MOSIP [8]) use a central registry for the identities, which raises potential privacy issues.

e-ID Components Matrix

The following matrix provides an overview of the e-ID components for SSI [10] used in the European Union and Switzerland. Its columns are the technological building blocks and its rows are the organizations and states making the choices, so that the choices made by the EU can be compared with those proposed by the Swiss e-ID project.

Matrix Components

The matrix categorizes the various protocols and technologies used in SSI based on the following columns:

  1. Credential formats: Define how personal or document information is stored.
  2. Cryptographic algorithms: Prove that a credential is issued by a trustworthy authority. Some protocols also allow the creation of zero-knowledge proofs (ZKP) [2d] of credential attributes.
  3. Transmission protocols: Define how credentials are exchanged between the issuer, wallet holder, and verifier.
  4. Storage systems: Define the trust infrastructure of the e-ID system.

Organizations and Their Roles

Several organizations are involved in defining protocols, writing references, and working on implementations:

  1. Linux Foundation [7]: Hosts the Decentralized Identity Foundation (DIF) [7a] and TrustOverIP [7d], which define protocols and write references. The foundation also has Hyperledger [7b], with its Aries [7b.ii] and Indy [7b.iii] projects, as well as the OpenWallet Foundation [7c], all working on implementations.
  2. OpenID [9] and W3C [12]: Work on defining protocols and writing references.
  3. IETF [5] and IRTF [6]: Standards bodies that provide the infrastructure to host some of the references.

States and Regulations

The EU and Switzerland are actively working on implementing SSI-based e-IDs and providing regulation and legal frameworks.

The Matrix

The matrix approach helps to better understand the different technological choices made by the EU and the Swiss e-ID project in their efforts to develop SSI [10] solutions for e-ID. By categorizing the protocols and technologies and identifying the roles of various organizations and states, it becomes easier to compare and assess the progress made in this field.

| 2024/06 | Credentials | Cryptography | Transmission | Storage |
|---|---|---|---|---|
| Writing references and definitions | | | | |
| Decentralized Identity Foundation | | BBS+ [6a] | DIDComm [7a.ii] | |
| IETF and IRTF (host references) | SD-JWT [5a] | BBS+ [6a] | | |
| OpenID Foundation | | Post-Quantum Identity Standards [9b] | OID4VC [9a] | |
| Trust over IP (also implements) | W3C DID [12a] | | Trust Spanning Protocol [7d.ii]; Trust Registry Protocol [7d.iii] | Key Event Receipt Infrastructure (KERI) [7d.iv] |
| W3C | W3C DID [12a]; Verifiable Credentials [12b] [12c]; JSON-LD [12d] | BBS+ [6a], ECDSA [2b], EDDSA [2c]; Test suites [12e] | | Status List [12f] |
| walt.id | mDL ISO/IEC 18013-5:2021 [13a]; SD-JWT [13b] | | | |
| Integration and implementation | | | | |
| Hyperledger Anoncreds 1.0 | W3C DID [12a] | CL enabling zero-knowledge proofs [7b.i] | DIDComm [7a.ii] | HL Indy [7b.iii], or any database |
| OpenWallet Foundation | SD-JWT [5a] | | OID4VC [9a] | |
| Regulate and define legal frameworks | | | | |
| EU eIDAS, ARF (PARTIAL) | SD-JWT [5a]; SD-JWT VC [5b]; mDL [13a]; W3C VC DM [12b] | RSA [2a], ECDSA [2b] | OID4VC [9a] | StatusList (revocation); Trust Registry |
| Swiss e-ID – Scenario A – PROPOSAL [11a] | SD-JWT [5a] | RSA [2a], ECDSA [2b] | OID4VC [9a] | Revocation: StatusList; Trust Registry |
| Swiss e-ID – Scenario B – PROPOSAL [11a] | JSON-LD [12d] | BBS+ [6a] | OID4VC [9a]; DIDComm [7a.ii] | Revocation: Accumulator, StatusList; Trust Registry |
| Swiss e-ID – Tech Roadmap (2024-06-18) – PROPOSAL [11d] | W3C DID [12a]; EU: SD-JWT [5a]; Priv: JSON-LD [12d] | EU: ECDSA [2b], EDDSA [2c]; Priv: BBS+ [6a] | OID4VC [9a] | Revocation: Accumulator, StatusList [12f]; Trust Registry |


Missing pieces

Post Quantum Cryptography

The security of asymmetric cryptography, such as RSA and elliptic curves, relies on the difficulty of calculating the private key from the public key. While deriving the public key from the private key is easy, the reverse is computationally infeasible with current technology.

However, the advent of powerful quantum computers could change this. Estimates suggest that within 5 to 20 years, quantum computers may be able to calculate private keys from public keys, rendering these widely used cryptographic systems vulnerable.

Alternative post-quantum cryptography systems exist, but adoption is slow. Currently, only the OpenID Foundation is working to include them in e-ID standards [9b]. W3C’s Data Integrity [12c] recommendation could be used to bind future post-quantum-safe signature schemes to a VC [12b], but it is not yet clear whether such schemes will offer unlinkability.

The threat of quantum computers to asymmetric cryptography is real, but the timeline is uncertain. Nonetheless, it is crucial to develop and adopt post-quantum alternatives to ensure the long-term security of our digital infrastructure.

Interoperability

Once more e-ID systems go into production, it will be important to find ways to make them interoperable. This is also an issue for the upcoming Swiss e-ID system: if the final system does not directly implement the ARF [4a] of the EU, then a Swiss e-ID will not be directly usable in the EU, and vice versa. There are currently some discussions within the e-ID task force on how to make the Swiss e-ID interoperable.

But even before technical interoperability with other states is reached, Switzerland will have to gain regulatory interoperability with other legal spaces.

Trust Registry

If you want to verify, for example, a driver’s license from another country, you have to make sure that the issuer is allowed to issue driver’s licenses. This is done using Trust Registries.

The EU proposes Trusted Lists [4c] which must be published and maintained by its member states. These trusted lists should include information related to the qualified trust service providers for which they are responsible, and information related to the qualified trust services provided by them [4c]. In addition to the qualified entries, member states are allowed to add other entries on a voluntary basis.

The Swiss e-ID system doesn’t define the technology for the Trust Registry yet.

The Digital Trust Laboratory from Canada [3] is working on its own Trust Registry, which is based on DNS entries.
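As an added illustration (not code from this blog post or from any of the projects it describes), the following Python sketch shows the two verifier-side checks that the matrix lists under Storage: a trust-registry lookup (is this issuer allowed to issue this credential type?) followed by a status-list revocation check. The registry contents, issuer identifiers, credential layout and status-list URL are all constructed; the status list is a simplified model of the Status List approach (one bit per credential, gzip-compressed and base64url-encoded, bit 0 being the leftmost bit), and signature verification of the credential is deliberately left out.

```python
import base64
import gzip

# Constructed trust registry: issuer identifier -> credential types it may issue.
# Stand-in for an EU Trusted List or a Swiss Trust Registry entry.
TRUST_REGISTRY = {
    "did:example:road-traffic-office": {"DriverLicenseCredential"},
    "did:example:university": {"DiplomaCredential"},
}

def make_status_list(revoked_indices, size=16):
    """Build the status list as a publisher would: one bit per credential
    (bit 0 = leftmost bit of the first byte), then gzip + unpadded base64url."""
    bits = bytearray(size // 8)
    for i in revoked_indices:
        bits[i // 8] |= 0x80 >> (i % 8)
    return base64.urlsafe_b64encode(gzip.compress(bytes(bits))).decode().rstrip("=")

def is_revoked(encoded_list, index):
    """Decode the published list and test the bit at the credential's index."""
    padded = encoded_list + "=" * (-len(encoded_list) % 4)
    bits = gzip.decompress(base64.urlsafe_b64decode(padded))
    return bool(bits[index // 8] & (0x80 >> (index % 8)))

def verify_credential(credential, registry, status_lists):
    """Return (accepted, reason). The issuer must be registered for this
    credential type and the credential's status bit must not be set.
    Signature verification (the Cryptography column) is assumed to be done
    elsewhere and is not shown here."""
    allowed_types = registry.get(credential["issuer"], set())
    if credential["type"] not in allowed_types:
        return False, "issuer not trusted for this credential type"
    status = credential["credentialStatus"]
    encoded = status_lists.get(status["statusListCredential"])
    if encoded is None:
        return False, "status list unavailable"   # fail closed, never assume valid
    if is_revoked(encoded, status["statusListIndex"]):
        return False, "credential revoked"
    return True, "accepted"

# Constructed sample data: one status list in which index 3 is revoked.
STATUS_URL = "https://status.example/list/1"
STATUS_LISTS = {STATUS_URL: make_status_list({3})}
LICENSE_OK = {"issuer": "did:example:road-traffic-office", "type": "DriverLicenseCredential",
              "credentialStatus": {"statusListCredential": STATUS_URL, "statusListIndex": 5}}
LICENSE_REVOKED = {**LICENSE_OK,
                   "credentialStatus": {"statusListCredential": STATUS_URL, "statusListIndex": 3}}
LICENSE_BAD_ISSUER = {**LICENSE_OK, "issuer": "did:example:university"}

if __name__ == "__main__":
    for cred in (LICENSE_OK, LICENSE_REVOKED, LICENSE_BAD_ISSUER):
        print(cred["issuer"], verify_credential(cred, TRUST_REGISTRY, STATUS_LISTS))
```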

Summary

Electronic ID (e-ID) systems have been in development since 1999, with various technologies being implemented worldwide. India’s Aadhar system is one of the most widely used, while Europe prioritizes privacy and is developing a new system regulated by eIDAS and defined in the Architecture Reference Framework (ARF). Switzerland is currently deciding on the technological solutions for its new e-ID system. Both Europe and Switzerland base their systems on Self Sovereign Identities (SSI), which allows an electronic identity to be used in a manner similar to a physical passport or ID card, without the involvement of a central entity in transactions.

Links

  1. Aadhar
  2. Cryptography
    1. RSA
    2. ECDSA
    3. EDDSA
    4. Zero Knowledge Proof (ZKP)
  3. Digital Trust Laboratory, Canada: Trust Registry
  4. EU
    1. Architecture and Reference Framework (ARF)
    2. Electronic Identification and Trust Services (eIDAS)
    3. Trusted Lists
  5. Internet Engineering Task Force (IETF)
    1. SD-JWT, see also [13c]
    2. SD-JWT VC
  6. Internet Research Task Force (IRTF)
    1. BBS+ Reference, see also [7a.i]
  7. Linux Foundation
    1. Decentralized Identity Foundation (DIF)
      1. BBS+ Reference, see also [6a]
      2. DIDComm
    2. Hyperledger
      1. CL enabling zero-knowledge proofs – documentation, github
      2. Hyperledger Aries
      3. Hyperledger Indy
      4. Anoncreds
    3. Openwallet Foundation
    4. Trust over IP (ToIP)
      1. Model explanation
      2. Trust Spanning Protocol
      3. Trust Registry Protocol
      4. Key Event Receipt Infrastructure (KERI)
  8. MOSIP
  9. OpenID Foundation
    1. OID4VC, see also [13b]
      1. OID4VCI
      2. OID4VP
    2. Post-Quantum Identity Standards
  10. Self Sovereign Identities (SSI)
  11. Switzerland
    1. Discussion Paper Tech Proposal: Scenario A, Scenario B
    2. Elektronischer LernFahrAusweis (ELFA)
    3. Swiss Public Sandbox Trust Infrastructure (sandbox)
    4. Tech Roadmap
  12. W3C
    1. Decentralized Identities (DID)
    2. Verifiable Credentials Data Model
    3. Verifiable Credentials Data Integrity
    4. JSON-LD
    5. Test suites
    6. Status List
  13. walt.id
    1. mDL library
    2. OID4VC, see also [9a]
    3. SD-JWT, see also [5a]