This October, Evernym's Timmothy Ruff wrote about the 7 Myths of Self-Sovereign Identity, clearing up common misconceptions about SSI. That post was an excellent start, and a good model to build upon. What are the myths that need busted? I briefly summarized Timothy's 7 myths as a jumping off point. -infominer33
Self-Sovereign means having ownership over your own credentials. However, we are still dependent on others to verify specifics about who we are. Self-attested credentials provide your personal opinion, preferences and consent. Proof of specific attributes commonly requires a trusted third party to verify and attest to.
Many people are reminded of the Sovereign Citizens movement, that asserts its sovereign independence from presiding governments. Self-sovereign identity, on the other-hand, enables a private, encrypted connection between a government and their citizens. That connection, mutual and revokable by either party, can support mutual authentication, communication, and datasharing; independent from change of address or phone numbers.
SSI is not meant to supplant a national ID system. As mentioned previously, governments can use SSI to improve existing identity systems, whether national, regional, or otherwise. SSI does not replace the trust of government or any other organization; rather SSI makes possible stronger, more flexible and verifiable connections between existing organizations, members, governments and constituents. SSI will, however, make possible identification for those who are unable to access any from a local government, including refugees and other displaced people.
SSI gives its owner control over some aspects of identity, but not all. The digital wallet, DIDs, interaction history, consent receipts, private keys, and self-attested credentials are under complete control of the owner.
Connections, relationships, and third-party issued credentials are not entirely self-sovereign, nor should they be. Like real-world relationships, all parties involved have some degree of control over the continuation of the relationship.
With Sovrin\Indy-style SSI, digital credentials can be held by the SSI owner in a self-sovereign digital wallet, and can still be revoked by their issuers, without the credentials being removed from the wallet.
With real SSI there is no third party in the middle verifying each credential added to a wallet. Identity proofing services can provide a valuable service, but its a lot simpler when government and financial institutions issue verifiable credentials directly to identity owners.
If want to use that credential somewhere other than where it was issued from, it can be instantly verified by any relying party I share it with, without having to check with the issuer.
SSI isn't dependent upon any particular means of authentication. It offers a protocol supporting any authentication method that two (or more) parties opt to use. One implementation might use facial or voice biometrics while another uses proof of location, and another simply exchanges digitally signed attestations, which are incredibly strong.
User-centric identity gives the user greater control than before, and that’s great! However, it never realized its original intent — user independence — and it actually left large intermediaries with even more power than before. Facebook and Google, the biggest beneficiaries of the move to user-centric identity, would call their services user-centric.
Even the term gives it away: you’re still a user and not the owner, and that means the underlying service is siloed or federated, not self-sovereign. Of course with SSI there are services provided by third parties, such as cloud agent hosting and relationship management apps and tools, but they are modular and replaceable.