A Focus on the Trust Triangle for Digital Identity
In a previous article, Functional Analysis for Implementing Self-Sovereign Identity (SSI) in Your Business, we discussed how decentralized identity is transforming digital identity management by giving users complete control over their personal data, and we stressed the importance of a detailed functional analysis for a successful implementation. In this article, we focus on the main use cases within an SSI ecosystem, exploring the interactions and roles between the key players.
What is the SSI Trust Triangle?
The trust triangle is a fundamental concept describing the trust relationship among three actors in the SSI ecosystem: the issuer, the holder, and the verifier. This trust triangle ensures that digital credentials are issued, managed, and verified securely and reliably.
Roles and Responsibilities:
- Issuer: The entity that issues digital credentials based on certain attributes or information of the holder and digitally signs them. Examples include universities issuing digital diplomas, governments issuing digital IDs, or companies issuing employment certificates.
- Holder: The person or entity that receives and possesses the digital credential. The holder stores these credentials in their identity wallet and presents them when needed. They have full control over who can view and verify their credentials, ensuring privacy and control over their identity.
- Verifier: The entity that verifies the authenticity and validity of the digital credential presented by the holder. They ensure that the credential was issued by a trusted issuer and that the information contained in the credential is valid. Examples include employers verifying employment certificates, airlines verifying digital passports, or financial institutions verifying customer information.
Credential Issuance
Credential issuance involves the issuer and the holder and can be initiated in two ways:
1. User-Initiated Request
The holder initiates the action by requesting the issuer to generate a credential. This process can be done through an application provided by the issuer. Once the request is approved, the credential is sent to the user’s identity wallet.
2. Automatic Issuance
Automatic issuance occurs without an explicit request from the user. It happens when a specific action within a system triggers the issuance of a credential, which is then sent automatically to the holder’s identity wallet without requiring additional confirmation.
Credential Reception
The holder receives credentials either through mobile applications or web applications.
Mobile Identity Wallet
If the holder initiates the credential issuance request, the issuer’s site or application generates a credential embedded in a QR code or a deeplink.
- QR Code: The holder scans the QR code with their phone’s camera or the wallet’s integrated camera. This initiates the Wallet and Credential Interactions (WACI) flow, involving a message exchange with the SSI backend. The user accepts and saves the generated credential in their wallet.
- Deeplink: The holder accesses the deeplink received from the issuer, automatically initiating the WACI flow. The user accepts and saves the generated credential in their wallet.
Web Identity Wallet
For web wallets, the reception can be automatic. The generated credential appears directly in the wallet without needing user confirmation. This process also involves the WACI protocol.
Credential Presentation and Verification
Credential presentation involves both the holder and the verifier. The verifier can be a web or mobile application, depending on the needs of the user and of the verification context.
Presentation Methods:
1. QR Code Scan
The verifier presents a QR code that the user scans with their device. The user selects the credential they wish to present and can either use Selective Disclosure, revealing only the data the verifier needs from the credential, or present the entire credential.
2. Automatic Presentation
The user can select the credential they wish to present from their web wallet and choose the verifier to whom they wish to present it.
Verifier Validations
The verifier validates the credential, ensuring it is current, valid, and issued by an authorized issuer. After validating the credential, specific business rules of the verifier are applied. The validation results are shown to both the user and the verifier.
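As an added example that is not part of the original article, the following Python script walks the three roles of the trust triangle through the flows described above: the issuer signs a credential, the holder presents it with Selective Disclosure, and the verifier performs the validations just listed (trusted issuer, intact signature, not expired, disclosed claims match what was signed) before applying a business rule. All identifiers are constructed (the did:example:... issuer names, key bytes, claim names and the fixed clock value). One assumption is made to keep the script to the standard library: an HMAC over the credential stands in for the issuer's digital signature, whereas a real ecosystem uses an asymmetric signature so that the verifier holds only the issuer's public key. The WACI message exchange is not modelled; the credential and presentation are passed around as Python dictionaries.

```python
"""Trust-triangle walkthrough: issuer -> holder -> verifier (added example)."""
import hashlib
import hmac
import json
import secrets

# Constructed sample keys. ASSUMPTION: an HMAC over the credential stands in for
# the issuer's digital signature; a real deployment uses an asymmetric signature
# so that the verifier only needs the issuer's public key, never the signing key.
ISSUER_KEYS = {
    "did:example:university": b"constructed-university-signing-key",
    "did:example:diploma-mill": b"constructed-untrusted-signing-key",
}
# The verifier's trust registry: only issuers listed here are accepted.
TRUSTED_ISSUERS = {"did:example:university": ISSUER_KEYS["did:example:university"]}


def _canonical(obj):
    """Deterministic JSON encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, payload):
    return hmac.new(key, _canonical(payload), "sha256").hexdigest()


def _claim_digest(name, value, salt):
    """Salted digest of one claim; the salt stops a verifier from recovering an
    undisclosed value (e.g. a birth year) by guessing and hashing candidates."""
    return hashlib.sha256(f"{salt}|{name}|{json.dumps(value)}".encode()).hexdigest()


def issue_credential(issuer, claims, ttl_seconds, now):
    """Issuer: sign the claim digests plus metadata, not the clear-text claims,
    so the holder can later reveal any subset without breaking the signature."""
    salts = {name: secrets.token_hex(16) for name in claims}
    payload = {
        "issuer": issuer,
        "issued_at": now,
        "expires_at": now + ttl_seconds,
        "digests": {n: _claim_digest(n, v, salts[n]) for n, v in claims.items()},
    }
    # Everything below is what lands in the holder's identity wallet.
    return {
        "payload": payload,
        "signature": _sign(ISSUER_KEYS[issuer], payload),
        "claims": claims,
        "salts": salts,
    }


def present(credential, disclose):
    """Holder: build a presentation that reveals only the requested claims
    (Selective Disclosure) together with their salts."""
    return {
        "payload": credential["payload"],
        "signature": credential["signature"],
        "disclosed": {
            n: {"value": credential["claims"][n], "salt": credential["salts"][n]}
            for n in disclose
        },
    }


def verify_presentation(presentation, now, required=()):
    """Verifier: trusted issuer, intact signature, not expired, every disclosed
    claim matches its signed digest, then the business rule (required claims).
    Returns (ok, verified_claims) on success or (False, reason) on failure."""
    payload = presentation["payload"]
    key = TRUSTED_ISSUERS.get(payload["issuer"])
    if key is None:
        return False, "issuer not in trust registry"
    if not hmac.compare_digest(_sign(key, payload), presentation["signature"]):
        return False, "signature does not match"
    if now > payload["expires_at"]:
        return False, "credential expired"
    verified = {}
    for name, item in presentation["disclosed"].items():
        expected = payload["digests"].get(name)
        if expected is None or _claim_digest(name, item["value"], item["salt"]) != expected:
            return False, f"claim {name!r} does not match its signed digest"
        verified[name] = item["value"]
    missing = [r for r in required if r not in verified]
    if missing:
        return False, f"required claims not disclosed: {missing}"
    return True, verified


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed fixed clock for a reproducible run
    cred = issue_credential(
        "did:example:university",
        {"name": "Ada Lovelace", "degree": "MSc Computer Science", "birth_year": 1990},
        ttl_seconds=3600, now=NOW,
    )
    # An employer only needs the degree; name and birth year stay in the wallet.
    print(verify_presentation(present(cred, ["degree"]), NOW + 10, required=["degree"]))
    tampered = present(cred, ["degree"])
    tampered["disclosed"]["degree"]["value"] = "PhD"  # holder edits a disclosed value
    print(verify_presentation(tampered, NOW + 10))
    print(verify_presentation(present(cred, ["degree"]), NOW + 7200))  # past expiry
```

The order of checks mirrors the article: the verifier first decides whether it trusts the issuer at all, then whether the credential is intact and current, and only then looks at the disclosed claims and its own business rule. Because the signature covers salted digests rather than clear-text values, the holder can hand over just the degree while the verifier still confirms that this exact value was part of what the university signed.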
Conclusion
These use cases highlight the flexibility and control that decentralized identity offers, allowing users to manage their credentials securely and efficiently. Understanding these flows and the information exchange between SSI ecosystem actors is crucial to appreciating the benefits and innovation brought by this system.
For more information on Self-Sovereign Identity (SSI), use cases, applications, and industries that can implement decentralized identity systems, visit: