An introduction to Lissi — Let’s initiate self-sovereign identity.
This article explains the intentions of the research initiative “Lissi” and explains the technical implementation. This Article is also available in German.
Lissi is a cross-industry research initiative for a new way to identify, authenticate and authorise individuals, legal entities and things. It’s objective is to establish an ecosystem for self-sovereign identities in Germany and the EU.
The concept of self-sovereign identity focuses on the administration of personal data. Instead of an organisation or institution as main authority, the user is central point in the administration of his data. In this context, the term “self-sovereign” refers to a person’s ability to decide which application (wallet) should be used for administration, where the issued identity information should be stored (locally or in the cloud) and to whom information should be transmitted. Furthermore, the user is given extensive options to disclose only the required minimum of information, for example, by only sharing necessary information of a certificate instead of disclosing the complete content of a document. In addition, a person gains more control over the consent about the use of his or her data, as well as the exercise of data protection rights defined in the DSGVO, which is the German counterpart to the GDPR.
The consortium is funded by the Germany Federal Ministry of Economics as part of the innovation competition for digital identities called “Schaufenster Digitale Identitäten”. The project “Self-Sovereign Identity for Germany (SSI4DE)” includes a blockchain enabled, self-sovereign identity system. For this purpose, an identity network is being established at various German locations to test the implementation. Ultimately, a decentralized identity ecosystem for secure digital identities will be developed, which will be interoperable with other European and international networks. The project aims to facilitate access to German products and services for the economy, administration and citizens, which is equally user-friendly, trustworthy and economical.
This identity system aims to allow all institutions (“identity issuers”) to issue their verified identity data to the user. Individuals can store the received verified credentials on consumer devices (especially mobile phones). Users (“identity holders”) have the option to provide these certificates as proof.
A user can therefore identify and authenticate himself to other institutions (“identity verifiers”). Identity holders can be both natural and legal persons as well as objects (e.g. vehicles). The verification of the legitimacy of the presented proof can be executed by comparing the public key or rather the decentralized identifier (DID) of the issuer with the digital signature of the proof. The DIDs of identity issuers are stored on the distributed Lissi network and are accessible for the public.
The system will not be limited to the exchange of personal identity data, but also allows the exchange of any information required for authentication purposes. This can be the transfer of registration data, information about creditworthiness, Membership certificates, admission tickets of any kind as well as the access to websites (via single sign-on “SSO”) or buildings.
This information is transmitted via an encrypted peer-to-peer connection established between the holder and the issuer or verifier. Hence, the communication takes place directly between two parties without the need for an intermediary. For each new connection, a different DID is used to avoid correlation of identity data and the unwanted creation of user profiles by third parties. Since it is difficult to correlate these connections back to an individual the approach creates an increased level of privacy for the user.
The network will offer interfaces to existing standards such as OpenID Connect to enable a fast acceptance and distribution via the single-sign-on functionality. Furthermore, a inclusion of sovereign ID documents shall be enabled, especially the use of the eID function of the national identity card. The registry for DIDs will leverage the open-source framework Hyperledger Indy. The DIDComm protocol, which is managed by the Decentralized Identifier Foundation (DIF), is used for encrypted communication between two endpoints. The endpoints themselves are so-called agents, which are implemented using the Hyperleger Aries framework. Hyperledger is an open-source software library managed by the Linux Foundation.
The distributed network will be set up with permissioned write and public read rights. Only the DIDs of identity issuers are stored on the blockchain to ensure verification of the information issued by these parties. While not yet determined, we believe, that this architecture is compatible with existing requirements of the GDPR.
The partners of the initiative are looking forward to the start of the competitive phase of the federal innovation competition, which will start in June 2020. The initiative is open to new partners under the condition that they wish to implement use cases based on the technical standards used. More information about the project can be found on our website www.lissi.id.