Author: Peter Amrhyn

Self Sovereign Identity: Self-governing and yet secure

A digital identity that users manage themselves? Can that even be secure? Behind it lies a complex system consisting of several entities and modern technologies. Dr. Paul Muntean, Senior Cyber Security Engineer at Swisscom Trust Services, explains the system's background.

Self-sovereign identity does not mean everyone can create their own identities as they see fit. Self-Sovereign Identity (SSI) also involves official bodies, government, or other institutions acting as issuers of identities. However, identity here is much broader than one might think and includes documents such as credentials, membership cards, payment data, and much more. Even machines can issue identities; for example, a sensor could transmit digitally signed proof of particular readings. The SSI ecosystem comprises three entities: Issuer, Holder, and Verifier.


The state is the most apparent issuer of digital (and analog) identities: among other things, it issues identity cards and passports. Theoretically, however, any person or institution can create digital identities, just as these actors can issue analog proof. The credibility of these credentials ultimately depends on the reputation of the issuing institution. A degree from a university, for example, indicates a certain level of education. Of course, the tools used to create such proofs must be kept under strict control. In the analog field, these are, in particular, the seals of a university or the printing plates with which the Federal Printing Office prints the unique pattern on the paper of the passport. The equivalent in the digital domain is the private cryptographic keys that are an elementary component of the public key infrastructure underlying the certificates in the SSI ecosystem. Digital certificates that function according to this principle are already used today for electronic signatures and can easily be adapted to the new use case.


In the SSI framework, the holder is usually a citizen who requests verifiable credentials from the issuing institutions and stores them in a wallet. Beyond what a physical wallet typically holds, an identity wallet can keep many more credentials of all kinds. Although individual citizens are the obvious users, company wallets are also conceivable, holding, for example, the company credit card, credentials, and certificates. At the wallet level, self-determination also comes into play: the user decides what information to disclose. If, for example, foreign language skills have to be proven, a user could transmit only this information from a certificate without the recipient seeing the other grades. This principle of data economy can also be transferred to other applications, such as proof of age when shopping online. A current big topic in the media is 3G proof in trains. If one were to log on to the railway website with an SSI instead of a username and password, the vaccination status could also be transmitted there, and the problem of checks would be solved.


Verifiers can be any person, organization, or thing looking for a trustworthy guarantee for identities or other types of proof. They request this from the Holder. This is an essential point with SSI: there is no direct communication between the issuer and verifier. This is interesting, for example, in the case of employment certificates. On a technical level, the Public Key Infrastructure comes into play again as a fundamental principle in verification. Since only the keys used to create credentials have to remain secret in this procedure, anyone can verify an issued credential with the public key. If the holder agrees (and the holder always has a choice), the holder's agent responds with proof that the verifier can then verify. The crucial step in this process is demonstrating the issuer's digital signature, usually done with a Decentralised Identifier (DID), which can be stored on a blockchain network.
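
The selective disclosure and issuer-independent verification described above, as an added Go example that is not from the article or from Swisscom Trust Services. It assumes one possible construction (an Ed25519 signature over salted SHA-256 digests of each claim, as in SD-JWT-style selective disclosure); the type and function names, claim values and salts are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Claim is one credential attribute. The salt (random in real use) keeps
// undisclosed values from being guessed from their digest.
type Claim struct{ Name, Value, Salt string }

func digest(c Claim) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%q%q%q", c.Salt, c.Name, c.Value))))
}

// Issue (issuer role): sign the digests of all claims, never the raw values.
func Issue(priv ed25519.PrivateKey, claims []Claim) (digests []string, sig []byte) {
	for _, c := range claims {
		digests = append(digests, digest(c))
	}
	return digests, ed25519.Sign(priv, []byte(strings.Join(digests, "\n")))
}

// Verify (verifier role): needs only the issuer's public key; no issuer contact.
func Verify(pub ed25519.PublicKey, digests []string, sig []byte, disclosed []Claim) bool {
	signed := map[string]bool{}
	for _, d := range digests {
		signed[d] = true
	}
	ok := ed25519.Verify(pub, []byte(strings.Join(digests, "\n")), sig)
	for _, c := range disclosed {
		ok = ok && signed[digest(c)] // each disclosed claim must match a signed digest
	}
	return ok
}

// Demo: the holder discloses only the language claim, then tries an altered one.
func Demo() (accepted, forgedAccepted bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	claims := []Claim{{"language", "English C1", "salt-1"}, {"math_grade", "4.5", "salt-2"}} // constructed
	digests, sig := Issue(priv, claims)
	accepted = Verify(pub, digests, sig, claims[:1]) // math_grade stays hidden
	forgedAccepted = Verify(pub, digests, sig, []Claim{{"language", "English C2", "salt-1"}})
	return
}

func main() { fmt.Println(Demo()) }
```

The verifier sees the digest of the undisclosed grade but cannot recover its value without the salt, and any change to a disclosed value breaks the match against the signed digests.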


Properly implemented, the SSI approach offers excellent potential for self-determined handling of personal data. The entire system provides a high level of security; the underlying technologies, such as blockchain and asymmetric cryptography, have been tried and tested for decades and are constantly being further developed to adapt to current requirements. It is also important to create simple and secure options for initial identification for users and ensure information transmission in the framework via specific channels.
