August 30, 2019
By Scott Perry, member of the Sovrin Governance Framework Working Group
Scott Perry owns and operates Scott S. Perry CPA PLLC, a boutique cybersecurity CPA audit firm that is one of only seven firms qualified to audit public Certification Authorities (internet trust anchors) in the U.S. He is a founding member of the Sovrin Governance Framework Working Group and has lent his expertise to major sections of the Sovrin Governance Framework V2, in particular the Sovrin Trust Assurance Framework. In this blog post he shares his vision for where SSI infrastructure is going.
As a career cybersecurity auditor, I finally see the tipping point where individuals conducting high-value transactions can be relied upon with great integrity and legitimacy upon a global scale.
I was one of the pioneers investigating internet security back in 1994 when the architectures of digital signature and certification authorities were being introduced. Why has it taken over 25 years to proclaim that we finally have a chance for a trustworthy internet? Three factors: cost, cooperation, and dependence.
In 1995, I publicly projected that there would be billions in ecommerce revenue amid a skeptical landscape of only a few early vendors such as FTD for flowers and a startup bookseller called Amazon. Since that time, the utility of the internet has far exceeded the global tolerance for cybersecurity risk. At the outset, internet service providers were reluctant to implement the security protocols and trust anchors needed to build security from the ground up. Slowly that changed—the persuasive business case for reading real-time news, shopping in your underwear, and accessing the Library of Congress at your fingertips finally outweighed the risk of operating in the milieu of a wild west movie.
While pockets of attempts to legitimize the anonymity of internet traffic have had some success, our global dependence on an internet fraught with identity theft, ineffective user IDs/passwords, ransomware, and security breaches has finally raised the ire of the core user community. People are now willing to pay for a more assured internet.
While five years ago I would have said that our predicament was leading to a doomsday scenario because federated digital identity frankly would not scale, I am more hopeful today. The reason is that I feel we collectively now have the motivation, technology, and potential for global cooperation that can finally establish a trusted internet communication protocol above the insecure TCP/IP stack. This new protocol could propel an entirely new set of trusted applications to thrive and change our daily digital lives.
The internet has had an identity problem since its inception. Black markets and cryptocurrencies have perpetuated this anonymity and thrived under it. But the lack of a true internet identity layer stymies the introduction of a new wave of revolutionary applications that depend on the legitimacy of one’s identity within the process. Envision an internet where every user is accountable for their actions, and behavior will change. Fast.
The advent of blockchain technology is the secret sauce. The technology is not radically complex and, in most instances, can run on standard servers. It employs public key infrastructure, technology that has been around for 25 years. What is novel is a committed layer of governance that the internet has not seen to date. It requires cooperation of jurisdictions, high-tech companies, and self-established governing authorities who agree to operate within a trust and accountability framework in order to meet their own control objectives that in turn contribute to a larger trust layer.
The efforts of the Sovrin Foundation and other decentralized identity innovators have demonstrated the ability of blockchain technology to finally solve the integrity of internet identity. They have shown us how trustworthy internet identities can be established, stored, and operated using simple mobile phone interfaces, yet be cryptographically strong enough to be relied upon by organizations who have never met you. Imagine the power of that.
I’m encouraged that there has been more activity in the identity space in the last three years than I have seen in the prior twenty. The promise of impending verifiable credential standards and protocols connected to globally-available blockchains will allow internet users to prove their identity anywhere in the world without all the bureaucratic overhead of physical identity documents.
However, it will require global governance and accountability in the system. This is not a trivial task. Global governance requires legal jurisdictions and tech titans to put aside their proprietary intentions and come together to agree on a new trusted internet protocol stack. TCP/IP has been in place since the 1970s. It is time for a reimagined protocol that puts trusted transactions at its core. Public key infrastructure, cloud technology, and mobile 5G will all play a role. Once that stack is defined, we need global cooperation to advance its adoption. Technology alone will not be the linchpin. The needed work is in internet governance where there are few models today.
The internet needs global governance models to establish domain-specific (i.e. jurisdictional or industry) governance bodies to manage how trusted internet identities will be established, operated, and made accountable. They do not exist today, but as part of the Sovrin Governance Framework Working Group, we are building the template.
Solid governance requires leadership, clear knowledge of affected cybersecurity risks, tenets of accountability, and intestinal fortitude to keep the mission moving forward with integrity. Governors need to be vigilant about collaborating on standards and keeping the health of the larger internet in mind. We need innovators that envision the power of new applications that rely upon standards-based internet identities created without massive overvetting. Governors need the integrity of judges as they will become the de facto courts of internet law. And they must do it all without even the appearance of conflicts of interest.
Recent legislators have called healthcare a basic human right. I believe the ability to traverse the internet safely, securely, and privately is a basic human right that will need global cooperation to achieve. I invite you to join our work here to help make it happen.