In SSI (Self-Sovereign Identity), anyone can generate their own DID (Decentralized ID). No authority or authorization is needed to create one. Since a public key pair is associated with a DID, the person can prove ownership by using the private key. The DID document, which includes the DID, is stored in a blockchain that prevents illegal manipulation. In some materials on the web, they call this decentralized PKI. This is a little confusing because I always associated PKI with certificates issued by CAs.

In SSI, how do people verify that the given DID is Alice's DID? Furthermore, how do people verify that the given DID is the Issuer's DID (for example, a university that issues verifiable credentials of a diploma)? Do we need some other mechanism (perhaps centralized PKI to prove this DID is Alice's DID to the issuer before requesting her diploma)? What is the main reason we no longer need certificates when using public keys?
1 Answer
A certificate is a document containing a public key, identity information associated with that key, a signature, and information about what entity created the signature. A self-signed certificate is any certificate where the signature was created by the same entity that has the private key of the certificate. A DID is just a self-signed certificate.
By using their private key to sign a challenge, the DID holder can verify to others that they possess that private key, and thus are the same entity as they were when the DID was created and added to the blockchain. Nothing about the blockchain ensures that the identity information is correct, of course, only that it hasn't changed. That step has to be done independently. In your example, the university could publish their DID on their web site.
You might note that this doesn't get rid of certificates; it just calls self-signed certificates DIDs.
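The two separate checks the answer describes, proof of key possession by signing a challenge and an independent check that the DID belongs to the claimed party, are shown here as an added example that is not part of the original answer. The `did:example:` identifiers, the simplified DID document shape and all function names are constructed for illustration, and ledger resolution is skipped (the document is passed in directly).

```javascript
// Added example; the DIDs, names and document shape below are constructed.
const nodeCrypto = require('node:crypto');

// Holder: generate a key pair and a self-asserted DID document.
function createHolder(did, claimedName) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const didDocument = {
    id: did,
    claimedName, // self-asserted: nothing on the ledger vouches for this
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
  };
  return { didDocument, sign: (msg) => nodeCrypto.sign(null, msg, privateKey) };
}

// Verifier: a fresh random challenge per attempt, so old signatures cannot be replayed.
function newChallenge() {
  return nodeCrypto.randomBytes(32);
}

// Check 1: the responder holds the private key for the key in the DID document.
function provesPossession(didDocument, challenge, signature) {
  const key = nodeCrypto.createPublicKey(didDocument.publicKeyPem);
  return nodeCrypto.verify(null, challenge, key, signature);
}

// Check 2: the DID matches one learned through an independent channel
// (assumption: the verifier read it from the university's own web site).
function verifyIssuer(didDocument, challenge, signature, trustedDids) {
  if (!provesPossession(didDocument, challenge, signature)) return 'bad-signature';
  if (!trustedDids.has(didDocument.id)) return 'key-ok-identity-unverified';
  return 'verified';
}

function demo() {
  const university = createHolder('did:example:university-123', 'Example University');
  const impostor = createHolder('did:example:impostor-456', 'Example University');
  const published = new Set(['did:example:university-123']);
  const attempt = (doc, signer) => {
    const c = newChallenge();
    return verifyIssuer(doc, c, signer.sign(c), published);
  };
  const staleSig = university.sign(newChallenge());
  return {
    university: attempt(university.didDocument, university),
    impostorOwnDid: attempt(impostor.didDocument, impostor),
    impostorStolenDoc: attempt(university.didDocument, impostor),
    replayedSignature: verifyIssuer(university.didDocument, newChallenge(), staleSig, published),
  };
}
```

The impostor's own DID passes the signature check yet is still rejected, because a valid signature only shows control of a key, not who the key holder is.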