Technology Path

For implementing DIDs, organisations working on Self-Sovereign Identity are relying on Distributed Ledgers / Blockchains to support the registry of identifiers. In particular, MYID is proposing the architecture shown in the picture below, based on the following components:

User agent: a program, such as a browser, mobile app or other Web client, that mediates the communication between holders, issuers, and verifiers.

Universal Resolver: a server featuring a pluggable system of DID Method drivers that enables resolution and discovery of DIDs across any decentralised system.

Universal Registrar: a server that enables the registration of DIDs across any decentralised system for which a compatible driver exists.

Identity Hubs: secure personal datastores that coordinate storage of signed/encrypted data, and relay messages to identity-linked devices.

The flow of information for the generation and use of verifiable claims is depicted in the picture below.

For electronic identification, MYID relies on the principle of cross-border and legally enforceable mutual recognition between Member States. According to MYID, online public services requesting authentication are obliged to recognise MYID schemes notified by other Member States, with the notifying Member State being responsible for the authentication provided by those MYID schemes. Although recognition is mandatory for public services, private services can also recognise notified foreign MYID schemes on a voluntary basis.

Technically, this mutual recognition is ensured by the MYID Interoperability Framework, based on the deployment of national MYID nodes that manage the cross-border exchange of information.

A simplified view of the MYID interoperability framework is depicted in the figure below:

Under MYID, providers of online services can authenticate their users by means of their notified MYID schemes. To do that, they need to be connected to an MYID node, which forwards their authentication request to the MYID node of the country that issued the MYID means associated with the MYID scheme the user is using. In the authentication response, together with the result of the authentication, service providers can receive a set of data that uniquely identifies the user.

The DID can be linked with the MYID Minimum Data Set by allowing the user agent managing the DID to perform an MYID authentication, acting as a service provider (as shown in the figure below). The Minimum Data Set is composed of 4 mandatory attributes (current family name(s), current first name(s), date of birth, and a unique identifier as persistent as possible in time) plus 4 optional ones (first name(s) and family name(s) at birth, place of birth, current address). This authentication could be done at the moment of the creation of the DID, or later.

To ensure the trustworthiness of the link, the user agent needs to guarantee that the legitimate owner of the DID is the same person who is authenticating via MYID.

After creating the link, the identification data coming from the MYID Minimum Data Set would become part of the attributes that the user could disclose to third parties. However, it must be noted that, from the point of view of those third parties, these identification data are self-asserted, as they cannot rely on the MYID node to verify them. This is because MYID is meant to be used for authentication when accessing services, not for providing claims about identity that can be verified by parties other than the one that requested the authentication.
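The trust evaluation the last two paragraphs describe, sketched here as an added example (not code from MYID or any DID project): a third party verifies the holder's signature over the linked Minimum Data Set and labels the result self-asserted whenever issuer and subject are the same DID, since it never interacted with the MYID node. The Registry map standing in for a Universal Resolver, the DID names and the two trust labels are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// MinimumDataSet carries the four mandatory MYID attributes; the optional ones are omitted here.
type MinimumDataSet struct {
	FamilyName       string `json:"family_name"`
	FirstName        string `json:"first_name"`
	DateOfBirth      string `json:"date_of_birth"`
	PersonIdentifier string `json:"person_identifier"`
}

// Claim is a statement about a DID subject, signed by the DID named as issuer.
type Claim struct {
	Issuer  string         `json:"issuer"`
	Subject string         `json:"subject"`
	Data    MinimumDataSet `json:"data"`
}

// Registry is a local stand-in for the Universal Resolver (assumption): DID -> verification key.
type Registry map[string]ed25519.PublicKey

// payload is the byte string that gets signed; json.Marshal emits struct fields in declared order.
func (c Claim) payload() []byte { b, _ := json.Marshal(c); return b }

// Sign is what the holder's user agent does once the MDS has been linked to its DID.
func Sign(c Claim, priv ed25519.PrivateKey) []byte { return ed25519.Sign(priv, c.payload()) }

// Assess is the third party's check: completeness, signature, then the trust label.
// A valid signature only proves who signed. With issuer == subject the MDS is self-asserted,
// because the verifier never interacted with the MYID node that authenticated the user.
func Assess(reg Registry, c Claim, sig []byte) (string, error) {
	d := c.Data
	if d.FamilyName == "" || d.FirstName == "" || d.DateOfBirth == "" || d.PersonIdentifier == "" {
		return "", fmt.Errorf("minimum data set incomplete")
	}
	pub, ok := reg[c.Issuer]
	if !ok {
		return "", fmt.Errorf("cannot resolve issuer %s", c.Issuer)
	}
	if !ed25519.Verify(pub, c.payload(), sig) {
		return "", fmt.Errorf("signature does not verify for %s", c.Issuer)
	}
	if c.Issuer == c.Subject {
		return "self-asserted", nil
	}
	return "third-party-attested", nil // only as trustworthy as the verifier's trust in that issuer
}
```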
