Self-Sovereign Identity & DIDs
Lesson by Uvin Vindula
Self-sovereign identity (SSI) is a paradigm shift in how digital identity works. Instead of platforms and governments controlling your identity, you control it. You hold your own credentials in a digital wallet, share only what's necessary for each interaction, and no central authority can revoke your identity or access your data without your consent. This lesson explains the architecture, standards, and practical reality of SSI.
The Three Models of Digital Identity
| Model | Who Controls Identity | Example |
|---|---|---|
| Centralized | A single authority (government, platform) | Your NIC, a Facebook account |
| Federated | Multiple authorities sharing access | "Sign in with Google" across websites |
| Self-Sovereign | The individual — you | Credentials in your own digital wallet |
What is a Decentralized Identifier (DID)?
A DID (Decentralized Identifier) is a new type of globally unique identifier that doesn't require a centralized registration authority. Unlike an email address (controlled by Google or your email provider) or a phone number (controlled by your telecom company), a DID is created, owned, and controlled entirely by you.
A DID looks something like this:
did:example:123456789abcdefghi
The structure has three parts:
- did: — The URI scheme identifying this as a DID.
- example: — The DID method (specifying which blockchain or network resolves this DID).
- 123456789abcdefghi — Your unique identifier on that network.
DIDs are defined by the W3C (World Wide Web Consortium) DID specification, which became an official web standard in 2022. This means DIDs have the same standards-body backing as HTML, CSS, and HTTP — they are not a fringe concept but a formally standardized technology.
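A verifier or resolver should validate a DID string before acting on it. The following is an added example, not part of the original lesson: a strict parser for the three-part structure above, following the syntax rules of the W3C DID specification. The function name `parseDid` and the method allow-list are assumptions made for illustration.

```javascript
// Added example: strict syntax check for a bare DID (no path, query or fragment).
// parseDid and allowedMethods are hypothetical names, not from any DID library.
const METHOD_NAME = /^[a-z0-9]+$/;                             // lowercase letters and digits only
const ID_SEGMENT = /^(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})*$/;    // idchar or percent-encoded byte

function parseDid(input, allowedMethods) {
  if (typeof input !== "string") return { ok: false, error: "not a string" };
  const parts = input.split(":");
  if (parts.length < 3 || parts[0] !== "did") {
    return { ok: false, error: "missing did: scheme or parts" };
  }
  const [, method, ...idSegments] = parts;
  if (!METHOD_NAME.test(method)) return { ok: false, error: "invalid method name" };
  // The identifier may contain further colons, but its last segment must not be empty.
  const lastSegment = idSegments[idSegments.length - 1];
  if (!idSegments.every((s) => ID_SEGMENT.test(s)) || lastSegment === "") {
    return { ok: false, error: "invalid method-specific id" };
  }
  // Only hand the DID to resolvers for methods this verifier has chosen to trust.
  if (!allowedMethods.includes(method)) return { ok: false, error: "method not allowed" };
  return { ok: true, method, id: idSegments.join(":") };
}

// Constructed inputs: the first is the lesson's own example DID.
console.log(parseDid("did:example:123456789abcdefghi", ["example"]));
console.log(parseDid("did:Example:abc", ["example"]));
```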
How SSI Works in Practice
The SSI model has three roles:
1. Issuer — An entity that creates and signs a credential (e.g., a university issues a degree, a government issues an ID, an employer issues proof of employment).
2. Holder — The individual who receives, stores, and controls the credential in their digital wallet. This is you.
3. Verifier — An entity that needs to verify a claim (e.g., a bank verifying your identity, a bar verifying your age, an employer verifying your degree).
The flow works like this:
- The Issuer creates a Verifiable Credential (VC) — a digitally signed attestation about you. Example: the University of Colombo issues a VC confirming you hold a BSc in Computer Science.
- You receive this VC and store it in your digital wallet (an app on your phone or a hardware device).
- When a potential employer needs to verify your degree, you create a Verifiable Presentation (VP) — sharing only the specific claims needed (e.g., "I hold a BSc from University of Colombo") without revealing unnecessary data (your grades, student ID number, etc.).
- The Verifier checks the digital signature against the Issuer's DID to confirm the credential is authentic, unaltered, and not revoked — all without contacting the university directly.
Verifiable Credentials: Digital Certificates That You Control
A Verifiable Credential (VC) is the digital equivalent of a physical credential — but cryptographically secured and privacy-preserving. VCs follow the W3C Verifiable Credentials Data Model standard and contain:
- Issuer: Who issued the credential (identified by their DID)
- Subject: Who the credential is about (your DID)
- Claims: The actual assertions (e.g., "date of birth: 1995-03-15", "degree: BSc Computer Science")
- Proof: A cryptographic signature from the issuer that proves authenticity and prevents tampering
- Expiry/Revocation: When the credential expires or how to check if it's been revoked
Unlike a paper certificate that can be forged, a VC is cryptographically signed — any alteration would invalidate the signature. Unlike a centralized database record, the VC is held by you and shared only when you choose to.
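The issuer-signs, verifier-checks flow and the credential fields described above, as an added example that is not part of the original lesson: an issuer signs a credential with Ed25519, and a verifier checks the signature, expiry and revocation without contacting the issuer. Assumptions: the sorted-key JSON serialization, the in-memory DID registry and revocation set, and all field names and sample values are simplified stand-ins, not the W3C proof formats or a real DID resolver.

```javascript
const crypto = require("node:crypto");

// Deterministic JSON (sorted keys) so signer and verifier process identical bytes.
// Assumption: stands in for a real canonicalization scheme.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Issuer: sign every field, then attach the proof.
function issueCredential(fields, issuerPrivateKey) {
  const sig = crypto.sign(null, Buffer.from(canonical(fields)), issuerPrivateKey);
  return { ...fields, proof: { type: "Ed25519", signature: sig.toString("base64") } };
}

// Verifier: look up the issuer's key by DID, then check signature, expiry, revocation.
function verifyCredential(vc, didRegistry, revokedIds, now = new Date()) {
  const { proof, ...fields } = vc;
  const issuerKey = didRegistry.get(vc.issuer);
  if (!issuerKey) return { ok: false, reason: "unknown issuer DID" };
  if (!proof || typeof proof.signature !== "string") return { ok: false, reason: "missing proof" };
  const valid = crypto.verify(null, Buffer.from(canonical(fields)), issuerKey,
    Buffer.from(proof.signature, "base64"));
  if (!valid) return { ok: false, reason: "bad signature" };
  // Fail closed: a missing or unparseable expiry counts as expired.
  if (!(new Date(vc.expires) > now)) return { ok: false, reason: "expired" };
  if (revokedIds.has(vc.id)) return { ok: false, reason: "revoked" };
  return { ok: true, reason: "valid" };
}

// Constructed sample data: DIDs, credential id and claims are invented for this example.
const issuerKeys = crypto.generateKeyPairSync("ed25519");
const didRegistry = new Map([["did:example:university", issuerKeys.publicKey]]);
const degreeVc = issueCredential({
  id: "urn:example:vc:1",
  issuer: "did:example:university",
  subject: "did:example:123456789abcdefghi",
  claims: { degree: "BSc Computer Science" },
  expires: "2999-01-01T00:00:00Z",
}, issuerKeys.privateKey);

// A claim edited after issuance no longer matches the issuer's signature.
const tamperedVc = { ...degreeVc, claims: { degree: "PhD Computer Science" } };
console.log(verifyCredential(degreeVc, didRegistry, new Set()).reason);
console.log(verifyCredential(tamperedVc, didRegistry, new Set()).reason);
```

The order of checks matters: expiry and revocation are only meaningful once the signature has been verified, because an unsigned `expires` or `id` field could be set by anyone.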
Real-World Applications
SSI is not theoretical — it is being deployed today:
- EU Digital Identity Wallet (eIDAS 2.0): The European Union is building a digital identity wallet for all 450 million EU citizens, based on SSI principles. By 2026, EU member states must offer citizens digital wallets for storing government-issued credentials.
- Bhutan's National Digital Identity: Bhutan launched the world's first national SSI system, issuing self-sovereign digital IDs to all citizens using blockchain technology.
- ION (Identity Overlay Network): Microsoft's decentralized identity network built on Bitcoin's blockchain, enabling DIDs that leverage Bitcoin's security without requiring Bitcoin transactions for every identity operation.
- Professional Credentials: Organizations like the International Association of Privacy Professionals (IAPP) issue Verifiable Credentials for certifications that holders can share with employers instantly.
Key Takeaways
- Self-sovereign identity (SSI) shifts control from platforms and governments to individuals — you hold your own credentials and share only what's necessary
- Decentralized Identifiers (DIDs) are a W3C standard for globally unique identifiers that you create and control without any centralized registration authority
- SSI has three roles: Issuers (create signed credentials), Holders (store credentials in wallets), and Verifiers (check credential authenticity cryptographically)
- Verifiable Credentials (VCs) are cryptographically signed digital certificates that cannot be forged and are controlled by the holder, not a central database
- Real deployments include EU Digital Identity Wallet (450M citizens), Bhutan's national SSI system, and Microsoft's ION network built on Bitcoin
- Sri Lanka's digitization efforts could leverage SSI for NIC, banking, healthcare, and government services — eliminating repeated document submission
Quick Quiz
What is the key difference between federated identity and self-sovereign identity?