Self-Sovereign Identity (SSI) Patterns

Disclaimer: This is a summary of patterns we have observed during our research and should not be considered any form of technical or investment advice. Also, the given “known examples” do not imply they are the best implementations of the said pattern or any superior to any other implementation of the pattern not listed.

Self-Sovereign Identity (SSI) patterns focus on the design of blockchain-based SSI applications. As can be seen from the following figure, we present the patterns in 3 groups: key management, DID (Decentralised Identifier Documents) management, and credential design. The patterns aim to make better use of 3 main objects in self-sovereign identity – key, DID, and identity credential, by understanding their use in different stages of the lifecycles. Figure 1 shows an overview of the patterns. Figure 2 gives a glimpse of the relations between the patterns.

 

Lifecycles of self-sovereign identity patterns

Figure 1: Lifecycles of self-sovereign identity patterns

 

Self-sovereign identity pattern relation overview

Figure 2: Self-sovereign identity pattern relation overview

 

  • Key management patterns
    • Master and Sub Key Generation – Each party has a master key for managing a set of sub-keys that are used for signing transactions for different identity accounts
    • Hot and Cold Wallet Storage – A party maintains keys in 2 wallets, one to store frequently used keys and another to store infrequently used keys.
    • Key Shards – Split a key into several different pieces and restored using enough pieces
  • Decentralised Identifier Documents management patterns
    • Identifier Registry – Use a registry to maintain bindings between an identifier and the address of an identity attribute (e.g., name and profile picture of a party)
    • Multiple Registration – A party registers a unique identifier for each relationship (i.e., every identity) it has.
    • Blockchain and Social Media Account Pair – Establish a bidirectional binding between social media profile and blockchain-based identity
    • Dual Resolution – Parties engaged in a mutual interaction acquire each other’s decentralised identifier documents to access information necessary for verification and communication
    • Delegate List – Each party maintains a list of delegates that can help him/her to recover an identity
  • Credential design patterns
    • Selective Content Generation – Generates a customised credential according to the holder’s specific requirement for credential attributes/contents
    • Time-Constrained Access – A credential holder can share a link to the verifier that is used to access the credential only within the specified time window
    • One-Off Access – A credential holder can share a link to the verifier that is used to access the credential only once
    • Blockchain Anchor – Instead of storing everything on-chain, one can periodically record the hash value of off-chain data on the blockchain