In modern society, identity is the entrance to dealing with entity relations. It is an important model of social relations to determine and authenticate the identity information of entities and not provide services that match their identities.

1 History traceability

In modern society, identity is the entrance to deal with entity relationships. It is an important model of social relations to determine and authenticate the identity information of entities and not provide services that match their identities. And require the user's identity information to be shared with the service provider.

Today, let’s briefly talk about identity and digital identity.

• Identity

International Electronics Technical Committee defines "Identity" as "a set of attributes associated with entities". The entity here is not just a person, it can be an entity for machines or objects, and even virtual things in the network can be an entity and have an identity. As an important part of a digital society, these entities have jointly built a digital ecosystem.

• Digital identity

With the emergence and popularity of the Internet, traditional identity has another form of expression, namely digital identity. It is generally believed that the evolution of digital identity has gone through four stages, namely: centralized identity , alliance identity , user-centered identity , and self-sovereign identity .

• Centralized Identity: is managed and controlled by a single authoritative organization. Most identities on the Internet are still centralized identities.
• Alliance Identity: solves the disadvantage of fragmented and confusing identity data in centralized identities. This kind of identity is managed and controlled by multiple institutions or alliances. The user's identity data has a certain degree of portability. For example, when allowing users to log in to a certain website, they can use the account information of other websites, similar to cross-platform login of QQ, WeChat or Weibo.
• User-centered identity: focuses on decentralization, sharing identity data through authorization and permission, such as OpenID.
• Self-sovereign identity: Decentralized, completely owned and controlled by individuals.

2 PKI&DPKI

"Identity " itself is fundamental and objectively existing. Today's Internet widely builds a trust system and realizes secure communication between entities through the services of "lease" third-party institutions (DNS registration agencies, certificate authorities, ICANN). If we want to realize a decentralized ecological system, we should understand the relationship between the basic PKI and the DPKI system.

• PKI

PKI is the abbreviation of Public Key Infrastructure. It is translated as a public key infrastructure. It is a collection of software, hardware, people, policies and processing processes necessary to generate, store, distribute and revoke user digital identity certificates. It is also an internationally recognized and widely applicable complete information security system. The establishment of PKI relies on authoritative authentication and is inseparable from the collaborative work of trusted third parties. By using a variety of technologies, can be used to provide with security support such as authentication, encryption and digital signature for applications, and provides security services such as key management and certificate management for information systems. Its main carrier is certificate files in X.509 format.

• DPKI

Distributed Public Key Infrastructure (DPKI) As PKI, the evolution of PKI is not a complete discard and substitution of PKI, but more of an improvement and supplement on the basis of the original authentication system. By building a distributed authentication system, it solves the problems of the centralized authentication system, and is the infrastructure of the future network trust ecosystem. There is no obvious difference between DPKI and PKI in the business process. First, the user provides relevant information and initiates an application. Next, the issuing party reviews the information, issues the certificate, and finally the user presents the certificate to complete the verification.However, unlike the PKI system, DPKI emphasizes the independent controllability, identity portability and distributed authentication of user identities, and the verification of personal identity no longer depends on the issuing party .

3 Digital Identity Identification-DID

With the development of trusted technologies such as blockchain, major companies and institutions have entered the market one after another, and have carried out more in-depth research and exploration on the implementation of DPKI, and distributed digital identity (DID) solutions have emerged. By combining blockchain technology , distributed digital identity allows users to truly own and control their personal data and assets, and can realize decentralized sharing capabilities across departments, industries and regions.

Decentralized Identity Decentralized identity, referred to as DID, compared with the traditional PKI-based identity system, the DID digital identity system established based on blockchain has the characteristics of to ensure the authenticity and trustworthiness of data , to protect user privacy and security , , strong portability , and other features. Its advantage lies in

• Decentralization: is based on blockchain, avoiding the identity data being controlled by a single centralized authoritative organization.

• Identity is autonomous and controllable : Based on DPKI (distributed public key infrastructure), the identity of each user is not controlled by a trusted third party, but by its owner, and individuals can independently manage their identities.

• Trustful data exchange : Identity-related data is anchored on the blockchain, and the authentication process does not need to rely on the application party that provides the identity.

• DID Identification

DID Identifier is actually an string . In W3C, DID refers to the standard of URN. The specific format is as follows:

• DID Document

Each DID identifier corresponds to a DID document (Document). The document is in the JSON string format, which mainly contains key information and verification methods related to DID verification to realize the control of entity identity identification. The DID document content format is shown in the figure below:

, and an entity can correspond to multiple DIDs. After the entity applies for registration, it can obtain one or more DID identifiers that are maintained and managed by itself. The identities represented by different DID identifiers are not related to each other, effectively reducing the coupling between identity information. In general, we can regard the DID basic layer as a key-value database, the DID identifier is used as a key, and the DID document is the corresponding value. The relationship structure between the two is shown in the figure below:

• Verified declaration

Verified declaration (Verifiable Credential) provides a specification to describe certain attributes that entities have and realize evidence-based trust. DID holders can prove that certain attributes of their own are credible to other entities (individuals, organizations, specific things, etc.) through verifiable statements. At the same time, combining cryptography technologies such as digital signature and zero-knowledge proof can make the statement more secure and trustworthy, and further protect user privacy from infringement.

In the DID ecosystem, it mainly has three roles: user, issuer, and user.

• User : Anyone/organization/physical object with digital identity on the chain. Any entity object can create and manage its own DID through the developer's project.

• Issuer : People/organizations that can issue digital vouchers. For example: a university can issue a digital graduation certificate to a certain student, then the university is a certificate issuing party.

• Verifier: Also known as the business party, it refers to the person/organization that uses digital credentials. After being authorized by the user, the verifier can verify the user's identity or his digital credentials. For example: When a company admits a person, it needs to verify its college graduation certificate, and then the company is a verification party.

4 Application scenario

• Identity authentication

Identity authentication can be said to be the most basic application of DID. For scenarios with the need for identity identification (KYC), by binding the VC issued by multiple institutions to the user in advance and anchoring it to the blockchain. With the password algorithm , distributed verification can be performed. Users only need to obtain the VC once and can present it and use it at any time. For example, employee onboarding background checks, materials are easily tampered with during the circulation process, and verification methods are relatively scarce. If you use DID solutions, students can use their DID logo on the chain to apply for academic qualifications (degrees) certificates from the school and apply for job (resignation) certificates from the forward company. When looking for a job, the company now only needs to verify the authenticity of the above certificates through the verification interface to quickly complete the employee's onboarding.

• Secure login without password

Application scenarios for password-free security login are similar to WeChat scanning code login. When we need to register or log in to the website, we do not need to enter passwords such as username, email, password, etc., just use the user DID information stored in the mobile phone to complete two-way verification with the website DID. Although the login format does not seem to have changed, unlike the traditional scanning code authentication method, the identity information in the DID is controlled by the user himself. The user first obtains the website DID through the QR code and authenticates it to obtain the public key, and then uses the public key to encrypt the request data, sends his own identity information to the server for verification. If the verification is passed, the login will be successful. Through the entire process, we can see that the server does not know the user's password and cannot obtain any information except the user's DID document, thereby effectively preventing data leakage and protecting user's identity privacy.

• Personal Privacy Protection

Privacy Protection is an indispensable part of any identity management solution, and DID is no exception. The risk of user privacy leakage can be effectively reduced through selective disclosure of user attributes. In real life, user identity usually has multiple attributes, such as name, date of birth, home address, ID number on the ID card, etc. We do not always want to directly display the entire document to the verifier to view. The leakage of too many related information will bring a series of trouble. Criminals have used the public big data (Health Code) to steal celebrity privacy and disseminate DID vouchers and sell DID vouchers combined with zero-knowledge proof technology, which can minimize information and not affect the legality verification of the vouchers, effectively protect user privacy. For example, a store owner with social responsibility refuses to sell cigarettes to minors. For customers who buy cigarettes, they need to check their age information. If you use your ID card, it will leak related sensitive information. However, in DID technology, only part of the information can be presented to prove that you are over a certain age (18 years old) without revealing other information, including the date of birth, so as to achieve selective disclosure of personal privacy information.

• Digital copyright protection

Online digital content often faces a series of copyright disputes. Using the blockchain's immutable and independent and controllable characteristics of digital identity, it can effectively solve the copyright protection problem of digital content, realize real-time sharing of multi-party information, copyright authentication, and transaction rights protection, and promote the legal and compliant flow of digital assets. By using DID technology, the on-chain participants make the work uniquely identified. After the copyright is certified, it becomes an untampered on-chain certificate. It can be used as a statement of evidence and circulation, and is used in scenarios such as asset rights confirmation, data pricing, circulation monitoring and analysis, and infringement evidence collection.

• IoT and Edge computing

IoT devices are usually distributed in different regions and use various methods to access the network, which also makes its encoding standard diverse, with high management costs and security risks.If DID technology is used to assign global unique identifiers to IoT devices, and combine manufacturer production information, IoT operators and equipment ownership information, multiple certificates are issued to the device, and the device can be given a declared and verifiable autonomous identity, efficient distributed authentication of device identity and data can be realized on the blockchain, effectively ensuring the authenticity of the data source, and at the same time it is conducive to confirming and valuing the data generated by the device.

5 Summary

With the advent of the digital economy era, digital development has become a global consensus. At present, more than 170 countries have successively issued relevant strategies for digital countries. In the "14th Five-Year Plan", my country has clearly used digital transformation to to drive the transformation of production methods, lifestyles and governance methods, and has built " Digital China " from four aspects: digital economy, digital society, digital government, and digital ecology. The development of digital identity will help users master their personal data and realize the free flow of data between various digital activities. Digital identity will become the entrance to the digital world, and its importance is self-evident.