区块链和数字身份.pdf

Thematic Report1Blockchain and digital identitya thematic report prepared byTHE EUROPEAN UNION BLOCKCHAINOBSERVATORY FORUMBLOCKCHAINFOR GOVERNMENT AND PUBLIC SERVICESAn initiative of thea thematic report prepared byTHE EUROPEAN UNION BLOCKCHAINOBSERVATORY AND FORUMCKCHAIN AND DIGITAL IDENTITYAn initiative of theThematic Report2Blockchain and digital identityAbout this reportThe European Union Blockchain Observatory Forum has set as one of its objectives the analysis of and reporting on a wide range of important blockchain themes, driven by the priorities of the European Commission and based on from its Working Groups and other stakeholders. As part of this it will publish a series of thematic reports on selected blockchain-related topics. The objective of these thematic reports is to provide a concise, easily readable overview and exploration of each theme suitable for the general public. The of a number of different stakeholders and sources is considered for each report. For this paper, these include Members of the Observatory Forum’s Working Groups. “Government services and digital identity“ by Dr Allan Third, Dr Kevin Quick, Mrs Michelle Bachler and Prof. John Domingue – an academic research paper prepared by the Knowledge Media Institute of the Open University, an academic partner of the EU Blockchain Observatory Forum. from participants at the “Blockchain and e-identity“ workshop held in Brussels on 7 November 2018. from the Secretariat of the EU Blockchain Observatory Forum which includes members of the DG CONNECT of the European Commission and members of ConsenSys.CREDITS DISCLAIMERThis report has been produced by ConsenSys AG on behalf of the European Union Blockchain Observatory Forum.Written by Tom Lyons, Ludovic Courcelas, Ken TimsitThematic Report Series Editor Tom LyonsWorkshop moderator Susan PooleReport design Benjamin Calméjanev1.0 - Published on 2 May 2019.The ination and views set out in this publication are those of the authors and do not necessarily reflect the official opinion of the European Commission. The Commission does not guarantee the accuracy of the data included in this study. Neither the Commission nor any person acting on the Commission’s behalf may be held responsible for the use which may be made of the ination contained therein.Thematic Report3Blockchain and digital identityACKNOWLEDGEMENTS NOTEThe authors would like to expressly acknowledge the following for their direct contributions and feedback to this paperObservatory Working Group Members Ivona Skultétyová Philipp Sandner Daniël Du Seuil Konstantinos Votis Jolanda ter Maten Javier Sebastian Cermeño David Suomalainen Leïla Nassiri-JametReviewers Pelle Braendgaard Julian Hosp Jamie Burke Christian Lundkvist Oscar BurgosIdentity Workshop Panelists Oliver Terbu Rouven Heck Carlos Pastor Luca Boldrin Patrick Curry Ronny Bjones Kai Wagner Elizabeth Renieris Catherine Mulligan Hitesh Tewari William SkannerupWhile we have done our best to incorporate the comments and suggestions of our contributors where appropriate and feasible, all mistakes and omissions are the sole responsibility of the authors of this paper.Thematic Report4Blockchain and digital identityContentscutive summaryIntroduction Digital identity and its discontentsDecentralised identity in action5817171817 Scenario Electric car subsidyScenario Diplomas onlineCase Study KonfidoHow do we define digital identityDecentralised identities – putting the user at the centreSelf-sovereign identity – giving the user full controlWhat do we need to implement decentralised identity Blockchain and decentralised identity Towards a decentralised identity framework121214141612Appendix1923Decentralised identity and the European regulatory landscapeWhat is wrong with digital identity todayWhat is decentralised identity, and how can it help810Identity and the GDPReIDAS A pan-European national identity standardeIDAS and blockchain191921Recommendations22Thematic Report5Blockchain and digital identitycutive summaryThere are few things more central to a functioning society and economy than identity. Without a way to identify each other and our possessions we would hardly be able to build large nations or create global markets. Unfortunately, there are persistent – and increasingly serious – problems with the way digital identity works. For historical and other reasons, the digital identity experience today is fragmented, with few standards or interoperability, and it is insecure, as the almost daily reports of hacks and data breaches reminds us. For individuals, but also for businesses and governments, the status quo is becoming less and less tenable.Many see the problem in the haphazard evolution and “centralised” nature of the current digital identity framework. Centralised here does not mean that there is one, central source for digital identities, but rather that digital identities are almost always provided by some third-party authority often a private company for a specific purpose of its own. The identity ination is “centralised” within that entity.Thanks to a combination of technological advances, including the increasing sophistication of smartphones, advances in cryptography and the advent of the blockchain, it is now possible to build new identity frameworks based on the concept of decentralised identities – potentially including an interesting subset of decentralised identity known as self-sovereign identity SSI. Explaining what these concepts are, and how they might work in the European context, is the subject we address in this paper.We start by defining exactly what identity is in an online context, showing that our digital identity is not a single thing, but rather the sum total of all the attributes that exist about us in the digital realm – a constantly growing and evolving collection of data points. Under the current digital identity framework, these data are generally under the control of entities external to the individual they refer to. In the decentralised identity paradigm, the idea is to put the user at the centre of the framework and so remove the need for these third parties. In this world, the user “creates” his or her own identity, generally by creating his or her own unique identifier or a number of them, and then attaching identity ination to that identifier. By associating verifiable credentials from recognised authorities, for Thematic Report6Blockchain and digital identityCUTIVE SUMMARYinstance governments, users can in effect create the digital equivalents of physical world credentials like national IDs and driving licences. Since these are digital, they will, however, be more flexible and easier to manage than their physical counterparts.By setting up a system in which the user controls not just the identity but also the data associated with it, we can create what are known as self-sovereign identities SSI. In an SSI approach, the user has both a means of generating and controlling unique identifiers as well as some facility to store identity data. Users are then free to make use of whatever identity data they like. These could be verifiable credentials, but could also be data from a social media account, a history of transactions on an e-commerce site, or attestations from friends or colleagues. There really is no limit.This ability to collect and make use of identity from a broad set of sources can help users create rich and varied sets of digital identities for themselves. It also allows them much finer control than they have today over what personal ination they share in which contexts. It could even open the door to new business models, potentially allowing users to monetise their personal data should they wish to do so.While these are intriguing ideas, making them work will be a daunting technological challenge. We take a high-level look at what would be necessary to implement a decentralised identity framework. This includes mechanisms to allow individuals to create their own identities, often referred as Decentralised Identifiers DIDs, as well as means to store personal data, for example in personal data lockers or identity hubs. We will also need digital “wallets” or other user agents to allow people to manage and use their identities. While blockchain is not required for decentralised identity, it can be a powerful solution for different aspects of the decentralised identify framework. This includes supporting the creation and registering of DIDs, notarising credentials, providing a decentralised infrastructure for access control and data use consent, and potentially linking credentials to smart contracts to, for example, trigger automatic payments. To illustrate how this might work, we describe a number of “scenarios” as well as present a case study of how blockchain may be used in digital identity.We then take a look at the European regulatory landscape as it pertains to digital identity. Perhaps the most important regulation dealing Thematic Report7Blockchain and digital identityCUTIVE SUMMARYwith identity in the EU is the electronic IDentification, Authentication and Trust Services regulation eIDAS. This regulation will have a deep impact on the decentralised identity framework, above all as it pertains to government-issued/recognised identity credentials, and so we take a closer look at it.We also examine how eIDAS touches identity on the blockchain. As fully digital ledgers, blockchains are by definition electronic documents under eIDAS. That means that blockchains, or more properly the data, including smart contracts, contained in them, cannot be denied legal force, at least not solely because of their electronic nature. Blockchains, we find, might also be useful for timestamping in an eIDAS-con way, and we ask if perhaps blockchain-based transactions can be considered to be digitally signed under eIDAS and if so, under what level of signature. Our exploration ends with a few thoughts on what policy makers might do to foster the decentralised identity landscape in Europe. Chief among these is to clarify the open regulatory questions, in particular around the standing of blockchain-based signatures and timestamps under eIDAS. We also think the EU could help bootstrap the decentralised digital identity framework though educating government agencies and encouraging them to get involved in building it out, for example as issuers of verifiable credentials. That Europe is looking seriously at decentralised identity and SSI, through for example the work on the European Blockchain Services Infrastructure, is, we think, a good sign that these concepts are taking hold in the Union. That bodes well for a more usable, secure and fair digital identity future.Thematic Report8Blockchain and digital identityIntroduction Digital identity and its discontentsWHAT IS WRONG WITH DIGITAL IDENTITY TODAYThere are few things more central to a functioning society and economy than identity. Without a way to identify each other and our possessions we would hardly be able to build large nations or create global markets. Yet the larger and more complex a society or market is, the more difficult identity becomes. In the physical world, we have developed various ways to deal with this, usually involving some kind of “proof” of identity claims, from wax seals and letters of introduction in pre-industrial times to the passports, driving licences and diplomas we are familiar with today. To create a digital economy, we need to have similar kinds of proofs, or “credentials”, in the digital world. These too have been developed over the years, starting with simple digital representations of our physical, paper-based documents and moving on to more sophisticated means of digital identification like digital certificates, e-signatures, private/public key cryptography and hashing – s that can help uniquely identify a piece of digital data for example a digital document and “prove” ownership of it.Despite these useful building blocks, there are persistent – and increasingly serious – problems with the way digital identity works today. Most of these problems are not related to technology, but to processes.One problem is that the current digital identity landscape is extremely fragmented. Surfing the web requires users to juggle all the different identities associated with their usernames or other aliases, most of which are not strongly related to their real identities. This experience is not fluid nor, unless there is a partnership between them, is there any standard way to use the data generated by one plat on another. In an ideal world, users could directly add the latest music videos viewed on YouTube to their Spotify playlists without using an outside service, by connecting only once, all the while maintaining control of their data. We are far from such an ideal.Thematic Report9Blockchain and digital identityAnother serious problem is that identity-related data is not secure. We have become accustomed to the almost daily notices of data breaches revealing sensitive user data en masse to hackers and criminals, to the ease with which scammers can create fraudulent identities and use them to commit theft, including stealing identities from others, and to the complete lack of control we have over our personal data – data that we, knowingly or unknowingly, create when we are online, and which can be and is used to profile us, earn money on us, and potentially influence our opinions. Nor is it only individuals who struggle with the shortcomings of the current digital identity regime. Businesses are faced with massive cost and complexity, not to mention regulatory and other risks, in both trying to secure and protect user data and in verifying the identities of the counterparties they deal with online, whether they be customers, suppliers, partners or competitors. Governments too have reason to wish for improvements in the way digital identity is handled. Whether to correctly identify citizens in order to provide them with government-issued/recognised credentials who is a citizen, who not, to correctly disburse benefits, to make possible electronic voting, or to combat crimes like terrorist financing or money laundering, governments rely heavily on digital identities. They will want these to be reliable. As custodians of the well-being of their citizens, businesses, markets and economies, they also have an interest in ensuring society has access to a viable, easy-to-use digital identity framework.A third problem is that under the current identity regime there is often a weak link between digital and “offline” identities. That makes it relatively easy to create false identities. For businesses, this weak link creates fertile ground for the phenomena of false views, false “likes”, and false comments, which can help in the perpetration o