

User-centric global identity is a dream that won’t die. What it refers to is a universal environment in which people can exchange self-issued digital credentials and rely on their legitimacy without the need for trusted third parties to vouch for and validate them.
This vision is a holy grail for libertarians and privacy advocates because it avoids third parties that might misuse, abuse or lose user identity information along the lines of Facebook Inc.’s recent Cambridge Analytica fiasco. In the early years of this millennium, Kim Cameron, who later joined Microsoft Corp., referred to the enabling architecture as an “identity metasystem” that is global, distributed and universally trusted.
As an industry analyst in the identity management space, I found it all quite provocative and shared my insights in blog posts such as this, which elicited this appreciative response from Cameron. As I noted back then, all user-centric global identity systems, of which his was not the only proposed architecture in circulation, seemed to stem from the following core principles:
I’m revisiting this now because a recent industry initiative, the nonprofit Sovrin Foundation, has breathed new life into this dream. Showing its support for this project, longtime identity management solution provider IBM has donated hardware, software and networking resources to get Sovrin up and running. The effort’s prime mover, longtime identity activist Phillip Windley, refers to what he’s doing as establishing “a protocol and token for self-sovereign identity and decentralized trust.” The pillars of his approach are as follows:
Truth be told, Sovrin’s core architecture could easily have been developed in the past decade, except for one important twist: Sovrin relies on a blockchain-based hyperledger to provide an immutable, persistent, trusted and shared record of self-issued and cryptographically signed identity artifacts. Within the Sovrin architecture, there is no provision for centralized identity repositories, nor is there any mention of federated identity domains of the sort specified in the OpenID Connect, WS-Federation or Liberty Alliance global-identity architectures.
Is blockchain the panacea that will bring the dream of truly universal user-centric identity to fruition? It’s much too early to say, considering that Sovrin’s success in gaining broad acceptance will depend both on the complexities of the requisite trust infrastructure and on the ease of setting up, administering and using a distributed identity hyperledger.
The much-hyped blockchain phenomenon may turn out to be a fad. It may prove more cumbersome to implement than its proponents have led us to believe. For example, blockchain implementers must address its well-known issues with performance, scalability, security and flexibility.
Where Sovrin is concerned, universal adoption will depend both on establishing a testbed proof-of-concept and on then gaining a critical mass of acceptance in the identity management marketplace. At the very least, it will need to gain enough momentum to get over the “network effect” hump that frustrates many ambitious internet computing initiatives.
It will be interesting to see whether identity management providers other than IBM lean into the Sovrin initiative to take it to that next plateau. As it stands, IBM is the only such identity management powerhouse currently in the project’s list of institutional stewards.
Here’s a fascinating recent interview on theCUBE in which Kaleido Research’s Jessica Groopman and Jeremiah Owyang discuss prospects for blockchain as well as IoT and other emerging technologies: