China Blockchain Development Report (2019) | Distributed Digital Identity Development and Research

Authors: Zhang Yifeng, Ping Qingrui (CBPM Blockchain Technology Research Institute)

This article first appeared in the technical innovation section of the "China Blockchain Development Report (2019)".

Source: WeChat public account of the CBPM Blockchain Technology Research Institute



The traditional Internet grew up around centralized services, and each application is an isolated island: a person's identity depends on whichever centralized service provider issued it. With the rapid development of Web 2.0, capital, data and traffic have become highly concentrated in a few large technology companies, and cybercrime and privacy leakage are getting worse. The first prerequisite for secure, lawful and convenient cooperation between applications is trusted digital identity.

For identity to be truly self-sovereign, the digital identity infrastructure has to be moved out of the closed, centralized environment controlled by a single organization or federation and into an open, distributed one. This paper covers the research background of distributed digital identity, its core concepts and basic content, key technologies, technical architecture, and the current state of development at home and abroad, in order to give readers a more comprehensive and systematic picture of distributed digital identity.

Distributed digital identity is the foundation of a trusted network and a cornerstone of the national cybersecurity strategy. Researching the related technologies, promoting the construction of distributed digital identity infrastructure, and developing the surrounding ecosystem and applications are therefore of great significance.

Keywords

Distributed; self-sovereign digital identity; verifiable claims; distributed ledger; privacy

This year marks the 50th anniversary of the Internet. As network technology has matured, more and more application services reach the public through the Internet; it is no exaggeration to say that, as the digital world created by people expands, people are migrating from the physical world into the digital one. But as the number of people using network services every day grows, and as different application services need to collaborate in a trusted way, the problem of user identity, caused by the Internet's lack of an identity protocol layer, has become increasingly prominent.

The Internet was not designed with a standard, clear way to identify users or organizations. Application service providers therefore solved user identity management by creating a local account based on a username and password, and this became the main solution for network identity. This account-based approach has gradually revealed the following drawbacks:

1. Multiple identities, high maintenance cost and low efficiency

In the application-centric account model, users do not own a complete digital identity; they have dozens or hundreds of fragments scattered across different organizations. Controlling, updating and maintaining this information has to be done application by application, which is repetitive and cumbersome: people must submit the same identity information to many business systems and repeat similar identity verification processes each time.

As applications scale up, account-based identity becomes hard for the individual to maintain, and its security drawbacks grow more obvious. Identity providers (government, finance and other basic social services) and relying parties (service providers) spend time and money repeatedly verifying the same entity. Beyond websites and web applications, the global cost to millions of organizations of acquiring, storing, managing and protecting large amounts of user data, the liability that holding such data brings, the duplication of data around the world and the inconsistencies between copies all make the identity verification process enormously wasteful. It is estimated that identity verification costs the UK alone more than £3.3 billion a year, and the US approximately $22 billion a year.

2. Username and password bring security risks

The username-and-password method assumes that only the user knows the account secret; it is the most basic and easiest-to-implement user management solution in today's IT environment. But it has many problems. A simple password does not provide the security a system needs, and it is very hard for users to memorize a large number of different, complex passwords. Beyond that, passwords carry risk not only when they are entered but also while they are transmitted, stored and verified.

Passwords are widely used because they are cheap and present no obstacle to most users: although not very secure, they are better than no security measure at all. Password problems include weak strength, brute-force guessing, shared or universal passwords, lifecycle management, and leaks. In some cases users keep default passwords, or a universal password is built into an application or device; such known weaknesses are easy to exploit. As technology advances, the time needed to brute-force even high-strength passwords keeps shrinking. The security drawbacks of passwords become more obvious as applications scale, posing a huge risk to the network; the report estimates that 10% of users on the network impersonate others to commit cybercrime.

From the standpoint of technology development, the single username-and-password credential will eventually leave the stage as a mainstream identity management solution because of its maintenance burden and security risks.

3. Identity data is not self-managed, so there is a risk of privacy leakage

In the account model, a person's identities are provided by the applications they depend on: each application manages user identity data in its own user database. Some organizations have better databases and more comprehensive user data than others, so, regardless of the identity owner's consent, complex and expensive mechanisms have developed for passing user data from one island to another. This process is often accompanied by unintended or unwanted leakage of user data.

In 2018 alone Facebook suffered several serious privacy leaks, including giving companies such as Microsoft, Amazon, Spotify, Netflix and Apple access through its own interfaces to read, send and delete users' private messages, and a bug that allowed third-party applications to access photos users had uploaded privately. Google has likewise had user profile data exposed through problems with an access interface: it was revealed to have concealed a software flaw that left Google+ users' private data accessible to external developers, and it eventually shut down Google+ to put an end to the leak. In October 2017, according to the security research firm Kromtech, about 47 GB of medical data that a healthcare provider stored on Amazon S3 was unintentionally open to the public, including 315,363 PDF files involving at least 150,000 patients.

On May 25, 2018 the EU General Data Protection Regulation (GDPR) came into force, the strictest privacy regulation to date. GDPR greatly strengthens the mandatory nature of, and accountability for, data protection, and assigns responsibility to every party in the data supply chain from top to bottom. Among other things, GDPR specifies:

  • the right to be forgotten;
  • data protection by design;
  • data controllers and processors must ensure the security and integrity of the data.

GDPR is set to become a cornerstone of future global cyberspace rules, taking data as the starting point for the technical governance of network security. It will have a major, even disruptive, impact on the revenue model of the Web 2.0 industry, which is built on collecting personal information.

In summary, it is time to establish a unified identity layer for the Internet that lets people, organizations and things hold their own sovereign identities and manage their own identity information. Trusted, self-sovereign digital identity is the key to a trusted network and the basis for the future deployment of trusted data and trusted assets.

I. The evolution of digital identity

The evolution of Internet identity is the result of trying to meet three basic requirements of digital identity:

  • Security: identity information must not be leaked inadvertently;
  • Control: the identity owner must control who can view and access their data, and for what purpose;
  • Portability: users must be able to use their identity data wherever they want, rather than being tied to a single identity provider.

Looking back at its history, digital identity has gone through the following four stages of development.


Figure 1. The various stages of digital identity development

  • Centralized identity

Most Internet identities are centralized: they are owned and controlled by a single entity such as an e-commerce site or social network. Such local identity works well within a specific application, but it cannot keep up with today's users, who need to interact with a rapidly growing number of websites and services.

Because most people's Internet identities are centralized, deleting an account erases a person's online identity, together with data the user may have accumulated over years and which is valuable and irreplaceable to them.

  • Federated identity

Federated identity was introduced to address the problems of centralized identity and provides a degree of portability: a user can, for example, log in to another service with the credentials of one service, and at a more advanced level different services can be allowed to share detailed information about the user.

Federation is common in large enterprises, where single sign-on lets users access multiple independent internal services with one username and password; some government agencies also use federated identity to serve their citizens. Although federation appears portable, it still depends on the power of the federated identity provider, and the damage caused by deleting a federated account is far more profound. In practice, federated identity has intensified the centralized monopoly on data, piling up honeypots of data for attackers and creating greater data security risks.

  • User-centric identity

The core requirement of user control is that information flows from the claim provider to the relying party only when the user requests it. The individual fills a personal data store with information that they can then allow to be provided to other organizations, keeping a record whenever they do so. This still depends, however, on users choosing an identity provider and accepting its unilateral terms of service, and because there is money to be made, data moving from one store to another is prone to intentional or unintentional leakage; user information becomes a product for sale.

Independent personal data stores also exist, but the problem remains: in a mature personal data store ecosystem, relying parties would need to integrate with many such identity providers to cover a broad customer base, and because integration is complex and time-consuming, it is hard to achieve economies of scale.

  • Self-sovereign identity

Self-sovereignty means that the individual (or organization) to whom an identity belongs fully owns, controls and manages it. It removes the external, centralized control present in the three earlier stages, so that a person's digital existence no longer depends on any single organization, and no one can deprive a person of their self-sovereignty. Self-sovereign identity can be thought of as a digital container controlled by the identity owner, which lets users share data and carry their identity from application to application. Identity claim data can be self-asserted or asserted by a third party; in the latter case its authenticity can be independently verified by the relying party.

The typical characteristics of self-sovereign identity can be summarized in the following three points.


Table 1. Distributed digital identity related technology standards

II. Distributed digital identity

For identity to be truly self-sovereign, the digital identity infrastructure must be placed in a distributed environment rather than a centralized one controlled by a single organization or federation.

Distributed ledger technology (DLT) is the breakthrough that makes this possible. It lets many institutions, organizations and governments work together over a distributed network that interoperates the way the Internet does. Identity data is replicated in multiple locations to protect against failure and tampering. DLT has existed and matured for some time, and its distribution and security properties have been demonstrated; combined with public key infrastructure and anonymous credential technology, it makes distributed self-sovereign digital identity technically feasible.


1. Digital identity and verifiable claims model

1.1 Digital identity representation

The International Electrotechnical Commission defines identity as "a set of attributes associated with an entity". A digital identity is usually represented by an identifier together with the attribute claims associated with it. A distributed digital identity therefore consists of two parts: a distributed digital identity identifier and digital identity credentials (sets of claims).

A distributed digital identity identifier (DID, the W3C's "decentralized identifier") is a string that represents a digital identity and can be globally unique without a central registry. An entity typically has multiple identities, each assigned its own DID and an asymmetric key pair bound to it. Nothing links one identity to another, which effectively prevents an observer from aggregating information about the owner.

  • Verifiable claims

A claim is attribute information associated with an identity. The term comes from claims-based digital identity, a way of asserting a digital identity independently of any particular system that relies on it. Claims typically carry information such as name, email address, age and occupation.

A claim can be made by the identity owner (an individual or an organization) or by another issuer; when it is signed by the issuer it is called a verifiable claim. The user submits the claim to an application, which checks it; a service provider can trust a verifiable claim signed by an issuer to the same extent that it trusts that issuer. A collection of claims is called a credential.

1.2 Verifiable claims model

The main purpose of digital identity management is to let identity owners easily obtain claims and use them to prove their identity attributes; claim management is the core of a digital identity system.

With the distributed digital identity design of the previous section, claim management and the workflow of the verifiable claims model fit together naturally: the verifiable claim is signed and issued by the identity endorser (the claim issuer) at the identity owner's request; the identity owner stores the verifiable claim in encrypted form and submits it to the identity relying party (the claim verifier) when needed; and the relying party does not need to integrate with the endorser, but instead looks up the identity registry to check the relationship between the claim and the submitter and to verify the true origin of the holder's attribute claim.


Figure 2. Verifiable claim model

In traditional identity verification, the relying party collects the user's information and sends it through a secure channel to the identity authenticator for checking. Under the verifiable claims model the authenticator does not need to know, trust or integrate with the relying party's system; it only has to approve the identity holder's request and issue the signed claim file, and the relying party can then consume diversified user identity information and confirm its authenticity without integrating with each different authenticator.

In digital identity applications, separating the generation and maintenance of identifiers from the generation, storage and use of attribute claims helps to build a modular, flexible and competitive ecosystem of identity services.
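The issue/store/verify workflow above can be made concrete in a few dozen lines. The following Go program is an added illustration written for this edition; it is not code from the report or from any DID project. It assumes an Ed25519 key pair per identity, an in-memory map standing in for the distributed ledger (DID to authentication public key, the ID-vk pairing), an illustrative `did:example:` identifier derived from the public key, and a deterministic JSON serialization of the signed part of the credential. The point it demonstrates is the one the text makes: the relying party verifies the issuer's signature by resolving the issuer's DID on the ledger, and never has to contact the issuer; any change to the claims, or an issuer that is not on the ledger, is rejected. Proving that the party presenting the credential controls the subject DID is a separate challenge-response step and is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry stands in for the distributed ledger: DID -> authentication
// public key. In a real deployment the relying party resolves the DID on
// the ledger; an in-memory map is an assumption for this example.
type Registry map[string]ed25519.PublicKey

// Credential is a minimal verifiable credential: issuer DID, subject DID,
// a set of claims, and the issuer's signature over the other fields.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Sig     string            `json:"sig,omitempty"`
}

// payload is the byte string that gets signed. encoding/json sorts map
// keys, and Sig is cleared, so issuer and verifier serialize identically.
func (c Credential) payload() []byte {
	c.Sig = ""
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// NewDID creates an identity: a fresh key pair and a DID derived from the
// public key (the did:example method is illustrative only), and publishes
// the DID/public-key pairing on the registry.
func NewDID(reg Registry) (string, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	did := "did:example:" + hex.EncodeToString(pub[:8])
	reg[did] = pub
	return did, priv
}

// Issue is the endorser side: sign the claims about the subject.
func Issue(issuerDID string, issuerKey ed25519.PrivateKey, subjectDID string, claims map[string]string) Credential {
	c := Credential{Issuer: issuerDID, Subject: subjectDID, Claims: claims}
	c.Sig = hex.EncodeToString(ed25519.Sign(issuerKey, c.payload()))
	return c
}

// Verify is the relying-party side: resolve the issuer's key from the
// registry and check the signature. No round trip to the issuer is needed.
func Verify(reg Registry, c Credential) error {
	pub, ok := reg[c.Issuer]
	if !ok {
		return errors.New("issuer DID not found on ledger")
	}
	sig, err := hex.DecodeString(c.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, c.payload(), sig) {
		return errors.New("signature does not match credential content")
	}
	return nil
}

func main() {
	ledger := Registry{}
	univDID, univKey := NewDID(ledger) // issuer, e.g. a university
	aliceDID, _ := NewDID(ledger)      // holder (constructed sample identities)
	cred := Issue(univDID, univKey, aliceDID, map[string]string{"degree": "BSc", "year": "2018"})
	fmt.Println("verify:", Verify(ledger, cred))
	cred.Claims["degree"] = "PhD" // holder tampers with a claim
	fmt.Println("tampered:", Verify(ledger, cred))
}
```

The holder stores `cred` (ideally encrypted, as the text says) and can present it to any relying party that trusts the university's DID; the relying party needs nothing from the university beyond the ledger entry.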


2. Why distributed?

As noted in the opening, control over every entity's digital identity on today's Internet lies with third parties: whether an email address, a username or a digital certificate, we lease it from service providers, certificate authorities and social networks, and this has led to serious availability and security problems across the Internet. To return control of digital identity to its owner, a mechanism is needed that lets the identity owner create a self-bootstrapped cryptographic digital identity without anyone's permission, and that requires placing the digital identity infrastructure in a distributed environment.

A distributed digital identity infrastructure needs to address the following:

• Self-sovereign control and management of digital identity identifiers

• Peer-to-peer authentication and secure information exchange based on asymmetric keys

• User-friendly application of cryptography

The answer is DPKI, distributed public key infrastructure. DPKI uses distributed ledger technology to publish each identity owner's identifier and authentication public key (ID-vk) pairing in a tamper-evident, globally shared form, so that entities across regions and organizations can reach consensus on the content and status of the shared identity data and thereby form distributed trust.

DPKI returns control of identifiers to their owners and removes the man-in-the-middle (MITM) exposure that plagues traditional PKI, where a compromised certificate authority can issue a key for an identifier it does not control, while ensuring that no single third party can compromise the integrity and security of the whole system.


3. Key technologies of distributed digital identity

Besides the identifiers and verifiable claims used to express a distributed digital identity, the technology includes the following key components:

  • DPKI-based distributed key management and use

Today's Internet identity management, built on DNS and X.509 PKIX, has security and usability problems whose root cause is the centralization of the system: the centralized design keeps identity owners from controlling the identifiers that represent them, which makes it possible for third parties to compromise their identity. Solving this requires building a distributed public key infrastructure and defining a distributed key management method.

Distributed key management can be achieved by giving entities a distributed digital identity wallet application. The identity wallet lets users create their own identities, hold the identity secrets (private keys) and control how the keys are used, and it registers and publishes the owner's identifier and the associated authentication public key on the tamper-evident distributed ledger. A DPKI built this way works even on resource-constrained mobile devices and, by protecting the private key, preserves the integrity of the user's identifier.

  • DPKI-based peer-to-peer authentication and secure communication

The purpose of DPKI-based peer-to-peer authentication and secure communication is to provide a secure, confidential, peer-to-peer trust relationship for users and data. A secure peer-to-peer communication system must meet three basic requirements.

Confidentiality: data on the peer-to-peer network cannot be read by unauthorized parties.

Integrity: data is sent by an authorized peer and cannot be forged or modified by an unauthorized party.

Availability: authorized peers can use network resources normally, and unauthorized users cannot.

Between two endpoints, secure communication still rests on the traditional PKI principles of challenge-response authentication and negotiation of a data encryption method. Across the whole network, the identity keys held in wallets on decentralized servers and personal clients, together with the DID distributed ledger shared by everyone, allow any two nodes representing different entity identities to authenticate each other with asymmetric keys, and trust across the whole network is then built up through trust transfer between entities.
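The challenge-response step is where DPKI differs from ordinary PKI in practice: the verifier resolves the peer's authentication key from the ledger rather than accepting a key or certificate sent in-band. The Go program below is an added example for this edition, not code from the report or any DID project. It assumes Ed25519 keys, an in-memory map in place of the ledger, and illustrative `did:example:` identifiers. Beyond the bare challenge-response, it handles two failure modes a practitioner would check for: each nonce is accepted at most once (replay), and the signed transcript is bound to the verifier's own DID so a signature obtained by one verifier cannot be relayed to another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ledger stands in for the shared DID ledger: DID -> authentication public key.
type Ledger map[string]ed25519.PublicKey

// Register creates a key pair for did and publishes the public half.
func Register(l Ledger, did string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	l[did] = pub
	return priv
}

// Verifier is the challenging side. It remembers outstanding nonces so that
// each challenge can be answered at most once.
type Verifier struct {
	DID     string
	ledger  Ledger
	pending map[string]bool
}

func NewVerifier(did string, l Ledger) *Verifier {
	return &Verifier{DID: did, ledger: l, pending: map[string]bool{}}
}

// Challenge issues a fresh 32-byte random nonce (hex-encoded).
func (v *Verifier) Challenge() string {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	c := hex.EncodeToString(n)
	v.pending[c] = true
	return c
}

// transcript is the exact byte string both sides sign/verify: a domain
// label, the verifier's DID and the nonce.
func transcript(verifierDID, challenge string) []byte {
	return []byte("dpki-auth-v1|" + verifierDID + "|" + challenge)
}

// Response carries the prover's DID and its signature over the transcript.
// Note that it carries no public key: the verifier must look that up.
type Response struct {
	ProverDID string
	Sig       []byte
}

// Respond is the prover side.
func Respond(proverDID string, key ed25519.PrivateKey, verifierDID, challenge string) Response {
	return Response{ProverDID: proverDID, Sig: ed25519.Sign(key, transcript(verifierDID, challenge))}
}

// Check consumes the nonce, resolves the prover's key from the ledger and
// verifies the signature over this verifier's transcript.
func (v *Verifier) Check(challenge string, r Response) error {
	if !v.pending[challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(v.pending, challenge) // burn the nonce whether or not the check passes
	pub, ok := v.ledger[r.ProverDID]
	if !ok {
		return errors.New("prover DID not on ledger")
	}
	if !ed25519.Verify(pub, transcript(v.DID, challenge), r.Sig) {
		return errors.New("signature does not match ledger key for prover DID")
	}
	return nil
}

func main() {
	ledger := Ledger{}
	aliceKey := Register(ledger, "did:example:alice") // constructed sample identities
	Register(ledger, "did:example:shop")
	shop := NewVerifier("did:example:shop", ledger)
	ch := shop.Challenge()
	resp := Respond("did:example:alice", aliceKey, shop.DID, ch)
	fmt.Println("first:", shop.Check(ch, resp))  // accepted
	fmt.Println("replay:", shop.Check(ch, resp)) // rejected: nonce already used
}
```

Once both peers have authenticated each other this way, they negotiate a session key in the usual manner; the authentication step is what the ledger contributes.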

  • Anonymous credentials based on zero-knowledge proofs

Traditional access control has the user present their identity information to the service provider, which then decides whether the user may use the service. Identity-based access control of this kind is not anonymous, and the information users must disclose often goes far beyond what is needed to obtain access.

Anonymous credentials (AC) free users from this situation. An anonymous credential is a special credential, provided by the credential issuer, that carries user information: it is used to convey claim information, but it contains neither a plaintext nor a ciphertext version of the claim data; instead it provides a cryptographic way to verify the result of the claim. The typical example is proof of age ("over 21") without revealing the actual date of birth. A major advantage of AC is that the service provider never obtains a full credential with its data, so it cannot reuse it to impersonate another user. AC provides anonymity: others can see that a user with the authorized attributes is acting, but not who the user is.

Anonymous credentials based on zero-knowledge proofs are an important privacy-enhancing technology that Microsoft and IBM have researched and developed for more than a decade. They have great potential for protecting privacy while sharing highly sensitive or linkable information.

Anonymous credentials fit the attribute-based access control (ABAC) approach, in which a request to perform an action on an object is granted or denied based on the subject's attributes, environmental conditions, and a set of policies defined over those attributes and conditions. ABAC supports dynamic, flexible access policies in open environments.


Figure 3. Attribute-based access control
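Full zero-knowledge anonymous credentials (the CL-signature family used by IBM's Idemix and Microsoft's U-Prove) need pairing- or RSA-group arithmetic and are out of scope for a short listing, but the data-minimization property the section describes can be shown with a simpler, widely used construction: salted hash commitments. The Go program below is an added example for this edition and is not code from the report or from either vendor. It assumes Ed25519 issuer keys and SHA-256 commitments. The issuer commits to every attribute as H(salt || name=value) and signs only the list of commitments; the holder later reveals the salt and value of just the attributes needed (here `over_21`, which the issuer derived from the date of birth at issuance), so the verifier learns that the issuer vouched for "over 21" without seeing the name or date of birth. Unlike a true anonymous credential, this scheme does not hide the signature itself, so presentations to different verifiers remain linkable by the issuer's signature; that difference is the reason the zero-knowledge schemes exist.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// commit hides one attribute behind a random salt: H(salt || name=value).
func commit(salt []byte, name, value string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(name + "=" + value))
	return hex.EncodeToString(h.Sum(nil))
}

// Disclosure is one attribute together with its salt; revealing it lets a
// verifier recompute the commitment.
type Disclosure struct {
	Name, Value string
	Salt        []byte
}

// SignedDigests is what the issuer actually signs: the sorted commitments.
// Sorting makes the signed bytes deterministic and hides attribute order.
type SignedDigests struct {
	Digests []string
	Sig     []byte
}

// HolderCredential is what the holder keeps: every attribute plus salt, and
// the issuer-signed digest list.
type HolderCredential struct {
	Attrs  []Disclosure
	Signed SignedDigests
}

func digestsPayload(d []string) []byte { return []byte(strings.Join(d, "\n")) }

// Issue commits to each attribute with a fresh 16-byte salt and signs the
// digest list. The issuer, not the holder, computes derived attributes.
func Issue(issuerKey ed25519.PrivateKey, attrs map[string]string) HolderCredential {
	var hc HolderCredential
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			panic(err)
		}
		hc.Attrs = append(hc.Attrs, Disclosure{Name: name, Value: value, Salt: salt})
		hc.Signed.Digests = append(hc.Signed.Digests, commit(salt, name, value))
	}
	sort.Strings(hc.Signed.Digests)
	hc.Signed.Sig = ed25519.Sign(issuerKey, digestsPayload(hc.Signed.Digests))
	return hc
}

// Presentation is the signed digest list plus only the chosen attributes.
type Presentation struct {
	Signed    SignedDigests
	Disclosed []Disclosure
}

// Present selects the attributes to reveal; everything else stays in the wallet.
func (hc HolderCredential) Present(names ...string) Presentation {
	p := Presentation{Signed: hc.Signed}
	for _, a := range hc.Attrs {
		for _, n := range names {
			if a.Name == n {
				p.Disclosed = append(p.Disclosed, a)
			}
		}
	}
	return p
}

// Verify checks the issuer signature, then that each disclosed attribute
// recomputes to a signed commitment. It returns only what was revealed.
func Verify(issuerPub ed25519.PublicKey, p Presentation) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, digestsPayload(p.Signed.Digests), p.Signed.Sig) {
		return nil, errors.New("issuer signature invalid")
	}
	signed := map[string]bool{}
	for _, d := range p.Signed.Digests {
		signed[d] = true
	}
	revealed := map[string]string{}
	for _, a := range p.Disclosed {
		if !signed[commit(a.Salt, a.Name, a.Value)] {
			return nil, fmt.Errorf("attribute %q not covered by issuer signature", a.Name)
		}
		revealed[a.Name] = a.Value
	}
	return revealed, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample: the issuer derives over_21 from the DOB it verified.
	cred := Issue(priv, map[string]string{"name": "Alice", "dob": "1990-04-12", "over_21": "true"})
	revealed, err := Verify(pub, cred.Present("over_21"))
	fmt.Println(revealed, err) // the verifier sees over_21 only
}
```

The verifier receives three opaque digests and one opened attribute; because each digest is salted with 16 random bytes, it cannot brute-force the hidden name or date of birth from the digests alone.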

Globally, research on distributed digital identity has only a few years of history but has developed rapidly, moving from individual projects and single technologies into a standardization process led by very large technology companies. The formats of the key data in distributed digital identity, namely decentralized identifiers (DIDs) and verifiable credentials, have been developed at the W3C; a distributed key management standard is being prepared and submitted through OASIS, the Organization for the Advancement of Structured Information Standards.


Table 2. Distributed Digital Identity Related Technology Standards

III. The distributed digital identity architecture

As noted above, the core of distributed digital identity technology is the combination of distributed ledger and cryptography, which together create non-repudiable, unalterable identity records. The starting point for a digital identity on the distributed digital identity ledger is a set of mutually unlinkable secure identities (ID-vk pairs), each associated only with the behaviours, digital assets or data that the user explicitly ties to it. Individuals create digital identities by using a "container" to manage and use digital credentials: they can accept credentials issued by any organization in the distributed digital identity network and present them for authentication when needed, and each organization decides whether to trust a credential in the container based on its trust in the issuer and on the result of verifying the credential.

In terms of system architecture, the identity wallet client, the cloud agent and the distributed digital identity ledger form a three-tier architecture.


Figure 4. Three-tier architecture of a distributed digital identity system


Distributed digital identity ledger

The basis of DPKI is a distributed ledger with distributed key-value storage, used as the registry of distributed digital identity identifiers. As long as the registration is in effect and the identity owner keeps control of the private key, no third party can take over the identifier or impersonate the holder against their will.

The main feature of a distributed ledger is that many nodes maintain it jointly, so that the public record cannot be tampered with. In the distributed digital identity architecture, the ledger is used mainly to publish and maintain distributed digital identity data (identifier, public key, communication endpoint), so that any entity can retrieve the identifier and key of the party it is interacting with; inter-identity authentication and secure network communication then follow, and the key discovery that the identity ledger supports is essentially free. In addition, the ledger records and publishes credential template (schema) information and attestations of the credential flow.

Different identity entities have different privacy requirements, so the sharing scope of identity data differs: for governments, industry bodies and universities, identity data is generally disclosed to the whole ecosystem; for enterprises and merchants, it is shared with upstream and downstream partners and their customers; individuals need the strongest protection of anonymity. To satisfy these different visibility requirements, it may be necessary to build several distributed digital identity ledgers that work together, and the ledger design must weigh their interdependence, data consistency and overall operating efficiency.

From a privacy perspective, a distributed ledger stores a permanent record of transactions. Personally identifiable information, including hashes of private data, should not be stored on the ledger: if the personal identity key is lost or compromised, or a credential issuer or relying party is breached, an attacker may obtain identity data records that the holder cannot repudiate, which harms the user's rights and interests and also violates laws such as the EU GDPR.


Distributed digital identity wallet

The distributed digital identity wallet is the personal identity data container and the infrastructure for managing an entity's identity; it is the part of identity management software that reaches end users. For an individual holder it usually appears as a client application on the user's device; for an institutional holder it may be a service deployed on a dedicated server with key management capabilities.

The wallet is what guarantees that control of identity stays in the holder's hands. In general it has the following functions:

  • Relationship chain management

Identifiers can be used to authenticate everything associated with a user. Their robustness makes them very valuable, and the keys that match those identifiers are the "keys to the digital kingdom" held by their owners: they unlock the entity's digital identities and the identity-related data or digital assets.

The most critical function of the wallet is to manage and protect the identity owner's relationship chain, which consists of DID relationship pairs, DID relationship keys and DID communication endpoints. The key point of this design is that every identity has its own communication endpoint and key, so this information provides no clue linking the identity owner's different roles; only the identity owner can initiate and carry out an association between identities.


Figure 5. Relationship chain structure
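A wallet that holds one key per relationship has to generate and later recover many keys. One common way to do that, shown in the added Go example below (written for this edition, not code from the report or from any wallet product), is to derive each relationship key from a single master seed with a keyed hash: the seed is the only secret that needs backing up (for instance through the cloud agent's encrypted backup described later), yet the derived keys, and the DIDs computed from them, are unrelated to each other, so a relying party sees a different identifier than any other relying party. The example assumes Ed25519 keys, HMAC-SHA256 for derivation, illustrative `did:example:` identifiers and made-up endpoint URLs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Relationship is one entry in the relationship chain: the pairwise DID we
// use towards a peer, the endpoint we gave that peer, and the key behind it.
type Relationship struct {
	Peer     string // label or DID of the other party
	MyDID    string
	Endpoint string
	key      ed25519.PrivateKey
}

// Wallet holds the master seed and the relationship chain.
type Wallet struct {
	seed  []byte
	chain map[string]Relationship
}

func NewWallet(seed []byte) *Wallet {
	return &Wallet{seed: seed, chain: map[string]Relationship{}}
}

// deriveKey turns (seed, peer) into an Ed25519 key. HMAC-SHA256 output is
// 32 bytes, exactly an Ed25519 seed; different peers give unrelated keys.
func (w *Wallet) deriveKey(peer string) ed25519.PrivateKey {
	m := hmac.New(sha256.New, w.seed)
	m.Write([]byte("pairwise-did-v1|" + peer))
	return ed25519.NewKeyFromSeed(m.Sum(nil))
}

// Connect creates (or, after recovery, re-derives) the relationship with
// peer and records the endpoint that peer may use to reach us.
func (w *Wallet) Connect(peer, endpoint string) Relationship {
	key := w.deriveKey(peer)
	pub := key.Public().(ed25519.PublicKey)
	sum := sha256.Sum256(pub)
	r := Relationship{
		Peer:     peer,
		MyDID:    "did:example:" + hex.EncodeToString(sum[:8]),
		Endpoint: endpoint,
		key:      key,
	}
	w.chain[peer] = r
	return r
}

// PublicKey is what gets published on the ledger for that relationship.
func (w *Wallet) PublicKey(peer string) ed25519.PublicKey {
	return w.chain[peer].key.Public().(ed25519.PublicKey)
}

// Sign uses only the key of the named relationship.
func (w *Wallet) Sign(peer string, msg []byte) []byte {
	return ed25519.Sign(w.chain[peer].key, msg)
}

func main() {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	w := NewWallet(seed)
	// Endpoints are made-up values standing in for cloud-agent inboxes.
	shop := w.Connect("did:example:shop", "https://agent.example/alice/1")
	bank := w.Connect("did:example:bank", "https://agent.example/alice/2")
	fmt.Println("distinct DIDs:", shop.MyDID != bank.MyDID)

	// Recovery: a new wallet built from the backed-up seed reproduces the same DID.
	w2 := NewWallet(seed)
	fmt.Println("recovered:", w2.Connect("did:example:shop", shop.Endpoint).MyDID == shop.MyDID)
}
```

Because the DID towards the shop and the DID towards the bank come from different keys, neither relying party can match its records against the other's; correlating the two roles requires the owner to deliberately sign something with both keys.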

  • Local data storage

Besides relationship chain management, the wallet also stores the owner's digital credentials locally, managing how this data is securely stored on the specific personal device and operating system.

Because the storage capacity and bandwidth of devices vary widely, no single wallet client of an identity owner may hold a complete copy of the personal data container. Another function of the wallet client is therefore to manage how the content stored in the device's data container is shared, when necessary, with the owner's other wallet clients.

The wallet client supports peer-to-peer communication over Bluetooth, NFC or other mesh network protocols, or secure connections with other entities through a cloud agent using a distributed secure transport protocol.


Distributed digital identity cloud agent

The cloud agent is the middle tier of the architecture: it is both a client of the DID distributed digital identity ledger and, with an addressable network endpoint, a server for the distributed digital identity wallet. Its main function is persistent peer-to-peer message routing: identity clients running on end devices (smartphones, laptops, cars and so on) usually have no addressable endpoint of their own, so the cloud agent gives them an addressable network presence and persistent message delivery.

In addition, the cloud agent service simplifies key recovery by providing encrypted key backup, and supports encrypted data storage and sharing under the identity owner's authorization, simplifying and automating the storage and sharing of data.

In theory, cloud agents do not have to exist; without them, the system must allow client applications to access the DID distributed ledger directly. In any case, cloud agent services should form an open, competitive commercial market. No identity owner has to be, or should be, bound to a particular cloud agent provider, and when to migrate to another provider or cancel the service is entirely the identity owner's own decision.
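An added example (not code from the report or from any of the projects it names) of the routing role the cloud agent plays, written in Go with only the standard library: the agent allocates addressable inboxes, queues envelopes while the owner's device is offline, and releases them only to the device that holds the inbox token, while message bodies are sealed with the relationship key so the agent can route but never read them. Inbox ids, tokens and the sample message are constructed for the example; the pre-shared relationship key stands in for whatever key agreement the DID exchange uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

// Envelope is all the agent ever sees: a destination inbox and opaque ciphertext sealed
// with the DID relationship key, which the agent does not hold.
type Envelope struct {
	Inbox      string
	Ciphertext []byte
}

// CloudAgent gives each registered wallet an addressable inbox and queues envelopes until the
// owner's device comes online and fetches them (persistent P2P routing). Single-threaded toy:
// a real agent would lock these maps.
type CloudAgent struct {
	tokens map[string]string     // inbox id -> fetch token of the owning device
	queues map[string][]Envelope // inbox id -> undelivered envelopes
}

func NewCloudAgent() *CloudAgent {
	return &CloudAgent{tokens: map[string]string{}, queues: map[string][]Envelope{}}
}

// randomBytes draws from crypto/rand; a failure there is fatal in current Go, not a short read.
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// Register allocates an inbox and returns its id (the communication entry point the owner
// hands to peers) and a private token that only the owner's device knows.
func (a *CloudAgent) Register() (inbox, token string) {
	inbox, token = hex.EncodeToString(randomBytes(8)), hex.EncodeToString(randomBytes(16))
	a.tokens[inbox] = token
	return inbox, token
}

// Deliver accepts an envelope from any peer and stores it without being able to read it.
func (a *CloudAgent) Deliver(env Envelope) error {
	if _, ok := a.tokens[env.Inbox]; !ok {
		return errors.New("unknown inbox")
	}
	a.queues[env.Inbox] = append(a.queues[env.Inbox], env)
	return nil
}

// Fetch hands the queued envelopes to the owner's device once it presents the token, then
// clears the queue; anyone else (including a peer who knows the inbox id) gets nothing.
func (a *CloudAgent) Fetch(inbox, token string) ([]Envelope, error) {
	want, ok := a.tokens[inbox]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(token)) != 1 {
		return nil, errors.New("not the inbox owner")
	}
	msgs := a.queues[inbox]
	delete(a.queues, inbox)
	return msgs, nil
}

// NewRelationshipKey models the per-relationship secret two wallets share (how it is agreed
// is out of scope here, so it is simply generated).
func NewRelationshipKey() []byte { return randomBytes(32) }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a DID message for the peer; the random nonce is prefixed to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts an envelope body; with any key other than the relationship key it fails.
func Open(key, ciphertext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}
```

The same property is what makes the key-backup function described above acceptable: a backup is just another opaque blob the agent stores for the owner, encrypted under a key the agent never holds, so changing or cancelling the agent provider costs the owner nothing but a re-registration.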


Distributed digital identity application

Distributed digital identity services are suitable for distributed applications, traditional Internet services, and even centralized application service systems.

As a unified digital identity independent of any application, distributed digital identity is typically applied (for verification) as follows:

  1. The identity holder establishes an anonymous DID relationship with the service provider while accessing a specific service, and initiates the related transaction request within the secure channel;
  2. The identity request sent by the service provider reaches the identity holder's terminal device via the holder's message entry point and wakes up the client application that serves as the identity wallet;
  3. The identity holder responds to the service provider's identity request through the client application; if the holder confirms, the wallet application constructs the verifiable identity credential to return to the requester;
  4. The requester receives the identity holder's verifiable credential and verifies it, and the business system decides whether to authorize access to the related service according to the verification result.


Figure 6. Credential-based authorized access method

As can be seen, in attribute-based authorized access the identity owner does not need to remember or provide a secret such as a username and password. Construction of the cryptographic identity credential is handled entirely by the program; all the identity holder has to do is respond to the identity request, and that response can be given securely, simply and conveniently through biometrics.
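As an added example that is not part of the original report, the following Go program models both the relationship chain described in the wallet section and the four-step credential-based access flow above: each Connect call creates a pairwise DID, key and inbox that share nothing with other peers; Respond builds a signed presentation only once the owner confirms and discloses only the requested attributes; Verify on the service side resolves the holder's key, checks that the presentation is bound to this request, and checks the signature. The did:example method, the agent.example host, the attribute names and the nonce values are constructed for the example, and embedding the public key in the DID stands in for a ledger lookup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Relationship is one link of the owner's relationship chain: pairwise DID, per-relationship key, inbox; none is reused across peers.
type Relationship struct {
	MyDID, Endpoint string
	priv            ed25519.PrivateKey
}

// Wallet holds the relationship chain plus the owner's locally stored attributes.
type Wallet struct {
	rels   map[string]*Relationship
	claims map[string]string
}

func NewWallet(claims map[string]string) *Wallet { return &Wallet{rels: map[string]*Relationship{}, claims: claims} }

// Connect starts a relationship with a fresh key pair, DID and inbox. The DID embeds the public
// key (a did:key-style shortcut standing in for a ledger lookup); "did:example" and agent.example are placeholders.
func (w *Wallet) Connect(peer string) (*Relationship, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	inbox := make([]byte, 8)
	rand.Read(inbox) // crypto/rand: a failure here is fatal in current Go, never a short read
	rel := &Relationship{priv: priv,
		MyDID:    "did:example:" + base64.RawURLEncoding.EncodeToString(pub),
		Endpoint: "https://agent.example/inbox/" + base64.RawURLEncoding.EncodeToString(inbox)}
	w.rels[peer] = rel
	return rel, nil
}

// IdentityRequest (step 2): the attributes the service needs and a nonce binding the reply to this request.
type IdentityRequest struct {
	Verifier   string   `json:"verifier"`
	Attributes []string `json:"attributes"`
	Nonce      string   `json:"nonce"`
}

// body is the signed part of a Presentation (a simplified verifiable presentation).
type body struct {
	Holder   string            `json:"holder"`
	Verifier string            `json:"verifier"`
	Claims   map[string]string `json:"claims"`
	Nonce    string            `json:"nonce"`
}
type Presentation struct {
	body
	Sig string `json:"sig"`
}

// Respond (step 3): only after the owner confirms does the wallet build the presentation,
// disclosing just the requested attributes and signing with this relationship's key.
func (w *Wallet) Respond(peer string, req IdentityRequest, confirmed bool) (*Presentation, error) {
	if !confirmed {
		return nil, errors.New("identity owner declined the request")
	}
	rel := w.rels[peer]
	if rel == nil {
		return nil, errors.New("no relationship with this peer")
	}
	b := body{Holder: rel.MyDID, Verifier: req.Verifier, Claims: map[string]string{}, Nonce: req.Nonce}
	for _, a := range req.Attributes {
		v, ok := w.claims[a]
		if !ok {
			return nil, errors.New("wallet does not hold attribute " + a)
		}
		b.Claims[a] = v
	}
	msg, _ := json.Marshal(b) // encoding/json sorts map keys, so the signed bytes are stable
	return &Presentation{body: b, Sig: base64.RawURLEncoding.EncodeToString(ed25519.Sign(rel.priv, msg))}, nil
}

// Verify (step 4, service side): resolve the holder key from the DID, check the binding to
// this request and the signature, and return the verified claims for the authorization decision.
func Verify(p *Presentation, req IdentityRequest) (map[string]string, error) {
	pub, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(p.Holder, "did:example:"))
	if !strings.HasPrefix(p.Holder, "did:example:") || err != nil || len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("cannot resolve holder key")
	}
	if p.Nonce != req.Nonce || p.Verifier != req.Verifier {
		return nil, errors.New("presentation is not bound to this request")
	}
	msg, _ := json.Marshal(p.body)
	sig, err := base64.RawURLEncoding.DecodeString(p.Sig)
	if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		return nil, errors.New("invalid signature")
	}
	return p.Claims, nil
}
```

Two design points carry the security argument of the section: the presentation is signed with the key of the relationship it travels over, so a service provider learns nothing that links this DID to the owner's other relationships, and the nonce plus verifier binding means a captured presentation cannot be replayed to the same or another service.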

Fourth, the status quo of distributed digital identity research and development

As the "fifth territory", cyberspace security has been highly valued by all countries. To strengthen cyber security research and development, countries have issued their own national cyber security strategies; China released its "National Cyberspace Security Strategy" in December 2016, which emphasizes improving the network governance system, strengthening the foundations of network security and enhancing cyberspace protection capabilities. As the basic means of ensuring network security, trusted identity management has always been an important research topic in the field.

In 2011, the United States issued the "National Strategy for Trusted Identities in Cyberspace", planning to build an identity ecosystem for network entities within several to ten years; in the same year the UK launched an identity protection program aimed at building a one-stop universal identity service that gives the public a secure and fast way to authenticate to government websites; in recent years Russia has issued ID cards with citizen identification functions; and the Korean government has established the "I-PIN" network identity platform, used by network entities to register for related services.

Distributed digital identity is the answer to the trusted digital identity problem and the key to breaking the data monopoly. Research on it emerged together with the validation and application of distributed ledger technology and has developed rapidly; it has already produced substantial technical and standardization results and several mainstream architectures internationally.

In 2018, Microsoft and ID2020 jointly developed a distributed digital identity network to help individuals and refugees access basic services, including health care and education in their new places of residence, and to digitize traditional paper birth certificates and education certificates. Microsoft and MasterCard are also working together on a digital identity partnership to address the status of refugees, ensuring that these users can access normal financial and social services and meet anti-money-laundering requirements.

As a leader and practitioner in the field of digital identity, IBM has recently backed a number of startups, projects and alliances related to distributed digital identity, including the Indy open-source project under Hyperledger, which IBM co-sponsors to promote cooperation among all parties, and a blockchain authentication network being built by IBM, SecureKey and members of the Canadian digital identity ecosystem, including major banks, telecommunications companies and government agencies. In the first quarter of 2019, Visa teamed up with IBM to launch a blockchain-based digital identity system to improve cross-border payment security. In addition, a number of blockchain-based digital identity projects have emerged worldwide, among them uPort, Civic, AirPlatform and SelfKey.

In China, digital identity on the Internet is still at the federated identity stage. With the development of Web 2.0, platform vendors such as BAT have grown ever stronger, WeChat and Alipay have enormous user bases, and Alibaba and Tencent have accumulated large amounts of user identity information. Because the cost of Internet access keeps rising, many small and micro enterprises and merchants prefer federated identity, using the user identity access interfaces provided by WeChat or Alipay. In the long run, by the Matthew effect, the Internet giants' user data will keep growing, and such a data monopoly carries considerable risk: the concentrated data becomes a honeypot.


Today the world has entered the era of the digital economy. According to IDC, by 2021 at least 50% of global GDP will be contributed by the digital economy. In China, the digital economy reached 22.6 trillion yuan in 2016 and 31.3 trillion yuan in 2018, 34.8% of GDP, and has become an important engine of China's economic development. It is predicted that by 2030 China's digital economy will account for more than 50% of GDP and China will fully enter the digital economy era.

Network security and informatization are two wings of one body and two wheels of one cart: without network security there is no national security, and without informatization there is no modernization. Network security and informatization must be planned, deployed, promoted and implemented in a unified way. To better promote the development of the digital economy and adapt to an increasingly rich digital life, we need to think early about the underlying governance of network security and the protection of data privacy, develop independent and controllable information security technology, and build a secure, convenient, society-wide distributed digital identity system that addresses the security, privacy and interoperability problems of existing digital identity and further advances the construction of a national trusted network.

