Decoding Microsoft's decentralized digital identity system

Hyperledger China Co-Chair

If you follow blockchain news, you may have noticed two items: first, Microsoft wants to build its own electronic identity infrastructure platform, ION, on top of the Bitcoin network; second, the Canadian province of British Columbia uses decentralized identity based on Hyperledger Indy, which cuts its spending by billions of dollars every year.

So what is identity? Each of us has many identities: we are citizens of a country, and we are also employees of a company. To prove our identities we invented certificates. It is said that a Chinese person has to obtain 103 certificates in a lifetime! Before you are born, your parents apply for a birth permit; once you are born you need a birth certificate, then an ID card, a vaccination record, a school enrolment permit, a diploma, a marriage certificate, social insurance and housing provident fund records, and so on; on retirement a retirement certificate is needed, and when a person dies a death certificate is needed. Those 103 are only the long-term documents issued by government departments. We also use many temporary documents: transport tickets and cinema tickets, credentials for particular settings such as work badges, and all kinds of membership cards. These are physical documents. A certificate generally shows basic information such as the holder's name and sex, and often a photo so that the holder can be recognised. A great deal of additional information is usually associated with the document; it is stored in the corresponding personal file, which is kept by the issuing authority. That information is shared between the holder and the issuing authority.

With the advent of the Internet, most of us have registered countless online IDs for social needs and for access to a wide variety of Internet services. As enterprises digitise, they run more and more IT systems and devices that employees need to access, so we also need many IDs inside the enterprise.

This creates two problems. First, there are too many IDs: management becomes much harder, and an individual has no way to keep track of so many IDs and passwords. Second, the IDs carry little assurance of who is behind them, which makes identity verification difficult.

The first problem, too many IDs, is naturally solved by reducing the number of IDs.

First, Internet platforms adopt open authorization standards (OAuth). What is open authorization? Large companies such as QQ, WeChat, Facebook and Google open up their ID authentication systems so that other websites and apps can authenticate users through them. For example, we can now log in to many mobile apps with WeChat. For us as users, this spares us from keeping many IDs and passwords; for the app operators, it simplifies ID management. And the ID systems of big companies such as WeChat, Facebook and Google are generally more secure and reliable: passwords are harder to steal, so our personal information is better protected. The trade-off is that the provider becomes a single point of failure that every linked app depends on, and the app still has to validate what the provider hands it.
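The delegated login described above (Google Sign-In, for instance, is OpenID Connect layered on OAuth 2.0) ends with the identity provider handing the app a signed ID token, and the checks the app must then make on that token are where logins via a reputable provider still go wrong. The following Go program is an added example, not code from this article or from any provider: a hypothetical provider mints an RS256-signed ID token, and a relying party verifies it. The signing key, issuer URL, client id and nonce are all constructed for the example, and the `aud` claim is handled in its single-string form.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of OpenID Connect ID-token claims checked below
// (OIDC also allows "aud" to be an array; this example handles the string form).
type Claims struct {
	Iss   string `json:"iss"`   // the identity provider that issued the token
	Sub   string `json:"sub"`   // the user, as that provider knows them
	Aud   string `json:"aud"`   // the client application the token was minted for
	Exp   int64  `json:"exp"`   // expiry, Unix seconds
	Nonce string `json:"nonce"` // echoed from the login request; defeats replay
}

var b64 = base64.RawURLEncoding

// newRSAKey stands in for the provider's signing key (hypothetical; a real
// provider publishes its public keys at its JWKS endpoint).
func newRSAKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// encodeJSON and decodeJSON handle the base64url(JSON) segments of a JWT.
func encodeJSON(v interface{}) string {
	b, _ := json.Marshal(v)
	return b64.EncodeToString(b)
}

func decodeJSON(seg string, v interface{}) error {
	b, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// mintIDToken plays the provider: header.payload signed with RS256.
func mintIDToken(priv *rsa.PrivateKey, c Claims) string {
	input := encodeJSON(map[string]string{"alg": "RS256"}) + "." + encodeJSON(c)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// unsignedToken is the classic "alg":"none" forgery an attacker would present.
func unsignedToken(c Claims) string {
	return encodeJSON(map[string]string{"alg": "none"}) + "." + encodeJSON(c) + "."
}

// verifyIDToken plays the relying party. The provider's reputation performs
// none of these checks for you; each one closes a known hole.
func verifyIDToken(tok string, pub *rsa.PublicKey, wantIss, wantAud, wantNonce string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm instead of trusting the header: this rejects "none"
	// and RSA/HMAC key-confusion tokens alike.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, _ := b64.DecodeString(parts[2]) // an undecodable signature simply fails to verify
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, errors.New("issuer mismatch")
	case c.Aud != wantAud: // a genuine token minted for another app must not log in here
		return nil, errors.New("audience mismatch")
	case now >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != wantNonce: // replayed from an earlier login attempt
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}
```

The audience check matters more than it looks: a token that Google genuinely issued for some other app is still a valid Google token, and an app that only checks the signature will log that app's user in as its own.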

Second, inside the enterprise, a dedicated ID management tool is used. Microsoft's Active Directory is the outstanding representative of such tools. An employee registers just one ID in AD; different access rights are granted to employees through AD, and the employee uses that single ID to reach different systems and devices.

Identity verification is implemented with asymmetric cryptography, in the arrangement commonly called PKI (Public Key Infrastructure). This requires a trusted third party: the CA (Certificate Authority). After verifying the applicant's identity, the CA issues a digital certificate that states the holder's identity and public key; the certificate is public, while the holder keeps the corresponding private key and must never disclose it to anyone. A party that needs to verify the holder's identity obtains the holder's certificate (from the holder, or from the CA's directory). During communication, one side uses the public key from the certificate and the other side uses the matching private key: data encrypted with the public key can be decrypted only with the private key, and a signature made with the private key can be checked by anyone holding the public key, which is how the holder proves possession of the key without revealing it. The asymmetric algorithm guarantees the security of the data; in practice it protects a signature or a short session key, and the bulk of the data is then protected by symmetric encryption.

However, PKI is not omnipotent; it also has many shortcomings. The CA is a strongly centralised third party, and issuing and maintaining certificates costs money. Once a digital certificate is issued it can easily be obtained by anyone: the certificate has an expiry date, but even after it expires, whatever was written in it (name, organisation, e-mail address) remains visible. Renewing a certificate is inconvenient, and revoking one before it expires is harder still. Think of how complicated it is to replace your ID card.
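To make the PKI flow of the two paragraphs above concrete, here is an added example in Go (not code from this article): a hypothetical CA self-signs a root, issues a certificate that binds a name to a holder's public key, and a verifier checks the chain, the validity period and a signed challenge, the last being what actually proves that the presenter holds the private key. The CA name, holder name, validity periods and challenge are constructed for the example. It also shows the expiry point: the same certificate that verifies today fails once the verifier's clock passes its NotAfter, even though its contents remain readable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newKey makes a P-256 key pair; the private half never leaves its owner.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert parses the DER produced by x509.CreateCertificate.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeCA self-signs a root certificate for a hypothetical CA. Everything below
// rests on this key staying secret and on verifiers choosing to trust this root.
func makeCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issue plays the CA after it has checked the applicant out of band: it binds
// the applicant's name to the applicant's public key for a limited period.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, pub *ecdsa.PublicKey, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey))
}

// signChallenge plays the holder: identity is proved by signing the verifier's
// fresh challenge with the private key that matches the certificate.
func signChallenge(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyIdentity plays the verifier. The certificate is public, so merely
// presenting it proves nothing: it must chain to the root the verifier trusts,
// be inside its validity period at the time of the check, and be backed by a
// valid signature over a challenge the verifier chose.
func verifyIdentity(root, cert *x509.Certificate, challenge, sig []byte, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // unknown CA, expired, wrong usage, tampered ...
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected key type in certificate")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("challenge signature does not verify")
	}
	return cert.Subject.CommonName, nil
}
```

Note that the verifier passes its own clock into the chain check; a verifier that omits this (or trusts the presenter's clock) will keep accepting a certificate long after the CA intended it to die.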

Is there a better way?


The World Wide Web Consortium (W3C) has proposed the DID (Decentralized Identifier) scheme. At its heart are decentralisation and self-sovereign identity: your own data is entirely under your own control. The Decentralized Identity Foundation (DIF) is an open-source foundation that promotes DID solutions; its main work is to develop concrete technical standards based on DID and to promote interoperability across industries. The foundation currently has 70 members, among them the IT giants IBM, Microsoft, NEC and Accenture; the blockchain organisations Hyperledger, R3 and the Enterprise Ethereum Alliance; the identity-solution vendors Evernym, Sovrin, SecureKey, Validated ID, Auth0 and LifeID; and financial institutions such as Mastercard and WeBank. Many DIF members have their own DID products, including IBM's Trusted Identity, WeBank's WeIdentity, Hyperledger's Indy, and Sovrin, which contributed the code of the Indy project and sponsors it (IBM is a Sovrin member).

These products and solutions are, without exception, built on blockchain technology; blockchain and cryptography are at their core. What is a DID? First, it is a unique identifier, somewhat like a URL: it has the form did:<method>:<method-specific-id>. The DID is associated with a DID document. What is recorded in the DID document is decided by the user, and nothing beyond what is needed has to appear there at all: typically public keys and service endpoints, but no name or other personal attributes. The DID system has three roles: the issuer, the holder and the verifier. The holder obtains a credential from the issuer, and the verifier checks the holder's credential as needed. The DID data (the identifier and its document) is stored on the blockchain; no private data is stored on chain, and the credentials themselves stay with the holder. The three parties interact directly with one another using asymmetric cryptography, zero-knowledge proofs and other cryptographic techniques.
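As an added example (not code from this article or from any DIF member's product), the following Go program fits the pieces of the paragraph above together: DID syntax, a DID document that carries only a public key, an in-memory map standing in for the ledger, and a verifier that authenticates a holder by challenge and signature with no CA involved. The DID, the key pair and the challenge are constructed for the example; the JSON layout follows the W3C DID Core document model with a JsonWebKey2020 verification method, chosen because an Ed25519 key in JWK form needs nothing outside Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// DID syntax from W3C DID Core: did:<method>:<method-specific-id>.
var didRe = regexp.MustCompile(`^did:([a-z0-9]+):([A-Za-z0-9._%-]+(?::[A-Za-z0-9._%-]+)*)$`)

func parseDID(s string) (method, id string, err error) {
	m := didRe.FindStringSubmatch(s)
	if m == nil {
		return "", "", fmt.Errorf("not a DID: %q", s)
	}
	return m[1], m[2], nil
}

// DIDDocument is the subset of a W3C DID document used here: public keys, and
// which of them may authenticate as the DID subject. Note what is absent:
// no name, no attributes, nothing personal.
type DIDDocument struct {
	Context            []string             `json:"@context"`
	ID                 string               `json:"id"`
	VerificationMethod []VerificationMethod `json:"verificationMethod"`
	Authentication     []string             `json:"authentication"`
}

type VerificationMethod struct {
	ID           string            `json:"id"`
	Type         string            `json:"type"`
	Controller   string            `json:"controller"`
	PublicKeyJwk map[string]string `json:"publicKeyJwk"`
}

// registry stands in for the ledger (an assumption of this example): DID -> document JSON.
type registry map[string]string

func (r registry) resolve(did string) (*DIDDocument, error) {
	if _, _, err := parseDID(did); err != nil {
		return nil, err
	}
	raw, ok := r[did]
	if !ok {
		return nil, errors.New("DID not registered")
	}
	var doc DIDDocument
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, err
	}
	if doc.ID != did {
		return nil, errors.New("document id does not match the DID")
	}
	return &doc, nil
}

// newHolderKey makes the holder's Ed25519 key pair (constructed for this example).
func newHolderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// publishDocument is what the holder registers: only the public key goes on
// the ledger, as a JSON Web Key; the private key never leaves the holder.
func publishDocument(did string, pub ed25519.PublicKey) string {
	keyID := did + "#key-1"
	doc := DIDDocument{
		Context: []string{"https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/jws-2020/v1"},
		ID:      did,
		VerificationMethod: []VerificationMethod{{
			ID: keyID, Type: "JsonWebKey2020", Controller: did,
			PublicKeyJwk: map[string]string{"kty": "OKP", "crv": "Ed25519", "x": base64.RawURLEncoding.EncodeToString(pub)},
		}},
		Authentication: []string{keyID},
	}
	b, _ := json.Marshal(doc)
	return string(b)
}

// sign plays the holder answering a verifier's challenge.
func sign(priv ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(priv, challenge) }

// verifyHolder plays the verifier. It resolves the DID itself, checks that the
// named key is authorised for authentication, and verifies the holder's
// signature over a challenge the verifier chose. No CA takes part: the ledger
// entry plus the signature are the whole trust chain.
func verifyHolder(reg registry, did, keyID string, challenge, sig []byte) error {
	doc, err := reg.resolve(did)
	if err != nil {
		return err
	}
	authorised := false
	for _, id := range doc.Authentication {
		authorised = authorised || id == keyID
	}
	if !authorised {
		return errors.New("key is not listed for authentication")
	}
	for _, vm := range doc.VerificationMethod {
		if vm.ID != keyID {
			continue
		}
		if vm.Type != "JsonWebKey2020" || vm.PublicKeyJwk["crv"] != "Ed25519" {
			return errors.New("unsupported verification method")
		}
		pub, err := base64.RawURLEncoding.DecodeString(vm.PublicKeyJwk["x"])
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return errors.New("malformed public key")
		}
		if !ed25519.Verify(ed25519.PublicKey(pub), challenge, sig) {
			return errors.New("signature does not verify")
		}
		return nil
	}
	return errors.New("key not found in DID document")
}
```

The authentication list is the part most often skipped: a DID document may list keys for other purposes (key agreement, assertion), and a verifier that accepts any key in the document lets a key that was never meant to log in do exactly that.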

Although both are DIDs, Microsoft's ION and Indy are very different. Indy is based on a consortium (permissioned) chain that the consortium members must operate themselves (Sovrin has built a global network), whereas ION anchors its data in the public Bitcoin chain. Recently Bitcoin has soared, and I do not know whether that is related to ION. If ION succeeds, it will affect open-authorization ID systems such as Facebook's and Google's.

Whether ION succeeds, we shall wait and see.

This article is an Interchain Pulse exclusive; original link: ; please credit the source when reproducing it.

Text: Zhao Zhenhua, Interchain Pulse special contributor