Adopting permissioned-chain technology in the enterprise is a challenging road. Fundamentally, the so-called Web3 stack built on distributed ledgers is not yet mature enough to implement complex enterprise business processes. Among the missing building blocks of enterprise blockchain platforms, identity is a top priority, because it is a ubiquitous requirement of next-generation enterprise solutions. This article explores the identity management capabilities and identity-layer models of enterprise blockchain solutions.
Image source: The Blue Diamond Gallery
Over the past five years, the enterprise identity stack has grown enormously, as a new generation of technologies has driven the transition from complex systems such as CA or Microsoft Active Directory to more open, API-driven platforms such as Okta, Ping Identity and OneLogin, and to the identity services built into AWS, Azure and Google Cloud. These platforms move identity capabilities out of proprietary systems and onto open protocols such as SAML and OpenID Connect. That does not mean enterprise identity management has become simple and easy to use. On the contrary, as identity functions have grown, the requirements on identity management solutions have become more and more complex. Looking at identity management architectures in today's enterprises, a few characteristics stand out:
Centralized identity providers : Enterprise identity management solutions typically rely on a centralized identity provider that receives some form of user credentials as input and outputs an identity assertion (a SAML assertion or an OpenID Connect ID token, for example).
Standard identity protocols : A large share of enterprise identity management solutions today interact through protocols such as SAML, OAuth2 and OpenID Connect.
Fragmented identity data : User identities in an enterprise are spread across different business systems and user directories, so different applications tend to interact with different representations of the same user identity.
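To make the centralized model concrete, here is an added example (not code from the original article or from any of the products named above) of the flow those three characteristics describe: an identity provider that takes a username and password, looks them up in its directory, and returns a signed assertion; and a relying party that accepts the assertion only if it was signed by the one issuer key it was configured with out of band. The assertion format, the issuer name `https://idp.example.internal`, the audience `ledger-app` and the directory entry are all constructed for the example; the claim names follow OpenID Connect, but the token is neither a real JWT nor a SAML assertion. It is written in Go using only the standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a minimal identity assertion. The claim names mirror OIDC ID
// token claims, but the format is a hypothetical stand-in, not SAML or JWT.
type Assertion struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"`
}

// Token is the provider's output: the serialized assertion and its signature.
type Token struct{ Payload, Sig []byte }

// IdentityProvider is the centralized issuer: it alone holds the signing key
// and the user directory, so every assertion in the system traces back to it.
type IdentityProvider struct {
	Name  string
	Pub   ed25519.PublicKey // what relying parties fetch out of band (IdP metadata)
	priv  ed25519.PrivateKey
	users map[string][32]byte // username -> SHA-256 of password (constructed directory)
}

func NewIdentityProvider(name string) (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, Pub: pub, priv: priv, users: map[string][32]byte{}}, nil
}

func (idp *IdentityProvider) AddUser(user, password string) {
	idp.users[user] = sha256.Sum256([]byte(password))
}

// Authenticate takes user credentials as input and outputs a signed assertion
// bound to one audience and a short lifetime.
func (idp *IdentityProvider) Authenticate(user, password, audience string, now time.Time) (*Token, error) {
	want, known := idp.users[user]
	got := sha256.Sum256([]byte(password))
	// Constant-time compare first, then fold in the lookup result, so unknown
	// users and wrong passwords take the same path.
	if subtle.ConstantTimeCompare(got[:], want[:]) != 1 || !known {
		return nil, errors.New("invalid credentials")
	}
	payload, err := json.Marshal(Assertion{Issuer: idp.Name, Subject: user, Audience: audience,
		Expires: now.Add(5 * time.Minute).Unix()})
	if err != nil {
		return nil, err
	}
	return &Token{Payload: payload, Sig: ed25519.Sign(idp.priv, payload)}, nil
}

// RelyingParty is an application configured to trust exactly one issuer key.
type RelyingParty struct {
	Audience, Issuer string
	IssuerKey        ed25519.PublicKey
}

// Verify checks the signature before parsing anything, then the claims that
// bind the assertion to this application and to the current time.
func (rp RelyingParty) Verify(tok *Token, now time.Time) (*Assertion, error) {
	if tok == nil || !ed25519.Verify(rp.IssuerKey, tok.Payload, tok.Sig) {
		return nil, errors.New("bad signature")
	}
	var a Assertion
	if err := json.Unmarshal(tok.Payload, &a); err != nil {
		return nil, err
	}
	switch {
	case a.Issuer != rp.Issuer:
		return nil, errors.New("unexpected issuer")
	case a.Audience != rp.Audience:
		return nil, errors.New("assertion was issued for another audience")
	case now.Unix() >= a.Expires:
		return nil, errors.New("assertion expired")
	}
	return &a, nil
}

func main() {
	idp, _ := NewIdentityProvider("https://idp.example.internal") // hypothetical issuer name
	idp.AddUser("alice", "correct horse battery staple")
	rp := RelyingParty{Audience: "ledger-app", Issuer: idp.Name, IssuerKey: idp.Pub}
	tok, _ := idp.Authenticate("alice", "correct horse battery staple", "ledger-app", time.Now())
	fmt.Println(rp.Verify(tok, time.Now()))
}
```

The point to notice is where trust lives: the relying party never sees a password and never talks to the directory; it trusts one key, configured in advance, and every assertion in the system is only as good as that one issuer. That is the centralized assertion model the rest of the article contrasts with a ledger.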
Fundamental frictions in implementing identity on a permissioned chain
Taken together, these characteristics mean that user identities in the enterprise are distributed across many systems but asserted by centralized identity providers. Between that architecture and blockchain technology there are two fundamental points of friction that need to be addressed:
· Consensus versus identity
· Centralized versus decentralized identity assertions
Fundamental friction in enterprise system architecture and blockchain technology
Consensus versus identity
Enabling identity management on a permissioned chain creates friction with the underlying principles of the decentralized layer. The biggest contribution of blockchain technology is that, for the first time in the history of computer science, we have a model in which we can trust mathematics and cryptography rather than centralized entities. On that principle, blockchain architectures are built around a consensus protocol. In the decentralized world, identity is deliberately not a basic building block: participants are unknown to each other, and the network reaches its decisions through the dynamics of the consensus protocol rather than through who the participants are.
The computation-based consensus model of the public blockchain stack (proof of work) is fundamentally different from enterprise solutions, in which the identities of the participants are known. In that sense, the benefit of a computationally expensive consensus protocol in a world of known identities is small, which is why permissioned chains usually turn to identity-aware consensus instead.
Centralized versus decentralized identity assertions
The architecture of current enterprise identity management systems relies on a centralized authority to create assertions about user identities. Reconciling that model with a distributed ledger architecture, in which assertions are distributed across the network of participants, is no small matter. Ideally, we need a model in which identity assertions are encoded and chained in a cryptographically verifiable manner and then distributed to the relevant network entities.
Building blocks for decentralized identity on the permissioned chain
In response to some of the challenges listed in the previous section, several technical components can be very useful in a permissioned-chain architecture.
Proof of authority (PoA)
Proof of Authority (PoA) is a consensus mechanism that relies on identity as a first-class object. In a PoA network, consensus is reached by reference to a list of validators: a set of accounts or nodes that are allowed to participate in consensus and that validate transactions and blocks. PoA does not need to solve a computationally expensive puzzle to commit a transaction. Instead, a block only needs to be signed by a majority of the validators, at which point it becomes part of the permanent record.
Proof of authority
For enterprise blockchain scenarios, PoA consensus is also very practical because it leverages the existing identities of users and systems. There are already several PoA implementations aimed at permissioned chains, including Parity's Aura engine and the Ethereum proof-of-authority offering on Microsoft Azure.
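As an added example (not code from Parity, Azure, or the original article), here is the core of a PoA finalization rule in Go using only the standard library: a fixed authority set whose members' keys every node knows in advance, validators that sign block hashes with those keys, and a finalizer that accepts a block once a strict majority of distinct authorities have signed it. The consortium names, the block layout and the transaction strings are constructed for the example; a real engine would also handle proposer rotation and forks, which are outside the point made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Block is a simplified block: height, parent hash and transactions.
type Block struct {
	Height   uint64
	PrevHash [32]byte
	Txs      []string
}

// Hash commits to every field; transactions are length-prefixed so two
// different transaction lists can never produce the same preimage.
func (b Block) Hash() [32]byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%x|", b.Height, b.PrevHash)
	for _, tx := range b.Txs {
		fmt.Fprintf(h, "%d:%s", len(tx), tx)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Validator is one authority: an identity known to every participant, which is
// what lets PoA skip the computational puzzle entirely.
type Validator struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewValidator(name string) (*Validator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Validator{Name: name, Pub: pub, priv: priv}, nil
}

// Attestation is one validator's signature over a block hash.
type Attestation struct {
	Signer string
	Sig    []byte
}

func (v *Validator) Attest(b Block) Attestation {
	h := b.Hash()
	return Attestation{Signer: v.Name, Sig: ed25519.Sign(v.priv, h[:])}
}

// AuthoritySet is the fixed validator list every node is configured with.
type AuthoritySet struct{ keys map[string]ed25519.PublicKey }

func NewAuthoritySet(vs ...*Validator) AuthoritySet {
	s := AuthoritySet{keys: map[string]ed25519.PublicKey{}}
	for _, v := range vs {
		s.keys[v.Name] = v.Pub
	}
	return s
}

// Threshold is the smallest strict majority of the validator set.
func (s AuthoritySet) Threshold() int { return len(s.keys)/2 + 1 }

// Finalize counts valid signatures from distinct authorities over this block's
// hash and accepts the block once a majority is reached. Unknown signers,
// duplicates and signatures over other blocks count for nothing, so the list
// cannot be padded to reach the threshold.
func (s AuthoritySet) Finalize(b Block, atts []Attestation) (int, error) {
	h := b.Hash()
	seen := map[string]bool{}
	for _, a := range atts {
		pub, ok := s.keys[a.Signer]
		if !ok || seen[a.Signer] || !ed25519.Verify(pub, h[:], a.Sig) {
			continue
		}
		seen[a.Signer] = true
	}
	if len(seen) < s.Threshold() {
		return len(seen), fmt.Errorf("block %d: %d of %d required validator signatures", b.Height, len(seen), s.Threshold())
	}
	return len(seen), nil
}

func main() {
	a, _ := NewValidator("bank-a") // constructed three-member consortium
	b, _ := NewValidator("bank-b")
	c, _ := NewValidator("bank-c")
	set := NewAuthoritySet(a, b, c)
	blk := Block{Height: 1, Txs: []string{"transfer:alice->bob:10"}}
	fmt.Println(set.Finalize(blk, []Attestation{a.Attest(blk), c.Attest(blk)}))
}
```

Everything that makes this cheap rests on the authority set being known and fixed: the finalizer never asks how much work went into the block, only who signed it, which is exactly the trade that makes PoA fit a consortium of known parties and unfit for an open network.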
Decentralized identity protocols
Achieving decentralized identity requires re-architecting identity itself, moving many functions of traditional identity systems onto the decentralized network of participants.
For the past 20 years Microsoft has been one of the leaders in identity management, and it, too, recognizes that blockchains need a new identity model. Inspired by the work of the Decentralized Identity Foundation (DIF), Microsoft recently proposed a forward-looking architecture to support decentralized identity on blockchains. Microsoft's architecture includes the following components:
Microsoft Decentralized Identity Management Architecture
· W3C Decentralized Identifiers (DIDs) : Users create, own, and control identifiers that are independent of any organization or government. A DID is a globally unique identifier that links to Decentralized Public Key Infrastructure (DPKI) metadata: a JSON document (the DID document) containing public key material, authentication descriptors, and service endpoints.
· Decentralized systems : DIDs are rooted in decentralized systems that provide the mechanisms and capabilities DPKI requires.
· DID user agents : Applications that let a real person use a decentralized identity. User agent apps help create DIDs, manage data and permissions, and sign and verify claims related to DIDs.
· DIF Universal Resolver : A server that uses a collection of DID drivers to provide a standard way to look up and resolve DIDs across different clients and decentralized systems, returning the DID document object that encapsulates the DID's DPKI metadata.
· DIF Identity Hubs : A replicated mesh of encrypted personal datastores, made up of cloud and edge instances (such as mobile phones, PCs, or smart speakers), that facilitates identity data storage and identity interactions.
· DID attestations : Attestations signed with DIDs, based on standard formats and protocols. They let identity owners generate, present, and verify claims, which forms the basis of trust between users of the system.
For the permissioned chain, decentralized identity protocols provide a clear bridge between traditional enterprise identity management systems and blockchain DApps.
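The components above map onto a small amount of code. The following Go program is an added example, not the code of Microsoft's architecture or of any DIF project: a DID owner (the user agent side) publishes a DID document with one Ed25519 verification key, a resolver stands in for the universal resolver with a single hypothetical `did:example` method driver over an in-memory registry, and a verifier checks a signed claim by resolving the issuer's DID and using the key the issuer's own document lists. The DID names, the claim, and the base64url key encoding (real documents use `publicKeyMultibase`) are simplifications made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// DIDDocument is a trimmed DID document, the DPKI metadata a resolver returns.
type DIDDocument struct {
	ID                 string
	VerificationMethod []VerificationMethod
}
type VerificationMethod struct{ ID, Type, Controller, PublicKeyBase64 string }

// Claim is a statement an issuer DID makes about a subject DID.
type Claim struct{ Issuer, Subject, Type, Value string }

// SignedClaim carries the claim bytes, the DID URL of the signing key and the signature.
type SignedClaim struct {
	Payload []byte
	KeyID   string // e.g. did:example:alice#key-1
	Sig     []byte
}

// Resolver stands in for the DIF universal resolver: it parses the DID method and
// dispatches to a driver. Only the hypothetical "example" method is wired up, backed
// by an in-memory registry that plays the role of the decentralized system.
type Resolver struct{ registry map[string]*DIDDocument }
func (r *Resolver) Resolve(did string) (*DIDDocument, error) {
	parts := strings.SplitN(did, ":", 3)
	if len(parts) != 3 || parts[0] != "did" || parts[2] == "" {
		return nil, fmt.Errorf("%q is not a DID", did)
	}
	doc, ok := r.registry[did]
	if parts[1] != "example" || !ok {
		return nil, fmt.Errorf("cannot resolve %s", did)
	}
	return doc, nil
}

// Identity is the owner's side, what a user agent holds: the DID and its private key.
type Identity struct {
	DID  string
	priv ed25519.PrivateKey
}

// NewIdentity creates a self-controlled DID under the "example" method and
// publishes its document (one Ed25519 key) to the resolver's registry.
func NewIdentity(name string, r *Resolver) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	did := "did:example:" + name
	r.registry[did] = &DIDDocument{ID: did, VerificationMethod: []VerificationMethod{{
		ID: did + "#key-1", Type: "Ed25519VerificationKey2020", Controller: did,
		PublicKeyBase64: base64.RawURLEncoding.EncodeToString(pub)}}}
	return &Identity{DID: did, priv: priv}, nil
}

// Sign serializes a claim and signs it with the identity's key-1.
func (id *Identity) Sign(c Claim) *SignedClaim {
	payload, _ := json.Marshal(c) // four string fields: marshalling cannot fail
	return &SignedClaim{Payload: payload, KeyID: id.DID + "#key-1", Sig: ed25519.Sign(id.priv, payload)}
}

// VerifyClaim resolves the issuer's DID and checks the signature against the key
// listed in the issuer's own document: trust comes from resolution rather than a
// pre-configured issuer key, and the key must belong to the claimed issuer.
func VerifyClaim(r *Resolver, sc *SignedClaim) (*Claim, error) {
	var c Claim
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(sc.KeyID, c.Issuer+"#") {
		return nil, fmt.Errorf("key %s does not belong to issuer %s", sc.KeyID, c.Issuer)
	}
	doc, err := r.Resolve(c.Issuer)
	if err != nil {
		return nil, err
	}
	for _, vm := range doc.VerificationMethod {
		if vm.ID != sc.KeyID || vm.Type != "Ed25519VerificationKey2020" {
			continue
		}
		pub, err := base64.RawURLEncoding.DecodeString(vm.PublicKeyBase64)
		if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sc.Payload, sc.Sig) {
			return nil, fmt.Errorf("bad signature")
		}
		return &c, nil
	}
	return nil, fmt.Errorf("key %s not listed in issuer's DID document", sc.KeyID)
}

func main() {
	r := &Resolver{registry: map[string]*DIDDocument{}}
	alice, _ := NewIdentity("alice", r) // constructed identities
	bob, _ := NewIdentity("bob", r)
	fmt.Println(VerifyClaim(r, alice.Sign(Claim{Issuer: alice.DID, Subject: bob.DID, Type: "EmployeeOf", Value: "Example Corp"})))
}
```

The check that `KeyID` starts with the issuer's DID is the one that is easy to forget and that matters most: without it, anyone with a resolvable DID could sign a claim naming a more trusted issuer and point the verifier at their own key. The verifier's trust anchor is the resolver (the decentralized system behind it), not a list of issuer keys, which is the bridge to a permissioned chain the paragraph above describes.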
Zero-knowledge identity stores
Proofs, claims, and decentralized hubs are among the most important principles of the decentralized identity model. An interesting idea is to combine decentralized hubs with a zero-knowledge proof protocol (such as zk-SNARKs) to add another layer of privacy to a DID while still allowing other protocols to verify the identity. I like to call this concept a zero-knowledge identity store, and the concept has been supported by protocols such as uPort.
In the zero-knowledge identity store model, assertions about a user's identity are encoded as zk-SNARK proofs and published on chain. Smart contracts can then verify assertions about a user's identity without learning anything about the underlying identity, maintaining strong privacy while still executing on chain.
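zk-SNARKs need a circuit and a proving system, which cannot be shown in a few lines, so the following Go program is an added example (not code from uPort or the original article) of the smallest zero-knowledge proof with the same shape: a non-interactive Schnorr proof of knowledge over P-256, using only the standard library. The identity store holds only the commitment Y = x*G; `Prove` runs in the user agent and `Verify` plays the smart contract, which is convinced the presenter knows x without ever seeing it. The verifier context string is constructed for the example, and P-256 stands in for the pairing-friendly curve a SNARK would use.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Scalars live modulo the prime order N of P-256's group. P-256 is a stand-in;
// a zk-SNARK proves a far richer statement, but the exchange has the same shape.
var (
	curve = elliptic.P256()
	order = curve.Params().N
)

// Point is an affine P-256 point.
type Point struct{ X, Y *big.Int }

// Proof is a non-interactive Schnorr proof of knowledge of x with Y = x*G:
// the commitment T = r*G and the response s = r + c*x mod N.
type Proof struct {
	T Point
	S *big.Int
}

func onCurve(p Point) bool { return p.X != nil && p.Y != nil && curve.IsOnCurve(p.X, p.Y) }

// scalarBytes reduces k mod N and encodes it as the 32-byte form the curve API expects.
func scalarBytes(k *big.Int) []byte {
	return new(big.Int).Mod(k, order).FillBytes(make([]byte, 32))
}

// randomScalar draws uniformly from [1, N-1].
func randomScalar() (*big.Int, error) {
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(order, big.NewInt(1)))
	if err != nil {
		return nil, err
	}
	return k.Add(k, big.NewInt(1)), nil
}

// GenerateIdentity returns the user's secret x and the commitment Y = x*G that
// goes into the on-chain identity store; Y reveals nothing about x beyond the
// hardness of the discrete logarithm.
func GenerateIdentity() (*big.Int, Point, error) {
	x, err := randomScalar()
	if err != nil {
		return nil, Point{}, err
	}
	yx, yy := curve.ScalarBaseMult(scalarBytes(x))
	return x, Point{yx, yy}, nil
}

// challenge is the Fiat-Shamir hash standing in for the verifier's random
// challenge. It binds Y, T and a verifier-chosen context (say the contract's
// nonce and the action being authorized), so a proof cannot be replayed.
func challenge(y, t Point, context []byte) *big.Int {
	h := sha256.New()
	for _, p := range []Point{y, t} {
		h.Write(p.X.FillBytes(make([]byte, 32)))
		h.Write(p.Y.FillBytes(make([]byte, 32)))
	}
	h.Write(context)
	return new(big.Int).Mod(new(big.Int).SetBytes(h.Sum(nil)), order)
}

// Prove runs in the user agent: it shows knowledge of x without sending x.
func Prove(x *big.Int, y Point, context []byte) (*Proof, error) {
	r, err := randomScalar()
	if err != nil {
		return nil, err
	}
	tx, ty := curve.ScalarBaseMult(scalarBytes(r))
	t := Point{tx, ty}
	s := new(big.Int).Mul(challenge(y, t, context), x)
	s.Add(s, r).Mod(s, order)
	return &Proof{T: t, S: s}, nil
}

// Verify is what the smart contract runs. It sees only Y, the context and the
// proof, checks s*G == T + c*Y, and never learns x.
func Verify(y Point, context []byte, p *Proof) bool {
	if p == nil || p.S == nil || !onCurve(y) || !onCurve(p.T) || p.S.Sign() <= 0 || p.S.Cmp(order) >= 0 {
		return false
	}
	c := challenge(y, p.T, context)
	lx, ly := curve.ScalarBaseMult(scalarBytes(p.S))
	cx, cy := curve.ScalarMult(y.X, y.Y, scalarBytes(c))
	rx, ry := curve.Add(p.T.X, p.T.Y, cx, cy)
	return lx.Cmp(rx) == 0 && ly.Cmp(ry) == 0
}

func main() {
	x, y, _ := GenerateIdentity()
	ctx := []byte("contract:vote nonce:42") // constructed verifier context
	proof, _ := Prove(x, y, ctx)
	fmt.Println(Verify(y, ctx, proof), Verify(y, []byte("replayed elsewhere"), proof))
}
```

Two details carry the security argument. The response s is blinded by a fresh r on every proof, so the chain sees a new (T, s) each time and can link none of them to x; and the context goes into the challenge hash, so a proof presented to one contract for one action fails verification anywhere else. Those are the same properties a SNARK-based identity store relies on, with a much larger statement inside the proof.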
Identity is one of the basic building blocks of permissioned-chain applications, and it must be addressed for permissioned chains to reach mainstream adoption. The efforts of organizations such as the Decentralized Identity Foundation (DIF) will drive the integration of traditional identity systems with the new world of blockchain. Although some protocols and tools already exist in this space, implementing identity capabilities in enterprise blockchain solutions remains a fairly complex task.