Skip to main content

Introduction

The goal of this project is to provide an identity agent that follows the principles of Self-Sovereign Identity (SSI) and complies with the EU Digital Identity (EUDI) Wallet specification. We distinguish three roles in the agent implementation: issuer, holder and verifier. The Bundesanzeiger will act as the issuer and provide Enterprise Credentials which reflect business-specific information such as functionaries, ultimate beneficial owners or address. As illustrated in Figure 1, these credentials can be requested by enterprises from the Bundesanzeiger. As enterprises hold claims about themselves, they are referred to as holders. Verifiers who need trustworthy information about enterprises can request these credentials from the relevant enterprises. Trust in this information is established by digital signatures issued by the credential issuer. As a result, the verifier can verify the accuracy of the credential provided by the holder because the digital signature can be verified. While the verifier trusts the issuer, there is no direct communication between the verifier and the issuer. Therefore, the issuer does not know to whom the credential is being presented and the privacy of the holder is protected. To enable verifiers to check the revocation status of a credential, issuers provide privacy-preserving revocation lists. These revocation lists allow the status of a particular credential presented to a verifier to be checked, but cannot be used to derive information about any other credential.

SSI Model

Figure 1: Interaction of actors in the SSI model

In the presented architecture, entities are identified by their Decentralised Identifier (DID). This includes issuers, holders and verifiers. DIDs are generated by and unique to each entity. Further, DIDs are associated with a DID document containing at least a public key for signature and encryption purposes, but may also include communication endpoints, routes and more. Enterprise Wallet users receive individual DIDs. This ensures transparency and accountability, as requests and presentations can be traced back to the individuals who initiated the process. The individual mapping also enables business partners to authenticate and authorise representatives of remote enterprises. DIDs can be anchored in a Verifiable Data Registry (VDR), which is a decentralised, secure system that stores and provides access to cryptographically verifiable data, thus ensuring its authenticity and integrity. Consequently, DIDs can be resolved by querying the corresponding VDR. Furthermore, a VDR permits the publication of revocation status for credentials in a privacy-preserving manner.