The Decentralized ID (DID) standard is currently being developed by the W3C (see here). What are the advantages and disadvantages of this new standard compared to existing federated identity authentication mechanisms such as OpenID and SAML? Why would a consortium of organizations choose DIDs over traditional federated identity approaches?
-
Apples and oranges. You can send any identifier (incl. a DID) in a SAML or OIDC message. – identigral May 25 '19 at 04:44
-
Unfortunately @identigral's statements here are inaccurate, confusing the free-for-all nature of OIDC with actual DID support: there is no official Profile for DIDs in OIDC, but our standards team in the Microsoft Identity division (which I am on) is actively working with others from the decentralized identity community to codify and ratify one so you can do this in a recognized, reliable way. – csuwldcat May 26 '19 at 00:47
-
I'm going to add the following bit to my answer below, given how much uncertainty @identigral introduced into the discussion by misrepresenting the ease of using OIDC to do decentralized identifier exchanges: if you're interested in an emerging way to use DIDs via an OIDC flow, this is a library our team created to do so, which should more or less match the OIDC DID Profile we're helping to codify: https://github.com/decentralized-identity/did-auth-jose/blob/master/docs/OIDCAuthentication.md – csuwldcat May 26 '19 at 01:26
1 Answer
Great question!
Implementations of traditional auth frameworks (e.g. OAuth/OpenID providers) are currently (without the necessary extensions) based on the fundamental assumption that the identifiers users transact with (i.e. usernames and email addresses) are owned by a centralized provider and are essentially loaned to you. They also generally assume your personal and application data is under the control of a provider, who can access it at their leisure.
Decentralized Identity, on the other hand, introduces a very different set of features and models that are almost 180 degrees from existing traditional identity schemes - here are the two most important components:
Decentralized Identifiers (DIDs) is a spec that outlines a standard data format and framework for using decentralized systems to empower users to create and control their own identifiers, independent of a centralized entity. This is extremely powerful. It means your identifier is now 1) truly yours, 2) cannot be arbitrarily taken from you, and 3) that it (+ the cryptographic keys backing it) can be used to sign identity proofs. This means you can't be deplatformed, lose your ID when a business shuts down, or be subject to entities claiming they didn't agree to something (via the signatory proofs you can create).
Open source and standards organizations (e.g. Decentralized Identity Foundation - https://identity.foundation) are also working on another key component of decentralized identity: encrypted personal datastores. This component of the decentralized identity stack represents another major shift in the user model: instead of large companies and platform providers holding all your data in a silo they can access at their leisure, which has been subject to abuse and breaches, your data lives in personal datastores that are encrypted with the keys linked to your Decentralized Identifiers. This means you control your data and who you exchange it with - in this model, even the infrastructure provider of a personal datastore instance is not able to access it.
Decentralized Identity technologies/standards will empower users with a level of control, privacy, and security that has never existed in our digital world, and for that reason I am genuinely excited for what's to come!
UPDATE: due to the inaccuracies another commenter introduced regarding use of decentralized identifiers in OIDC flows, I must point out that while OIDC is a very permissive framework, there is currently no ratified OIDC Profile for doing decentralized identifier exchanges in an official, reliable way. There are several groups (our team at Microsoft and various contributors in the Decentralized Identity Foundation) who are working to pass an official OIDC Profile for Decentralized Identifiers. Here is a library you can use to do OIDC compatible DID auth exchanges that reflects the forthcoming OIDC Profile for DIDs (which we'll update to track the spec, if need be): https://github.com/decentralized-identity/did-auth-jose/blob/master/docs/OIDCAuthentication.md

-
Thank you for your reply! While it is helpful regarding the definition of DIDs and the fundamental difference (decentralized identity ownership vs centralized ownership), I was mainly wondering about the advantages and disadvantages in an organizational scenario. Why would a consortium of organizations choose DIDs over traditional federated identity mechanisms? I edited my question to clarify. – Sigmatics May 31 '19 at 08:33
-
@Sigmatics - organizations would choose DIDs for many reasons: 1) They can have a nontransient ID that can never be taken or expired, like domains can, 2) it allows them to sign more durable cryptographic claims against other DIDs, 3) they can do all these activities with higher assurance that their ID is not being maliciously used or manipulated (ex: the laundry list of fundamental flaws with the Certificate Authority model that DIDs solve) – csuwldcat Jun 01 '19 at 10:38