Self-sovereign identity

Self-sovereign identity (SSI) is a new paradigm in identity management. SURF has been researching SSI for several years now. We look at aspects such as applicability, functionality, technology and privacy. Here you can read more about SSI and what we are doing and have already done.

Student with laptop - Kees Rutten

Interview with Michiel Schok on SSI: the future of identity and access management

Self-sovereign identity (SSI) is the future in the field of digital identity. What exactly is it and what does it mean for identity and access management in education and research? Michiel Schok, team lead of Trust & Identity at SURF, talks about this in this article. He also discusses what SURF is already doing in this field.

Self-sovereign identity: a new principle in identity management

A key principle of self-sovereign identity is that users decide for themselves what data they share and with whom. Identity wallets - digital wallets containing personal data - should start helping people do this. Identity experts have been paying attention to the principles of SSI in recent years, including from a privacy perspective.

European legislation and HOSA-IAM driving SSI

There are also developments such as the European eIDAS 2.0 regulation, which will soon require EU member states to offer a wallet to their citizens. Also, the recently published Higher Education Sector Architecture on identity and access management (HOSA-IAM, pdf) shows that SSI is becoming one of the architecture principles of the future. SURF closely monitors these developments for education and research and, in coordination with the sector, identifies the opportunities offered by SSI. We are also conducting our own technical explorations (see below).

What are the implications for education and research of the rise of SSI?

Much is still unclear about this. Currently, federated authentication via SURFconext is the most common method of logging in to services at institutions. This is likely to remain so for the time being. Particularly for systems at the institution, users continue to log in with their institution account via SURFconext. In the medium term, we do see possibilities for SSI for authenticating users who are not permanently linked to an institution, such as guest lecturers, researchers abroad and citizen scientists (citizens who collaborate in research carried out by scientists).

Besides authentication, the obvious way forward is to use wallets to exchange data across sector boundaries. For example, the education sector could decide to store information (e.g. microcredentials) in the wallet. The user can then make this information available to others, e.g. potential employers. And conversely, it becomes possible for our sector to use data added to the user's wallet by other parties.

SURFconext and the wallet(s) are expected to coexist for a period of time. How long that will be is difficult to say at present.

What concrete developments do you see in the field of self-sovereign identity?

Several commercial parties are already developing wallets. Apple, for instance, already offers one. But there are also public initiatives. For instance, there is Yivi (formerly known as IRMA), started from Radboud University. And the government is also developing a wallet. This is happening within the eIDAS 2.0 regulation. The European Union will soon oblige a number of public and private services to accept this wallet, provided they meet the set requirements. The EU also wants to oblige platforms like Facebook to accept the wallet, and there is a lot of discussion about that.

What is SURF itself doing in the field of SSI?

We are closely following national and international developments, and also looking at what role we ourselves can play, especially from a technical perspective. So that we as SURF, but of course also the member institutions, are ready for SSI when it really breaks through.

One concrete project is the development of a proof of concept of a wallet. We expect dozens of wallets to come onto the market in the next few years, all working in slightly different ways. With this proof of concept, we want to investigate exactly what requirements education and research place on a wallet. This will help determine which wallets we could use in the sector. But the conclusion may also be that we, as a sector, should develop our own wallet after all.

Update May 2023: The results of the exploration of an SSI wallet for education and research have been published and can be downloaded here: Technical exploration of SSI wallet for education and research.

We are also investigating how the use of wallets relates to the GDPR (AVG). Here we try to answer questions such as: what is the impact of using SSI on the main principles of the GDPR, such as the division of roles, processing basis and purpose limitation? And, at the moment when data is in the user's wallet, is personal data still being processed?

Furthermore, we cooperate a lot in this area with other parties, such as OCW, DUO, Kennisnet and GÉANT, including by exchanging knowledge and collaborating on technical pilots.

And what about eduID? How does that relate to SSI?

We initially developed eduID as a digital, institution-independent identity. One of the main use cases is to simplify the administrative processes for students when they take a course at multiple institutions. Furthermore, eduID is now mainly used to allow institutions to give guests access to internal systems. But in the future, eduID could evolve in an SSI ecosystem from a facility for logging in to a wallet in which users can store their personal data and share it with other parties under their own direction. We already explored the possibilities in 2022, but it is too early to say exactly what role eduID will play in a future SSI ecosystem.

Can institutions themselves think about how to apply SSI?

Gladly! We can always use good ideas, for example on possible use cases. Email me at michiel.schok@surf.nl. We also try to bring institutions together to facilitate knowledge exchange and knowledge gathering on this topic.

More information on what SURF is doing in the field of SSI can be found at www.surf.nl/ssi

text: Jan Michielsen