MyEduLife

  • By:

  • A tool for decentralized storage of individual continuing education biographies.

  • #self-sovereign-identity #digital-identity #education #skills #distributed-ledger

Introduction

The rise of online learning platforms has increased access to educational resources and greatly simplified the process of personal continuing education and lifelong learning. At the same time, these platforms have revolutionized the way identities are issued, stored, presented, and verified. We normally perceive a certificate as a piece of paper carrying some information, indicating that the holder has completed an educational course and is the owner of the certificate. However, paper-based solutions are extremely vulnerable to forgery and fraud. Furthermore, individuals acquire several qualifications during their life from different educational institutions, which makes it challenging not only for verifiers to authenticate and verify each of those certificates but also for holders to manage all of them. In such scenarios, the owner of the identity lacks full control over their own identity and is limited in how they can use it.

Given these concerns, an investigation surrounding digital qualifications emphasized the need for a trustworthy system, which not only makes the issuance, storage, and verification of educational records reliable and immutable but also gives holders full control over their qualifications. In light of such a demand, the MyEduLife project aims to develop a Self-Sovereign Identity (SSI)-based system to be used in further education to create digital certificates for vocational education and training institutions and provide secure and reliable storage for educational qualifications.

About MyEduLife

MyEduLife is a BMBF joint project of several German institutions, including TU Dresden, RWTH Aachen, TH Lübeck, and BPS GmbH on the development side, and HWK Dresden, EBZ e.V., and KOMPASS gGmbH on the testing side. In this project, we are exploring an SSI-based approach that focuses on the self-sovereignty and self-determination of the holder. We participate in various national efforts to keep up with current research trends. At the same time, we respond to the needs of our test partners to keep our research and the project itself grounded in their practical requirements. This includes the interoperability of skills, competencies, and ultimately job descriptions to be applicable in cross-border scenarios using ESCO.

Methodology

As the need to digitize educational certificates becomes more and more urgent, such a system provides an opportunity for owners to manage their credentials without requiring a central point of trust to prove their accuracy, validity, and authenticity. The idea is to move from a platform-centric approach to a user-centric approach, so that users remain the focus and retain sovereignty over their data.

Decentralized Identifiers (DIDs) can enhance the user's control over their digital identity in the context described. DIDs provide a way to uniquely identify individuals and enable them to manage and selectively disclose their personal data, allowing users to choose the appropriate digital identity and level of authentication based on the specific context or requirements. For instance, when pursuing a college degree, the user may choose an identity associated with an ID card for stronger authentication, while for a private cooking class certificate, a less-authenticated identity may suffice. DIDs offer flexibility and empower users to tailor their digital identities according to their needs and the desired legal validity. DIDs are designed to be decoupled from central registries, certificate authorities, or identity providers. A DID is a URI that refers to a DID subject and is associated with a DID document; the subject can be, for example, a person, a thing, or a data model.

Furthermore, the proliferation of educational opportunities and the diversification of learning paths have led to individuals acquiring qualifications from various educational institutions and organizations. As a result, qualification holders face the arduous task of managing a multitude of physical certificates, which can be cumbersome, prone to loss or damage, and difficult to present on demand. A universal system for issuing, storing, and verifying educational records would alleviate these challenges by consolidating multiple qualifications into a single digital repository.

There are various self-sovereign identity ecosystems that provide solutions for managing identities and verifiable credentials (VCs) in a decentralized and secure manner. One such solution is the emergence of digital identity wallets, which aim to not only address the challenges of managing different digital identities and verifiable credentials but also serve as a secure and user-centric repository for individuals to store and control their educational records and qualifications. Hence, using an identity wallet, all of an individual's acquired competencies are securely stored and managed in the wallet, ensuring the reliability and traceability of the information stored within it. Furthermore, a VC that attests to a specific identity allows a user to prove to a third party that they are over the age of 18. It is therefore not mandatory to transmit the date of birth; it is sufficient to be able to prove this cryptographically. In technical terms, this is called a "zero-knowledge proof".

The utilization of web-of-trust solutions could address specific problems in the context of digital credentials. While traditional solutions such as Pretty Good Privacy (PGP) and Certificate Authority-based Public Key Infrastructure (CA-based PKI) have many advantages, they fail to adequately address some challenges we encountered. Although PGP's web-of-trust model is decentralized, it becomes unwieldy and cumbersome when dealing with a large number of certificates from various sources. Moreover, as Preukschat/Reed point out in "Self-Sovereign Identity", "a 'trusted path' to the digital certificate [...] to verify" is hard to find considering the constraints of scalability and security. Verifiers struggle to authenticate and verify each certificate on the complex web. Conversely, the CA-based PKI approach, which relies on a centralized authority, has its own limitations. The centralized nature of this approach creates vulnerabilities and restricts an individual's control over their qualifications. Additionally, the infrastructure requirements and resources needed for CA-based PKI pose obstacles, especially for smaller educational institutions.

Although these solutions are still useful and ensure the integrity and confidentiality of data, they may not be suitable for addressing the specific problem faced by MyEduLife. While PGP and CA-based PKI primarily focus on secure communication and digital signatures, the specific problem that MyEduLife aims to solve is the verification and authenticity of educational qualifications and learning outcomes, in order to develop an innovative Self-Sovereign Identity (SSI)-based educational system. This system empowers individuals by providing a secure and trustworthy storage solution for their educational qualifications. It ensures that holders maintain full control over their identities and credentials while guaranteeing the reliability, immutability, and integrity of their educational records.

The process has to be GDPR compliant and at the same time interoperable. To facilitate such a solution, MyEduLife is currently actively building on EBSI, which enables a DID/DID document-based approach. At the same time, EBSI offers the possibility to experiment with national and supranational (i.e. mostly European, potentially global) governance frameworks while maintaining core principles of decentralization in a cross-border use case. We've teamed up with Fraunhofer FIT for the EBSI use case. However, during project runtime, we also want to experiment with public permissionless (blockchain) solutions such as ION [1]. Other goals in various stages of maturity are research on and implementation of alternatives to the JOSE/JWT complex, e.g. Paseto [2]; alternatives to classical identity and access management (IAM) systems such as Keycloak-based brokered/federated IAMs, e.g. password-less solutions; and the implementation of national and European identity credentials and/or wallets.

Instead of employing a traditional "web-of-trust" solution, we use a solution in line with SSI principles: we base our solution on the trust framework provided with DID/DID documents in the EBSI ecosystem. This approach aligns well with the requirements of MyEduLife, enabling a transparent and distributed system for documenting and verifying qualifications across different providers and stakeholders. By leveraging such a solution, MyEduLife can address some specific challenges related to the verification and authenticity of educational qualifications, providing a more suitable and scalable approach compared to traditional PGP or CA-based PKI solutions.
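To make the DID/DID document relationship described above concrete, the following added example (not code from the MyEduLife project) shows the checks a verifier can run on an issuer's DID and its resolved DID document before trusting a credential signature. The identifiers, the sample documents, and the function names are constructed for illustration; only the DID syntax and the `verificationMethod`/`assertionMethod` properties come from W3C DID Core.

```python
import re

# DID syntax (W3C DID Core ABNF): did:<method-name>:<method-specific-id>
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(rf"did:([a-z0-9]+):((?:{_IDCHAR}*:)*{_IDCHAR}+)")

def parse_did(did):
    """Split a DID into (method, method-specific id); raise ValueError if malformed."""
    m = _DID_RE.fullmatch(did)
    if m is None:
        raise ValueError(f"malformed DID: {did!r}")
    return m.group(1), m.group(2)

def _absolute(did, ref):
    # DID documents may use relative references such as "#key-1".
    return did + ref if ref.startswith("#") else ref

def check_did_document(did, doc, accepted_methods):
    """Return the reasons a verifier should refuse this resolved document (empty = ok)."""
    try:
        method, _ = parse_did(did)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if method not in accepted_methods:
        problems.append(f"DID method {method!r} is not accepted")
    if doc.get("id") != did:
        problems.append("document id differs from the DID that was resolved")
    keys = {_absolute(did, vm.get("id", "")) for vm in doc.get("verificationMethod", [])}
    refs = doc.get("assertionMethod", [])
    if not refs:
        problems.append("no assertionMethod entry for signing credentials")
    for ref in refs:
        # An entry is either a reference (string) or an embedded method (dict).
        ref_id = _absolute(did, ref if isinstance(ref, str) else ref.get("id", ""))
        if isinstance(ref, str) and ref_id not in keys:
            problems.append(f"assertionMethod {ref_id} has no matching key")
    return problems

# Constructed sample: an issuer DID and the document a resolver might return.
ISSUER = "did:ebsi:zConstructedIssuer123"
GOOD_DOC = {
    "id": ISSUER,
    "verificationMethod": [{"id": ISSUER + "#key-1", "type": "JsonWebKey2020",
                            "controller": ISSUER}],
    "assertionMethod": ["#key-1"],
}
BAD_DOC = dict(GOOD_DOC, id="did:ebsi:zSomeoneElse", assertionMethod=["#key-9"])
```

A verifier would run these checks after resolving the DID and before validating the credential's signature against the referenced key; resolution and signature verification themselves are outside this sketch.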