myBID Technology & Security

SSI as a concept and specification aims to shift data ownerships from centrally controlled by third-party entities back to the real owners of the data, the end users. This is made possible by the technological breakthroughs established by the VC standards enshrined by the W3C.

Key components of SSI include: Decentralised Identifiers (DIDs), Verifiable Credentials, and digital identity wallet.

---

Key Component 1

Decentralised Identifiers (DIDs): DIDs are a new type of identifier that enable verifiable, self-sovereign digital identities. They are fully under the control of the DID subject, independent of any centralised registry, identity provider, or certificate authority.

DIDs represent a groundbreaking innovation in the realm of digital identity. As a new type of identifier, DIDs are fundamental to the technical design of myBID identity app, offering a paradigm where end users will interact through a secured channel with other VC complaint applications or infrastructure. myBID by design is designed to be interoperable and portable across various W3C compliant SSI wallets. Enabling this innovation is the concepts of DIDs, a unique identifier with properties to transmit data over encrypted and secure channels.

Architecture of myBID DID Model

Core Characteristics of DIDs

Decentralization: At the heart of DIDs is the principle of decentralisation. Unlike traditional digital identifiers that are issued and managed by a central authority, DIDs operate independently of centralized systems. This decentralisation is crucial for ensuring that the control of an identity on myBID remains with the DID subject.

Control by the DID Subject: The DID subject, which can be an individual, organisation, or even a device, has full control over the DID. This means they can create, update, and deactivate their own DIDs without the need for an intermediary. This level of control is empowering, providing users with autonomy over their digital presence.

Universal Registry: DIDs are not reliant on a central registry, identity provider, or certificate authority. This independence from central entities not only enhances privacy and security but also reduces the risk of censorship or identity denial by third parties.

Verifiability and Trust: DIDs are designed to be verifiable. They use cryptographic techniques, allowing others to verify the authenticity of a DID and the claims associated with it without needing to trust a central authority. This feature is pivotal in establishing trust in online interactions.

Interoperability: DIDs are created with interoperability in mind. They can be used across different platforms and services, which is essential for a seamless user experience in a diverse digital ecosystem. This interoperability is supported by standardised protocols and formats.

Privacy and Security: The design of DIDs inherently supports privacy and security. Users can share only the information they choose to, without exposing other unrelated personal data. The cryptographic nature of DIDs also ensures a high level of security against identity theft and fraud.

---

How DIDs Work

Creation: A DID is generated using specific methods and protocols, resulting in a unique identifier string. This process often involves the generation of cryptographic keys to ensure the security and control of the DID.

Resolution: To use a DID, it needs to be resolved. This process involves retrieving the DID document, which contains information necessary to authenticate the DID and interact with the DID subject.

Update and Revocation: The owner of a DID can update or revoke their DID as needed. This could involve updating cryptographic keys or other details in the DID document to maintain security and relevance.

---

Key Component 2

Verifiable Credentials (VC): They represent a digital analogue of physical credentials like drivers' licences, educational certificates, or membership cards. In myBID VC are digital credentials that are tamper-evident and can be cryptographically verified. They enable an myBID app holder to present and make claims about themselves in a way that a verifier, within or outside myBID network, can trust without needing direct contact with the issuer of those claims.

Before we dive deeper into what VCs entail, let’s look at the properties of everyday credentials as we know it. These traditional credentials are called Physical Credentials – containing the following six elements.

• Information related to identifying the subject of the credential (for example, a photo, name, or identification number)

• Information related to the issuing authority (for example, a city government, national agency, or certification body)

• Information related to the type of credential this is (for example, a Dutch passport, an American driving license, or a health insurance card)

• Information related to specific attributes or properties being asserted by the issuing authority about the subject (for example, nationality, the classes of vehicle entitled to drive, or date of birth)

• Evidence related to how the credential was derived

• Information related to constraints on the credential (for example, expiration date, or terms of use).

While Physical Credentials are essential to life in today's world, they also present many inconveniences. For example, a driver’s licence or health insurance card is a physical card that must be carried with you at all times if necessary, and can be misused if lost. However, in the event of misplaced or lost, there are several legal and administrative overhead, depending on the regulation, that comes into play.

The roles and information flows forming the basis for this specification.

Components of VCs

1. Issuer: The issuer is a pivotal entity in the Verifiable Credentials (VC) ecosystem. It is responsible for creating and issuing the VC, and more importantly, for attesting to the truthfulness of the information it contains. Issuers are typically trusted organizations or entities, such as government bodies, educational institutions, or corporations, that have the authority and credibility to validate certain claims about an individual or an entity. For instance, a university may issue a VC confirming a student's degree, or a government body may issue a VC attesting to an individual's citizenship.

2. Holder: The holder of a VC is the individual or entity that possesses and controls it. In most cases, the holder is the subject of the credential – the person or entity the credential is about. Holders can store their VCs in digital wallets, which allow them to easily present these credentials whenever required. The control aspect is crucial as it empowers the holder to manage how and when their personal information is shared, thus enhancing privacy and autonomy in digital interactions.

3. Verifier: Verifiers are entities that need to validate the authenticity and validity of a VC. They could be organizations, services, or individuals who must verify the claims made in the VC for various purposes, like access control, service provision, or compliance checks. Verifiers use cryptographic methods to ensure that the VC is genuine and has not been tampered with, and that the issuer of the VC is indeed who they claim to be.

4. Credential Subject: The credential subject refers to the entity or information about whom the VC is issued. While often the holder and the credential subject are the same, there are scenarios where a holder might possess a VC about another entity. For example, a parent might hold a VC that contains information about their child's vaccination record.

5. Claims: Claims are specific pieces of information made about the credential subject in the VC. These could range from basic details like age and name to more complex information like professional qualifications, medical history, or membership status. Claims are what give the VC its value, as they are the pieces of information that the issuer attests to and the verifier is interested in.

6. Proofs: Proofs are the cryptographic backbone of VCs. They are the mechanisms that ensure the integrity and authenticity of a VC. Proofs typically involve digital signatures or other cryptographic techniques like zero-knowledge proofs that securely tie the VC to the issuer. They allow verifiers to confidently trust the VC without needing to contact the issuer directly. This cryptographic element is crucial in preventing fraud and ensuring that VCs remain tamper-evident.

7. Basic components of a verifiable credential.
8. Digital Wallets: These are secure digital tools that allow individuals to store and manage their DIDs and VCs. They facilitate the sharing and management of credentials in a privacy-preserving manner.

myBID Digital Wallets are more than just a storage solution; they are a critical element for managing blockchain-based digital identities and credentials in a secure, private, and user-centric manner. Without the Digital Wallets, there would not be any paradigm shift that myBID offers.

Features of myBID Wallets

1. Secure Storage of DIDs and VCs: Digital wallets provide a secure environment for storing Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs). They often employ advanced cryptographic techniques to protect the data from unauthorised access, ensuring that only the wallet owner can control and access their credentials.

2. Privacy-Preserving Management: One of the primary attributes of myBID wallets is their focus on privacy. These wallets allow individuals to manage their identities and credentials without exposing unnecessary personal information. Users can selectively disclose information from their credentials, sharing only what is needed for a specific transaction or verification process.

3. User Control and Autonomy: myBID wallets empower users with full autonomy over their digital identities. Individuals can create, update, and revoke their DIDs and credentials as needed, giving them unprecedented control over how their personal information is used and shared in the digital world.

4. Facilitating Secure Sharing: myBID wallets simplify the process of sharing credentials. They provide a user-friendly interface for users to present their credentials to verifiers or service providers securely. This sharing is done using cryptographic methods that ensure the authenticity and integrity of the shared credentials.

5. Interoperability and Portability: A key aspect of myBID wallets is its interoperability across different VC complaint systems. myBID is designed to work with various SSI protocols and standards, making it easy for users to interact with different services and organisations without compatibility issues. Additionally, these wallets offer portability, allowing users to carry their digital identities and credentials across different services and jurisdictions.

6. Integration with Other Services: The myBID wallets can integrate with various online services and platforms, facilitating seamless transactions and interactions. This integration can range from logging into websites, accessing government services, to performing digital transactions, all while maintaining the security and privacy of the user's identity.

Digital wallets are essential for holding cryptographic keys and Verifiable Credentials (VCs) necessary in a Self-Sovereign Identity (SSI) system. The myBID wallet facilitates various interactions with other SSI entities, such as message signing, authentication through DID-Auth, and managing VCs and Verifiable Presentations (VPs). Additionally, digital wallets can function as an address book, keeping records of contacts and previous interactions within the SSI framework. Included in the wallet is the DKMS system.

The Decentralised Key Management System (DKMS) is a protocol developed to manage private keys effectively. This system is designed to prevent the dependence on a single wallet provider, as noted by Reed et al. (2019). DKMS also focuses on key recovery for practical usage. In scenarios like losing a digital wallet (e.g., through smartphone loss), it's crucial to recover the keys and, consequently, access to the identity. This recovery, however, must be balanced with security against theft or unauthorised sharing.

DKMS incorporates two primary methods for key recovery:

1. Offline Recovery: This method, as supported by DKMS, involves creating an encrypted backup of the wallet, typically stored in cloud infrastructure. The backup can only be decrypted with a specific recovery key. This key should be kept in a secure place, like on a USB stick, printed on paper, or stored in a bank safe. Such measures ensure that the wallet and its keys can be recovered even if the smartphone or wallet is lost. This method is similar to the recovery processes used for Bitcoin wallets, emphasising the importance of safeguarding a critical recovery key.

2. Social Recovery: In addition to offline recovery, the Decentralised Key Management System (DKMS) also employs a method known as social recovery, an approach that myBID supports. This method involves selecting a group of trusted individuals or entities who hold parts of the necessary data for recovery. A notable example of this method is the Shamir secret-sharing scheme, where a specific subset of these trusted identities is required to reconstruct cryptographic keys. This process can be compared to a puzzle where only a certain number of pieces are needed, with no single piece being critical by itself. For instance, recovering keys may require a minimum of three out of five signatures from a trusted network, such as friends or family. myBID's support for this social recovery method provides an additional security layer, leveraging a user's trusted network to facilitate key recovery, thereby mitigating the risk of total data loss in situations where the wallet is lost or compromised.

3. Agent and Agency Services: These services assist in the management and use of DIDs and VCs. They can include tools for generating and managing keys, creating and signing credentials, and facilitating secure communication.

4. Consent and Privacy Tools: Integral to SSI, these tools ensure that the sharing of credentials and identity information is always under the control and consent of the identity owner, aligning with data privacy regulations and principles.

---

Applications of DIDs in myBID

DIDs play the core role in the applications of myBID across various sectors. They can be used for secure login processes, digital signatures, online transactions, and in any scenario where reliable and secure identity verification is required. This versatility makes DIDs a critical component. Without it, the myBID infrastructure would not meet the SSI principles.

1. User Controlled: By providing a secure, private, and user-controlled approach in myBID, DIDs are not just a technological innovation but the core enabling autonomy and trust in the digital world.

2. Interoperability: By adopting DIDs, myBID is moving towards accommodating an interoperable system where different existing or future enterprise applications can securely and efficiently share necessary information, thereby improving overall governance and service delivery.

3. Improving Trust and Privacy: DIDs help in establishing a more secure and private way of interacting with third-party systems. Users of myBID can share their credentials without exposing unnecessary personal information, thus maintaining privacy while ensuring the authenticity of their identity.

4. myBID Verifiable Credentials for Businesses and Professionals: BCGov has been exploring the use of DIDs in issuing verifiable credentials to businesses and professionals. This application ensures that credentials like licenses, permits, and professional certifications are easily verifiable and less susceptible to fraud.

5. Secure and Private Authentication: The myBID wallet utilises DIDs to facilitate secure and private authentication processes. Users can authenticate their identity to third parties without revealing unnecessary personal information.

6. Cross-Platform Compatibility: With DIDs, myBID users can seamlessly interact with various platforms and services that support decentralised identities. This compatibility is crucial for a unified and convenient user experience.

---

The System Components

Mobile Agent (App): The mobile agent handles the self-sovereign user control part of the ecosystem. It stores credentials, and provides means to present credentials to Verifying agents (Verifier) to check the authenticity of the credentials on the blockchain ledger.

Mobile agent contains the product features used by the Issuer, Verifier, Holder to perform their business functions. It contains an in-built wallet for storing encrypted credentials, with unique DIDs, and connects to their party API endpoints for performing payments or settlements by decentralised exchange.

It is intended to be based on Hyperledger Aries, SDK framework with already defined libraries and cryptographic elements for developing decentralised identity systems. In principle a user must possess a smartphone to be able to download and use mobile agents.

Cloud Agent: Provides similar functionality as the Mobile agent with additional capability for Reroute use cases for end-users who do not have access to mobile phone Agent to be able to perform core system functions by interacting with Edge Agent endpoints, though hosted in the Cloud.

Blockchain Ledger: The blockchain technology underpinning the myBID identity component. This contains the verifiable credentials definition and schema of institutions with the purpose of issuing out valid credentials to agents known as Agents, and a public permissioned blockchain module for maintaining active credentials. Ledger is considered a Node. Several qualified stakeholders are able to host Nodes which forms and maintains the ideal state of myBID ledger. Consequently, provides redundancy for the entire ledger network.

Solana Wallet: A central module interacting with myBID through API endpoints that allows the transaction of payments to users on Solana Blockchain. The payment is done through Sol SPL Tokens. It

Phantom Wallet is the native Solana wallet built for DeFit and NFTs. It facilitates transactions such as buy, send, receive, swap tokens and collect NFTs on the Solana blockchain. In principle no development activity is required for this feature except to integrate through Phantom existing APIs.

Payment Module: The capability performs automatic payment from third party research institutions to credential holders for access to personal information. The information is strictly for research survey and not for advertisement. Before access to personal data is granted to third parties a holder must agree to sell or share information in exchange for payment with Sol SPL token, the native cryptocurrency of Solana Blockchain.

Decentralised Exchange service: The capability allows for users to exchange SPL tokens with other cryptocurrency on a Decentralised Exchange (DEX) platform. DEX are cryptocurrency exchanges that facilitate direct peer-to-peer cryptocurrency transactions, swapping or buying and selling of currency, to take place online securely and without the need for an intermediary.

Integration System Architecture

myBID relies on a complex software supply chain, involving open-source components, third-party tools, and deployed with cloud native services. The modules and features making up this system integrate together through support by API endpoints or webhook. The integration guarantees archiving the business goals of the predefined features.