Issue #57: Revisiting Identity
A few weeks ago I wrote an issue describing how NFTs will form the basis of our online identity. A combination of NFTs purchased and NFTs earned paint a pretty accurate, nuanced picture of who we are and how we spend our time.
After I published that issue, several readers contacted me about another framework for online identity based on decentralized identifiers (DIDs) and verified credentials (VCs) - two Web standards championed by the World Wide Web Consortium.
It had admittedly been a few years since I looked at these standards so I was out of touch with recent developments. But what better time to dive back in!
I want to thank the readers - Alfonso and Lauren - who reached out. I’m revisiting the digital identity conversation today, this time inclusive of DIDs and VCs.
At the risk of oversimplifying, my premise for today’s issue is the following - there are two models emerging for online identity: one based on wallet addresses and NFT credentials, and the other based on the W3C’s decentralized identifiers and verified credentials standards. The former is blockchain native and entirely on-chain; the latter has no dependency on blockchain and is therefore entirely off-chain. As with anything, there are tradeoffs.
Let’s zoom in…
First, the W3C
In their own words, the “World Wide Web Consortium (W3C) is an international community where member organizations, a full-time staff and the public work together to develop web standards. The W3C's mission is to lead the Web to its full potential.”
The W3C is responsible for developing the standard (technical specs) for things like HTML, WebAssembly and XML.
Basically, a bunch of Internet OGs who know a thing or two about global standards for decentralized networks. These standards are not crypto/Web 3 specific. They apply broadly to the Internet.
DIDs and VCs
Unique identifiers are everywhere, widely used today by individuals and organizations. Most of them are use case specific. Here are some common examples:
Communications addresses: telephone numbers, email addresses, usernames on social media
ID numbers: passports, driver's licenses, tax IDs, health insurance
Product identifiers: serial numbers, barcodes, RFIDs.
URIs (Uniform Resource Identifiers): used for resources on the Web and each web page you view in a browser has a globally unique URL (Uniform Resource Locator).
The average person is represented by dozens of unique identifiers.
With the exception of communication addresses, the vast majority of these identifiers are not under our control. They are issued by a government or an organization and only useful in certain contexts. They might disappear or cease to be valid with the failure of an organization. They might unnecessarily reveal personal information. In many cases, they can be fraudulently replicated and asserted by a malicious third-party, which is more commonly known as "identity theft".
Decentralized Identifiers (DIDs) are a new type of globally unique identifier that resembles a URL (aka a web address) for a person, organization or thing. These new identifiers enable entities to prove control over them by authenticating using cryptographic proofs such as digital signatures.
Here’s the architecture of a DID:
DIDs essentially apply the architecture of the web address to everything else.
“DID” ——> “www”
“DID Method” ——> “.com, .edu, .org, .gov, .us”
“Method-specific identifier” ——> “nytimes.com” or “whitehouse.gov”
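The three-part structure above can be checked mechanically before a DID is stored or resolved. The following is an added example, not code from this newsletter or from the W3C: a strict Python parser for the DID syntax grammar in the W3C DID Core specification. The function names and sample DIDs are constructed for illustration, and the address in the second sample is made up.

```python
import re
from typing import NamedTuple

# Grammar from the W3C DID Core specification (DID Syntax):
#   did                = "did:" method-name ":" method-specific-id
#   method-name        = 1*(%x61-7A / DIGIT)        ; lowercase letters, digits
#   method-specific-id = *( *idchar ":" ) 1*idchar  ; must not end with ":"
#   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(
    rf"did:(?P<method>[a-z0-9]+):(?P<msid>(?:{_IDCHAR}*:)*{_IDCHAR}+)"
)


class ParsedDID(NamedTuple):
    method: str               # the "DID Method" part
    method_specific_id: str   # everything after the method
    segments: tuple           # method-specific id split on ":"


def parse_did(value: str) -> ParsedDID:
    """Split a DID into its parts, rejecting anything outside the grammar."""
    # fullmatch (not match + "$") so a trailing newline, path or query fails.
    match = _DID_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"not a syntactically valid DID: {value!r}")
    msid = match["msid"]
    return ParsedDID(match["method"], msid, tuple(msid.split(":")))


def is_valid_did(value) -> bool:
    try:
        parse_did(value)
        return True
    except (TypeError, ValueError):  # TypeError covers non-string input
        return False


# Constructed sample inputs (the address is made up, not the author's DID).
SAMPLES = [
    "did:example:123456789abcdefghi",
    "did:pkh:eip155:1:0x" + "ab" * 20,
    "DID:example:123",      # scheme must be lowercase
    "did:Example:123",      # method name must be lowercase
    "did:example:",         # empty method-specific identifier
    "did:example:abc:",     # trailing colon
    "did:example:abc%zz",   # malformed percent-encoding
    "did:example:abc\n",    # trailing newline a "$"-anchored regex would accept
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} -> {is_valid_did(sample)}")
```

Passing this check only shows that the string is well formed; proof of control still comes from the cryptographic proof mentioned above.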
Pretty elegant when you step back and look at it. I created a DID based on my Ethereum address on Self.id. The thing to note here is that I used my Ethereum wallet address, already a unique identifier (but an on-chain identifier and specific to Ethereum), and turned it into a DID that is off-chain and can be used across multiple blockchains. Here’s what it looks like:
The other half of the identity conversation is credentials. Many identifiers are paired with a credential, and like identifiers, we collect dozens, if not hundreds, of credentials throughout our lives. Some examples include:
Driver's licenses: used to assert that we are capable of operating a motor vehicle,
University degrees: used to assert our level of education
Government-issued passports: enable us to travel between countries.
These credentials provide benefits to us when used in the physical world, but their use on the Web continues to be elusive.
It’s challenging to express these qualifications on the web today. To prove one of the above credentials, we usually have to provide a photocopy of the physical document, show up in person with the original document in hand, or rely on a trusted third party to maintain credential information on our behalf (ex: University registrar).
The W3C’s verified credentials standard is intended to be an architecture that can make all of the above credentials Web-native. It can also be used as an alternative to the NFT-based credentials being issued in Web 3 today.
The architecture of verified credentials:
The State of DIDs and VCs
There are a few Web 3 companies working on DIDs and adjacent innovation, but it’s largely been a Web 2-driven framework.
I was first introduced to DIDs in 2018 by uPort, a decentralized identity project under the Consensys umbrella. uPort was working on self-sovereign identity in the context of Ethereum and DIDs were a foundational component of their vision. Since then, other crypto projects like Ceramic, Disco and Spruce have started building DID/VC-based services around login, social profiles and data storage.
On the Web 2 side, Microsoft was (and still is) championing DIDs and VCs, presumably in part because they want to drive Azure consumption. Microsoft has a digital wallet like Apple Pay, but instead of storing credit cards, it stores identifiers and credentials. In other words, an identity wallet.
Snapchat and Telegram reportedly have DID-related initiatives too.
Some expect that when the DID standard is fully adopted by the W3C, it will see broad adoption across Web 2 and Web 3. That may be, but I can’t help but think there will be some resistance/disinterest among Web 2 tech with business models that depend on owning user/customer data.
NFTs vs. DIDs and VCs
Alright. So I think I’ve sufficiently introduced DIDs and VCs. Now I want to put them next to NFT-based identity and discuss tradeoffs.
I don’t have a dog in this fight. I just want an online identity that I control, with robust privacy features. I should also point out these are not mutually exclusive, and it’s entirely possible we end up using both.
Here’s the case for DIDs and VCs…
Fit-for-Purpose. DIDs and VCs were designed specifically for identity. They are a round peg for a round hole.
Privacy. Identifiers and credentials don’t live on a blockchain, so it’s easier to maintain privacy of this information.
No cost. They are free to create/issue.
Designed for the Web. These standards were designed for the Web, making the total addressable market massive.
The tradeoffs are that DIDs and VCs are still in the pilot phase of development and as of today there is no real network effect. Activity is isolated in small pockets, but that could change.
Here’s the case for crypto wallets + NFTs…
Network effect. Crypto wallets and NFTs have massive network effect already, making them easier to adopt, use and integrate with. This is the single strongest factor in favor of using NFTs as a basis for identity.
Nontransferability is possible. ntNFTs, also known as “soulbound NFTs”, ensure that the NFT stays with the original owner.
Toolkit. There are dozens of projects building Web 3 social/identity tools for NFTs.
The tradeoffs are that NFTs cost money to mint, they are by default public by virtue of being on public blockchains, and they are chain specific. Credentials issued on Ethereum are siloed from credentials issued on Solana, for example.
DIDs and VCs are an objectively better fit to the self-sovereign identity problem we are trying to solve, but they are losing the adoption race to NFTs. If we start seeing better tooling around DIDs and VCs emerge, they could make up that ground. If the momentum comes from anywhere, I think it will come from Web 3 companies. I just can’t see a new identity paradigm being driven by Web 2 tech. They weren’t built for this.
Thanks for reading,