Evaluating Decentralised Identity Projects

Illustration by Visual Thinkery is licenced under CC-BY-ND.

These days, with the support of standards for decentralised identifiers and verifiable credentials, there are a lot of companies launching apps in the decentralised identity space. Having evaluated a number of such projects, I have come up with a list of questions that help to assess the strengths, weaknesses and interoperability of such projects.

Following is an attempt to provide a comprehensive reviewer’s guide. The first thing the reviewer must do is to classify which component services are being provided: issuance, verification or identity services (typically described as wallet services). This evaluation isn’t really focused on the commercial aspects, but it’s my belief that issuance is what pays.

Issuance

• Are you producing Verifiable Credentials or just notarised documents?
• How does your application support all of the various use cases? Are you using the JSON schema as a driver for the production of certificates? Where are you storing the JSON schema?
• How do you handle layout? Can a web designer produce layouts or does it require programming and deployment (ie- devops) skills? Can your designer’s layout be imported into your application?
• Have you separated layout from the rendering application, so that 3rd-parties (including verifiers) can render your certs?
• How is decentralisation achieved? Will your decentralisation rely on encrypted files and if so, how will GDPR be supported?
• Can you support issuance on more than one (smart contract enabled) blockchain?
• Does your application provide a developer API supporting ad-hoc and batch issuance?

Verification

• What does the verifier service actually check?
• Does verification check that the document matches its schema?
• How do you assure that what’s in the layout matches the JSON data?
• Do you have the ability to check expiration of the certificate or credential?
• Does your verifier support multiple issuers (eg- the university and a specific department)?
• Does your verifier support one issuer and a separate certificate producer?
• Is this verifier suitable for issuers and other 3rd-parties to publish on their own sites?

Identities

• Are you supporting decentralised identifiers (DIDs) for issuer and recipient?
• Are you planning to provide a credential wallet which supports one or more DIDs?
• Which DID methods have you implemented?
• Can your DID method map (ie- transmute) to any existing method, similar to BIP32?

I hope you find this reviewer’s guide stimulates thoughts about how decentralised identity might work for maximum interoperability and broad adoption.

Bill Claxton — Founder and CEO of NextID Pte Ltd