The Three Pillars of Self-Sovereign Identity

What really struck me about several conferences that I have attended recently was the increased number of speakers and questions on the subject of self-sovereign identity (SSI). Adoption and interest is increasing at pace, and new SSI initiatives like the Alberta Credential Ecosystem and LISSI are springing up around the world. Since we launched Sovrin in September 2016, the trickle has become a flood.

What also struck me is the sheer number of misconceptions about SSI basics. I’ve lost count of how many times I’ve heard people talking about “putting personal data on a blockchain.” Not only are some of the things said incorrect, but frequently they were diametrically opposite to the intentions and philosophy of SSI.

As SSI goes mainstream, it’s essential to get the basics right. Otherwise, we risk undoing all the good work of a large and growing community, and we risk throwing away our chance to transform the Internet for the better

It’s also necessary to counter the growing tide of “SSI-washing,” where we’re seeing more and more organizations jump on the bandwagon by claiming their solution/system/product is self-sovereign, when it isn’t.

To clear up some of these misconceptions, I wanted to outline what we at Evernym see as the three core pillars of self-sovereign identity:

1. Secure connections
2. Digital data “watermarking”
3. A trusted, tamper-proof public key directory

These are the foundational components that are required to make SSI work and can be summarized as follows (note, I have omitted many complex terms and cryptographic details which you can find in the links if you want to explore more).


A venn diagram of the three pillars of self-sovereign identity

Fig 1: Self-sovereign identity needs secure connections, data watermarking, and trusted storage.

1. A standard, open protocol for establishing unique, private and secure connections between two parties without requiring the assistance of an intermediary “connection broker,” like Google, WhatsApp, an email provider, or a phone carrier.

Secure connections are created by two peers creating and exchanging decentralized identifiers or “DIDs”. The open DID standard is now being worked on at the W3C. There are “public” DIDs and “private” or “peer” DIDs. Public DIDs can be used as “jumping-off” points to trigger the exchange of peer DIDs. Peer DIDs are never stored or shared anywhere other than between the two parties in a connection. Once two parties have exchanged peer DIDs, they can communicate securely as though through a private tunnel that nobody else can see or enter. You can have a different DID for each of your digital relationships to keep them separate. DIDs can be created by anyone at any time without needing a 3rd party. DIDs provide secure connectivity; they do not by themselves provide trust—that’s where our second pillar comes in.

2. A standard, open “digital data watermarking” protocol for issuing, holding, and verifying digital credentials, like driver’s licenses, membership cards, plane tickets, and medical qualifications. This enables anyone to verify the source, integrity, and validity of any data. This watermarking mechanism uses a combination of well-proven public key cryptography to digitally sign each data element, and new techniques for enhancing privacy and avoiding correlation of all your online activities.

Akin to SMTP or TCP/IP protocols that make email and the internet work everywhere, anyone can build on top of this protocol. It is non-proprietary. The open Verifiable Credentials standard is the embodiment of this protocol, and is now a formal recommendation at the W3C. Any data can be put into a verifiable credential for any purpose by anyone. The combination of human trust in the issuer of the credential and cryptographic trust in the protocol is what provides digital trust between two parties.

3. Somewhere to store the public verification keys of credential issuers. This allows anyone to locate and retrieve public keys at any time in order to verify the source, integrity, and validity of any data that adheres to the verifiable credentials standard.

These keys and other cryptographic data are held in DID documents and credential definitions, which are anchored to the credential issuer’s public DID. While these could be stored in any database, in order for it to be globally trusted, it is important to ensure there’s:

  • no backdoor or admin access for surreptitious or malicious changing of data;
  • no reliance on a single monopolistic provider that can turn it off;
  • and that it is chronologically ordered so you know you are retrieving current keys. 

Therefore, a decentralized distributed ledger is an ideal storage medium, especially one like Sovrin that has been designed solely for this purpose. 


The combination of these three components defines the new identity paradigm of SSI. It will transform the digital landscape we know today. Together, these components provide a new way of securely moving data from A to B, without anyone in the middle snooping on it, and in a way that the recipient can verify the data’s source, integrity, and validity.

When implemented for the purpose of identity, everyone everywhere can issue, hold, and verify any credentials about anything. This means no more proprietary silos “owning” your identity. The combination of human and cryptographic trust in this environment means that you can finally get increased security and reduced friction at the same time.

The opportunity is not limited to identity, either. While many initial implementations have an identity focus, and the term “SSI” has taken hold, these foundational building blocks can be used for any type of data, as well as for people, organizations, and things. A new capability known as “Trust Over IP” is now emerging that encapsulates this wider capability.

What’s more, this capability enables secure messaging by default, as well as a new type of “quad-factor” authentication comprising device, biometric/PIN, DID connection, and verifiable credential proof. Taken together, these developments raise the bar on Internet identity, security, and privacy in a way that has not been possible since the dawn of the Web 20 years ago—unlocking a new wave of innovation.

Ready to take the next step in your self-sovereign identity journey? Check out our products and plans, or start for free with a Developer Account.