EBSI — The Grand Data Vision: Building Bridges and Not Walls

I am a strong believer in breaking down the barriers which separate us. In the end, we have more that binds us together than separates us.

Our next generation, too, should hopefully grow up in a world where there are few barriers in place and where they can thrive, and build the industries and societies of our future. These new societies will have little respect for the ancient barriers that have been falsely placed over the centuries.

Putting the citizen at the centre

And, although the UK is not currently a member of the EU, I strongly believe in creating a world which allows frictionless trade by nations, and in the free movement of people. So how can academia help support building a world which is fit for our next generation, and that is focused not on our old ways, but on building things around the citizen?

Well, we have been striving for over a decade to build data and trust infrastructures which respect the rights of the citizen. In fact, in partnership with Blockpass, we created the first research lab which was focused on digital identity. Along the way, too, we created an amazing spin-out company (Symphonic), which was so successful that it was recently acquired by Ping Identity. And, at our heart, our focus has always been around the citizen — and their rights to own and govern their own identity and data, and in respecting their rights to privacy.

For now, we are part of an EU research project named GLASS. Its focus is on supporting the building of an infrastructure which will allow EU citizens to move between countries, and remove many of the barriers that our existing governance infrastructures put in place. It is an amazing goal, and one which aims to break down the siloed approaches that we have built within our societies over the centuries.

Our existing ways of governance are often still built on the ways that we use paper credentials. And, even today, we are still modelling the verification of citizen data on the processes that we used for paper documents — but they just happen to now be scans and digital documents. But these digital forms often have virtually no inherent trust. We need better ways to digitally sign documents, and to understand the trustworthiness of that signature.

The Building Blocks of a New Data World

To create a more citizen-focused world, we need to have a trust infrastructure to define the rules and operation of the ecosystem, and also a verifiable place for identities. But, the countries of the world should not control this identity in the way they have done in the past — it should be handed to the citizen, who should have full control of their own identity. And, the repositories of our identity credentials should be handed over to the citizen, for them to store and distribute — without the need to continually ask for them. Why can’t I receive a digitally signed version of my passport, and hold it on my phone? Why do I even need a paper copy anymore?

Lykidis et al [10] define a wide range of on-going blockchain-based e-Government applications including Authentication, e-Voting, Land Property Services, e-Delivery Services, Human Resources Management, and Government Contracting. A major part of these infrastructures is the integration of an identity infrastructure, and which can involve the generation of identities by a trusted authority, or where entities can control their own identity. The method of creating and controlling our own identity is often known as SSI (Self-sovereign Identity). With this, we typically use a key pair, and where transactions are digitally signed using a private key, and then this is proven with a public key. The private key can then be stored in a citizen wallet, and which cannot be accessed by any other entity.

And, so, to build a new digital world, we need trusted identities, a trust framework for these to exist in, and ways to create digitally verifiable ID documents. A core part of any identity infrastructure is the integration of trusted identities. In terms of SSI (Self-sovereign Identity), we typically use a key pair, and where transactions are digitally signed using a private key, and then this is proved with a public key.

Two major global initiatives which aim to harmonize the usage of verifiable credentials and wallets are the Open Identity Exchange (OIX) and Trust over IP Foundation (ToIP). With ToIP we see a focus around decentralized digital identity projects, and where it issues global compatibility guidelines for Hyperledger Aries and Indy, and verifiable credentials [1]. Figure 1 outlines the basic infrastructure for the integration of a trusted identity system, and where we have the user (the holder), the issuer of a verifiable credential and the relying party. The user is in full control of gathering the verifiable credential, and then passing it onto the relying party. Overall, we use a trust framework to allow the relying party to check the trustworthiness of the verifiable credentials that are passed. This should include a digital signature of the issuer.

Figure 1: Open Identity Exchange and Trust over IP

Within Figure 2, we see that the user is prompted for their identity from a bank. They can then create a digital ID using trusted sources of identification and authorization. Once created they can then prompt an issuer for a verifiable credential, such as for their passport. The issuer will then prompt for some level of assurance that the digital ID matches the target of the verifiable credential and, once accepted, they will issue a signed credential to the user. This signed credential can then be passed to the bank for verification.

Figure 2: Open Identity Exchange and Trust over IP
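The issuer, holder and relying-party flow described above, as an added Go example (not code from the original article, EBSI or ToIP): the issuer signs a credential bound to the holder's public key, and the relying party checks the issuer against a trust registry and has the holder sign a fresh nonce. The credential layout, the registry map, the nonce challenge and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is a simplified, constructed format (not the W3C or EBSI data model).
type Credential struct {
	Issuer  string
	Subject ed25519.PublicKey // holder's key; the private half stays in the wallet
	Claims  map[string]string
	Sig     []byte // issuer's signature over payload()
}

// payload is what gets signed: the credential with Sig cleared (json sorts map keys).
func (c Credential) payload() []byte {
	c.Sig = nil
	b, _ := json.Marshal(c)
	return b
}

// Issue is run by the issuer once it has checked the holder's identity.
func Issue(c Credential, issuerKey ed25519.PrivateKey) Credential {
	c.Sig = ed25519.Sign(issuerKey, c.payload())
	return c
}

// Verify is run by the relying party; registry stands in for the trust framework.
func Verify(c Credential, registry map[string]ed25519.PublicKey, nonce, proof []byte) error {
	switch issuerPub, trusted := registry[c.Issuer]; {
	case !trusted:
		return fmt.Errorf("issuer %q is not in the trust registry", c.Issuer)
	case !ed25519.Verify(issuerPub, c.payload(), c.Sig):
		return fmt.Errorf("issuer signature invalid or credential altered")
	case len(c.Subject) != ed25519.PublicKeySize || !ed25519.Verify(c.Subject, nonce, proof):
		return fmt.Errorf("holder did not prove control of the subject key")
	}
	return nil
}

func main() {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	holderPub, holderKey, _ := ed25519.GenerateKey(nil)
	vc := Issue(Credential{Issuer: "passport-office", Subject: holderPub, Claims: map[string]string{"nationality": "FR"}}, issuerKey)
	nonce := []byte("constructed-nonce") // a relying party would send fresh random bytes
	fmt.Println(Verify(vc, map[string]ed25519.PublicKey{"passport-office": issuerPub}, nonce, ed25519.Sign(holderKey, nonce)))
}
```

The nonce check is what stops a copied credential from being presented by someone who does not hold the wallet's private key.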

Common European Framework

A key focus for a citizen-focused data ecosystem is the usage of digital wallets and verifiable credentials. In Canada, we see the usage of the Verifiable Organizations Network (VON), and which can issue digital licenses, permits, and registrations to legal entities [7]. These credentials then integrate with Hyperledger Aries. In Germany, too, Aries is used to issue eID cards, along with travel documents. For a global scope, the Trust over IP Foundation focuses on improving the compatibility of infrastructures in using Hyperledger Aries and Indy for verifiable credentials.

In 2018, 27 EU Member States, Norway and Liechtenstein signed up to the European Blockchain Partnership (EBP) [1]. This led to the creation of the European Blockchain Services Infrastructure (EBSI). It currently has four main use cases: Self-Sovereign Identity, Diploma, Document Traceability and Trust Data Sharing.

Within the European Self-Sovereign Identity Framework (ESSIF) we have a trusted method of identifying citizens and thus allow them to create their own identity. There is thus no need for trusted third party trust providers for identity checking. ESSIF aligns with the General Data Protection Regulation (GDPR) and the electronic IDentification and Authentication and trust Services (eIDAS).

Overall EBSI is a public permissioned blockchain and where digital credentials are stored in wallets that citizens own and control [3]. This means that citizens have full control of their identities, and of their associated data. The blockchain does not store any personal information. Baldacci et al [8] define that the core principles of EBSI are:

  • Public Permissioned: The identity of all participating nodes must be governed;
  • Decentralized: Each member should run its own node or set of nodes;
  • Scalable: Support of high-throughput and high number of nodes;
  • Open Specifications: EU Public License and free from IPR;
  • Sustainable: Energy-efficient consensus mechanism;
  • Interoperable: should foster interoperability via alignment with the work of standardization bodies such as ISO, CEN or ETSI.

In 2020, a number of proponents (DIZME, Findy, Lissi and MeineSichereID) outlined their collaboration within the Trust over IP Foundation [4], with the goal of achieving a European SSI Network. A key focus of their statement is related to the integration of EBSI with the ToIP stack and ESSIF, and thus a move towards a common single market for data across both private and public services.

EBSI

Turkanovic et al [5] define the usage of the European Blockchain Services Infrastructure (EBSI), which aims to integrate with public services across the EU. It involves EU Member States running both Hyperledger Besu [6] and Fabric clients. With a consensus, each member state has an equal vote on the verification process, and where each state runs at least one consensus node. Figure 3 outlines the architecture for EBSI, and where we have a customer (such as an HEI — Higher Education Institution) which can sign for an academic qualification, and then create a verifiable signature, and link to a cross-border service for an eIDAS signature. This then links to the EBSI blockchain infrastructure. With EBSI, each member state has at least one node running the ledger, and where the reading of the information contained on it is public. The writing process can only be done by trusted entities.

Hyperledger Besu integrates with the Ethereum blockchain platform, where blockchain identities use a 42 character address (based on a 128 character public key and a 64 character private key). With this there is an owner of the blockchain network, who has the rights to define the addresses that have the permission to read from and/or write to the blockchain. With Hyperledger Fabric, nodes are identified with an X.509 certificate. A Fabric root CA is then defined as a Root of Trust for all the permissions.

Figure 3: System landscape diagram of the architecture reference model [5]

EBSI Use cases

There are four current use cases for EBSI: identity checking, the awarding of a Diploma, social security checking and document traceability (Figure 4) [here].

Figure 4: EBSI use cases [here]

At the core of EBSI is ESSIF (European Self-Sovereign Identity Framework), which supports the on-boarding and creation of a citizen wallet (Figure 5). This should allow for the interaction with other public and private organisational infrastructures. One core feature is that ESSIF is compliant with GDPR, and supports eIDAS. These are important for legal enforceability and citizen privacy — and thus move toward a European citizen derived identity.

Figure 5: EBSI ESSIF use case [here]

The awarding of a Diploma involves an abstraction of the key roles involved in an academic award, such as for the Accreditation Body; the Educational Organisation; the Student; and Trusted Accreditation Registry Administrator. These can then be defined within a use case view (Figure 6), and which can then abstract the key roles and their interactions [here].

Figure 6: Diploma use case [here]

A common identity check that is used when moving between countries is a social security check. This EBSI use case integrates the creation and checking of a PDA-1 document, for it to be signed by a trusted entity, and then checked in another EU member state.

Within document tracing, EBSI focuses on defining ways that allow for trusted audit trails and compliance checks for documents. This involves both off-chain storage of the documents, with on-chain verification (Figure 7).

Figure 7: Document traceability [here]

To support document traceability, EBSI adds in a storage layer to its infrastructure layer [8], and where documents are now kept off-chain, and where the document is hosted by a trusted organisation (and subject to T&Cs defined by EBSI).
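An added Go sketch of off-chain storage with on-chain verification (not EBSI's own code or API): the ledger holds only hash-chained SHA-256 digests, and a document fetched from off-chain storage is accepted only if it matches the latest digest anchored under its identifier. The Entry layout, the in-memory trail and the document identifier are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Entry is one on-chain record (constructed layout, not EBSI's schema): digests only.
type Entry struct {
	DocID  string
	Digest [32]byte // SHA-256 of this version of the off-chain document
	Prev   [32]byte // hash of the previous entry, chaining the audit trail
}

func (e Entry) hash() [32]byte {
	return sha256.Sum256(append(append([]byte(e.DocID), e.Digest[:]...), e.Prev[:]...))
}

// Anchor appends a document version's digest to trail, an in-memory stand-in for the ledger.
func Anchor(trail []Entry, docID string, doc []byte) []Entry {
	e := Entry{DocID: docID, Digest: sha256.Sum256(doc)}
	if n := len(trail); n > 0 {
		e.Prev = trail[n-1].hash()
	}
	return append(trail, e)
}

// Check walks the trail, then compares the off-chain doc with the latest digest for docID.
func Check(trail []Entry, docID string, doc []byte) error {
	last := -1
	for i, e := range trail {
		if i > 0 && e.Prev != trail[i-1].hash() {
			return fmt.Errorf("audit trail broken at entry %d", i)
		}
		if e.DocID == docID {
			last = i
		}
	}
	if last < 0 {
		return fmt.Errorf("%q was never anchored", docID)
	}
	if sha256.Sum256(doc) != trail[last].Digest {
		return fmt.Errorf("off-chain copy of %q does not match the on-chain digest", docID)
	}
	return nil
}

func main() {
	trail := Anchor(nil, "pda1-0001", []byte("constructed document, version 1"))
	fmt.Println(Check(trail, "pda1-0001", []byte("constructed document, edited off-chain")))
}
```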

Trusted health care data sharing using EBSI

Bittins et al [9] outline how EBSI could be used for the sharing of health care data across the EU, and thus provide both provenance and the integration of SSI. Figure 8 provides an overview of the proposed architecture. In this case, we have a trust relationship between XCA (Cross-Community Access). EBSI — through an eIDAS bridge — then defines the permissions and the required verifiable credentials for the access to medical data. It uses XDS (Cross-Domain Sharing) and SAML (Security Assertion Markup Language) to integrate with existing legacy systems, in order to authenticate and authorize, and also to support patient-informed consent.

Figure 8: Trusted data sharing architecture for health care using EBSI [9]

Conclusions

Our success in our research has not been built on looking at the here-and-now, but on a vision of the future. So, let’s build a new world for our future generations, and break down the false barriers that separate us. Here are some videos on GLASS, if you want to know more:

References

[1] Dizme, Position statement toward EBSI, https://lissi.id/about

[2] Queiruga-Dios, A., Pérez, J. J. B., & Encinas, L. H. (2022, April). Self-Sovereign Identity in University Context. In 2022 31st Conference of Open Innovations Association (FRUCT) (pp. 259–264). IEEE.

[3] Grech, A., Sood, I., & Ariño, L. (2021). Blockchain, self-sovereign identity and digital credentials: promise versus praxis in education. Frontiers in Blockchain, 4, 616779.

[4] Dizme, Lissi, Findy and MeineSichereID, Position Statement toward EBSI, https://networkofnetworks.net/wp-content/uploads/2021/05/EBSI_Network-of-Networks_esatus_Danube_Tech_TNO.pdf

[5] Turkanović, M., & Podgorelec, B. (2020). Signing Blockchain Transactions Using Qualified Certificates. IEEE Internet Computing, 24(6), 37–43.

[6] Dalla Palma, S., Pareschi, R., & Zappone, F. (2021, May). What is your distributed (hyper) ledger?. In 2021 IEEE/ACM 4th International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB) (pp. 27–33). IEEE.

[7] Sedlmeir, J., Smethurst, R., Rieger, A., & Fridgen, G. (2021). Digital identities and verifiable credentials. Business & Information Systems Engineering, 63(5), 603–613.

[8] Baldacci, E., & Frade, J. R. (2021). Advancing Digital Transformation in the Public Sector with Blockchain: A View from the European Union. In Disintermediation Economics (pp. 281–295). Palgrave Macmillan, Cham.

[9] Bittins, S., Kober, G., Margheri, A., Masi, M., Miladi, A., & Sassone, V. (2021). Healthcare data management by using blockchain technology. In Applications of blockchain in healthcare (pp. 1–27). Springer, Singapore.

[10] Lykidis, I., Drosatos, G., & Rantos, K. (2021). The Use of Blockchain Technology in e-Government Services. Computers, 10(12), 168.