The administration as a pioneer

Digital identity management with the help of self-sovereign identities

Hans Ulrich Buhl (Project Group Business Informatics of Fraunhofer FIT & Core Competence Centre FIM, Augsburg and Bayreuth); Nils Urbach (Project Group Business Informatics of Fraunhofer FIT, Frankfurt University of Applied Sciences & Core Competence Centre FIM, Augsburg and Bayreuth); Daniela Kühne (Consultant at the Bavarian State Office for Taxes)
Published in: DiALOG - THE MAGAZINE FOR DIGITAL CHANGE | 2021

Identity management is becoming increasingly important in the age of digitalisation because the number of digital interactions is rising sharply. Physical proofs of identity such as ID cards or driving licences are difficult to transfer to the digital world. Nevertheless, they need to be transferred into a digital identity management system, that is, a system that enables a user to determine what information is shared with third parties. Until now, identity in the digital space has usually been managed with a username and password combination. Because users rely on a large number of online services, this leads to a mass of username and password combinations and considerable complexity. To get around this, simple passwords are often reused, which in turn increases the risk of misuse. In addition, the management of a user's identity lies with the service provider, so that deletion or changes can only be made by the provider; the user has almost no control over this, which carries a further risk of misuse. Furthermore, the different services are rarely interoperable with each other, so identities cannot be transferred easily.


In summary, existing approaches to managing digital identities have several disadvantages: a lack of interoperability, risks of misuse and dependency on particular parties.

The concept of self-sovereign identity (SSI for short) is intended to overcome these challenges and problems of existing digital identity management systems. SSI is intended to ensure individual control, security and full portability of digital identities across different services. The user acts as the central administrator of his/her identity, including all existing sub-identities. This enables the user to maintain control over his/her identity across all different services and thus achieve autonomy in the management of these services.

The components of an SSI solution, which in combination form the foundation of an SSI architecture, can be divided into five main artefacts: Verifiable Credentials (VCs); Roles (Issuer, Holder and Verifier); Identifiers; Digital Wallets; and Agents and Hubs.

Digital certificates (hereinafter referred to as credentials) are the central component of every SSI solution. Credentials can contain either self-attested identity attributes or attributes attested by third parties. Third-party-attested credentials are defined as VCs (1); they are the central artefacts for proving identity attributes between the central roles of an SSI solution (2). These roles in turn form the basic framework for interaction in the issuer-holder-verifier relationship: each VC is created by an issuer, stored by a holder, and the information it contains is presented to a verifier in the form of a verifiable presentation (VP). Figure 1 shows the relationships between the individual participants.

To provide communication channels that are as secure as possible and to protect privacy, the DID standard (3) lets parties publish the information needed to establish end-to-end encrypted, bilateral communication across different infrastructures. Blockchains can thus be accessed in a standardised manner, and users can act under different identifiers where necessary. The individual VCs and cryptographic keys are stored in digital wallets (4). Agents and hubs (5) are the technical endpoints and custodians of the identifier, the connecting points for bilateral communication; they ensure protected communication between individual identities and, like email servers, should be continuously reachable. These five basic building blocks (1-5) form the core architecture of a technical SSI solution.

Several projects have already been launched to evaluate the potential of the SSI concept. These include the research project carried out by the Business Informatics project group at Fraunhofer FIT together with the Bavarian State Tax Office (BayLfSt), the Bavarian State Ministry for Digital Affairs (StMD) and in collaboration with technology partner mgm technology partners. The growing importance of internet platforms in particular poses challenges for the tax authorities. Against the background of record-keeping obligations for operators of electronic marketplaces, it is of interest to the tax authorities to create an identification feature for online traders with which they can prove their tax registration and which they can pass on to the operators of internet platforms.

The solution design of the implemented project is based on the concept of SSI and blockchain technology. At the request of an online trader, the responsible tax authority issues a VC after a positive check of the required tax registration against the master data stored in the ELSTER system. Because a VC may later need to be deactivated, a validity status is registered on the blockchain at the same time. Upon receipt of the VC, the online trader can provide evidence of their tax registration in much the same way as with the current paper-based document: the trader creates a VP from the VC and thereby proves to the marketplace that they are registered for tax purposes. The marketplace operator can in turn retain the verified proof and later present it to the tax authorities.
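As an added example (not code from the article or from the project it describes), the issuer-holder-verifier exchange from the two passages above, carried through in Go: the tax office issues a VC for the trader's DID, the trader builds a VP bound to a nonce the marketplace chose, and the marketplace checks the issuer signature, the holder's control of the subject DID and the deactivation status. All DIDs, keys and claims are constructed; the Resolver map stands in for DID resolution, the Registry map stands in for the validity status the project registers on the blockchain, and the data structures are deliberately simplified rather than following the W3C VC data model field for field.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a simplified VC (constructed for this example, not the W3C data
// model field for field): issuer DID, subject DID, attested claims, issuer signature.
type Credential struct {
	ID        string            `json:"id"`
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	Claims    map[string]string `json:"claims"`
	Signature []byte            `json:"signature"`
}

// Presentation is a simplified VP: the credential plus a holder signature that
// also covers a verifier-chosen nonce, so a captured VP cannot be replayed.
type Presentation struct {
	Credential Credential `json:"credential"`
	Nonce      string     `json:"nonce"`
	HolderSig  []byte     `json:"holderSig"`
}

// Registry stands in for the validity status kept on the blockchain (deactivated IDs).
type Registry map[string]bool

// Resolver stands in for DID resolution: DID -> public key from its DID document.
type Resolver map[string]ed25519.PublicKey

// canonical encodes a value deterministically (encoding/json sorts map keys).
func canonical(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// Bytes covered by the issuer's and the holder's signatures (signature fields cleared).
func issuerBytes(c Credential) []byte   { c.Signature = nil; return canonical(c) }
func holderBytes(p Presentation) []byte { p.HolderSig = nil; return canonical(p) }

// Issue is the issuer's step: after its own check (the master-data comparison in
// the article) the tax authority signs the claims for the trader's DID.
func Issue(issuerDID string, key ed25519.PrivateKey, id, subjectDID string, claims map[string]string) Credential {
	c := Credential{ID: id, Issuer: issuerDID, Subject: subjectDID, Claims: claims}
	c.Signature = ed25519.Sign(key, issuerBytes(c))
	return c
}

// Present is the holder's step: the trader binds the VC to the verifier's nonce.
func Present(c Credential, key ed25519.PrivateKey, nonce string) Presentation {
	p := Presentation{Credential: c, Nonce: nonce}
	p.HolderSig = ed25519.Sign(key, holderBytes(p))
	return p
}

// Verify is the verifier's step (the marketplace): nonce freshness, issuer
// signature, proof that the presenter controls the subject DID, deactivation status.
func Verify(p Presentation, nonce string, resolve Resolver, revoked Registry) error {
	if p.Nonce != nonce {
		return errors.New("nonce mismatch: stale or replayed presentation")
	}
	issuerKey, ok := resolve[p.Credential.Issuer]
	if !ok || !ed25519.Verify(issuerKey, issuerBytes(p.Credential), p.Credential.Signature) {
		return errors.New("issuer signature invalid: unknown issuer, or credential altered")
	}
	holderKey, ok := resolve[p.Credential.Subject]
	if !ok || !ed25519.Verify(holderKey, holderBytes(p), p.HolderSig) {
		return errors.New("holder proof invalid: presenter does not control the subject DID")
	}
	if revoked[p.Credential.ID] {
		return errors.New("credential deactivated in the status registry")
	}
	return nil
}

func main() {
	// Constructed keys and DIDs; a real deployment resolves DIDs through the ledger.
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	resolve := Resolver{"did:example:tax-office": issuerPub, "did:example:trader-42": holderPub}
	revoked := Registry{}

	vc := Issue("did:example:tax-office", issuerPriv, "urn:uuid:example-0001",
		"did:example:trader-42", map[string]string{"taxRegistered": "true"})
	nonce := "challenge-7f3a" // the verifier draws a fresh random nonce per request
	vp := Present(vc, holderPriv, nonce)

	fmt.Println("fresh VP:      ", Verify(vp, nonce, resolve, revoked))
	fmt.Println("replayed VP:   ", Verify(vp, "challenge-9b10", resolve, revoked))
	revoked[vc.ID] = true
	fmt.Println("deactivated VC:", Verify(vp, nonce, resolve, revoked))
}
```

Running it prints <nil> for the fresh VP and an error for the replayed and deactivated cases. The two checks that matter for the "data sovereignty" claim in the article are the holder signature over the nonce and the issuer signature over the claims: without the first, a VC copied from a wallet or a captured VP would act as a bearer token; without the second, a holder could alter the attested attributes. The status lookup is what makes the on-ledger validity status described in the project useful to the marketplace at verification time.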

Based on this concept, a corresponding prototype has been developed that implements the system technically. The entire process, from issuing to checking tax certificates, has been successfully implemented. The system has a number of advantages over conventional identity systems. Information is always passed on bilaterally and only when the identity holder, in this case the online trader, takes action. The identity holder therefore always has full sovereignty over their data and decides for themselves who has access to which attributes. Furthermore, the SSI system is based on open source software and a range of open standards, so any organisation can follow these standards and make use of the VCs issued. It is therefore also conceivable that the system can be transferred to numerous procedures in which an organisation issues certificates, another person or organisation acts as the data owner, and properties contained in the certificate must be proven to an interested third party. For example, when applying for a loan, it may in future be possible to prove name and place of residence with the ID card VC, and the amount of income securely and easily with the tax assessment VC. Further use cases and design options are being researched by the Business Informatics project group at Fraunhofer FIT. In the long term, the aim is to create an SSI ecosystem that will make many processes simpler and more secure for private individuals and organisations.


Prof. Dr Hans Ulrich Buhl is Scientific Director of the Chair of Business Administration, Business Informatics, Information & Financial Management at the University of Augsburg and works in the Business Informatics Project Group of the Fraunhofer FIT & Core Competence Centre FIM, Augsburg and Bayreuth. Daniela Kühne is a consultant at the Bavarian State Tax Office. Nils Urbach is Professor of Information Systems, in particular Digital Business and Mobility at the Frankfurt University of Applied Sciences. He is also Deputy Scientific Director at the Core Competence Centre Finance & Information Management and the Business Informatics Project Group of the Fraunhofer Institute for Applied Information Technology FIT as well as co-founder and co-director of the Fraunhofer Blockchain Laboratory.

The Business Informatics project group at Fraunhofer FIT in Augsburg and Bayreuth combines expertise at the interface of financial management, information management and business informatics. Through several years of interdisciplinary and multidisciplinary research work, the Fraunhofer Blockchain Laboratory located there has been able to build up well-founded and far-reaching expertise in the fundamentals and application of blockchain and SSI. The project group works closely with the core competence centre Finance & Information Management FIM, which also covers a wide range of teaching activities. These include the elite network degree programme in Finance & Information Management with the Technical University of Munich, which has already been named the best German Master's degree programme five times by the CHE.
https://www.fit.fraunhofer.de/de/geschaeftsfelder/wirtschaftsinformatik