Concept and Logic Architecture
DIDs are public/private key pairs that can be created for organizations, individuals, and objects. Each identity is represented by a unique public key immutably stored on the ledger (in our case, the IOTA Tangle). Identities and their public keys are used to anchor off-chain verifiable credentials (VCs): certificates containing identity attributes, signed by an Issuer identity using its private key.
The Issuer itself is an entity with its own decentralized identity. The SSI Bridge allows an identified trust root to verify users' identities. Verified identities can then propagate this verification to organization, individual, or object identities using a network-of-trust approach.
The Bridge also allows Issuers to issue verifiable credentials for selected Identity Owners, each identified by a decentralized identity, and allows those Owners to present the credentials to Verifiers. Verifiers can use the SSI Bridge APIs to check a credential's authenticity. This requires verifying that the credential contains the identifier (DID) of the Owner presenting it and that it is signed by an authorized Issuer. This process requires access to information stored on the ledger.
The following image illustrates the interaction between the Issuer, Owner, Verifier, and the ledger to manage the lifecycle of decentralized identities and verifiable credentials.
The IOTA SSI Bridge provides an abstraction layer through REST APIs that allows entities to create decentralized identities (DIDs), verify them, attach verifiable credentials to them, and verify those credentials.
The figure below shows the envisioned system architecture within the full set of IOTA Integration Services developed for the ENSURESEC project.