Overview#Identity Custodian is an entity which is trusted to be your Custodian of your Digital Identity.
Because it’s painful to create new identities from scratch, Identity Providers like Facebook, Google, and Amazon have created systems that let you use them as a trusted Identity Custodian so you can establish a login at other sites based on your identity on their site. However, the more you take advantage of these systems for providing what are called Federated Identities ,the more of your online identity is owned by a company, and not by you. For example, if Facebook decides to terminate your account, you lose your access to and your Digital Identity at sites that you have asked to rely on your Facebook login. It also means that these Identity Custodians knows just that much more about you and the sites you visit.Self-Sovereign Identity only changes this slightly.
Identity Custodian are still required in all Self-Sovereign Identity systems Ldapwiki has encountered.
Most Self-Sovereign Identity are based a Distributed Ledger Technology (like Blockchain) but which is a Permissioned System that only allows certain Agents access to the actual Blockchain. Additionally, due to the complexity of securely managing and storing your Digital Identity, most people will not host a "Digital Wallet" themselves which implies a Identity Custodian will be used by most Natural Persons.
Identity Custodians is able to give a key back when it’s lost. Ideally, we SHOULD be able to choose which Identity Custodian to use and switch as often as wanted. Most if not all of the Self-Sovereign Identity systems do not currently allow. We also need different Identity Custodian for holding identity data and holding a key in escrow, to ensure segregation of responsibilities, and to reduce risk of exposure.
Identity Custodians are not going to be a Provider of services for your Digital Identity and not harvesting the data, they will need to be compensated for this effort, or like the National Identification Number (National ID) by government, have it be a role assigned to them and funded some other way.
There are several other fundamental challenges with using Identity Custodians:
- First is access to a user’s Private Key, which must be high-friction. It SHOULD NOT be possible for a rogue employee of an Identity Custodian to get access to your Private Key. But it must be possible, with your involvement, to recover the Private Key. High friction and convenience do not go hand-in-hand.
- How do you prove who you are… when you cannot prove who you are? The Key Recovery must handle the situation that you have forgotten the key entirely and have no possessions that can help.
- Will personal data become more private under SSI or more government observable if one person’s data is all in one place?
- Self-Sovereign Identity has a high degree of Complexity