Peer-Review Record

eID and Self-Sovereign Identity Usage: An Overview

Electronics 2021, 10(22), 2811; https://doi.org/10.3390/electronics10222811
by Daniela Pöhn *, Michael Grabatin and Wolfgang Hommel
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Submission received: 29 October 2021 / Revised: 8 November 2021 / Accepted: 11 November 2021 / Published: 16 November 2021
(This article belongs to the Special Issue Advances in Electronic Identity Models and Their Applications)

Round 1

Reviewer 1 Report

The paper focuses on the technical and IT aspects of the design and deployment of identification systems and the aspects of usability and acceptability by different populations (benefits of use, popularity of systems). The article clearly differentiates between systems managed by a third-party entity (the government, a private company, a generally centralized system) and systems where the trusted third-party entity is absent (Self-Sovereign Identity, an autonomous system, essentially decentralized and technically independent, following blockchain technology). However, these elements can be widely discussed.
The paper emphasizes identification, when in fact what really matters in all of these systems is authentication. So refugees, homeless and undocumented migrants can identify with these systems: we can always give a name and baptize something or someone. It is however an issue since these undocumented migrants cannot prove their identity, and it is often even a will on their part. They have even sometimes burned their own identity papers (often with the complicity of their own government of origin ...) to "flee" their country and become "refugees" in another host country and thus benefit from generous rights granted to them in our democracies, often with the help of ideologically oriented organizations or associations. It is preferable not to hide too much naivety in the description of use of innovative identification techniques, but diverted for malicious usage. We must remember that bitcoin is used by traffickers for money laundering, and blockchain technology is also a way of turning away from states, government authorities and legal financial circuits.
The paper speaks of neutrality and agnosticity but explains that these systems work with Ethereum, Hyperledger or techniques and protocols of this kind. The systems are therefore dependent on the managers of Ethereum, Hyperledger and infrastructures of this type, which are far from being neutral entities. A computer system is always managed by a public or private organization with a known mission and unknown underlying wishes. These organizations are often influenced by states (indirect funding, etc.). The trusted entity is then discreet but it actually exists, to such an extent that surveillance systems are connected to these systems: the transparency of these systems is therefore quite relative (see the same thing on the internet). We are therefore rather witnessing the emergence of a digital conquest of public services (here identification) by private organizations in order to confiscate the power of sovereign services from states.
The article only mentions the technique and people's reaction to these techniques and does not mention culture, customs, habits, religion, etc. However, this paper is centered on identity, and we know that identity is above all cultural: The Scandinavians and the countries of northern Europe do not have at all the same reactions as the citizens of the Greek-Latin countries (Italy, Greece, etc.) or Slavic countries (not to mention Arab or Asian countries, China, Japan) vis-à-vis identification and authentication. The difference in the generation of names of persons and families (in Europe, Africa, the East and Asia) is very significant in this respect. The difference in the use of Facebook, despite a common identification system, by the various populations, is also illuminating.
The text of the paper gives the impression that the people, who are on the planet, have a unique culture and are interchangeable. Here we find the ideology of globalization, while the pandemic has shown on the contrary all the faults of this openness. The pandemic has denounced this pseudo homogenization and has shown that the populations have more confidence in the nation and the sovereign state for the safety and security of goods and people.
All the concepts of interoperability and harmonization therefore go in the direction of a negation of specific identifications and authentications by a state, according to customs established for millennia. Chinese, Arab and Western civilizations are in open competition in 2021, and it would be futile to deny all the obstacles to general harmonization by promoting a vision of a world government, obviously led by the digital empire, idyllic, transparent, neutral, image of progress ...
It would be useful if the authors, in the conclusions, could moderate a little the technical supremacy of this overly optimistic article in their judgments and temper the differences between these two visions (centralized, SSI), sovereignty being a concept, or a philosophy of life, much more complex than what is described and promoted in the article.
I have followed all the work of the European eIDAS system for 20 years. The people in charge of the eIDAS project, for 25 years, with incredible perseverance, have overcome all the technical, economic and political obstacles, so that this system is finally a notable success. The article could better emphasize the efforts and the difficulties which must be overcome in order to finally obtain a system which functions beyond all European diversity.
The article does not speak of the future and necessary identification-authentication of robots, AI software which will soon have an autonomous "life and responsibility". Car drivers have a driving license which is sometimes used for identification: it would be good if the robots that will drive our vehicles will have soon a license of this type which could also serve as identification, when they are involved in accidents or are victims of computer attacks which usurp their real identity (hacking of the takeover of a vehicle by another malicious robot).

Minor correction

The Self-Sovereign Identity exits primarily on the citizens’ devices => The Self-Sovereign Identity exists primarily on the citizens’ devices

Author Response

Dear Reviewer and Editors,

we thank the reviewers for their insightful and positive feedback on the article. We have edited the article to address their concerns.

One primary concern was the short summary. We extended the summary, added recommendations, and described our directions of future research in more detail. Additionally, we added future and necessary identification-authentication for other use cases as future work. The efforts of eIDAS are mentioned in the conclusion. Last but not least, we also shortly compare classical eID with SSI.

To answer the comments of reviewer 1: We agree that refugees might have either lost or destroyed their ID card, as already stated in the paper. Not only blockchain, but all technologies including traditional ones can be used for malicious activities. Technical neutrality describes the changeability of implementations without regarding the entities behind it. When having the digital sovereignty as a focus, this of course should be taken into account. We agree that identity is more than just technique, but nevertheless eID and the lessons learned from projects and solutions are the main focus of the paper. Therefore, we concentrate on the factors which are relevant for this topic. Even though decentralized structures have inherently less controllability, several state-related initiatives currently work on the topic of SSI or are at least talking about it, see the proposal of the new eIDAS regulation. When it comes to SSI, the state nevertheless still issues the credentials.

Last but not least, we applied the minor correction of reviewer 1.

In sum, we have tried to address all the reviewer's concerns (not only those mentioned above in detail) in the revised version and hereby submit it again, kindly asking for review after minor revision.

 

Best regards,

Dr. Daniela Pöhn, on behalf of all authors.

Reviewer 2 Report

  1. Introduction to the article - the abstract is done correctly. The authors of the article presented the basic issues that will be discussed in the article.
  2. The literature review has been compiled exhaustively. In the bibliography, the authors presented as many as 163 items that were quoted in the presented article. In these literature items, apart from scientific articles, there are also important legal regulations concerning the subject of the article. All literature and standards are up-to-date.
  3. The article is theoretical, but the authors conducted a comprehensive review of the applicable laws and regulations. The authors prepared overview, very interesting figures and tables - see e.g. Figure 2. Taxonomy of challenges in eID and SSI projects, Figure 4. Taxonomy based on challenges in eID projects and Table 1: Summary of National eIDs.
  4. However, the summary of the article is poorly formulated - it's only 15 sentences and too general. The article is 28 pages long, but the summary is too weak. Based on theoretical considerations, the authors should state what directions they will recommend or should be developed for further applications in the world and the direction of their further research. This is missing. I am asking you to build conclusions from the article, maybe to summarize in subsection 7.2, prepare a drawing - how things are going today and the direction of further development of security measures.

Author Response

Dear Reviewer and Editors,

we thank the reviewers for their insightful and positive feedback on the article. We have edited the article to address their concerns.

One primary concern was the short summary. We extended the summary, added recommendations, and described our directions of future research in more detail. Additionally, we added future and necessary identification-authentication for other use cases as future work. The efforts of eIDAS are mentioned in the conclusion. Last but not least, we also shortly compare classical eID with SSI.

In sum, we have tried to address all the reviewer's concerns (not only those mentioned above in detail) in the revised version and hereby submit it again, kindly asking for review after minor revision.

Best regards,

Dr. Daniela Pöhn, on behalf of all authors.
