Access control mechanisms define how tenants and other entities can access and interact with their data and resources, and control who may access them. They enforce security and privacy policies in a multi-tenant environment.
Anchoring is the act of tying something to an entity that is trusted by assumption, usually one with some form of authority.
An administrator is a role that oversees the agent and related resources, including tenants, Edge Agent management, and external services. An administrator typically does not participate in day-to-day SSI interactions.
An assertion made about a subject.
The Cloud Agent is a scalable, easy-to-use, robust, W3C standards-based agent that provides self-sovereign identity (SSI) services on which products and solutions can be built. The Cloud Agent exposes a REST API for integration with any programming language.
See DID Controller.
The protocol provides endpoints for creating and managing connections, as well as for accepting invitations.
An invitation from one entity to another to establish a connection.
A request to establish a connection.
A data template for verifiable credentials (VCs). It contains claims of the VCs, credential schema author, type, name, version, and proof of authorship.
An Issuer sends a request to the Holder to accept a verifiable credential.
When the Holder accepts or rejects a credential offer, a credential request is created from it.
A globally unique persistent identifier that does not require a centralized registration authority and is often cryptographically generated. All DIDs use distributed ledger technology (DLT) or some other decentralized network.
A set of secure, standards-based communications protocols to establish and manage trusted, peer-to-peer connections and interactions between DIDs in a transport-agnostic and interoperable manner.
The entity that has control of the DID.
A set of data that describes the DID subject, including mechanisms such as cryptographic public keys. The entire W3C DID specification is here.
A DID method specification defines how a particular DID scheme is implemented, including the precise operations to create DIDs and DID documents and how to resolve, update, and deactivate them.
The process for retrieving a DID document.
The entity identified by a DID and described by a DID document. Anything can be a DID subject: a person, group, organization, physical thing, digital thing, etc.
A DID itself is a type of URL; did is a registered URI scheme, like http and https. In Identus, a DID URL is a DID that includes path and query parameters and can resolve a resource via one of the service endpoints in the DID document. For example:
did:prism:9f847f8bbb66c112f71d08ab39930d468ccbfe1e0e1d002be53d46c431212c26?resourceService=agent-base-url&resourcePath=schema-registry/schemas/did-url&resourceHash=4074bb1a8e0ea45437ad86763cd7e12de3fe8349ef19113df773b0d65c8a9c46
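The example above carries three query parameters (resourceService, resourcePath and resourceHash). The following is an added example, not code from the Identus project, showing how a consumer can split such a DID URL into its DID, method, path and query parts, and then check a resolved resource against its resourceHash before trusting it. It assumes that resourceHash is the lowercase hex SHA-256 of the resource bytes (the value on the page is 64 hex characters, which is consistent with SHA-256, but the page does not state the algorithm); the sample resource is constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# DID URL taken from the glossary example above.
EXAMPLE_DID_URL = (
    "did:prism:9f847f8bbb66c112f71d08ab39930d468ccbfe1e0e1d002be53d46c431212c26"
    "?resourceService=agent-base-url"
    "&resourcePath=schema-registry/schemas/did-url"
    "&resourceHash=4074bb1a8e0ea45437ad86763cd7e12de3fe8349ef19113df773b0d65c8a9c46"
)

# Constructed sample resource body; not a real Identus schema document.
CONSTRUCTED_RESOURCE = b'{"name":"example-schema","version":"1.0"}'

METHOD_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789")


@dataclass
class DidUrl:
    did: str                 # bare DID, e.g. did:prism:<id>
    method: str              # DID method name, e.g. "prism"
    method_specific_id: str  # identifier after the method name
    path: str                # path component ("" when absent)
    query: dict = field(default_factory=dict)  # single-valued query parameters
    fragment: str = ""


def parse_did_url(did_url: str) -> DidUrl:
    """Split a DID URL (did:<method>:<id>[/path][?query][#fragment]) into its parts."""
    parts = urlsplit(did_url)
    if parts.scheme != "did":
        raise ValueError("not a DID URL: scheme must be 'did'")
    # urlsplit leaves "<method>:<method-specific-id>[/path]" in .path
    method, sep, rest = parts.path.partition(":")
    if not sep or not method or not set(method) <= METHOD_CHARS:
        raise ValueError("malformed DID: method name must be lowercase letters/digits")
    msid, slash, path = rest.partition("/")
    if not msid:
        raise ValueError("malformed DID: empty method-specific identifier")
    query = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"duplicate query parameter: {key}")
        query[key] = values[0]
    return DidUrl(
        did=f"did:{method}:{msid}",
        method=method,
        method_specific_id=msid,
        path=("/" + path) if slash else "",
        query=query,
        fragment=parts.fragment,
    )


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def resource_hash_matches(resource: bytes, expected_hex: str) -> bool:
    """Assumption: resourceHash is the lowercase hex SHA-256 of the resource bytes.
    A constant-time comparison avoids leaking how many leading characters matched."""
    return hmac.compare_digest(sha256_hex(resource), expected_hex.lower())


def check_resolved_resource(did_url: str, resource: bytes) -> bool:
    """True only if the DID URL carries a resourceHash and the resolved bytes match it.
    A resource fetched via resourceService without a hash to check is not trusted."""
    expected = parse_did_url(did_url).query.get("resourceHash")
    if expected is None:
        return False
    return resource_hash_matches(resource, expected)


if __name__ == "__main__":
    parsed = parse_did_url(EXAMPLE_DID_URL)
    print("DID:", parsed.did)
    print("query:", parsed.query)
    print("constructed resource matches example hash:",
          check_resolved_resource(EXAMPLE_DID_URL, CONSTRUCTED_RESOURCE))
```

The hash check is the part worth keeping: a resourceService endpoint is just a network address from the DID document, so the resolved bytes should be bound to the DID URL by recomputing the hash rather than trusted because of where they came from.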
A distributed database or ledger establishes confidence for the participants to rely on the data recorded. Typically these databases use nodes and a consensus protocol to confirm the order of cryptographically signed transactions. Linking the transactions over time creates a historical ledger that is effectively immutable.
A network address at which services operate on behalf of a DID subject.
An entity, in the context of the Identus platform, is an identity representing a user or system. Each entity possesses an Edge Agent and is associated with an authentication method. Entities are crucial for secure and verifiable transactions within the SSI ecosystem.
Available for web and mobile platforms (iOS, Android, TypeScript), Edge Agents enable identity holders to store credentials and respond to proof requests. An Edge Agent can perform DID operations, such as create, update, and deactivate. It also enables management of verifiable credentials and communications.
See Trust Framework.
An entity takes on this role by possessing one or more verifiable credentials and generating verifiable presentations. The holder also takes the role of a prover when presenting verifiable credentials for verification.
IAM (Identity and Access Management) is a framework that controls and manages user access to computing resources. It ensures secure authentication, appropriate authorization, and effective auditing to protect against unauthorized access in a computing environment.
A suite of products that provides infrastructure for decentralized identity.
An Identity Provider (IDP) is a centralized service that manages and authenticates user identities, allowing individuals to access multiple applications and services with a single set of credentials. IDPs play a crucial role in Single Sign-On (SSO) systems, simplifying user access management across various platforms and services.
Sent by the inviter to the invitee to request and establish a connection.
A subject that receives a connection invitation and accepts it by sending a connection request.
A subject that initiates a connection request by sending a connection invitation.
An entity that asserts claim(s) about one or more subjects, creates a verifiable credential from these claims, and transmits the VC to a holder.
Allows you to create, retrieve, and manage issued verifiable credentials (VCs) between a VC issuer and a VC holder.
Keycloak is an open-source IAM solution that provides authentication, authorization, and single sign-on capabilities for applications and services. It allows organizations to secure their applications by managing user identities, enforcing security policies, and facilitating seamless and secure user authentication.
A mediator participates in agent-to-agent message delivery in a way that the sender must model. It has its own keys and will deliver messages only after decrypting an outer envelope to reveal a forward request. Many types of mediators may exist, but two important ones should be widely understood, as they commonly manifest in DID Docs:
- A service that hosts many cloud agents at a single endpoint to provide herd privacy (an "agency") is a mediator.
- A cloud-based agent that routes between/among the edges of a sovereign domain is a mediator. For a detailed overview of mediators, refer to the RFC0046: Mediators and Relays.
Multi-tenancy is a core capability of the Identus platform, allowing it to serve numerous users/identities while logically isolating their Edge Agent assets. This segregation maintains data privacy and security, enhancing scalability and resource sharing within the SSI ecosystem.
OIDC (OpenID Connect) is an authentication protocol built on top of OAuth 2.0. It enables secure user authentication and allows applications to obtain information about users, facilitating single sign-on (SSO) and identity verification in web and mobile applications.
OID4VCI (OpenID for Verifiable Credential Issuance) defines an authorization mechanism for issuing credentials using the OAuth2 protocol. It grants the holder access to credentials protected by the issuer's authorization server.
They are specialized DIDs for peer-to-peer relationships.
A rich DID method that has no blockchain dependencies. The verifiable data registry is a synchronization protocol between peers. See the Peer DID Method specification.
The protocol provides endpoints for a Verifier to request new proof presentations from Holders/Provers, and for a Holder/Prover to respond to the presentation request using a specific verifiable credential they own.
A cryptographic mechanism that proves the information in a verifiable credential or verifiable presentation has not been tampered with. Many types of cryptographic proof exist, including but not limited to digital signatures, zero-knowledge proofs, Proofs of Work, and Proofs of Stake.
See verifiable presentation. Also see Present Proof Protocol.
The Protection API in User-Managed Access (UMA) is a set of endpoints that enables resource servers to enforce access policies and protect resources. It provides a mechanism for resource servers to interact with the authorization server to obtain necessary information and permissions, ensuring that access to user-managed resources aligns with the user's specified policies.
Also known as protobuf.
A response type for endpoints that implement the PRISM AnonCreds method:
{"resource": <encoded resource as string>, "url": <DID URL at which this resource can be resolved>}
A relay is an entity that passes along agent-to-agent messages, depending on the sender's encryption choices. It does not decrypt anything. Relays can change the transport for a message (e.g., accept an HTTP POST, then turn around and emit an email, or accept a Bluetooth transmission, then turn around and transmit something in a message queue). Mix networks like Tor are a type of relay. For a detailed overview of relays, refer to the RFC0046: Mediators and Relays.
A party that depends on the authenticity of digital signatures.
Requesting Party Token (RPT) is a concept within the UMA framework. It represents a token obtained by a client application from an authorization server, allowing the client to access protected resources on behalf of the requesting party (user), based on the user's policies and consent.
This component securely stores sensitive information, such as private keys associated with an individual's digital identity, the Edge Agent seed, etc. Secrets storage plays a crucial role in SSI implementations because it ensures that sensitive information is securely stored and protected against unauthorized access or disclosure.
An identity model that shifts control to the edges, focused on security and privacy, using public/private key cryptography.
A tenant is an individual user, organization, or entity that utilizes the SSI platform. Each tenant has its isolated area within the system, maintaining the separation of assets.
Tenant isolation is a core capability of the Identus platform, allowing it to serve numerous users/identities while logically isolating their Edge Agent assets.
Tenant management encompasses the processes and tools used to onboard, provision, and manage tenants within the SSI platform, including user registration, role assignment, authentication method configuring, and access permissions.
A governing body that establishes rules, requirements, operating procedures, and a trust registry for specific ecosystems.
A document that lists authorized issuers and verifiers established by the Trust framework.
User-Managed Access (UMA) is an authorization framework that allows users to control and manage access to their online resources. UMA enables individuals to share their digital assets with others while maintaining control over who can access the information and for what purposes.
HashiCorp Vault is a widely used open-source and enterprise-grade solution designed for securely storing, accessing, and managing secrets and sensitive data in modern computing environments. It offers a centralized platform for managing cryptographic keys, passwords, API keys, tokens, and other secrets.
A verifiable credential is a tamper-evident credential that contains one or more claims made by an issuer whose authorship can be cryptographically verified. It is possible to use VCs to create a verifiable presentation. Also, the claims in a VC can be about different subjects.
A system that mediates the creation and verification of identifiers, keys, and other relevant data.
Data derived from one or more verifiable credentials, issued by issuers, and shared (presented) with a specific verifier. The verifiable presentation is tamper-evident and encoded in a way that allows the authorship of the data to be trusted after cryptographic verification.
An entity that receives one or more verifiable credentials, optionally inside a verifiable presentation. Also known as a relying party.