Participants
Name | Organisation |
---|---|
Niels van Dijk | SURF |
Name | Organisation | Role |
---|---|---|
Niels | SURF / Incubator | Stakeholder |
Branko | AMRES / Incubator | Convener |
Mihály | KIFU / SZTAKI / Incubator | Stakeholder |
Jule | LCZ / Incubator | SCRUM master |
Name | Organisation | Role |
---|---|---|
Community Representatives | NRENs, Institutions | Community Expert Group |
Activity overview
Investigate the impact, opportunities and challenges of the use of SSI-based technology on various parts of the AARC blueprint architecture.
The AARC Blueprint Architecture (BPA) describes a ‘Community AAI’ solution, a set of software building blocks that can be used to implement federated access management solutions for (inter)national research collaborations.
The benefit of the BPA is that its proxy-based architecture provides both a technical integration point for authentication and authorisation, as well as a centralised point for implementing the research communities' policies. The BPA also identifies a ‘membership management service’ which implements community-specific onboarding to help establish the researcher's status and may be used to issue community-specific attributes to establish roles and rights. Implementations of the BPA, like eduTEAMS and SRAM, have greatly improved the capability to use FIM for research communities.
Unfortunately, the BPA model also introduces a few challenges:
- The BPA proxy acts as an authentication gateway, which impacts the user flow. Depending on the authentication path taken by a user, the user may end up with a different identity and hence different permissions. This is confusing for end-users and leads to challenges for services.
- A centrally operated infrastructure is required, which acts as a ‘man-in-the-middle’ for all authentication transactions. This impacts data protection and user privacy and hence needs to be considered carefully.
- Institutions need to release attributes to all such BPA infrastructures their users want to make use of. Even though this already scales much better than releasing attributes to individual services, it may still impede the ability of users to gain access to relevant services.
- A centrally operated infrastructure may not be feasible for all communities as it introduces operational costs and a certain level of organisation of the collaboration.
At first glance, an SSI-based model may offer similar benefits to the AARC BPA model while reducing the number of impediments, as a wallet model may take away the need to have a proxy as the central authentication gateway.
This activity will further explore the potential use of SSI technology in the context of the AARC BPA. It will describe where SSI technology may be leveraged, explore benefits and challenges, and describe how that may be implemented. A number of technical pilots will test the assumptions.
Activity Details
Self-Sovereign Identity (SSI) provides a new paradigm in trust and identity for how users can engage with, and have control over, their personal data. It may also provide new models for institutions and services to engage with users in the context of issuing and receiving (researcher) identity and in dealing with guest or external identities. This will have an impact on how research communities and their services can handle authentication and authorization.
SSI awareness in Europe recently spiked as the revised EU eIDAS legislation puts SSI-based technology at the forefront of the minds of decision-makers and technologists alike. With large-scale pilots with wallet technology being planned and through the technology-driven European Blockchain Services Infrastructure (EBSI) activity, the EU aims to roll out a digital wallet for every European by 2024.
To explore these questions, an AARC BPA SSI expert working group (Group) will be formed to investigate and discuss them.
For the European academic trust and identity community, these developments present challenges: how does this SSI ecosystem relate to Federated Identity and the established practices developed? There may also be opportunities: does this perhaps help us save cost when we enrol researchers or external identities in our collaborations, can we perhaps build trust in a new way, can we now finally get rid of proxies?
It is unclear how much interest there is in finding an SSI-based solution at this point in time.
The activity does not affect privacy.
The activity will launch a series of public meetings with community experts to discuss this topic. Afterwards a report will be created and published.
The goal of this activity is to investigate the topic and create a report about the state of play. It can be the trigger for further investigations in GN5-1 or to establish a community group.
Activity Results
After a series of meetings with an Expert group to discuss SSI and the AARC BPA, a Report on Decentralised identity for GÉANT, NRENs and institutions was created and published.
Meetings
Date | Activity | Owner |
---|---|---|
09.09.22 | | Branko Marovic |
30.09.22 | Use Cases, Establishment and Governance | Branko Marovic |
21.10.22 | Integration Patterns | Branko Marovic |
15.12.22 | Final Incubator demo | Niels van Dijk |
Documents