10 Decentralized key management

Dr. Sam Smith

    Chapter 9 covered the overall topic of SSI digital wallets and agents. However, the function at the very core of digital wallets—cryptographic key management—is deep enough to merit its own chapter. Although thousands of papers and dozens of books have been written on the subject of key management, for this chapter on decentralized key management, we called on Dr. Sam Smith, who is not only one of the most prolific thinkers and authors in SSI but the inventor of Key Event Receipt Infrastructure (KERI), covered in the final section of this chapter. Sam received his PhD in electrical and computer engineering from Brigham Young University in 1991; spent 10 years at Florida Atlantic University, reaching full professor status; and then retired to become a full-time entrepreneur and strategic consultant. He has over 100 refereed publications in the areas of machine learning, AI, autonomous vehicle systems, automated reasoning, blockchains, and decentralized systems.

    Chapter 9 began with this overarching definition of digital wallets:

    A digital wallet consists of software (and optionally hardware) that enables the wallet’s controller to generate, store, manage, and protect cryptographic keys, secrets, and other sensitive private data.

    10.1 Why any form of digital key management is hard

    10.2 Standards and best practices for conventional key management

    10.3 The starting point for key management architecture: Roots of trust

    10.4 The special challenges of decentralized key management

    10.5 The new tools that VCs, DIDs, and SSI bring to decentralized key management

    10.5.1 Separating identity verification from public key verification

    10.5.2 Using VCs for proof of identity

    10.5.3 Automatic key rotation

    10.5.4 Automatic encrypted backup with both offline and social recovery methods

    10.5.5 Digital guardianship

    10.6 Key management with ledger-based DID methods (algorithmic roots of trust)

    10.7 Key management with peer-based DID methods (self-certifying roots of trust)