One of the first things you encounter when reading about decentralized identity is a daunting array of unfamiliar terminology. While important distinctions exist, there is a significant amount of high-level overlap with the roles and interactions you’re already familiar with.
Let’s start with the decentralized identity role of the issuer. It’s pretty easy to follow that an issuer issues things, and in large part you can immediately connect it to the role of an identity provider (IdP) or OpenID provider (OP) in that one of their primary functions is also issuing things: tokens.
What is an issuer issuing if not tokens? That would be credentials. While a traditional opaque access_token isn’t a good analogy to a credential, an id_token is a better comparison since it is a statement by the ID provider (issuer) about some attributes of the user.
The other easy association is that of the relying party (RP) or service provider (SP) to the new term verifier. A verifier is simply the party or service that verifies and acts on the validity of a credential. While the issuer/verifier terms generally map well to existing concepts, it’s important to note that with decentralized identity, both the issuer and verifier may also be a single individual and not always be a service.
The terminology diverges further when considering the relationship between the above two generalized roles. With SSO and federation there’s a variety of flows with different capabilities, but few of them provide for a distinct or stand-alone third role that sits in between those entities. In decentralized identity, that middle role is a cornerstone of the architecture and is more formally known as the holder (though typically just called the wallet). Its role is to securely retain digital credentials on behalf of the user (also known as the subject) and protect their privacy.
While it follows that credentials are issued to a holder about a subject, we should highlight the verifier side of a credential flow. It begins when a verifier generates a presentation request to the holder, which, after gathering any user consent, then presents the credential to the verifier.
In summary, decentralized identity follows some very familiar roles and relationships to existing identity management protocols but uses a more action-oriented terminology instead:
- Issuer → identity provider or OpenID provider, issues credentials
- Verifier → relying party or service provider, is presented credentials
- Subject → typically a user or individual, could also be other types of entities
- Credential → crypto envelope of information about a subject, such as an id_token
- Holder → wallet software to manage credentials on behalf of a subject