Decentralized Identity Handbook – Part 2: Status quo of digital identities
In handbook part 1 we described what a digital identity is. In this part we look at the technologies in use today and their limitations.

Status quo of digital identities and their management
Centrally hosted online identities with user databases
Today, most digital identities are managed through centrally hosted systems—user data is stored in centralized databases operated by online service providers. This means each platform maintains its own user account system, and users must manage multiple logins across different services.
To simplify this fragmented experience, federated identity solutions were introduced. These systems allow users to access multiple services with a single set of credentials—commonly using a shared login via a provider like Google, Facebook, or Microsoft. This is known as federated identity management, where identity information is used across trusted domains based on common attributes like usernames, email addresses, or other identifying data.
Simplified view of federated identities:
While federated identity models improve convenience for users by reducing the number of credentials to manage, they still rely on centralized control of user data. This approach carries several vulnerabilities:
- Security Risks: Even with best practices like strong passwords or multi-factor authentication, user data remains a high-value target. Central databases are still frequently compromised through breaches and hacks.
- Privacy Concerns: Centralized providers often retain ownership or sovereignty over user data. This means personal information can be linked or even monetized without full user awareness or consent.
- Compliance Loopholes: Although regulations like the General Data Protection Regulation (GDPR) aim to protect user privacy and improve IT security, enforcement is inconsistent. Many providers exploit gray areas due to the difficulty of detecting violations and the relatively low risk of penalties.
- Scalability and Trust Issues: Centralized federated systems are limited by the trust relationships between providers and the concentration of user data, which makes them attractive targets for cyberattacks.
Ultimately, federated identities still inherit the core weaknesses of centralized identity systems. They do not fundamentally solve the issue of user data sovereignty or resilience against breaches—they merely shift the control from multiple silos to fewer, but still centralized, ones.
Identity management with digital certificates and public key infrastructure (PKI)
A foundational concept in digital identity management is the use of digital certificates, which play a crucial role in securing today’s web-based systems. They complement centralized identity models by enabling stronger authentication, encryption, and integrity checks. This concept also underpins aspects of decentralized identity systems.
What is a Digital Certificate?
A digital certificate is a structured data record—typically in the X.509 format—that uses cryptographic methods to confirm the identity of a person, organization, or device. It validates both authenticity and integrity by proving that certain properties (e.g., a public key) belong to the claimed entity and have not been tampered with.
A certificate typically includes:
- A serial number and expiration date
- The public key of the entity
- A digital signature from the issuing Certificate Authority (CA)
- Rules or constraints defining how the certificate may be used
The Role of PKI
To manage and validate these certificates, a Public Key Infrastructure (PKI) is used. This technical framework supports the issuance, distribution, and management of digital certificates, forming the backbone of many secure digital interactions.
Common use cases include:
- Email encryption and signing
- Digital document signatures
- Authentication for cloud and enterprise applications
- Secure communication in networks (e.g., VPNs, servers, routers)
- IoT and Industry 4.0 devices
- Access control for WiFi or corporate resources
How PKI Works
PKI relies on asymmetric encryption, where a public-private key pair is generated. The private key is securely stored (e.g., in a hardware module), while the public key is shared.
However, to establish trust, a third party must verify that a public key indeed belongs to the claimed entity. This is the purpose of the Certificate Authority (CA), which signs and issues digital certificates after verifying the identity via a Registration Authority (RA).
The CA’s digital signature assures other parties that the certificate (and its public key) is legitimate. Third parties can verify this using the CA’s own public key, forming a chain of trust.
Disadvantages and Limitations of CAs and PKI
Despite its widespread use and technical robustness, PKI has several weaknesses and risks—particularly related to the centralized trust model:
- Single Points of Trust (and Failure): CAs are central trust anchors. If compromised (e.g., through hacking or internal misconduct), the security of all certificates they issued is at risk. Notable incidents (e.g., DigiNotar, Symantec) have exposed this vulnerability.
- Over-Reliance on CA Trustworthiness: Users and systems must blindly trust that the CA has properly validated identities. There is limited visibility into or control over how rigorously this validation was performed.
- Revocation Issues: When certificates are compromised or misused, revoking them is often inefficient. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) can be unreliable, slow, or ignored by clients.
- Centralized Governance: PKI reinforces centralized identity structures, which may contradict the growing movement toward user-centric and decentralized identity models. Trust decisions remain largely outside the user’s control.
- Complexity and Cost: Operating a secure PKI is resource-intensive. Organizations face high costs and complexity in managing key lifecycles, renewals, revocations, audits, and compliance for hundreds of thousands of certificates.
- Lack of User Autonomy: End-users typically have little control over how their keys are managed or how certificates are issued. This contrasts with emerging self-sovereign identity models.
Conclusion
Digital certificates and PKI remain essential tools for secure digital identity and communication. However, they come with centralized dependencies and structural weaknesses. These limitations are key drivers behind the push toward decentralized identity systems, which aim to distribute trust and give individuals greater control over their digital identities.