Stay informed and up to date!
The trust triangle contains the three main roles within the ecosystem and illustrates their relationship to each other.
Issuers are institutions or companies that issue identity information to the respective holder. For example, a student card is issued directly by the university. All issuers of verified credentials have their public key on a distributed network and sign identity documents with their private key. This means that the authenticity of the credentials issued can be verified independently and asynchronously.
The holder stores his/her identity information in the Lissi-Wallet. The issued data can be a university degree, a membership certificate or other identity related information issued to the holder by an issuer. The holder thus stores, manages and controls his/her own identity information.
Entities requesting and verifying identity data from holders are referred to as verifiers. To ensure verifiability, the verifier can independently cross-check the validity of a verified presentation with the issuer’s public key on the distributed network.
.webp)
Connections are an encrypted communication channel between two parties (referred to as “contacts'' within the Lissi Wallet) to exchange information. This connection acts as a trusted communication channel given the other party can be identified.
As a user: The name of a contact is illustrated red or green to indicate the trustworthiness of the contact. This trustworthiness is based on certificates of communication end-points such as extended validation certificates. In the future we will directly incorporate authenticated public Decentralised Identifiers (DIDs) in accordance with the eIDAS regulation.
As an organisation: Organisations can identify users by either using existing trusted communication channels such as internal customer portals or request a proof of a suitable identity credential.
Credentials are claims signed by the issuing party, which usually contain multiple attributes. The sum of all attributes is referred to as schema. A credential definition is based on a schema and announces who is going to be issuing credentials with that schema. The holder of a credential can, but doesn’t have to be the subject of the credential.
An information request is a standardized procedure of one party asking another party to provide information. An information request can contain and combine a request for verified credentials, self-attested information and knowledge free evidence:
Verified presentations: Credentials or parts thereof (individual attributes) are presented. These have been issued by an issuer and can be verified by third parties.
Self-attestation: The data is inserted by the user and is not verified by a third party or issuer. Answers for self-attested information can be inserted by the user as desired.
Knowledge-free evidence: Verify a statement with regard to the fulfilment of thresholds, which are above, below, equal to, greater than or less than the selected value. This feature is currently limited to numerical values and is also known as “zero knowledge proof”.
Credential request via a verified presentation:
A backup is a secure copy of your data so you can access your wallet in case you lose your phone or access to the application.
The backup consists of two parts:
The recovery phrase:
These are 12 words, which in the right order can be used to restore your backup. This is an example of such words:
satisfy promote minimum bird unfold develop list dad easily craft cup mutual
Write them down in a secure location and do not share them with anybody else. If you lose your secret words you won’t be able to restore your wallet. Keep them secret and secure.
Here you can find detailed information regarding our products, partners and history as well as the general and technical backgrounds.
Identity cards, membership certificates, user names, biometric data, passwords and many other attributes draw the picture of your online identity. But it is not only individual features, but their relationship to each other that provides the necessary context. In times of increasing digitalization, people must be able to reliably prove their identity information. However, we continue to rely on passwords to authenticate ourselves. At the same time, we have no reliable way to prove certain characteristics of ourselves, such as our university degree or address. Document forgery and identity fraud are common problems. To solve these immensely costly and cumbersome problems, the Lissi components enable the secure storage and management of identity information with optimized user experience and high privacy standards for all involved.
The term self-sovereign identity (SSI) is used to describe a new concept of identity management. It not only puts the user in the center of all processes, but also gives the user more control over the distribution and management of his identity data.
With SSI users can receive certificates of identity information from issuers in their wallet and present them as they deem appropriate. The user decides which wallet to use, which certificates to accept and with whom to share them (or parts of them). The personal data is thus no longer primarily administered by companies or institutions, but is the user's data sovereignty. The data exchanged may be verified data, self-disclosure or a predicate without further information (so-called zero knowledge proofs).
Lissi is a software provider with the aim to enable trusted interactions between organisations and their customers. We are part of an ecosystem, which uses open standards and protocols to enable users to choose the application they like the most. We generate income by selling software to organisations and offer our Wallet for free to end-users. We lead the IDunion consortia and are part of the Main Incubator GmbH, the research and development unit of the Commerzbank Group.
Lissi is an acronym and stands for "Let's initiate self-sovereign identity". With this name we express that Lissi has set itself the goal of bringing the concept of self-sovereign identity to market. We are implementing this mission together with our partners in the IDunion consortium.
The main incubator has been researching self-sovereign identities (SSI) since 2017. The main incubator is the research and development unit of Commerzbank and is a wholly owned subsidiary. First, existing identity solutions on the market, especially federated identity systems, were analyzed and compared with SSI solutions. The results showed clear advantages for SSI solutions.
In the further course of the project, different SSI solutions and frameworks were compared and the Hyperledger Indy/Aries Framework was identified as the most promising solution. Based on this, a first prototype called "ChainID" was developed within four months by a team of three developers and the international networking, especially with the open-source community, was accelerated.
In June 2019, the joint research project "Lissi" was founded, for which many additional partners were won. More information can be found in our press release. In the meantime, the research topics have been spun off into the IDunion consortium and Lissi is focusing on the provision of agent software.
The goal of Lissi is to enable an easy exchange of identity information between private individuals, companies, institutions and authorities. For this purpose we are developing an identity app, which enables individuals to store their identity information and share it with companies and authorities. Every transfer of identity information is documented directly in the app and allows a simple overview of all shared identity information. For companies and authorities Lissi is developing an institutional agent with which identity information can be sent to individuals and requested information can be verified. In order to ensure a wide use of the solution, different aspects are standardized in the IDunion consortium and other international stakeholders.
Our goals can be summarized in the following key points:
- Data portability for users and companies (no vendor lock-in)
- Data sovereignty for users and companies on local devices
- Optimizing access to public and private sector services.
- Improved transparency in all interactionsSelf-determination for users with focus on consent and choice
- Public verifiability of presented information for all parties
- Privacy protection through encrypted connections with minimal and selective disclosure by the user
Previous identity networks and log-in services are usually based on centralized identity data storage by a central provider. Lissi offers the following advantages over existing systems:
1. Empower individuals
Large technology companies that offer a "social login" have the possibility to delete the account of a person at any time at their own discretion. The problem with this is that the customer not only loses his:her account with the respective provider, but also access to all associated services. Furthermore, a user only has a very limited possibility to claim his:her data protection rights.
By means of the self-sovereign identity the user regains control over his:her data. Since the user stores and manages his certificates independently, they cannot be deleted by a central instance. An administration of the identity data in an wallet application, which is selected by the user and is located on his:her end device, allows an easier management of data, relationships and rights for the user.
2. Avoidance of ‘honey pots’
Currently, login and personal data is stored centrally. This data is stored in data centers, which are operated or commissioned by an organization or company. The central storage of these data sets create attractive targets for cyber attacks. Decentralization counteracts large-scale data leaks. Individual users are much less attractive targets for hackers.
3. Avoidance of unwanted correlation of user data
An identity correlation describes the linking of activities and their assignment to a person in order to build digital profiles of people. This is not compatible with the principles of privacy and should generally be prevented. With a single-sign-on (SSO) login (e.g. "Login with Google"), the identity provider (in this example Google) can not only see, which service the customer uses, but also when and how often the customer uses it.
4. Single-sign-on
A single-sign-on is also possible through Lissi, but technically it works differently. The user not only has a direct and encrypted connection with each third party, but also a unique decentralized identifier (DID) for each connection. This means that neither company ABC, Lissi nor the IDunion knows when a user communicates with whom and what data is exchanged.
5. No need for passwords anymore
An email address in combination with a password is still a very common standard for authentication on the Internet. However, since one should not only have long and complicated passwords, but also unique passwords, users are often overwhelmed.
6. Service Providers
Lissi offers service providers and users the possibility to establish an encrypted connection without an intermediary. The service provider can then issue a certificate to the user, which the user can use as proof to authenticate himself with one click when logging in.
In our solution, the users move back into the center of identity management. Each user keeps his:her secure digital identity data on his:her own device or decides where this data should be stored. A wallet is used for this purpose, which stores the user's identity data and uses the IDunion network (or similar networks) as an anchor of trust. This enables each person or company to verify certificates issued to them.
The Lissi Wallet is available as a test version on mobile devices since June 2020. The application is available for users to download from both the Google Play Store and the Apple App Store. You can already use the wallet to import existing physical cards and store pk.pass. Currently the basic infrastructure for the verification of credentials is still in development and is only available for testing purposes for the time being. A productive use of the wallet is planned for 2022.
Identity and data management in particular opens up numerous new business opportunities. The topics of identification, authentication and authorization plays a central role - regardless of whether it is the initial identification of new customers, registration with online service providers, digital signing or the onboarding of new employees. With our solution, we strive for more security and a better customer experience. This not only leads to cost savings, but also to completely new revenue opportunities.
Yes, the institutional agent consists of several docker images. This means that it can be operated in your own data center or in the cloud. Furthermore, an openshift template is available. Thus the institutional agent can also be operated in an openshift cluster.
Various partners are working together in a co-development approach on the institutional agent of Lissi under the direction of the Main Incubator GmbH. These partners are the Technical University of Berlin, Bundesdruckerei GmbH, ING-Deutschland AG, Commerzbank AG and Deutsche Bank AG.
The Lissi Wallet is developed by a separate development team in the main incubator. Furthermore, we work very closely with the various partners in the IDunion consortia.
Generally, there is interest in further expanding the use-cases within the ecosystem. Interested companies, no matter from which sector, or institutions on municipal, state or federal level can contact our team at info@lissi.id to work on further use-cases.
Lissi uses private end-to-end connections for data transmission and uses a distributed ledger technology (DLT) solution (also referred to as blockchain), which allows many participants to share a common source of truth with a high level of integrity for digital signatures. Anyone who wants to verify publicly available data can do so without restriction. Users or holders of identity information store the data themselves on their end device and can therefore have access to it themselves.
The Lissi mobile wallet as well as our institutional agent, which is used to issue, store and verify certificates and to request or answer certificates, is based on the open-source framework of Hyperledger Aries. The direct (peer-to-peer) communication between two agents is standardized by the DIDcomm protocol, which is managed by the Decentralized Identity Foundation (DIF). Furthermore, we also enable the use of single sign-on (SSO) services through the integration of OpenID connect and SAML.
The open-source frameworks Hyperledger Indy and Hyperledger Aries were chosen because the source code of the framework is publicly available. Furthermore, these standards have a large developer community worldwide and several international consortia are actively developing solutions with these standards. The use of the technology is also well compatible with the General Data Protection Regulation (GDRP).
