If you work in the area of identity you will have noticed a lot of talk about self-sovereign identity (SSI).\u00a0 As a concept, it applies the goal of placing the user at the center of digital identity management and control. User-centric digital identity is not a new idea. I first came across it back in 2008 when I read Kim Cameron\u2019s Laws of Identity \u2014 the piece itself going back to 2005. Law 1 states that \u201cNo one is as pivotal to the success of the identity metasystem as the individual who uses it.\u201dSSI is user-centric, but you don\u2019t need to have a self-sovereign ID system for it to be user-centric.On paper, I like the idea of a self-sovereign identity. After all, digital identity is about what you do with the information that makes up who you are \u2014 surely that should be under your control. Yet still, I have lingering questions that make me question the ability of SSI to fulfill my identity needs.What is self-sovereign identity?Self-sovereign identity uses blockchain to register the attributes of a person\u2019s identity. What does that mean? Your identity data (attributes or claims) \u2014 the stuff that determines your digital you, or that thing is that thing \u2014 are registered to a block on a blockchain. The blockchain is a distributed ledger (i.e., it has no central authority controlling it, it is decentralized); the subsequent decentralized claims are then part of a person\u2019s identifying data that they can share, under their control, with a requesting party like a bank or a government service, etc.The substance of the SSI is based on the idea of verifiable claims. If you follow my blog you\u2019ll know that verification is a thorny issue in the digital identity space. It is certainly not straightforward and can do with a sprinkle of "user friendly" if you ask me. But organizations like Sovrin, who are offering a backbone for SSI, are built upon the notion of verifiable claims being managed through a distributed ledger technology backbone specifically attuned to digital identity.What is a verifiable claim?I just want to talk a little about the notion of a verifiable claim. For a piece of data on an individual to carry any weight it has to be true or at least have a probability of truth that satisfies the service provider. Claims that are checked (verified) by a trusted third party are deemed to be verifiable. Web standards custodians, W3C, have looked at the issues around standards for verifiable claims.\u00a0 The research findings of the group come down heavily on the side of user-centric and privacy enhanced. There is a very strong value statement driving their work \u201cNo User-Centric, Privacy-Enhancing Ecosystem Exists for Verifiable Claims."The research concludes several things including:Trust is decentralized. Consumers of verifiable claims decide which issuers to trust.AndUsers may share verifiable claims without revealing the intended recipient to the software agent they use to store the claims.But, in the context of this article, do you need a decentralized identity system to have decentralized verifiable claims? Are the two mutually exclusive?Three critical questions about self-sovereign identityWho will pay?We live in a world that is built upon certain commercial structures. These structures are pretty much universally driven by money. I want to understand how we can fit an identity framework, that is based on presenting verifiable claims, to a service. Who will pay for the verification? If one organization pays, will they be happy if that data is then shared with a competitor to build up a trusted relationship with them?Are we back to the same issues we had with federated identity? As Phillip Windley said back in 2006: \u201cNot surprisingly, the hard part isn\u2019t usually the technology. Rather, the hard part is governing the processes and business relationships to ensure that the federation is reliable, secure, and affords appropriate privacy protections.\u201dWill self-sovereign systems come up against similar commercial issues to those faced by federated identity, but this time from a pay for use basis?An interesting look at how this could be solved is from the Web of Trust working group and their work-in-progress treatise \u201cHow SSI Will Survive Capitalism.\u201d This is something I will be keeping a close eye on. This is my main concern from their SWOT analysis: \u201cLack of upfront financing due to lack of platform (chicken & egg problem).\u201dAnd a last point before I move on that was brought up by a government official in the UK: Is a government verified identity document like a passport actually your data to own?Where is the weak point?I\u2019m also not sure about the whole SSI being a magical panacea for refugees. There is a nagging feeling in the back of my head around the \u2018stewards\u2019 model. Self-sovereign frameworks like Sovrin use a steward\u2019s model to maintain trust. The stewards are trusted third parties \u2013 organizations that operate the nodes in the distributed ledger. Sovrin currently has over 50 stewards that provide human and computing power.I can see the positive aspect of this. It extends the notion of decentralization to another layer. But will the steward will become a weak point in the system? Will cybercriminals target stewards to gain control of the nodes?How private is it, really?The privacy aspects of decentralized, SSI are part of the charm of the system. Sovrin, for example, uses Zero Knowledge Proof as the underlying mechanisms of minimal disclosure of data. "Are you over 18?" Only Yes\/No is revealed. Of course, SSI isn\u2019t the only system that offers privacy of attributes. There are several ways of achieving the same thing using traditional identity services. One such mechanism was developed by Sid Sidner back in 2006, and named \u201cVariable Claims.\u201d I\u2019ve seen it applied in a traditional identity service. It works in a similar manner by only revealing certain data, i.e., yes\/no or partial reveal of attributes.The problem is this. It is all well and good having minimal disclosure. But what if you want to buy a pair of shoes online? You have to allow the online vendor to know what address to send the shoes to. They will likely also want your name and other demographic data if they can get consent, for marketing purposes. Your data is then outside the SSI and held in a more traditional manner. And\u2026it is now outside of your control too.An identity ecosystemI remember looking at pretty good privacy (PGP) way back. It offered the hope of secure email communications based on the idea of a \u201cweb of trust.\u201d PGP always seemed very "techie" to me; you virtually needed a Ph.D. in computer science to use it. Usability, rather than methodology has probably killed PGP \u2014 even Phil Zimmerman, who invented PGP, doesn\u2019t use it anymore. I get the same techie feel of PGP within the SSI movement. I know that folks in SSI are working hard to get neat apps together to help with usability, but still, there is an air of PGP about it.\u00a0 I can\u2019t shake it. I want to, but I think it comes down to this: We need to understand the true nature of why we use digital identity, the real use cases, the pitfalls of such use cases, as much as we need the technology to make them happen.I do not, however, want to write a technology off just because I have a few unanswered questions. I can see, for example, that blockchain has some use cases that fit well and as an additional layer in a tech stack it has enormous potential.Tim Bouma, senior policy analyst for identity management at Treasury Board Secretariat of the Government of Canada, recently summed up the SSI debate perfectly, and I agree wholeheartedly with his very pragmatic take. Tim explores technology with open eyes and the hard head of experience. He said in a recent tweet and Medium post on SSI:The extreme (decentralized) case is no service provider, but likely it will be a mix of centralized, federated and decentralized options. That's ok because options make for a healthy ecosystem.SSI is on the extreme end of the digital identity spectrum. Its focus is putting control back in the hands of you, the user. But SSI is not the only way to skin a cat. My own view is that a mix of technologies will, at least for the foreseeable future, be needed to accommodate the vast array of needs across the identity ecosystem. I can see use cases for SSI. But will it become the overarching way that humans resolve themselves in a digital realm? I don\u2019t know. I don\u2019t have a crystal ball, but my gut says it won't \u2026 unless there are compelling answers to the three questions I have listed above. Maybe the SSI community can help me to understand?