Decentralized Identity - Why is it all the Rage?

Good evening. It is so nice to be in a room with so many identity experts and friends. You are the ones who have created and shaped where we are today. And you are the ones who are going to be creating the infrastructure and the systems that will take us into the future for next generations. This is a very exciting time in identity and it's also a very challenging time in identity. I wanna tell you a little bit about, you know, 10 years ago when I joined with some identity experts to start working in this field. And at that time I thought identity was, at least in technology systems, was all about login and access controls. You know, and there's enough complexity just with that to know what the difference between authentication and authorization is to know what types of levels of assurance are needed in specific context, how provisioning works with and without external applications, that's complex enough. But where we are today is even more complex. And what I realize now is that identity is really about making sure that each individual has access equally to the services that they need to have access to, regardless of connectivity, technical knowledge or ability.
Today, I realize that the complexity involves the struggle between needing to know your customer and the individual's right to be forgotten and not tracked. So put into Star Trek terms, it's understanding when the needs of the many outweigh the needs of the one, and when the needs of the one are so important that we need to build it into the systems so that we don't regret the future that we built for ourselves. So tonight what I'm gonna do is I'm gonna tell you a little bit of history about how we got to where we are today. I'm going to then tell you a very basic little bit about decentralized identity, and then I'm gonna have a call to action for you. I want a call to action for you to look beyond the pieces of identity that you know well and learn about new technologies that are coming out. Learn about decentralized identity, learn from the people you don't agree with. So let's start with a little history.
Before I went to work for Netscape, and before, you know, the worldwide web was even, you know, a thing. I worked for IBM Business Partners. I worked on the IBM system 36, the IBM SY system, 30 well before that, the 34 and the AS 400 when a friend of mine held up this 1994 time magazine cover and said, we're gonna build a company based on internet protocol. Now, I thought he was a little bit crazy, but I valued his opinion. And so when I went and saw this poster in my library that they were having a session in the community room on Thursday night about the internet, or actually they called it the information superhighway at that point. But I said, I'll go. I went there, I showed up in the little basement room, there was a guy with a card table, he had a a computer on the card table and a projector against the wall. There were about eight people in the room on folding chairs. And I stood in the back of the room, it was dark, and I, I'll tell you, I was pretty skeptical. And then I watched this guy connect using Telnet to a server from my little library in Concord, California to a university in Germany and use Gopher to go connect and find a strudel recipe and download the strudel recipe with ftp. And in that moment, I had two thoughts.
One was, oh my gosh, this is real. This isn't some pipe dream, it's working. And my second thought was, how the heck am I gonna learn enough? I'm behind? Where am I ever gonna find enough time to learn new information, to capitalize on what's coming? And so the second part of that thought was, I have to quit my job to have enough time. I went home, I called my friend and I said, I'm in. And it took me six months before I quit my job and another six months before our little company made enough money to pay me. But what I'd saw in that day was I saw a potential that gave me the ability to take the risk. Why am I telling you this? It's the last day of keynote speeches. We have some more tomorrow. But perhaps during all these wonderful workshops, you have heard something that made you think, oh my gosh, I'm behind.
How am I ever gonna learn enough about decentralized identity? And I wanna tell you, you're right, because there's a lot of very intelligent people that have been working on decentralized identity for years. But you're also wrong because the large scale pilots for the European Digital Wallet are just now getting underway. Bhutan Baton just issued their first verifiable credential national ID to the first person in their country, which is their crown prince. That just happened last month. So things are happening now. So you're not that far behind. So let's talk about what it took to get here. When, when we built the internet, the internet was not built for humans. It was built ironically, in a very decentralized way. The whole purpose was that you could route messages and if one server went down, the message was just sprout around it, but it was to connect servers and transfer messages.
All those things we did at Netscape kind of blew the whole thing up, you know, because we wanted to do e-commerce and we wanted to do all these things. And so what happened, we ended up with the dreaded username and password. Now, this first became a problem for the enterprise because in the enterprise, when they started using these technologies, they had a bunch of internal systems that people had to connect to. And what did people do? They made lists of their passwords, or worse yet, just stuck 'em right on the computer security and access nightmare. So we came to the next set, which was centralized systems. And single sign on this was great for the enterprise because it allowed people to connect directly to the systems they needed to connect to once authenticate and get connected. But it did nothing for the public who still needed to have an password for their bank, a password for their shopping, a password for their soccer club. And so we ended up with social login and federated id. But what's the problem with this? It doesn't work like real traditional identity works in the real world. Now, hats off to the inventors of SAML Open id oof one, oof two, you know, open Id connect, but it caused a lot of problems. And I don't need to go through all of these. You have a honeypot of risk, you have privacy of individuals in question, et cetera. But again, let's say it doesn't mirror how identity works in the real world.
If we go here, I wanna talk about something called foundational identity. When you were all born, you probably got something that was a foundational and identity a birth certificate. I just wanna show a hands here how many you have your birth certificate in your pocket right now? No one, but it's your foundational identity. No, what you did is you took that birth certificate and you went and got a foundational identity that was more appropriate to your jurisdiction. So in California or in the United States, the most valuable one is probably a driver's license. In other countries it might be a national identification card. If you're a global traveler, that foundational identity that might be important is a passport. But the key point here is you took one credential and you went to get another credential with the first credential. Now, once you have that foundational credential, you can then take it and use it for other things. So you can use it for connecting to your bank, take it and get an account. You can use it to prove you're of age to go drink. You can use it to go in a governmental situation across departments and get a a fishing permit or a business license. And in all those cases, you don't go back to the original person and say back to the hospital, the original traditional and say, here's my birth certificate. There's no centralized system for that.
So you've all probably seen this. If you've ever seen a decentralized identity session, it's the issue. Work issues it, the holder can hold it in various wallets. We've had plenty of sessions on that. And then the verifier, when they get it, can go verify it against the cryptography that's in the certificate that's been signed without going to a central location. Now, what that allows for is for you to know the authenticity of the credential. Let's talk about authenticity of the credential. All that says is that I can know who issued it and I can know whether it's been tampered with, whether it has been altered. That's all it says. Now, the first point I do wanna make is it does not require a blockchain. That's just one method of doing verifiable credentials. But this is not enough to establish trust.
We need to know who that issuer was, et cetera. And that's where we get this thing called the trust diamond, which is the whole bottom half is about the legal, the human, the social, the business contracts that say whether I trust that issuer or not. This is how your payment networks work. You know, you're all probably too young to know this, but when I got my first credit card and you went to the restaurant to use it, you had to check the little decals on the window to see if they accepted your credit card from your bank because there weren't the backend agreements that allow you to go ahead and check and do all the payments behind the scenes and all those agreements. That's a governance framework. So I work for the Trust over IP Foundation started three years ago. And the main reason that foundation was started was they saw on one side that a lot of people were working on the technical side, but no one was working on giving recommendations, white papers, templates, things to help with creating the governance decisions that need to be made. And people would say it's only at the ecosystem. The ecosystem will worry about that. But it's actually governance at every layer. If you do choose to use a blockchain, again, not required unique governance or regulations and rules about that blockchain and which blockchain you pick, right?
I could go in an hour on any one of these slides, however, that was not the title of this talk. The title of this talk is Why is Decentralized Identity All the Rage? And frankly, I think it has very little to do with the trust triangle that we talk about all the time. And it has everything to do with humans being able to now trust what's on the internet again and what's connected to it. If we can use the technology that's used in decentralized identity for human claims and human assertions, we can also use it for authenticating a sensor in a climate control system, a news article to see who its author really was, or even an image to see if Oprah really did, you know, endorse those weight loss gummies. I'm still very curious if you can take a d a weight loss gummy and it loses 50 pounds immediately, and Oprah said it did, apparently.
But no, you could verify that if we use this same technology that we use for human claims, to me, that's why it should be all the rage. Yes, what it can do in the area of humans assertions is great. What it can do in the way of having a derived credential where you take one credential from one issuer, say an airline ticket, another credential from a completely different issuer, say a hospital about a covid participant, and combine those into what's called a derived credential that says just okay to board very privacy enhancing. That's great. That should be enough to say, Hey, I wanna look into this. But that's still not why I think it's all the rage. The problems we are facing right now are not next quarter problems.
AI is not coming. AI is here. You can go right now on chat G P T and ask it a question. It's about anything that you want. And you will get what looks like a well researched, well thought out, well articulated answer. Now, when I was in college, if you wanted to take a shortcut, you had to walk down to the bookstore and get something called Cliff notes. Does anybody remember those Cliff notes? So you didn't have to read the whole book. Now all you have to do is sit down at chat G P T, you can get cliff notes on any book that you want on the fly. And not just about a book, but any subject. But here's the problem. It's only as good as the dataset it learned from. And so if there's misinformation in that dataset, if there's fake news in that dataset, it will give you what looks like a wellar articulated, well-researched, well thought out answer, and it could be completely wrong. So we could use the same decentralized trust technologies to perhaps write in the algorithms to make sure that the source of that data is something we would want to put in the answer.
So decentralized identity, in my opinion, is not all the rage because it is a better way to do login and access controls. It's all the rage because if it is implemented, it's a way to have commerce directly between two individuals. It's all the rage because if it's used in a governmental setting, you can issue a credential once and then it can be used across departments. So it as eliminating redundancy, it is all the rage because it can make the internet trustworthy again. Now, if you've heard anything this week that makes you think, well what if, how am I gonna learn anymore? What I recommend is you get involved at any of the open source projects or standard organizations that are working on this stuff, join the Open Wallet Foundation. If you're interested in making code for wallet sets of what they're doing, they're only working on code.
Join the Decentralized Identity Foundation that has special interest groups on everything from use cases on hospitality and the traveler journey to working groups, building the technology for the DCOM protocols, or join trust over IP at trust over ip. You could join in with engineers from Europe who sometimes stay up till midnight to talk to architects in Asia because I think it's important to create a trust spanning protocol that will allow for you to have different standards being used, but being able to be interoperable or one of our working groups that works on trust registries, but not just a trust registry. Trust registry protocol so that you can actually have a trust registry in this ecosystem and a trust registry in this ecosystem. And there's an actual protocol for how they connect to each other so that they can not, again, make redundancy.
So the thing is, this is a very exciting time, but it is built on the shoulder of giants. It is built by all those protocols I listed earlier are not going away. And this is why standards like Open ID for VC is so important Now is open ID for vc a truly decentralized way of doing verifiable credentials? No, it does not embrace all the principles of decentralized identity, but does it build a bridge between what we have today and what's coming in the future? Absolutely. Phyto. Pakis, do they, based on a totally decentralized model? No. But are there a million companies and individuals who worked for 10 years to create a solution for a very specific need? Yes. So what I have to say to you today is the challenges of today are not next quarter problems. We need to be leaning in together and face the future that's coming.
And the way we do that is by working as a community, listening to people who have the opposite opinion from us and seeing how these things can work together. And so what I want to do is invite you that as you attend your last session tomorrow and you're driving home or flying home on a 12 hour flight, think who could I talk to who could teach me more about something I don't already know? Who could I talk to to explain to me why, what I don't think will work might work. Let's not make tomorrow the last day of when the internet community identity community comes together. Let it us make it the time when we come together as a community to listen to each other, learn from each other, and build this decentralized trust infrastructure together. Building on what we have today and moving into the future. I wanna thank Kipper Cole for bringing us all together here today. One, just to be together, two to learn, and three to be inspired. Let's take this time together and take it out into the world to create a wonderful decentralized future together. Thank you.
Great. Like it's for very entertaining and engaging presentation at the end of a very long day is what we just all needed to kind of lift us up and get us in. And thanks for the, the call to arms and everything. I only have one question, which is, is kind of, I think a bit of from, from a bit of a skeptic. He says, but the verifier needs to accept the identity. The user needs to trust the verifier because the verifier collects data. So the user gives the control of data away by presenting his data. This is a huge responsibility, isn't it?
Isn't it something we do every day all the time anyway.
Yeah, I guess so. But I,
All we're trying to do is replicate how identity has worked in the real world before. You know the whole, how many of you saw the two box, one box presentation last night with, you know, Anne Glaser before the one box in the two box solutions? Identity wasn't created by trying to connect to a system. We had our own credentials, we walked around trust was because I know you, you know, you have a nice smile, right? And that's what it was. So it's really no different than what we've been doing in the real world. You have it, you have to decide what you're gonna use with it. You're in control.
Sounds great. I
Don't know if that answered, but I understand these questions are gonna be given to us. So if you have other questions, we'll answer them and put them online.
Oh, that's great. Thank you very much. Round applause again for Judith.