When will my Digital ID Wallet Work all Over the World?

Good morning. Great to see so many of you here this early in the morning. Now I'm really not a morning person, so this is the beginning. This slot is, is, is, is not in my comfort zone. But good morning. Good morning. Great to see you all. So let me kick off, let me find the clicker.

So, so I'm Mother Shaw, chief identity strategist at the Open Identity Exchange. And we're a members organization. We have a lofty vision that all of us can have a additional ID of our choice that works seamlessly all over the globe. That's what we're, that's what we're trying for. Microsoft back in the eighties, nineties, had the vision of a, a desktop computer in every home around the globe. Everyone scoffed, no, they're never going to achieve that. And look what happened. So we like a lofty vision. We like to have something to aim for.

And I, when I was putting this presentation together, I wanted to talk to you about when will were my, my wallet work all over the world. But as I put it together, I realized I was talking more about the how, how is it going to work. So we're gonna kick off with the how, how will my wallet work all over the world? What are we gonna do to make that possible? And then that brings us to the who, who is, who is going to be involved in this colossal and challenging task. And then finally, I will wrap up with a when. So let's start straight away with a how.

So what I want is a wallet that, like my phone, that like my bank account works wherever I go. I don't want to arrive in a new country and have to get a new wallet or a new digital identity. I want it to seamlessly work for me all over the globe. So when I hop on a plane with my UK based wallet, this is subject to the UK trust framework. So that O X, were all about trust frameworks. And when I land in the US I expect my wallet to work. Now I might accept that some things in IT don't work anymore because they're not relevant in the new country I've moved to.

So I think some, like some of my loyalty cards are no longer relevant. Some of my payment instruments might not work, but by and large, I expect everything in my wallet to work. And if I've got a level of trust in my wallet, so I've got that level of confidence of medium that's been afforded to my identity through my wallet in the uk, I might reasonably expect that the things in my wallet can be used to formulate a level of assurance where I've just landed. So that if I've just landed in the US now I can get an IAL too, for instance. That seems a reasonable expectation for me.

Now, to do that, we've got to make our wallets smart. They've got to understand credentials, they've got to be able to read these rules from different trust frameworks and adapt seamlessly to them as we move around the globe. And as we heard in some of the presentations yesterday, what implementations so far have not been that smart. They've been quite technical. So this is a, this is a long way for us to go, but this is where we need to get to if we're gonna make this successful. And at the OpX we've been working on what we're calling the open Policy Rules exchange framework.

We've been working and analyzing eight different trust frameworks around the globe. We've completed our initial analysis on the uk, the US, and the EU trust frameworks. In this. We've done version four in eu. We've done the latest RF and the latest regulation. We know it's moving, but we want to work with the latest material we've got. And we're creating a framework that enables communication of policy from frameworks to wallets within credentials to wallets and beyond. And by acceptors or relying parties of the policy that they want.

That might be a level of assurance, it might be a level of liability. So this will work for all of these different parties. And it will also work whether the wallet is from a government or indeed it's a government based ID or whether it's from the private sector. So we are technology and implementation agnostic, centralized identities, decentralized wallets. This framework will enable all of them to communicate their policy and also determine and formulate policy so that the wallet can adapt. And we're also working with an, with a whole set of trust frameworks here, a trust frameworks in total.

We will conclude this analysis around August time and then release a paper, explain to you what this framework is all about. But it essentially enables me to answer the questions. Questions that a relying party or a framework wants to know. Can I accept this wallet? Does it meet my policy requirements? That means we need a wallet that is subject to policy from a provider who we know and trust. When I know I trust the wallet, do the credentials in it meet my policy requirements. So if I'm hiring a car, does the driving license meet my policy requirements? Can it derive information I need?

So I might want to ask the person whether they're over 18, we hear this a lot, they might, you know, go to a bar in the new country I've arrived in, used to be over 18, over 21. Can the wallet answer that question? There's lots of ways it can answer that question from lots of different credentials. So the wallet needs to be smart and understand the local rules for that and adapt. And then the other question is, can it formulate a local level of assurance relevant where I've landed? Because that's the prevailing law.

That means I can do something more sophisticated like maybe open a financial account or access government services. Now ultimately if I move to a country, I'm going to need a wallet issued by that country. But when I arrive, when I'm doing business, when I'm a tourist, my wallet should work seamlessly. So drilling into that, we've identified a whole set of what we call general policy rules at apply to the wallet and to credentials as well. But let's apply them first to the wallet. We've got 178 different characteristics so far grouped into just over a dozen. You can see here different areas.

As we doing analysis, they are continuing to expand. At the end we will normalize those and we'll be able to enable frameworks to describe which characteristics they exhibit. So another framework can understand what the position is on data management liability consent. And so a relying party can understand that and see whether it meets their policy requirements. When we start to drill into what's accessible from a credential point of view, we've identified what we're calling golden credentials.

Five golden credentials, National ID cards, which many IDs are formulated directly from, they're essentially digital versions of a national ID in the us. That's a state id often passports, driving licenses, bank accounts and telcos. And when we analyze trust frameworks and the way they do proofing to determine trust in a user, we find these five credentials. We also find local things, local data sources. But when we're looking interoperability, we've zeroed in on these five credentials.

And if we're going to achieve interoperability, so my wallet works when I land in the US or here in Germany, we're going to need them to be standardized. Every element of them to be standardized, not just one bit, not just the data, not the credential for the technical protocol. Every bit of them needs to be standardized. That's not there in the market today. So when we examine a credential, we need to know who the issuer is. We've got huge amount of effort going into that. Traceability. Who is the issuer? I need to know the general policies.

It is subject to what's its, what's the credentials, position on liability, How were the authenticators connected to it? I need to know the format. Is it a mobile driving license? Is it a digital travel credential? Is it a bank account? I want those formats to be standardized so we can inter operate. I want to know how it was proofed to the user. How do I know this is the user's credential? What was the process that we went through to do that? I'll come onto that in much more detail in a moment. We want to know the authenticators that are bound to it.

Are they of the right level multifactor biometrics that enable me to accept that credential with confidence? Or are they too weak? And I want to know that the data within the credential is in a format that I understand. I don't want to have to adapt my data consumption for everybody's different format for debt, for driving licenses or for bank accounts. So we've got a way to go on standardizing all of this. There are bits of standards, there's a patchwork of standards, but it all needs bringing together in a way that we can, great credentials that will work all over the globe.

Digging into proofing this, splits into validation, validating that a proof is genuine and verifying it belongs to the user. And our analysis so far, we've identified that pretty much there are five validation and five verification methods. They all use the same approaches. The way they do it though, the way they specify their procedures is different. Sometimes they reference a ISO standard or yeah, a local standard. But there is a lack of standards in this area.

So one of the things we need here are standards, particularly for things like document scanning, taking selfies, there's some liveness standards, cross-matching them. All of that needs to be brought together. Not little bits of standards that are, you know, interpreted in different ways. We need clearer consolidated standards for how a whole credential is validated and verified.

So our, our work here will segment this, unpack it and call for a set of more coordinated standards. And then what we also identified was that actually the methodology that's used to then take the credentials, validate them, verify them, is pretty consistent. And that's not surprising because these methodologies have been developed by reading the methodology of whoever wrote the last framework and adapting it. Some of it's drawn from what we've done at O X over the years.

So we'd start off with a list of these are the things we accept, the permitted credentials local and the five golden ones I've just talked about. We say which validation methods we accept for which credential and we give them some kind of weight in our model, we often combine those. And this is part of the, the, the secret recipe. So that we're put together, well if you're going to do a face-to-face check, we also want you to do a data check.

So we're getting two different sources and we put, this was the interesting bit in our analysis, these different combinations that then add weight to the confidence in the identity, both on a validation level and a verification level. And then what we do is we put those together again. So this is, this was really interesting. We found this is like a, this is like a cooking recipe when you fold the dough and then we're gonna fold the dough again and then we're gonna fold the dough a third time.

And it's, that is the secret thing that makes the whole thing successful. And so from these accommodation, these combinations, it might be that one very strong combination gives you a level of assurance. We might have to combine two different credentials with different techniques for verification to give a level of assurance. But we've proven with the three we've analyzed so far that this methodology flows through those three. I've already half done a fourth one, which is the Thai government one. And that fits in the methodology as well.

So if we can go back to standardized credentials, have them proofed in a standard way. Governments, writers, trust frameworks, relying parties can express their policy needs for assurance through a methodology like this. Which means dynamically we can add up level of assurance from the credentials I already have in my wallet. That's where we want to get to. Now that's a big step I know, but that's the vision we have and the methodology so far seems to work. The other thing I mentioned in terms of standards was data. We've been doing a lot of work at O X on data.

You'll hear most people talking to you at this conference about protocols, O I D C, very verifiable credentials, verifi verify credentials, this verifiable credentials. The other we're looking at what goes in those protocol envelopes. However you move it about if I'm communicating a passport to you or a driving license or a name or an address, it's the same data. We want that to be consistent and we're about to release a paper that will call for protocol independent data standards. So whichever of these protocols I pack the data into the data is the same.

So I can change protocols when I unpack it, all the code I've written to process the data doesn't need to change. I can move suppliers. The code I've written to process the data doesn't need to change. We think O IDC for IDAs, for identity assurance, the verification object is a good start for that standard. And we'd like to see that lifted out into a data protocol, independent data standard of its own. We're gonna release that paper next week and we're gonna be doing some PR and consultation around the back of that. So that's the how, how we're going to do this.

As you can see, this is a big challenge to who's gonna tackle this. Well we've already got a set of not-for-profits collaborating under what we call game. And we were talking more about GAIN tomorrow, the Global Assured Identity Network. It was launched at EIC just over two years ago now. So far six organizations have come together to join Gain Open id open Ex Open Identity Exchange and Open ID Foundation of both running active working groups on different elements of it. We're on the rules, they're more on the the technical area, the tools. We invite other not-for-profits to join us.

We'd love trust over IP to join us for instance. We've been talking with with them about that over, over the last year or so to come and join and collaborate to solve this problem, this puzzle together. And we're delighted to see the format, the formation of the Open Wallet Foundation. We became a a, a founding member of that as an associate member. And that fills in another piece of the puzzle.

The code, the open source code that these smart wallets can be built from. But it's not gonna build. The smart wallet is not gonna define the policy within which they work. No one organization alone is solving this problem unless they're solving it for themselves. And that's the tech giants. They're solving this problem for themselves and they're capable of doing it. This looks like the Olympic wing rings. Who's gonna win the race? Do we want the tech giants to win that race? As we look around the world, different parties are solving parts of this problem.

Governments are issuing IDs, governments are thinking of issuing wallets. The EU is doing a UD wallet. Banks are already providing identity services in several parts of the world. In other parts of the world it's telcos. We have a whole host of independence disruptors who are a lot of whom are my members, a lot of whom are here trying to find their way to make our vision here, this smart, this open digital id a reality. But all of these will take apart and a place in the ecosystem. So we have to work with all of them to make this happen.

Quick thought on governments though, we don't think governments are the best place to issue wallets. The wallet in my pocket today doesn't come from a government. There's stuff in it that comes from my government. Government should stick to issuing credentials into wallets they trust. They should write the trust frameworks, certify wallets to that and only allow wallets that are certified to carry their credentials. That should be government's place in this puzzle. So we need to work together.

We, the identity community, you in this room along with all those other parties, need to work together to solve this puzzle, to create this vision where our wallets can work all over the world and we can only do this together if we don't work together and we leave those who can solve it alone to do it. We will get a few dominant companies controlling these rails and to, that's presentation yesterday. We'll get this hyper decentralization issue.

So finally the when, so I know this is my title, but I only have one slide on it because I don't quite know when yet because we're only just working out the how and we're still doing that together and we must do that together. So we've got to collaborate On the how to determine the, when we have to have something standardized for this to work properly. If we don't, we're going to be unable to enable policy adaptation and policy alignment. So we're gonna be calling for new standards, consolidated standards to address some of those gaps.

And then when we've got that, we can use the open Policy Rules exchange framework for which we need a snappier name cuz that's a bit too long to enable the communication sharing of policy. You cannot have a trusted wallet without a framework. The wallet provider must be trusted. It must be subject to the framework. That's our view. We are going to start showing how a smart wallet can move using the opre from framework to framework later in this year. So once we've gone through this first stage and we've proved the hypothesis, we want to show how it will work in a demo capacity.

That's just a demo. We need to line all the ducks up to make this happen for reality. We're trying to solve this global puzzle together. Gain is a collaboration, an MOU based collaboration of organizations that's trying to do that. Please come and join that and get involved. If you're interested in specifically in what we are doing, not the other technical or elements, then please come and join O Ax and get involved. It'd be great to have you to help our thinking to, to drive this forward and to enable my wallet, your wallet to work all over the world. Thank you. Thank you Nick. Thank you.

This is a massive effort and it seems like, yeah, you're, when you're away and knowing what you want and how to do it. So it's very promising and yeah, it would be sort of world peace in identity country. Let's say we have a few questions and the first one is, how do we ensure that everyone will be able to receive at least one of these golden credentials, buzzword paperless people, and how do we manage recovery in situations when one loses their credentials? So inclusion is paramount here. We need to make sure that everyone who wants a wallet can get one.

We also need to make sure there's, there are alternatives for those who don't have them. We, we need to plan for inclusion. We're a great supporter of what women and identity are doing around designing inclusion in. We're working with them on that code of conduct. So that's as part of this puzzle. It's got to be inclusive recovery. That's kind of a bit of a more technical question. My view is that wallets and devices or on devices will be short-lived. They will become more cloud-based. You don't need recovery when that happens. Okay? Yeah.

Another question is, apart from data standardization on formats, don't you also need semantics taxonomy? A sort of Yeah. Definition.

What, what do we mean with Yes, A wallet, yeah, semantics. We do. And that's what those 178 characteristics we've identified are there. That's semantic explanation of, okay, what, what are the six different ways that people do consent? How do we describe that? And how do we describe consent and what does it mean? How Yeah. And how do we boil that down into compact single sentence definitions? That's the, that's the challenge we're gonna get. We're trying to go through That's, that's one of the biggest challenge, or It's the biggest challenge for us. Yes.

And I expect we'll have 400 to 500 maybe of those by the time we finish the analysis and then we'll consolidate. We'll have less. And one of the big tests of whether this methodology on the general policy side will be successful is, is can we get the frameworks we're working with to agree on that? The other interesting bit is when you look at the differences between the statements, you can actually say, well that, that that policy approach and that policy approach essentially achieved the same thing. They do it slightly differently, but it's the same thing.

So when I'm thinking about accepting a another policy in my domain, can I accept another policy characteristic? It may not be the one I chose originally, but hey, these aren't gonna be all of my transactions. They're only gonna be part of them. I can accept the risk. So I think there's a big question around that as well. Wow. Yeah.

Well, one more applause and thank you Nick. Thank you.