Event Recording

Joni Brennan and Allan Foster

Log in and watch the full video!

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
So it's great to see all of you here today. We're, you know, thrilled to be a part of this track of this conversation today. The talk originally was gonna focus on verifiable credentials in the workplace in India. We're gonna take the map a bit north to Canada and north America context and stay within that space around verifiable credentials. So I appreciate the lovely introduction from our friend DAU I'm Jon Brennan, I'm the president of the digital ID and authentication council of Canada. What we are is a nonprofit association that has two primary functions. We help to we're an adoption accelerator. So we help to reduce uncertainty around adoption for digital identities. So that means creating white papers and proofs of concept, performing market research, anything to help reduce uncertainty toward adoption. The second thing that we do is we have operated we've developed and operated a Pan-Canadian trust framework.
So I think we'll talk a little bit more about what that trust framework is and, and what it means in context, in, in the real world. And as the real and digital world become one, we're about 120 member organization. We have we're neither government nor public, nor private sector. We represent the interest of both government and private sector. So we've got federal government provincial governments, municipalities, as well as nearly every major bank and credit union and telecommunications providers, payment networks, consultants, all within our, within our tent and our family. When people ask, I sometimes have organizations ask, well, we're not in Canada. Are we able to join and, and be a part of your organization? And we say, absolutely, yes, we have many multinational corporations. And the reason I'm so enthusiastic about non-Canadian entities participating is in fact, our mission is to unlock Canada's full and beneficial participation in the global digital economy. And we cannot do that working alone in Canada. So we need to be working with others from around the world, from the very start and be global first and global by design, because that's what will help Canada to move forward. So that's a little bit of kind of context setting about us. If you don't know who we are, how about you, Alan?
Well, how about me? So yeah, so I'm Alan and the way that I'm connected with the DIAC obviously I was with, for truck and several years back Joni and I in different lives were involved in the Canara initiative. And when she went over to the DIAC, we were talking with her and being one of those non-Canadian companies, we actually got involved with the DIAC. I was on the board on the DIAC for four years, something like that, specifically to bring in the international focus into what was happening within the DIAC. The reason for that is that in the work that I was doing with, for truck, I was working with government citizen identity projects, whether it would be in Norway or in Singapore, some stuff down in New Zealand, various places around the world. The thing that actually really caught my attention of working with the DIAC and Joni mentioned it, and I think it's really important to look at.
She said, we're not a government and not a private sector. I would actually disagree and say, we are both a government and private sector. It is a cross-functional group. And that's sort of unique the, the most of the places where you have a look at government identity, it's done by government and the, the premise that we've gone into it in the DIAC is that of how does government and the private sector remembering that in Canada government is more than just government, because there is both federal as well as provincial government and I suppose, city government as well when we get down into it. So you've got several layers of government and then you've got multinational corporations and local corporations. How do we get all of these to work together in true digital identity? And that was when sort of the result of that effort was the Pan-Canadian trust framework.
How do we all agree? Both private sector and public sector as to what an identity is, how do we prove it? How do we get it? And all of the things associated with that, so that you can have these credentials that can be used across the entire ecosystem. And, and sort of the reason I got involved was how you sort of how unique that was. It was, it was really a different approach, which is being carried out right, as places like New Zealand and Australia and things have actually come back to have a look at what's happening in Canada and how that actual partnership can really work.
Yeah, it, it, it has. That's a great point on, we have seen that model start to be replicated that public private model in New Zealand in particularly in, in, in Australia as well, I would say as well, something that's important from our perspective as well is that we are technology neutral. We are technology agnostic as an organization. We are not, our agenda is not to drive a specific technology forward. Our agenda is to move digital identity forward. And so what that means is we have a neutral voice, a trusted voice, kind of a lighthouse on the hill to, to share our perspectives, our informed perspectives about which technologies are those that Canadian entities should be paying attention to are paying attention to how are those technologies working together? Where are they not working together? And, and what do we need to call to action on in terms of how do we make this ecosystem move forward? And so this Pan-Canadian trust framework as a tool becomes a very important tool. When you have an ecosystem that has verifiable credentials, we know that there are more than one data models, more than one formats on verifiable credentials in the ecosystem, digital wallets, there are, there's not necessarily a single digital wallet standard or technology. Yet.
We also know that we continue to have the, the, the, the heroes and trusted standards that are in the space, the open ID connect SAML. Now the, the, the, the CYOP work that we, that we heard about today. And so tho those will not go away. Those will stay within the ecosystem. And so we're really keen on, and, and, and our framework is, is, has this neutrality because it needs to provide value, whether we're looking at the, the SYOP work or the W3C verifiable credentials, the emerging wallets, and also the traditional payment networks, the trusted operator networks that are out there and exists. And so the P CTF becomes a tool for us to measure assurance across all of these different technologies across these different solutions to know, can I trust them to the same degree, whether they're built on the same technology or different technology, and therefore, can that help me to know if I can perhaps move data from one between one system and another, and have a credential be portable in one system or another, how much can I trust that? So this is really a, a tool for trust, especially to bridge right now, when we have so many technologies and standards that are making such a huge contribution into the space. So I think that's, that's where we're so excited to provide value with the framework that we've launched and the certification that we, where we've launched to our members now will be soon opening to the public. And, and we can talk a little bit, get into kind of the what's happening in the verifiable credential space in our ecosystem.
Sure. I mean, one of the things I'd like to point out is one of the proofs of concepts that we did, because I think it really nails how the public private aspect of it really works. And the, the one that I'm thinking of is in, in a particular health provider, they need, which is a government service, right. They're providing a health service and they needed to get some kind of assertion that the person that was applying for benefits had been resident within the state for the last six months or 180 days. And that's an interesting problem for, for the government to actually require and part of this, because the trust framework was in there and you had this joint trust framework between government and the private sector, you could actually go to, for example, the utility companies or the phone company, or even the banks, and simply say, has this person used their ATM card?
You know, at least every 30 days in the last six months, they could respond back to the government and simply say yes or cannot confirm. So it's privacy enhancing, but it also enables the private sector to give assertions that the government can then use to make decisions about delivery of service. Right? And that's a, a really interesting use case of, of public sector utilizing a trust framework within the private sector to get these, whatever these assertions might be. And, and, you know, that proof of concept actually was a really interesting one to actually have a look at.
And I think you, you, you start to get into it's, it's looking at the space more as a information ecosystem, an attribute based ecosystem with different levels of assurance on those attributes and credentials being methodologies on those ecosystems, with the use case that you shared. And one of the things that we're, that we're advocating for and educating around and pushing forward within the DIAC, we think everything needs to be built around the person, whether that person is in the context of a citizen or whether that person is in the context of doing their banking, doing their healthcare. And so part of it is our job it's within our job to help ensure that yes, it's an important problem to solve that governments may have 47 places to log into with your federal government. This is a problem. This is a problem that, that needs to be solved for governments in terms of making things easier for the citizen and the resident and service delivery.
That's a small piece of what we're looking at. And so we are advocating for the person to be at the center and to build this ecosystem around personal data control. And so exactly what you shared, the ability for a person in Canada to take data that is issued by a pro federal government provincial government, and to be able to choose the data model that they export that data in, it may be one type of verifiable credential. It may be another type of verifiable credential, and to be able to use that data in a secure wallet of their choosing, we'll talk about how we verify that, and then to be able to share that credential with their, with their bank or with their other participant, and the same happens on the other end with the bank that you mentioned. Now, some of the challenges is when we, when we look in the public sector context, rightfully so public sector kind of sees the public sector problems and they try to solve those and they could be citizen problems.
They could also be government problems. So, so again, keeping that focus onto people where things are going, and our push for people is that we do have extreme participation of our financial sector. This is a great benefit we have in Canada. This is in many countries, the, the financial know your customer, any money laundering. This is all federally regulated in Canada from a identity attribute perspective. If you're born in Canada, this is across a Federation. So these are so individual sovereign governments that work together. And in fact, the federal government does not know that you exist until the province or the territory tells the federal government that you exist. Unless you're you've immigrated. We do have a strong participation from our payment network, that payment network has interact. So they have a very trusted operator, strong front door, and they are now offering the, what is the verify me service.
And so this is a kind of a hybrid approach ecosystem that has elements of SSI in a permission to ecosystem and enables data sharing at the direction of the subject between parties who have been verified to be in this network. This is a network that's live, and it's in production. I think it's been in production for at least a year with customers and it's, and it's growing. And, and I think we heard it mentioned in some other talks today, and we're looking at how can that network, how can there be, how can bridges be built, where it makes sense between one network, like the one that we have in Canada and other networks that are in this space, what we see emerging as well are what I would call cohorts of collaborators. And so we see our provinces have determined to move forward or something. We didn't talk about more into the open source space of verifiable credentials. And so British Columbia, Ontario, Quebec have been move moving forward with implementing along the Hyperledger indie areas, stack and developing wallets into that space. Our federal government is more keen to implement the w three C version of the verifiable credentials, both in the context of people, but also in the context of legal identifiers for organizations. So we've got pockets of collaboration. We've got existing networks that are in the marketplace, we've got pockets of collaboration around the provinces, and then we've got pockets of collaboration within the federal government. So what are we keen on in the DIAC? Well, these are, could be arguably silos of collaboration as well. And so we haven't even mentioned mobile driver's license yet,
So much more to go.
So I think it's all about building bridges and tools like the pan Canadian trust framework, help us to measure that assurance of can the, can the government trust this wallet to put that credential into it. And so part of what we're doing is helping to provide a check mark against the wallet. So government can feel more safe, can this credential and the information that's within it, be trusted at a higher level, putting the check mark on that as well, regardless of which technology they're using,
Which, which I think is one of the points that I want to highlight on it. And that is, it's not a solution, it's a framework. And so it's not actually saying you have to use this piece of technology, or you have to use that piece of technology. Any technology can get involved in the network, as long as you meet the framework and you tie into the framework, anybody can, again, as Jon says, assuming the trust levels and the assurance levels, anybody can participate without being told, in order to participate, you have to buy this piece of software, or you have to run this particular protocol. It's really a trust, a trust network that everybody can work together and trust each other, regardless of those underlying technology pieces.
Yeah. I think if there is one ring to rule them all, it's making sure that the policy is there for access to information and that the control of the data is in the subject's hands, that they have the right education to know what to do with that. What the accountability framework is around it. Ultimately, we will not have a singular network within Canada. We will have different networks that are purpose built, a small number, different wallets, different credentials, using different technologies. And so bridging between these silos for those contexts is what will, is how we will move forward together as a vibrant ecosystem. I don't know how much time we have. I
Think we we're about two minutes to go.
If anyone has questions,
I was just gonna emphasize that interoperable. And the bridges is really the two sides of the same coin.
Get a mic to you on the way
Your gram. You need a mic for, for the watching. Yeah.
For the,
You go,
Thanks, Ron. We heard one of the workshops about the OI DC. Well, the foundation working on game, the, how do you see this trust network working in collaboration with gain?
Yeah, well, I think this is exactly it. The, the verify mean network was massively inspired by the bank ID. I mean, that's, this is a very, this is a very part of, this is why we focus on financial use cases as well. Financial know your customer, any money laundering is well known around the world. So the there's already quite a bit of a DNA in our network from the bank ID ecosystem. So I think gain is another one of those tools and methodologies, just like the pan Canadian trust framework around building bridges between ecosystems that exist. And so I think this is a great opportunity for those ecosystems that are operating and those that will come forward. If they're all leveraging international financial action task force, know your customer, any money laundering, then what we really need in this ecosystem is our bridge builders. Maybe not I, and I was in the session this morning on gain, you know, where we said, we're not creating a new org. I think that's great. I don't know if we need any more organizations. We need more bridges you're here. We need more bridges. And so I think gain is an example of bridge building. I think the pan Canadian trust framework is an example of bridge building. And so I think we'll just see more of that as we go forward in this ecosystem. Yeah.
Are there any other questions for the audience or from the audience? Maybe one, just one. Yeah. Self-interest
All, those are the best kinds of questions.
What advice would you have for a new state or a new government, which is now entering this electronic identification and trust ecosystem area, which does not have a solution yet, but is trying to build one,
Put your, put your person at the center of what you do. And that will mean not only how do they access your services, how do you deliver services to them, but challenge yourself to think that part of what your service delivery is, is making that data that you issue and verify and hold available for them to use in different ecosystems as they would choose, including your own. So put the person at the center.
Yeah, I, I would add to that and that is, is that no disrespect meant, but as a government, you are not special. You are part of an ecosystem. And so work with the private sector. Yeah. Work with the others in
Your, not an afterthought. Yeah. Not an afterthought. Yeah.
Cool. Thanks so much, Eric.
One question. Have you been influencing legislation for example, through expert advice?
So you must be clairvoyant. We are in the process of developing a concise and direct another tool to advise governments on some of the key policy adjustments that may need to be made to enable this data ecosystem. I think we'll talk a, a little bit more about this in our workshop tomorrow. For example, we have strong and evolving privacy and personal data protection legislation and regulation within Canada. If you go through that legislation and regulation, it's actually silent on the government's responsibility on what the Canadian should expect about data that the federal government collects issues holds. So I think one of the biggest changes that we could see is that federal government could clarify and stand behind that access to information by citizens and residents. What that means what the accountability is. If they make the citizens and residents make the decision for that data, it is their decision to make here's how they're protected. And by setting that pattern at the federal level, that's something that the provinces can then choose to lift and then deploy. And I think that would be a very impactful way forward. So we're working on some recommendations for that. I think you'll see that from us in the fall.
Thank you. Great answer. And, and adding to that, I'm just gonna throw in my two PE the 2 cents on it. Why wouldn't, you know, of course being a public private partnership, we have the government entities involved in the monthly board calls and those discussions. And so a lot of those things that will require the expert advice and, and those kinds of things are actually discussed on the board. And so those government entities can, you can, whether it's having influence or whether they can be, make better decisions by having sort of a bigger scope to it, it really helps being part of a joint partnership rather than doing it by itself. Yeah.
Fantastic. Then a round of applause. Thank you very much.

Stay Connected

KuppingerCole on social media

Related Videos

Event Recording

Cyber Hygiene Is the Backbone of an IAM Strategy

When speaking about cybersecurity, Hollywood has made us think of hooded figures in a dark alley and real-time cyber defense while typing at the speed of light. However, proper cyber security means, above all, good, clean and clear security practices that happen before-hand and all day,…

Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of…

Event Recording

Effects of Malware Hunting in Cloud Environments

Webinar Recording

Advanced Authorization in a Web 3.0 World

Business and just about every other kind of interaction is moving online, with billions of people, connected devices, machines, and bots sharing data via the internet. Consequently, managing who and what has access to what in what context, is extremely challenging. Business success depends…

Webinar Recording

A Winning Strategy for Consumer Identity & Access Management

Success in digital business depends largely on meeting customers’ ever-increasing expectations of convenience and security at every touchpoint. Finding the best strategy to achieve the optimal balance between security and convenience without compromising on either is crucial, but can…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00