Event Recording

Interoperability Between Global Identity Networks

Morning everybody, morning. And first, thanks to KuppingerCole for allowing us to, to come and present to you this morning. So it's brilliant to see so many of you here this morning to, to hear myself, Nick Mothershaw, I'm the chief identity strategist at the Open Identity Exchange. And with me is Gail Hodges, the chief executive at the OpenID Foundation. And we're gonna talk to you today about a thing called GAIN, the Global Assured Identity Network. And the good news is we're not here to try and sell you anything today. We don't have a solution yet. We're here to ask for your expert help. We need your input. We need your input to solve an intractable problem. I'll come onto what that intractable problem is later in, more detail later, but it's really about trust and interoperability across the globe, across the internet.
So that's what we're looking to explore. And this is a call to arms. It's a call to ask you to help in a battle. It's a battle that helps good people go about their business and a battle that will help us push the miscreants out of the internet and out of our transactional lives. And we're gonna ask you what you think about this concept. We're gonna want a show of hands. It's a literal call to arms. We're gonna want to see your arms in the air. So I'm gonna test that now. Let's, let's wake you up a bit. So let's, let's have your right hand in the air. Everybody. Please. Let's get your, get your hand up, go on, those of you on the phones. Get off your phones. Okay? Your laptops. Let's get your hand in the air. We gotcha. Let's can see you now. Okay. So remember that, we're gonna be asking you to put your hand up a little bit later and what the reason I'm gonna do that is because we want to know if we've got the clicker there. That's
Clicker forward one. There you go.
We wanna know what kind of person you are and what you think about what we're talking about. So when you're faced with an intractable problem, like the one we're talking about here, what do you do? Do you try and solve it? Do you try to bide your time? Watch it, hope someone else will solve it, or do you avoid it? Do you stick your head in the sand? And we want to know your view on this problem, this challenge that we've got around interoperability and whether you want to solve it. And whether there's, whether you want to bide your time and see what happens or whether this is something for now, perhaps you think needs to be avoided. And Gail will, we're
Not biasing the vote at all with our ostrich here, are we? Yeah, no bias.
The problem we've got is that the internet was originally, it was originally trusted. So it was originally used by the military, by academics, in a closed ecosystem. And then it was opened up and trust was lost. And that was great for that at that point in time, because it was all about content and about sharing. But then as the internet evolved, we needed trust again. The internet became a very vital and important part of our lives, why we used it for watching funny videos of cats. But beyond that, we used it for watching, not for watching, for doing business, for trade, for commerce. And it's at this point, we need trust. So if we're going to deal with businesses and we're going to deal with governments, we need trust built into the ecosystem. We need to bring that back into the ecosystem. And the, the, the lack of this trust at the moment causes a lot of harm globally.
The internet is weaponized for crime, for organized crime to fund terrorism. Financial crime is 5%, 2 trillion in the US alone in terms of the cost of financial crime. And within that there's misinformation. So fraudsters, miscreants can use the internet to create misinformation, to spread lies, to lead people in the wrong direction. And for then individuals, that means there's a lack of trust and a lack of control. There's pervasive tracking of what's going on. People's identities are stolen and imagine in a world where we're moving to digital identity, what happens if not just one account is stolen with one organization and that's a pain for us to deal with today. Imagine what happens if our whole identity, our whole digital wallet, access to all our cryptocurrencies, our money is all stolen in one go. That would be an absolute disaster. So we've got to make sure that as we create digital identity ecosystems, they are robustly defended from fraud.
Different topic talked about that last a a, I C might talk about it again, but as we build these islands of trust, then we are able to defend against fraud and remove them from the internet. So we have this shared vision. There are already islands of trust that are emerging in the internet, trust frameworks, around the world in different places where people can trust who they're dealing with and organizations who are dealing with people can trust that they are genuine individuals and the miscreants, the people in the stripy jumpers and the, and the, and the masks, which I'm not sure why we can't spot them. Cause they're wearing stripy jumpers and masks, but they are then removed from the ecosystem. That's great. And that's one of the missions of OIDF and OIX that we've been working on for many years. What we're now moving on is making them interoperate.
How do we get trusted interoperability across these ecosystems? Not just the ones now, but the emerging ones based on SSI, distributed networks, distributed identity. How do we make sure these are all interoperable across the globe? So we can use our identities wherever we go. And the GAIN initiative is all about that global assured identity network. And it was born last summer. A paper was launched at this conference back in September, created by 150 individual authors, no logo, pro bono, open source, to look at how we'd build such a network, a conceptual network that enables global interoperability built on open standards, not new standards, leveraging standards that are already there. And how do we connect them into a network that works technology agnostic, supportive of SSI and distributed identity. And it needs to work at internet scale. And this is what GAIN's about. And it's the journey. It's the journey. We're just starting at this point. I hand over to Gail to talk about where we are on the journey and
How we're getting on. Thanks. Thanks very much, Nick. You know, we're, we're, we're missing our capes today, but we're feeling a little bit like superheroes, but we're not the only ones. It's kind of like one of those videos where everyone is a superhero and has superpowers. We're looking for more superpower people because we're trying to actually build this network of networks, right. Try and do something truly extraordinary. But how do you do that in practice? Right? You have to prove it is technically viable to have networks of networks. You have to prove that the governance is viable between different countries all around the world. And you need to prove there is actual goodwill. That's why we're asking you to vote. Later on today, we're trying to get a read of the amount of goodwill there is in the community to do this because all the technology in the world and all of the policy in the world, we all know doesn't actually get stuff done.
It's about the good intention to start with and everyone realizing what it means to them and to make sure it is the right thing for people and the right thing for our society. So have we been busy in the last six months since September of last year? We've been incredibly busy. We have been listening first and foremost to the community using forums like the FIDO plenary in Seattle, the OIX workshop in London hosted by Nick, the OIDF virtual workshop online and available to everybody around the world. And OIX, OIDF workshops at the IIW a couple of weeks ago in San Francisco. And then of course here again at EIC on Monday. So we are really trying to actively engage with the community and hear what you think is needed to really make GAIN a reality.
As you also heard Nick, Nick mention a little bit earlier, we've actively been working on standards to support this because standards are so vital to achieving the interoperability we need. And one of the most critical standards to that is a newer standard. It's only a couple of years old, called OpenID Connect for Identity Assurance. And I'll talk a little bit more about that in a minute, how it acts as the connective tissue between the networks. We're also seeking to be technology agnostic. Also something that Nick said, we, we wanna make friends with the different standards bodies. We're actively engaged. We already have some friends that are part of our community, but we're, we're looking for more. So we see how the OpenID, OpenID Connect standard for verifiable credentials can act as a bridge between different types of standards. We're also actively engaged as the OpenID Foundation in a liaison with the ISO 18013-5.
What many of you know is the mobile driving license standard, which is actively being deployed around the world since it was formal, formally announced last September, and other other standards as well. So another critical one is entities, how you link entity identifiers to people, identities, and the GLEIF standard for legal entity identifiers is a fantastic option to bring in that entity identification. In terms of proof of concept and governance, we, we mentioned we needed that technical interoperability. We started from an alpha POC. You have a bunch of good intentioned people sitting around and trying to test their, their implementations against each other, but we wanted that to be more formalized. We wanted to make sure that there was a legal, safe space for you to test your implementations with each other. And of course, that's very important. We all know that this can be a litigious world, and it's important to have those safe spaces, not just to talk, but also to actually test those implementations.
So we formed a community group, which is hosted by the OpenID Foundation, but it is ultimately self-directed with a few guardrails, so they can truly, you know, do what they need to do to test out the implementations. Also at the Open Identity Exchange are the interoperability working group and the interoperability framework group that are seeking to kind of create what's real on the governance side. And Nick will talk more about that in a moment. And last but not least is seeing some of these major non-profits voting with their feet to join in with an MOU. This is a non-binding MOU, but it is a way of defining the swim lanes between the first five nonprofits that are part of this initiative. And that's important, right? Many of you again, have been in this community for a long time. There are lots of great nonprofit efforts that are happening, but it's kind of loosely aligned.
We need to make that much more mature, be much more grown up in order to solve the kind of problems that we're talking about. So who are those five entities, the first five participants in the GAIN MOU, and in this supporting this effort, really it's in a supporting function, not a governance oversight, puppeteering role, is the Open Identity Exchange represented by Nick here on the stage, who is leading on the rules, governance and digital trust frameworks. There's also the Institute of International Finance. Yes, that IIF that has 500 leading banks around the world and gets involved in financial crises. They're also leading into this initiative and advocating for it within their banking community. There's also the Cloud Signature Consortium. That is a global thought leader on standards for electronic signatures. The aforementioned GLEIF, the Global Legal Entity Identifier Foundation, which has some of the leading standards for LEIs, that legal entity identifier, and a Trust over IP-based standard of vLEI, vLEIs. And then last but not least the OpenID Foundation, many of whom are here in attendance today, are leading on many of the core identity standards and hosting that POC community group. So hopefully Nick, next time that we're, we're on this stage, or we talk at Identiverse in a couple of weeks, we're gonna have much more pretty peacock feathers from some of our friends who are other nonprofits that we expect to join us soon.
So how do you actually create that connective tissue to enable networks of networks? So for the geeks in the room, I think this will probably not be deep enough for you. So we encourage you to join the working sessions this afternoon, but this is a, a very high level view. So the first step is the individual needs to give their consent to release that trusted identity. Now, we have a nice big box on the stage, which could be a bank, but that could also be a government-issued credential held on the device. That could be an application running just on the user's device. That's solely in the control of that individual. It could be a mobile network, it could be a digital platform. It could be a payment network solution. It could be many different things. That's the initiation, but the individual trusts that counterparty, that identity provider to help enable this service.
The second is that you need to generate that signed claims object. And this is not a very complicated standard. It's the, you know, what is the biometric information you might need for a given use case? And what is the policy that was followed? Again, a lot of you are fluent with your GPG 45s, your NIST 800-63-3s and other other standards around the world. So trust frameworks around the world, what was that level of assurance that was developed in one country? And how can another country know if they can trust that assurance when it was issued? How many different standards, trust frameworks are you looking at mapping in your exercise? 15 at the moment. 15. Yeah. 15 trust frameworks. So we had a hard time choosing, right? Yeah. Who should even be the first 15 you do that desperate research on. So you gotta generate that signed claims object and what's in it clearly has to have some, some material value to, to the relying party that's gonna consume it.
And then you need to send it through some secure interoperable rails. So how might you send that? Well, again, a lot of you are familiar already with OpenID Connect because there are millions of applications using OpenID Connect. And it's not as again, as many of you know, it's not just for social logins anymore, right? This is an application, OpenID Connect used for sharing of medical records in the UK and in the US. It's used for a wide range of enterprise applications. And it's not just about social logins and a few companies. And let's say, what is it, Login with Google, Login with Apple and things like that. So another option is verifiable credentials. And a third option I just about missed was Financial-grade API. So open banking and open data is leading on the standard of, of the Financial-grade API, which gives a higher level of security assurance.
So in terms of the POC, we've proven out the technical viability and helping the community prove that this is truly technically viable. We've built, we've established four, four of the first identity providers have demonstrated that it's interoperable and therefore we've already demonstrated it can work for network of networks. Those four entities are in four different countries. And so we've proven interoperability across borders. And they're also different architectures with SSI, centralized and decentralized models for those different parties that we're testing. That's the first four of what we think could be thousands of identity providers that are participating, and there's much more to come, but this is a year long POC. So over to you, Nick,
Thank you. So in the Open Identity Exchange, we've got a global interoperability working group and we've taken the 30 or so different elements of the OIX trust frameworks, which we've published in our guide on our website and whittled those down to seven vital ones so far, which may form a new global interoperability framework. So that's what we're talking about at the moment. And it's very much a framework for how one framework interoperates with another. And it's got key things in like principles or the principles across the frameworks, aligned data standards. If everyone's working to the same data standards, interoperability will be much easier to achieve or have to translate. How do we trust people in the ecosystem? What roles they're playing, IDPs, relying parties, importantly, the legal and liability elements of this. So who's gonna be liable if something goes wrong, is that different across frameworks?
What about data protection? If I'm releasing information from one framework into another framework environment, is it safe? Is it handled correctly by the laws of the first framework? So several lots of key areas here we're looking at and governance is something we're considering as well. How is this governed? It must be distributed. It must not be a hub and spoke central solution. We probably need some overarching governance around standards and policies, but no central governance body. And ideally no new standards, as I said earlier. And to assess this further, we've already realized we need to talk to frameworks. We've already started dialogue with a couple of frameworks. We've started an assessment, an open assessment of 15 frameworks. We've realized quickly that the level of transparency, which is a key principle in frameworks, is quite different. We can only see bits of frameworks. We need to work with them.
So my invitation to you today, if you are a framework, is to come and talk to us and join what we're doing here, because it's vital we have you as part of what we're doing and that's government-led frameworks and private sector led frameworks. Most are government led, but there are many private sector ones as well. And one of the key things we're looking at is that what is the currency of identity? So levels of assurance, most frameworks have a concept of a level of assurance. It's the same concept, but it's different things in different frameworks, then have three that may have five. They're not easily translatable. Can we work at that level from an interoperability point of view, or do we need to drop down a level? So the proofs, the credentials that are behind those levels of assurance, and recalculate the levels of assurance in the new framework.
And if so, then maybe some kind of agent role involved there and what the, the, the level of trust in a bank credential is absolutely vital in that area. So how much credence can we, because banks operate reasonably consistently. How can we leverage that, that across the different ecosystem, but this isn't all about finance. The original paper was a bit finance biased. We know that this is about all sectors, all kinds of trust frameworks. And it's, they're here for everyone, identity providers from any kind of trust framework, government, private sector, independent, and we need relying parties. This is, we need to know with people who are gonna consume their identity from any sector. So please, you know, call to action, come and talk to us, come and join what we're talking about and Gail will now see what you think about all of this.
So who is it for? I hope we've convinced you that if you're a trust framework or if you are an IDP, or if you're a relying party that this is for you, but it's also for you as a human being, right? It's for your family, for your neighbors, your government, right? This is a problem that we collectively need to solve on a very kind of personal level. It also gets a lot bigger than this and you, some of you are fluent, but it, it can blow your mind that this is also for the admin privileges of your operation. It can be for the, how the person interacts, interacts with an IOT device. It could be your metaverse avatar, right? How does the metaverse get any better with the level of problems that we have today in, in the internet? It is not yet for your cat and your dog, but Nick tells me that apparently there is doggy biometrics coming.
So, you know, watch this space. So we're back to our vote, our call to arms. So we have, yes, you, you're one of the early adopters already. You've already signed on, or Nick and I have convinced you today and we, wait, you don't have to raise your arms just yet, but you will be asked to vote. So yes, you're in that early adopter. We've convinced you, this is a meaningful mission. And at a minimum, it's worth the goodwill to lean in and try and make it a success. Or you're a, you're a maybe. You're very pragmatic. You're trying to understand when would there be something in production I can actually test with? How much will that actually cost me? How much might I make out of offering a service like this? Very pragmatic questions, which we have too. We value you coming and helping us solve, ask those questions and answer those questions together in our safe spaces.
And last is our, our ostrich, right? This isn't my problem. Somebody else is gonna fix it. You know, the government, or, you know, big actors or Nick is trying to control the world. Right. You're in that kind of naysayer ostrich session. So, not that we've biased you, love to hear your vote. So first, yes, you're early adopters, you're already in, right? Thank you. I see a lot of friendly faces and, and some new faces around the world. So thank you. You know, it's, it's just the first step then. Maybe you're, you're wondering, you're not quite sure, you're on the fence. You're willing to hear more. Okay. Very good. And those of you who are not scared to be an ostrich, we have any ostriches out there? Not quite ready to be there. So thank you very much. It's good to hear where you are. We welcome you in the sessions later today.
