Panel | The Stack, the Stack, the Stack: How Trust over IP is Enabling Internet-Scale Digital Trust

All session looks at how trust over IP is enabling internet scale, digital trust. And this session will be led by the director of strategic engagement at the trust over IP foundation, Judis, FL. Good morning everybody. How's your conference going so far? Great.

Okay, great. So I wanna just let you know that the trust over IP foundation is a community foundation, a part of the Linux foundation in the JDF, which is the joint development project foundation with a group of projects that are all about standards. So we're in the standards body. Within the Linux foundation, we started in 2020 just before COVID with 20 founding members. We now have 400 corporate and individual members. So let me talk about our mission. Our mission is really simple. It's to create a robust, common standard and a complete architecture for internet scale, digital trust.

Like I said, it's a simple mission, but it's not easy. And because it's not easy, that's why we need to do it in a collaborative community with people like you. So our community creates standards, creates guides, creates white papers for government organizations that are trying to establish trust frameworks at internet scale. And today I am joined by four of our steering committee members and we have others in the audience here. We have Scott Perry from the, from Shellman.

We have also Mike VCs from Idra, but the four that are gonna speaking to you today are Lare Cora, who is the CIO at a status? He, he has been an information. Security has been his passion for since the millennium, but since 2015, you've pretty much been focusing on self sovereign identity, right? And other various active roles and communities trust over IP and others. So thank you for joining us next to him. We have B Robinson Morgan. He is the vice president of digital identity for MasterCard. He's a business architect of decentralized global interoperable, digital identity networks.

And next to him, we have Christine Leon managing director of Accenture. She leads the global decentralized identity and biometrics and last, but certainly not least. We have drum and Reed. He is the director of trust services at Avast. He is also the co-editor of the w three C decentralized identity version 1.0 specification and co-author of the 2021 Manning publication. That is the definitive book on self-sovereign identity. So if you would like to learn about soft sovereign identity, get the book by that name. So I'd like to start with our first question to you.

Drumin so within the session brief, it stated that we were gonna talk about the trust over IP stack. Can you give us the elevator pitch on what the stack is and why it is core to achieving our mission? Absolutely. Is this on, can you hear me okay.

Okay, good. You see a picture of the stack here behind you, and we'll be talking about it throughout this session, but the name trust over IP actually came from John Jordan, who is the executive director of digital trust services for the government of BC in Canada. And also actually became the executive director of the trust of IP foundation because it, it was, it was his vision that we are implementing. He called it trust of IP to very, very specifically create an analogy with the T C P I P stack that gave us the internet.

We only achieved the interoperability of a global network of networks by agreeing and implementing a common stack that is what's run on every device that's connected to the internet today that gave us data networking at internet scale gave us the term internet scale, right? Unfortunately, the T C B I P stack did not build in security privacy. A number of the things that now are the problems we're here at this conference discussing.

So what, what John realized what happened. There were a number of us, you know, everyone here at this table and about another half dozen folks became the founding founders of trust OFP. When we realized that the stack that was emerging from SSI architecture, self-sovereign identity became these four layers.

You could, you could very accurately describe it in these four layers. And the real aha though, was that it was a dual stack, the T C P I P stack does not involve governance. There is a limited form of governance that was necessary. That's now handled by ICAN. I for addressing, you know, very basic things to make it work on a global scale, but it didn't tackle trust and trust is not something that technology can deliver alone, right?

Business, legal, social trust. That's among people and organizations. That's why, what you see here is a dual stack. It is four layers of technology, but we said, ah, you need layers of governance at all four layers. So I actually, co-chair the governance stack working group. We have two working groups, one for each side, we have eight working groups total, but, but one for each side with Scott Perry from Shellman. So that's the fundamental rationale for the stack. And I think we'll go on and learn more about it.

So Andre, would you like to tackle, explaining the technical side of the stack and why it has four layers and why do we need that to enable interoperability? Yeah. Thank you for the question. I think I'll, I'll try to make it brief. Obviously you see, there is lots of puzzle pieces on the chart, but to, to make it make it fairly easy. So on the first layer, the layer one, we have the public utility layer, which means we have an anchor point for trust data items on the persistent layer.

So whatever that layer is, you, you have to have some cornerstones for your trust ecosystem that are available publicly. So we're not putting PII or anything on distributed lectures, but we obviously have to have some cornerstones like schema or DDS, which are persistently available for a longer period of time. This is covered by the layer one. The layer two is actually the communication layer between the different agents. So wallets is something that is very popular everywhere now. So the agent to agent communication happens on this layer too.

And we have the DICOM protocol to serve that adequately on layer three, we have actually the layer where the data flows. So we hand out credentials in the form of verified credentials to the holders, which are received by issuers and can be brought to verify. So we make data really flow. And obviously if we have a digital ecosystem, we need flow flowing data, which is happening on layer three and last or least layer four. Obviously we have industry specific topics to cover.

So the wording and technology items may slightly vary on a different technology stack or vertical stack for an industry solution. So on layer four, we bring it all together in an application ecosystem. And I think this ties all in neatly together, but obviously it requires protocols and functions be defined so that all this can work together neatly in a great user experience and also in a great developer experience.

And if we look at the landscape today, we know there is basically so much stuff going on already, and we have so many different functionalities protocols and sometimes even doc mass to cover all the same topics in that field. I think we need to overcome that and trust our piece dedicated to making the standardized and formalized. So obviously lots of attention is currently flowing on into the EU digital wallet topics.

You see a technology battle going on, and I think we definitely need something like trust O Y P to bring this to order or at least support that we are not talking about dozens of different technology stacks. And ultimately, as we have heard about zero trust before, it's absolutely inevitable that we get this right. Otherwise we will never really get zero trust operational in the field. Thank you.

Now, Christine, at Accenture, I am sure you work with a lot of different clients and different applications. Can you bring this to life for us with regards to what are some real life use cases where this is being utilized? Sure. I think is one of the, the cases we've been working on is with the world economic forum is the known traveler digital identity program.

And that's in conjunction with, and it started couple of years before the pandemic, as one of the world's first akin to what is the digital passport between the government of Netherlands government of Canada, the two national carriers, air Canada, KLM and capo airport Montreal and Toronto airports, and some of the technology providers to exactly use the layer four reference case, really to be able to bring it all together and is based on decentralized ID and also linking to other applications such as biometrics to have a completely seamless travel experience.

What most governments are looking at now in terms of touchless borders, of course, you know, the pandemic hits halfway through. But I think one of the key things that we have learned is that in a sort of real life example of what is a layer for ecosystem, the main things, weren't the technology.

We have leveraged all of the great work that the standards for these such as stressful IP and the community of all of the thinking that the experts like German have brought together into the field in terms of interoperability, in terms of the thinking, the contribution that the rest of the community have brought together to then apply it to say, right, we don't need to think about sort of, and debate a lot of what is already out there as the emerging standards.

But what is important is to think about in a actual real life application, the user experience, how to get people to adopt it, how do you actually not have to mess about with the, the wallet so much that, you know, you can't even get on the plane, even leave your home because it's too complicated, you know, think of some of the wallets out there currently in crypto, not the easiest things on earth. Imagine if you will have to travel with that travel being already very complicated by COVID thinking about things like legislation.

When we were doing setting up this known traveler digital identity, it was actually the biggest challenge was some of the IP laws, some working with government thinking who owns the IP, governments are not familiar with who owns the IP. Of course they own all the IP. They're the government. So arguing with two governments and, and whole ecosystem or public private is very hard. And I think lastly is also thinking through how do you set up a different ecosystem that is around the governance framework. And this is what trust over IP is really, really useful.

It's those learnings of unique governance. Every, every layer of the stack and governance is not an all encompassing word because governance at different levels mean different things, including the legislation parts and the changes in legislation in order to issue a digital credential in order to accept a digital credential and who is allowed to be a verifier. I think that bit is really, really important. And that's where trust over IP really helps in thinking through of that.

So, Bri, I see you have your, your logo there. It's two circles, Mike, right? MasterCard has the two circles. Absolutely. The trust over P has two sides. Can you talk to us about why the governance side and the, and our, we have our chair of our governs working group right here, Scott Perry and the technical side are necessary to get at digital scale. Absolutely.

So I, I think we've heard from drum and dinner's introduction and from Christina, really bringing it to life with a use case, the importance of, of that human governance. Because when we think about trust, trust really is a human construct. And what you need is the reliability. You need to know how things are going to work.

And it's, it's something that technology can't solve by itself. Technology is a huge part of it, but actually you need that human layer, the, the legal policy construct in order to really get the interoperable interoperability between it. And as you pointed out, Judith, I worked for MasterCard as well as doing digital identity. We have a small part of the business that does something called payments. And if you imagine your payment experience, you walk into a shop, you see the terminal, everyone recognizes the terminal. Do you care who makes that terminal?

No, because you know that when you get your card, which banks it from, what's it matter. I like people that I've got, so you've got the right card there. But when you, when you walk up, you've got that reliability, you've got the security and the integrity of the system. You've got the interoperability between the different terminal providers. You've got the interoperability between the participants there, that the merchants can accept cards from other networks. If people have cards from other networks, apparently some people do. And when you tap your card, the technology enables it to work.

But as we know, technology, doesn't always work, right? So we need to have those legal frameworks on top of that, we also need to have things like certification so that the terminal that I'm tapping has been certified, that it's not going to do bad things with my payment data at the next layer, you need the reliability that the merchants given you a product, and you've walked out the store with it, having tapped your card. They allow you to do that because they've got that reliability, that the money is going to end up in their bank account.

And at the top where that's really where the scheme comes in. So as a merchant, I don't need to trust bank X and bank Y and banks. Ed. I can just trust the scheme. I can trust MasterCard to operate that scheme. And as a consumer, if something goes wrong with the product that I thought, if I haven't got what I expected, I've walked out with a laptop that I was expecting to be able to get on the internet with. And it turns out that it's in several different pieces. I've got that dispute management through the scheme.

That means that the scheme will go to the participants and say, here's the contract that you've signed up to you. Haven't given the consumer the goods that they requested. So you have to give them the money back. And we have systems in place in order to do that. And that's what we are trying to replicate at trust over IP for digital trust, for trusting identities and attributes. And this is where the interoperability really comes into play because you will have different schemes.

So you've, goti a run by the government for the Europe European community, but then you've got N nest 863. How does that scheme work with the Ida scheme?

And again, from a consumer point of view, I've got my wallet. I want to put these credentials into my wallet. I don't care where they've come from. I shouldn't be restricted on how I can use them, where I can use them. I shouldn't have to go into one wallet and get one credential out and then go into the next wallet and get the next credential out. I just want to go into my wallet and pass those credentials over. So we really need to be able to have different networks operating to the common framework so that you do get that reliability within the interaction. Thank you.

So I see a lot of trust over IP members, actually in the room. So I know there's a lot of people here who are familiar with self sovereign identity. I just wanna show of hands. How many of you are familiar with the EU digital identity wallet? Okay. So a lot of people. So I'm gonna pose a question to our EU member here on the board, on Andre, from a status here in Germany. Can you tell me, or tell the audience here, how does the trust over IP stack fit in with this?

Well, the O the answer can only be, we obviously want to bring balance to the force. So actually you've heard me referencing that there's a technology battle going on. So let me give you a little bit of my personal insight on where we are at with you digital identity, and what's going on with all this topics around IDAs two O and the architecture reference framework and all this good stuff that's supposedly coming out of that. So I think what we, what we have to clearly look at now is this is a totally mixed bag of things currently being thrown at the U stakeholders.

So if you look at this architecture reference framework, it's well intended, but I think it's trying to do either 1.0, reloaded for two O with lawyers being the ones who have written up the technical spec. So this is obviously how this actually goes with kind of regulatory affairs.

However, it is not really fit for purpose at this stage. So I think they have received lots of valuable comments. Maybe they have even been flooded by comments from technical experts, which they couldn't digest in the timeframe given. And maybe they couldn't even really understand what was told to them, because if you're a lawyer, you are usually not good at it and vice versa. So I think this is kind of where the, the disconnect is. So I think we need to clearly overcome that.

And if we, if we are looking, what's going on now, we see all the, the work flowing into the various coor for the large scale pilots. I think this is somewhat a moving sideway for a while. And I think what we need to make happen as an industry is bring this balance to the force. And I think trust ORP is a very suitable vehicle to achieve that. And this is kind of our core mission to make that work, obviously a very much inclined to work with other organizations in the field.

However, we clearly bring the SSI perspective in the sense of principles of SSI into the picture. And I think this is where we need to go. And if the work in the U is gone, done, done smartly, they will look at the proposals that are coming in.

Also, particularly from trust overp to make the technology stack that they propose better. So that's kind of my three, two, 4 cents on the matter. Great.

So German, how is trust over IP, helping governments, industry organizations to implement digital trust infrastructure? So I'm gonna follow on what Andre said in terms of the EU perspective.

What I, I think one of the most important things about the stack is, again, back to T C P I P. It is a global solution. It is an architecture for trust at internet scale. That's right. As Judith read our mission statement, right?

We, we said, we believe this is possible. We have gathered a community where I think we just passed 400 members, is that right? Organizational members. And we also have individual members by the way, the base level of membership is free for any organization or me individual that wants to be part of it who align with this vision that we need an globally interoperable way to do. This is somewhat surprising. We found extraordinary interests from governments fairly early on, because guess what? They don't in most cases, not all cases, but in most cases, they don't want implement something.

That's gonna be a digital identity solution just for their citizens or just for their businesses. Their citizens need to travel. Their businesses need to do business all around the world. So they look at this and they say, ah, they see decentralized identifiers, right? The reason DDS are the base layer is if, if you, if you think about what is made the internet, I mean, the, the T C P I P stack successful, it is layer two in that stack. It is the IP addressing that lets any internet device reach any other internet device.

Very, very simple protocol. It's called the hourglass model. One simple protocol in the middle, everything below it supports it, everything above it uses it. What we realized is with this stack, we need to at a higher level, do the same thing. And we call it the, the, the lower level is the waist. The upper level is the neck layer. Two is where we have, we need to standardize a protocol. And the addressing at that layer is decentralized identifiers.

Every single device, whether it represents a person or an organization or a connected thing can use a D I D to communicate at layer two, they can work off trust layers at anchor one, and governments look at that and say, ah, we can be a trust anchor, but we don't have to be the only one. Right? And they can all use whatever verifiable data registry works for them.

So the government perspective has been surprisingly strong, obviously with the, you know, John Jo from the government to BC being, you know, directly involved is sort of given a oh, governments are, are welcome here, and we're gonna make it even more welcome. And we've found that several, the Canadian provinces have come to us for consultations.

We have, you know, deep involvement here with, with the EU will help any way we can, but also other countries I just learned yesterday, even though from the us, we look over and God it's all of Europe, but Switzerland is, you know, decided it's gonna be special, wonderful paper.

I don't have, I can't put the right up now, but it was just released earlier this week from the, from 10 digital identity experts in Switzerland, that basically says, here's the model that the Switzerland should follow for its digital identity system that they, the initiative to do conventional centralized E E I D was, did not pass last year. And now they're saying we should do this model, right? So I highly recommend that paper. I haven't read the whole thing.

It's about 40 pages, but I think it's a really good example of what a government looks at and how it sees a solution here that as we can come together around it, they will then adopt it. And, and I know that several Canadian provinces plan to issue, you know, government identity credentials this year, following architecture actually using the Hyperledger Indian area stack.

So I know it can be a really confusing landscape out there with a lot of forums, consortiums community groups we often have, well, just in the last two weeks, we've had several of them either asked to join us or asked us to join them. So I wanna pose this next question to Christine, because I think you probably have the same thing at Accenture that people come to you and wanna, can you kind of help us, you know, how does the T Y P stack initiative help things like the EU digital initiative or the global iden assured identity network known as gain?

I think you've probably heard of gain or the accountable digital identity association. I like to always use these names. That's a idea. So when somebody says idea, that's what it actually stands for.

Christine, can you tell us how the stack helps with this? Sure.

I, I would do the best I can. I think there are going to be, and, and since I've been in sort of the identity space for, you know, better, better part of 15 years, 20 years is telling my age, really. I think one of the, the main thing is that there are going to be many and in order, no one wants 50 applications on their phones. Or I just like, I don't wanna stack of identity papers in my handbag. Cause it would be very, very heavy. We also don't. And then there will be nothing to trust. We need interoperability.

And that aspects of what this is where trust of IP is really, really useful as an initiative because so much work has already been done. And all the artifacts that are available has been worked on by different stakeholders in the community, whether it's larger organizations like Accenture specialists, gurus like Drummond and many others that are part of the community to evolve the thinking to aim at this evolving space for interoperability. And there would not be a one size fits all for any ecosystem. There are going to be some that I identity Federation much like gain.

There are gonna be others that are more focused on, on specific persistent identifiers like idea. But the fact that there are these artifacts available that has been thought through the, especially at the governance level, rather than the tech level to ensure that aspects of interoperability. So we don't have stacks and stacks of this in our phones that, that no one is gonna use and dilutes the value of those identities in the future. I think it's important that to offer a set of guidance, that's where trust of IP initiatives can really, really help.

So Brandon, I'm gonna ask you the tough question. You ready? I'm ready. Okay. What challenges need to be addressed to achieve interoperability between emerging systems and existing identity systems. Okay. And you have 30 seconds now, 30 minutes. So I think anyone that's been in sessions over the last day and a half and no doubt for the next day and a half will have seen the siloed identity world, the federated model that we've got today and then the future being decentralized. And I think that everyone kind of agrees that decentralized is the future for an identity ecosystem.

So you'd, you'd have to be a bit of an idiot to say anything supportive about the centralized system. Surely nobody's gonna say that they're a good thing, but Hey, I'm bit of an idiot. So centralized identity systems are a good thing in their place. We're not going to get away from centralized identity ecosystems. You've got things like foundational identities that governments own. They're gonna have databases with people's identity in them, their, their national registers.

You've got passports, drivers licenses that governments are gonna store in central databases, but you've also got inclusion markets as well, where actually having a centralized silo database is required in order to serve people who don't have the digital skills, don't have smart phones and need somebody that will actually help them to get into the identity care system. So centralized systems aren't going away. We are not going to move to a 100% decentralized identity system.

So what we need to do is we need to work out how those centralized systems, how those siloed federated systems work in a decentralized identity network and how the two can inter-operate with each other so that we can improve the existing identity ecosystems out there. We can inter-operate with them. We can compliment them. And actually we can do new things in new ways with those identity ecosystems. And I think that we've, we really got to get to that level of maturity and the level of realism for how the world works.

And again, I think within trust over IP, we know that we're gonna have DICOM protocols. We know that we're gonna have O I D C. We know that we're gonna have SAML. We know that we're gonna have rest APIs. They're not going away. We need to work out how that interoperability works. Soreen I'm gonna give you the, I gave you the first question. I'm giving you the last question. I want you to tell us what is the call to arms for the industry for the next 12 to 18 months?

Yeah, no. The short Question. And remember we wanna leave some time for questions.

Yes, Exactly. So I hope you all appreciate this absolutely gorgeous picture up here.

Of course, it's all done. All you need to do is go away and implement it and we we're all done.

In fact, you can take off the rest of this conference. We're not done.

We're no, no place close to done what we call the first generation, the four big boulders we had to put in place, just to say, we have a, a, a foundation of a much deeper description of, of the layers that you see here. We're almost done with that.

We, we have de defined a first generation governance stack architecture. Several specifications are out on that side, frankly. It's a little easier. We are currently just, we're probably by the end of this quarter, by the middle of the year, we'll have the first, what we call the technical technology architecture specification. It's not actually gonna specify layer by layer protocol, by protocol, all the interfaces, all of that.

That's the next step after that, what we're, what we're doing is getting to convergence on the requirements layer by layer a number of the, of the companies and architects participating that are basically saying this it's not only long overdue, but it's the most intensive architectural work that they've gone through in their career. We are inviting you to be part of that. It is an open foundation.

It is all, you know, the, you know, classic standards worth. Okay, we're, we're close to that. And then we have a whole step beyond that in terms of actually then boiling it down. We love the fact that game, Ida, other initiatives that are trying to tackle trust on a global scale are reaching out to us and we wanna engage with them because we need their requirements to be reflected in the stack as well. I must say, you know, we're, we're here in force at EIC because the European digital identity wallet initiative can be a lighthouse for digital identity worldwide.

Exactly the way that GDPR has been for privacy, right? We really believe that we, and so we want it to be successful.

So we, the call to action is please let's all work together to harden the stack, to deepen it, and then to implement it. And we do want to get to interoperability testing like this exactly the way there was for T C P I P.

I mean, it's hard if you, but if you think back before there was the internet, there were a bunch of vendors that finally had to get together and say, we gotta make this work. And open source implementations of course are always necessary.

So that's, that's my call to action. It's a lot of work we hope a year from now. We're gonna be back and we're gonna have an even more detailed picture, but it's probably gonna be a number of years to, until we're all done. Thank you. And I'd like to invite Scott, could you give him a mic? He's been monitoring the online question. So I wanna give the online community, thank you for joining us online. A chance to answer their questions first, and then we'll go to the Room. All right.

Our first question is, do you think the layers are applicable even for IOT platforms to increase reliability even there who wants to tackle that? I'm gonna give a very short answer. Yes. Do you have any other online questions right now?

No, That's it. So, okay. So in the front row we have three questions right here. How about now? I'm going to the back next.

So, okay. So it's was really interesting presentation. So I have one question equally implemented digital again, some time ago is called pig. Actually have a similar process for the, of user like protocols. So you go to a verify park, verify you have your user name, password application, the phone that keeps your Yankee Kiki, and you can interact with public administration. We using that, I king have some something similar, but I'm not so sure.

So how do you tackle the, that every country will have their own digital ecosystem and you have con European level, which is figuration effectively, and the probable may not compatible. And also there may some, let's say difficulties in integrates the different platform. So I'll have a stubborn answering that one. So I think with spit during COVID the number of users that they've got has really hit the J curve and really taken off. And now you've got E I two and the EU digital identity wallet.

So already SPS got that challenge of how do they move from where they are today to where the commission wants them to go tomorrow? When like Andrea was saying, it can't just be a reboot of E I S one, it needs to evolve. And this is really where the stack comes in. That if the EU identity wallet follows the reference architecture so that it does get that interoperability, that's when SPD can say, okay, this is how we can fit in there.

And again, it's back to what, what does the existing world do in order to move towards the, the new world and, and SP and other identity schemes and the EU and the commission, if they follow the, the open reference architecture of the stack, but tri over IP got, then we've got a way of actually getting there. Okay, Perfect. Thank you. So we have a question from the back of the room, if you wanna say who you are and where you're from. That's great. And then we'll come to the front. Speaker 10 00:36:53 Hi, I'm a, I'm from Slovenia working some projects related to, to SSI.

I, I have two very brief questions. One is about layer two on the technology stack. And it's pretty simple.

I mean, in, we know that in T C P I P we have discovery via DNS, and there's a lot of effort being done to, to protect the communication and to manage access. So, so first question is, how do you see this? So how do TCP trust over IP see this part? And the second one is basically about the government governance across different trust frameworks. And like how, because we know that in different jurisdictions, we have different rules. How do you see the translation between the two?

Because I think this is one of the most challenging tasks we are, we will be facing in the following months and years. So how, how is the trust over IP addressing that, that problem. Thank you. So we'd like to address that and if you could make it kind of quick, cause we have one other couple in the front we wanna get to, but for the time, so I, I try to take a quick step on the, on the did com and verifying actors topic.

So actually, obviously it's a very important topic that you can reliably if that's needed, identify issuers, verifiers, and holders, because you want to be sure that you're handing the data to the agency or the institution that you, that you want. So we've gone in, in one project to, to great lengths, to find solutions to that problem. So actually what you can in fact, do revert back to classic certificates so that you can, in fact, identify verifiers and issuers by a classic extended validation or QX certificate. So that's one, one idea.

However, actually this is next generation idea that we are having and pursuing currently with gly global legal entity identifier foundation. So we are mapping a legal entity identifier to public debt so that all your agents can in the end query the public database of life to see who is in fact, the real legal entity behind the D I D that you see. And if you, if you bring that to the next level, obviously we can bring much more trust into that. And we will have the possibility with the trust ecosystem definitions to basically let issuers determine who should be verified and vice versa.

So I think we have to figure it out how it works out in the end completely, but these are clearly the cornerstones from a technical perspective for everyone to move on. So can I, no, we we're. We're outta time. And I know that these, these three in the front have been fighting it out with, like, who's gonna get the, ask the question. What I'll say is I'm gonna ask our panel to step right outside the room here. And if anybody has any additional questions for them, you guys will be out there to answer the questions directly. I thank you for attending.

If you'd like to join the trust of our IP foundation, just go to our website, trust over ip.org. Thank you for attending today. Speaker 11 00:39:55 Thank you.