All right then welcome from my side as well. Everyone in the room and on the screen. It's the last session of the day. That's why I have to increase the pace a little bit to give everybody excited for the last, for the last round, I would like to talk about first about the biggest identity crisis that I have ever experienced in my life with millions of people lay off billions of dollars being spent. And you all noticed under the term financial crisis when Lehman bank collapsed. But the real problem back then was that nobody could say how much money is involved and who are Lehman's customers and counterparties. And since this was completely unknown, boom, right? The regulators had to bail out everything and the rest is history. Now the G 20 nation leaders back then said, this is not supposed to happen ever again.
So let's think hard about measurements that we could put in place to overcome this. And one of the things that they figured very quickly is that there is no global business registry. You have national registry, no operate differently, different allocation rules, different access to data, different everything, but has no global one, but has also no global government. And there's no global taxpayer who could fund it. And that's why roughly a thousand people from the public and the private sector in the time of 2009 to 2012, came together to think about the governance structure. That is the closest to a government driven registry. Even though there is no government running it itself. And that is the regulatory oversight committee for the legal entity identified yet legal entity identify as just a dumb number, but how it's allocated. And what's going on with it is defined by policies defined by regulators globally.
Here we have 65 different regulators that could be the fat, the E a B that could B in, in Germany, that could be the Indian central bank and others. And they are responsible for defining the policies that national competent authorities can then turn into law. So everything that you hear today is based on law in almost every country. Now it's drawing it's it's, it's moving on. So the EI issuance was supposed to be federated. That means not a single unit, somewhere in the middle, doing all the work would, would be good. So people thought about local knowledge. Treating an entity in Japan might be very different to one in Poland, for instance, or in south America. And that's why we wanted to have federated knowledge in a federated environment. And so we created a network of 38 Lei issuing organizations. These are sometimes private organizations like Bloomberg London, stock exchange. Sometimes, sometimes government organizations like for instance, business registry, six or seven in Europe, alone, or even government owned regulators like in China and Saudi Arabia and other countries where this is all top down and our job life global legal foundation job is to manage this network of partners to make sure that they all uphold the principles and the governance framework. This government is the most and most important thing. So we are somewhat the compliance officer, the police, the quality control framework provider and all of that.
This is what Ani is all about. You see left Nestle ag Nestle, a, this is the Lei 20 dig should offer anme number. It's based on an ISO standard that was developed back then exactly for that purpose. But this number then references to data that describes the entity itself, the attributes, the reference data. And you can see here, the name where it's registered in Switzerland, the registration number and the local authority and so on and so forth. Then we also carry information about ownership, structure of Nestle. So the subsidiaries on a global scale, because in many cases, it's not just necessary to know who you're dealing with as one company, you also need to understand in which group structured this company is embedded in. Otherwise has a big chance for big surprises. So very basic on our website, you can go and carry the data. You can download the entire file you can, as an API, you can program against everything is free of charge. There's not even a login because everything we do is under open source, open data constraints.
And today the Europeans were a little bit busier than the others in the area of 2017, 18, but there you see the world distribution right now, but it's very interesting to say that it's now spreading out from the financial sector into other industries, supply chain, healthcare, pharmaceutical, and so on and so forth. And what you can see now is that the fastest growing regions in the world for the last four quarters already are India and China. And we've just heard on the panel, the importance of the Indian identification scheme for natural person, thei is the financial equivalent for legal persons. And China is even using the Lei in import export declarations and customs controls. And you name it. The sky is the limit of the application for the Alii.
The problem here is I like to talk about galaxies. We have a finance galaxy where everybody talks about everything payments here and this and that. And there are standards and that data providers and all, all of that, it's, it's a whole galaxy, right? Unfortunately, fines is not alone. I've just put two other galaxies out there, the internet galaxy and the supply chain galaxy. Again, it's all about identification, access control, authentication, authorization, and everything else handled every time in a different way. Have you noticed wherever you go shopping, you get a different customer number. That's not yours. That's not yours. That's the number of the organizations, give it to you. And the case of some organizations, unfortunately, German telecom among them, you even get multiple customer numbers because they don't bridge it in their it systems. Wouldn't it be nice if they would use my number so that I can it use that I can use it everywhere when I get an invoice much easier for me in my, you know, accounting, controlling and everything to check everything.
If you have some, some kind of claim to make and everything else, it's always burdensome to do that. And you have this in all the other galaxies as well. Identity is core to everything. We're doing healthcare. Another example, right? You need to know precisely who put that medicine together that you solo. So the Lei system is actually offering issuance validation and mapping services for all in one form together. And please, this is only for legal entities, right? It's not financial person. It has no GDPR or any, any other constraint here. This is also legal entities that expose the data anyway, through business registries, we believe a major driver for a very viable Lei. You see the V L E I as a, as an a acronym is the digital transformation of society. Let's face it. We can talk about the, the new world, a very fiber credentials and gain and everything else we're taking part of there.
But the reality is that the vast majority of people don't want to change legacy. It's costly, it's error prone. They don't have budget for this unless regulators ask for it, or there is a huge market push and competition. People try to stick with what they have, but now it's through digital transformation. And I think this audience is a very good example for that. What we're, what we mean by that. We're taking apart all the business processes and everything else and reassembled them in a completely different way. And that allows for new systems. And that allows also for new methods that we can apply for digital identity. With crypto, we see predominantly in the market, digital certificates, X 5 0 9 certificates in all forms, shapes, and sizes under how many regimes there are government regimes that private sector regimes. This is a pretty mature technology like introduced 30 years ago, standards available, lots of certificate authorities and PKIs and trusted service providers around.
And everything would be fine if digital certificates would not canvas certain shortcomings as always, for instance, digital certificates embed the information directly. So it cannot be changed, which is good. You don't want people to temper with your ID, but what if in the real world something changes, then you have to revoke the certificate and issue a new one, but that often doesn't happen. People carry forward. The certificates, even though the information underneath has changed, revocation has always been an issue in the industry. And this is just one of the many, and this is where the promise of very fiber credential kicks in and gly. Our organization has the following thought here. We have been working together with ISO Etsy to create a standard for embedding the Lei in X 5 0 9 certificates. That's a done deal. We, we have used as an, for the last two years personally, I sign every contract, every PDF file with my digital certificate, with an embedded Lei.
But we also want to look for new technology and new approaches. The market will in the end, decide which one is going to win, how it's going to be realized, you know, and everything else. And if gain is for instance, the best mechanism to carry information on legal entities, among parties. So be it, we we're supporting that as well, but personally, we believe that the future might be with very five credentials. And I'm glad that many others spoke this morning in this afternoon, the same way. So what are we doing? We have a real world, an organization, a person, and the role let's say organization, life, Stephan Wolf CEO, the same Stephan Wolf might be member of a sports club somewhere else. So I play a different role in a different environment, but here in a business context, it is important to know that I'm the CEO and that I'm authorized to sign contracts. And this information is available through the business register. My name is listed there with my signing authority and can be used here to create very fiber credentials, which is the red container where we put the Lei, the person's name and a role standard into a credential seal it or sign it. And call is a very viable Lei. Now, the roles are very important.
We come to that because legal entities usually operate themselves. The legal entity is an abstract concept. Usually people act on behalf of a legal entity, so that not just the CEO, CTO, CFO, but also every employee, right, has certain credentials that they get from their employer. I'm pretty sure that the vast majority of people will have their first credential from their employers because it's, it's so logic that, that they're going to do that. Now the legal entities want to entitle persons to represent the legal entity. Now, if someone presents a Blei to you with a role credential for, for somebody you want to know that this person has the credentials assigned from this legal entity, you also want to know that this legal entity really exists so that there's a vetting and validation process in place. And you also want to know that the here has the right to do so. And that's what life is the chain of trust, the head of the chain of trust. Here, there might be other change of trust possible either you could simply co-sign or make an attestation to the legal entity that is this the V I, and then you have two roots of trust and you could combine the standards. And also the legal frameworks quite easily.
There was a quotation of this book this morning, which I would not fully subscribe to. I, I like it. I like it actually. But there's one thing that I wanted to highlight is, and I checked Wikipedia again, Wikipedia being somewhat the truth for everyone. And everybody talks about self-sovereign identity, very fiber credentials and everything else in the context of a distributed ledger. Our approach is that this is not true. You can build all of this completely without distributed ledger technology. I don't want to hurt anybody's feelings. There are lots of reasons why you want to build ledgers, right? But to grant identity and to use identity, a ledger is not needed.
So let's talk about target audiences and use cases, just to name a few. All of these industries and major companies, industries have approached us with the need for help for getting their identity problems fixed once and forever for legal entities and their representatives. It's really amazing. I had a video from the pharmaceutical side where, where they explain very much why they use very fiber credentials, why it's so important to them, how this is embedded in their entire entire ecosystem. Unfortunately, there's no sound from this box here in this room, so that I can show this, but we're going to publish this video anyway, in a few weeks on our website. But other companies like telecom companies, you know, manufacturers, warehousing, we are working together with an organization called GS one, the barcode that's on every product. You know, we're working together in integration of the standards so that, you know, supply chain applications and all of that can be, can be much easier equipped with this I'm personally advisor to the international chamber of commerce, paperless trade on a global scale, a big thing. Hundreds hundred countries have no law in place to allow for digital exchange of information. They really require wet signature on paper. Changing the law on that scale alone is a project. And then once you have this, once you have machine readable data that is shipped from one side or the other, then you need identification authentication. And this is where the V L I comes in.
So this was the video I skipped that for maybe for next time. But I would like to explain another use case that we're going to build and show on our website in June this year, every company must publish its financial statements and file the statements to local authorities. That's what CFOs have to do every first quarter in the year. And they're all pretty busy in doing that. Clive does the same thing we do. We are Swiss foundation, private Swiss foundations, or we file of course in Switzerland. But in order to give the audience in the world a better understanding of life, we also publish a report in the so-called I F RS standard, which is an accounting standard. And we put this on our website. And in previous years, we have put this on our website as a PDF, which is great, looks nice. Everybody can read it, can bring it, but unfortunately it's not machine readable and forget about trying AI algorithm to fetch data out of it.
It's really error-prone and E cumbersome. The answer is machine readable, data formats and standards. There's luckily a standard called XBRL, the extended business reporting marketable language. And that is in use like 50 countries in the world. So we use XPO L for the last three years to create a file that is both coming with the XML data set that people can parse and use automatically. But it also comes up with all the HML features and nice graphics and everything else so that people can never, and nicely rendered sensation on the website. The problem with this report is here's an example. Yeah. When you click, when you click on a number, then you see some additional information, some charting and things like that. That's thei of the reporting entity in this case, gly, the problem is once you take this file and put it on a different machine, you download this from the website, the coupling between gly and the document gets lost from that moment on, everybody could temper with the data and you cannot trust if you get the file from somebody else that this file has not been corrupted.
And this happens, Russian hackers broke into the American stock exchange authority, S C they falsified an annual report document. And the next morning when trading started and everybody relied on this information, they made a fortune and disappeared. Nobody knows, nobody knows who it was. And the United States government, the S sec wanted them to replace login and everything is to factor authentication, all that kind of stuff. And the us government said, no, the white house budget and management office said, no, all government agencies must go and implement a zero trust architecture. This is probably the biggest push for our industry that we will ever see in life. Because if every agency must do this, then you can imagine all companies more or less will have to use this and enjoy it.
Now, what we're now going to do in June is that we take not X 5 0 9 certificates like in the past years where we signed the file. That's pretty old technology. The problem was that our auditors couldn't, co-sign the full file because they say we can, we can sign the financial statement because that's what we audited, but we cannot sign the marketing text and the pictures and everything else. So what we're now doing with very fiber credentials, and for those who are a little bit deeper in technology, we're using ACDC credentials, chain, container credentials. We use Caesar, which is another technology for multisig of document. That means we now have multiple people signing multiple parts of the document. I will sign the full document and the audit auditors will sign only those parts that they have audited, the financials, the financial statement, environmental auditors, our carbon footprint, if that becomes relevant at a time, right?
And what you then will see on the website is nicely rendered page, where you can click on the information and you see precisely through very fiber credentials who, which role who signed up on the various parts of the report. That's the demo that we're putting together. Nobody has asked for this, that's the demo we're putting together because we believe we believe that people believe only in something that they can click on. We can have PowerPoints and slides and everything else I can, I can assure you. My personal experience was I had my first digital certificate self generated like 24 years ago. We equipped the entire company with it later, we had then to use certificate authorities because the browser started not to accept those self-generated search any longer. I sold the company, stayed a little bit longer with the company in 2011, 12 ish. The first thing that the new owners did was to kill the certificate.
So no SMI many longer, no login to the internet based on certificates installed in the browser, everything was killed. You know why it's such an administrative burden. Our administrators have to go from employee to employee to install a cert because they can't do it. Are we using Mac windows? We have a few iPhones, Androids and everything else. And there is no management environment where we can simply roll out certs, revoke, certs, and everything else. Everything is error prone. And by the way, if I knew, if I need a new certificate, I have to call the CA and pay money for it. And all of this is going to be a pass with the V L E I here, the legal entity can decide where they want to use this technology to spawn off credentials themselves. They don't have to go to a CA the chain of trust is not broken, right?
It is the, the verification of the legal entity that, that happens from an independent third party. But once you have this, a company could spin off very fiber credentials to all employees for their entry keys, for instance, or for accessing certain computer systems or signing documents online and everything else. And that is what is embedded in the trust chain. And that is embedded in this hierarchy that I've just shown previously. And here you see, in this particular example, the rectangle represents schema. Of course, there's schema underneath and here you see how they are used for and your report. So it's the chief executive officer, financial officer, general counsel board chair, who are going to sign the report. Our auditors are going to sign the report. And then we have preparers and reviewers who are also responsible for certain aspect of that report, but they will not be exposed because that would be a GDPR issue.
We're using trust over our P standards for the governance model. We have been working over a year with trust over IP, together to create a V L E I governance model, both for credential, as well as for the entire ecosystem. Everything is downloadable. Our website is under CC comments. You can do whatever you want with it. I can really recommend take a look at it because trading a governance framework is anything, anything but easy, anything but easy. And we had a review process with trust over IP. They blessed it off. And I think it's by now the, the, the, the, the most complete and largest governance framework ever published in this standard. We're using the, the stack on the governance side. We have, again, the very fiber credential governance framework from the, from here. And we use the, the ecosystem governance framework standard for doing that. By now, they have been other developments under a trust over I P I ETF and so on and so forth. Namely developments of ACDC credentials, for instance, which is a slightly different implementation of very fiber credentials than a W3C standard phone reasons that I don't wanna go too deep into right now.
But the idea was with the credentials that you should be interoperable from day one. So IV L I issued here could be used in an application there and here you see a few example, hyper JD witness networks, cloud based systems and APIs, Ethereum quorum. I would love to add R three, which is the only one we don't have yet. And that means we're going to create not just the V I system, but also the witness network and the Watchers that you can use to access the information, to create the information. Even if you like to, you can anchor the V I on your own blockchain, if you like, how are we doing this with a protocol called care key event, received infrastructure hands up, who has never heard of it?
You should change that. You should take a look at it. It's really smart. It's it? When we looked into blockchain, we had, I don't know, zPo that we ran it. It never felt right. Blockchain can do so much more, but we don't need consensus mechanism. We don't need smart contracts. We don't, we don't need any of this, right. But what we need is key management, the issuance, the revocation, but also key rotation is also an important aspect. All of this is handled by Carrie and through key rotation is also quantum safe, which was a, which was a night addon feature for this. And it's a library that is open source. It is proposed to be under I ETF like ACDC credentials. So another open source project to watch, but I'm not selling Carrie. This, we are, we are not the inventor of, of carries. We're just using it as the underlying technology. And here's the carry stack for, for those who would like to learn a little bit more about it, you will have all access to my slides so that you can check it out yourself or dig even deeper. The carry white papers, 132 pages
Heavy to read document it's full of math by the cool one. And with this I'm at the end and would be happy if there are any questions that you might have
Before I go on stage, I check. Are there questions from the audience anybody would like to ask? Yes. Ah, just a moment. We need to turn it on.
Okay. Hi. As you explained, the relationship there between the legal identity organization and the people who play the roles in the organization and the infrastructure you're designing for the issuance of, of the AI to those individual roles, have you considered linking that in? And this comes to the game, work into trust framework that are already issuing identifiers to those individuals. So rather than issuing your own ID, you pick up the idea they've already got, maybe using the, they did, they've already, you know, did, they've already got from a broader trust framework ecosystem?
My answer, my answer to this question is twofold. First of all, there is no standard for roles. You know, you can name yourself in a business context on your business card. How, what, what you like there is no standard. And that's why we approached ISO and ISO created the standard ISO 5 0 0 9 for official roles in businesses. And gly is the maintenance agency of that standard. So my first answer is I think everyone else should need, should look and must even look at these new developing standards, because that will help a lot. If we speak the same lingual funk, the other, the other question is even more interesting. Yes, we're we joined gain because we believe the interoperability. We believe in, in the framework in networks that are federated and the V L E I does not solve any business problem. It's not an application. It is a building block, a feature. If you like that, you can hook into other systems and what we want to figure out together with the gain team and the, and the P is how this could technically work, but smart people will find smart solutions. I'm rather optimistic that this will work.
I'm curious in the specification for the data, cuz in Canada, some of the things that we're doing in financial regulation and companies is starting to look more seriously at making sure that the beneficial owner is identified money. I don't have to explain. I'm wondering if that structure is supported in thei.
No. The thei was explicitly tailor made for legal entities and cannot be used for natural persons. And the, most of the things that happen in Uber resistance so forth is about the ultimate beneficiary owner and the natural person. What we carry is the company ownership structure, because even the bad guys use vehicles around the world, right? We want to capture them all quite interesting fact, we did not switch of Russia, any Ukraine or anything like that because we believe that the transparency on the acting actors is a good in itself, right? For whatever purpose. We're not taking any political position here, but we're saying transparency is a good thing. Talking about Canada, heavily influence our thinking or book British Columbia in the implementation. That was great. We did one P with these guys, and this was outstanding. Triggered a lot of the thoughts that we now hear
John, when I saw
Yeah.
Hyperledger twice.
Yeah. We had high ledger, indie high blood areas completed different implementation. And which was one of the lessons learned it's it's not just overuse, Hyperledger and solve all of our problems. Right. There are so many things underneath and please don't let me go into this because I'm not entirely the expert, but I can tell you what rings in my ears. Why are you not using ACRs there's there are so many political discussions around that happy for the, for the experts to do that. Right? We're not saying, we're not saying that we have any kind of like better opinion or more knowledge than anybody else. The only thing we're saying is we life do it this way. And if you want to use the V simply hook it in.
So I have a question. I have a question here and then I'll come get those on the other side of the room. Yeah. Just a moment. We have a question here and then I'll come to you.
Yeah. So thank you for the presentation. It was very exciting. My question is, is it possible to link Ani to a D? So for example, if I receive a verified credential that is issued by a D, is there a way to look up the corresponding Lei for that D or, or the other way around, maybe if I have Ani, is it possible to look up corresponding D that that identifies that legal entity?
That's how it's built? So the gly website will become over time, a did registry, where you can look updates, you can see the owners of DS and things like that with, with the caveat that the owners must have Ani, otherwise it's not going to work. So we're not building a, a central facility for everyone, but for those leis and V EIS, we we're doing exactly that. Yeah.
Hello. Curious about the use of X 5 0 9 digital certificates for potentially containing attributes beyond identity for the purposes of authentication and the parallels with PS two, two, and EI us and qualified statements, which were used to convey regulatory authorizations. Is that just curious, is that the intention here to somehow represent attributes beyond identification of the business entity,
There were two possible ways to implement thei inserts in U alone. And that is the Etsy standard, which uses the, the identifier field. And then thei is a prefix Lei co, and then, then the number or the method that ISO preferred, and that was to create an extension. So there are O IDs available for thei and the roles to put the CEO in the cert the digital certificate authorities struggle with the fact that there are two standards and the answer from digital cert info cert and all these kind of guys is we put both in it's a little bit awkward. The standard buddies have never have you heard about competing standards? Isn't that the contradiction in itself here is here's a good example, right? So we preferred the O I D the extension space, but as one aspect, and I can be, I think, honest with you, the was supposed to be part of a TLS certificate, right? H DBS is the protocol of the world. And it was one of the large browser vendors who did not want that for whatever reason. So they defended, so to say the current model and did not want to have thei inserts.
And,
And that's what the future will tell us, how does this going into end? Right. I know that the Ida folks came to a similar conclusion that the commission, they might now a little bit more pushy in, in doing that. And we are picking back on that as well.
So in the interest of time, we'll have one more question, but if you have follow up questions, I'm sure Stefan would
Love, oh yeah, my, yeah. My email address and everything linked in everything is open. Please just send me your messages or questions.
Speaker 10 00:33:22 Yeah. I mean, for thei itself, this ISO standard is very simple. It's basically just how to create this unique number. If you go to the very fable Lei need to make it machine processable and also the attributes. So you, of course, we all want standardization and we would be happy to have one data representation in the very fabric potential because the ential is signed. So you cannot map it to another syntax because that would kill the signature. So basically if you take a decision, we take this syntax, then that's it. And at the same time, you want to be the global legal entity identifier to be used by all businesses, by all organizations, in all business domains, all over the world. And if
Sounds scary to you,
Speaker 10 00:34:12 No, it's not scary. But what I'm wondering is that we know that about syntax, that doesn't happen. You know, we have a multi multiplicity of syntaxes. Also XML has different dialects and we have Jason and maybe what we don't know what will come next. So the question is wouldn't, if you really want to be the global scheme, wouldn't maybe a little bit more flexibility on how to deliver the ential to what issuer might help to grow the market.
First of all, of course, we would love to see the world using it, but nobody's forcing the world. This is an offer. And maybe I should mention that this is free of charge to everyone. So if you want to build application, if you want to build product on top of that, on the AI, the V L I please do so because the usage of the V L I will not cost anything.
And that's gonna be interesting to see how all the other schemes are going to react on that and, and their business models, but that's not our decision. It's, it's up to the market to decide second for the V E I system itself. Yes, we have created those standards. We have XML templates and templates for the credential, sorry, and all of that. So this is all baked in. You can go to our website and you can see the standard documentation. There are GitHub repositories, where you can download the source code and, and everything is there. That was my answer. Number two, answer. Number three is the V L E I is nothing else, but the V but Ani wrapped in a container. Couldn't be simpler than that. Right? What you then do with it, the applications that you built with that, the type of Verifi fiber credentials that you built on top of that is entirely up to you. So for instance, someone could take the role credential of the CEO and add more information in another credential and, and chain the credentials. And that would be very easy way to add information about the CEO. For instance, entry date in the company entry date in the company would never be something that we would standardize and put out
Speaker 11 00:36:24 Management. I rely on the role
Speaker 10 00:36:28 If we learned a lot about excess management, also other speeches here. And if you use very credentials for excess management, you have to validate them and you have to validate the signature on it. Yeah. And if you want to validate the signature, then you have to inter make the interpretation of the syntax. Maybe I'm mistaken. Maybe it's not a problem to, to, to met from one and the other. But the point is that if the relying party systems are very diverge, they are very different. So you are talking as the issuer, but me as a relying party, I, I have to make the interpretation. And each time when I'm mapping the format to another format, I lose a signature. And that is a point where you can hack in and destroy the security. I think that that is a challenge of sign data. Anyway, if you do not want to do it, not to not, but you want to do it end to end, then you have to, well use the same coding basically.
And if you would replace signature with digital signature, I would fully subscribe to everything you just said. You sign the credential with the private key of the holder. And that's how you link the information to the holder of the key. That that is not, that's not different than any other system, like, like, like X five or nine or so, but what you can do with it is quite amazing because a company could decide to issue credentials to their customers for accessing their systems, right? These credentials might not play a role in any other context, because they're issued by the buying company. And the supplier then has credential from the buying company. And they do the vetting and validating that this is the right supplier, that, that these are the right people who can do things. Regulators, another example, they look into this. I, I mentioned the annual report as a big problem with regulators, the CEO of a company never files to report him or herself.
It's always an admin function that does that, right? So they can also go things bad, you know, between what the CEO wants and what the admin function does. And that's why they all can get very fiber credentials difference between the official role credentials and the functional credentials is that the role credentials will be made discoverable on the web for everybody to see this is, this is anyway public information. While the functional credentials for people, they will remain in the wallets of the holders and users in a peer-to-peer fashion. So maybe you should stop here and thank you very, very much, please. Thank you.
