Electronic Trust Ecosystems – What could a future look like? International Digital Identity Wallet activities and consortia

I'm, I'm usually here as in as he said already in many, in many roles, many heads. So this time I have the privilege of talking to you as a board member of Tele Trust IT Security Association in Germany. We are more than 400 IT security companies and, and associates basically representing the German ecosystem of IT security vendors. So I have the privilege of talking on in that role today.

And yeah, thank you Gideon for the interesting insights. So actually this has very much reminded me of Ready Player one. So I'm expecting that we will at some point be flooded with advertisements when we are going down the rollercoaster with the VR headset on. So I hope we can get a future where we don't blasted with advertisement in the VR headsets. But thanks for the insights and I'm really looking forward to following up on all that.

I think this is totally relevant and related to everything that we do in the online world and artificial or virtual reality and augmented reality will be definitely something where we desperately need trust in electronic ecosystems and digital identity. So electronic trust ecosystems actually, how do you trust in electronics? Anyone?

So trust, trust is like a human term, right? So we trust one another, we trust people. We may trust organizations and we probably trust in our electronics because we believe they are built securely and safely. So the closer you are to the security community, you probably know that the hardcore security researchers don't trust anything where electronics are inside if they have not built them themselves. So basically they trust, don't trust anything. So how can we electronic trust, I think one of the key parts is to have some kind of auditing of supply chains and have cryptographic assurance.

So this is something that we can have in electronic trust ecosystems that helps us. So everything that you probably have heard around digital wallets and, and and all these kind of things are basically things that are considered trust ecosystems. And we will go into a little bit of detail on that. So I've made three parts, background and evolution of digital identity. So probably not much new to you there. And then a little sweep on current electronic trust ecosystems and regulatory aspects.

I think this is the part where I want to spend most of the time on actually, and last not least, the whole trust of decentralized identity, organizational identity and yeah, like an outlook on zero trust architecture. So making me saying that already.

Now, electronic trust and zero trust architectures are not really mainstream these days. So all of you have read the BSIA zero trust paper will probably know there's no standard for zero trust, but all this, what we are looking at is helpful for enabling those. So background and evolution. So digital identities obviously nothing new. It started off when first computers came with time sharing and all that, but this is way before that even.

So we started off in organizations with centralized identity and very big bespoke solutions that were built for enterprise organizations by vendors that you all know. And this evolved into more federated identity with open mighty Connect and some and author and all this good stuff, which helped a lot to make identity a bit more seamless. Then we moved on to more user-centric digital identity paradigm, which means that you are perceivably more in control of what you do and what you have as control that you can exert over your digital identity.

But the leading edge stuff is, has basically been spawned under the term of self-sovereign identity or SSII think many people don't like the term anymore, including the community or invented it. So we talk about decentralized identity nowadays. So it's like putting the user more in control with what they do. And this is enabled by this ominous wallets and I think this has many benefits that we can get out of this kind of new paradigm and how we can get beyond mere identity cards that you may have or may not have.

And having like seamless processes with electronic trust ecosystems and decentralized identity available, we can get enhanced security. So it is possible, I'm not saying it comes naturally, but it is possible to get enhanced security with the possibilities of decentralized l and d. We will be able, and we we heard this in in in your talk actually earlier today. It should be invisible. It it should be seamless, right?

So it should be basically something that you don't even think about and it can allow you to interact online without thinking about authenticating and locking in and and stuff like that anymore. It'll enable completely interconnected services that that are today driven by APIs and in the future world we will be able to transport trustworthy data via verifiable credentials in an interconnected world very seamlessly and allow some kind of dynamic identity management with the data that we bring to this solutions.

And if we are looking at what is most discussed today in this world of decentralized identity, it's a trilogy actually. So most discussion is always about natural persons. It's about you and I having our digital identity doing something with it and interacting with some organization or some, some outside actor. And this is actually the key focus also today of regulatory activity. So everything you hear about the IDAs a huge digital identity wallet. It's usually about natural personal identity, but this is shortsighted. I think it will at some point reach out to where it actually needs to.

So talking about business identity, organization digital identity is something I think that will be the game changer in this world because if there is no useful use cases that are brought to us by business and government, then no one will actually engage with it. And I think we heard it in your talk as well earlier today. And last not least, this is the biggest volume that we can ever imagine. We will need machine identities for either physical artifacts or maybe even some at some very soonish point for AI artifacts that need to authenticate against ourselves. I will come back to that later.

So now let's go into what our current electronic trust ecosystem that we already have and what are regulatory aspects to consider in the, in the limited time we have, we'll only have a very brief sweep and in one slide we will go into a little bit more of detail. So we have very successful digital identity ecosystems and trust ecosystems. I've brought just three rough examples.

We have very successful digital identity scheme in the nors called bank id, which is not as privacy preserving as we would like to have it in the broader eu, but the Nordics are actually having a bank ID that is very successful. People use it every day. This is something that Germans citizens like myself would love to have as well as a, as a ubiquitous as something that you can use. We have in Italy the spit which is something similar in I IDAs regulated identity scheme. Very successful people use it.

It has made the way into daily lives in Germany we have the EID which has never really gotten a mass phenomenon due to various reasons. I don't wanna go into detail, I've just put a logo there of a, of a private sector use case that I personally know very well because I'm deeply involved in that. So we have many private sector use cases which enable digital trust ecosystems or really draw from them for implementing specific use cases that require cryptographic assurance and and verifiable credentials.

So I think we have these success stories but we want something like a uniform digital trust layer that we can leverage for everything. Are we there yet? I think we are getting there but we have many good reasons why we are not there yet because we have, if you look at the regulatory arena, no standard or dominant design yet technology wise and we have no breakthroughs in the technology that will go completely mainstream at the current point.

This is the slide I want to talk you through in a bit more detail because I think this is important for for you to understand this is not like a uniform paradigm and and the uniform approach of things happening and driving these trust ecosystems forward. This is in fact sometimes an almost religious debate of experts in the various communities and groups. So I try to differentiate these, these, these fields, these these camps. So we have this pure self-sovereign identity technologies and streams usually requiring a wallet.

You decide what data you get in and out and you have something like a decentralized identifier like it did that basically helps you to interconnect with actors in this world. And we have three technology strengths and this is now probably one of the more technical discussions you could entertain today we have three technical streams in this really pure SSI world. We have one thing, it's W three C verified credentials in JSN LT format, which are heavily advertised for by the US Department of Homeland Security.

They're very much investing in this technology for a couple of years via their Silicon Valley innovation program. Very, very eager, very, very enthusiastic crowd of people driving this forward. So they are very much convinced. This is the thing then for, for a long time and still around is something called hyper indy with retts, very fiber credentials, very privacy preserving zero knowledge proof capable cryptos signatures which are considered fancy crypto. So they will never be accepted by the government. Probably not on, not in my lifetime.

So this is something that is very useful and some governments, particularly in Canada, British Columbia government actually uses this kind of technology because they believe in the privacy preserving aspects. This is something that is around everywhere still it's much debated and we are looking for getting maybe a future solution for this kind of technology track in the community. The last thing in this pure SSI camp is the carry and a CT C world.

This is kind of the most new edge stuff you will probably not not have heard about but there is one international organization called Clive, which is the global legal entity identifier foundation who's issuing legal entity identifiers for all the banking industry in the world. It was invented after the subprime crisis to identify financial stakeholders everywhere. And they now have a verifiable variant of these legal entity identifiers called V Allis. And this is based on this technology stack which has very advanced properties.

It's it's, it allows threshold signatures, it allows a very distributed architecture, it has chain credentials, so like a little bit like APKI. So you have chain credentials trickling down the hierarchy for what they can do and where they, where they're coming from. So this is the pure SSI camp and then we have old school stuff and we have some the derivatives of these kind of SS SI approach. And one of the complexity reduced SSI approaches is what you see today in the U architecture and reference framework, which is the underpinning of the digital identity wallet.

It's all the stuff around almighty for verified residential issuing and presentation and the so-called SD JWTs SD sometimes pronounced it's selective disclosure Jordan Jason WebP tokens which are kind of an SSI style approach but with only a bit of innovation, not looking at decentralized identifiers but trying to have verifiable credential style certificates which allow selective disclosure and allow a very wallet validity approach. And I think this is extremely useful because this is something that regulators can accept.

It only uses cryptographic primitives that are on the either NIST list or BSI approved. So no discussion about fancy crypto here and it'll do the job. Is it completely in the SSI paradigm? Probably not, but I think it'll be very useful going forward if we get a new digital identity wallet. Then we have something else in the U digital identity wallet. It's the mobile driving license standard ISO 18 0 13 dash five with a technology called moc which wants to be SSI but it's not, it's not as privacy preserving and always has this called home approach.

However, it'll be part of the U architecture and reference framework. So we'll probably get it. Will it be mainstream? I hope not because I believe in the other stuff on the left hand side. So I think we will have many different technologies going on in this kind of wallet war that is still still going on. Last not least, we obviously have the classic world that dominates everything today. It's the non SSI things with open my deconnect and classic PKIX 5 0 9. Extremely useful, proven, trusted.

So this is what we are currently having and I think this will not go away quite soon, but it'll be added with the features that we get from the wallet world. So this is obviously not the target state that we keep on this kind of diverse world forever because everyone in the international digital identity community is obviously striving for getting at least some kind of convergence because we don't want to entertain this technical complexity forever.

So everyone in the community is really striving for getting convergence and aligning the technologies and learning from the others and getting to one kind of uniform approach. So I want to bring three things to you. Key industry collaborations where this convergence is actually made happen. Key infrastructure providers who actually currently run parts of the infra infrastructure in terms of verifiable data registries and key industry conferences like this one where actually this discussion and shaping happens. So first industry collaborations.

You have heard in at least one of the prior speeches in this room about the open wallet foundation, which was founded last year where actually technology is created for us to have wallets in our own hands and organization wallets in our, in our control where actually the real code is generated. So Open Wallet foundation is just about creating code and you have a standards organization that works in alignment with open wallet foundation called the trust OP foundation where actually the the governance frameworks and technology ideas are shaped, which are then later translated into technology.

So key industry collaborations where stuff is happening in the world. Obviously Open Connect foundation is also in the game there for the use stuff, but these are the ones where all the new work is happening. Key infrastructure providers are obviously those things that you probably have heard of in in the, in the early days.

Sovereign was is is and was operating in hyperledge Indian network ID Union is co-funded by the Federal Ministry of Economic Affairs in Germany and is providing also verifiable data registry and technology and SY is obviously the European blockchain services infrastructure which is also still in the game for the digital identity wallet. So watch out for these things. All these are looking for convergence because they know that they are alone, cannot really have everything they need for providing for all stakeholders the necessary services.

So they're looking into convergence, maybe it can happen, I think it would be well warranted. And last not least key industry conferences you you should go to if you're interested in not only consuming but contributing to this work is what happens twice a year at the internet identity workshop in Mountain View in in California. Luckily we now have like a European representation of that which is the Dice digital identity Unconference Europe, which is happened this year the first time in Zurich. It'll be next year again in Zurich.

So if you want to have this Unconference style approach of IRW and want to experience it on European soil, go to Zurich next year. Obviously as we are here at the Kopi Cole event, you know that the EIC European Identity and Cloud conference is like the flagship conference of KuppingerCole. It has well ly the the name of being the place in digital identity and identity and access management to be if you are in Europe and also outside Europe. But this is like the biggest event that you want to be in.

If you want to see leading edge stuff being discussed in Germany, it's in in Berlin, it has moved to Berlin and it's a very good conference to get in touch with the global community as well. And obviously as I'm here as a tele trusts board member, we have the tele trusts conference and we have the tele trusts Cigna tour attack, which is actually a very high class event. It's much smaller but you will get leading edge information and insights from the regulators, regulators and from the German community on digital identity. So these I think are the places to be.

So I'm approaching the end of my 20 minutes so I will cut it short here. So this is the, the triangle that you probably have seen many times trust triangle of decentralized identity. So I think this is the future. We will have something coming from an issuer going to an holder or owner and you can bring it to a verifier with your wallet. So this is something that you probably have seen many times. I think the winner will be the 42 of the wallet world will be organizational digital identity. So the one thing that answers all the questions will only come via good use cases from the industry.

And I'm not talking government here, I think government is helping us to have the regulatory framework. I don't like the timelines obviously of IDAs. You probably know that by now. So I think having good solutions that are very useful for us and are usable will be the winners of the game in this electronic trust ecosystems play.

So I think having good use cases that that we can really do something useful for us will come where our organizations and their interaction in this dynamic world and when they bring this to us, this will be something that brings electronic trust ecosystems in a broad acceptance. So in the end, do we have like a uniform trust model that also would enable zero trust architectures with this game yet? I think we don't, but I think we have all the building blocks in our hand.

So, and having an having a trust relationship in the electronic world requires digital identity and this will be absolutely everywhere. As we now see, and I think this was brilliantly presented by in his opening speech, if we have deep fake video capability, what can we still trust? If you want to have knowledge about who's on the other side of your line, then you want to have authentic data, you want to have an authentic connection, you want to authenticate the other party on the other end. And this can only be enabled with the things I just presented to you.

So having a trusted world will only come with authentic data and cryptographic assurance is a big part of it. And I think this is what will come with the you digital identity wallet and all that comes in the wake of that. Thank you for listening. I'm here now for more questions or later. So I hope you had a great three days already and thanks for being interested. Thank you very much Andre.