KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Tune in to this episode to explore ways to navigate tradeoffs between privacy and accessibility in decentralized identity and learn about interesting user-centric approaches that can be applied to modern identity protocols.
P.S.: You do not want to miss out on our little surprise at the end of this episode 😉
Tune in to this episode to explore ways to navigate tradeoffs between privacy and accessibility in decentralized identity and learn about interesting user-centric approaches that can be applied to modern identity protocols.
P.S.: You do not want to miss out on our little surprise at the end of this episode 😉
Hello everyone. And welcome to Frontier Talk, the world's first podcast on decentralized identity. I'm Raj Hegde. And in this podcast, we explore the intersection of identity people and technology. Digital identity is a representation of you on the internet. It essentially is any personal data that can be traced back to you. Over the last three decades. My guest on the podcast today has, has worked tirelessly to break new ground and establish a user centric identity layer for the internet.
He is a pioneer who has spent some of the most widely used identity standards on the internet today and has centered his energy around deep trifecta of identity, user centricity, and privacy here to share his take on December biases of decentralized identity and user centricity, Nat Sakimura, chairman of the open ID foundation. It's an absolute pleasure to have you on the pod today.
Thank you very much for inviting me to this venue. I'm really pleased to join you.
Likewise, the honor is all mine.
I highly urge you guys to stick around till the end of the episode, because we have a little surprise in store for you. So anyways, let's get started. So not you've established yourself as a global expert in the field of identity. What originally drove you to specialize In this space? All right.
So that's, what's a little bit parcel thing. My
I mean, that's, that's, that's quite inspiring. And for our audience, could you perhaps shed some light on the work that open ID foundation does? What essentially is the open ID foundation? And could you perhaps expound on your role as chairman of the foundation? Okay. So open 90 foundation is a, it's a non-profit organization, which has specialized on this standardization, the international standardization of digital identity and API access management. We have created main product is something open ID connect, right?
It's a standard which is being used by a lot of places from big techs to the companies, to the small guy like me is running my own identity solver since 2011. Right.
So, so that's the core product and we are actually creating, you know, the profiles add-ons and things like that, which makes it easier and more secure for people to transact on the internet. Right. And could you perhaps talk a bit about open ID connect, essentially? What role does it play on the internet today? So internet unfortunately came out without the notion of identity. Okay.
And, you know, by identity, I mean the set of achievements, right? It's going to be used to recognize one person, one entity. It doesn't really matter whether it's possibly it's a process, you know, both the things, something like that, but to make the internet environment safer to transact, you really need to be able to find out who you are actually talking to. Right? You need to be able to authenticate the other party and to do so.
We need to gather a bunch of the character, bunch of characteristics, which we call us attributes or claims from the other parties and evaluate if that's trustworthy enough. So open ID connect is essentially doing that. We call it selective attribute disclosure protocol. Okay. So it actually allows you to express yourself as having a set of Archie groups. We call it cleanse, right? Because you have claimed that claims are tested by somebody else. You usually, because, you know, if it's just self claimed, it's really helpful.
The receiving party believe this, the bike usually are tested by somebody and pass it on to the receiving party. So that receiving, receiving part, which we call grind party can actually evaluate what's in it and evaluate that it was actually a tested by somebody he trusts or she, or she trusts and the message hasn't been right. Interesting. And they're making it clear. So absolutely No, no doubt.
But I'm, I'm curious to know, like, how do you bring about a physical representation of oneself on the internet, particularly at a time when, you know, no such thing exists, there is no identity layer. So how do you come up with standards for something that doesn't really exist at the moment? Yeah.
That's, that's an evolutionary concepts, right? Yeah.
Some, some people say that openly connect these some are three point dollars, something like that. So they've been doing that full iterations for many times, right. Started off from the eldap and things like that. And then we said, oh God, okay. We'll do it better next time. Absolutely. We repeated that. Yeah. Yeah. Yeah. Perfect. So before we deep dive into decentralized identity, could you perhaps double click on the concept of digital identity in itself? So what essentially is digital identity today? So that goes back to the cost of our identity.
I guess the concept of identity is actually once, you know, somebody being able to project himself or herself or themselves, right. To other party so that they will have similar perception of yourself. And you've got all the self image and you want the other party, the receiving party to have the recognition of yourself, which is hopefully more or less the same as your self image. Right? Absolutely. Which doesn't really happen because you just can't put X rolls onto the receiver's head. And that is correct. May car sites like that.
But so you keep trying to close the gap between their perception and your process perception. And for doing that, you keep providing, you try sending, okay, this time, this kind of attributes, like how you behave, right. And then you try another thing and things like that. Then you are always adjusting it. That is to close the gap to meme as a camper. And that email is identity, right? It's your identity.
You know, that, that's what you perceive yourself as correct. That's how you want the other party to passive us. And a medium to do is actually the set of Archie is that you are going to be providing to the other party. Correct. All right. So in the technical Tom, in, in the, you know, it was redefine identity, a set of attributes related to entity. So set sets of attributes related to me is my identity. Now I'm going to have many identities, right. I have many kinds of relationships or contexts, and I choose to provide other sets of attributes to each, each context, each receiver.
But that's how identity is. And digital identity is a digital representation of that.
Okay, Brilliant. Yeah. You mentioned earlier that, you know, users, people, humans have multiple identities and the internet in particular makes that possible. So my question to you is why should people take digital identity seriously? And more importantly, how can they effectively manage these multiple identities on the internet today? Right. So let's try, let's talk the first, let's ask the rest of the first question. Why should they take these all identities seriously? Because if you don't have effective still, I didn't hear of, you can control.
You will not be able to express yourself on the internet. That is you will not be able to exist in the way you want to be in the cyber space. So unless you really take just all identities, seriously, you will not be able to exist in the cyber space, which is becoming increasingly important in our life, especially post COVID.
Well, no, the second question is how can they effectively manage multiple identities? That's a very, very hard question. It's something to do with the user interface and the understanding how it works, but it's really difficult for most people to actually make it out how things work under the hood. Right? So as an identity professionals, we have to devise a way in which people can use it intuitively just like they do in the real world, in the real world, we, you know, keep multiple, multiple identities, right? You are a face us father, you are face us, your colleagues, right.
There's a different facet, different identities. And you do it, you know, without thinking intuitively and the what, where you're targeting is trying to make some, something like that possible in the digital world as well. Unfortunately, we haven't got there.
We even, probably don't really know how to do it yet. Right. All right. But that's where we are going. Okay. Right.
And yeah, as you just mentioned, identity is fragmented today. You know, people are multiple identities. We have multiple identity providers today. There's also, well, well, we also living in an era of centralization with, with big tech banks, governments in all sorts of all sorts of entities say wanting to become the identity provider of choice. So I see a lot of similarities between the early days of the open ID foundation and the decentralized identity community today.
So to say, so my question to you would be how did open ID aggregate all of these parties in, into a single ecosystem? The situation is very different than now. So you actually have to take it with a grain of salt, but what actually helped to get all the people, you know, all the competitors in one tent was that where you are actually trying to be really use case agnostic. We also listened to the market requirements seriously. And our motto then was a simple thing, simple, simple things, simple and complex things possible. Okay.
We made sure that simple thing can be done very simply at the scale. So that kind of attitude seemed to help people to flock to the foundation to create a single standard. This single standard is actually really important because then we will get the benefit of increasing return, the benefits from the scales.
So that's, I think what happened at the time, right? And you know, the current industry paradigm, as you might know, is, is that sensitive data is still in centralized.
Honeypots, you know, we have a finite number of identity providers today and the implications of having data stored and saw tiny pots of salt is that there are irreversible data breaches, data leaks, all sorts of scandals associated with personally identifiable information. My question to you is, is decentralized identity an antidote to this problem. What's your take on this? All right.
So this, you know, centralized, decentralized dichotomy is a little bit misleading. I think the, from the user centers to your personal tasks, kind of point of view, it's more the control, which is important, right? So even if the data, the palsy is centralized, if the user is given the control and the, the provider of this harvest actually doesn't use it for their purposes. Then part of the, the, the issues that we are facing right now will be solved at the same time. If the data topology was completely distributed, still the controls on the providers side, and that's entirely possible, right?
Recently, you know, the mobile operation operating system vendor announced they are going to look into your phones and such for the things and, you know, remove or report or things like that that's entirely possible. So even if they're the policy is completely distributed, you still may not establish a desirable amount of control. So that's one aspect that we have to look at from the centralized decentralized. What's important is the control from the quote unquote right. Kind of site right now, then you talked about the data breach. Yes.
There, the breach is going to be probably at the, at this moment kind of more dangerous in the case of centralized data store. That centralize is not really a good word for that, the overarching relational data.
Right, right. Because it may be stolen one goal with one security horse, something like that.
But, and the currently the, the network that these things operates to flow to be effective for those bad guys, probably, but even the, the, the other perspectives that if that becomes fast enough, and then even if the data is distributed completely disputed to the, the mobile phones that people has down in their heart pops the wall, the top, for example, maybe correct. Having a security hole, the bad guy, maybe able to extract will there. Right.
I, I think some, some, some great points there. Definitely.
I'm, I'm curious to know, like, do you see a future where centralized and decentralized approaches to identity would coexist or are they two separate entities in their own? Right. So centralize them, these, I mean, the I've given this talk in a separate forum, but the very seldom one technology can completely replace okay. Things pilot. Right. So the existing infrastructure usually remains for a very long time and then, okay.
New infrastructure actually comes on top of, so from looking from that pattern, I, I think for a long time centralized quote, unquote, centralized and decentralized actually probably would coexist. Now one caveat is that there's no completely centralized system. It's shade of gray. Right?
So, so my next question to you is, you know, on one hand we have a billion people living without identity today, you know, denying them crucial access to two essential financial and social services. While on the other hand, big tech is increasingly correlating information about us today. So my question to you is, does decentralized identity have a role to play in, in perhaps squaring the circle to widen the access to digital identity?
Sure, it does. I mean, the, the, so there are people who are denied to have even legalized, I think she's right. And those marginalized people are not interesting enough for commercial entity to provide the identity. So for those people, something like decent tries to identity, this notion could become very important.
Now, if it's going to be a smartphone wallet type of digital decentralized identity, I don't know, those people may only have very, or the future form, right. Or they may even be lucky, good access to network or electricity. So that's something we actually have to consider that also, we also have to be cognizant that the reason why many of those marginalized people are liking access to, for example, biking subs is not because of big techs.
Right, right now we are fighting against money laundering and terrorist financing. Part of has put a lot of restriction to us, the parking service to, through our doors, but that has actually driven up the banking costs substantially. The KYC munching for the mother laundry costs so much. And because of that, onboarding those poor people with like just $50 a month income to the bank became completely uninteresting from the commercial point of view from the back.
So unless we solve that kind of problem, know the onboarding costs problem, the bank service probably won't be, will be, will not be provided to those people. So we have to look at those in a social aspect as well.
Just, just, just simple technical solution. Absolutely. That's true. That's true. There's this concept of onboarding, you know, essentially serves as the perfect segue to my next question. I'd like to explore this symbiosis of decentralized identity and, and user centricity.
You know, Yohanas Ernst mentions that any identity interface should make user centricity as its core proposition. How would you currently describe decentralized approaches to user centricity today? I can't claim to know every Decentralized identity scheme, right? It's kind of fragmented right now. So maybe generalization generalization could be hard, but the, as I understand most of the new identity schemes, including open ID by the way, is based on the user centric concept, right? It's the user who decide with that particular cleats, Chivas are going to be provided to the drawing party.
So that's the core concept to most of the, those modern identity Federation. And I did see what I did G technologies and decentralized technologies. All right. So that seems to be a lot of decentralized approach. So I don't claim to know everything. So the generalization is a bit hard, but from what I know is that modern identity technologies even cruising operating from X is based on user centricity. That means user is at the core in deciding what attributes are going to be provided to the parties now. So I'd be very surprised if a new scheme, which actually doesn't allow that correct.
Having said that there's one important point that I would like to make because I'm a consumer advocate as well, just relying too much on user consent is very, very dangerous because people tend to over consent. So I'm preaching to most people, that user consent actually is a last resort. You should try to use other legal basis if possible. Okay. Could you perhaps expound on this concept of, of why people tend to over content? I'm curious to know about this, right? So There are enough experiments, right? Conducted everywhere in war.
For example, one of the example was people I was asked to, to agree to the council's harvest and provide all the data and the false item in the house of serves. That was that if you agree to this agreement, you agree to give up your son. Right. Okay.
And well, we'll see in return was just a chocolate. Correct?
So they, they, they are, the most people actually agree. Right.
So, you know, asking quote consent to consumer is a bad idea. You it's really difficult to get the real concern.
I mean, you can have people click yes. Bottom, but that's, that does not equate to concept. Right. There are lots of conditions for consent. Correct. And one of the, the conditioning is that the call center actually understand what he's doing. Absolutely.
That's, that's one of the most important and fundamental reasons For consent. Oh God, that's a really hard, right. That is true. All right. So especially one people are confronted with so many constants screens that they have to press a button. It will become a numbing experience. They tend to start clicking yes. To everything that Is true.
I mean, every time I get an agreement in front of me yeah. Like 10, 11 pages, I just click on yes. Agree without even like reading through the agreement.
So, So yeah, I do. I do agree. It's just behavior. It's fundamental to us. This has just come on human behavior. Absolutely. If you actually seriously look at it, it's completely infeasible to, with all the, you know, those legal documents, besides most people actually don't have the ability to read it all the time. It's just really difficult. Even you've had, even if you had the ability to do that, I haven't seen a study that it will actually take full one.
I mean, unless I'm paid by the hour to read through stuff, like I wouldn't even look at legal language to be honest, legal lingo at its own has its own little space on the side. So, And that's completely infeasible and it's, it's completely unrealistic to expect that the users actually read through them and understand them and consent. Right. And I was talking to one of the big tech guy number of years ago, he was actually, he was on the identity team and she was actually fighting against their legal team.
And their legal team was asking the, I think he achieved to get consent for everything that the company wanted to collect. And the he team was saying that, look, the parceling is clicking. Yes. Within one second on average, that means that they're not reading it. So it's impossible to show that they actually agreed. Correct. So it's completely wrong to try to collect the quote unquote consent for all the things that we are trying to pay. We should minimize the data that we are collecting. Right. And just present like two or three lines of explanation about why they are doing so okay.
Instead of giving the user 30 pages document. Yep. I understand to add to that. What are some of these unsolved gaps that you see in decentralized identity today? One being the, the constant issue, anything else that comes to mind? I'll send this one thing.
The, the other thing is that the looks to me that they are very much fragmented right now from the point of view of the drawing parties. If it is fragmented, it's really difficult to adopt. Fragmentation means that the addressable market segment for each method becomes so small and it will probably become really difficult for them to justify the investment, to implement those.
So, you know, wishing that they, the space will consolidate a little bit constantly. That doesn't mean that the players consolidated, right. It's a standard. If they can come together to like a few options only instead of the 94 right now, that's going to be very useful. All right. You mentioned earlier that the open it foundation essentially was, was built on the context of, of being use-case agnostic.
While on the other hand, in the decentralized identity community, we have a large number of platforms and protocols that solely focused on a specific use case and taking this user centricity question in light. What's your take, should, should the focus be on, on, on a use case in this case, or should it be more focused on, on, on human agency on, on trying to give more power to the customer, to the end user to say, take control over the identity? Or do you need a mix between the two what's what's the right yeah. Mix here.
So we definitely need to look at the use cases, even with the open, like the connect, we have looks at many use cases and we try to solve 80% of use cases with the single political. Right. And that's possible, right.
I mean, you console everything one proposal that's for sure. But you could try to, you know, build a platform. So the protocol, which would solve majority of the use cases. Right. And then there could be use case specific bits, which is not so blight solved by the core protocol itself. Right. In that case, you should just go the, that instead of trying to make everything completely separate from others. Right. So yeah.
Mean the use case, we should be realistic on the use case, but at the same time, like you said, we should achieve that through a core protocol, which enables users to take control. Okay.
And, you know, speaking about this, this, this element of user centricity, do you have any, any, any suggestions that platforms in the space could, could, could use to say, not only onboard more parties and more participants, but also bring the focus or, or rather move towards being a more user centric platform? So to say, because, you know, I, I spend a lot of time with the decentralized identity community they are, but it's one of the most passionate communities that I've been a part of.
And, you know, there's so much to learn from and they truly want to empower the user at the front. But, you know, from a technological perspective, you have, you know, issues pertaining to onboarding private key management and credential management and so on and so forth. So any tips from your side to navigate such a complex ecosystem at this point in time? Yeah.
It's really difficult for, you know, create, it's really difficult to create easy to use, you know, user experience, the intuitive user experience so that people can actually use, we tend to talk within the tech community a lot, so to speak, and we tend to assume too much capability about the people, but that's probably a helpful way to go, right. So we need to be quite practical. And so there, we, I kind of believe that we need to a lot of user study and that can actually be cultural culturally dependent. Right.
So I, I think we don't have enough knowledge and experience on that. Right. And speaking about practicality, what problems do you think decentralized identity are, are best suited to solve? Okay.
So my, that actually depends on the descent, the definition of decentralized identity. You've got the decentralized identity as I view ours. I think she information, right. The central attributes, which is being tested by authoritative parties. There are many authoritative parties involved. For example, if you want a desktop, you have a duty from such and such school, then that's cool is DOL 32 source for the attestation, right. Or if you want to prove that you are employments in your position, that company, then that company is the authority to source. Correct. All right.
And the, my view of a decentralized identity is that these authoritative sources start issuing those attestations okay. In a common format, so that the possible in the sector like me can start using them to express themselves. Right.
So, you know, the coffee passport is just one thing like that. But what I'm hoping is that the, the full months for the other form of such thing, and the signature on the verification form methods are going to be standardized. So that from the implementation point of view and the reader's point of view, it's going to be really easy.
And, and I called earlier, you mentioned that any new technology happens incrementally. So my question to you is when do you see standardized decentralized approaches, eventually becoming a reality, The verifiable credential kind of, you know, the, the attestation side, I think it's going to help them, but some special number of years to be able to control them, control the flow of those attested claims effectively full majority of the population still needs a little bit walk, you know, and at the same time it might end up.
But for that, for some portion of the population, somebody like cloud-based service, which may look like centralized for, from the topology point of view. But as long as they don't control and it's control it's on the user side, I think that's okay. And we'll provide a way for a lot of people to actually make effective control of the attributes or identities on the cyberspace Pushing for a more hybrid approach to identity. Yeah. Right.
I mean, you know, the monitoring key, private key is really difficult for most people. I'm on the extreme side of that. I tend to everything myself right now. I do have like a file sharing service of myself. I do operate my all emails have on.
So, so far it's crazy. So I don't expect that to, yeah. I don't expect most people to be able to do it. So scalability would be an issue. Right. Right. So the term decentralized is almost always associated with blockchain technology. I'm curious to know, are there any technologies beyond blockchain that focused on decentralized identity? I think they are orthogonal. Okay.
Ideas, right. Blockchain is a technology that can be used to implement decentralized, but these centralized identity doesn't need blockchain or decentralized and she can be implemented without blockchain.
So, so finally, what is the area of innovation that NAZA Kimora is spending most of his time wrestling with at the moment? So, you know, I'm actually in the process of changing focus a little bit right now because I have, I'm pretty much done with the floppy kind of thing, financial graded API thing it's been deployed in UK, Australia, Brazil. So to be on the United States and Canada, and it's being deployed within Russia and so on, so forth. So it's kind of done to me. I mean the Virgin tool, but the enough people that I trust who working on that, so, okay. I'm moving on. Right.
And so what I'm actually looking at right now is how to express the trustworthiness of the claims, the attributes, right. So that's based on, you know, meta data, like how it was verified. Okay. Why it was verified, who verified it and so on. And so that kind of is really important in establishing the trustworthiness of the attested claims. Absolutely. And that's the kind of things we are walking right now, also that ex Tenzing to the parcel within the corporation. So we call it the authority claims.
But you know, if you, for example, you walk for Kuppinger court and you have certain responsibility and authority within the company. Correct. How do you express that? That's a good question. Right? Correct. So that's the kind of thing that we definitely lacking right now. So we have started walking that in a walking group called the KYC on idea idea. So that's one thing. The other thing is that I'm my vision of identity deployment is that, you know, no one's key captures everything. No one scheme is able to take care of everybody. Okay. All right.
So I'm country walking on the banking identity, right? So the financial institutions can actually solve trust UNCA for the customer in both individuals, as well as the large companies. And then hopefully we can set up a trust frameworks and things for that community financial committee. Right.
And then, you know, in the developing world, a lot of people, sometimes the majority of the population is unbanked. So the kind of scheme doesn't work right. Then there needs to be a whole ton to use for their high assurance, trusted identity. And the most potent Kanji for that is mobile identity, right? Like for example, in Kenya, safari comes providing Mpesa and that's that the factor in payment, because so that cam for another chunk of identity, you know, skeet sort of sweet in the juice geography.
And then my vision is that they actually interconnect on the comparator compatibility principles so they can incorporate to each other. Right. So we build the islands of those communities and, you know, stuck connecting these communities together. So that's something we are walking and working on. And actually we are making a kind of announcement of the forthcoming European identity conference. Absolutely. We look forward to having you in person at the European identity and cloud conference this year.
Some of the stuff that you've mentioned just now sounds incredibly idealistic and inspiring, and I wish you the very best of luck in all of your ventures going forward. I'm sure you're going to come up with even more groundbreaking stuff. Just like how you set up the identity layer of swords, you know, two to three decades ago on that note, you know, it's now time for, for my favorite part of the show, which is frontier fire, where I put my guests on the spot by asking them a series of rapid fire questions. So sucky Morrison, iReady.
Okay, perfect. I'll try. Okay. Let's get started. Describe yourself in three words. I didn't he privacy Arctics huh? Super. What's your mantra in life? Look inside. Okay. Very reflective. What important truth do very few people agree with you On? I don't know if it's important, but I'm actually more short tempered than most people believe.
I really, I mean, you seem like one of the most calmest people out there, like at least, you know, in the episodes that I've recorded, it's like, it, it, it, it has a very Zen like feeling today. So, so I mean, I would find that very hard to believe. So I think that's a great answer actually.
So, so what's the one skill that has helped you stay a generation head when it comes to, to the field of identity, Combination of bar, the view and ability at least ability to listen. Okay. A book you would recommend to our audience, Brave new world by Aldous Huxley. Okay. And what's the best piece of career advice You've received. Invest into yourself. Okay. And name a person who inspires you. That was the hard question, right? I was thinking It's because a personal right. I tend to get things pirate by everybody I talk to. Right. Right.
So I think, I think you're going to bypass that question. That's that's perfectly fine.
Oh, finally, what's, what's your advice to anyone listening to this podcast?
Just like I said, in my mantra, try to look inside, do not be blinded by the, the, the flashiness of the Sophos. Right. For example, when blockchain came out, everybody was going there saying that this saves the wall kind of things, which of course is not true. If you really look into it, there are lots of things that we act surely walk home. So it's really important to look at the substance
Great answer.
You know, as promised we have a little something for you guys, for those of you who might not know,
That was an incredible rendition of Sicilian. I'm sure it will be smiling up on the heavens today. Thank you so much for considering this request. And thank you again for your time. This conversation was an incredible learning experience for me, and I'm sure our audience today are a lot more wiser about concept rounding, digital identity and user centricity on behalf of KuppingerCole. I wish you the very best of luck in all of your endeavors moving forward, and I'm sure you will continue to break new ground in the identity. Thank you very much. Thanks Nat.
It was my pleasure to be That was Nat Sakimura. Nat will be delivering a keynote at the European identity and cloud conference EIC, and you can get your tickets. Why the link in the description box below. I hope you enjoyed this conversation that dabbled around decentralized identity. The question of user centricity, and also explored the concept of digital identity. If you enjoyed this conversation, please share this with anyone you might know, we try when your feedback. So please post in your comments in the comment section.
And until next time, I hope to see you again on this fascinating journey to really find the I in identity until next time stay safe.
