So as you just heard, I'm Elizabeth Garber. I have a small startup called IDPartner. I'm also one of the editors of the original GAIN paper and co-chair of the technical proof of concept at the OpenID Foundation.
And I'm Shaw, Chief Identity Strategist at the Open Identity Exchange.
So for anyone who does not know, GAIN was a white paper written in 2021 and it made the case for a globally interoperable network for high-trust identity information or levels of assurance. It was signed by more than 150 authors and was a no-logo, pro bono publication.
And it has since then spawned quite a bit of work in different nonprofits around the world. And we're here to tell you a little bit about that.
In short, what we're trying to do is connect different ecosystems of trust that already exist, starting with those that have achieved scale. I'll tell you a little bit more about this picture later on.
And GAIN was a paper originally, say, of over 150 authors; it was an idea, it's become a movement. So the call, it was a call to action. It was identifying the opportunity and the need for this global Assured Identity network, which enables IDs to work across borders, across boundaries, be that virtually or be that physically when we move from country to country.
And since the paper was launched, six not-for-profits have come together to move that vision forward. So we have, kind of across the bottom, Open Identity Exchange; we are looking at the rules and governance element around trust frameworks. OpenID Foundation are looking at the kind of identity standards and the more technical linkages that we need to make possible to enable that interoperability. IIF, International Institutes of Finance, are supporting us in the finance community, both where banks are IDPs and I think the original paper was kind of very much premised on banks being IDPs.
We'll come onto that in a moment. And that's not always the case as we know. But there is a big liaison into the finance community, both as adopters and providers of identity. Cloud Signature Consortium in terms of the IT links into electronic signing that take place when we use digital identities and ability to do that across border. GLEIF: so when we are dealing with organizations, we need to know who they are.
And there's a foundational element of if I'm using an ID that was minted in the UK over in Singapore, the UK organization that minted it, who are they, both at the framework level and digital ID provider level, are those organizations known and verifiable identities? So the vLEI from GLEIF starts to play a key role in the overall ecosystem as that expands. And then Secure Identity Alliance. There's "under discussion" on here; actually it's an old slide, no longer under discussion.
No, no. They now have joined.
My error.
And they look on the standards for the foundational government layer. And this is, you know, the point I was referring to earlier, most IDs come from governments and the standards that governments are using are coming be through S I S I. So having them as part of the group is really key and we are continuing to talk to other organizations about joining this movement, making it broader. We can only solve this puzzle if we collaborate. So we continue to seek additional contributors.
So if you are from another organization that's interested in this, please do listen carefully to what we're saying and think about whether you want to get involved. 'Cause we'll be asking you that at the end.
And what we're doing here is guided by a set of principles, and those principles remain true from when we originally started and launched GAIN. So we are trying to achieve global interoperability so that identities, be they embedded in a wallet or issued by a government in a centralized manner, work seamlessly across the globe.
And that needs to be technology agnostic because those identities are going to be implemented in technically different ways. So this is not about technology normalization in any way. It's about recognizing different flavors of identity, centralized, decentralized, and ensuring that they will all interoperate.
Therefore, it's about using open standards to make that happen. Not new standards, but open standards that are available and how can we put those together and assemble them to enable interoperability. Now that doesn't mean those standards won't need to be improved or extended to make this happen, but we are starting with and continuing to evolve open standards. Pluralistic governance.
So what this means is there is no one organization here; you can see this is a collaboration of not-for-profits driving this vision forward.
The vision isn't to create a single governance body for international interoperability. That's not the goal. Governance of individual identities will be by their frameworks, issuers, governments; the interoperability we want to be done in a pluralistic fashion. And this has all got to happen at internet scale. We need the IDs to be able to operate at scale across the whole globe. And one of the things I always add to this list is no new nodes.
So we don't want to be creating, whilst we've got no pluralistic government approach, nor do we want to be creating new nodes that become either control points or points of failure for the interoperation. We want to do this in as distributed a manner as possible.
So these are our guiding principles that we stick to and we make sure that we are running these through everything we do. Like in the UK we say, like a stick of rock. So
Now interoperability is a critical enabler of a lot of the things that many organizations around the world are talking about. Whether we're talking about the sustainability of the system itself, whether we're talking about how we ensure that people have access to a global digital economy. Interoperability comes up in McKinsey, it comes up in the World Bank, it comes up in ID2020, in the OECD principles.
It's something that is really going to be critical in unlocking the value of digital identity systems; that's shown over and over again. And from a high-trust point of view, this continues to grow in relevance because, you know, all of the problems in the world today of increasing levels of fraud and breaches, we're creating a world in which an AI can actually lie to you to try and pass a CAPTCHA check and prove it's not a bot. High-trust identity is becoming ever more critical.
And we need to recognize that different wallets, different countries will have different identity solutions. So in the original paper it was quite finance biased and it read as though the solution for this was banks creating identities and making them interoperable. Banks in certain parts of the world, the Nordics, it's possible in Germany, Canada, are identity providers, but by and large identity providers are governments.
And that's often just one centralized identity, as we've just heard from MOSIP, enabling foundational identity to be digital in many places around the globe. So we have banks, we have governments in some places in the world. We have telcos who are playing a role in identity ecosystem, enabling people to hold that on their phone, smartphone or feature phone, to present who they are and make payments. So that's a key part of the identity ecosystem.
We have tech giants. So in the US we have Apple hosting mDLs, mobile driving licenses. How does that work within this ecosystem?
How can I present, I'm not gonna go into how can I present that from state to state at the moment, that's a separate question, but how can I present that in the UK and how would we make that interoperable? And you know, from a tech giants perspective, I've done that from an independent or disruptive perspective. We have a whole host of people who are creating new and innovative ID ecosystems, wallets that will be delivering those platforms under the EU ID wallet program.
You know, it requires that a government creates a wallet for its citizens; the government itself doesn't have to create the wallet. It can outsource that. It can create a marketplace of providers. So different governments will take different strategies around that. So we have to be prepared to and planning to work with different market entrants. So within GAIN we are recognizing that all these different parties play a vital part in the ecosystem and again, invite them all to participate and contribute to solve this puzzle with us.
And
So now we're gonna tell you a little bit about what's been happening in the working groups so far. So in the technical GAIN proof of concept community group, which I co-chair with others, among whom Dima is sitting here in the front, we have been working to build an interoperable. We've been working to connect different trust ecosystems around the world. And so far we did an alpha POC, which was built off of the OpenID Connect for Identity Assurance specification. And we had a number of participants, probably five to 10, who implemented that particular specification.
And we had demonstrations. In fact, last year at EIC we demonstrated the transfer of data from an ecosystem in Germany, yes.com, to a document signing use case in Italy. So that was step one. Step two.
Over the course of the last year, we've been working on what is our protocol for trust management across the network.
What have we done to enable the ecosystem actors from one network to trust one in another network? And so we explored a number of different trust management possibilities and we've written a paper in which we've outlined a lot of our thinking there. It's probably too much detail to go into right now, but we worked with OpenID Federation, OpenID Connect Federation, to connect off fleet in Japan.
That's the identity provider in Japan. We also had a relying party in Japan, which was KDDI. We connected that with a German system of banks, yes.com, as well as two Italian federations. SPID and GIA, is that how you pronounce it?
So we've interconnected all of these and we've learned a tremendous number of lessons about both OpenID Connect for Identity Assurance and how the minimum viable specification there needs to work. And it's been a really interesting process in terms of both specs, working between the proof of concept and also the working groups on those specs for lessons learned to mature both at the same time.
Now we're looking, so we're looking to continue that work to bring in more ecosystems into our network and continue to mature the specifications.
But we're also looking now to connect different types of architectures. So we're looking at how do we connect wallet-based, SSI-type ecosystems into our network. So this is a really live conversation. I pasted this from our Slack channel just a couple of days ago. Folks are looking at what decisions do we need to make in terms of the GAIN baseline profile for OpenID Connect for Verifiable Credentials. And there are many, many, many other ongoing conversations about these architectures right now.
So if anyone's particularly excited about that, please come and join us in the technical POC.
And before we move on from that slide, what have I done? Just pick on so point for those of you who told me talking yesterday about data standards and the need for a common set of data regardless of the envelope, this is a way to illustrate that.
So this area here, I'm not stand on a chair, but verified claims in red there downwards, verification, trust framework, claims, that's the core of OIDC for IDA shown here, sat in the middle of a verifiable credential. Same data, different envelope. And that's what we've got to achieve if we're gonna make interoperability easy across the globe.
Absolutely. Thank you.
So at the Open Identity Exchange, we've been looking more at the policy element.
So we've been looking at different frameworks around the globe and we've come up with this approach of an open policy rules exchange framework. We started off thinking about some kind of uber framework that sat across the top, that normalized everything. As we look more and more at different frameworks around the world, we realize they are necessarily different.
They reflect different policy requirements, different identity ecosystems within countries, from governmental issued ID to no governmental issued ID and lots of different proxy ID documents that need to be added together. They reflect different risk appetites, they reflect different attitudes to privacy.
But we realize that whilst the policies are different, the policy titles are pretty much the same. They're addressing the same issues. So they will address privacy, but how they address privacy is a local matter. So what we started to do was unravel the elements of a framework. So it actually breaks down into three areas: general policy rules. And this is on one hand, so this is the boring stuff.
It's the stuff that sits behind and makes it work. But it's actually the really important stuff. It
Really lights you up too, doesn't it?
I find it interesting. Anyway, you know, in here you'll see things like data management, minimization. So we've got privacy embedded in here, inclusion, trust mark, incident management, fraud management. So we're covering things that, you know, what happens when things go wrong. So this enables us to understand the different characteristics of the framework. And what we've been doing is analyzing different frameworks under these topic headings to work out how do they address that particular area and declare that as a characteristic.
And so far we've got 178 different characteristics we've identified on this side of the diagram. And we continue to work with frameworks. I think we're heading for three or 400 different characteristics when we've got that. I know that sounds like a lot, but when you put that into these different headings and there are more headings than that, it's not that many.
And so framework can say actually, well that's the characteristic I use too.
And we can start to enable frameworks to understand each other through an exchange framework that on one hand can be used just for two frameworks to describe themselves to each other and understand their commonalities and differences. But ultimately should be able to systemically describe a framework in a way that a smart wallet can adapt to a new framework dynamically as we move around the globe. And then on the other side, we have accepted credentials and assurance policy. So which credentials are valid in that ecosystem? And then how are they added up into an assurance policy?
And what we're doing is creating this so that it works for government issued IDs, but it will work for wallets. So it's completely technologically and ID flavor, as I've called it here, agnostic. It enables all parties to describe and consume policy. So it's not just framework to framework conversations. A framework can describe its policy and a wallet can work out whether it can comply with that policy. A relying party can describe what its take on that policy is, even if there isn't a framework. So a relying party could use this in the absence of a frame.
So, well actually these are my policies, do you comply?
And often it will be a combination of the two. Here's the framework policies. But my take on the framework policies is this: I work within the policies, but I want this liability. I want this kind of data. I'm from this sector so the credentials need to be applicable and permitted to be used in my sector.
Oh, and importantly I want this liability. So whoever's giving me this data, if they've got it wrong, I want $10,000 liability. So we enable all of these parties to express their policy. And a lot of that's getting into some commercial elements of policy as well. And we've been working with these eight different frameworks around the globe to analyze their characteristics.
We've done the kind of top three and we're working through the other five. In two to three months' time we'll have all of this data together and over the summer we'll do some analysis and hopefully publish at the end of the summer what our findings are here in terms of is this going to be a possible and effective methodology?
Thank you. Very exciting.
We're pretty a bit short on time, but you know, they're enabling this smart wallet to work out whether it meets the policy requirements and then to answer the questions that have been asked of it by relying parties: have you got a credential I want? Is the person over 18 to my rules, or can you work to my local level of assurance, which can be derived from your different credentials? And then we've also identified that actually everybody pretty much does assurance in the same way. They mix things up differently.
Sometimes they accept some credentials, they don't need to accept others, they give them different strengths and weightings, they give the techniques different weightings and then they mix them up and then they mix them up again. It's like making bread. It's about how many times do you fold the dough to get to the result. And we've so far found that this works across all the different parties we've been talking to. So we're quite excited about that, I think.
So we've got one minute left; we wanna make sure we use that minute for questions.
But up here, if any of you are a nonprofit looking to or looking to join a technical POC where you can connect to all these networks on the org, engage in Nick's policy work, please, please do get in touch. I'll leave this slide up, but let's use last 40 seconds for one question if there is any.
Do we have any questions in the audience?
No.
No, I'll check online. You mentioned about interoperability, right? What were the key challenges that you faced and you're expecting to face in this?
Well, I mean in terms of technical interoperability, there's a number of different ways that the specifications that, well, I mean first of all, out there in the world there are many different specifications for these ecosystems to be built upon. And then each one may be configurable in different ways. And so we've been through a long process of learning how each of these entities has delivered OpenID Connect for Identity Assurance or Federation and needing to really do a lot of alignment to make sure that they match up and are actually interoperable.
So that's why I say we've matured both the spec and also our own understanding of what's minimally viable. I have other colleagues in the room who may wish to pipe up if they have any builds on that, but thanks for the question.
If I'd add that on a kind of policy side, yeah, somewhere between policy and technical, it's lack of standards for credentials.
As we break this down, we understand that actually it all breaks down to the credentials the user's got. But if we haven't got them in a standard format, we can't use them interoperably, and we've got standards for, you know, tracing the provenance of a credential back to its source.
We've got lots of standards for that. We've got some standards for, you know, credential format, DTCs, mDLs just emerging. We haven't got standards for proofing, we haven't got standards for how authenticators are bound when someone's proofed. We need to fill in those gaps if we're gonna make interoperability work.
Lots of challenges.
Perfect. Thank you so much Nick, and thanks so.