The Killer Credential - Spotting Verifiable Credentials That are Absolute Must-Haves for Every Party in an Ecosystem

Okay, thank you Marina. Thank you for Andre. Now for the next session, please welcome Eve Mailer from for to speak about the topic about spotting the verifiable credentials that are absolute must have for every party in your ecosystem. Thank you. Thanks. You will.
Hi everybody. We're gonna see if I can work the machine this time. That's not my deck and I'm not, Robert, I'm sorry to disappoint you. This is self assorted. You'll just have to trust me on this. Thank you. So I think we're all familiar with the concept of a killer app. And killer apps obviously drive growth and sales and profit and loyalty and it'd be really nice to find what we might think of as the killer app in this conversation. But things work a little bit differently when you're talking about protocols. And so I wanna just take a look at the proposition of what a killer credential might look like, a credential primary view in order to inform us about the subtleties that we need to take account of, not just around mandates, but around everybody in the ecosystem actively seeking out looking for these opportunities. And then we know that we might, we might have a winner because with a protocol we need to get a flywheel going, right? So that makes it different from a killer app, a traditional killer app. Also, if we succeed, I just wanna ask the question, will we know if security and privacy and experience have truly improved, which are our aims through all of this? Or might we accidentally make them worsen by how we do this thing?
So I wanna talk about protocol based ecosystems for a second. Probably a lot of people here were, were here for this movie, right? You, you were probably in this movie. Hi Mike. So what is different about this whole world versus an ordinary app? So protocols require all sides to change their behavior in some respect, successful ones, it turns out successful protocols, standardized specifications. They're actually, in my experience, having done some successful ones and some failures, it's hard to achieve. They, they're a little bit, they're sort of few and far between. And it's interesting to observe kind of our, you know, our shared history as a community about what happened to make these couple of things succeed. So SAML history, you know, I was the first chair of the SAML group. We finished V1 in 2001 and I was very naive at the time and I said, okay, everybody go and use it.
It's ready. And it took a few years and it was by no means assured that it would happen. And what did happen was the very first successes were around internal closed ecosystems, internal federation, shorter sales cycles. These things were factors. And it was largely for workforce. We didn't really, we didn't say Siam then, but these were largely workforce use cases that made it succeed. And it's quite, it's still quite prevalent now and popular now in certain circles. Some years later, open Id connect, did a really great job of listening to punitive relying parties and going back to the table and back to the table, having gotten advice about what would be acceptable. Because we know now about the power of those who might be willing to outsource a job if that job is done well enough and if they're not taking on additional liability. What's so interesting to me about Open Id connect in this case was it's actually an entirely different business model. Things like social sign-in things like, are you guys familiar with the word monopsony? So kind of like a monopoly. It's the power of the ingesting side of the relationship, not the vendor side of the relationship. They were driving the business and that was not really the case with SAML and they sort of went to their different corners and they're both relevant for different things. So similar protocols not that different, the one learned from the, from the previous one, but different incentives, different business models.
I've shared this diagram with this audience or similar ones before and I'm not gonna go into a lot of detail, I promise myself, I would never again say, this is a bit of an eye chart. This is the last time I swear that I'm ever going to say it. But this notion that there's a modern data privacy pyramid illustrating how regulations are going up and out I think is important for this conversation because it connects directly to user centricity because a lot of what privacy has been trying to achieve is a kind of user centricity, but it didn't even start there. So we've actually learned how hard it is to make privacy oriented and user centricity oriented solutions. Popular versus mandated. And that's directly due to business incentives. So there's, there's a lot of ways in which we can learn from this history as well.
And of course it's still happening. So with my 10 minutes remaining, I, I'd like to kind of make this a discussion, realizing that's a little bit difficult on the main stage, but we'll see how it goes. I just have one more slide and it's a doozy. So I just wanna walk through a kind of credential by credential view of what this wallet based credential kind of ecosystem could look like. Because it kind of reminds me of iot, it's not one ecosystem, it's not one market. It may be very many different kind of micro markets that have different propositions. So you know, this is obviously not the only way to analyze what we're seeing going on in our industry right now, but I haven't really seen somebody put it together the way I've been having to put it together for myself. So given that people and businesses are important and then processes are important and then technology is important, I wanted to just make this a little bit of a discussion. So I've listed, I think I've got six credentials to play with and that's not even all of the interesting ones, but I hope I have some extra interesting ones for you to consider.
The first credential type is a simple session indicator. Can you guys read that? Okay? Yeah, I think maybe you can. So you know, what might kind of strongly assured single sign-on look like in this new era? The first person, the first entity whose role I kind of wanna take is the holder. It's nominally who we're doing this all for. Let's test these assumptions. Could a session indicator you as a reusable credential actually help me go cross domain. You know, I talked about the history of cross domain, single sign on. Could that actually be a benefit for a user, for an individual, an issuer, you know, almost any issuer can produce such a thing. Do they take on new liability doing that versus the ways they're doing it now or versus the ways they've chosen not to do it? Now verifiers could be interested in this, I'm gonna say for the exact same business proposition, that single sign on as it's done today is for them, which probably means somewhat onerous business trust in most cases. So Wallace security, yes is important and we've just had some great talks going into specific detail about that. That becomes a new consideration when you've got that new piece part in the system. But in terms of the proposition, in terms of the value proposition, is it, is it that different? Which might mean those are some, some elements of friction that are gonna be added far away from the technology.
And I'd love for folks to disagree with me. Second one, I thought I'd go a little bit outside, draw outside the lines a little bit. There's a lot of interesting things in gaming in the gaming world and in the virtual worlds where it's not necessarily a skill of a character but it is an achievement of a human being. People love to show off and it might be interesting to have that be something portable that they can take into other gaming ecosystems and what that might mean for an issuer. Somebody who knows about somebody's level of proficiency for example, or you know, length of time interacting, they would probably love for people to be talking about them in other ecosystems. That's free advertising. So I thought that was maybe kind of an interesting aspect to this. The would be verifier might very well find that interesting information and it encourages community engagement, which we know is a big currency of these actual communities.
So interoperability is a question, but there might be a business model there. Pretty specific kind of credential scheme. I don't think I've seen this one. Any thoughts? I'll let you percolate. We can save them up. Citizenship is one we all know pretty well and I wanna give you my take on it. I'm fond of saying, you know, nobody wakes up and says, I think I'll log in today because it's so much fun. Identity is a tool that achieves a number of things. The way we do it now, the way we might do it in the future, in the near future, in this case, it's not something anyone asked for, it's something that's imposed upon them. I was reminded a little short while ago that, I mean there are a few business models for those who make getting through security and going cross borders easier. So things like passport renewal as a service and TSA precheck and you know, European equivalence thereof, there might be some money in that.
But the entities who produce this information do it because it's their job and they're the only ones who can do it and it's kind of single issuer verifiers. While those are important use cases, it can get down to, you know, geographical and national security. So those exist. So I say here, captive parties have made it a focus. Will it win any popularity contests? I don't know that it's that reusable and that attractive. So I'm still looking for the killer credential here. Work eligibility. So this is one that is talked about a lot and, and this one is interesting because you know, it could help people who after all in the modern world have a lot of jobs, have a lot of gigs or selling things online with a side hustle. It could be very interesting to centralize that information on the person. And the would be issuers are already generally if they're testing companies, if they're training companies, if they're a previous employer are used to producing this information, they already kind of know what their liability is cuz they've been doing it. You know, if you give a reference for somebody for their next job there, there are some clever ways I have heard there was an old advice columnist in the US who when asked how, how does one write a reference for somebody that you didn't think was really very good? Her suggestion was, I highly recommend this candidate with no qualifications whatsoever. So it's ambiguous.
So the question here is are even if verifiers are attracted, what is the cost for them to retool? Because if anybody attended my talk yesterday or my passwordless talk today, workforce back office, it is notoriously not as fresh as some other parts of it for serving customers. All right? Not a bot or perhaps private proof of humanity. So individuals may very well find this useful if they can be given some assurance of anonymity pseudonymity and if they can be assured that all the other people in whatever community they're dealing with actually are also human beings. That's not something that is frequently done today. There's a few business models out there where that's if you're measuring daily or monthly active users and that's your sole thing, then you might not be so attracted. But most companies are actually in a position to produce this and in fact the OS device browser makers are definitely in a position to do this.
And then it's just a question of are we adding liability on top of them or could there be a business model for for paying them for their trouble? And this is where verifiers might very well simply want to know and treat this as a kind of assertion, a attested credential versus having to do the work all over them all over again. So with gen AI we're already seeing fraud number spike, so this could become really quite attractive. I think with with further analysis. I spoke about this in November or December and this one I gave sort of an A for possibilities. My opinion is strengthen the, on this one, the last one, consent for sharing.
So this is one is also a little bit outside the lines, but people can find this attractive if they could trace the supply chain of their data by providing this information, there might be something that would be attractive to them there. Issuers do this now as IDPs if they're worth their salt. So they know the information, the question is sort of just packaging up to share it. They're gonna wanna know liability, particularly if it's their own data processors with them as data controller that they are in some fashion sharing this with or enticing the user to share them with, share it with verifiers would be, verifiers could maybe find this interesting as well because they will want, if they could know for a certainty what their, their rights are with respect to using this data, then that becomes a kind of a license. And so this is where we talk about respectful personal data, brokerages really changing the game. And so that's just a personal favorite of mine cuz I want that world to exist like right now. So concluding my remarks just in time, not leaving a lot of time for discussion is, well it's not easy to hit that trifecta, but I hope I presented to you some intriguing possibilities as well as a framework for how to think about these propositions and the micro markets that I think are there. So I'll thank you for your attention. See if there's any quick comments or questions.
Thank you so much Ive for your presentation. And is there any question here in the room? Yes, please.
Maybe I'll put this back on the screen just in case.
Is this working? Cool. Hi Fraser. CEO at Checked. It was more, more a comment on the gaming side. So some feedback that we've been given is like the gaming credential is not necessarily for like importing say achievements or items or law between things because they're also
Exactly the meta stuff. Yeah.
But the feedback that we were given was the things that are really valuable is being, oh God, just like, I hate the terminology, but being able to flex outside of a game. Yes.
It's showing off. Yeah, exactly.
And we found out actually. So it's more of like a social credential, which is being able to demonstrate something anywhere else, which is outside, which then feeds into almost like the influencer trend where you can demonstrate something outside of a platform. Yes. Without someone needing to even be inside that platform. So break it almost turns everyone, it's like classic like Yeah. Community economy and
It's like breaking the fourth wall. Exactly. And, and absolutely. I mean people are highly motivated by this. It's, it's like work eligibility only. It's for fun. Yeah. So that could be attractive. Thank you. No,
Thank you.
Thank you so much even thanks for, for answering the questions we need to present our next session. Thank you so much for that.
Thanks.