Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm Lead Advisor and Senior Analyst with KuppingerColel Analysts. My guest today is Annie Bailey. She is Senior Analyst with KuppingerCole, hailing from Austria. Hi, Annie.
Hi, Matthias. Thanks for having me back.
Great to have you, as usual. And this time we are covering a topic that we already had several looks on. We did that at EIC last year in September in Munich, and we had a special episode also with Martin about that topic. We want to talk again about GAIN, but we don't want our audience to rewatch, relisten to all these episodes to understand what we're talking about. So first of all, what is a game as a summary?
Yeah. So just as a brief reminder or to catch you up, if you didn't hear the other episodes, GAIN stands for Global Assured Identities Network. And this is a new initiative. It was just announced in September of 2021. But a lot is happening, which is why we're covering it again. But it is an international collaboration to leverage the trusted identities which are already issued by a different organization so that could be financial institutions, national frameworks, telecommunications. And the purpose of this is to re-use this identity information, which is already verified for any other industry. So that means a user could have access to their verified identity and bring it to a government entity that they need to interact with to their bank, to their employer, other service providers, insurance, and so on.
Yeah, that sounds like a very much improved user experience. If you can re-use your identity that is already or that is already vetted, that is already trusted, Why are we talking about it again just right now?
Yeah. So up until this point gain has been a hypothesis, everything laid out in a white paper with over 150 collaborators laid out what GAIN could be. And so it has been a hypothesis. But as of now, on March 2nd, officially, the technical proof of concept stage has begun. So a group that was launched to test the hypotheses that were laid out in the whitepaper has now convened and is getting started on this. So it's hosted by the OpenID Foundation, but this group is open to anybody to participate to that could be those who are issuing identities, so from the banks, telecommunications side to potential relying parties, who could then consume that verified identity or simply individuals who are interested and want to participate.
So for the audience who are just watching or listening to this podcast episode., Yeah, it's you. You could join you could also take part in that PoC when you’re interested, or if it's good for your business model. But you talked about hypotheses. What are these hypotheses that are the foundation, the idea behind GAIN, and what's on the agenda for such a PoC based on these hypotheses?
Mm-hmm. So the real aim here is interoperability. So being able to bring an identity from one organization that has been vetted and is trusted there, and to be able to make that portable so that the trust and the assurance travel with it and that the communication methods are also compatible. So there are a lot of levels here, ranging from technology to jurisdiction and regulation. So there's quite a long list of hypotheses to be tested here. But one of these is that GAIN should be built on top of the existing NIST networks but to be able to support many different types of solutions, so existing networks you could think of like the bank ID systems that's been working in the Nordics quite well. These are all country-led initiatives. However, they're functioning in similar ways. So if we take that idea and we expand it to a global level, looking for regional or technological systems which are working but to bring that across borders, across industries. Part of that is also the method. So being able to support multiple protocols. So things like OpenID Connect which we're familiar with and DIDComm, this is something that maybe we're less familiar with, which is decentralized ID communication and this is an emerging standard from the W3C focused on decentralized identity. So this is bringing together some of the standard ways we understand identity to some more emerging ways, including wallets and credential interactions for verified credentials. And of course, bringing in federated things as well.
So when this interoperability test is working, that would mean that relying parties, that applications that want to use this information can access this information from a single point of contact while in the background the collaboration of these individual identity information providers, make sure that you get the information that you require. And no matter where it comes from.
Exactly. So the intention is that this is technology agnostic. Able to be accessed from any region any type of reliant party. So this should function in a way like login with Google or login with Facebook where it's very user friendly. But the heavy lifting is done behind the scenes.
Right. When we do or when we work with our customers and we execute the PoC, we want to make sure that the results are adequate, that the POC is a proof of concept at scale, and meet the requirements that are made. So when we are talking about at scale, who is already participating, is it a relevant group?
So we have a promising collection of participants so far, it's still early days. So there's room for growth on that list. There are 14 participants. 11 of those are entities or organizations, and then there are three individual participants there as well. Of course, bringing their experience and knowledge. So perhaps the most notable on the list is the parent company of Sweden's BankID. They have 8 million users and 6 billion users in 2021. So this is an organization that brings a lot of knowledge in doing exactly this and brings a lot of the potential information to run a PoC as an identity information provider. Other participants bring a lot of different technical expertise, so groups that already work with PKI and digital signatures for identity, decentralized identity services, and wallets. Those who are active in open banking and Federation use cases and also assessment bodies for age and identity verification and looking at decentralized data ecosystems. What's missing from the list are relying parties. So most of these participants are those who would be identity information providers. And we need to test this PoC on those related parties, those places that add end-user with then use their identity to access services.
Right, again, if I compare it with POCs that we, a company with our customers, there are clear use cases defined beforehand to make sure that this PoC delivers on the expected results. So what should we expect from this PoC?
So in a sense, we need to wait and see what we will expect because this is a co-created effort and so these first stages and first meetings of this POC group is to mutually agree upon the goals and the expectations and set the agenda. So that still needs to happen and still needs to be reported on. But from a larger standpoint, this GAIN concept is supported and promoted by five different organizations. So it's not only driven by those participants who are in the proof of concept group but these organizations who are also contributing to the legal and the business aspects of GAIN. So those include the OpenID Foundation or excuse me, the Open Identity Exchange, the Cloud Signature Consortium, the Institute of International Finance and Life, which is working with legal entity identifiers.
Right. So when we're talking about such a concept and that is meant to be global and it can only operate on a global level to deliver on the promise, that in my opinion, and I'm not a lawyer and it requires a lot of work when it comes to So the legal aspect to the interoperability aspect for making sure that information is reliable and that you can work with this information on a cross-border approach. Is this something that they are also looking into?
Absolutely. So even though today we've primarily talked about this technical working group from a technical standpoint, really making sure this can happen. There's another working group that is gathering its forces, being hosted by the Open Identity Exchange. And this is focusing on the legal interoperability aspects. So you can think of this as how a relying party across the world could trust a digital identity coming from another country using a different framework to assess its trust level different foundational documents to prove that identity and somehow be able to map these together in a framework so that it's clear that this digital identity coming from far away across the world, vetted by an organization you don't know still works in your own country.
Right. Is there already some material around when it comes to this trust and how to apply this trust and how to assess the trust that you can have into an identity?
Mm-hmm. So the work that the Open Identity Exchange has been doing serves as a foundation to GAIN and the future work that this working group will be doing. But they published early in 2020, which could be in February, I believe it was in February. They have a guide to trust frameworks where they lay out their concepts, some main points to pay attention to some main goals to fulfill, things like really understanding the requirements of a relying party and the jurisdiction that they reside in. And one of the interesting recommendations that they have is that they imagine future solutions. A digital identity, either provider or a wallet where this is user-driven and user-based needs to have a rules engine. So basically where in this identity transaction, the rules agent decides essentially what credentials the individual already has and matches that against the requirement that the relying party has and then can determine which exactly, exactly which credentials need to be sent to both keep data sharing to a minimum and still fulfill the assurance requirements, the business requirements of that relying party. So it will be interesting to see a rules engine perhaps start to emerge and solutions.
Right. So we have technical interoperability testing, but we also have interoperability testing based on that trust framework. So really to understand a) it works technologically and b) I know what that means for me when it comes to using this identity for specific use cases. So what will be the next step starting from here?
So we have a lot to watch for. Again, since these are early days, we need to see how this evolves. But we can be watching for the participants as we did earlier, we took a short tally. We see that we have a good representation, could still be more from identity information providers, fewer from relying parties. So that will be critical to properly testing these solutions. Following that, we need to look for functionality. The groundwork seems to have been laid very well. There's been a lot of thought, a lot of effort, a lot of collaboration, going into these first stages with whitepapers, with published frameworks. But we need to see if these work and especially the hard work of mapping these assurance levels and frameworks between jurisdictions and still making sure that all regulations have been fulfilled is going to be challenging. So we can't underestimate the work that's going into this and we need to see where these key players are going to be speaking. They'll be really helpful in keeping us up to date with what is going on with GAIN, especially as we're still in working groups and POCs where not all information will be public. So one place for that will be at the EIC, which KuppingerCole is hosting in May where a lot of these key players will be speaking and bringing us up to date with what is going on
Right. That's of course a great hint. Also at EIC, which takes place in May in Berlin and this time, Berlin Alexanderplatz. So we will be there and we hope that a lot of good results from this PoC are already available as key players from these five organizations that you've mentioned will be available there as well. And we'll be speaking about that topic. Thank you very much, Annie, for bringing us up to speed with regards to what is going on right now, because this is just a work in progress. So that will be results made available over time. But surely at EIC, for all of those who are not yet ready to participate but are interested in learning more about the game and how that fits into their ecosystem, we highly recommend taking part in EIC, either in-person in Berlin or digitally, because it is a hybrid event where you can also participate electronically. So thanks again Annie, for being my guest today. What are your expectations, will that work out, or is this something that needs to take shape over time?
Yeah, I'm hopeful. This is a great conversion of a lot of solutions that are coming on the market, really focused on verifying identity and working to preserve the trust in it for re-use. And then with initiatives like this, the solutions have a means and a vehicle to be used by enterprises and be useful. So it's an interesting convergence of the technology and the willpower to make this interoperable at a global level.
Absolutely. And I want it to work. So that's maybe also a good starting point because it really can serve the user and serve the business. So again, thank you very much, Annie, and looking forward to talking to you soon. Looking forward to seeing you in Berlin and looking forward to having you in a future episode very soon.
Thanks. And bye-bye.
Thanks, Matthias. Bye
