The Disruptor: Decentralized Identity Systems and Verifiable Credentials


Video Transcript
Speaker 1:
So, this is an incredible group of people up here that just have a deep, deep understanding, and unlike an analyst like me, put their money, their company's money, where their mouths are when it comes to decentralized identity. And one of the things that we've been talking about for years and years and years, because, from my perspective, and Doug, you were articulating that earlier, when I think about how identity works and I think about how it should work in the future, and I look at this kind of hierarchy and the static controlling nature, I'm not trying to be negative about it, but just the way identity systems are structured today, I do think there's a better way. Maybe it's this. Maybe it's something else. But decentralized identity, verifiable credentials have the potential to move us to this more scalable, more user-centric distributed model. We've been talking about this for years and years and years as user-centric identity and various iterations of it.

How do we flip it from, as an individual, I go to a hundred places and reestablish myself, or I have something, whatever that something is, that basically says, "Here's who I am and what you can do with my information," and others accept that? And at a real simple level, and to me, I started thinking about it a lot more during the whole COVID rapid digital enterprise expansion. And one of the ways I've characterized it is the systems and services start collapsing under their own weight. People just can't keep up with all of this. But that's one side of the coin. So, we have hope that it'll limit the unnecessary proliferation of personal data, passwords, IDs. We're going to talk about passwordless tomorrow. This could be a means towards that end, provide us a foundation for stronger verification and vetting and so forth. We've been writing about this for a long time. I've been involved with this for a long time. I'll change the six there to five.

But it is all about, and I think we're at a point in the industry, where ... I'm not going to say much more, which, again, will make everyone happy. I really want to go across the board and have the panelists talk about, and here they are, minus Lasse, talk about the following: What does decentralized identity and verifiable credentials, what does it mean to your organization? What are you doing with it, products and services that you have? And in the first ... I guess we'll do about four or five minutes for everyone. And in that first period, you don't have to answer all of these. We'll keep these up. And I know, Pam, you and I talked about, you had a brilliant way to very succinctly explain kind of what this is in a quick way, but I think we all want to understand. And these are critical vendors, from Microsoft to Avast with a name change coming up, to Ping, to 1Kosmos, to IBM. These are big vendors that have substantial impact on our industry, in effect, a lot of us in here that are making investments in this area. So, without further ado, I'm going to turn it over to Pam, and we'll pass it down and just kind of hear what you have to say.

Pamela Dingle:
All right.


Pamela Dingle:
Kicking it off. All right. The light is green. Okay. So, just to kick this off, I think there's sort of a couple of things to level set here, and then I think everyone can sort of add to where I've missed some color. From my perspective, there are two important things about decentralized identity and verifiable credentials. And I'll try and pull those two apart because I think, Patrick, you noted earlier that people often conflate them. So, the first one is the presentation model. Decentralized identity, in general, tends to be about a long-lived credential that is given to the end user, and then the end user owns it and stores it and puts it in their pocket. And at some point later in time, they present the credential. Right? So, they choose to give the credential, right, very concretely to a verifier who might want to consume their information. Right? So, it's a two-step model, and that's very different from the federated model, in which the user is basically a passenger, not a driver. Right? You get redirected to a site, an identity provider speaks on your behalf, over your head, to assert claims about you. Right? And so, that presentation model is number one.

And then the second piece is the standards piece that underlie it. And a verifiable credential is a bundle of attributes. We've talked a ton about attributes, but the amazing thing about a verifiable credential is it can describe what you are. It doesn't necessarily have to describe who you are, although it could. So, if you have a fishing license, is a perfect example, right? A fishing license is based on your ability to pull fish out of a stream, not based on that I'm Pamela Dingle, the person. Right? And so, that ability to assert authoritative claims and to do it in the two-step model is a big deal. And then the standards behind it, one is the integrity model, and that is really decentralized or a potentially decentralized key management, meaning there has to be a way for you to go and get the public key to verify the statement, to make sure it's not been tampered with. But the other piece of it is you've got the bundles of claims, you've got the key management, and you've got the underlying trust model. How do you know, now that you know that the thing is tamper-proof, how do you know that the entity that claimed it, is somebody you should trust in the first place? So, those are the three models.

Speaker 1:
When you talk about trust models, you've talked several times today about a trust framework. Is that one and the same?

Pamela Dingle:
Yeah, I think so. I mean, there are decentralized ways to establish trust. We talk about trust anchors. There are lots of centralized and there are also distributed ways, like a certificate authority would be an example of, is a trust anchor. Right? And you can derive your trust from certificates. You can derive it from domains. You can derive it from a ledger. All of those things are fine. Yeah. So, I'll leave it at that and pass it on.

Drummond Reed:
Do I have to follow Pam? She did a really good job of explaining it. I feel I don't even have to take out my wallet to explain what self-sovereign identity is, which I always do, because she's just done a great job explaining it. So, instead, what I'll do is I'll talk about what Avast, the company that acquired ... I was formerly, as Gary knows well, chief trust officer at Evernym, which was acquired by Avast last December. Subsequently, they also acquired SecureKey, largely based in Canada, that runs the Verified.Me network, the bank ID network in Canada. And this is because our now mutual boss, Charlie Walton, who was a VP identity at MasterCard, really believed in where this was going, exactly what Pam just said, and said, okay, the future is digital identity wallets with credentials that are signed by issuers all over the place, not just certificate authorities, but CAs are really good sign signers too. Right?

In other words, this is not either, or. This was brought up earlier. It's going to be hybrid. It's going to be just like the web was layered over existing information systems. The decentralized identity can be layered over federated and centralized systems. So, what Charlie Walton saw was this is going to be big. It's going to be big for the identity and access management industry, but it's going to be even bigger for consumers, the people out there that actually are going to hold and use these digital wallets.

Now, quick show of hands, how many folks in this room are using a digital wallet today? If any of you have a Google or Apple phone, and you didn't raise your hand, are you not actually ... You've never put a mobile boarding pass in there? You've never put a ticket in there? Okay. Key point, those are proprietary digital wallets, controlled by those vendors. And I'll just point out that the level of concern in the industry as it's been developing about proprietary digital wallets being the future has led to a lot of industry angst and concern, which culminated last month in the announcement from Linux Foundation of the OpenWallet Foundation, an open source project to create open source Linux of digital wallets, a shared, not a shared end user wallet, a shared engine, very much like Gecko or Blink or engines for browsers. It's a huge job. You want the security, privacy, all the things that would be needed. That's what a number of companies come together.

I'm happy to next hand the mic to Patrick because Ping is, along with Avast, one of the other companies. I should, before I do that though, put out the caveat, this morning, because Avast, in September, officially merged with NortonLifeLock, this morning the new corporate identity was announced. This is the first panel I'm on where I get to share the new name. The overall corporate brand now is Gen, G-E-N, Gen Digital. So, I'm now a member of Gen Digital, and that's what all the brands are going to be underneath. So, over to Patrick to talk more about that.

Patrick Harding:
Thank you, Drummond. Guys, I apologize for being up here again. So, I don't know. I-


Patrick Harding:
Yeah. Yeah, I know. But this is the one I'm really, really, really passionate about. So, actually, I saved the best to last. We at Ping have been sort of thinking, investing in sort of decentralized identity in the last three years. We bought a company called ShoCard back at the beginning of 2020, which was a blockchain identity company. They were called really as a sort of a way to sort of get started in this space. So, I spent a year beating the blockchain out of them so that we don't use that anymore. And now, basically, we're really focused on right now the notion of leveraging verifiable credentials as a way to, as we said earlier, push identity to the edge. We started with verification, and actually, funnily enough, we started with verification, sort of the hacky, like let's take something physical and make it digital by taking a selfie, taking a photo of a government credential, validating that, and sort of relying on that verification.

That's very quickly going to be replaced by other types of credentials, like a mobile driver's license that the states will issue directly into the wallet itself, which just becomes a digital first essentially model for doing this sort of thing. And we'll see follow-on credentials that we'll be able to verify from there. We're also going to be delivering a credential issuance service, we'll be calling our credentials service, to allow organizations to essentially issue those credentials as well. We've also spent a lot of time in the standards world essentially looking to ensure that we get agreement on a verifiable credential format or formats that we can all use, the wire protocols of how you move those credentials over the wire from the issuer to the wallet, and then present it from the wallet to the verifier as well. And again, we might have some multiples of those too. But looking, we're doing to interop on those sort of things. Worked very closely with Microsoft to do interop in that area. We'll be working with Avast on that stuff too.

So, again, what we heard from our customers over this journey the last three years has been, A, we don't want anything proprietary from Ping. We don't care if this thing you bought can do this, but it's done in a proprietary way. This stuff has to interoperate with other vendors and other implementations. Otherwise, it's not going to scale and work. I mean, that's been in Ping's DNA from the very beginning.

The second thing is that, when I was talking about this with companies three years ago, we were coming to them with use cases, or we were trying to basically work with them to discover use cases. That's changed significantly in the last three years to the point now where we have organizations, them telling us about the use cases they have for this, and it's happening in all sorts of industries. It was actually really, really exciting, and I can elaborate on some of those a little later, but the fact that the industry's at a point now where they know what to do with this and they feel like it's going to actually solve business problems, create a better user experience, et cetera, et cetera, et cetera, is actually really exciting. So, it's ripe in terms of the timing for this stuff right now. Thank you.

Javed Shah:
I run product management at 1Kosmos and I've spent 20 years in centralized identity management, and I have only spent one year dabbling with decentralized identity. So, I'm definitely blown away by the possibilities obviously. But I also am a firm believer that, I think it's been said here before and Pam also mentioned that there has to be some sort of an overlap or at least an interconnection between this concept of federating your identity. You are the user being redirected. Sure, but you are consenting to the app after all. Right? So, you do have some power. All of the power has not been taken away from you, with this other concept of, "Well, can I persist?" the fact that you are who you claim to be. We did prove you. So, at 1Kosmos, the program that we are envisioning involves reusability of the verified login. Given that we are a small startup in this market climate, to put that much investment in this space is obviously a measure of our conviction, of course.

But just a simple personal anecdote, I think, is what's driving some of the larger vision that we have, which is, look, I was just looking to add a fifth line to my AT&T family account. AT&T had me scan my driver's license, and I've been a customer for 21 years. Some sort of an inflection point, for sure, drove that action. That is interesting in itself. But, guess what? Just two weeks earlier, and I'm talking about the last three months, two or three weeks before the AT&T event, I had done the same thing for my naturalization application, for my citizenship application with the U.S. government, with USCIS specifically. The only question I had at that point was, when AT&T asked me to do this, was why do I have to submit the same driver's license, scan the front and the back again, right?

So, perhaps there is something to be said for the DL. Not everybody's a fan of the driver's license. I understand. It can be unbundled into just your identity attributes that potentially you could present for authentication at RPs that care for them. But there is something to say for the reusability of this effort on part of the user, the reuse possibilities that verifiable credentials and decentralized entities present are in general use cases that are already on the table.

So, early days for us. As a vendor, we would love to interop with the Microsoft platform, the IBM platform, and have this value pitch to users, get issued a VC anywhere. It's okay. We are the glue that will make these large behemoths who are investing so much time and energy into this new, I'm going to call it paradigm. Right? We'll make it possible, from an interop perspective. We may not be the $500 million investment with the VC platform, but we perhaps could be the $5 million interop glue that enables one person to not have to scan their DL twice in two weeks. So, that's where I think we are trying to crystallize the space for us at least.

Milan Patel:
Thanks. From an IBM perspective, I guess, fundamentally, there's two use cases that we're going after, and it's in line with what everyone was saying here in the context of, when we talk about verifiable credentials, the attributes asserted by an entity outside of a domain, what you're really doing with that credential as you establish a new relationship, is a passwordless onboarding in the context it, right, where you're taking a credential issued from a different domain, presenting that to the context of not having to scan your mobile driver's license or DMV twice, right? That's use case one.

Now, once that relationship has been established, there's then the subsequent interaction with that entity. Right? And we do that today with like FIDO or QR code, but passwordless authentication. Right? So, the input of one becomes then the subsequent continuous interaction of the others.

And so, what we're doing in that context, and we've had a tech preview for a few years working with customers, partners, for proof of concepts, but, really, and where we standardize that in terms of how we're implementing it, and it's not to say that this is what we're going to be doing going forward, right, but this is where we rooted our technology stack. Right? We're using Hyperledger Indy, Hyperledger Aries, but that's not to say that's where we're going to stay, right, because a lot of what's going to drive us is where the market adoption happens. But where we're seeing market adoption and initial success is passwordless onboarding, passwordless authentication, delivered through a verifiable credential format. So, that's what we're seeing. And how we see this playing out in the context of what we're doing, we have a heritage in IAM, user repositories, LDAP, AD, non-LDAP or AD, just in random databases. Those become, and I guess this goes back to the hybrid, right? The way that we're seeing verifiable credentials is a two step. Right?

Step one is you've got all your user attributes in disparate sources. Right? We were talking to a DMV where they have core identity in Active Directory or LDAP, but they have driver's license attributes in a non-Active Directory. So, the question becomes how do you capture the attributes that are necessary, that comprise of a credential, which is a driver's license, and then deliver that to a user? And that's what we're looking at, is, how do we allow for being able to connect to those sources where those attributes live? Because, at the end of the day, these entities that have the identity are, in our view, issuers. The entities that consume that identity, right, are verifiers. We're just the digitized printer that allows you to produce it, the digitized reader that allows you to read it. So, that's how we're thinking about IAM in the context ... or sorry, decentralized identity, verifiable credentials in the context of our identity as a service. I guess, spoiler alert, I'm going to be showing some of that at the reception. But, yeah, I mean, that's sort of the net of that.

Pamela Dingle:
I have another use case if you want to hear it.

Speaker 1:
Yeah.

Pamela Dingle:
So, I like the use cases discussion because it makes it more concrete. Right? It's a little less abstract. One of the use cases that we're focusing on a lot at Microsoft right now is actually entitlements in life cycle management. So, if you think about where we're going with multifactor authentication, strong authentication, we're getting to ... The concept of step-up is changing because everyone's already stepped up. Right? We want everyone to come in at a high assurance level to begin with. And yet, what we need is the authorization, but just in time authorization. And so, the question becomes, what if I can issue something to my guests, issue something to my employees, that is the token that they present, that they understand? It's concrete, right, for them to prove they're entitled to do a thing, right, to get access to a package of applications, for example. Right? So, that's how we're looking at this.

And we have this, we're building it in. But the idea that, if you've got somebody, if there's a set of content that's available to anyone who's taken security training, then why not give them a card that says, "I took security training." Right? And then the moment they have to get into one of those applications that is an authentication or authorization context, that you can simply demand, "Oh, you want to get to this? Show me. Prove to me that you've had the security training. You have? Okay, you're in." Right? So, that's another kind of concrete use case.

Drummond Reed:
And can I give you two more because we're on concrete use cases?

Speaker 1:
We'll take turns doing this.

Drummond Reed:
I know. But at least, we'll go fast, so that we ... But it makes it concrete for everyone, including the audience. You can broaden what Pam was just talking about. In my view, the single most successful verifiable credential on the market today is the NHS staff passport. It is the credential that the National Health Service in the UK, which, I think, is the world's fifth largest employer, needed to give doctors and nurses to be able to quickly move between facilities, which they're doing all the time in the NHS. But during the COVID crisis, it was a crisis. They needed to speed that up by an order of magnitude. And they said, "We could do that with this new-fangled digital verifiable credential." And they even bet on, at then, a very small company, Evernym, against our good friends here at Microsoft.

Well, we both had solutions, but at least they bet on both of them actually and got them out there. But the staff passport became the way that doctors and nurses could check into a new facility, instead of hours moving to a facility, in minutes or even seconds. Right? It was literally a matter of an iPad sitting there that you can bring in your wallet. You've been issued the credential, you scan a QR code, and the light turns green. Okay? Now that's a very, very important authorization. A doctor or a nurse is being authorized to actually deliver healthcare at your facility. Okay? I think that's pretty extraordinary, and it's put in place by a healthcare system, the national healthcare system of the UK.

The other example I want to give you is just one that ... Pam and I are both neighbors to British Columbia. They've always been a leader in digital identity. You can go to the app store right now and get the BC gov digital wallet, based on Hyperledger Indy and Aries, today. You can't use it unless you're a British Columbia citizen. In fact, you can't use it unless you're an attorney in British Columbia that needs access to a set of records that is their beta test site. But talk about authorization, that attorney with that credential can get access to a set of records, their depositions, that only attorneys can access there. And they said, "If we put this in place, and we show this works, we can roll this across all of the other BC government, every place else they need it." So, it's moving straight up. I actually believe the killer use case is authorization because you're jumping up beyond just authentication or multifactor authentication. You're getting that with the package. And as those use cases start to roll out, it's going to just ... huge sucking sound.

Patrick Harding:
Totally agree. So, again, I think it's going to touch all aspects of where identity is used today. It's going to be used for identification, things like where you need to do enrollment, registration, verification. It's going to be useful for authentication, as an example, which is passwordless, which, actually, to be honest, it'll be an interesting discussion, see where FIDO goes with that. Then it's also going to be used for authorization entitlements. So, it touches all three places, but it's a common technology that can be applied everywhere, which is a very, very different way of thinking about solving identity problems over the last 20 years. Nobody's thought about it that way before.

One example, just one of many examples that I've seen that organizations are getting excited about, and just one industry is, say, rental cars. All right? I very recently tried to rent a car online. And for the first time, I was given the opportunity in their mobile app to actually have them verify my driver's license remotely, as opposed to having to do it when I actually show up at the desk. Now, they were doing it by having me take a selfie and taking a photo of my driver's license and stuff like that, but at least they recognized, all right, there's opportunity here to improve the customer experience, if I can do it remotely. Guess what? It's going to be a lot better when I can do that with a mobile driver's license, all right, as opposed to having to do all of the selfie, well, take a photo of my driver's license.

But a very next obvious step, beyond that, is to actually, for me to be able to share my auto insurance verifiable credential. Again, this is just another piece of plastic in my wallet because I think every single piece of plastic or piece of paper that's in my wallet is going to have a digitized version of it that's in my digital wallet. Now I can share my auto insurance information. So, wouldn't it be nice to know what situation I might be in to say which of these insurance boxes I should tick when I'm renting the car basically because I've got no idea today what I'm covered for, what I'm not covered for. And suddenly, I can get a much better user experience in that way. Same thing applies with healthcare, a number of areas, so it's exciting.

Javed Shah:
I'm going to take a stab at this. Yeah, medical PII, right? So, 1Kosmos is a full-service credential service provider. There is this alliance called the CARIN Alliance, right, which tries to drive initiatives that secure access to PII and enable relying parties to access patient data securely. It has several working groups. One of these has to do with healthcare ID insurance cards or digital ID to protect medical PII. There is this construct of introducing FHIR scopes within the identity token that the user is authorized to carry. FHIR is a fast healthcare identity resource. I think I got that right. Just the scopes that authorize the nurse who's just authenticated with the hospital to get access to a subset of the patient's medical records. Right? It isn't too much of a stretch to envision the verifiable presentation be that claim inside an identity token.

So, I feel like this is a really strong possibility of this hybrid happening even before the full vision of the VC, verifiable credentials, decentralized identity is realized. You might actually see hybrid solutions for specific use cases that come into the marketplace and have good adoption, especially with the UDAP Tiered OAuth specification that's kind of talking towards the same idea of how to protect those MPII FHIR scopes to match relying parties who expect certain FHIR representations from certain CSPs. There is nothing stopping dedicated representations of those coming into being and simply being carried. The identity token is just a vector. It's just a carrier. It could carry representations potentially, which would lead to, I hope, better adoption of this model of decentralized identity. Just something to consider.

Milan Patel:
I guess, a different take on the use case. So, apparently at IBM, when you hit 10 years, you've got to renew your badge. And I tried to go to work one day, and I couldn't get into the building. So, I had to-


Milan Patel:
Which is why I'm about to get into ... So, what I had to do was, the badging office is only open Tuesday, Wednesday, Thursday from 1:00 to 4:00. So, I had to go back home and then come back later to get my badge. But, I guess, where I'm going with that is, I think one of the comments was, instead of focusing on the security side as the driver, focus on the business side. And the business side is, just when I was getting my badge, I just asked a simple question. How much do we pay for 300,000 employees to get a physical card, right? And then how many times do you have to reissue it? If it gets lost, what do you do? So, that's the business side in terms of that.

And I guess the other thing that I'll say is, I think a majority of scenarios that we think about in the context of verifiable credential is more like, how do I present my identity online? But the same notion can be used, right, because there's also physical resources that we access, buildings. And then even in the building, when I go in to IBM, there's a design studio that only certain people go in because there's customer wire frames. There's sponsor stakeholder map, and only certain people should get into that building in the building. Right? So, this is where a lot of those types of scenarios blur in which you tie security benefits from the authorization standpoint, but also align it to a business model, which is, how do I help reduce footprint? Clearly, there's ESG initiatives around that as well. But that's a good way to quantify that, and that's what we're looking at as well as a stakeholder of ours, is IBM corporate secure is not doing things for IAM, but

Milan Patel:
Oh.

Male:
Can you hand him another microphone?

Milan Patel:
Sorry, it's just going to be quick ... who's not doing anything related to IAM, but they're doing IAM in terms of what employees and what buildings they have access to. So, that's just another spin on a use case.

Pamela Dingle:
Interesting.

Speaker 1:
So, first and foremost, the updates are great. This is substantially different than the discussions we had a year or two or so ago, where it was, we had these pilots and these things that were going on and people were kicking the tires. There's real use cases. There's real products out there, and all that's really positive. As we see any technology begin to turn the corner and get more rapid adoption, one of the challenges, and we see this in IAM, of course, all the time, is how this fits with the other IAM infrastructure that's already out there. And if anyone has thoughts or comments or positions in terms of what you're doing to integrate what we're doing in ... It may be less relevant to a company that primarily does decentralized identity and verifiable credentials. But for Microsoft, for IBM, for Ping, perhaps others, but at least, for you three, how does this fit in your overall portfolio? How do you see it integrating and so forth?

Patrick Harding:
Do you want to do it again?

Pamela Dingle:
Yeah, sure.

Patrick Harding:
There you go.

Pamela Dingle:
First ... Oh, there we go. Anyways, so we are really looking at how holistically we can integrate this stuff. There's no point ... Again, the hammers in search of nails, right, is always a problem. So, this is not a replacement for the technology that already exists. There are just places that lend themselves naturally. And so, for us, for example, governance is definitely one of them. Entitlements, we're integrating into our SIAM solution because we think that's another huge opportunity there. Generally speaking, we are using a technical stack that uses HTTP, and there are other alternatives in the ecosystem, but, for us, that means that a lot of the same component parts that you're already using today, like JWT tokens and things like that are reused for decentralized. So, we are hoping that that actually helps for expertise. Right? If you have someone who understands JWTs, right, then, and JSON, then you're going to understand in theory the decentralized piece and how the verifiable credentials are passed back and forth. So, that's kind of our strategy. Pass it on.

Drummond Reed:
As I mentioned, since Avast Norton Gen now has a combined user base of over 500 million users, we intend to empower them with the digital version of this within the next year.

Male:
Wow.

Drummond Reed:
And we will be partnering with hopefully every company I'm sitting next to because we are not natively an IAM company. We're going to be natively a decentralized identity company, empowering consumers to do a whole lot with that new ... Actually, as much as I bring this up, I actually want to make a very important point because I was literally on a thread about this on the OpenWallet Foundation list earlier today. This is an amazing tool, but, by itself, oh, it does nothing. Right? A human wallet only does something when I, the agent that uses it, actually take actions with it. Same is true of what we're going to be talking about with a digital wallet. All the action is in the agent.

That's why Avast is just starting to talk about the digital smart agent. And what we believe the digital smart agent will do with your digital wallet will blow your mind as a consumer in the next couple years. And we intend to lead that experience and partner with folks that are not on this panel, which are going to be primarily initially digital merchants who have a whole lot of interest in a better relationship, lower friction, better user experience, all of those things. So, that's what we're going to be focused on. But I still think that's just the tip of the iceberg. But, again, we will be partnering with all these other companies because it's their customers that we need to integrate with to deliver that experience.

Patrick Harding:
Yep. Evolution, not revolution here. I mean, there's nothing that we are talking about that isn't going to be just built on the existing infrastructure that we make available to our customers today. It's just a different way of using it. You still have to integrate with the same sort of things in the backend as an issuer or an IDP or as a verifier or an RP. It's just a different way of moving that information around, I suppose, is the way to say it, that opens up new business opportunities with some new crypto and stuff like that. But in the crux of things, I don't think it's that different.

Speaker 1:
Quick question there. If it's not that different, does that mean, if they've already done the integration with your other things, this should work pretty easily?

Patrick Harding:
That would be the goal, yes.

Speaker 1:
Okay.

Patrick Harding:
Because we are talking about standards. We are talking-

Speaker 1:
Sure.

Patrick Harding:
... about interop. And essentially, it's as much going to be about application integration on their end essentially as how do I take advantage of these new credentials? How do I request them? Where are they? Where do they live? Not every credential is going to live in the Avast wallet, as an example, no matter how much Drummond likes to think it. Some of them will be in the platform wallet from Google and Apple. Some of them will actually live in another competitive wallet to Avast. Some of them will actually live in the native application itself. So, take Gecko, that example I gave. Gecko isn't necessarily going to make their credential available to other wallets. They might just natively have it inside the native application on the phone. And if I want to release it, I open up the Gecko wallet and release the credential and stuff like that. So, I think there's a lot of user experience stuff to work out, but, at its crux, I don't think it changes some of the backend infrastructure organizations have to take advantage of. If we talk about Web3 and incorporating that new sort of paradigm and world into this, then I think we're starting to talk about differences in the way people have to think about some of their infrastructure when we get to that point.

Javed Shah:
So, as primarily a consumer of the platforms that would enable the printing of the credentials, really nice word there, I would just expect and hope for all of these implementations to be as stateless as possible, as interoperable as possible, and hopefully ride on those now fairly well-grooved standards that folks have picked up. We just talk about OAuth protection of APIs, instead of API keys, for protecting APIs. That's a big deal. That took a decade to happen. So, please don't store any state in your platform so that verifiers don't have to worry about that state or look it up by external, which obviously increases the burden, right, the tech burden. So, yeah, other than that, I think everything that's been said is pointed very nicely in a direction. I would love to see that future happen and actually become that intermediary sometimes for end users to possibly improve their user experience by removing one hop or one fewer scan or presentation of some ID.

Milan Patel:
Yeah, and for us, similarly stated, it's an extension into a different set of use cases. For example, when customers or users or customers of our platform went from SAML to OpenID Connect, it was just use, verify to do that, right? It's like a new use case that gets enabled. Same thing for FIDO, same thing. So, just like how someone would pay per user per month for single sign-on, per user per month for MFA, per user per month for risk-based authentication, per user per month for verifiable credentials, right, at the end of the day, it's just a new delivery model of the attributes that ultimately live in some directory. Right? And that's what we're targeting. I guess, so Web3 was mentioned and-

Milan Patel:
No, I guess the point of view we're taking right now is we're strictly focused on the IAM side of it with verifiable credentials. We know and have an eye on what's going on, Web3, and still trying to comprehend it ourselves in terms of what it is and what does a sound architecture for Web3 look like? I couldn't describe it, but I just mention that from a vendor standpoint. We're maniacally focused on it being in the context of an IAM evolution for now until we see otherwise to think we should be focused on it more in a different context. But that's where we are.

Javed Shah:
I just have a quick point to make. I don't think this came up. Pricing and packaging, right? We have customers and partners coming to us, as a tiny vendor that we are still, but the use cases are there. So, the questions are coming. How would you price this out, right? Would it be the number of proofs? Would it be the number of issued credentials? Would it be the number of presentations made? I don't have an answer to it. It's just a question.

Milan Patel:
Yeah. I guess you could put it in the same notion, right? How do people charge for single sign-on? Do you charge it per sign on? Or do you charge it per user that's active in a month, and then it's just ... So, that's the thinking that we're taking in that.

Patrick Harding:
Okay. Actually, one comment I was going to make, and it actually ties into this pricing conversation, is not every use case for verifiable credentials necessarily has to be cross domain, all right, where it's issued by one organization, consumed by another. We're actually seeing a lot of use cases where people want to issue credentials within their domain to basically be used by their customers back against them. And one example of that is actually just simple identity verification with the mobile ... sorry, with a regular driver's license, where they need to verify a user's identity every time they come into the bank to cash a check essentially. They're not necessarily a banking customer, but they want to use the bank to cash a check. Therefore, they've got to check who they are. Therefore, they go through a document verification, which costs arbitrarily two bucks every time they do it. All right? They don't really want to have to charge the customer $2 every time for doing that, but they're doing that right now.

What they're looking to do is essentially take that initial verification and turn it into a local verifiable credential that represents that verified user at that point, just as a verifiable credential inside that banking application at that point. That way, the next time the user comes back in, it's now just verifying that verifiable credential. They don't have to go through the whole document verification thing again. We'll still charge them $2, just joking. The whole point of that is to reduce the cost down to pennies or something like that. So, it's a huge cost saving for them to do that by leveraging verifiable credentials in that situation.

Drummond Reed:
Since Patrick opened the Web3-

Patrick Harding:
I just want the last word.

Drummond Reed:
There you go. I always like to point this out. Do I use this for identity or payment?

Drummond Reed:
So, I asked the question before, how many of you have a digital wallet on your phone? How many of you actually have a cryptocurrency wallet and are willing to admit it? We're not filming you. All right.

Speaker 7:
I won't use it for anything, but I have it.

Drummond Reed:
Okay. So, I've got news for you. Web3 thinks about wallets in terms of cryptocurrency exchange, value exchange. Okay? We're talking about in this panel largely in terms of identity. The OpenWallet Foundation, that conversation focused very quickly on ... In fact, there are three use cases, identity, payment, and the third one you could call utility or access, car keys, hotel keys, office keys. Right? They're all digital credentials, but they're neither about identity or payment. Right? They're about access. You can start to see where we're not going to be in Kansas anymore, at least on the consumer side and even over on the side. I think this is great news for the current IAM business because you're about to become about a whole lot more, right, all of digital authorizations for everything in your enterprise life and in your personal life.

Pamela Dingle:
Nice. Yep. Well, since we're on the Web3 kick ... Oh, wait. We were on a pricing kick for this, the low, low price of ... No, I'm just kidding. I will not get into Microsoft pricing strategies. But no, from a Web3 perspective, I think the other thing that the people in this room are probably thinking about right now is future-proofing. Right? So, even if you are the biggest blockchain skeptic in the world right now, what you don't want to do is put yourself into a situation where you can't move fast the moment that changes. And that could change on a dime. Right? And so, the great thing about the standards that underlie this is that you don't have to use anything decentralized or anything blockchain or any kind of ledger unless you choose it. And so, you have this ability to pivot if and when it makes sense for your business. And that is something that some of the other protocols don't have built in. Right? They have these sort of bespoke kind of trust models and bespoke ways to validate the integrity of the credentials that exist today. So, just something to think about.

Drummond Reed:
Coming back over to Patrick.

Patrick Harding:
Well, no, not really. So, I introduced Web3 because I didn't say blockchain, so I said something different. And to me, Drummond nailed it. It's actually about payments and a complete transformation the way payments are going to occur online. And in the identity industry, we've got to get comfortable with the fact that we're going to be sharing a wallet with the payments industry. And I think that's actually a good thing because a lot of the identity issues that we've seen, certainly around identity theft, is because we've actually tried to apply payment models that were built for the physical world and map them into the digital world kind of poorly. The notion of basically typing in the number that's on the piece of plastic on your credit card, along with four other numbers and stuff like that, into a website and then allowing them to store that information for some, forever, and stuff like that, the whole thing's broken, let alone for the fact that you can't pay for small value transfer.

You can't make micro payments with the payments industry that was built for buying physical things because nothing physical was ever going to be worth a 10th of a penny sort of thing. But in the digital world, that can occur. So, we're going to start to see this blend together, I think, in many ways, not the least of which will be, I'll use the wallet for similar things that maybe, when I'm paying for something, I can also share identity information. Maybe I can be paid when I share my identity information, so this doesn't have to be one way. This can be bidirectional in terms of where payments go as well. So, there's all sorts of opportunity and innovation to occur there, I think.

Speaker 1:
So, I think we're at a point we can take any questions from the audience. Is it a little too late?

Speaker 8:
Can I prove it? Is 2023 the era of decentralized identity? I heard that in 2019.

Drummond Reed:
And I appreciate your bullishness. As Gary and I think most folks on this panel know, I've been very bullish about it. One thing I've learned-

Speaker 1:
Since 1996, I think.

Drummond Reed:
Yeah, exactly. That is ... That's a quarter century. That's a long time. One thing I've learned though is that, when it comes to trust, things move slowly. It takes an awful lot. I mean, the web could take off, and it did very quickly because anyone could turn around, once they hit view source on an HTML page, and create their own, and bingo. But you don't do that in an IAM system and just change stuff overnight. So, you don't even do it. It goes even more slowly when you talk about those foundational sources of trust such as governments. One of the things that, I mean, I consider it the biggest sea change I've seen in 25 years in this business, when the European Union announced, "We're doing a digital identity wallet initiative for all of the EU, all 27 member states." And the original ambition was to have it all done in two years. Right? Well, it ain't going that fast, and it's a real challenge.

Speaker 1:
That is shocking.

Drummond Reed:
Yeah, isn't that shocking? However, I will say they also committed to, I think it's a total of 26 million euros towards an open source digital identity wallet for which the tender was awarded on Friday. It hasn't been public yet. And I will tell you Avast/Gen is not one of the winners. I think there were 10 bidders, but bottom line is there's going to be an open source project in addition to the OpenWallet Foundation for that wallet. And the standards are way up here.

One of the things to keep in mind ... We've been talking about payment. We've talked about identity. We talked about utility. The other requirement of that wallet is digital signatures. Any EU citizen is going to be able to use that to apply a legally valid digital signature, acceptable anywhere in the EU, and I bet you pretty much anywhere in the world with that wallet and the proper credentials inside of it. Imagine what that's going to do for digital business. I personally believe that, like with GDPR, they set the bar. It took the rest of the world quite a while, and a lot of people are going to argue about that bar. But the same thing is going to be happening here and Canada, our good friends there. It's not just BC. They're not far behind. And I'm happy to say Avast has been working with a country that's going full-on straight into decentralized identity for the entire country. It's the country that is best known for gross national happiness, Bhutan.

Patrick Harding:
So, well, not next year. All right? I think, well, and I also think, in the U.S., it's even going to be longer. You're going to see more happening in Europe faster because they're more privacy, I don't know, focused.


Patrick Harding:
Well, I mean, there's all sorts of technology people can use and play with, but, and that's going to be available. But I think the business drivers that are going to get organizations to be willing to fund this and actually make the changes, I don't see happening in the U.S. I still think that's going to be privacy driven in Europe first. All right? Look, even the notion of having a mobile driver's license, all right, in the U.S., 50 states have to implement this, all independently, across 50 different goddamned vendors that they all have and stuff like that. Okay? It's like a mess. In any other smart country in the world, the federal government issues driver's license, or maybe not. Australia's like seven states, but, okay, that's one example. Another example in the U.S. is just something simple as sort of how I use my passport to get into the country. All right? Everywhere else has gone digital essentially, where I can take a biometrics, scan my passport, go in. Here, I still have to talk to someone, all right, the guy at the desk and stuff like that. So, it just seems to be slower to adopt more modern identity technology in the U.S. than elsewhere in the world. So, that's why I see it happening.

Drummond Reed:
I'm so surprised-

Speaker 1:
Pass that over to Milan?

Drummond Reed:
... because we're such a unified country.

Male:
Yeah. Right.

Milan Patel:
I have similar sentiment to Patrick. I think it's going to be maybe beyond 2023 in the sense of that. And I think it's twofold. Fold one is, I just, talking to customers and just market, I think there's more near-term core IAM problems that they need to solve, which is why I said this is a two-step, right? Step one is modernized apps and user management. The outcome of that becomes how you can streamline and deliver a verifiable credential. So, that's one.

Number two, I think, is just from a business context, right, I think you'll see more productization of those capabilities in the core IAM solutions. And I think, once that's there, the buying motion to then do a POC or do something is less, right? You have to go through less barriers of entry through procurement today. Say I need to do this skunk work, whereas, if you already have the platform that supports it, your propensity to do that skunk work is higher probability. So, I think it's a combination of just what do I got to solve for today? And then how accessible is it in the context of what I'm using today? And I think that goes back to Pam's point on, it's an evolution in the context of how you deliver it, but it's also ... It's just natively in the solution that I have. Right?

Speaker 10:
Okay. Do you think Microsoft might have-

Pamela Dingle:
Yep.

Speaker 10:
... faster ramp?

Pamela Dingle:
So, in one sense, I think this is the year, and the reason ... and I will say this not for sales reasons or marketing or anything. So, Microsoft is in production with a solution. Right? So, there are real production solutions out there. Right? This is not theoretical. This is real, but in the same way that a truck used to be four wooden wheels, right, and a chassis, and now there's the cool little tailgate thing you can kick with your foot, right, that suddenly beautifully comes down. Right? This is the beginning. And so, I hope that it could be the year of decentralized identity for almost as long as it's been the year for PKI. Right? Could happen.

Male:
And on that note ...

Yeah.

Drummond Reed:
Can I put in a plug for decentralized PKI? Having put seven years of my life into the decentralized identifier specification, which did finally get approved by the W3C in July. It's a very, very deep subject. But as Pam was saying at the outset, the submerged part of the iceberg of decentralized identity verifiable credentials is decentralized PKI. And I believe that will actually, 10 years from now, be recognized as, oh my God, that was like HTML. Right? It was like, oh, it's what's just going to unleash all kinds of things, but it will take a while. And those who take advantage of it first, I think, and that'll be my last point, there will be the early winners in this, and they will innovate around what can be done with decentralized digital trust infrastructure, whole new apps, and business models. The existing IAM vendors will also win big, but they're in a great position to do that anyway.

Speaker 1:
I think we have one question.

Speaker 11:
Well, I probably have a compound question actually. Hi. Actually, I'll throw it out to Drummond since you're showing off wallets. I have a wallet, but it's full of transaction cards. There's no identity card in here. I have a credit card. It has a number on it. The name's irrelevant. It's only the number the vendor ever cares about. Even at the front desk here, when I checked in, the bank verified this card before they gave it to me. They verified who I was, but they asked for my driver's license to prove that I was that person presenting this transaction card, that the credit card wasn't an identity card in itself. I'd even argue the driver's license might not even be an identity card and that ... I can't remember the last time the government checked what address I live at. I just walk into a registry. I say I want to renew my card. They just hand me another one. So, I guess it's what are we managing here? Is it an identity management thing that we're doing? Or are we going back to what Andrew brought up? Was it really account management? So, our wallet's really just account management collectors? Or is it something to be used for identity management? So, from a consumer perspective, just what am I controlling here that's my own? I'm shifting the conversation a little bit from 2023, but ...

Drummond Reed:
I'll give you a ... First of all, I totally agree with you. I love the fact that once verifiable credentials came to the fore, and I started using this metaphor. I didn't have to talk about identity really anymore. I could just talk about what credentials do you need? I mean, do we really think about identity when we use this wallet? We think about, oh, okay, we need to prove something to someone to get someplace, do something. It's all about attributes. I totally agree with that. The point you're making about, well, it's about the transactions, what I can prove about myself. One of the things I think we're not yet taking into account is, when I have on my side a digital agent, a digital wallet that's keeping track of what I'm doing, I'm building up information that is incredibly valuable. And it's all provable, right, to whatever party needs it, that now you're starting to see ... I mean, think about a decentralized Equifax, right, where all of us ... and we can share some of that information. We can develop actual online reputation. That's when it really gets exciting. And you're right. That won't be ... Identity-wise will start to be the caboose on the train.

Patrick Harding:
Yeah, I would add that you are right because, honestly, users shouldn't care. An organization shouldn't care. I mean, honestly, an identity is used for things like KYC, where there's real world associated reasons to actually deal with AML, like when ordering checks, OFAC checks, stuff like that, where you need real world identity. But in the context of being able to use a payment card, absolutely, it should just be an account number. Unfortunately, the physical representation of it gets associated with a name. All right? And that name needs to be validated, so they have to use the driver's license to verify it's you, and they then take the look at the selfie, like the little picture of it to make sure it's you. And it's just a little crazy train of trust. But if that payment card was represented digitally, and you could prove ownership of the private key by being able to basically unlock it for that credential, you don't need any more information than that, absolutely. So, that's, I think, one of the areas that is sort of, people aren't necessarily aware of, that we always talk about identity, but it's actually eliminate and remove identity in many situations as well.

Milan Patel:
And I'll just say your compounded question was a compounded credential use case, right, where you were mentioning your credit card number and the name on there. And then you said, "I also had to show my driver's license." Right? I think the ability to say that it's more you than not with the fact that you own both of those credentials, and then the attributes on those credentials match gives a higher ... I'm not saying it gives 100% assurance it's you. Right? But it gives a higher, and that's ultimately with what you then possess in the wallet, allows you to show in the context of that compound use case.

Speaker 11:
Okay. Can I just, actually along your lines on, I mean, the compound, other compound use cases, the driver's license, to me, is a compound credential. I mean, somebody had to give me a valid birth certificate that said ... because, unfortunately, a driver's license, which should be just, going back to Pam, it's an entitlement. It's an entitlement to drive a vehicle of a certain class. But they've added things like my birthday. Well, where did they get that from? Well, I had to get some credential about my birth certificate and my address and so on and so forth, or actually my biometrics that are on there, which, eye color, height, and all those other good things. So, I mean, I don't follow the space. I don't operate in DID or verify credentials. I kind of dabble on those edges, and I'm really curious. But in the digital world, will we request multiple credential verifiers for, can you verify this photo of Derek? Or can you provide a validation about his credential provider for his birth certificate-

Milan Patel:
Yes.

Speaker 11:
... or his church, or was it his government? Was it-

Milan Patel:
So, I would say, as a holder, the obligation is to obtain the credentials, just like you didn't come with a primed wallet. Right? You had to go through the actions to get it. On the verifier side, I think, ultimately, it gets into the tango where you get to say, "Oh, I didn't bring my driver's license, but I have my passport." But at the end of the day, it's like, as you transact, there's a business policy that needs to be defined. Right? You can't take a library card and say, "This is my vetted identity," as you're going through a certain interaction. Right? Certain interactions require certain attestations or levels of assurance. And that's where it gets into self-issued versus government-issued versus some entity-issued. Right? But there's still that threshold of assurance that needs to be considered as credentials that are not only obtained, but then presented, from a holder standpoint.

Speaker 11:
Right.

Speaker 1:
Well, thank you everyone. This was a great session.

Traditional identity systems are mostly geared toward authentication and access management for known entities.

A decentralized identity system adds a focus on authenticity and how a community can establish trust across the boundaries of any ecosystem. In a decentralized identity future, credentials can be shared between parties with authenticity, security, and privacy guaranteed; or at least, that’s the promise.

This panel session, featuring 1Kosmos VP of Product, Javed Shah, will describe this new approach, assess industry and vendor offerings, and describe implemented case studies currently solving real-world problems. We’ll look to provide insights to help enterprises better understand what this new environment is, how it benefits the enterprise and how it is evolving.
