Welcome to our webinar, Road to EIC, Exploring the Power of Decentralized Identity Solutions. Today we have a panel which consists of quite a group of super interesting panelists.
We have here Kim Hamilton-Duffy, Executive Director at Decentralized Identity Foundation, Dr Torsten Lodderstedt, Technical Advisor of Wallet Foundation and Lead Identity Architecture of SPRIND, the German Federal Agency for Disruptive Innovation, Drummond Reed, Director of Trust Services of Gen Digital, Kristina Yasuda, Identity Standards Architect also at SPRIND, and then me, Martin Kuppinger, I'm the Principal Analyst of KuppingerCole Analysts. As the title says, we want to look at decentralized identity solutions, which also will be a very important topic at EIC.
So when you look at the agenda of this year's European Identity and Cloud Conference, you will observe that there's a lot around EIDAS, EUDI wallet, decentralized identities, but also how this maps to enterprise identity management and many, many other topics. And today we want to look at what it is, explore a bit the concepts, what will make it succeed or fail? So where are we? What is to be expected in this journey? And why is this so essential to business? So this will be some of the talking points we will touch today, quite a number of things.
And as I've said, this will be also super important as a theme for the European Identity and Cloud Conference, which you definitely shouldn't miss. It will be, I'm absolutely confident, the premier identity management event this year with many, many participants and a lot of interesting discussions. So with that, I stop here. And even while I quickly introduced you at Heidel, it might be maybe great if all of you can quickly introduce yourself. So maybe we go in the order of what we had on the slide. So starting with Kim.
Hi, I'm Kim Hamilton-Duffy, Executive Director of Decentralized Identity Foundation. I've been working in the decentralized identity standards and tech space for probably about seven years now. Thank you for having me and having me represent DIF.
Okay, I see Torsten, you're the next.
Hey, my name is Torsten Lodderstedt. I am a technical advisor at OWF and I'm also leading the German eIDAS wallet implementation project. I have been in identity for 17 years now, mostly consumer identity, and I've also contributed to identity standards for quite a while. And now I'm in decentralized identity since four years, thanks to someone nudging me in that direction. It was Kim Cameron at that time.
Drummond.
Hi, Drummond Reed, Director of Trust Services at Gen, which was formed by the merger of Avast and Norton LifeLock. I was previously at Avast and then Chief Trust Officer at Evernym, where we helped get the space started, co-author of this book on self-sovereign identity. And currently I'm on the steering committee at the Trust over IP Foundation, where I co-chair the Trust Spanning Protocol Task Force, and at the Open Wallet Foundation on the governing board there, where we hope to help standardize and provide code for open standard digital wallets everywhere.
Okay, and then last but not least, Kristina.
Hi, I'm Kristina, Identity Systems Architect at SPRIND.
New title, new affiliation, very excited to be working closer to the epicenter, how I call it, to me. So I really believe the next few years is, you know, we need to cross the chasm for decentralized identity system. So really excited to be working closer with the actual implementers and use cases. The past few years have been working a lot on the standards that are now being implemented at scale, so that's my background.
Okay, and so I think most know me, Martin Kuppinger, one of the founders of KuppingerCole Analysts. In the identity space for more than three decades now. So starting with early LAN manager network versions and stuff like that, I have to admit I haven't been very engaged in developing identity standards, but I'm following the evolution very much. And so right now we look at, as the title says, the power of decentralized identity. And I think probably the starting point for this, and looking at you, who wants to start with a very short and concise definition of what decentralized identity is.
Sure, I would say standards, technical approaches, and principles that provide individuals a holistic digital identity in presence, in non-presence. It restores the privacy norms that they expect in the real world and empowers them to curate and package their skills, experience, identity data as they see fit.
Okay, there's already a lot in about what it will deliver. I think when we talk about decentralized, the opposite of decentralized is centralized. And I think we've seen centralized identity for long. So decentralized in that case means it's in the control of the user in contrast to it's in the control of an organization, isn't it?
Yeah, I think the user might be a bit misleading. I mean, the way I like to put it is the user can present the data about the users directly to the client or relying party or verifier, however you choose to call the party, without being redirected to a third identity provider. I think it's a bit maybe technical term, but the fact that user is talking directly with the service provider that needs to identify and authenticate the user is the biggest factor here. So the decentralized in that name is honestly really confusing.
So I think, and I don't know, issuer wallet, verifier model or three-party model or wallet model might be better, but at least that's the biggest gap diff for me. Drummond?
Martin, I always get out my wallet and just go, we're bringing this decentralized metaphor to, which has been decentralized for centuries, right? They're issuers, holders and verifiers of credentials everywhere in the world, no one central authority. And we're just emulating that work, doing everything that's necessary to emulate that online, which is a lot, which is a lot.
I mean, it required going deep into how did you enable ordinary individuals to use digital wallets that have cryptography built into them. And so that as Kristina said, you can present a credential and the verifier or relying party can verify, yep, that's actually signed by an issuer I trust. That's not easy. And it's taken a long time to develop the standards and now the code and the governance that's actually going to make that work, but we're getting there.
I like that metaphor, by the way, because you have a lot of things in the wallet. So it's not just your ID card you have in the wallet.
You have way more things in the wallet. You have your payment cards. You have your driver's license in the wallet. You have your health insurance card. You have so many things in the wallet. And I think this is very important also to understand from a metaphor perspective. It's not just proving that you're Martin.
Kristina, back to your comment. And I think this is also something where user definitely wasn't the right term because user always is associated with a human. And at the end of the day, it's not necessarily a human that has a wallet. Torsten. Yeah.
I mean, listening to what Drummond and Kristina just said and what you said, I would say the two words decentralized identity both are confusing. Because it's, I mean, I have built federated systems that are decentralized, right? We built a bank-based identity system with a thousand of IDPs. And it's more than just identity, as you just said. So the metaphor Drummond just made is excellent. In the end, our society is organized in the way that we have a certain trust model. And the trust model is the same for your physical wallet, for the federated identity, and also for the decentralized.
I also prefer to use the term wallet-based applications or wallet-based model. It's always the issuer that you trust in. The difference is to what we have done before, the federated identity model was mainly focusing on web SSO.
Basically, it solved a certain problem at a certain time. And I think what we can do today with wallets was technically impossible 20 years ago. Just to think about Passport and all those previous attempts to come up with decentralized solutions. And even today, I can tell you it's pretty hard to fulfill the requirements for maintaining a digital identity on a low level of assurance high. We haven't solved the problem yet, right? So we can do reasonable security and good user experience, but the security and the data privacy and so on is a pretty hard topic.
So from my perspective, decentralized identity basically means that we do with digital credentials what we have done with physical credentials before. And it's the key enabler for digitizing the society. That's why we as Federal Agency of Disruptive Innovation believe this is a disruptive innovation. This is a key enabler for the digitization of the society going forward. So there's another aspect that we may be missing and not to spend. So there's a real risk with this group, especially that we may spend the whole hour defining decentralized identity. I'm not going to do that, I promise.
But there's a key part that we're missing. So traditional digital identity architectures, and we've done this already, people are called users, customers, they're supplicants, right? So companies are asking for your money, your data, and you're the supplicant in this role. You're proving who you are, but you don't get the same affordances in return. You don't know who you're interacting with online. So you authenticate, no one authenticates to you.
So that power imbalance, and it doesn't mean that we're expecting individuals to carry the same power as the state to be able to issue credential, you know, government officials, but it does mean that people should be able to know who they're interacting with online and have that same kind of, you know, restore a bit of that power imbalance that's happening.
Yeah. And it was, Drummond brought it up with his book, was it this term of self-sovereign identity, that's still sometimes it's used probably lesser than in the past.
I think the late Kim Cameron at some point made a very tough comment about his association with the sovereign power in self-sovereign identity. But I think sort of giving back control and the flexibility, but also I think this is what, which leads us to the use cases. What is it, what we can do differently?
It means, and this goes a bit back to user today. It means when we go to the website A, we register and create a user account, still typically a frequently with a password. Unfortunately, sometimes we can do it a bit better, but still this, and they create in their own identity silo. And then the next one does the same with us, et cetera. And I think this entire way of working with other parties is changing because we have this, and this brings us also to the difference to the classical sort of enterprise identity silos or customer identity silos.
It gives us the opportunity that we just decide what we share from our wallet for a certain purpose. And it will, and this I think is essential for a lot of use cases, will for instance, massively simplify all these onboarding processes we know nowadays from the web.
Drummond, you're nodding. No question. The strongest interest we're seeing initially is in digitizing processes that today require either paper to move, whether it's a visa or some kind of worker credentials. So worker credentials, workforce credentials, there's a certain friction in enterprise use of that, especially if you need to have a worker, for instance, cross borders or a doctor move around between hospitals where there are regulatory requirements.
By digitizing that process, for example, the National Health Service in UK turned a process that could take, it was consuming like a hundred thousand doctor hours per year of moving around doctors between hospitals. And by turning that into verifiable credentials, they took something that could delay a doctor like up to two days to move into a new hospital down to like 20 or 30 seconds. Yeah. So when we look at use cases, I think this is what we started. So the difference between traditional identity concepts and decentralized identity enables them.
Where do we see, where do you see the most compelling use cases for that? So Drummond, you brought up one. Some other examples from your end, who wants to add?
So he mentioned my favorite one, I think learner worker credentials. I'm very passionate about those. Some other very compelling ones we're seeing in DIF. So you touched on it already, Martin. The decentralized identity standards and architectures don't just represent people, non-person identities can appear.
So in our IoT special interest group, we're seeing a lot of interests in DIDs for, in IoT use cases, DIDs and claims that enable chains of trust to say, you know, agent or acting on behalf of person, you know, all of these kinds of complex arrangements, especially as you bring in AI agents to it. And then I think our favorite one is coming from the travel and hospitality case.
So these are really interesting because with all the focus on sort of government ID and these very sort of high stakes or maybe even regulated use cases, travel and hospitality brings in a lot of the sort of lighter weight claims that many of us were passionate about from the beginning, self-attestations. No one gets to issue what your preferences are besides you, if you want a window seat or aisle seat.
And so travel and hospitality has some very compelling use cases and also the need for this sort of robust, direct connection between the traveler and the service providers that they're interacting with, say if their trip gets disrupted and they need to reschedule and you need to send up a whole slew of cancellations or requests. There's a lot of really compelling use cases and DIF is going to be focusing on that more heavily.
Yeah, Torsten, what are your favorite use cases?
Oh, well, there are a lot. And I read in the newspaper recently that after the e-prescription was launched in Germany, the take-up is tremendous. So far we have paper-based prescriptions and what I read is last month we had close to 50% e-prescriptions, which is enormous. So it fights fraud. It is very efficient.
Oh, well, yeah, the system died for a day. So that also demonstrated that there is some central component involved in that because it's single use credentials. But this kind of use cases that we haven't thought about, which are not in any way tied to our identity, are really, really interesting. And they serve a real purpose, right? And if it's just safe paper.
Kristina, any favorite use case from your end?
Yeah, I'm not sure I have a favorite one, actually, in the sense that I'm not sure we know the whole range of use cases that are going to emerge, meaning we know the first one that sounds promising, but I don't think we still have kind of a really large ecosystem for any of the use cases. There's like thousands of issuers, a few selected wallets, and then 10,000 of verifiers. So I think focusing on a few that have been already mentioned.
Oh, there is, Torsten?
No, no, no, no. I just wanted to indicate to Martin that I want to add something.
Yeah, so focusing on those initial use cases that have been mentioned, making sure the wallets out there, it has first meaningful credentials, and then that kind of becomes the basic platform that should lead to explosion of various use cases. And also, when talking about use cases, I do think it's very important to differentiate different types of use cases, because there is definitely the highest assurance, like government identity, or even how is my life or death related data, versus there's maybe more kind of, I wouldn't say less sensitive, but maybe lower assurance, like hospitality.
Maybe hackers don't care if I'm sitting in aisle or window, that kind of range. And those are the enterprise and consumer identity, obviously, or citizen identity, how I think I like to call it these days. So it's very hard to pick favorite, it's a huge potential, yes. I think so.
Torsten, you want to add something?
No, I just popped out in my head that in the end, all those use cases, and also what Drummond described, depend on two things, which is trust and interoperability. And that has been the biggest obstacle. And since we are talking about a broad range of use cases, most of them have nothing to do with identity, right? They are all different domains with different government, governance structures, and so on. And that has been a real, real big issue.
And that's why I believe that the eIDAS regulation is a very important regulation, because it will set the basis, the fundament for really building that application on top of that. Because if you don't know each other, you need to establish trust. And that's one of the biggest problems that need to be solved in decentralized identity, from a technical and from a governance perspective. And so far, it is not solved. But it's one of the biggest challenges that we are facing right now. And interoperability is the other part.
If you cannot talk to each other, because you don't understand the language of the other party, then it's not going to work. And if you take a look into the immense number of technologies that exist in that space, on the different levels, it's really a challenge to come up with something that all can agree on. And then you take a look in the architectural reference framework, for example, you see that even the European Union could not agree on a single credential format, for example, just as one data point, right? I think interoperability will be key.
It's interesting, we see quite a number of comments in the chat of the event already. So what one is, I think, is very important. Someone saying, yes, we have e-prescriptions in Sweden since years, but without decentralized identities. The claim is, it's not a necessary use case. I would say it's yes or no, you can do it without. But I personally believe you can do it better with. I think it makes it more flexible, more interoperable. The onboarding becomes simpler. This is another one of these use cases. And I think this is very fundamental.
There's a lot of paper-based proving every time you need to be onboarded somewhere. You're asked to provide ID card, passport, diplomas, tons of other things. And this is what we can make much more straightforward by trusting the issuers of such an identity. And I think this is really sort of a fundamental or foundational aspect of the entire decentralized identity sort of evolution or revolution we are facing, that we can reuse these things, that we have trusted proofs of a ton of different things.
And it was interesting, I was on a panel recently where someone, many of you will know it, Andre Durand of Ping Identity, said he talked about tens of thousands of credentials you may have in your wallet. And I think we need to think in scale when we think about this, because our life is big. We have so many things in our life we do. And that digital wallet probably is much bigger because it's relatively hard to carry all your diplomas in the wallet, so to speak, just from a size and weight perspective. But in a digital wallet, we can do it.
We can do it very different and at a fundamentally different scale. And I think this can impact our lives, which, by the way, I believe also, and maybe we look a bit at the key criteria for success. We already heard interoperability. We heard some of you talking about the level of assurance. And I think this is, for me, and I'm also curious about your opinions, for me, this understanding of levels of assurance is also a very essential element. We need to understand to which extent can we trust a verified credential.
And on the other hand, we need to start thinking and not everything must be super, super, super secure, because it depends on what we want to do. So we do payments from our phone to a certain extent every day with our fingerprint or face or whatever, by just unlocking the phone. So we do a lot of things which have a certain level of sensitivity and are not insecure, but also not probably the, okay, there's anyway, no 100% security, as we learned about a German EID card trust recently.
But I think we need to understand which level of assurance do we need for what, especially also when we think about what our self-issued credentials and other things, they can be of a certain value. Drummond, you're nodding. I'm nodding because I do deeply agree with you.
I think as we're proceeding, I'm seeing more and more interest, not just in defining the claims that a credential would carry, but levels of assurance, which is ironic because I think back to the evolution of OpenID and when we were defining the standard claims you could share with an OpenID, we got into exactly the same discussion. Well, can we associate levels of assurance with different claims for the same reason? I think it's persistent, Martin, that levels of assurance are simply something that verifiers are not always, but often looking for, especially for higher assurance.
And so we need to design it in, but it's pretty straightforward to do that as in your design of your claims for your credentials. So it all ends up being, well, what are verifiers looking for?
Therefore, what has to be in the credentials? Therefore, what has to be issued?
Therefore, what does the governance framework have to tie together for everyone? As we put together those ecosystems, we'll start to see more and more examples and things will normalize to some extent. I don't know how long that's going to take. Hopefully it goes quickly. I think there's one other aspect that's tied into what you're saying, Martin. So you mentioned that in your digital wallet, you can have a ton of credentials, right? And so the risk, of course, that we haven't touched on yet is that do you end up with a ton of digital wallets, right?
And that would come from, say, different issuers are preferring different forms of wallets or different use cases. So you end up having a lot of them. And so in terms of what we need for success of the ecosystem, standards, one layer, of course. People interpret standards very differently. So just ecosystems in which you can assure different roles are swappable. I can choose my wallets. I don't have to have a lot of different wallets. And even I can opt out. There needs to be a sort of path for people who, for whatever reason, don't want to use these new types of credentials.
They can continue to use their paper forms for whatever reason. And that's important for resilience. Yeah.
Okay, Torsten, go ahead.
That's an interesting aspect that you're raising. I think today it's desirable to minimize the number of wallets simply because then you can have the different credentials in your wallet and can present them in one context, right? But depending on how the technology evolves, it could also be a solution to have all the apps that you have for right now on your phone for the different service provider, each of them serving as a wallet. Why doesn't that work today?
Simply because operating systems and browsers do not allow you to dynamically pick where to get the credentials from. And there's work underway at W3C to work on this kind of stuff. So I could even imagine a more modular solution, perhaps in 10 years from now, not for the next couple of years. So I think that we should really try to figure out where we can build a good wallet, right? And to get large-scale adoption. But going forward, I could even imagine other kinds of solutions.
So Kristina, go ahead.
Yeah, I think we're talking about the same thing. But to me, the assurance topic feels like part of a bigger problem question, which is the trust framework, right? Where I do wonder, I do think we should be careful with the term user control, because there are a lot of mechanisms needed to make sure that issuer is an authoritative issuer of that data, and to whom the issuer wants to share that data.
And again, it depends on use case, depends on, you know, maybe it's okay that anyone gets the data, or maybe it's not okay, and the issuer wants to have a bit more say in where the user can show that credential. And also, in which wallet, which credential can go in, is also an important kind of checks and balances in place.
So I think it's user control, but within that framework of, you know, like user protection, so to say, you're getting a credential, not from a random entity, but an entity who actually knows that information about you, into the thing, the wallet that knows how to protect you, and you're presenting it to an entity that, you know, should be using that data, so to say, right? Like, getting these three pieces in place and make sure they're enforced, I think are just super key to ensure that people have trust in this whole thing, right?
Because it may sound convenient that like, no, because to earlier question in the chat, and to Drummond's wallet, like, I don't carry that wallet anymore, right? Like, I think many people just carry their phones or laptops, right?
So, and like, yeah, I had to bring my wallet the other day, because I had my, you know, insurance card there. But like, if it was digital, I wouldn't carry my wallet, right?
So, but like, it's not enough, right? Just to say, hey, it's just that it's convenient, you have to make sure that those protections are in place. So I think that kind of is important. And maybe one thing missing is the lifecycle management of those credentials as kind of remaining big topic. Because it's, it's hard.
Like, what does it mean that credential valid, not valid in a digital form? I'm, I'm not going to get into that. I think it's, I mean, we could, but I think it's a really big topic, just like wanted to put the keyword out there.
Well, I want to add to what Kristina was saying, she called it a really important part, because I think that was an early kind of misconception, and still what we combat today in terms of adoption. And I think you touched on maybe Kim Cameron's reaction to maybe the term self-sovereign identity. And so just to lighten the mood a little bit, you know, we don't use that term much anymore, a lot of times, because depending on your audience, there's a non-trivial chance you're trying to, you're part of a cult, you're trying to overthrow the government or both. And that was really bad for optics.
So we started this trend towards decentralized identity we're using now. And it doesn't mean that and well, so anyone can say anything about anyone. So that's true at the core. But to Kristina's point, like, how does anyone you know, does it mean that I can issue Kristina some kind of, you know, state government ID for wherever?
Yeah, I mean, I can, but can I get someone to accept it? And that's really the parts that we're talking about. And I think that's what people may not be aware of, in terms of where the sort of focus is right now, establishing those levels of assurance of fitness for purpose, establishing that this issuer is indeed authoritative for the claim that they're trying to make.
So, yeah, that's a really good call out. Yeah.
So, again, we have quite a number of comments here. Before we continue with this, we talked a bit about criteria for success and touched on what could make it maybe fail, it didn't go that deep into that. But I think one interesting comment is that it's interesting that eIDAS and the EU Single Digital Gateway aren't really synchronized efforts, as it appears, maybe Torsten can comment on that a bit later. And we have some interesting things around wallets as well, like so we can much better check the validity of a credential, we need to do that probably.
But it's also a credential may prove for instance, the provenance but not necessarily the correctness of information. The sample was that a news might have been published by BBC or Reuters, but we don't know whether it's accurate or not. So I think there are a lot of things we need to learn, I think over time, which will be very interesting to see. It will be also interesting to see what happens with when we take eIDAS, what happens with non-EU citizens in that context. So how do we factor it isn't because that will be important. So that is important.
But I think one of the things you some of you brought up and which I see as a as a concern is how many wallets do we want to have? And how do we deal with different wallets? And I think this is this is for me, this is one of the essential thing. So I look at it very much from a user perspective. For me as a user, it's very clear, I want to have more than one wallet. Because I want at least to have a wallet for my personal and for my business life, minimum.
And my personal wallet and my business wallet must be the same automatically on different devices, like my smartphone, my notebook, my desktop computer. So I want them to be synced. And I want to have a friction free replacement of my smartphone.
And I don't want to deal with many different wallets, I want to decide which wallets I use, and how many of these I use, I probably will accept that I can do certain things with my government only with a specific wallet, which is certified, but I would expect my government to be very flexible regarding certification saying, okay, you can use that wallet, as long as it passes a certain threshold, so to speak, in the security considerations, that would be my expectation. So what are your thoughts about that?
I'll start by saying that's also my expectation.
And also what we're increasingly seeing and Gen is explicitly working on is hybrid architectures where you have your local wallets, but you also have components in the cloud. It's not necessarily a cloud wallet, it might be, but it is something that enables those components to work together. There's a number of efforts that have gone on in the industry. As Kim knows, the Decentralized Identity Foundation has the decentralized web node work that is focused on how do those things talk to each other in a secure and privacy respecting manner.
So I definitely think that the very problems you brought up, Martin, are going to increasingly lead to hybrid architectures. I'm curious what the other panelists think about that.
Torsten.
What I have learned in my life as identity architect is, no one is thinking about identity as long as it works. So I fully agree with you, Martin, you just want it to work. I absolutely agree with that. Can we make that work? We will try. Will we succeed? Let's see. So just to pick one, right?
Just moving credentials between different wallets is a super security critical function, because if it is done incorrectly, someone else can impersonate you. So you might need to accept some obstacles to make that work. But basically, I'm with you. On the timeline, I think we are in the beginning. In my perception, one of the key elements why this whole initiative like eIDAS can fail is there's not enough implementation experience. We need large scale implementation experience to really figure out what works, what does not work. And I agree with what Drummond said.
I also, in my mental model, what I need is my wallet that has the credentials that I typically need in my daily life and that I need to identify myself. And there are tons of certificates that I have in my bookshelf or on my desk or in my safe. They can go into the safe or I put them on the wall like my diploma. And I think we need to figure out what the architectures are that work, that scale, that are secure enough and so on. And I'm really excited that with eIDAS, we have a chance to really figure that out.
And there are the large scale pilots that are underway right now, where we will try to do a first test in a large scale across different member states. And I think, and I hope that will inform our decisions going forward. The fear I would have with large scale pilots is that they might be too much focused on large sort of government near use cases with a high assurance profile, but not across the full range of use cases. So I think ideally it would be something which is relatively sort of low assurance as well, as high assurance use cases are covered.
So doing it across different types of use cases. And I think the other risk is if you do it with a few large scale use cases, probably the problem of wallet explosion or so to having too many wallets more likely will not appear because you say these are all use cases centered around a specific wallet. But when you then go broader... Let me counter your arguments. First of all, the large scale pilots that I'm talking about, four different large scale pilots address a variety of use cases, including education, health, and all that stuff. So it's not just government identification.
That would be pretty boring, right? So the large scale means it's across member states. So there are a lot of use cases. And I can also, as the project lead of the Germanite project, if you want to test a use case, talk to us. We can work together on that. Even if it's a low assurance use case, if it is a compelling one, because we want to build an ecosystem that really is embraced by the society. And we are open to that. We run that project as an open public consultation process. So anything about our project, we have an open discussion. We have workshops.
I think Drummond, you already attended one of those. So we want to get that kind of feedback, help us to understand what are the use cases that we need to implement first.
Okay, great. Kim. All right.
Well, so I was thinking about your early question, but then I want to pivot. So there was something about you mentioned having two different wallets. And I think we already got to the idea of we still don't know what these concepts or nouns are. There's going to be some data modeling exercise, right? Because is it a wallet that you carry two different profiles? Like that's not a natural mapping to human experience. But what are those terms? What are those like categories for how you store your credentials? In terms of large scale pilots, you touched on what are the risks that can emerge?
And I think that one could be in terms of the architecture reference framework, specifically that's been pointed out is so formats and signature suites with advanced privacy characteristics, like zero knowledge proofs and anti-correlation. Those are early in the standardization cycle. And so there's a risk of finalizing or freezing choices too early. So I think that the ARF has very solid defensible choices, but the risk is being locked in as emerging standards with improved alternative characteristics become available.
And so I think that the place to really capture that is in the, they mentioned the sort of anti-correlation privacy concerns in the non-functional requirements section. I think that that would benefit from a very sort of more careful consideration and sort of taxonomy to allow those choices to emerge as new alternatives become available. Okay. In the interest of time, we only have some 15 minutes left. So we need more time.
No, no, no. I just said we need more time, Martin. We need more time.
Yeah, I think I have so many comments also here from the audience. I think I want to quickly touch one of these. So what I understand so far is decentralized identity is about wallets and credentials. We're mainly talking about wallets and credentials, not about identities here.
So, but I think this goes back to what we discussed at the beginning, that the term decentralized identity potentially might be replaced better by wallet-based whatever. So that is maybe not the perfect fit. By the way, Drummond, just for your information, some of the people commenting here use DID as an abbreviation for decentralized identity. Even while I know that we are in disagreement here, because DID also stands for the standards of the DID Foundation. I think we probably best let the world decide about this finally. Just so you know, Martin, I have become used to that.
I mean, when I hear DID, of course, I think decentralized identifier, because I spent seven years on getting that standard all the way through the W3C. So then I began, it was actually the EIC last year. I started seeing DID in the title and I said, wait a minute, it's an abbreviation for decentralized identity. And I'm like, oh, but now I'm used to it. So I'm okay with it. That's where the market goes. It's close enough.
Okay, great. So I want to go through three more aspects relatively quickly. The first one is when we look at where we stand with the work, what is the main thing that is missing from your perspective? Maybe every one of you, the one main thing you feel that is missing, still missing, that we need to add.
Torsten, do you want to start? No, give me some time to think, please. Okay. Who wants to start? Kim? We touched on most of the ones already. So I think the huge one to me, and glad to hear it's being factored in, is a wide range of claims. And then making sure that, so like the, how do you say, like high assurance to lower assurance claims, even self-attestations.
And then the one other thing would be things where they're sort of packaged in interesting ways, like ones where you would want to sort of minimize, maybe the collective amount of the credentials would contain a lot of data, but then you want to make sure that you're not oversharing for a given use case. Interoperability, of course, is a non-negotiable. I think it would be nice to have a bit more focus as an industry. And what I mean is, hopefully we can give you your wallet, Martin, in 10 years or so, but we have to take it gradually, right?
We have to prioritize, like we can't solve all the problems, all the questions at the same time. And we have gotten so much better as an industry at that. But I think kind of focusing on starting with what we know works, knowing that maybe it's not perfect and saying, look, we're going to get to a more perfect solution in, I don't know, three, four years. And just setting those expectations clear and focusing on what we want to make work right now.
I think it's already happening to some extent, but I think we should be doing that much more because otherwise, you know, like the industry's focus just, you know, being here and there doesn't really help with like creating bigger, larger scale use cases and deployments. I hope it will not take 10 years, but I'm positive because I think with the momentum, I think the point is always when it starts to become adopted at scale, then we will learn a lot more than sort of in the experimental stage we have been in, in the past year.
So I could imagine this, that was the power and all the attention to EIDAS and the EUDI wallet and other initiatives. And also what is happening outside of Europe, when you, when you look at things like verified credentials in the Microsoft world or things you have on LinkedIn, I think there are so many things that are sort of going into a certain direction that may speed up things massively because the more work on that, the faster we will move forward, hopefully. Yeah. I don't think the point was to debate if it's going to be 10 years or five years or 15 years.
I think the point was, we're not going to get there from the very beginning. Understand that. Time is a factor as well.
So I mean, doing it incrementally has turned out to be a very successful working mode for the software industry in the last 20 years. That holds true here as well. And I think it will take time. And Martin, my own estimate is it's going to take a decade. So we will, we will start quickly and we will roll it out.
I mean, for the German speaking, for the German project, we were, we are considering to really do it incrementally, even things before we are obliged by the regulation. But nevertheless, we need to be careful and we really need to have the time to consume and to digest what we learned in order to improve the technology that we use, because most of the technologies that are being used there are not as mature as let's say X.509 certificates. So they haven't been used on that scale. And what we have right now is we've got attention through the EIDAS regulation.
We've got people, very passionate people working on it. So those are excellent prerequisites, but we need time to really get it right. Yeah. But I think the good thing is more people work on it will make it move faster, but still there will be learnings. And I think, you know, take SAML, take every other standard, SAML, SAML version one versus SAML version two, OAuth versus OAuth version two, SSL version one versus two versus TLS. It's also an evolution. I think it will be, yeah, an evolutionary process.
Drummond, short statement from you before we move forward. We're running a bit out of time. I just want to make the point that where, to Kristina's point about focus, what we're seeing is the focus that ends up being successful is on an ecosystem because you have to put all the pieces together, the issuer, the holder, and the verifier, and the governance in order to start producing the value cycle and to get the flywheel going. We're not going to have one ecosystem. We're going to have many, many ecosystems, and then they'll start to harmonize and we'll get to an ecosystem of ecosystems.
But if we follow that progression, we will get there. I'm very confident. Yeah. So we have one question here. I'd like to pick before I move to the last few topics. So will you, EIDAS, settle on one requirement for wallet and the technical product, or will each country select different products or custom-built based on cross-border needs?
Oh, we have 27 member states, aren't we? The regulation clearly says there are three options. Member states implement the wallet itself, it gives that task to someone else, or it establishes the ecosystem where wallet providers can be certified. And believe me, member states are sovereign. And we use that sovereignty to figure out what's the best solution. So speaking for the German project, we are still in the discussion process, what we're going to do going forward. And we are considering all those options.
So government-provided wallet, ecosystem with even privately run wallets, or a mixture of both. We haven't decided yet. And we also discussed this in the context of the public consultation process. And depending on that, yes, they will use different products, they will use different services, they will use different architectures.
But hey, what I have learned is, even between the different member states in the European Union, there are cultural differences. And you need to acknowledge that and appreciate that. So that they are different, and they will most likely have also different wallets. I like mixture and flexibility. But that's just my opinion. So if you could, in a single sentence, say, why is this topic, decentralized identities, wallet-based, whatever, wallet-based future, so essential for digital business? So not government, but really for digital business. One sentence from it.
I think it's going to have the same impact, Martin, as credit cards did when they were introduced. And we went from cash to a credit card.
I mean, now, of course, the credit card is this, right? I use this for mobile payments for almost everything. And I think we're looking at the same thing, that level of consumer convenience and business value and trust of moving to a trusted digital relationship, which I do think the exchange of the credentials from the wallet to the business is only the start of now what can be a secure, private connection, and many other things will move to that new channel. So that's what I think is going to drive it.
Kim, very short statement. Yes. I'm going to throw out arbitrary numbers. So streamline onboarding improvements by 90 percent, and then even improved identity, streamlining reuse, even within an organization. Okay. Kristina? Isn't it cheaper COGS from like a business continuity perspective? Because if you can get the same data that you need anyway for business continuity cheaper, faster, in a more reliable manner, that's it, right? Torsten?
Well, a digital credential doesn't need to be sent to you by post. So I believe digital credentials will disrupt the way business is done. Yeah. I believe process costs, channel reduction, drop-off rate reduction, all the things, we make things simpler. And that is what I feel is very important. So my final discussion point would have been, will it break enterprise identity management? Will it break our business systems? Will it break things? And I think this is very important from my perspective to understand.
We have, in a positive sense, a disruptive potential for innovation. But it's not disruptive in the sense that it breaks things. So at the end of the day, you can't just add this as an alternative to your onboarding process, to your process you deal with customers or with employees. Imagine you use the wallet and instead of onboarding someone in your identity management system, the person presents the information from the wallet that it's Martin, which is, by the way, quite good with remote work.
And then you add a credential that says, okay, this is Martin, who is principal analyst at KuppingerCole Analysts. And then Martin is in a project at a customer and receives the next credential. So we can do so many things so much better without breaking what we're doing. We will need to innovate. We will need to move forward, but it's not that it breaks. And this gives me, by the way, this gives me the hope that some things will move faster because we don't need to create always a fundamentally new system.
We also can add this to a lot of solutions that we have as just a better way to deal with them before we then leverage the full potential behind it. That would be my perspective. Any single sentence, final statement from you?
Yeah, I do think it has a potential to radically change how we behave digitally, because speaking of identity, right? Like identity is a collection of attributes bound to an identifier, but the number of attributes we can express online is very limited. So to the earlier point, the user can't really pick and choose. So building up on your example, if now in person, I can change what affiliation I tell you, like my body language, you have so much information and I can pick and choose how I present myself to you. And I can't do that digitally right now.
There's just username, password is limited to the attributes tied to it. And if we can change that, if we can make that richer, and if you can get this user selectively presenting different versions of themselves digitally, that will make the digital world so much richer. That will change a lot, right? If we just think beyond kind of just onboarding kind of use cases, it does have the potential to change the digital experience. It has a huge potential.
Kristina, this was a wonderful closing statement for this panel. So it really, I think, summarizes a lot of what we've discussed today. So with that, if I manage to click the right thing, again, the hint on EIC.
At EIC, we will discuss much more of that. All the panelists of today will be there, and many, many, many other experts. So don't miss being at EIC, because I think it's really the place to be when we want to look at a future of where is it going. And with that, it's up to me to say thank you.
First, thank you to my four panelists, Kim, Kristina, Drummond, Torsten, for taking the time. Thank you to all the attendees and a very intense discussion in the chat. So we had really a ton of comments in the chat. I couldn't pick up all of them. And hope to see you at EIC. Thank you.