Stepan Gershuni, VC Marketplace WG Lead, Decentralized Identity Foundation
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Okay. Hello. Hello everyone. So goal of my talk, I will be speaking about decentralized identity. What problems does it solve? And then what is the step, the next step after decentralized identity, how we build decentralized persistent reputation, what are the real world challenges that we're facing today that it can solve?
I, I will explain a couple of use cases and then offer model of how we can design a decentralized reputation system. So, Yeah, so as I, I, I believe all of, you know, the trust problem and, and, and the problem of identities becoming more and more important and pressing in the modern world in just the last few years, YouTube pandemic due to growth of digitalization, the number of users of our digital identity increases increase exponentially. So today we have people who work for companies for years, like two years who never met their, their coworkers.
We have people who do a lot of their business activities online. We have businesses who do multimillion dollar deals through zoom and, and, and digital digital assigned contracts. And that is only going to increase. So Eric Schmid, I think it was year 2007 when he gave his radiation speech. He mentioned, he said, this words that in network worth trust is the most important currency. And since then, this just became more and more true. So just a few words about myself.
I'm a lead product manager at affinity with developing self-sovereign identity frameworks for developers, and also building use cases on top of those in Europe and, and Asia, India, Singapore, and China. I also found that a south sovereign identity company focusing on educational credentialing, which is still operating, but I'm, I'm not very operationally involved in that. And I'm working with Steve distance, rather identity foundation, which is organization focusing on standardization and designing use case authentic and, and, and ways standards to use decentralized identity in real world.
So I want to trust to just take one step back, talk about what identity and decentralized identity actually means. So identity in, in, in, in the, in the context of, of decentralized identity is, is, is just for two things. So first it's identifier, something that identifies you, inly your passport number, your phone number, your blockchain, address, your email, and then a number of attributes. And we use this term decentralized identity. When we want to apply this model to the use cases where this is not controlled by any single entity.
So that's, that's pretty simple. Whenever we need possibility. Whenever we need to reuse this data across multiple sources and service providers, especially those who do not have good trust or connection between each other, we then use different self-sovereign identity or decentralized identity technologies. And we achieve this portability and control of the customer over their data. So instead of using Google or Facebook, we can now have our own identifiers that we fully control, and we can use to get access to multiple services. This is to put this into perspective.
This is actually very old problem. It existed for Melania actually for, yeah, for thousands of years, the problem of establishing trust between people is part of every economic transaction. If you think about it and way back, it was just personal. And if I personally know someone that means I trust them, it was quite simple. It worked well. We needed to scale it. So civilization grew. So we invented paper based trust. We have documents, we have stamps.
We have all these things to scale creation, trust between people and that solved the scaling problem that also introduced a lot of vulnerabilities. You can now temper with documents, you can create fake documents and that problem still persist. And then in the late 1970s, public key cryptography was invented. And that obviously created a new wave of methods of how we establish stress. So today, every time you open up a webpage, every time you do a credit card transaction, every time you send a message digitally email, it is signed through digital signature methods.
And that is what we primarily use for every identity application to take. So that also allowed us to scale the system much faster, allowed us to reduce the cost of establishing trust by hundreds of times. But it also comes with, with, with challenges. One of those is that we need to have this system centralized at some point.
So if we, if we design a public infrastructure, as someone who is controlling it for, for DNA system, for identity providers, there's always a controller who can influence the system and who can even gate our access to our personal information. And another problem that I want to talk about is how trust is structured in the modern way. So fundamentally trust is established through credentials and credentials are binary, atomic, atomic things, atomic events.
So on, on the left, I have kinda a, a very rough representation of how bureaucratic or credentialing systems work today. And example of that could be education. So if I'm studying in university, I get my diploma after 3, 4, 5 years of studying, and that is like a step function. So I didn't have diploma. Now I'm certified professional and suddenly, or maybe I'm learning how to drive. I got my driving license. Now I have this credential. I can get access to new services. I can find a job. I can drive a car on the street, but this is not how reality actually works. In reality.
When I'm studying a university every day, I meet new people, I learn new things. I complete different projects. So every day there's new skills, new competencies, new information that I acquire and reality actually represents something more like this graph on the right. It is more like a gradient function where every single day there's a lot of events happening. So we cannot really compare. So due to simp, we had to simplify the credentialing system.
So we invented these things like diplomas, like driving license, all the standards documents, and that was the best solution we had for this paper age. However, for the digital age, we can do much better. So we can actually now capture all these smaller atomic events and build this persistent reputation that is not bounded by the single organization that can work across multiple sources of data.
So my, for example, my professional reputation is not just the fact that I have diploma and CV. It's the fact everything that I did during my working career. It's everything that I studied. It's all the projects that I completed. It has all, it's all my network. It's all the information, or I dunno, books, articles, papers that are read. And today it is actually possible to capture all of that. The problem that exist is that these things are siloed. So the main problem is actually fragmentation of this identity.
So today I want to give another example, which would be a driver who works for Uber. They have their own reputation. So when you complete the right, you can rate your driver and it builds up their profile. And that actually allows them to, to basically make more money and, and, and, and, and kind of go up in tier within Uber system.
However, if I'm working as a taxi driver for Uber and Lyft and get taxi and grab, or any other of those services, it is not possible to transfer that reputation across different applications. Same thing happens for the same problem with education. So I can have my LinkedIn profile and, and, and the problem is that it cannot be fully trusted. Anyone can put any information on their LinkedIn. They can put anything on their CV, that data is not verified, and therefore cannot be trusted.
So employers have to spend, and on averages cost about $4,000 to do the whole hiring and assessment process to hire one employee for, for, let's say it company. So, because, so, even though that data already exists, all those records of my, of, of different learnings, different projects that I completed, it exists in the digital form. It might even be cryptographically signed because of the fragmentation of this platform platforms. It is not possible to combine and have them in the, in the, in the single reputation profile.
And moreover, this should not be owned by a platform like LinkedIn or platform like Uber. It is actually data about myself. So this is where the self sovereignty principle comes in. There's nothing today from technical standpoint, that is stopping us from building a reputation system that is fully open and decentralized and allows customers and users to build their reputation throughout their life. It can be professional reputation, it can be education, it can be anything, it can be business reputation, it can be anything. And it allows actually getting more services.
So fundamentally what we are solving, we're solving the cost of establishing trust. And if we, if we are able to breach those fragmented sources of reputations into a single system or a single data vault that contains all the data points about my let's say, professional working history, we are able to reduce this cost drastically because there's no need to integrate and directly wear this data from different providers.
Oh, verify, do this background checks each time you hiring a person, maybe another example. I recently moved to Germany. I used to live in United States and Russia. So everything that I had, a lot of different reputation, kinda profiles that I built up during while I was living in different countries. So when I move, when I changed my country, I need to start from scratch. So I need to start again with my credit rating. I need to start again with my educational.
I had to translate my diploma, which actually costs like 500 euros because I had to physically mail my diploma from California to, to Berlin and then do a translation. And, and, and, and yeah, the fundamental again, problem is that this is not, there's no easy way, no standard, no protocol that allows us to, to transfer this data. So I want to share some principles, how this protocol, how this distance reputation system should work.
So, first of all, it has to be open. And by open, I mean, it has has to be opensource, but it also has to be trustless. Trust. Examples of trustless systems are blockchains. For example, those are systems that are not only, they're not controlled by any single entity and they are radical open. So the security model is based not on the fact that they're GA there's gated security perimeter, and no one can get the access because those systems are actually quite regular getting hacked banks.
And I dunno it corporations, even though they have those security parameters, they're still getting hacked blockchains. On the other hand, they're completely open. Anyone can do anything. There's no person. If we take example of Bitcoin, there's no person that has more control, no developer that has more control than anybody else. And yet that system is securing almost three of dollars. And if you're able to hack it, you have a bug bounty where three of dollars, not, not, not a bad thing, but, but it works for over 10 years.
And, and, and, and that's a, that's a good model. It, in order for it to work, it has to be built based on the share on the open shared standard.
It, it has to give full control over the data to, to the customer, which means that the data has to be encrypted and stored ideal in decentralized form, maybe using decentralized addressable storage system and another important part about reputation. It has to be the main specific. So you cannot have general reputation of how good of a human being I am. It has to be very specific. So if it's a professional reputation, it has to measure my career and my professional activities. If it's my reputation as a driver, it has totally measured those things.
So there's no reason and no value in mixing those together. So we are not to trying to build like the credit social credit score system like China has, which is fully controlled by a single entity and kind measures all things about the person of how good they are in general, that doesn't help unless you want to use the system to, to control. If you want to, to use the system to empower people, it has to be controlled and own by the end users. And it has to be very specific for, for the application.
And then lastly, just, I want to share some of the values that I think are important and this disinterested reputation protocol can create. So the first thing that it does, it basically extracts the function of reputation from within the firm or within the application into this open protocol. And that is, and that is benefiting both enterprises and, and customers for Intel customers. It's what I explained. I just have control. I don't care where, where my data originates from.
I can access it at time and share it with anyone I want, but then for the enterprises or for startups or smaller companies, it is important because they don't need to build this from scratch. So every end or B2C service that is large enough, it has to have some kind of risk scoring or reputation system. It costs a lot of money to build it. It is complicated.
So instead of building it from scratch and hiring the whole team, why don't we offer it as just a few, few lines of just a few API endpoint that they can use to create this self-sovereign identity profiles and, and build reputation for their customers. And then we can also have, and, and, and, and the design that we're working on, it can assume the fact that you can have multiple scoring models. So for the same professional reputation, there's no need to you. You don't have to trust any single scoring or assessment method or procedure.
You can have a marketplace, or you can have a competition of different assessment techniques that are using the same data. So me as a customer, I control my data world. I have all records of my professional activity education. Then I can share it with different scoring models and whichever scoring model produces the most accurate result will be used more by the employers who want to hire me. So there's an open competition. It's not a, and open competition ultimately produces, produces innovation. Yeah. So that's brief. That was brief introduction into why disinterest system is important.
I think the end goal is to enable and actually empower ability to generate trust between people are in gradations that is done in peer to peer manner. That does not, does not rely on intermediaries.
That, that, that, that enable it. And yeah, if, if you're interested in the system, if you want to see it in action, or just learn more, please reach out as my handle on, on, on different social media networks. And thanks a lot for, for attending.