Right. So first disclaimer: you're my first live audience in, well, over one and a half years. You are super lucky that I didn't forget to put on pants before I entered the stage. So you are also probably totally keen on hearing another product presentation of a vendor. Yeah. I have to disappoint you. This ain't one. I like to talk to you about distributed identity, but in the context of vaccination proof, vaccination credentials, vaccination certificates. Yeah. Different words for essentially the same thing.
The fundamental problem this is trying to solve is: I like to prove something to somebody else, and there should be a strong proof so they can verify it. And at the same time, I like to reveal as little as possible, and only to people that I think are worthy to know this fact. For example, I'm vaccinated.
But again, not too much, so not where and, for example, by which doctor I got vaccinated, and again, only to the persons I like that fact to know. Now, for vaccination, probably like everybody should probably know, but you can think about other use cases where I do not want to overshare this. So when we talk about vaccination certificates and how they get issued, let's ignore a fundamental problem, at least for Germany. Yeah. And other countries use different mechanisms, but in Germany, some of us still have that old vaccination passport, paper based. Yeah. I know.
Probably somebody here from Sweden will laugh about that. They have a really good digital solution for all that. But the point is that, yeah, I know that there is a bit of a security issue taking a paper based thing that I can, you know, easily fake with a printer and then turning that into some, something digital that's trusted.
I know there's an issue. Let's ignore that. The other thing is, when you talk about distributed identity, the topic of blockchain comes up. Is that a solution?
No, it's not. Yeah. At least not for this vaccination credential. Full disclosure again: I'm not a fan of blockchain, and many blockchains should be a database or, as we can see, should be a PKI. So this has nothing to do with blockchain.
So relax. Distributed identity, for those of you that have no idea what I'm talking about. So the distributed identity foundation, they create standards around distributed identity. There are a couple of substandards, like self-issued credentials, the data storage wallet and verifiable credentials. The control of distributed identity, so user self-sovereign identity, is that you as a user decide what you share with others. Yeah. And do that securely.
And again, only to the ones that you trust. You don't wanna always share. Now, if we compare that with identity federation, which has been around a long time: compared to this, identity federation is ancient. Yeah. SAML is old enough to drive a car by now. Yeah. In identity federation, you log into an identity provider and the identity provider shares something with a service provider.
Now, as an individual, you don't really know or don't have any control over what is being shared. You might not even see that if it's encrypted.
On the other hand, if we're talking about a distributed identity environment, you get issued something by, in this case, the equivalent of an identity provider. And you decide with whom you share this information. So for example, you do get the credential "I am vaccinated". And then you decide whom to share it with. All good. Now, identity federation and DI, you think they might be competing, and it's like, yeah. Okay.
Identity federation, you have no control. That's old stuff. It's true. It's, it's, you know, it's mature technology, and distributed identity, that's the cool stuff, you know? Yeah. I can control everything, who sees what. It's certainly better. But we don't believe that, you know, distributed identity will just replace identity federation. That won't be the case. There won't be a winner. In this case, often they will actually work side by side. So you might have one part of your overall, you know, transaction being handled by an identity federation solution. Yeah.
Like the actual log on, for example, the single sign on, and then actually sharing your user profile could be something that's based on some distributed identity standard. And you can mix and match.
As I said, yeah, there might be pure identity federation solutions still, like, you know, in 20 years. There might be pure solutions. And of course the mixes.
So let's have a look at one substandard specifically, which is verifiable credentials. This is the one that is relevant for our vaccination credential or vaccination certificate. In general, an issuer creates a verifiable credential that the owner can present to somebody else and prove a certain fact, a certain claim: I am vaccinated. Easy enough.
Technically, verifiable credentials are little JSON documents, which are digitally signed. So you, you cannot change it. Nobody can change it after they got issued. At least not without being detected. And in the end, anything can be in there. Yeah. For this talk, yes, it's vaccination, but it could be anything else. Could be your diploma, driver's license, and what else.
Now, some of you are old enough that there was something similar about 20 years ago. And some people go like, what was that? What was that? Attribute certificates.
If you were into PKI about 20 years ago, there was something called attribute certificates. And they're like normal certificates, like the one that you may have and not use, like for email signatures, for example. Attribute certificates were just containers. They didn't have a public key. They were just a signed container that actually pointed to your real identity, which was a normal X.509 certificate. And where you can put any information into that. Yeah. So it could have been a driver's license, could have been a vaccination certificate, for example. Yeah.
So anything you put in there you could have shown to somebody else. You had the control over your attribute certificate and you choose to share that or not.
20 years ago, yeah, the Matrix was still new. And now we have Matrix part four. Coincidence? I think not. So, brief again, going back in time: what was the main difference between attribute certificates and verifiable credentials? The format was one of the fundamental things that was different. Attribute certificates used ASN.1. The best thing you can say about ASN.1 is it's mature, right?
Couple of issues here and there with parsing, you know, security issues and so on. But it's pretty mature. Verifiable credentials: way cooler, right? So text based, easy to read. This is what the kids use nowadays to exchange data. Next, proof. Let's go back on topic. Now this is an example of a vaccination proof that I totally made up for this presentation. This is not how this thing looks in real life.
It's just, I wanted to have it on, on one slide.
If you've never seen a verifiable credential, it's pretty much like that. At the top, you have some context. If you're into XML, that might be equivalent to your namespace. Then you have the metadata. In this case, who actually issued that verifiable credential. If it's a vaccination certificate, it would be one of your country's authorized places that can issue those vaccination credentials. Now could be some, you know, health department or whatnot. The next is the actual claim itself. This is including who's this for.
So which identity, what kind of vaccination, what is the status of the vaccination? We all know with COVID-19, in some cases you need two shots. This is all in the actual claim. And then we have the thing that makes it secure, which is the proof. The proof is the part that binds everything together. This includes a digital signature in this case, that of course protects against tampering and makes sure that whoever validates that can make sure that this got issued by a trusted issuer.
Now, this is all in one page. This, you know, again, totally completely made up. This is the real thing, almost the real thing, still fake data, but this is how it looks like in real life. We still have the, the metadata. We still have the actual claim. Who is it for? And what the vaccination actually is all about.
So, you know, which is it, one of two, two of two and so on. So this is what you would actually have maybe on your phone. That's the stuff that you actually showed this morning, if you have it, before you got into the building. Actually, before you got into the show; you already were in the building. So who creates those proofs and how are they validated? Now of course, some would like that they can self-issue a vaccination credential, which of course is not the point.
Yeah. Only a selected few are eligible to actually issue those certificates.
Very similar to a traditional PKI, where you have a bunch of CAs maybe that are trusted and you have registration authorities that can actually issue certificates. It's very similar to the concept here, where you have a bunch of trusted issuers and then instances that can actually issue those certificates. Yeah. The registration office, for example: in Germany, the pharmacies can do that.
Yeah, of course, doctors. In the end, the actual trust point, the one that issues, has control, is in many cases some sort of government agency or somebody that, you know, is an appointed government agency, and that's true across Europe. Now the proofs, and again, pet peeve with blockchain, yeah, the proofs in the current model are PKI based, essentially. Yeah. And this is the perfect fit for this.
There's just a couple of issuers. How many EU member states do we have? Take that number. Even if you double that, it's still a relatively small amount of issuers.
So the PKI model is actually the way to go. They actually thought about using blockchain for this. And I know in brainstorm sessions, it's always, okay, allowed, there's no bad idea. Wrong. This was a bad idea from the start. That should have died 30 seconds after being brought up. Yeah. Blockchain would've been totally the wrong trust model for that one. Yeah. It's, people need to take a step back and say, you know, the trust model that we need is fundamentally not distributed. So blockchain doesn't fit.
So they actually tried to, you know, force, ram blockchain down onto this and make it work with blockchain. That's, it was just the wrong approach, right? So this is traditional PKI based.
Yay for PKI. So the components. We got the issuers. I mentioned that those are the ones that actually do issue the verifiable credential.
Now they, of course, somehow must have the methods to check if somebody's actually allowed to have a vaccination credential. There might be, as I said, potentially multiple issuers; like in the EU, every country has one or multiple issuers. In the end, they create the proofs, they issue it, they sign it and then somehow ship it to you. Yeah. As part of like a printout with a QR code on it, for example. The wallet is also part of many distributed ID architectures. The wallet in this case, in, in Germany, is the CovPass app. Yeah. Where this thing actually lives. Now it does need to be super secure.
So I mean, the credential itself is digitally protected with the signature, but you want it to be secure enough so that not everybody can read it.
And that's the whole point. You want control over who you share this with. So app, smartphone is the perfect place because, you know, you have it all with you and it's secure enough. And then we have the verifiers. And this is where it gets interesting. The verifiers, now, the verifiers, they of course trust one or multiple issuers. In case of the vaccination credential, they need to trust multiple issuers because this thing is valid in multiple countries.
So they can do all kinds of things, like check the signatures, check the schema, you know, check the trust status of the issuer, because one issuer might have, you know, a problem with trust. We almost had that problem in Germany somewhere. You remember? Yeah. So generally just checking on the technical side: is the thing okay? And then give thumbs up or thumbs down.
Now let's have a look how this looks in real life or how this should look in real life. Now we have a vaccination certificate here and we actually see my awesome second name now.
And we have this highly qualified individual that wants to check my vaccination credential. You know, he's highly qualified because he has a Bluetooth headset on. So whoever checks me, the bouncer in this case, scans the QR code from my app. The next thing is the app actually is the verifier. The system was designed to work offline. So this thing checks locally the signature of the cert, of the vaccination certificate, and displays my name, my birthdate and the status of my vaccination. Is it valid or not valid yet? Yeah.
If the two weeks haven't passed, for example. And then the individual that validates that would need to check if my vaccination credential actually really belongs to me. It's not an identification document. Your passport, your identity card identifies you, not the vaccination credential. So what needs to happen is that whoever checks the vaccination credential actually checks your passport or ID card, and they need to check. If everything matches and everything is okay, they let you in and you can start the party. So at which point, yeah, 1, 2, 3, 4, 5, at which points can things go wrong?
This is the interactive part of this presentation. What do you think? Which parts can go wrong?
Party, as always; always the risk that the party's not good. But except the party, except the party: what can go wrong? At which point can things go wrong? Four? Anything else?
I actually say two, one and four. Every point a human is involved. Why? Because how many times have you showed your credential, and they just look at the QR code, maybe scroll it up a little and wave you in?
Yeah, they actually need to check this with an app that does the verification. I studied computer science. I cannot read a QR code just by looking at it. So I don't think anybody can, so they need, actually need to check this. And the second thing is they need to check if it's really you, if the credential is really something that you own and it is issued for you. Which brings us back to this morning: who of you had to present passport, ID card when the vaccination credential was checked this morning? Crickets. So close, KuppingerCole. So close. Yeah.
That actually was not correct this morning. They, you filled out the paper, you put on your own name. Yeah. And then they waved you through. They checked it, they scanned it, but they didn't make sure that this certificate belonged to me. Did anybody have that check, ID card, passport?
No, almost, almost.
So finally, I told you it's not a product presentation, but let me just briefly tell what SecurID does with distributed identity. We have a prototype of, of a verifier service up and running at verifiable credential IO. So full points on domain squatting. And you can actually have a little playground here where you can validate verifiable credentials. And of course, security. We do a lot of MFA around multifactor authentication with smartphones, hardware, identity confidence scoring, and so on. Registration, we do all that as well.
But again, this is not a product presentation. Now with that, I have 26 seconds that says on my screen for a question, for example.
Okay. There we are. Yeah. So first of all, thank you. Thank you. Yes. First of all,