Kantara Workshop at the Consumer Identity World 2017 EU
Alexei, can you take us away So I can start Cool again? Well, welcome everybody. So for those of you who don't know me, I'm out process. I'm the president of Kantara at the moment and have been for a few years now. And this is the second in our series of these workshops that we've had this year. So we have the first one, September, September 11th, we had September 11th in Seattle where we went through this, we've got this one today, and then we've got the next one in December 11th, 13th, 13th gonna be in Singapore. So really if the world tour that we've run around yet and the 12th. Okay.
And it's been, it's been a really interesting sort of voyage teaming up with KuppingerCole in terms of looking at the consumer identity space. This is one that Kantara is quite heavily involved in and very heavily invested in. And so during the day, I'm gonna hand over the column second and, and sort of go through things. But during the day, the purpose that we are here is so that we can try and share with you guys what we are doing and, and in engage in discussion.
And so, you know, we've got some panel discussions out here. We've got various people who are gonna be giving some presentations ample time to ask questions, to talk about things that engaging conversation and having the conversation with us in here in the room really widely are here. So I encourage that as we go through event and go through the day.
So yeah, at the moment, I'm hop to backup data on the moment. Welcome. Thank you all for coming.
And John, Thanks Alexei. And to the event, as you know, tomorrow, we'll start our part of the event, consumer identity world be focused on all aspects of consumer identity, particularly here, GDPR, and some of like are as partnering with us on these. It's a good opportunity to get the tire message out about the work that they're doing. Cause it is quite important, especially with things around GDPR. And then we'll have the event here this week and again, in Singapore in a couple weeks as well.
So if anyone would like to join us on, on the rest of the tour and for now, I will turn it back over to, Right. Thank you, John. Thank you a and welcome everyone. It's it's great to have you here in Paris and we're just, what we're going to do is really just walk through. I was trying to give you a sort of a sense of what the agenda is, is playing up. Like you want have a quick look at what the, the afternoon is.
That's we'll get to it in due course, but I just want to, first of all, cause ad by welcome to everyone, else's I, the executive director of Kantara and many of you know me, but if you don't here, I am, it's lovely to meet you even, even if just virtually at the moment, but by the end of the day, I hope we, we know each other pretty well. What we're gonna do here is we've got an interesting sort of mix of, of folks because Kantara, as a global organization has quite a large presence in mainland Europe and we're go, we are presenting with some of our workshop, our working group chairs.
We're going to present some of their work in the different working groups. So you're gonna have a chance to meet and interact with those working group chairs. Basically the, the, the day has kind of cadence to it in the sense that we're going to do some sort of standups and short, short presentations followed by a panel of some of those people and, and potentially some of you as well, the audience, if that's what you, if you feel that you can contribute along the way.
So that's the kind of idea we're going to basically start with an overview of Kantara cause just to give me a sense of how many have not who Kantara at all. Okay. So it's about five six of you. Okay. The rest know it. So you put your hand up if you know it reasonably about a few. Okay. Know it well. Okay. Right. So it's roughly a third, a third or third. Okay. That gives me a kind of sense.
I think we are probably pitch pitched the day upright then, because I'm gonna start with sort of, kind of giving you a walkthrough about what Kantara is, the principles that holds a brief overview of some of the work. And then we're gonna sort of kind of get into more detail cause you're gonna have your working group chairs and, and sponsor Ellen with us. This is with his not president's hat on for a moment, but for sponsor hat on followed by the, by the work chairs and corn Rouge has a special announcement, which we've reserved for today.
We're gonna finish the coffee in around an hour 20, something like that. And then we're gonna gonna get into a little more detail there around the some specifics that are actually coming from some of those working group chairs. It's almost a sort of a pivot to relating some of Kantara working group, working group work into some of the things going on in the EU. And we're gonna finish then with sort of a board facing panel. And we are proposing to finish, get into lunch at around 1245, something like that. Then we're going to move into the afternoon session.
You'll see that we're gonna open that up with Joren who's in the audience now from DIAC and Katrina Dow. Who's not yet in the audience that she's got other other meetings this morning in Paris. She's joining us in the afternoon from Miko, and they're gonna give us a sort of a, a different jurisdiction, different continental view of things of, of that's why we called it postcards from abroad, few things that are going on elsewhere in the world. And we're gonna have them up on a panel that panel too, there is really all about pulling together.
Some of those ideas with a sort of, kind of a, you know, what's missing, what, what need, what gaps need to be filled in terms of the, the consumer identity access management offering, is it as it's merging, merging into today. So we're gonna finish then around three o'clock for coffee. Then the afternoon is really going be after the later afternoon session is more specifically around vendor solutions.
So these are members of Kantara who, you know, both volunteer their time and effort to Kantara, but also of also running businesses, their businesses building and thriving on the, but as they consume Kantara's artifacts. So we're gonna talk to you a little bit about what they're doing in some of that space, again, around four 15, we're gonna have those folks on a panel. We might add again to we'll see how the room is shaping up. At that point.
We might add other folks to the panel in the, towards the end of the day, we're gonna have almost like a group session about what more can Kantara do in the, in the mainland EU area. What can we achieve in terms of pieces of different work that might have come from the gap filling exercise that we could potentially get into? Because we have, you know, the ability, the working group structure, the publishing structure, and so on to do that.
So we wanted to sort of, kind of get your ideas in a sort of collective and collaborative way about what new pieces of work need to be done, who could potentially do them, who will pay for the work to be done. And we are finishing around about five 30 quarter to six when we are going to be moving across to cafe Lockwood, courtesy and four truck who's turned on some drinks and some nibbles there to, to end the day with them a nice congenial fashion.
So I'm just going to any questions, first of all, about the agenda before I move on Claire as Martin, of course, it sounds very organized and now you're gonna find, we really are next up as we go along actually now, and this is the very first, first sense of that because I just, cause I just see, cause I just see the next thing is that I should have bought a sign in sheet, which I do have. So I'm going take this and Make sure this is the everything you say. Okay. So you are having a sign in sheet coming around. Now this is just in time organization, right?
And this, the sign in sheet basically says, well, these are our, this is our privacy policy and this is our, our intellectual property policy. And we give you links for that. But fundamentally what it says, the way that Kantara runs, it has four intellectual property policies and a working group typically chooses one of those for, to operate its work. Under what happens is when you join a join a working group, whether you're a member or a non-member participant, you are signing a thing called a group participation agreement.
And the group participation agreement basically says that anything that I'm contributing I'm, I'm effectively, you know, I it's free of other, I it's my it's my contribution. And I'm contributing it to you. Otherwise, I'm going to say, no, it's not my IPR. And it belongs to this other entity or person and effectively we're able to use that, that contribution in the work. Now of course, what we do is we do a double check on that when, when we come to publish something, that's why we do a public review and the chance for folks to lodge any IP claims in any other work that they see.
But the, the issue that we've got when we have these kinds of group discussions here is you've got a whole bunch of folks that haven't signed a group participation agreement who may contribute from the floor. And we would love to do that, but we want to be really, we want to have it, make it really clear in your mind that as you do that, right, unless you tell us, no, this is not my IPR. Please do not use it. Or this is my IPR and we don't want you to use it in any way, shape or form. We won't write anything down.
Then we basically need to know that otherwise we're going to make the assumption that if you are shouting it out from the audience, that you are expecting it to be noted, consumed, and otherwise, you know, taking them to the work. Okay. So that's the way that we're going to, but that's the, basically the way that we run these, these meetings and we, we try to run them almost like in extension, if you like as an extension of a, of a typical working group.
So moving along then, I just want to give a little bit of a context here, because as we get into, you know, the wise of where force or Kantara, we really want to start with that sort of scene here, you know, what's, what's the domain. Well, the domain that we're in of course is digital identity and personal data. And the transformation of that we're in this industry, we we're either consumers or, or suppliers to this, to this industry of consumer identity management and personal data. We could call it different things.
We could, we could describe it in slightly different ways, but fundamentally that's what it is, you know? And it's in, in, in many domains and in almost every domain, really you have to have this sort of, kind of collect collective action, this, this sense of collaboration moving, moving, the dial, moving things forward.
It's, it's an interesting thing I find actually, and, and it's often folks say, well, what can I get? This is particularly companies actually, rather than individuals, companies will say, what do I get out of Kantara? What do I get?
And it's, it's a two-way thing. It's and what are you gonna contribute for? What you get out? Because it actually is a two-way, it's a two-way street there.
This is, you know, this, we are, you know, a, a, a fairly cash-strapped, nonprofit, you know, we are not a global corporation. You don't get everything out. It's not a one way, one way traffic.
It's, it's a, it's a two way street where you contribute as much as you put in. So for Kantara itself, of course, what does, what does, what does this mean? Cause many of you, many of you have, you may have seen the, the Kantara logo. And of course, Joanie was in the audience was here and this was, this was produced in 2009. And you can see there that it's a little stylized. What do you think those it's a, it could be a rainbow.
Does anyone sort of sense what those, what those little impacts of, I bring it back to much, a much bigger one, say much bigger on the left hand side, so you could call it various things, but that little stylized sort of half loop thing's actually intent to mean bridge because Kantara is in Swahili, African languages, Arabic, Arabic down through central Africa, Swahili means bridge wooden bridge. And in fact, this name was for Kantara was, was given to us, contributed to us by NA Saur Ofri also chairman of the OpenID Foundation.
So it was NA's name course, Nat being Japanese, his, his parents were diplomats and he spent most of his childhood in Africa and he learned to speak quite a lot of the language. So that's how the name Kantara came to be wooden bridge. Everything we do is done in a set of, in a process of collaboration and doing things together. So what are the things that we do?
And, and one of my Twitter, if you follow me on Twitter, I'm at to say quite often others talk, we do, because we are in a, we're in a, a space where there's any number of folks that tweet and blog and white white paper, and they survey and they, they, they comment and they observe that they run conferences, but what do they actually produce? And the point that Kantara, it's always been to produce something tangible and you'll see that coming through the work groups and you'll see it coming through the work that it does.
That's why it actually has an operational side to it as well, founded in 2009 Delaware. And very recently also founded in Estonia. And it's not a, it's not a wholly owned. The Australian operation is not a wholly owned subsidiary of the US. It's a completely separate operation and a separate organization that was deliberately done.
Initially, of course, when, when I, I took this role, I was offered this role from Joanie and she was departed, departed to the great white north. The, and I was, I was, you know, as a New Zealander, but having a British passport and, you know, in stage in life getting a US work visa, wasn't gonna be the easiest thing in the world. So the board decided, well, that's okay, Colin, just use your, your British passport and, and go to England and set up, you know, can, we've always been wanting to do it. We all set it up in the UK. So that was fine.
And then of course, when we heard about this, this referendum coming up for Brexit and we thought, well, you know, it's never gonna happen, but you know, maybe we'll just wait. So we decided to wait till June, of course we know what the result was there. And then of course at that stage, we then had the US election started bubble.
We said, well, you know, it's a foregone conclusion, isn't it. But let's just wait and see how that plays out. So by the end of that, the board were pretty determined that we weren't gonna actually have any hard connection between Kantara US and Kantara Europe.
Very specifically, if you remember some of the election rhetoric from the Republicans around how data was going to be surveyed surveilled, if you like, we wanted to have the option of actually bringing the complete membership database, the US, and putting it into the Frankfurt service so that we would actually have it completely out of the site of the US government month. So that was the reason for having the separate, the separate organization in Estonia, strong ethics and societal purpose. Something that you'll see very much in what we do.
And basically we have that notion of wanting to give, give users back control of their data. And we'll actually see that as a sort of a, a fundamental underpinning all the way through Kantara's work.
It doesn't make us popular necessarily with some folks that we want to do that it makes us core as a result, but we are very strong principle about giving the power back equalizing if you like equating the power between the customer and the service provider and, and particularly around the power of what they can do with their data, the business model is, well, we already talked about below barriers to participation just before I move on to that. And that was because you can actually, it's not a pay to play organization. It's a very diff very, very difficult business model to run.
I might add, I dunno how Jo did it. I'm still learning, but it is a difficult business model to run because most are run on a pay to play. In other words, you can't join you. If you don't join, you don't get anything. So because Kantara has this principle of low barriers to participation, it actually a lot of its stuff is available for free and you can join and, and contribute into a, into a working group without, without paying any money at all.
There's a limit to what you can do when it comes to decision making, for sure, but it's possible to do that, but it is one of those things that, you know, the more you invest, the more you get out of it. And that's why you have, of course, the working group chairs and representing those organizations in the room today, because this is a way in which we can pay back their contribution to us. The membership, their business model is effectively. Those three things.
We, we make our money such paltry as it is from membership dues, from running the trust framework. That's the process in which we have our accredited assessors, assess some assessment, some requirements, service assessment criteria. We typically call them out of a standard and they approve service providers to be able to, to demonstrate conformance and compliance with that standard or set criteria and our trust mark for it. So we have a, a business around that with our major customer, the GSA, the General Services Administration in the USA.
And we also have the working groups as a, as effectively, the, the, the, the thought bubble, the innovation part of the side of the house. So basically it's bringing in an idea, building it through, towards a report, building it through towards recommendation or a specification, sometimes some of which move to the, to the trust framework, the trust services side of the house to be monetized to a program completing assessment.
So we have these sort of, kind of, you'll actually see this going through the, the membership side, but then particularly something starting off life in a working group, and then moving across into the trust services side.
Our mission is there though on the screen, the global consortium for improving trustworthy use of it and personal data through innovation standardization and good practice, pretty straightforward, easy to think hard to do, but folks in the room are spending great parts of every day, helping us make that, make that so our value proposition to, to folks, whether they are government members, corporates, individuals is fundamentally, particularly for the corporates is brand association with the things that we do and you'll start to, and this is an example, as you've gonna see a different series of logos coming up on the screen, this is a way in which member organizations who are going to speak to you today are able to associate their brand with things that Kantara is doing.
And the other thing of course is, is it has, because it's got the low barriers to participation. We actually get a whole bunch of, of leading, leading edge thought thinkers into Kantara where you typically wouldn't have them. You wouldn't find these people in a corporate environment, but something that, you know, a lot of that bleeding edge thinking doesn't come out of the corporate space. It actually comes from individuals garages and, and, and round coffee machines and so on. And it's a way of trying to find a venue where, where corporations can find those people and tap their knowledge.
And that's certainly what we try and do. Some folks join us because of our formal liaison with ISO working group five.
And we, we actively contribute into that and contribute some of our work that way as well. We do have one with it, UT and other folks, but it's certainly the ISO working group five one that we are spending most time on. And so for those who aren't able to get to their national, their ISO national body, you know, they they're shut out for some reason, or just simply find the process too difficult. We find that they tend to come to Kantara and use our relationship with them.
So they can see the documents, the draft documents coming down from ISO and be able to have first side of them and contribute to them. So, and we have this, you know, this mix of thought leaders, individuals, and organizations that I said quick snapshots, not all our members, but it's a quick snapshot of, of what's there. And you'll sort of, kind of see a real mix of, of small and large of identity folks of personal data folks, some of whom you going, you are going to hear from today.
So these are probably, I I've, I've chosen three, but we've got a lot of other work as well that you're gonna see on the next slide. But these are the things that we're best known for certainly in the standards and specification space. ISA often UMA is, is mentioned as it is in the UK, often without any attribution to Kantara, but that's where the, the standard that's where the standard looks, that's where the work is done.
And it's, it's basically the only game in town when it comes to access user managed access control in Europe, we tend to think of exact doing that, but exactly is a corporate centralized. Very, yeah, it's, it's, it's an industrial kind of way of managing access, which is not really user driven at all.
And UMA is really the only game in town to be able to do user managed, delegated access, and that's, and it's built off O and of course, one of the things, if, you know, ol quite well, it's, it's a, it's a two party, two party sharing construct, and basically we've created, we've extended our to make it multiparty. We're gonna talk a little bit more about, and I think we might be, we're not gonna be joined by Eve Maler. Who's been championing UMA and the workers, the chair of the, of Thea working group.
We're not gonna be blessed with her today, but we are gonna be blessed with Justin Richard, Richard. Who's going to be, who has done a lot of work for done a lot of work for Kantara generally actually with the, with the consent receipt machine readable work as well, the consent receipt specification getting a lot of traction and a lot of awareness in, in Europe, because of course it was, it wasn't really, it's not fair to say that it was purpose built for GDPR mark.
Was it because it was really, it was it's it's designed as a global as a global specification, but it has particular application to the consent requirements in GDPR as a, as a underpin standard. So a lot of these things, of course, you know, consent receipt is a classic case where we are having a strong interchange with ISO C 27 working group five, where ISO 2, 9, 180 4, I think going to see it to first committee draft is privacy notices and consent. So you can understand how, how close these two pieces of work are. And the editor for that is none.
Other than that, Saara from NRI and Kantara board member the third and last, but certainly not least is Kantara's trust framework operations put in the two logos. The two trust marks there for accredited assessors. One of whom is gonna speak to you today. NSU is NSU is an accredited assessor for Kantara in Europe.
And Kantara the approved logo is the, is the trust mark that service providers get once they're ceased against the particular set of criteria, but there are more, and you're going to hear a little bit about some of these as we go on during the day, cuz we have representatives of some of the working groups in the room. We certainly have, we have IRN, we don't have a federated intra working group rep to talk on the, the implementation profile that we're doing with the higher ed space. We don't have anyone on smart on blockchain, smart contracts.
I'm I, I can't attribute at least in public where this, where that quote came from, but it was someone very, very well known in the USA in the federal space. And it, it makes interesting reading actually the blockchain smart contracts report. And we've actually, it's it's for several months, it topped our list of downloads because we are counting the number of people that download our specifications and, and thoughts. So I'm going to take you through a number of lenses here, as we do this into ways in which you can look at Kantara stuff.
One is that it's sort of kind of a nurture develop, operate. There's a sort of, kind of cadence of, of bringing some work in whether it's something that we've driven ourselves or it's something that has been sponsored in, in there. And an organization is using that Kantara development platform to take an idea through to a report or a specification, whatever it might be. And out of that, we build those standards and requirements, which in turn, we turn into assessment criteria to operate a trust framework around.
So, you know, as I was saying to a director quite recently, trust frameworks are fundamentally, they have a commonality and when you and the, the discussion was, oh, but you know, we are looking at one, that's got that's on a different subject, in a different scope. And I responded to him saying that trust framework are like cakes. You can have chocolate ones and banana ones, and you can have some with icing and you can have some in the little but funded. They have to have some fundamental pieces of the recipe like baking.
So, and, and basically if you have those fundamental things, they are a trust framework and you, you modify how you, how you operate them and how you manage them depending on what those different, those different toppings or flavors might be. But fundamentally they are the same thing. So it doesn't matter really whether you're doing an identity trust framework or a personal data trust framework, they have to have some, some, some evidential key components that you actually apply to it. So we have certainly done that in the identity space for the US. And we hope to do more of that in Europe.
One of the interesting things of course, is that, you know, the, the certification that we have to the authorization, we have to operate trusting the GSA from the one that we would have to have if we were gonna operate it for government UK, verify, which is different again from the one that we would've to have, if we were going to operate it for eIDAS, which is different again from the one that we would've to have, if we were operating it for the digital transformation agency in Australia.
So one of the hard things for a non-profit in this sort of kind of space is there are just so many different sets of criteria and hoops to jump through that. It does make it kind of frustrating at times to, to be able to offer fundamentally the same thing in various, slightly different flavors, all costing you more money. Another way of looking at is kind of in this gear type scenario that it's basically effectively, we have this, this cadence of, of working together, building membership and, and liaisons, and then applying governance structure over the top to the work.
So yeah, not unlike O has like to see Susan in the, she may disagree with him in the audience here operates its white papers. It's registry the economics of identity conference last week, which was very good I here, but there's a difference perhaps with, in terms of operating a service. And that's really what I wanted to sort of try and get to there. Another way of looking at it is, is the sort of, kind of two sided platform.
It looks a little bit like the OpenID Foundation here because you know, OpenID has, you know, you can build various, there are various working groups that take the OpenID protocol and, and apply it in different ways. And it does have, you know, a self, self attesting platform for OpenID, interoperability and connections.
So, you know, from that perspective, it's got some elements of the same thing, which is fine if you've got the OpenID protocol, but if you haven't got the, if you've got, if you arrive and say, I want to do something with another protocol or something with something different, then that in the OpenID Foundation's not the place to do that because the only work on the OpenID protocol. So this is another way of looking at it and then refine and implement. And another way is really to look at the, the working groups in a continuum, through a program.
And I'm trying to give you these sort of, kind of thoughts here and just as I finish off and pass on. So once again, just covering off the strong ethics, the community principles, the brand association, the center of excellence. I sort of kind of wrap those up, I think in the last, in my last few slides.
So I won't deal with them in any great detail here except to say, you've gotta have them present if you're gonna actually move some stuff forward, particularly as a, you know, as a, as a nonprofit and, you know, working with volunteer large and volunteer labor, I just want to rest a little bit on, on Kantara Europe, still under construction effectively. It was established in tar in January, it's effectively at the moment using it. It it's going to be in many respects, look very much like the US it's gonna have mirror of the, of the US website with some things changed and personalized.
It's, it's basically it operates to use the Kantara trademark and logo type and all the artifacts. It does that through a license agreement with Kantara US.
It says, I've already said it's, it's running servers in Frankfurt. And it basically in all, all respects, including membership is, is fortunate at the moment the, the Euro and the US dollar are so close that it just basically makes sense to, to make it the same, the same dollar or Euro amount. We'll be announcing a little bit more about that early next year. But one of the, one of the thoughts that we wanted to leave you with here of course, is what else should Kantara Europe do?
And, you know, certainly we've been involved within two months of it being formed. We found ourselves as a consortium partner for project. We dunno whether we've been successful in that. And an interesting, an interesting twist we actually find in Kantara members that we have a whole bunch of other folks that are actually in, in an opposing bid.
So, so it'll be interesting to see which, which group wins that, but there's already agreement. That's gonna be quite a lot of collaboration because the purpose for this consortium for taking Kantara Europe is because they wanted to use the development platform. It seems that from the other aspects, from the other bid that we've seen, that also makes up Kantara members was actually in their mind that they were gonna use Kantara's platform if they won as well. So whichever way it looks like we were going to be in there.
So to at least help with the doing side, I just wanted to briefly kind of, I talked a little bit over those slides about how consul compliment overlap. I, this is a very broad brush attempt to try and show where the overlaps and the gaps are cross FIDO, Kantara, Mobile Ecosystem Forum, OpenID Foundation, and OA. And I just wanna finish here to say, well, nurture, develop, and operate. That's what we do.