KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
|
|
Guardianship is a condition of life in human societies. When we are young we may be looked after by parents until we become adults. When we are adults we on occasions need others to look after us, and sometimes we may need increasing levels of care as we age.
|
|
|
Guardianship is a condition of life in human societies. When we are young we may be looked after by parents until we become adults. When we are adults we on occasions need others to look after us, and sometimes we may need increasing levels of care as we age.
|
Yeah. So this is a project that I hope will it's been a passion project for me for maybe two years. And I hope it is. I can instill some of the interest and passion in the audience about what this is gonna be about. I'll go through about 150 slides in about 20 minutes, and that's not true. I'm gonna be doing quite quickly just for the sake of interest. I do ride a bicycle.
I, and I wear a hat when I go outside because it's Australia and it's very sunny or it's, it's sometimes cold, but you need to wear a hat. So hence the little avatar thing, the company I work for Azu and I also work for four 60 degrees, not the topic of today's conversation, but they're obviously deeply fascinating. I wanna talk about guardianship and why it's important for all of us. And I absolutely genuinely me, all of us, any one of us listening onto this particular presentation, there's a fundamental few observations I want to make.
Firstly, guardianship is a part of all of our lives. So at any one time we were, once children being looked after by adults, perhaps as adults, we have become parents ourselves. And look after children, perhaps we've looked after friends, perhaps we've had to look after our own parents at times. And perhaps at times we may be cared for as elders. Guardianship is a concept is something we kind of get socially deeply. It's part of the way that we operate as human beings, but our lives are therefore complex.
They're defined by relationships with people and they change those relationships and our dependence and independence changes over time. We are rarely independent and fully self sovereign, and that's a really important concept in the conversation stream. That's around self sovereign identity. So at the moment, as it stands, we don't really have any good model.
In fact, any model at all for guardianship in our digital lives, if you've any of you had the misfortune to have to look after the estate of a deceased person that was part of your family, or perhaps you're now looking after the affairs of someone who no longer is financially able to look back themselves, intellectually able to look after themselves, you need to take kind of ownership or control of things that were once theirs. And that can be very difficult. It'd be very difficult to prove you have that right, or that responsibility.
And that can be very traumatic in a time when it's emotionally charged anyway, to do these things. So it could be very confronting. We've heard people say quite genuinely quite in, in some senses of anguish, that they will never kind of work with banks and others again, who have not provided them a good service in those situations.
And yet, of course, it's very important. You do check very carefully, but someone isn't behaving as an imposter and actually trying to take over things. So we we've tended in identity terms to fixate on proving the identity of an individual and not relationship rights or duties of people. And we just don't have the tools with guardianship. So in the absence of this good solution, we have this effect where we get bruised demeaned and diminished. And that was the phrase that I was thinking of earlier that I I'll never bank with them. And I'll tell my friends to leave them too.
And we kind of need a better way. Now this work that I'm about to describe started in around about 2019, as far as I was concerned has probably had predates that as well. A group from the sovereign foundation of taskforce were writing a white paper on guardianship during 2019. I became part of that towards the very end that white paper was published at the end of 2019, and a working group was established to carry on doing the work. I was the chair. I am still a co-chair of the APAC group with my good friend and colleague Joe Spencer.
And during the 2020 period, we worked with some very, very good people in Europe, in particular, and also in New Zealand on two documents, one was a, an implementation guideline. The other was the technical requirements document. And since that time we've been doing presentations articles and other papers around the concept of guardianship, as we've kind of decided we can express it. And as you see on the far right corner, you are here, you're at the E EIC conference 2021. And we're gonna talk about the journey he, how we got there.
So during 2020, we thought we would have a very simple job to do. We thought we'd just be able to pull together the bits and pieces like Lego bricks from SSI and create something that would describe how you would do guardianship. We didn't wanna solve the problem by which, I mean, I give a sort of precise definition of guardianship and exactly how you should solve it for any case of guardianship around the world. We kind of figured that would be a bit tricky and a bit hard, but we just wanted to get a, kind of like a blueprint approach that would give, encourage good design.
But we found there was a problem. The white paper, I mentioned in 2019 had two use cases. Those use cases focused on Maya, a refugee child in a camp and Jamie who was a suffering from dementia in, I believe Canada. And those two use cases were their foundation for the requirements that were meant to be kind of dragging outta the documents, but we found, we just couldn't do it.
It's very, very hard to drag requirements straight out of a use case, at least the way these ones written, which was quite narrative style by a lot of sort of solution aspects inside them. And then we realized, of course, that guardianship actually doesn't have a one size fits all solution. The countries that you come from or are in right now, the, the places you've been to all have different understandings of what a role of guardianship might mean. It'll have different words for it, different kind of expectations of rights and duties. It doesn't sort of fit.
In fact, there's a chapter for the S the soft sort identity book written by KH young and Esti on why exactly we don't understand guardianship in the same way. And it starts with a sentence that says you don't guardianship doesn't mean what you think it does. And I think we realize that some way during 2020. So we had to have a way of thinking about it would allow us to understand guardianship in a way that was generally applicable enough for us to sort of move forward.
And we actually started working with stuff that was coming out of the lab and a group from TNO, as well as the other colleagues from sovereign and other parts of the world. And we started building a mental model. So we didn't take a straight path and not read bullet points out, but basically we wandered all over the place. And in fact, the way we like to think of it is we rediscovered the design squiggle. I dunno if you seen the design squiggle, but you start off by thinking this designs gonna be simple, be very yeast to do no problems.
And then you start realizing all this other stuff starts getting in the way, and you can move all over the place. And after a while, if you're lucky, you start seeing patterns and things get a bit simpler and you start moving towards a better place and maybe things become simpler again. And that's effectively the journey we took throughout most of the 2020. So we worked out five things, first thing, and you'll see a model as to how it works is that jurisdictions by which, I mean, the, the authority by which the guardianship arrangement is recognized are essential to guardianship.
Now we consider a jurisdiction to be generally a legal state country or a state of a, of a country if you have laws per state, but we can actually consider jurisdictions to be any, any organization or, or, or recognized authority. You could have an org, a jurisdiction, which is a, a company. You could even have a jurisdiction, which is a house in a sense that the household recognizes somebody has a responsibility. Somebody else you could create a guardianship credential. That would probably be a very strange relationship and a house to actually do digital relationships.
But anyway, you can imagine that a jurisdiction has a flexible interpretation in our model. We needed to work with existing laws. So we basically wanted to recognize the, the safeguards and the protections and everything else that are provided by existing laws. We didn't think that guardianship should demand any law to be rewritten, unless of course, that law demands things to be done in person or with things like wet signatures and, and so on. So we wanted to align with, and even augment the sort of physical relationships and, and ways of understanding guardianship that already existed.
The next thing we were working on was the idea of using a verifiable credential, a w three C verifiable credential data model as a standard for expressing guardianship. And that proved to be relatively simple.
Actually, the, the verifiable credential offers you a number of different attributes to, to play with by sort of standard. But of course you can augment these and add, add other claims and qualities into a verifiable credential definition. And I've listed a few of the ones here that are sort of, kind of obvious for a, for a credential that expresses the guardianship arrangement. So you you'd want to know who issued this credential, which the jurisdiction that they are from who it is given to the guardian, who it refers to the subjects or the dependence, the, the type of relationship.
Is it a, a power of attorney or power of medical attorney, power of financial attorney, or some other form of relationship? What are the rights and duties specifically for this relationship? And maybe it has a start date, maybe it has an end date. If you think about being a parent or a child, then at the eight point in time, they're generally considered an adult. And that may be whatever age it is in the jurisdiction, 18 or 21.
So it may have a natural end date for an event point of view, or it may have an end date because it's only been given a certain amount of time for this particular caring relationship to exist. So the number of a number of facets can be able to the guardianship credential, the mental model that we defined we realized was absolutely essential unless you have this context and understanding, then it becomes really difficult to get your, your hands on and your mind around the idea of something like guardianship.
And if you've built such a mental model, you've gotta test it and you've got to see if it behaves the way you expect it to. Does it accommodate all the use cases you can think of? Would it actually work in practice? You've gotta test your, your mental model. The next thing is really an observation that came out of some of the, the discussions that in fact are still ongoing to some extent about wallets, digital wallets.
So there are a number of ideas that have been expressed that it would, or it should be possible for guardian in the sense to take over the wallet of the dependent, to gain access to the credentials that the dependent has, and then to make use of those credentials on behalf of the dependent.
Now, our sense in the, in the authoring group that created these two documents was that actually, that's probably not a good idea, and we don't think you need to have special purpose sort of wallets for guardianship, where in fact, we think when you look at it more deeply, you realize that what we've already got, if we've got a, a, a normal form of SSI, wallet is perfectly sufficient to handle the cases that we can consider for guardianship. And if you did create the ability for a wallet to be taken over, you've inevitably added it back to all which reduces wallet security for all wallets.
It, it increases the risk of impersonation. So the guardian pretending to be the dependent, so that either defrauding the dependent or defrauding, the verifying organization that, that, that they're presenting themselves to. And in many ways we felt it arose both privacy and dignity, dignity of the defendant. So what's in these two documents that I prefer to first is an extraordinary colorful diagram. This diagram is the mental model in pictorial form. And I'll just briefly describe some of the key points of it, that there are three areas show in this diagram.
The first is the, the governance area, which, which I should see later refers quite neatly to the trust overall P idea of a governance and a technical stack for, for frameworks and the governance area. We have a, the concert of a jurisdiction, the legal entity that creates laws and police so on, which has objectives to both describe and define in a legal terms of type of guardianship arrangements that they wish to recognize each of those partnership arrangements. When we think of define time as a type. So there will be a number of different types.
I've mentioned too so far about powers of attorney, where you might have a medical power of attorney or a financial power of attorney or others. And you may have a recognition of parents or wards of court short. And so on. Each of those types of guardianship may have duties and rights on both the behalf of the guardian and the dependence in terms of what the, the, the two of them have as a relationship rights and duties. And when you have an instance of it, a runtime instance of it, then you'll have an instance that is a guardianship arrangement.
You'll have the, the duty and rights become exta. In terms of that arrangement type, the stakeholders then become legal entities that are recognized by the jurisdiction. And the jurisdiction is basically enforcing that arrangement as it exists. That's the, the way the mental model works in a, in a brief sort of run through. We also in these documents proposed ways in which you might describe the credential in, in terms of sort of verifiable credential templates and other elements. This is some reasonably technical work in it.
And we went through a whole bunch of detail reviews of these two use cases I've mentioned. And we found when we, we, the use cases were presented as video content and are sort of online. And what we found was when we did the transcripts of those particular videos, there was a lot of interesting kind of issues with the way that things were provided. Some of them were actually solution oriented approaches, such as sensors inside the souls of shoes to know when a someone living with dementia has wondered sort of somewhere they can be found because their, their shoes have sensors.
And that sounds a bit odd, but it's actually quite sensible because one of the things people don't tend to forget to do, if they have dementia risk to put their shoes on when they go outside, but they might forget to put the phone in their pocket or some other device. So it wasn't, wasn't a silly idea, but it was an unnecessarily detailed solution point. So we found that there were some issues to do with those use cases. We only came up with 24 requirements, which if you think about what we're trying to describe as a nominally small number of requirements.
So that proves, we think that the fit, the verifiable interest is really very good. And then we have seven items for future work. So we've seen some work, really validating this approach. So one of the key workers for the working group stereo worked with the TNO rubber bank in K and B to demonstrate an approach in this year in 29th of April. And we've been Joe myself and working with the good health past blueprint team to provide a, an addendum on partnership for that group.
We need different kinds of assurance levels, the types of partnership, credentials that we have, like the missed levels of assurance and so on. We need to have a look at that wallet takeover issue is, is, is the way we've understood wallets the right way to understand are there, in fact, some things that might be useful from the wallet. You'll see later, I have an idea about, I think the presentation, we made an assertion in our documents that we don't want to have what we've called OIC guardianship scenarios.
In other words, the verifying party doesn't know that I'm a guardian, the performing on behalf of the dependent, we would rather, that was always transparent. The, the varying verifying party always knew it was a guardian who was operating on behalf of the dependent, because that would make the liability and laws much, much clearer, and much less likely to cause problems for people.
We realized that the approach we taken with guardianship actually is applicable to many other things you could consider simple level consider say, pets and things as something that we have to be guidance for, we can extend it to other types of relationships. Indeed, even things like I, I mentioned organizations having a, a responsibility or recognition of roles within the organization, and that can be considered forms of guardianship and so on. We need to do some work to update these existing use cases and the white paper and that sort of work to do.
And we realize that the technology approach will keep changing. In the sense the, the, the approach we think we've identified with guardianship is fairly resilient to change from technology, but the, the technology will keep improving and changing and, and evolving.
So, and the other effect is that the, the thinking and guardianship might actually affect the technology changes. Five last things to consider discovery discovery is an idea that says, if an adult who has had an active life becomes incapable of looking after themselves, and if they are now in this wonderful SSI world. So I previous presented was also talking about, they may have accumulated credentials.
Now the guardian needs to know quite often what it is that they have in their lives, that the guardian now needs to be responsible for things like bank accounts or savings accounts or, or other other items. Now, the dependent may not want to share those things, or maybe incapable of sharing those things. So how does the guardian find out about them? And that may resolve itself in some form of discovery. We have to be careful about that. It's not the same thing as a wallet takeover. It's about a way of presenting the credentials that exist.
And then the guardian taking the, the appropriate paths to confirm with those credential providers, their role as the guardian. But there may need to be a way of discovering things. We may need to have a way of ensuring appropriate representation. We don't want guardians pretending to be dependent, but if a guardian has received credentials on behalf, depends.
So think of a parent whose child gets vaccinated, it's quite likely the parent receives the vaccination record, but a time and future, the child may want to have those records, those health records or academic records, other things the parent accumulated themselves, one thought would be that you kind of have to hand 'em over. The other thought is that in fact, if you write them the right way, those credentials were always meant to be for the guardian they're given to the guardian, but the subject is the dependence it's right. That the guardian holds them.
It is also right that the dependent may also get their own copy when they become an adult or recover independence. Well, a couple, one, couple of last things receiving parties are key to the whole process working, unless it is pointless, having a guardianship credential, as someone recognizes that it's worth something, it means something, and they should do something about it. And inevitably, it's up to the receiving part to decide whether is good enough to allow you to do something. So that's not as much a social political issue as it is a technical issue.
And we need to be mindful, I suppose, this very, very human condition we're describing here. We need to balance agency dignity and care. This isn't just about a technology design. This is a human social design.
So, so how do we manage this process that gives people as much dignity and agency as possible in their lives, and yet affords the appropriate amount of care given to them by a caring person. And then we've gotta think about things that are sometimes challenging, transitions, recovery, validity, and endings.
We, we in technology terms, so, and often think about ends very well, but things do end. And what do we do when they end, when, when the guardianship relationship ends, or perhaps when they, when a, when a depend, cease, ceases to live, what, what do we do with the credentials they have? How do we handle handovers?
How do we, how do we manage this process? And that's a, that's a lot of, again, the sort of social technical design thinking that we'll need to do. If we look at SSI and trust over IP, which is what TP stands for. There's a bit of a tension between the idea of guardianship and the independence that SSI seeks. So what we need to do is look at the, the relationship between these two things.
In fact, there's a very natural one. These two diagrams on the left that you see comes from trust over IP. It's the diagram that they use to describe governance and the issuance of credentials and on the right is where I've just added in words, to describe a guardianship arrangement as we've described it in our model. So what's next, we've written a whole bunch of stuff about this. You're very welcome to read it.
It's on LinkedIn, generally also now on our website, we're doing presentations at, I w we're also doing once a day at cup, and there's a whole bunch of ongoing work, which you would be extraordinarily welcome to join us with right now, we're finishing off this addendum to the blueprint for the good health pass and travel pass. That's the good health pass, collaborative being producing with trust over IP. And so we were also still doing the monthly meetings on the guardianship working group for, so, and that was it.
