Event Recording

Panel | Decentralized, Global, Human-Owned. The Role of IDM in an Ideal (If there is One) Web3 World

Name: Panel | Decentralized, Global, Human-Owned. The Role of IDM in an Ideal (If there is One) Web3 World
Uploaded: 2022-05-13T12:00:00+02:00
Duration: 19 min 6 s

Drs. Jacoba C. Sieders

Consultant, Strategic Digital Identity

Independent

Posted on May 13, 2022

The Internet had been created without an identity layer, leaving it to websites and applications to take care for authentication, authorization, privacy and access. We all know the consequences - username and password still being the dominant paradigm and, even more important, users not having control over information that personally identifies them. The risk of data misuse, of being hacked or manipulated has become a significant challenge and and requires a new approach in times of an emerging web3 and its core capability of transferring value. Is decentralized, DLT based Identity the solution that finally will enable DeFi, NFTs and DAOs? Join this awesome keanote panel to controversially discuss this topic.

Video Description

Show Transcript

Thank you, Warwick for the introduction. And the good thing is we have a panel here where I probably need that to make much broad introductions because all well known people welcome by Cedars CEO of P identity and NA who is one of the leading people in all the standards work around ID foundation. Cetera. It's a pleasure to have you all here on stage. And so where I wanna start with is, so this has identity, a human decentralized global, et cetera, and it's says web three. So what is web three? Who wants to, to provide an answer in that?

Well, I think that web three, as we were discussing, it's uniting all the buzzwords that are, are coming out in internet today, like NFTs blockchain, self-sovereign identity, distributed, decentralized, anything that is not good at the internet. That should be improved. That's probably what we call web three. That's what I learned. I don't know.

I mean, COVID hit and I miss web two when all of a sudden web three came out. Yeah. So I asked my chief architect there. I was like, what's web three.

He's like, well, you know, web one was the web and you had a browser and everything was pushed to you. Then web two was we interacted with websites and like web three is gonna be in the Metasphere. And I was like, all right, I'll kind of take that definition, But very, you know, you just said in the back room that it was, you know, web two, one, it came out was a cool new kids, right? Oh yeah. Every generation has to have their own Version. Yeah. And then web three is another new cool kids who is aspirationally human-centric decentralized and so on and so forth.

But I believe if we continue this course of a, war's going to end up centralized again. Why? Because of the very nature of information technology and human being information technology it's inherently, you know, has decreasing marginal cost and increasing return, which actually, if you let free market and thing to go on, it's going to result in the NARI, which is either monopoly or oligopoly that's. Yeah. You's You're, I, I actually totally agree with that.

So I, I think my observation is everything new starts out kind of decentralized and then invariably figure people figure it out and they centralize it. And we just, we, we end up in this never ending, you know, way. Yeah. Just look at SMTP. It was supposed to be completely decentralized. Who operates? You say own SMTP server. I do. Yeah. Normally right. Almost now everybody is using Gmail and now look com and things like that. Open ID was supposed to be completely decentralized.

Now it's treated like the, the metaphor for centralized service it's we are repeated, but, But, but I do think at least with respect to digital identity, I, I think I'm observing two equal and opposite patterns. Emerging. One is corporations are certainly in the process of attempting to centralize the identity control plane, centralized privilege, centralized access control governance, centralized, authentication, centralized, hopefully the future of administration of, of, of authorization policy. So on the one end, we're centralizing the control plane within the company's purview.

But on the other end, the equal and opposite is if the individual can have some aspect of decentralized control over aspects of their identity and their attributes are verified claims. So it, you know, the, the wave theory, if you will, of over time. But I also see that oftentimes equal and opposites emerge and they battle it out. Eventually centralization wins and we started over again, unless You lose. But if you look at the surfaces that corporates are using the supply chain, the data thing, it's not no longer a centralized world, even if you try to centralize the control there.

And I think there's a nice parallel that one of my leaders in financial world, he went to visit his brother who is in cell biology on Harvard university teaching as a professor. So my manager went there to his brother and he came back and he said, in effect, we should defend data and control and security in the way a cell is defending itself. So the defense lines that we need to build are not centralized. Right? You can't do that any longer because data is everywhere. It's in transit. It's in it's. Yeah. It's impossible. We have to find a new decentralized model of defense.

This was four years ago. Yeah.

So, but my point is that it's probably not the technology which will deliver that, or technology has some part of it, but it's not only the technology. We have to have the governance part of it. We have to have the setting, the games rule of games, which is enforceable. And I think this is a very important point. You brought up with this control blade and, and not with the governance aspect. I think that there's a difference between where does it reside and how can we connect it? How can we use it? How do we control it? How do we govern it? And these are different layers.

We, we need to keep segregated. I think it's something we also find, find in decentralized identities as a concept where, where, where the proof of someone. So a strong proof is a very essential element in that, but I carry around the proofs I've got, and they are accepted by, by someone else that will be relatively fewer proof providers. Probably there will be a side of the national governments. There will be relatively few. You mean The federalized In decentralized? Yes. I think the proof providers will not, will be somewhat more central than the ID itself, which will be very decentral.

And I think there Will be smaller sources of issuing certificates and, and proof, but there will be of better quality and there will be less data to be stored because you use only the golden source. Not every company is copying the whole set because they don't need any longer. So that's a good way of centralizing, I think. Yeah. But you know what, so there are authoritative issues of the attributes and non authoritative issues, right. Or corroborative.

And, you know, for my university degree, my university is going be the authoritative issue, right. For my employment I'm self-employed right now. But for my employment, it's my employer. Who's going be the authoritative issue of that claim. So it's never gonna be completely decentralized. We have no, we have a com you know, realized the fact that these are decentralized fundamentally. Right. And also one point we shouldn't conflate the control plane, which is the authorization piece. Right. And authentication. Yeah.

And the claims At the end, isn't, isn't the point that we maybe shouldn't discuss that much about, is it centralized or decentralized for somewhere in between that much about how do we make it work together at the end? That's the point?

You know, we had go back to Sam. So on the early Federation standards, the point was we needed something that helped us to integrate end information that recit in different places at the end. It's I think really the standards and the APIs, which are at a core point, how do we make it work and what will be the standards? And maybe go back back to web three, which will be the standards that allow to use whichever type of identity in that.

However, it will look like brave new world, An exciting, exciting time. I mean, clearly there's a whole group of individuals now that I've discovered there's a whole underground. Now that's actually pretty broad who have seen all the prior standards that we developed are taking from all of that knowledge now and applying it. So it seems to me like, we're probably not that far away within the next couple of years, this feels a lot like it did back in what, 2000. Yeah. Right.

Three, 2004 in SAML. But, but, but I think it's, it's developing a much broader set of use cases. All Right.

I'm, it's a dejavu though. Yeah, yeah. Yeah.

And, and I think I, you know, for my a little bit outer, so I'm clearly involved in industry. On the other hand, as an Analyst, I have was a little bit an outer perspective. I think we are way, way more evolved and standards and also standards that are ready for the decentralized world we are working. So a lot of people are working very hard on, on, on making this work around, did standards, but also around extending open ID into that world and all that stuff.

And I think this is something where, where the capability of dealing with identities in web three probably is there earlier than web three. Well, I think that the, the problem is not developing good stuff working in web three, but bridging web two web one with web three, because they're separate dimensions, they're completely separate. And when I look at the innovations that are now being done in the European south sovereign identity lab, which is the European blockchain, where that people can play on and they can get money.

And one of the use cases is digital identity or many of those infrastructure applicants or awarded applicants for grants from the EU were about integrating old stuff, making it work that the, the classical identity problems in identity management, like delegation to make it work in a web three type of environment. And, and I think that's, that's very difficult. So have a nice standalone web three identity ecosystem working. Okay. But then how to integrate it with the old web two reality, As well as it's not the technical play.

As I told you earlier, we have to have some kind of governance around it put in place. I mean, if we just do the technical play, it's going to Be, this is what this one in particular, right? Because we're talking about cross domain, very sophisticated, a trust fabric. Yep. That's starting from a root of trust that all future trust is gonna be layered upon. So the governance layer around the foundational elements of say proof of your real ID, that a fabric of additional claims will be layered on top of that. We certainly better make sure that the foundation of that cross domain trust is there.

And the governance, as you say, of the issuance of those credentials is a big deal. That's why, But the go, the governance will be by it's by default some sort of consortium shape, right? Because there is not one global governance institution. That's Why there's also the other side, because when you take decentralized entity and then you have tokens from, from a lot of different parties in a future world where you say, okay, my wallet is really good filled with, with proofs I have. And the point is stands still for, for the relying party. What is my level of trust? And it's interesting.

I had this see, had quite a number of conversations around this around assurance levels or, or trust when integrating decentralized identities into the traditional enterprise IM world of the organizations. And I think this goes back to what you said now, at the end, it's, it's about governance. It's about what do I accept to which point and what can I then sort of do on authorization decisions based on that. And this is, I think also something which will be a learning a part of a learning.

So, so how do, how good do we trust, to which extent do we trust to make which decisions? And that also will then control which types of proofs do we need.

Yeah, that, that, that's a matter of in, in a way you're saying that if we can measure security, we can easily more easily exchange Trust. I would go away from measuring Security.

You can't, you can't. Yeah. You can't measure security. You can estimate, You know, that's throw one thing. That's why we are walking on gain, right. As we announced in the last EIC and you know, very, very actively, a lot of people are coming together and there's going be a panel about gain announcement later today as well. So if you're interested in this kind of thing, you might want to go there. I'm not gonna be on the stage.

All the cool people are going to be there, but it's, it's this kind of setting in the corporation probably that actually needed, I mean, technology, pure security play. Yes. So for example, the protocols that I'm creating has a formal security verification. That's pretty insecure, but right. And for self sovereigns, I've been running my own identity server connect identity server since 2011, but nobody uses it, right. Nobody accepts, how do you pass away the Bryan party side?

That's the question you're Gonna have to explain to me some point that the trustworthiness of selfer claims, this is where this is where the entire notion that our digital identity is third party validated, maybe more trustworthy than self asserted. And you really think about the fact that we could collect those third party attested claims, but then control the distribution better control, better privacy, but you just recognize the trustworthiness of our claims is validated by third parties, only talking about the particular relationship you have with that third party.

So if I'm employed by XYZ, it's XYZ, that asserts the claim that I'm employed by X, Y, Z, that has more trustworthiness. I think there's some low hanging fruit in this whole centralized decentralized model companies can issue verifiable claims about their own users to have the users then share it back with them. Totally trustworthy.

And so in that scenario, and, and there's a whole slew, I think, of low hanging fruit use cases with a model doesn't necessarily have to jump two or three levels up in the kind of the trust fabric in order for us to play with and test the notion that a user is gonna be. So like in banking, when, when you are doing as a bank, you want to, to, to have a customer, which is a legal entity, you have to do your KYC on that legal entity, right. It means organizations need to have identities that have some trust level as well, because if they become issuers for other parties, right.

And the onboarding, or the KYC for onboarding an organization into such an ecosystem as an issuer, or even as a validator that should also emerge as a new governed type of process. And I think that would be key because relying parties, the number of them and the trustworthy net of them and the use cases they support that will be deciding for the success of any identity ecosystem. Yeah. So I think, yeah, there is a diamond that we should dig up and, And I think it'll be very interesting to observe which types of proof, so to speak, gain really massive traction.

So we have this employer issued once we see a lot of traction, especially in the EU about government issued. Once we have things like gain, which then is more network of parties, which already did a strong proofing and share that there might be reputation networks, there might be other things.

So, so I think there will be also quite a lot of experiments we see in the next years about this is a way to, to do it. And I think time and practice will tell what is accepted, where I think this is, this is something and, and this probably will then go a little bit back to what NA said earlier around all legal polls. So there will be some large trusted issuers, which will take it a strong role, but flow into decentralized identities, which then can be used on large scale.

Well, I certainly think governments for the most part, have the mandate to basically verify your real ID and then everything else will layer on top of that basically be attached to it. But that that's kind of the root of trust. I'm Andre Duran. Unfortunately, if the government says I'm Andre Duran, otherwise I'm somebody else. Yeah. The government is the authoritative source of the government registered name, right. Yeah. Right. That's right. Period. And so they should issue it.

And so I'm telling my government, I'm sitting in many governmental organizations and they're discussing it like forever and I'm telling them do it. Yeah. Unfortunately the clock is ticking. So to speak in front of us saying we only have a few seconds left. So I think we need to, to conclude with this panel, if I give it a try, I think the point is we, we all believe in an important role decentralized identity. And we also are, are aware that the world will continue.

So to speak to cool kids will bring up something new and decentralized identity will play an important role, but we will also probably learn a lot of things about who are the issues. How do we trust things cetera, over the next couple of years, and things will always tend to merge and then to support decentralized integrated with traditional identity management, web two with web three or whatever. I think this is what we will see here. Thank you very much to all of you for your input in this panel. Yep. Thank you. Thank you.

Like this?

Don't like this?

Why don't you like this?

Panel | Decentralized, Global, Human-Owned. The Role of IDM in an Ideal (If there is One) Web3 World