The Trust Over IP Foundation (ToIP), which just had its fourth birthday, has long held the conviction that technical trust alone is insufficient for enabling human trust in digital interactions. Thus, ToIP has been developing a dual stack that pairs technical architecture with governance architecture.
To maximize technical interoperability, ToIP believes there must be a minimum viable “trust spanning” protocol that enables ubiquitous secure, private data exchange. Then every digital trust ecosystem can choose which higher-layer “trust task” protocols—such as exchanging digital credentials between digital wallets, or verifying ecosystem participants using trust registries—they need to meet their specific authenticity, confidentiality, and privacy requirements.
With regards to the harder problem of human trust, in the real world this is built through relationships, agreements and other intangible elements within a context. By contrast, in the digital world trust has to be engineered. This means each ecosystem needs to be able to define their governance architecture, policies, credentials, and trust lists/registries that can be communicated both within and across ecosystems using interoperable protocols to maximize the potential for cross-ecosystem trust relationships.
This interactive panel, moderated by ToIP’s Executive Director, will convene a set of ToIP leaders to explain why they have been investing in this new approach to decentralized digital trust infrastructure, where it fits with eIDAS 2.0, how it builds upon (not replaces) X.509 PKI and OpenID, and what to expect over the coming year.
Thank you. A good afternoon everybody. As he said, my name is Judith Fleenor. I am the Executive Director of the Trust Over IP Foundation. The Trust Over IP Foundation is about creating a complete architecture for digital trust over the internet at internet scale. It's an easy task. It's actually is a, you know, some easy components to it, but what it takes is a whole lot of collaboration and that is why the Trust Over IP Foundation was founded.
Our membership started with 20 founding members and we'll talk a little bit about the two-sided stack that we created and why we felt governance was important beyond just technology. But we are now over 500 members of individuals and organizations helping to create this world that we are all moving into. What we create, we create standards, white papers, recommendations, templates, things that anyone in this audience can use. That's the whole idea.
It's all open sourced that once we create something like a meta model, you are able to download it, use it with your consultancy when you're creating your own digital ecosystem, et cetera. That is our goal. And so I am very blessed today to be joined by six of our steering committee members. Why don't I get to introducing them to you because they are the meat of the show today. So first here in the esatus T-shirt is Andre Kudra, who is the CIO for that organization. Information security is his passion.
Since the turn of the millennium, he has been a decentralized visionary and has been in very many active roles both in SSI and other things related to decentralized identity since 2015. Christoph, wave your hand. Christoph is the head of IT development and operations at GLEIF, the Global Legal Entity Identifier Foundation. So I know that a lot of times people say GLEIF as if everybody knows about it, but it's just about global legal identifiers. So everyone needs to use these.
In 2017, Christoph joined the International Organization for Standards, commonly known as ISO, as a co-lead of the Technical Committee 68 FinTech Technical Advisory Group, ISO TC 68 FinTech TAG. So for those of you that are in the ISO world, you know what that means, but it is to deal with digital identity. He has an extensive experience in developing and implementing solutions for the financial industry and financial technology as well. Drummond Reed here on the end is the director of trust services at Gen, or Gen Digital.
He co-edited the W3C decentralized identifier spec 1.0 and he is the author of kind of what is known as one of the major publications in the area of SSI if you're first learning, which is the Manning publication Self-Sovereign Identity. It is kind of the definitive book. So if you're trying to learn about this, that's a book to get and he pulled together experts from the field to create that book.
Karla McKenna is the managing director of standards for GLEIF and she has project managed the entire vLEI development process, authored the vLEI Ecosystem Governance Framework, which you're gonna hear a little bit more about later in this talk. And we are very blessed to have you here.
And then on the end there, Marie Wallace, she is the managing director for digital identity for Accenture, leading the decentralized identity innovation for Accenture, working with clients that span not only geographies but industries as well as various use cases to realize business process reinvention and optimization that is powered by the digital wallet and verifiable credentials. And certainly last but not least is Wenjing Chu from Futurewei. He is the director of technology strategy at Futurewei.
He is the lead author for something we will be talking about today, the Trust Over IP Trust Spanning Protocol, which just came out as a draft specification, an implementer's draft. And he also co-authored, you know, when I say authored, this is all done in community, but a big part of the work was done by him for the technology architecture specification draft, which a new version of will be coming out later this month. So check back to our website.
So as you can see, we have a panel here with a lot, a lot of experience and background in identity, decentralized identity, data management, et cetera. So let's start with the first question to you, Drummond. And I'm gonna turn the clicker over to you. Drummond is going to go through. What I would like to do is we have a dual-sided stack, right? Yes. Why do we have a dual-sided stack? Why is that important to the scalability of decentralized trust or even trust of any kind? Perfect.
Use this, Grab a mic. One of these over here.
Alright, is this one on? Can? Yeah.
Okay, good. So first I wanna say that the, this is our, our mission right here. The next set of slides I'm gonna show you are our, what we call our third generation of diagrams for communicating the Trust Over IP stack and all of what we do. And I'm gonna call out right now that Mr. John Phillips there led the work on this third generation visual architecture for this.
And it was a good six months' worth of dialogue among our different working groups. So this is the first time we're showing it at a major conference. So we heard it is where the reveal it. So we're gonna step through this as if we're sitting in a whiteboard, and you can explain this to almost anybody is our goal.
Obviously, if you're gonna tackle internet scale, decentralized digital trust, you gotta start with technology, okay? So there's always been that component. As Judith just said, the key reason that we started the Trust Over IP Foundation, we said we've got to pair the technology by which you can achieve technical or cryptographic trust with the governance that will allow you to achieve human trust, okay? No matter what or where you need to do that.
Now, the next aspect was that Trust Over IP. The whole reason we started the Trust Over IP Foundation was that we said if we want to achieve trust at the same scale of the internet and as global as the internet, we should be following the design of the internet. It's a four layer stack and we have a document called Design Principles for the Trust Over IP Stack. It's about two years old. That will explain why are there four layers in the internet? Why do we need those same four layers for what we're doing with Trust Over IP?
Wenjing will tell you more about layer two, which is the critical one, the spanning layer that actually enables interoperability just like the IP protocol does for the internet today. So that's why the four layers, and you can see they're all technology layers. They extended into governance because governance is not layer specific. When it comes to governance, you are running and you're designing and operating a real ecosystem, a real community. We call trust communities of any size of any scale, of any location for any purpose.
You could say with the trust communities we have on the web today, there are roughly 200 certificate authorities in the world and every website in the world that uses HTTPS, which thankfully is now the majority, relies on those 200. And yet do we really have 200 roots of authority in the world, right? Just roughly the number of governments we have. But I mean there are many, many more than that. So we're gonna get to decentralization. We need governance that can operate everywhere.
So the next thing is the Trust Over IP model is about how do we get to interoperable technology and governance models that can be referenced in the same way. How you govern and your policies and your ecosystem are up to you, but others are only gonna be able to interoperate and you're only gonna be able to span trust across ecosystems if your policies can be understood in a standard way someplace else. So what you see now is with the Trust Over IP model for the technology and governance, it's instantiated by digital trust ecosystems.
Everything you see there is something that an ecosystem, any particular ecosystem says this is what we're gonna do. We're gonna use these elements of the technical stack, we're going to follow these templates or models on the governance stack, but they're all of their policies and ecosystems don't stand alone. I mean you obviously could do that, but just like in the real world, we use the term ecosystem, which is now being broadly used here in these conferences because digital trust ecosystems all interoperate together.
You hear all about eIDAS here at this conference, you know, headline bulletin, eIDAS is not gonna be the only digital trust ecosystem in the world. If they want 'em to be interoperable, ecosystems learn and interact with other ecosystems. Yeah, this reinforces that.
Both, both in and out. So all of this, if you get the sense of living evolving ecosystems, that's the other, that's exactly what we're gonna have with digital trust. Now we expand up to the full model and I'll take a second to let you appreciate this is if you wanted to say, okay, let's now instantiate all of the, yeah, the cameras come up. The good news is this very picture at scale is now on the Trust Over IP website.
If you go to the main page and then just click on Trust Over IP model, you'll actually see the complete set of slides that I just ran through and is both the light and dark versions available, John? Yes, exactly. Last thing I'll say about this before we turn it over is this is now what we call this third generation model. It's a template.
It's, if you're familiar with business model canvas, this is the trust model canvas. So John has created actually Google Slides templates, anyone can come download those templates and start to design and put together the trust model canvas for your ecosystem and your partner's ecosystems. And you can even start designing and it will start to look like a global network of interoperable digital trust ecosystems. That's what Trust Over IP was founded to help you achieve. And I think that's it for me, Judith.
Thank you, Drummond.
So let's give him a hand for the, you know, going through the entire thing so quickly. You know, that could be an hour presentation on itself when it normally is done. But in the description of this panel, it was minimum viable protocols for maximum interoperability. And so the keystone of our stack here, you see how the, there's a stack is one of them at the second layer, which is something called the trust spanning protocol. And so I'm gonna invite Wenjing up to talk about the trust spanning protocol. And when you want the hourglass, let me know.
Sure, yes. So we have, I think your key word is a minimum and then the maximum interoperability, right? So there's a two contradiction there, something minimum and maximum. And this idea came really from the internet or original internet itself. And I'm very, I'm old enough, I was involved as a young person actually writing some of the earliest versions, the original version of some of the internet protocols.
Now the, the network internet come from in networking is really to connect networks. So at the time there are many people, smart people invented many networks and they thought their network is better than others. Like we all think, you know, if I have ID I design it, it's better than my competitors, right? So they thought same way, but in the end there's all many different reasons and competitions on that. And what really people find is like rather than trying to settle which one's better, how about we find a way to connect them.
Like even though they are different networks, we can still be able to communicate and what can we communicate over very different design networks? And they find out like there will be something minimally reachable to all the people, all the nodes in the network. And that is the beginning of the internet and the beginning of the internet protocol. One thing they left out of that, that is trust. And so we thought maybe we can follow the same philosophy and maybe find a way to add trust back into it, right?
We don't want to miss all the other benefits but still be able to somehow come out to some trust and what is that minimum thing we need to do. And so rather than go into technical details, I'm looking for a few quotes. So maybe those were better to illustrate the purpose of the protocol. The first quote is from American poet Walt Whitman, in the poem that he says, "I am large, I contain multitudes." We human beings have many, many different multitudes in ourselves and we are not going to have one identity.
We are gonna have numerous of them, some people call personas, but you know, your ID to pay taxes and your ID to, I don't know, date, to go shopping are not gonna be the same. We shouldn't be looking for one identifier. That will be I think actually quite scary. So want to think about that. And our nature and our, these are definitely multitudes. The second one, it's from a Greek philosopher, Heraclitus, who says, "No man ever stepped into the same river twice, for it is not the same river and he's not the same man." And so we change all the time. Our identity system will change.
Some of the identity only lasts for seconds, even milliseconds. And so depend on the, the longevity of the identity you are doing the this, you know, all the evaluation, everything is different and maybe we can say, oh, I'm gonna create a permanent, you know, forever lasting identity that's gonna be very costly and also very dangerous because you'll be keeping track with lots, lots of data too. So I just want to say that in time domain, these things will change, right?
And so, but that's been all being said. We still need to communicate and that's the end goal. How do we get the maximum communication possible with the level of trust that you may need in that moment? So my last quote is really about a language. What we need is a language to really, for different people with different IDs to talk to each other. If we have that protocol and all the ID system will actually be better off and that's maybe the most critical thing we can build. And so the last quote is from Ludwig Wittgenstein, which says, he's my favorite philosopher.
He said, "The limit of my language means the limits of my world." So we want to reach you everywhere. We need to know a lot of languages. We can't try to force people to speak one single language. And so we need some kind of a meta language, maybe something like a gesture that we can, you know, say hi and be able to know each other before we pull out our passport, trying to verify, right? And so that's the spirit of this trust spanning protocol.
And if you go to the next slide on the, this deck is a, a layer two, we think that will be the, the spanning part, you know, before I present the passport, I need a language to get to a level that you and me recognize each other. And then you ask the question, can you show me your passport? And then we can continue, right? So you need a language to start with from, from whatever credential you may be required for the conversation you can have. And I think that will be the critical core.
If we have that language, then all of a sudden the design space for IDs, which we call layer one, the trust support systems. So the layer one you can have identifiers very, very strong for international travel, for tax paying, for banking, et cetera. But you can also have very casual, very easy short living identifiers that, you know, you create one and throw away right away, right?
So all those become possible and becomes possible for this diverse identifiers to reach some level of minimum requirement that we can then live with and then build a possibility for the conversation that's gonna follow. And so really, the key thing people can ask is what are those minimum requirements? And so we identify three of them and that's been built into trust spanning protocol. I wouldn't go too much into detail, but there is a draft specification on the standard and there's also a draft implementation that lives in the OpenWallet Foundation, just called TSP.
So if you want to really get into code that's also available, it's written in Rust and you are welcome to also contribute or join that effort too. So what are the basic things we need to do in order for the, you know, first level trust to have for other conversation, more interesting one to happen and we identify number one is, so-called authenticity. Authenticity is very abstract term to say, well there's a unique identity or unique thing here allow, you know, it's like me going to a, you know, border, the officer see me, I see him.
And, and that is the authenticity we already established that you don't need to know who exactly I am not yet. But that's the authenticity you will create. The second one is then depend on your situation. We may not want this particular conversation to be public, so that's confidentiality. People know a lot about that. We can use, you know, public keys to encrypt to keep the conversation actually confidential between the parties involved. And that is optional. Some conversation don't need to be, you know, or or confidential.
So, so that, you know, for a lot of them we do want. And so that is an optional feature. That will be our second. The third one is harder to explain, but we call metadata privacy, which is really the fact of the knowledge that this conversation ever happened. So you can think of it like a room, you want to not only keep the, you know, discussion private, but also that the discussion happened between so and so.
Those metadata information also provide, and that's even more optional for some conversation that may be necessary, especially for people who concerned about their conversation being tracked for example, on the internet, right? So we have a lot of bad cases where those tracking can happen. And so that will be another potential optional feature that we can have in order to do this.
And we do that by introducing concepts like intermediaries, support systems, et cetera, that go into how to make this much more scalable into these scale we talking about in billions of nodes and you know, really planetary scale for these systems. I think that will be a key or introduction of what TSP is, what it's trying to do, it's trying to do the minimum. And if you think about all the, you know, things you really care about that is on the higher layer and that's why the bigger pictures shown the rest of the things.
But I would really encourage you to think about it like as a philosophical design for the system to last long and be flexible and be able to evolve as we real applications happen. What do we really want to do? We don't want to link the whole thing up. If you build a like high skyscraper, it's really hard to change but if you build, you know, in layers you are more flexible and this system can last longer. These are very expensive system to build. So we want to make sure that it can adapt to future needs.
Thank you, Wenjing.
And I'm just gonna back up and ask you one last question here, Wenjing, just sure it's a yes or no. So if we go back to this, yeah, layer two what we call is our trust spanning layer. And a lot of what's being talked about in a lot of the sessions here this week is really at layer three at the trust tasks, all the other stuff we talk about, credential exchange, et cetera.
So the, in the trust spanning protocol, you could use various what we term VID, which is a verifiable identifier. There are multiple types of verifiable identifiers. You've heard about a lot of 'em, everything from DID to, you know, I'm not gonna name 'em all here but yeah, yeah you, but you could use any of them at the exchange layer and still use the trust spanning protocol. That's the way it's been designed. Am I accurate?
Exactly. We even higher level, we hear quite a bit about centralized identifiers, you know, federated, decentralized, which ones better, et cetera.
I would say you will find that one is better for, you know, will find the applications that one particular one is better for it anyway. So there's no one answer and we shouldn't be seeking one answer. I think we can be inventing even more varieties of these identifiers and the protocols design so that there is an introduction or exchange we call appraisal capability within the protocol allow you to ascertain where that trust level of signal or information is there.
And so that verification step allow you to have a, a meta protocol in a way that actually, you know, determines how much trust information you really need and can you verify it and then decide to go to next step. Again, it's very similar to we, you know, shake hands first and then before we pull out our business cards, right?
And so, but this allows you to get to the next step. Thank you very much winging. And so going back to this where there are then trust tax and there's a myriad of 'em, this is just some examples, but one of the things in generating trust that we would need is trust registries. 'cause each ecosystem you are going to be dealing with that ecosystem's trust list, trust registry, whatever. And so we created a trust registry protocol.
Drummond, would you like to just very briefly talk about the trust registry protocol and then we're gonna get to the people who are actually using all of this to see how it is being used in the real world, Right? So in the four layer stack, the, we consider one of the supporting systems as a trust registry and and you notice it's different than verifiable data registry.
The verifiable data registry is what the two parties connecting a layer two would each check the other's verifiable data registry for usually obtaining the public key and or endpoint they're gonna be dealing with and then assessing is that a strong enough cryptographic trust for what I need? Right? So blockchains basically all did methods or vid methods, vid types we call them would use verifiable data registry of some kind. Some might be blockchain based, they may be wallet based, they may be X 5 0 9 based, it doesn't matter, right? That's the whole idea is whatever it is.
Now, the purpose of the trust registry is when you move up to the higher layer, the classic example is, okay, now you're gonna present me with a verifiable credential and it's from an issuer who could have any one of those DIDs or bids behind that and signing it. I can verify the signature just using the cryptography, but how do I know if they are authorized in that ecosystem to issue that credential, right? We ran into this program, we started to work on the trust registry task force when we were faced with covid credentials and making them interoperable worldwide.
That's actually where I first met Marie when she was coming to that problem from then IBM. So, and we said, look, it's, you know, it might seem a little abstract to need a trust spanning protocol, but when we get to how are we gonna have a worldwide network of, of, of covid credential issuer and verify registries, it was obvious we needed a protocol and it needed to be as simple and standard as possible. So it's one example of the trust has protocols that you would see at layer three.
You saw many others examples, but that one is the other one that we've leaned into and that's also an implementer's draft now. So both of those are being implemented and being put to work. Oh that's right. There's this diagram. So the co-chair of that task force Darryl O'Donnell was unfortunately had to fly home today. But it's a good example of if you're out there as an ecosystem and you need to talk and discover what other systems can you, the trust registry protocol you see at that top layer could be used to talk to any of these systems.
Now if you have a, if you have a a native system that's, that's designed directly for that protocol, that's this example here, you want talk to an O Open ID federation, that's this example here. You want to talk to some other trust establishment bridge like the US Federal Bridge, that's this example here. Or you can bridge to other protocols such as train or use trusted list. The goal of the TRP is doesn't matter, let's make it as interoperable for instance as a DNS protocol for the web. So I think that covers that one. I think that was good.
And the main point is as I talked to the, I i I think it should be called the trust registries protocol, but what drum, what what Darrell the chair said to me, he goes, well it can't, it's a trust registry protocol because you could make your own ecosystem's trust registry using this protocol. But I think the, the secret sauce of it is then the ability through API to to connect to whatever the other jurisdictions protocol or trust list is to be able to make the trust decision between trust registries.
So let's talk to somebody who's actually been doing stuff in the world using some of our protocols and we're not mentioning 'EM all here, we didn't talk about the carry stack or anything like that, but we have Christophe and can you share about how GLIDE has used the TOIP metamodel to create your governance framework and for the VLAI ecosystem and how that all ties to what we're talking about here. Thank you Judith.
Yes, very happy to do that. So perhaps you can bring up the live slide already and basically life used the trust of IP ecosystem governance framework meta model, a very long term as a blueprint for the VLEI ecosystem governance framework, short V-L-E-I-E-G-F and the V-L-E-I-E-G-F and I think, yeah, exactly that's what I'm looking for.
The V-L-E-I-E-G-F basically defines the the operations model for the VLI ecosystem and things like how are the organizations that we call qualified VLEI issuers qualified by life and which roles do they play in the VLEI ecosystem to make all that happen that needs to happen. The V-L-E-I-E-G-F has been created in full accordance to the trust over IP ecosystem governance framework metamodel. And that results into a set of more than 20 documents that make up the BLEI ecosystem governance framework.
And it contains for example, credential definitions such as our role credentials as you can see here on the slide where it is laid out that the role credentials contain the organization represented by their legal entity identifier, the person by their person identity, usually their name, and then of course the role that they have in the context of their organization. Because we're not talking about natural persons here in the context of the VLEI, but about persons in roles with the organizations.
Unless I missed some important news, I believe the VLEI ecosystem governance framework is still the most comprehensive implementation of the Trust over IP metamodel. And for those of you who have seen my presentation on Wednesday in the big room where I talked about the European business or banking authority and their pilot project that they're currently doing with us, they had hired Gartner Consulting actually to review the EGF and we received very positive feedback from this organization.
Yeah, the VLEI ecosystem governance framework is based on the very strong governance of the global LEI system. And that means that GLEIF is not only organizationally but also technically the root of trust. And you can see that here at the trust chain that we have in the VLEI with GLEIF being at the top and all of these credentials, for example, we have here these role credentials. This is persons representing organizations can not only be verified themselves and whether they have been revoked but through the whole trust chain.
And that is what makes the VLEI system so unique. Next to the rules that are laid out in the VLEI ecosystem governance framework, we also enforce technically a lot of these rules by the VLEI software development kit that we offer to our VLEI issuers so that we can also ensure that the governance is actually followed.
So what we found very helpful, and I think Carla specifically, that the Trust over IP stacks help focusing on specific aspects of an ecosystem governance framework and you can just use other existing ones like the trust spanning protocol that we just have heard about and we did that and I thought a very good comparison is that the IP addresses in the internet is basically, I believe a very good comparison to what the trust spanning protocol is to the Trust over IP ecosystem governance framework metamodel.
And if you look at the Trust over IP technical architecture specification, you will see that there are 18 requirements in total for this layer two trust spanning protocol and seven out of these 18 are actually about identifiers. And in short, what Trust over IP requires for identifiers is verifiable identifiers and then there's of course different categorizations. So within verifiable identifiers you have centralized identifiers and decentralized identifiers. And then again, within decentralized identifiers you have non autonomous and autonomous identifiers.
And for those who are not familiar with these terms, autonomous identifiers are those that are cryptographically bound to the key pairs of the identifier. So you need no other mechanism to look up whether this identifier really relates to a private key that has made a signature, for example. And at GLEIF, as we have selected KERI and ACDC as the foundational technologies for the VLEI, we have chosen such an AID, an autonomic identifier in this case, which is the strongest class of identifiers that are covered by the Trust over IP model.
And yeah, if you would like to learn more about this, I think Judith is the perfect partner to ask for. And that's it from my side.
Thank you very much Gustav. So I'm just gonna step back one slide here that we kind of skipped over. So we talked about governance and the governance here you can see the whole cycles. Well one is, you know, defining the requirements at the very beginning. And what our governance task force has done is created all these tools that you as consultants, as organizations, as somebody putting together a trust ecosystem can utilize.
These are all available on our, this is just straight from our deliverable page. So you can pick those, use the templates, use the guides as a way of forming your governance framework. And so I'm actually now going to invite Carla up. Carla is the person who used our meta model to create the governance framework for GLEIF to manage all of this.
And Carla, I'm actually gonna kinda harken back a little bit to what Drummond was talking about with trust registries. Could you link into not only how the meta model works and how many documents and what you've done, but more importantly, how does it link to the other things we've developed like the trust registry protocol?
Thank you Judith. It's nice to be able to bring this all together because what GLEIF is trying to offer is a solution for organizational identity as Christophe has reviewed.
And before we can do this cryptographically binding a person in their role to their organization, we first have to verify that the organization actually exists. We have to verify that when the organization presents its credential that it's linking back to a real world identifier. And so when Judith asked me the question about trust registries at this particular point, the trust registry is not a trust registry of VLEIs, it's a trust registry of LEIs.
And so we're talking about the global LEI system as something that was created a number of years ago that ended up presenting the perfect opportunity in order to be able to leverage these codes and reference data in a repository by linking them with the verifiable ACDC credentials. And then to remind what Christophe started with in that corner up there. GLEIF has placed itself as the root of trust for the VLEI system. But the first thing that one needs to verify is that you got your five minutes.
Yes, I don't know, he just went like this. So the first thing that one needs to verify is that GLEIF is the root of the, that the LEI is actually belonging to that organization, that that organization actually owns that identifier that the verifiable credential is pointing to.
So we have that first level of verification in the LEI system, which is the trust registry that we go back to. Then we can combine these data points, the legal entity identifier, the person's identity and the role that they play and then cryptographically bind the person and then be able to verify them all the way up and down the chain, all the way up to the global LEI system and GLEIF, the root of trust.
So that's a very, very good way of being able to bring some of these concepts together and how we combine in order to be able to use the tools. Tackling the entire VLEI ecosystem governance framework was quite a task, I have to say. We had a lot of the governance already foundationally in GLEIF. We're under regulatory oversight. There is validation that's involved in being able to get an LEI in the first place. We extended that as we've just spoken about by using the LEI as a core foundational element in the VLEI that we then designed the ecosystem around.
So we've got our business rules, governance rules, the entire set of documentation that we sign with a qualified VLEI issuer including the specific requirements in order to be able to become a qualified VLEI issuer, the kind of program that they go through. And they need to pass both operationally and technically is part of the ecosystem governance framework. And then a large part that Christophe referred to before. So each one of the VLEI credentials that we designed that is tied to the autonomic identifier that GLEIF established the root of trust. Each one has its separate framework.
So the one for the qualified VLEI issuers, they also get an autonomic identifier, an external identifier that can be delegated and they also get a credential from GLEIF when they pass the program. And this starts the chain of credentials. So GLEIF at the top, the qualified VLEI issuer, they sign up clients who are owners of legal entity identifiers. They get almost a root credential, if I could call it that, starting with just, its LEI inside and this is the first one that we just talked about that can be verified all the way back to the global LEI trust registry.
And then the organizations decide how they're going to put together their collection, their issuance, who they're going to authorize in order to have VLEIs. We involve our qualified VLEI issuers in issuing VLEIs to officers and we can involve either the qualified VLEI issuers or the legal entities themselves can decide to issue more functional credentials that also fulfill this role here.
And each one of the documents in the ecosystem governance framework describes the rules of the various roles and the procedures that need to be gone through before somebody becomes eligible in order to be able to get a VLEI. The other thing that we've done is we've built some very, very strong governance into the issuance and revocation process. We actually use a credential that gets inserted into that chain so that the legal entity itself's authorization instructions to issue and revoke are also part of that chain as well.
And these, some of these ideas came just from taking a quick look more closely at governance and how to be able to strengthen it with the VLEI system.
Thank you Carla.
Carla, I'm gonna ask you for a one number answer. Okay. How many documents are in the governance framework for, for the framework? 24. 24 documents? So when we talk about governance and why trust, why people thought the governance side of everything was so important, developing that takes as long as the technology and it's something that you really need to be discussing in each ecosystem or use case that you're working about.
And so I'm gonna kind of turn it a little bit when we have Andre talk here, because being here in the EU and working with the digital identity wallet ARF, they have specified certain protocols in certain cases like OpenID for Verifiable Credentials. How do you see the evolving emergence of a stack like this that actually allows for multiple protocols affecting them?
Yeah, maybe let's start a bit behind that. So maybe I would like to warm up after the lunch break a bit more. So who of you is using trust registries every day? Who of you is using a smartphone every day? So should I ask the first question again?
Alright, so this is not just a theoretical framework, right? So this is like real world stuff and this is in our daily realities today. So what we have done at Trust over IP is make a model that you can make it approachable to your customers, to your clients, to governments, to anyone who you want to talk about this to.
So, and this is exactly what we are doing also with our customers who are interested in getting into digital trust ecosystems. So make that digestible for them to understand what it actually is they're entering and Trust over IP is an extremely great model with the trust model canvas as we now call it. And I love that term because I always love the business model canvas. So trust model canvas is a brilliant term for that to discuss with your clients how you want to model your use case.
And it keeps on reminding you on every single bits and piece that you want to discuss with them to get to a solution that is workable, particularly in the jurisdiction you're trying to achieve it. So if you wanna be eIDAS compatible and compliant in the end. So whatever that means with the 2.0 version coming out, you have to consider what the mandatory steps are, you have to include in your modeling. And this is actually what you have to do with a framework that is easily digestible, like the Trust over IP trust model canvas. eIDAS regulation is a very complex thing.
Those of you who have read it, you know, it's not just the regulation itself, it's the EU ARF, which is like a pre spec of an ETSI standard. So it's tons of different things. So if you wanna discuss it with your client, you can go through all the different layers and tell them, look, this is what it looks like in eIDAS. So what we have done with our customers is in every single use case we implement, we go through that model, right? We ask them what is like the partners, the stakeholders you are talking with, and what is it they're interacting with in your world?
So let me give you an example. We have presented here at the conference, we work with a global construction company and they have implemented a use case very specific to that industry. So we ask them, okay, what are the stakeholders you're talking to? They are collaborating on construction sites with dozens of different organizations. So you want to identify these organizations and establish a trust relationship between them. So you have to ask how you get create the trust spanning between them and what are the identifiers you're actually using?
Are you using certificates from the PKI world? Are you using extended validation certificates to ensure the endpoint? Or are you using DIDs to basically establish something like a DIDComm connection? These are all the questions you want to discuss and ask in modeling such an ecosystem. And we have implemented these solutions going through that.
And this is not only in the creation phase of the ecosystem that we use it, but also when we write up the governance framework as Carla and Christophe have so vividly laid out, this is a, this is a work that is worthwhile because you can prove that you have considered every aspect of the trust ecosystem and have solved it.
And if you wanna discuss with regulators or other interested parties or other customers, you can basically tell them, look, we have written it all up and if you want to have the details, you can go along this model and understand what we have considered and come to the conclusions. And this is not a single thing. And I think this is what's also very relevant to understand. If you see this model, this is like a plan-do-check-act thing. So this is changing over time. So regulation changes over time, technologies change over time.
So you want to do a true up every time something new comes up and you want to take into account if this is relevant for you. So let's say at some point the eIDAS 3 comes around the corner, you want to be ready to discuss and see what the changes are, you have to apply to your ecosystem governance framework. So I want to just close with the urge to not see this as a theoretical construct. This is very relevant.
If you want to create a use case that you want to have rolled out through the world, you better do your homework and go all through the layers and the bits and pieces and write it up and be ready to challenge your decisions as you move along. And this is a brilliant model and I hope you like to use it as we do.
And yeah, so if you want to learn more, come to Trust over IP. We're always happy to encounter new members, but as you know, it's open source, you can look at it, but hopefully you come to us and help us drive it further. Thank you.
Thank you Andre. And now I'm gonna invite up somebody who was one of our original founders of the Trust over IP Foundation. Accenture has supported ToIP all along the way and they are kind of leading the way in a lot of ways with actual multiple ecosystems.
The term that I'll always hear Marie say is minimum viable ecosystem. And so Marie, I'd like to invite you up, you know, you could give an hour long presentation on this, but if we can keep it to like five minutes so that you talk about ecosystems of ecosystems, I wanna give the audience some time left over to ask a few questions. Can you tell us why this is also important?
Absolutely. So people often ask us why did IBM get, sorry, excuse to, I used to work with IBM, which is also founding member Accenture. Why was it, why was Accenture involved in this?
And it's not because we're a charity and it's not because we love, you know, we love, but we do, we do believe in the open source, we fundamentally do, but also we're a company and we see a huge business opportunity. So I was talking earlier on and I talked about that this is a trillion dollar opportunity and I think I'm being conservative and why do I think it's a trillion dollar opportunity? In Accenture we spend our entire days and nights, weekends, often helping our clients reimagine the world, reimagine their businesses.
The world is challenging for businesses at the moment. You know, they have to, you have to save money, you know, AI is coming along, you know, job security isn't there anymore. There's just so many challenges for companies and all of our clients are asking us to help 'em figure out how can they weather the storm, how can they be more efficient? How can they look at new business models? How can they look at new, bring new offerings to clients? How can they minimize their risk?
And one thing that has become fairly evident, and I think with Drummond that said this to me at one stage, and I always use it, is we live in a decentralized world. You know, we all walk around the world. We're not all like, we live in a decentralized world that a decentralized world needs a decentralized infrastructure. So when we start to look at complex use cases with our clients, we do absolutely talk about minimal viable ecosystem. And minimal viable ecosystem can initially be two companies.
So you can argue with two companies, you don't need a lot of this, this infrastructure. But the reality is, is when you think about very small simple use cases and they're super important, you wanna start simple that gives you incremental value. But what we find as we look to generate more and more value, you start to grow out the participants. And this is what's the power of decentralized identity, decentralized data economy. The ability to allow you to very, very flexibly grow the entities that, that interact with each other for a specific business process.
And this is exactly the reason why I stand on the shoulder of giants because I can't take credit for any of this really cool stuff. What I absolutely do do though is I use this all the time and I find that this is what's going to enable us to weather the major changes that are happening as our world becomes more digital as it becomes more data driven.
Because what this allows us to do is start to completely reimagine how the value of data, the value of identity and specifically, you know, we work a lot when we talk about, you know, the interaction between ecosystems. So we talk about the acceptance, like very often what happens I see is we have, you know, one ecosystem looking to address a very specific use case. So earlier today I was at a panel with a guy doing amazing stuff around supply chain in the pharma space and that's a brilliant use case and there's huge value for that.
We also have another ecosystem that's doing stuff around, you know, consumers or it's doing stuff around healthcare. That specific supply chain use case is looking at, you know, verifiable drugs as an example, but that's also a use case that's very interesting. During COVID we did a lot of work around things like, you know, if somebody's taken a vaccine, if there's a negative reaction, how do we actually start to capture, you know, information from individuals about reactions they may or may not be having to drugs.
That's a really good example of if you can actually now take this ecosystem over here, this use case and you can start to translate it, you can start to exchange data between that, use that ecosystem and another ecosystem. Now all of a sudden you completely change the value proposition.
And, and what I always talk about is the utility of data. You start to completely transform the utility of data both for the individual and for the organization.
So, so what I guess I would say before I wrap up is even if you are looking at simple use cases, and even if you are looking at just a handful of entities that you can maybe manage this in a, in a very simplistic way, recognize that I absolutely guarantee that while what you're doing will give incremental value to your clients, there's no question, but there's an exponential value opportunity there if you start to just look and explore in the future, maybe two years from now, maybe three years from now.
And this is when this type of stuff is going to be absolutely fundamental to realizing the type of value that we all expect and hope and to enable us all to start to realize this trillion dollar opportunity that we see just bubbling away waiting to be leveraged. That's, thank you.
Thank you. And so what we wanna do now is open it up to any questions, but before I do that, I just wanna let you know if any of this sounded complicated to you on the front chair up here, I made a sheet that anybody can come and get with QR codes.
So if you wanna learn about a specific thing, it takes you right to the blog about that where you can get to the GitHub repos, et cetera. Also because we are trying to get all the digital credentials into the phone, but right now it's still not there. Do you have your phone there, Carla? Can you hold up your phone? What she has on the back is this with all the cards because they're not all in the phone yet, so if you need a place to put your cards till the credentials are inside, I've got a few of those sitting up there for you as well.
So I don't see the KuppingerCole moderator here, so I have to just apologize to anybody who's put questions in online. I don't have the device to read those, so I will just open it up to the room. Are there any questions for the panel? In the back here?
Can you, So I like KERI, I think it's very interesting, but I find that I only hear about it in very narrow spaces so far here, IIW things like that. What's your view on sort of getting that more widely adopted and even in the event that weren't to happen too widely, say in the European Union for example, how does it interact with people who choose not to use it?
So there's kind of a two part question there. He's talking about a protocol that we did not talk about today in this meeting, which is the KERI suite of protocols, which is technically three different protocols.
You can find the QR codes to learn more about 'em on here, but what I will say about that is you say it's not widely adopted yet, it's just the public review at this point. So, and that was just launched in March. They jumped on early on and have been part of the development of it. So GLEIF is utilizing it today. There are other startups, several of them in stealth mode that are using it today that we can't speak to. But do you wanna speak to that a little bit as well?
Yeah, just two additional points on that. So it's true, it's not very broadly adopted yet, but one of the important reasons why we chose it is the interoperability to be able to actually connect to other systems and not creating a siloed system or a lock-in effect that we had seen with other protocols that we had looked at before. And I believe it's always the question what you need.
So I talked briefly about the different verifiable identifiers that are defined in the Trust over IP stack and we decided for autonomic identifiers because we believe we have a very high requirement for security. And if that is not the case with what you do, then that's just that. But we want to be interoperable and we cannot only recommend reviewing the requirements that you have for your use case.
Did you wanna add on to that?
Yeah, I want to, two points to add to it. One, of course if you think about TSP or the trust spanning protocol, one of type of potential IDs will be, you know, the AIDs in form of KERI. So that's one, but that's only one if you can use many other different IDs. We also have several new identifiers being developed right now. I'll give at least two examples. One's called DID Trusted Web, the other one's called did:webs. Both of them take some part of KERI people really like and trying to simplify or make it more compatible to web technology as existed today, right?
And so those are different variations of ID potentially can all be interoperable within trust spanning protocol.
Other questions? So I apologize, I wanna apologize to the people online if you put in questions.
I, okay, good. I don't have a way to see them. So I would like to thank our panel for being here, but more importantly than thanking the panel. I know you're all important. I would like to thank all of you. There's been more than 45 people here today on the Friday after lunch. And so you guys are the ones that really should be thanked for being here, being interested, educating yourselves and moving everything that needs to happen for humanity forward. So I'm thanking you and I am gonna ask Drummond one last question. Okay? Yeah. What is the call to action for these people?
We like all of you to go straight home and start implementing the trust spanning protocol. No, seriously, if you do one thing, I would, again pop over the Trust over IP site. You can get the straight QR code, but take a look and read through.
Again, I want to compliment John the fine work on the what we're now calling the Trust over IP trust canvas and start thinking about how you can use it with your project. It doesn't matter if you're on the technical side and you wanna look at, all right, do I have everything covered top to bottom on the stack or you're on the governance side or you're both, it is about the whole thing. And then tell us about it. Tell us about it. At Trust over IP it's all about the feedback. It's been four years to get to this point and it'll probably be four years more.
We'll be telling about this until we've got a world of interoperable digital trust ecosystems, at which point we'll have to have another conference. So thank you everybody.
Yes. Like you said, the trust canvas or the, that we used, we call the trust canvas, like a business canvas, is available on our website. It's under this place that says model. And so you can use that in explaining things to people. But also at the bottom of that page there is an interactive model for how decentralized trust works and I think we chose the airline industry or something.
Anyway, you can click and see how different things work. So thank you and have a rest, good rest of your conference. I know there's some more sessions and then there's some more keynotes and have a safe journey home.