Good afternoon. And, you know, I really want to thank you for being here. I'm sure your brains are very full after this very, very interesting week. I am Judith Fleenor. I happen to be the Executive Director of the Trust Over IP Foundation. Today I have brought together several of the other Foundation Executive Directors here to talk about what's kind of been on the screen. I don't know if you noticed the little quote at the right-hand side of the main thing.
It says, "The Evolving Identity for Upgraded Realities." So that's what these people are all about, the evolving identity for upgraded realities. Mike Jones, in his keynote address on standards, said, "Standards development is all about making choices." And then Andreas, the next day in his presentation, "The eIDAS Protocol Challenges and the Art of Timing," said that the best way forward is not to wait to make the choices, but to get started and tool for interoperability. And by being prepared with multiple protocols to be used in context.
One of the best ways to do that is to get involved early in the standards development, open source code development process. And that's where the decisions are made. For those of you that are Broadway fans, you may know the musical Hamilton. And in the musical Hamilton, it's in the room where it happened. And so these people that are sitting here today are people who have been in many, many rooms where it happened. And so I would like to take this opportunity to ask each one of the panelists to go ahead and introduce themselves.
I'm going to ask you to say your name, your foundation that you represent today. And then any one or two lines that you want to say about other working groups you've been in, previous to this role, in this role, that gives context for how you are qualified to sit up here and be executive directors, or in Joseph's case, the person in charge of the, not just the standards, but the certification for those standards in OpenID. So if you just do that, and then in a minute, I'm going to give you an opportunity to tell us all about your foundations.
I'll start. So as to whether I'm qualified to be up here, we'll leave that out of scope, but I'll introduce myself. So I'm Kim Hamilton Duffy, Executive Director of Decentralized Identity Foundation. And my background is in software engineering and architecture, ranging from core systems libraries to distributed systems and algorithms. I fell into decentralized identity about seven years ago when I was CTO of Learning Machine, working with MIT Media Lab on what we called Blockcerts.
And this was a way to allow people to control and own their own professional and educational certifications and credentials for life. And so since then, I've gotten more involved in various standards orgs and NGOs, working on both from a range of W3C, US Chamber of Commerce, World Economic Forum, etc. And in general, just trying to build a world where people have access to more economic opportunities and can transact more safely.
So I'm Nick Mothershaw. I won't stand up, I'm tall enough already. So the Chief Identity Strategist at the Open Identity Exchange.
I've been with the Open Identity Exchange in this role for four and a half years now. Prior to that, I was with Experian for a good long time. But I got into the identity industry, I guess, back in the 90s, when I was dealing with the identities of criminals, possible criminals and their associates, who we politely called nominals at the time to not give them a label. I was involved in systems around intelligence management, collection, informant management. So that was one form of identity. And at that point, we also started to put biometrics in.
So we had some very early forms of one-to-many and many-to-many biometrics matching. We were using those in public in Europe in 2000, believe it or not. So this stuff has been around a lot longer than most people think. Everyone thinks it's all biometrics and AI behind it is all new. That's nearly 25 years ago now. It was live. It found football hooligans in Euro 2000. There was a riot in the Netherlands at the time, and our software identified the ringleaders who incited the riots. There were three of them, and they kicked off each of the three riots.
They moved from one to another, and we proved that through facial recognition. We found who they were. So that was the start of my journey there. I did 15 years at Experian, way too long in hindsight. But on that journey, I did a lot around fraud. So I know an awful lot about fraud prevention and detection as well. And latterly, I got into digital identity, which is where I got a real passion for the concept of reusable identity. I became chair of OIX during that time.
And then when I decided I wanted to move away from Experian and focus solely on digital identity, OIX were kind enough to give me this position, which I've been doing ever since.
Great.
So, yeah, I'm Joseph Heenan. So, yeah, slightly less blonde and slightly less hair than our actual executive director, but unfortunately, Gail couldn't be here today. So I'm the standard specialist and the certification director at the OpenID Foundation. I've probably been involved with the OpenID Foundation for about seven years now, something like that. Before that, I was actually a mobile app developer, and I'd like to quip, I was actually developing mobile apps before mobile apps existed because of the route I went through there from embedded software. And I'm also the CTO at Authlete.
And that's how I actually got involved in this space. Some people that I knew from the mobile app business actually dragged me into this identity stuff. And it's quite nice actually being, I still use a lot of that native app knowledge because there's not many people that are at that intersection of mobile and identity.
And, yeah, and it was actually Nat Sakimura's fault that I got dragged into all this certification stuff. After I'd started at Authlete, he pointed at these folks in the UK that were doing some kind of open banking thing and needed a certification suite for it.
And, yeah, that kind of snowballed into that getting donated to the OpenID Foundation as their FAPI test suite. I'm now one of the authors of the FAPI 2 standard, which is a high security and interoperable profile of OAuth. And I'm also one of the co-chairs with Christina and Torsten of the Digital Credentials Protocol Working Group at the OpenID Foundation that develops the OpenID for verifiable credential issuance and verifiable presentation specs that you've already heard a lot about at this conference.
Okay. I operate in both countries and in the trust frameworks in both of those countries.
From my background, I'm actually a lawyer. I started out in the legal profession. I actually started out as a trial attorney. And I moved to Washington, D.C., where I am now, about 30 years ago. And I have been working in government positions for the first half of my career. And in the last 15 to 20 years, I've been managing nonprofit organizations far larger than Kantara. This is the tiniest organization I've worked with, but with members providing continuing legal education programs, providing a variety of things to thousands and thousands of members.
And I made a pivot to the digital identity world from there. And I was mostly recruited, frankly, because of my experience with running large nonprofit organizations and my business operations and entrepreneur-type experience. And that's what I brought to Kantara. And I know we're going to talk more about what the organizations do, so I'll leave it at that. But this is not my first time for being in this executive director, CEO-type role. But it's certainly been fun to make a change to this area.
So as you can see, this panel is very well qualified and has a lot of experience and background.
As I said, I'm the executive director of the Trust over IP Foundation. And I first met Kay 15 years ago. It was during the Obama administration, so how long ago was that?
Anyway, in the United States, there was something called the National Strategy for Trusted Identity in Cyberspace. And they put together a public, private, and government consortium called the Internet Identity Ecosystem Steering Group, IDESG. And so that's where I met Kay. She was the executive director of that. And since then, I have been in this space. What I will say is my current job, I got directly from that experience back at the IDESG, where I volunteered for five years. I was the chair of the human experience working group. And all of that was volunteer.
None of that had to do anything with my job at the time. But because of that, fast forward, I was then asked to participate in other things. So this is just my shout out to everybody here. Any one of these organizations would love your expertise, your time. You would be welcomed with open arms to participate. Especially if you think you're new to this industry, it's the best place to learn and kind of hobnob with the experts in this industry.
So with that, I would now like to have you each tell a little bit about your organization and what it does, what its key objectives are today, and if there's any primary thing you're working on in your organization today. And then after we go through each one of the organizations, I'm going to then start talking about how do we differ, how do we come together. So don't talk about that yet. Just what are you doing today and what is your primary focus? Thank you.
Yes, I can start. So our focus is on two prongs and enabling decentralized identity ecosystems. So development and community building and advocacy through our work and the work of our members. So one way to think about it is through our three-part cycle. And those are incubate, graduate, apply, and grow. So on the incubation side, we work heavily on incubating new standards, reference implementations, use cases, and blueprints. The mature phase of that is either maturing within the organization or donating to other orgs and those not represented. So OpenID Foundation is one we've donated to.
IETF is another that we've donated to. And then lastly, in the apply and grow phase, we focus heavily on building implementations, documentation, and, in general, community engagement to really draw attention to how these work.
Now, our reference implementations are not restricted to DIF specs. We use those of other organizations. And so we're really keen that people not view decentralized identity as having to stick into a certain silo.
Nick? Open Identity Exchange, OIX, DIF, Decentralized Identity Foundation, DIF. A lot of times, we just use the acronyms. And for new people, it's always good to have an acronym and the name go. So will you talk about OIX?
Yes, I can do. So our vision at OIX is that we can all have a reusable identity that is trusted wherever we go around the globe. So that's our kind of lofty vision, a bit like Microsoft's computer in every home across the world, which nobody thought would be achieved.
And, hey, now we've got loads. And we carry them around with us. So we set a lofty vision. And the way we go about achieving that is through thought leadership. We publish papers and guides. We influence governments and those who write trust frameworks. And we do a lot of promotion of digital ID as well in terms of what is it, how will it work, dispelling some of the myths around it, around things like fraud and biometrics. Are they a problem or are they a good thing? The areas we're working at the moment are we've got two main work streams that are applicable on a global basis.
One is we're looking at global interoperability with just an analysis of eight trust frameworks. And we've found that they all have a common DNA of digital identity. And we're extending that to at least another four over the summer. We're going to be publishing that work. And that's now a tool that enables frameworks to understand their relative positions around policy. We've got 75 different policy criteria that we've identified with 289 possible values. For a criteria, if everybody's got the same value, that's good. They're entirely aligned.
If we've got eight different values, that means nobody's aligned whatsoever. And they're all doing it in a different way. And most of the time, we've got two, three or four, which means we've got a reasonable degree of alignment. We're not saying frameworks need to align. They're necessarily different. But this enables them to reason around their differences and make decisions about interoperability. The other element we're looking at is frameworks for wallets. We've a long time published guides to trust frameworks. We extended our guide a couple of years ago to embrace credentials.
We didn't talk much about wallets because we were a bit scared of it. We're now fully embracing that concept. We're adding the kind of issuer role and a new role, the use case service provider that sits between the relying party and the wallet, to unravel the complexity of the wallet or wallet, maybe, to meet the relying party service needs. And those two elements are live working groups at the moment. So if you are or were to be a member, you can get involved in that work.
And Joseph, you're here representing the OpenID Foundation. Tell us a little bit about what they're focusing on now.
Sure.
Our vision, not actually that similar to Nick's, helping people assert their identity wherever they choose. So we'll talk about the differences between our visions and what we do later.
But, I mean, our mission is very much to lead the global community in creating identity standards that are secure, interoperable, and privacy preserving. So the oldest protocol that is having its 10th birthday celebrations this year is OpenID Connect. It's used by billions of users, millions of applications across the world. So that's definitely what we're most well known for. So for people that don't know, that's the thing that is basically being used when you hit those log in with Google, log in with Microsoft, log in with Yahoo type buttons. That's all driven by OpenID Connect.
But there's other standards that we've worked on recently. So the FAPI standard that I mentioned recently, that's been adopted in open banking ecosystems across the world, but also health, open insurance, things like that. And that's an interesting one because in that space, we actually got to the point where regulators in the various ecosystems were saying, hey, this OpenID standard actually makes you secure and interoperable. You have to use that.
Whereas I think adoption of OpenID Connect was much more organic that it filled a need that people actually wanted to accomplish something specific. And obviously, I already mentioned the verifiable credentials work that we're doing. That's growing in popularity and complexness every day. It's widely adopted by the EU, California DMV, other states across the US. And then we've also got other protocols like shared signals that are already well used by some of the big tech providers to provide kind of fraud events about accounts and help.
You know, if Google knows that your Google account has been compromised and you used it to log into another provider as well, then they can notify the other provider that, hey, something freaky is going on here. Maybe you want to do some extra authorization next time you see this user. And that standard's actually also been adopted by Apple. If you want to do sign in with Apple ID as an enterprise, you have to implement the shared signal spec to share those events back and forwards with Apple as well. So a lot of exciting stuff. Not just one or two things. Yeah.
So, Kay, Kantara Initiative, a slightly different organization than some of these others. So I want you to speak to what it is that Kantara focuses on.
I mean, you do have your own working groups and people that discuss some of the same similar things. But what is Kantara all about?
Well, I was actually sitting here thinking to myself, we don't really have a good acronym. We're just Kantara Initiative. I don't have a, you know, DIF and OIX and even OIDF, I've seen. So we're kind of boring that way. But so we're in some ways a little bit more bifurcated. So in the U.S., we are a membership organization and we do have members. And I'll talk in just a minute about what the membership is engaged in, what kinds of things we're doing and opportunities for you, if you would be interested in getting engaged in some of the issues that we're working on.
But the other side of Kantara is really that we are a conformance assessment body. And so what that means in the U.S. is going back 10 years or more, Kantara worked with government as well as with the private sector and took the NIST digital identity standards that were existing at that time, and they've, of course, been updated a couple of times since it first began.
But with that, created a conformance assessment program, which means that we have auditors, we have a very specific process for how we audit solutions, credential provider solutions, to determine whether or not that they meet those NIST standards. It's not like lab testing, but it is testing of a sort because it is done by accredited auditors who really have more expertise in digital identity than anything else. And we're also very technology agnostic. So it doesn't really matter to us what the solution is, what types of ways that credential services are provided.
What we're really auditing and what we're assessing is, does it meet that standard? By the same token, a few years ago when the United Kingdom rolled out its digital identity and attributes trust framework, I keep looking at Nick because I know he's from there, and he and I see each other in many places all over the world. But we were approached by the U.K. government asking if we would be interested in being a conformance assessment body in the U.K. as well.
Obviously, their trust framework is different. There are a lot of similarities. There are many things that are certainly very ISO-centric, in some ways differently than what you see in the U.S. And we said, absolutely. And so we are also a conformance assessment body or sometimes a certification body you might hear referred to. We work with the United Kingdom Accreditation Service, UKAS, to be accredited under ISO 17065 as a certification body.
And we provide those kinds of audits and certifications through the digital identity and attributes trust framework, which of course includes GPG 44 and 45 and so on. And we are actually engaged with other governments around the world who are talking to us about doing some similar things with them. Most of that I can't really talk about at the moment.
But including some who are already using the standards of these other countries and are interested in bringing our conformance assessment to their countries, because what we really provide is a service often to governments, relying parties, purchasers, where, as a third party, we've actually done that audit, we've done that test, and we can say whether or not this solution meets the standard, which is, I think, often comforting. It makes those purchasers more comfortable that this isn't just a sales pitch. This person is actually showing us.
They went through, and we have a very rigorous process, and it is very much a specific type of process. It really puts those solutions through their paces so they can have a lot of confidence. And frankly, what we see is less fraud and reduced risk for companies that are able to meet those standards. On the other side of the house are our work groups. This is where members who are interested in innovation, who are wanting to really work on up-and-coming issues, focus on some very specific things. We have one right now on deep fakes, which is beginning to morph. It's been a discussion group.
It's really going to become a work group to produce some actual products and likely requirements. We have another one on privacy-enhancing mobile credentials, working with mobile credentials, mobile driver's licenses, e-wallets, and the same kind of thing. We have one on consent receipt, and I'm sure I'm forgetting some.
I'm sure you're forgetting a lot of them. You can go to their website, and everything's open, right?
Yes. Can I just say one thing? Just so you understand what the work group does, the consent receipt group created requirements. We are a liaison into ISO.
They gave them those requirements. They're now in ISO standards today. So that's what you have an opportunity to do in those work groups if you're interested in those areas.
Thank you. And actually, that's a perfect transition to any one of these groups. I sometimes call us proto-standards groups because we'll write the initial standards, and then they may move on to other standards body, IETF, ISO, et cetera. So I'm often asked, which one do I join so I can be in the room where it happened? And my answer is all of them.
And so I want to talk now a little bit about what the differences are so people understand the differences, but then we're going to go in the next round to where are we collaborating and where are we doing things. So I'm going to start with what are the differences with OIX and OpenID Foundation because there's a lot of confusion there. You're both traditionally from the centralized world, then moved forward into decentralized world. So what is the differences from your perspective of your two foundations?
And try to be a little succinct and clear because one of the things we aren't doing very well as foundations and initiatives is being clear about what our special secret sauce is and where we mix that all together to have a full meal.
I guess the succinct one is OIDF, we do standards, OIX does policy. So I'll say a bit more about what OIDF does and then Nick can expand on what policy is maybe.
So OIDF, we're very much a standard setting organization. So we don't really lobby governments apart from where it's very specific things that we need to do to get our standards adopted potentially like we're going through with the CFPB in the U.S. at the moment. That's a whole other story.
But yeah, we very much stay in the standard setting organization. So we don't do implementations. We don't do trust frameworks. We just write standards. We have volunteer people that come into our working group and they create standards.
And yeah, eventually some of them also end up as ISO documents just because some countries can only use standards if they're ISO documents.
Nick, do you agree?
Yeah. So we sometimes describe it as the rules and the tools, policy and standards. So we focus more on the whole trust framework or ecosystem as you're assuming on the trust over IP diagrams. What's the governance required in that? What's the roles? What are all the rules that are required? And there are a lot of them. So we've got a framework model with 41 different areas of rules in. The data analysis has got 15 areas.
So I think we've simplified that a bit with the details still in there. And what we help is explore those different areas. And within there, there is the technical rules. There's things like trust registries, technical standards for protocols, data standards. So we touch into that, but we don't get that technical. And that's a deliberate choice. We kind of exist in that policy area. And we do do a lot of influencing of framework writers now in terms of helping them understand the differences between the frameworks. That's where we've gone now. But we help form the frameworks.
We're giving a lot of feedback to NIST on version 4, for instance. We're next week meeting to do the feedback to EU on the ARF. And we'll be looking at that from a policy rather than a technical basis.
Thank you. And now kind of what I want to call the three-pronged triad of kind of the decentralized world of foundations. We have Trust over IP, which I'm from. And I didn't kind of really say what Trust over IP does. But basically, we develop standards, recommendations, white papers, templates that can be used by consultants, by people setting up digital trust ecosystems.
And so everything we do in the area of both our technical standards and our recommendations, white papers, et cetera, is all out in the open. And it's there for you to use. So please go to our deliverable page, download it, use it. So that Trust over IP is one in the triad. Decentralized Identity Foundation is another one in the triad. And then the third one is Open Wallet Foundation, which is in that triad. And I'm just going to, before I say my perspective on the difference, I'm going to turn it over to Kim and say, what do you think the differences between our three foundations are?
Yeah, and I think they're all highly complementary. We'll get more into that.
I think, first of all, in terms of Open Wallet Foundation, it's very clear they're focused on the intersection of wallet and code. So that's a very critical role. And it's an important role. But it's just one part of what we need in a decentralized identity ecosystem. What happens when you're in scenarios involving multiple devices or cross devices? And then also what happens past the initial identity verification or authorization event? We also get asked about the difference between OIDF. And so you're talking about in the decentralized space, they are in the federated.
And so it's part of our canon, right? So we're moving past login with Facebook. So we want to put people in a situation where they are more in control of their data, minimizing the opportunities for surveillance and tracking that they didn't intend. So one quick thing in terms of tying it together. A focus that we've had a lot in this conference is the flow of data from an individual to relying parties or verifiers or organizations so that they can verify you. We've not talked a whole lot about how trust is afforded to the individual in return. So that's one of the critical parts.
To say most of our interactions are not also cleanly in the context of one connection. So a lot of the fraud that we experience now as individuals, they start from a text message, a call, something like that, that then ask you to log into a website. So we're very focused on the richer set of communications and identity verification. So mutual authentication, the ability to interact with other parties in a way that you know and can trust is secure. And then let's see.
So, yeah, the ability to securely manage your own data through methods like decentralized web nodes. And I find Trust over IP highly complementary. They really take a leadership role in trust frameworks, and we'll get more into that a little bit later.
Thank you. And I will just put it very succinctly how I feel the difference between DIF, Trust over IP, and Open Wallet. Trust over IP is working on the complete architecture of a technical stack. Many of the components in that technical stack are developed at DIF, are developed at OpenID Foundation.
So we're kind of giving the recommendation for the whole stack. For example, in our trust spanning protocol, which we just announced last or the implementer's draft, it was out last month, so you can find that on our webpage.
But in it, there's this concept of a VID, which a lot of people haven't heard of, which is a verifiable ID. Well, there's a lot of different types of verifiable ID. OpenID for verifiable credentials is one, right? If you want to go on the full other spectrum, a KERI AID, which is, you know, probably the most secure but not appropriate in every situation. And so we coined this term a VID, and there's multiple different types of VIDs. So we work on the technical stack.
But I think in the triad, we are the only one that works on governance and that we've always paired our stack with technical stack and a governance stack together. And a governance, we've kind of moved away, if you just sat in our presentation, from like having it being a layered governance stack, is it's really something that runs. It's you define your governance. You run your governance. In the running part of it, you have to certify and make sure that your technologies that you're utilizing have been certified to fill into the governance.
And then you have to reevaluate it again as things change and morph. So it's constantly going. It's kind of a run mechanism. So in Trust over IP, we have this governance side of it, which everybody leverages. And then the other thing I would say is different with regard to you articulated it very well. Open Wallet Foundation, by its name, is very focused on wallets and wallet agents. And if Daniel was here and he apologized, he had to cut out early. Daniel is the AD of the Open Wallet Foundation. I've had this conversation with him many, many times. We don't do standards. We do code.
So Trust over IP, OpenID, we do standards. They do code. So they're working on the code for the wallets and the wallet agents. So that's really kind of the difference. So now let's move to some of the similarities. And where are we collaborating? I'm just going to start right away because you said governance frameworks, governance frameworks.
And OIX, I want to say it was almost two years ago when you were working on your framework document, and you were just starting to put the section in for self-sovereign identity. And we reviewed it at Trust over IP, and we got some of our experts on it. And we went back and forth with, like, three or four versions of it. So that whole section that's in the OIX document has been vetted by Trust over IP and by people that were already implementing self-sovereign systems. And so there is this, you know, I want to also go across the camp. It's not just the foundations.
There is not, you know, here's centralized world, here's decentralized world. There really is this bridge that is happening, and it's in these organizations that we're working together. So that's what I was thinking of as, like, how we collaborate with OIX. Do you want to add anything else to that, Nick?
Yeah. And as you said, that was nearly two years ago, wasn't it? I was trying to figure out how long ago that was.
Yeah, it was kind of around May, two years ago, when we released that. And, yeah, that was us moving our guide to frameworks forward and making sure it was embracing self-sovereign and the emerging world of wallets. So right now we're working on moving that further forward to be more embracing of wallets and, you know, the surrounding actors in that.
And, you know, looking at the ecosystem diagram you put up there, you know, we'll continue to collaborate. We should map the framework analysis we've done into that ecosystem components because the way we've cut it with the 15 headings, you've got around 10 on there. You could recut and, you know, it's just the way you organize things. You underline that.
You know, there's governance, there's tech. You know, all the headings you've got there are relevant in the way we're doing it. And we're doing the rules bit. We're not doing the tech.
You know, you're doing the whole stack there, and we're looking at the rules element and the detail of what goes in them. So I think we continue to be aligned there as we move forward.
And, you know, one of the things I mentioned is this new role we see emerging. The EU's got the relying party instance now, which is some kind of agent for the relying party. We've got other projects looking at credential wallet selectors that, you know, sit between the two. We think there's a lot of also policy and process that needs to happen in there to make sure that that is, you know, meets the user's needs and meets the relying party needs. So I think as we evolve that, you know, we should be talking about that as we go forward. Yeah.
And then I'll just say, T-O-I-P, just we've been working steering committee to steering committee for over a year on kind of defining, you know, where do we want to collaborate? Where do we, you know, feel that we're different? And we've kind of really decided that there is a role for two organizations.
You know, we were investigating of, like, do we really need two organizations? And because we do have slightly different focuses, we decided that made sense. But we're talking now about working together, for example, on a hackathon around the hospitality industry in October timeframe and other things. So do you want to speak to anything about how we might collaborate?
Yeah. So the hackathon, I think, is a great way, not just from the expertise of Trust Over IP, but Judith specifically, who has rich expertise there.
And so, you know, as I mentioned, the work of Trust Over IP on, well, governance frameworks, but then I would also say a lot of effort into risks and harms evaluation. So I rely really heavily on that from Trust Over IP, from Kantara, governance framework mapping work that's happening in Open Identity Exchange. And then with OpenID Foundation, we work heavily together for, you know, bridging from the sort of open decentralized world to the federated world. And so that's been very successful. And in the past, we've donated standards as well. And then the wallet touches on much of what we do.
I think they will also end up using a lot of our libraries, like Universal Resolver for DID resolution. And, yeah, so highly complementary. There's a lot of work to do. And, yeah.
So Kay is sitting over here very patiently because, you know, we're talking about the standards development process, the code development process, and the open environment, which is kind of the beginning.
You know, you start with the standards, you do the code, or the code informs the standards, et cetera. But before anything is going to be deployed and put at scale in any way, there has to usually be some certification that this code and that it's matching the standard and the code is operating the way it should be done. And this is where certifications come into play, where you're talking to certify something. And so we have two organizations here that have certifications as a part of their portfolio of what they do.
And so I'd like to have Joe and Kay talk about the difference in your certification programs, like what's required to get certified in each of the programs. And since you are the person in charge of certification at OpenID, why don't you start.
And then, Kay, you counter after that about how your certification program was different.
Yeah, thanks, Judith.
So, I mean, I guess the main thing about our certification program is we're entirely focused on testing our protocols. And our protocols are, to oversimplify, about how data moves from one place to another. And we just test that interface. So it's a very technical certification. It's a very binary certification. You either comply with a protocol standard or you don't.
And we have automated tools that can pretend to be the other party in that standard's interaction and try doing different positive flows, different negative flows, and making sure the code that's being tested behaves in the right way. And then you get a pass or a fail, essentially, at the end. So we don't have auditors. We just have a tool that tests.
And then, yeah, once you're certified, you get listed on our website, and that's your evidence to whichever body was looking for you to be certified that you are actually certified. And it's quite a lightweight program.
We just, you know, if you're a bank wanting to certify, you run the test yourself using our test system against your server, and you get that pass or fail result, send them to us, pay the certification fee, and you get listed. So, yeah, I think.
Yes, and we don't call ourselves a standards body, but we definitely in all of our work groups are working on standards, right, that we feed into other groups. As I mentioned, we have a liaison to ISO and with OASIS and other groups, right. But in terms of our conformance assessment process, it is very different. It is that we do have auditors.
And one of the reasons that in our work groups, like focusing on deep fakes, for example, we're looking to figure out what are some of the ISO standards that are either out there or that need to be developed, but we're also looking at it from the aspect of what are the requirements. If I'm an auditor, how do I know if you met the standard? Because it is not like a tool that we use for testing. And many of the things that are being assessed is do you have policies in place to deal with fraud? If you find fraud, what does your policy say you will do? How are you going to react?
How are you going to fix this? And it's one thing to have a nice policy written. It's another thing to put it in practice. So the auditor's job is to put you through your paces and have you be able to demonstrate and show this is how the process works. This is what happens, right? This is the result. And in addition, we are, you know, for the most part, we're implementing a conformance assessment for government-issued standards, for the most part.
Most of the governments that we are currently working with are pretty transparent and have had collaboration, right, with the community, with the public, to establish those standards. For example, in the U.S., NIST has already been working on a version 4 of their digital identity guidelines. They're not out yet. They went out. Lots of comments came from the field. They revised them, and they'll be coming out again in the next couple of months and so on. So it's a very iterative process in which we all have an opportunity.
And what we try to do is figure out how can a company demonstrate that they meet that standard in a way that, as a third-party auditor, I can really say, yes, in fact, they do do that. So it's a process that takes you through several steps, very similar if you've ever been through an ISO audit, where you have a couple different phases of that audit before you actually are given the certificate. But it does not involve a tool. It doesn't involve testing like a lab testing. And we're continuing to expand the areas that we can do that in. I talked about deepfakes.
I talked about mobile credentials. I mean, there are other areas where we recognize both purchasers and solution providers are asking for those kinds of requirements where we can help audit and assure purchasers that what they're buying really does meet those ISO, those international or the country-specific standards, because there's always going to be a few things that are specific to each country that won't be identical everywhere. So I suppose that's a little bit of a different way of approaching certification.
But I also appreciate you giving me the chance to talk about the workgroups, because they really help feed into what does that have to look like. And I think they help us make sure that our process is robust and accurate and more in line with what those who issue standards want it to be. So thanks.
Thank you. And so one last question that I'll just popcorn. Somebody can jump in if they want to answer this before we go. We want to leave some time for questions from the audience.
Why is it important for organizations to support foundations across the board and not just, like, be in one little foundation and that's the only place they play? So what is that reason? And I'm going to start with my proposed reason. And it's because we are solving global problems that will create future-looking solutions that just can't be solved by any one company or any one foundation, and that it takes that collaboration to be able to do all that needs to be done to have that new future that we're talking about. So anybody else who wants to add on to that topic, please jump in.
If you agree with it, you just say, I don't need to say anything that says it all. Or if you disagree with it, feel free to do that because that's what workgroups are all about.
Yeah, I think I like that perspective. And then one I'll add also is that real transformations are underway. And I think if we look at it with more of an open mindset and the new opportunities are enabled by what we're building here, I don't think we have to look at it as this is my piece of the pie and I'm going to grow that piece. I think that it's critical that we work together. And the work that we're doing, I think we've called out, is highly complementary.
Yeah, I think to add to that, the pieces of the pie or the puzzle or jigsaw puzzle, they are specialist pieces with specialist knowledge, which is why no one organization can resolve this on its own. And if you were to think, well, there's a dozen different organizations here. I would pick to join one. You'll not be seeing the full picture. It'll be like you've only got one piece of the jigsaw puzzle in your hand and it might just be a bit of sky. So you're not seeing what that whole picture is. So that's why it's important to collaborate across the board.
But that specialism of the different areas is why we exist as different organizations. One of the things we've started is a kind of specialism analysis across the organizations and trying to come up with the specialist categories. When I get a little bit more mature, we'll share it with other organizations and we can hopefully fill in and add our specialisms and create a bit more of a map about where we all sit. I think it feels to me we've kind of quite clearly explained the different positioning here today.
But being able to articulate that in a way that can be read, I think would be really useful.
I think you've hit the nail on the head with what everyone has said there. I think it's important to emphasize that we really do all work together as well. I'm technically the board member at Open Wallet Foundation that represents your three organizations. I forgot that. Do you have an Open Wallet Foundation representative on here when he's on the board? I've never asked you if you voted for me or not.
Our OpenID Foundation technical director and one of the chairs of our IDA working group is a board member at OIX. We've worked very closely with Kim on the presentation exchange standard because that's really a place where the two organizations needed to collaborate. We've worked very closely with W3C because it seems the browsers are getting involved with all this verifiable credential stuff. It's not always easy, I have to say, starting out some of these new relationships because it does sometimes feel like the other organization might be attempting to step on your toes.
It takes a while to make sure you know where the dividing line is and that both sides know where they're going.
I think that's a really great question. There's another organization that's not here, but you know I volunteer a lot for Women in Identity. They're working on doing research around a code of conduct and developing a code of conduct. I think they really hope that they are going to be able to put together principles and requirements for how you know you're building that equity into all of your identity solutions.
But they've already made comments to me about they don't really know where to start if they were going to try to do conformance assessment. That's a whole other ball of wax. It's a pretty extensive program to just stand up from scratch. It's probably not that easy. What they have already talked to me about is essentially having us take what they've developed as their requirements as that code and sort of road test it. Having our auditors put companies through their paces to see does this really work and what does it seem to mean? What are sort of the performance metrics once we see that?
All of our hard work we see now in practice. In some ways, Kantara is probably a much more nuts and bolts organization. We really look to a lot of the output from the other organizations because it very much informs what we're doing in our work groups. I also think over time informs what our conformance assessment schemes look like. It's an interesting mix of how that all comes together.
Thank you. Before I go to the one final question to each person, are there any questions in the room? Yes.
Probably this is a basic question for you, but what's going to happen for W3C Consortium? Because still they have data specs and so on. But my impression is it's going to be moving to DIA for IETF. What's going to happen?
Since they're not represented here on this panel, and I do know some people that probably know, I wouldn't want to speak to them for that answer because there's a lot of speculation out there about what's going to happen. At this point, and just knowing from the conversations that DIF and I had, we had for over a year the two steering committees met. We had conversations. We discussed where the future was going, et cetera.
And if you'd asked in August, I would have said it was going to go one way. And if you asked in October, I would have said it was going to go another way. And when it's in that formation process, it's too early to say or to speak what's going to happen. Thank you. Is that helpful? Yeah. Okay. Are there any questions online? Are we okay?
Oh, great. Thank you. The panel described well what each foundation does. I have a question on that. For each foundation, who are your members, and what value do they get from their membership?
Oh, that's a great question. Do we have time for that? Okay. So our members, so our structure is we have a steering committee, general members, and contributing members. So the steering committee and the general members are funding members, but any contributor who's a free member can do anything a steering committee member or whatever, except for if we go to a vote. But since we're working on consensus, we have never taken a vote. It's all been consensus. And so our members, you can look at see all of our different steering committee members.
I don't want to accidentally call one of them out without calling the other out and giving the advertisement there. But our contributing members, we've got about 400 individuals and organizations that are contributing. So I don't know if that helps.
Our members are, I describe them as builders, and that's not just developers. It might be leaders, product managers, anyone who are really focused on building the solutions and products of the future.
And so how they benefit is, you know, this space is very new, and it's a good opportunity to work with others to figure out how to navigate, to access other experts and really benefit from that.
Yeah, our members are, again, we're not-for-profit, as we all are. I'll name some members. So we've got people at IAG, International Airlines Group. We've got a whole number of banks, like Barclays and NatWest. We've got Microsoft. We've got a plethora of identity providers. We've got Visa and MasterCard.
So we've got a real mixture of people from the identity ecosystem, finance ecosystem, and relying party ecosystem. And, you know, they're there to do two things, learn and shape.
So, you know, some people will come along, they'll sit in a working group, they won't say a great deal, and they'll come around and say, that was brilliant, I really benefited from that, I've learned. Others will be very vocal. They'll have an opinion, they'll want to drive things in a particular direction. They're the shapers. So we've got a really good mixture of both.
Yeah, and again, I think I'll avoid naming any actual members to avoid upsetting anyone. You leave somebody out, you're in trouble.
Yeah, well, there's a lot. I mean, we have 400-plus members in total, right from the big tech firms you'd expect, down to, you know, some of the banks, some of the financial institutions, but right down to individual members. And what the members will get is a vote on the standards, and an individual member's vote counts as much as one of the big tech votes, which is important. Can't have big tech dictating too much what we do. But the people that pay the highest level of membership do get a guaranteed board seat, which lets them somewhat set the future direction of the organization.
But again, our individual members and the smaller members are also represented on that board, and I think it's very important to say that that board does not have any actual influence on the standard setting. The standard setting is all done by the working groups, and it's just volunteers and consensus, and stuff doesn't get blocked by big tech just because they're paying a lot to be on the board.
So I told you about our conformance assessment program, right? And in that sense, there is no membership there, right?
If you decide that you want to go through conformity assessment, you would like to get a trust mark, you would like to be certified, you pay a fee and you go through that, and there is no requirement for membership. And I think for those companies, you know, what they're getting is that seal of approval. In the U.S., by example, the U.S. government has issued a special item number schedule, which is for only vendors who have actually gotten the Kantara certification, and that's the only way you can get on that.
It's a special procurement schedule, which allows federal and state government agencies to purchase services very, very easily. So none of that is membership, but there's things in there for companies, if your company is interested in some of those. On the other side of the house, where it's members, I would say that a lot of what we get are people who are innovators, people who are out there looking at what's the next product line that we need to, you know, develop, and they're coming together and sort of brainstorming with like-minded people. But this is far more practically oriented.
It can't just be discussions. It has to result in something, right? And almost everybody that comes to those, they need something, whether it is that they need conformance assessment for their deepfakes product or they need for there to be standards that we feed into some of these other organizations that really addresses the type of technology solution they either have or are looking to develop, or whether it is they just have a sense of they thought of everything as they're developing new products.
So I think that I would say most of those folks are really the innovators that are really out there. Sometimes they're the lone person in their company that's really trying to be forward-looking, figure out what's the next greatest thing and how do we get ahead of that.
So I want to thank the person who submitted that question. And so to close the panel here, I want to ask, you know, each person, what's your call to action? And my call to action is going to be in the area of this kind of membership or who participates. I love how you call them innovators, developers, you know, et cetera.
My call to action is two points. One, if you're in a position to fund foundations, join at the level of funding that you can because our organizations run very, very leanly. Mostly everything is done by volunteers, but we still need servers. We still need outreach. We still need travel for people to be able to come and sit on panels like this, et cetera. So if you can fund, please do, and fund as many of them as you can.
My second is probably a little bit more important, which is fund not by the finances but by putting your people in these organizations, not just in one of them, but spread your engineers out, your legal people out, your communications people out, so that then they can feed back to you what is happening in each of the organizations. And the people to put are not your best engineer.
Granted, we would love their best engineer, wouldn't we? But this is a great way to groom new talent. You got a new engineer who's thirsty to learn. Let them sit with the experts sitting in these working groups, listen, learn how to collaborate, how to disagree appropriately, et cetera. It's free training for your organization, and that's my call to action. Anybody else want to add a call to action?
Yeah, I can start. I wanted to start with thanking you, Judith, for teeing up this discussion. I think that this conversation is incredibly important, and thanks to the executive directors and delegates that joined today. And I think we should continue this discussion, continue to think expansively in how we continue to work together. I want to also amplify what you said around funding the organization. So we do operate very lean. A lot of us will be we operate critical infrastructure as well at DIF. That includes Universal Resolver and other efforts coming up soon.
And so we do this as information, educational resources, getting people up to speed. Access to these communities, getting in the room, provides you with such a huge advantage when you are building leading products based on these new architectures.
So, yeah. So I'm realizing that the timer wasn't started, and we are a little over. And so if you guys can, if there's anything else that's different than what we've said that you feel needs to be in the room, otherwise we probably should let these people go.
I mean, I think I'll just definitely say that, at least at OpenID Foundation, that there's no cost to contribute to our standards. And if you're building with our standards, if you're using them, if you've got use cases that need them, please come and join the work groups and tell us what you need. And it's only by all working together that we really manage to build these key standards that get good adoption and actually work in the real world.
Yeah, and if you want to see change, collaborate with others. Doing it on your own is impossible. Collaborating with the groups you've got here and others like us means we have a chorus of voices, a chorus, a collection of talent that's working together to innovate and make change.
And the only thing I would add is we really want people who are also action-oriented, who are not just wanting to have esoteric discussions but actually want to make things happen. So we welcome you.
Thank you all. I think you are all people who are in the room where it happened.
And so if you'd like to continue the conversation, I'd just ask you to go outside in case there's another group that needs to come in here. Thank you for spending your Friday afternoon after a very wonderful conference by KuppingerCole. And I would like to thank the staff, KuppingerCole, for allowing the executive directors to speak today. Have a great afternoon. Thank you.