The puzzle of identity. How do we solve it? Collaboration! This panel of Executive Directors from the major identity foundations will discuss how each of our foundations are solving key pieces of the puzzle to make the vision of trusted, secure, privacy-respecting identity a reality.
We all have a common vision! To obtain and share trusted identity credentials to prove who we are to instantly, securely and seamlessly access services, both online and face-to-face, anywhere around the globe. Sounds easy, right? It’s really not!
We are building on an internet that was never intended to form trust between parties.
We have to build the technical tools, the policy and gain regulatory agreement to make this a reality.
We have to make sure we deliver ecosystems that interoperate, respect users’ rights and privacy, and are secure and will scale.
It’s a complex puzzle that requires collaboration to solve.
This panel session has been brought together by Judith Fleenor, Executive Director of the Trust Over IP Foundation.
Good afternoon. And you know, I really wanna thank you for being here. I'm sure your brains are very full after this very, very interesting week. I'm Judith Fleenor. I happen to be the executive director of the Trust Over IP Foundation today.
Hey, I've brought together several of the other foundation executive directors here to talk about what's kind of been on the screen. I don't know if you notice the little quote at the right hand side of the main thing. It says the evolving identity for upgraded realities. So that's what these people are all about, the evolving identity for upgraded realities. Mike Jones, in his keynote address on standards said, standards development is all about making choices.
And then Andreas, the next day in his presentation, the IDAs protocol Challenges in the Art of Timing said that the best way forward is not to wait to make the choices, but to get started and tool for interoperability. And by being prepared with multiple protocols to be used in context, one of the best ways to do that is to get involved early in the standards development, open source code development process. And that's where the decisions are made. For those of you that are Broadway fans, you may know the, the musical Hamilton, and in the musical Hamilton, it's in the room where it happened.
And so these people that are sitting here today are people who have been in many, many rooms where it happened. And so I would like to take this opportunity to ask each one of the panelists to go ahead and introduce themselves.
I am going to ask you to say your name, your foundation that you represent today, and then any one or two lines that you wanna say about other work, like what working groups you've been in previous to this role, in this role, that, that gives context for how you are qualified to sit up here and be executive directors or, or in, in Joseph's case, the person in charge of the sta of the, this not just the standards, but the, the certification for those standards in OpenID. So if you just do that, and then in a minute I'm gonna give you an opportunity to tell us all about your foundations.
I will start. So as to whether I'm qualified to be up here, we'll leave that outta scope, but I'll introduce myself. So I'm Kim Hamilton Duffy, Executive Director of Decentralized Identity Foundation. And my background is in software engineering and architecture ranging from core systems libraries to distributed systems and algorithms. I fell into decentralized identity about seven years ago when I was CTO of Learning Machine, working with MIT Media Lab on what we called Blockcerts.
And this was a way to allow people to control and own their own professional and educational certifications and credentials for, for life. And so since then I've gotten more involved in various standards orgs and NGOs working on both from a range of W3C, US Chamber of Commerce, World Economic Forum, et cetera. And in general, just trying to build a world where people have access to more economic opportunities and kin syntech more safely.
Okay, so I'm Nick Mothershaw. I won't, I won't stand up. I'm tall enough already.
So, the Chief Identity Strategist at the Open Identity Exchange, I've been with the Open Identity Exchange in this role four and a half years now. Prior to that, I was with Experian for a good long time, but I, I got into the identity industry, I guess back in the nineties when I was dealing with the identities of, of criminals, possible criminals and their associates who we called, we politely called nominals at the time to not give them a label. And I was involved in systems around intelligence management collection, informant management. So that was one form of identity.
And at that point we also started to put biometrics in. So we had some very early forms of one to many and many to many biometrics matching. We were using those in public in Europe in 2000, believe it or not. So this stuff's been around a lot longer than most people think. Everyone thinks it's all it's biometrics and AI behind it is all new.
You know, that's maybe 25 years ago now. It was live, it found football hooligans in Europe, 2000. There was a riot in the Netherlands at the time. And our software identified that the ringleaders who incited the riots, there were three of them. And they kicked off each of the three riots. They moved from one to another.
And we, we proved that through facial recognition, we found who they were. So that was my, the start of my journey there. I did 15 years of Experian way too long in hindsight. But on that journey, I did a lot around fraud.
So I, I know an awful lot about fraud prevention and detection as well. And latterly got into digital identity, which is where I got a real passion for the concept of reusable identity. I became chair of OIX during that time. And then when I decided I wanted to, to move away from Experian and focus solely on digital identity OIX were kind enough to give me this position, which I've been doing ever since. So Great.
So yeah, I'm Joseph Heenan. So yeah, slightly less blonde and slightly less hair than our actual executive director, but unfortunately Gail couldn't be here today. So I'm the standard specialist and the certification director at the OpenID Foundation. I've probably been involved with the OpenID Foundation for about seven years now, something like that. Before that, I was actually a, a mobile app developer and I like to quip, I was actually developing mobile apps before mobile apps existed because of the route I went through there from embedded software.
And I'm also the, the CTO at Authlete. And that's how I actually got involved in this space. Some people that I knew from the mobile app business actually dragged me into this identity stuff. And it's quite nice actually being, I still use a lot of that native app knowledge to, 'cause there's not many people that are at that intersection of mobile and identity.
And yeah, and it was actually Nat Sakimura's fault that I got dragged into all this certification stuff is after I'd started at Authlete, he pointed at these folks in the UK that were doing some kind of open banking thing and needed a certification suite for it. And yeah, that, that kind of snowballed into that getting donated to the, the OpenID Foundation as their FAPI test suite. I'm now one of the authors of the, the FAPI 2 standard, which is a high security and interoperable profile of OAuth.
And I'm also one of the co-chairs with Kristina and Torsten of the Digital Credentials Protocol working group at the OpenID Foundation that develops the OpenID for Verifiable Credential Issuance and Verifiable Presentation specs that you've already heard a lot about at this conference.
Okay. Thanks Judith.
Hi, everyone. I'm Kay Chopard. I'm the Executive Director of the Kantara Initiative. So technically we're not a foundation, but we are a nonprofit and we are incorporated and recognized in the US by the IRS as a nonprofit. We also actually have an affiliated company in the UK because we, we operate in both countries and in the frame the trust frameworks in both of those countries. From my background, I'm actually a lawyer. I started out in the legal profession. I actually started out as a trial attorney and I moved to Washington DC where I am now about 30 years ago.
And I have been working in government positions for the first half of my career. And in the last 15 to 20 years, I've been managing nonprofit organizations far larger than Kantara. This is the tiniest organization I've worked with, but with members providing continuing legal education programs, providing a variety of things to thousands and thousands of members. And I made a pivot to the digital identity world from there. And I was mostly recruited, frankly, because of my experience with running large nonprofit organizations and my business operations and entrepreneur type experience.
And that's what I brought to Kantara. And I know we're gonna talk more about what the organizations do, so I'll leave it at that. But this is not my first time for being in this executive director CEO type role. But it's certainly been fun to make a change to this area.
So as you can see, this panel is very well qualified and has a, has a lot of experience and background.
As I said, I'm the executive director of the Trust Over IP Foundation, and I first met Kay, 15 years ago. It was during the Obama administration. So how long ago was that anyway, when the, the, in the United States, there was something called the National Strategy for Trusted Identities in Cyberspace. And they put together a public, private and, and government consortium called the internet Identity Ecosystem Steering Group, the IDESG. And so that's where I met Kay, she was the executive director of that.
And since then I have been, you know, in this space, what I, what I will say is my current job, I got directly from that, that experience back at the IDESG, where I volunteered for five years. I was the chair of the, the Human Experience Working Group and all of that was volunteer. None of that had to do anything with my job at the time. But because of that, fast forward, I was then asked to participate in other things. So this is just my shout out to everybody here. Any one of these organizations would love your expertise, your time. You will be welcomed with open arms to participate.
And especially if you think you're new to this industry, it's the best place to learn and, and kind of hobnob with the experts in this industry. So with that, I would now like to have you each tell a little bit about your organization and what it does, what it, what its key objectives are today, and if there's any primary thing you're working on in your organization today. And then after we go through each one of the organizations, I'm going to then start talking about how do we differ? How do we come together?
So don't, don't talk about that yet, just what are you doing today and what is your primary focus. Thank you.
Yes, I can start. So our focus is on two prongs in enabling decentralized identity ecosystems. So development and community building and advocacy through our work and the work of our members. So one way to think about it is through our three-part cycle. And those are incubate, graduate, apply and grow. So on the incubation side, we work heavily on incubating new standards, reference implementations, use cases and blueprints. The mature phase of that is either maturing within the organization or donating to other orgs and those not represented.
So OpenID Foundation is one we've donated to, IETF is another that we've donated to. And then lastly, in the apply and grow phase, we focus heavily on building implementations, documentation and in general community engagement to really draw attention to how these work. Now our reference implementations are not restricted to DIF specs. We use those of other organizations. And so we're really keen that people not view decentralized identity as having to stick into a certain silo.
Nick, Open Identity Exchange, OIX. DIF, Decentralized Identity Foundation, DIF.
A lot of times we just use the acronyms and for new people it's always good to have how the acronym and the name goes. So will you talk about OIX?
Yes, I can do so. So the open, our vision as OIX is that we can all have a reusable identity that is trusted wherever we go around the globe. So that's that kind of lofty, lofty vision. And a bit like Microsoft's a computer in every home in across the world, which nobody thought would be achieved.
And hey, now we've got loads and we carry them around with us. So we, we set a lofty vision and the way we go about achieving that is through thought leadership in, we publish papers and guides, we influence governments and those who write trust frameworks. And we do a lot of promotion of digital ID as well in terms of what is it, how will it work? Dispelling some of the myths around it around things like fraud and you know, biometrics. Are they a problem or are they, are they a good thing?
The areas we're working at the moment are, we've got two main work streams that are applicable on the global basis and one is we're looking at global interoperability. We've just an analysis of ARU frameworks and we've found that they all have a common DNA of digital identity and we're extending that to at least another four over the summer. We're gonna be publishing that work and that's now a, a tool that enables frameworks to understand their relative positions around policy. We've got 75 different policy criteria that we've identified with 289 possible values for a criteria.
If everybody's got the same value, that's good, they're entirely aligned. If we've got eight different values, that means nobody's aligned whatsoever and they're all doing it in a different way. And most of the time we've got two, three, or four, which means we've got a reasonable degree of alignment. We're not saying frameworks need, need to align, they're necessarily different, but this enables them to reason around their differences and make decisions about interoperability. Then the other element we're looking at is frameworks for wallets.
We've long time published guides to trust frameworks. We extended our guide a couple of years ago to embrace credentials. We didn't talk much about wallets 'cause we were a bit scared of it. We're now fully embracing that concept. We're adding the kind of issuer role and a new role, the use case service provider that sits between the relying party and the wallet to unravel the complexity of the wallet or wallets maybe to meet the relying party service needs. And those two elements that you know are live working groups at the moment.
So if you are or were to be a member you can get involved in in that work.
Andrea, Joseph, you're here representing the OpenID Foundation. Tell us a little bit about what they're focusing on now.
Sure. So I mean our vision actually that similar to Nick's helping people assert their identity wherever they choose. So we'll talk about the differences between our visions and what we do later. But I mean our mission is very much to lead the global community in creating identity standards that are secure, interoperable and privacy preserving.
So the oldest protocol that had its is having its 10th cen, 10th birthday celebrations this year is OpenID Connect. It's used by billions of users, millions of applications across the world. So that's definitely what we're most well known for. So for people that don't know, that's the thing that is basically being used when you hit those login with Google, login with Microsoft, login with Yahoo type buttons, that's all driven by OpenID Connect. But there's other standards that we've worked on recently.
So the the FAPI standard that I mentioned recently that's been adopted in open banking ecosystems across the world, but also health open insurance, things like that. And that's an interesting one 'cause in that space we actually got to the point where regulators in the various ecosystems were saying, Hey, this OpenID standard actually makes you secure and interoperable. You have to use that. Whereas I think adoption of OpenID Connect was much more organic that it filled a, a need that people actually wanted to accomplish something specific.
And obviously I already mentioned the verifiable credentials work that we are doing that's obviously growing in popularity and complexness every day. Obviously widely adopted by the, the EU, California DMV, other states across the US and then we've also got other protocols like shared signals that are already well used by some of the, the big tech providers to provide kind of fraud events about accounts and help.
So, you know, if, if Google knows that your Google account has been compromised and you used it to log into another provider as well, then they can notify the other provider that, hey, something freaky is going on here, maybe you want to do some extra authorization next time you see this user. And that standard's actually also been adopted by Apple. If you want to do sign in with Apple ID as an enterprise, you have to implement the shared signal spec to share those events back and forwards with Apple as well. So a lot of exciting stuff, not just one or two things.
Yeah. Kay, Kantara Initiative, a slightly different organization than some of these others. So I want you to speak to what it is that Kantara focuses on. I mean you do have your own working groups and, and people that discuss some of the same similar things, but what is Kantara all about?
Well, I was actually sitting here thinking to myself, we don't really have a good acronym. We're just Kantara Initiative. I don't have a, you know, DIF and OIX and even OIDF I've seen, so, so we're kind of boring that way.
But so we, we are a, in some ways a little bit more bifurcated. So in the US we are a a membership organization and we do have members, and I'll talk in just a minute about what the membership is engaged in, what kinds of things we're doing and opportunities for you if you would be interested in getting engaged in some of the issues that we're working on. But the other side of of Kantara is really that we are a conformance assessment body.
And so what that means in the US is going back 10 years or more, Kantara worked with government as well as with the, the private sector and took the NIST digital identity standards that were existing at that time. And they've of course been updated a couple of times since it first began. But with that created a conformance assessment program, which means that we have auditors, we have a very specific process for how we audit solutions, credential, credential provider solutions to, to determine whether or not that they meet those NIST standards.
It's not like lab testing, but it is testing of a sort because it is done by accredited auditors who really have more expertise in digital identity than anything else. And we're also very technology agnostic. So it doesn't really matter to us what the solution is, what types of ways that credential services are provided, what we're really auditing and what we're assessing is does it meet that standard.
By the same token, a few years ago when the United Kingdom rolled out its digital identity and attributes trust framework, I keep looking at Nick because I know he's from there and he and I see each other in many places all over the world. But we were asked, we were approached by the UK government asking if we would be interested in being a conformance assessment body in the UK as well. Obviously their trust framework is different. There are a lot of similarities, there are many things that are, are certainly very ISO centric in some ways differently than what you see in the US.
And we said absolutely. And so we are also a conformance assessment body or sometimes a certification body you might hear referred to.
We are, we work with the United Kingdom Accreditation Service, UKAS, to be accredited under ISO 17065 as a certification body. And we provide those kinds of audits and certifications through the, the digital identity and attributes trust framework, which of course includes GPG 44 and 45 and so on. And we are actually engaged with other governments who around the world who are talking to us about doing some similar things with them.
Most of that I can't really talk about at the moment, but, and including some who are already using the standards of these other countries and are interested in bringing our conformance assessment to their countries. Because what we really provide is a service often to governments relying parties, purchasers, where as a third party, we've actually done that audit, we've done that test and we can say whether or not this solution meets the standard, which is I think often, what's the word I wanna say? Comforting.
It makes, it makes those purchasers more comfortable that this isn't just a sales pitch, this person is actually showing us they went through and we have a very rigorous process and it is very much a specific type of process and it really puts those solutions through their paces so they can have a lot of confidence. And frankly what we see is less fraud and reduced risk for companies that are able to meet those standards. On the other side of the house are our work groups.
This is where members who are interested in innovation, who are wanting to really work on up and coming issues, focus on some very specific things. We have one right now on deep fakes, which is beginning to morph. It's been a discussion group where it's really going to become a work group to produce some actual products and likely requirements. We have another one on privacy enhancing mobile credentials, working with mobile credentials, mobile driver's licenses, eWallets, and the same kind of thing. We have one on consent receipt and I'm sure I'm forgetting some.
Oh, I'm sure you're forgetting a lot of 'em. Well let me just, you can go to their website and everything's open, right? Yeah. Yes. Can I just say one thing just so you understand what the work group does? The consent receipt group created requirements. We are a liaison into ISO. They gave them those requirements. They're now in ISO standards today. So that's what you have an opportunity to do in those work groups if you're interested in those areas. Thank you. And actually that's a perfect transition to any one of these groups.
A lot of the, I sometimes call us proto standards groups because we'll write the initial standards and then they may move on to other, other standards body, IETF, ISO, et cetera. So I'm often asked, which one do I join so I can be in the room where it happened. And my answer is all of them. And so I wanna talk now a little bit about what the differences are so people understand the differences, but then we're gonna go in the next round to what are, where are we collaborating and where are we doing things.
So I'm gonna start with what are the differences with OIX and OpenID Foundation because you, there's a lot of confusion there. You're both from the, traditionally from the centralized world, then moved forward into decentralized world. So what is the differences from your perspective of your two foundations? And try to be a little succinct and clear. 'cause one of the things we aren't doing very well as foundations and initiatives is being clear about what our special secret sauce is and where we, you know, mix that all together to have a full meal.
So, I mean, I guess the succinct one is OIDF, we do standards, OIX does policy, so I'll, I'll say a bit more about what OIDF does and then they can expand on what a policy is maybe. So yeah, OIDF, we're very much a standard setting organization, so we don't really lobby governments apart from where it's very specific things that we need to do to get our standards adopted potentially, like we're going through with the CFPB in the US at the moment. That's a whole other story.
But yeah, we very much stay in the standard setting organization. So we don't do implementations, we don't do trust frameworks, we just write standards. We have volunteer people that come into our working group and they create standards and yeah, eventually they, some of them also end up as ISO documents just because some countries can only use standards if they're ISO documents. But yeah.
Nick, do you agree? Yeah, yeah, absolutely.
And we, we sometimes describe it as the, the, the rules and the tools, you know, policy and, and standards. So we focus more on the, the whole trust framework that, or I guess ecosystem as you are, you know, terming on the Trust over IP diagrams, what's the governance required over in that, what's the roles, what are all the rules that are required? And there are a lot of them. So we've got a framework model with 41 different areas of rules in the data analysis has got 15 areas. So I think we've simplified that a bit, but the details still in there.
And what we help is explore those different areas and within there there is the technical rules. There's things like trust registries, technical standards for protocols, data standards. So we touch into that, but we don't get that technical and that's, yeah, a deliberate choice we can exist in that policy area. And we do do a lot of influencing of framework writers now in terms of helping them understand the differences between the frameworks. That's where we've gone now.
But yeah, we, we help form the frameworks. We're given a lot of feedback to NIST on version four. For instance, we're next week meeting to do the feedback to EU on the off. And we'll be looking at that from a, you know, a policy rather than a technical basis. Thank you. And now kind of the, the, the, what I wanna call the three-prong triad of kind of the decentralized world of foundations.
We have the Trust over IP, which I'm from, and I didn't quite of really say what Trust over IP does, but basically we develop standards recommendations, white papers, templates that can be used by consultants, by people setting up digital trust ecosystems. And so everything we do in the area of both our technical standards and our, our, our recommendations, white papers, et cetera, is all out in the open and it's there for you to use.
So please go to our deliverable page, download it, use it so that Trust over IP is one of the, in the triad Decentralized Identity Foundation is another one in the triad. And then the third one is Open Wallet Foundation, which is in that triad.
And I, I'm just gonna, before I say my perspective on the difference, I'm gonna turn it over to Kim and say what do you think the, the differences between our, our three foundations are?
Yeah, and I, I think they're all highly complementary. We'll get more into that. I think first of all, in terms of Open Wallet Foundation, it's very clear they're focused on the intersection of wallet and code.
So that's, that's a very critical role and it's an important role, but it's just one part of what we need in a decentralized identity ecosystem. What happens when you're in scenarios involving multiple devices across devices, and then also what happens past the initial identity verification or authorization event. And just in con we also get asked about the difference between OIDF.
And so, you know, you're talking about in the decentralized space, they are in the, the federated. And so one we're, it's, it's part of our canon, right? So we're moving past login with Facebook. So we wanna put people in a situation where they're more in control of their data, minimizing the opportunities for surveillance and tracking that they didn't intend. So one quick thing in terms of tying it together, a focus that we've had a lot in this conference is the flow of data from an individual to relying parties or verifiers or organizations so that they can verify you.
We've not talked a whole lot about how trust is afforded to the individual in return. So that's one of the critical parts to say most of our interactions are not also cleanly in the context of one connection. So a lot of the fraud that we experience now as individuals, they start from a text message, a call, something like that, that then ask you to log into a website. So we are very focused on the richer set of, of communications and identity verification. So mutual authentication, the ability to interact with other parties in a way that, you know and can trust is secure.
And then, let's see, so yeah, secure the ability to securely manage your own data through methods like decentralized web nodes. And I find Trust over IP highly complementary. They really take a, a leadership role in trust frameworks. And we'll get more into that a little bit later.
Thank you.
And I, I, you know, I will just put it very succinctly how I feel the difference between DIF, Trust over IP and, and, and Open Wallet. Trust over IP is working on the complete architecture of a technical stack. Many of the components in that technical stack are developed at DIF, are developed at OpenID Foundation.
So we're, we're kind of giving the recommendation for the whole stack. For example, in our Trust Spanning Protocol, which we just announced last or well the, the implementer's draft, it was out last month. So you can find that on our, on our webpage. But in it the, there's this concept of a VID, which a lot of people haven't heard of, which is a verifiable ID. Well there's a lot of different types of verifiable ID. OpenID for Verifiable Credentials is one, right?
If you wanna go on the, the full other spectrum, a KERI AID, which is, you know, the, probably the most secure but not appropriate in every, in every situation. And so we, we coined this term a VID and there's multiple different types of it. So we work on the technical stack, but I think in the triad, we are the only one that works on governance and that we've always paired our stack with technical stack and a governance stack together and a governance.
We've kind of moved away, if you just sat in our presentation, from like having it being a layered governance stack. It's really something that runs. You define your governance, you run your governance, in the running part of it, you have to certify and make sure that your technologies that you're utilizing have been certified to fill into the governance and then you have to reevaluate it again as things change and morph. So it's constantly going, it's kind of a run mechanism. So in Trust over IP, we have this governance side of it, which everybody leverages.
And then the other thing I would say is different with regard, you articulated it very well. Open Wallet Foundation by its name is very focused on wallets and wallet agents. And if Daniel was here, and he apologized, he had to cut out early, Daniel is the ED of the Open Wallet Foundation. I've had this conversation with him many, many times. We don't do standards, we do code. So Trust over IP, OpenID, we do standards, they do code. So they're working on the code for the wallets and the wallet agents. So that's really kind of the difference.
So now let's move to some of the similarities and where are we collaborating? I'm just gonna start right away because you said governance frameworks. Governance frameworks and OIX: I wanna say it was almost two years ago when you were working on your framework document and you were just starting to put the section in for self-sovereign identity. And we reviewed it at Trust over IP and we got some of our experts on it and we went back and forth with like three or four versions of it.
So that whole section that's in the OIX document has been vetted by Trust over IP and by people that were already implementing self-sovereign systems. And so there is this, you know, I wanna also go across the campus. It's not just the foundations. There is not, you know, here's centralized world, here's decentralized world. There really is this bridge that is happening, and it's in these organizations that we're working together. So that's what I was thinking of as like how we collaborate with OIX. Did you wanna add anything else to that, Nick?
Yeah, I think, and as you said, that was nearly two years ago, wasn't it? And we're both, I was trying to figure out how long ago that was.
Yeah, it was, yeah, it was, it was, it was kind of, it was around, yeah, it was around May two years ago. Yeah, we released that. Yeah.
And yeah, that was us moving our guide to frameworks forward and, you know, making sure it was embracing of self-sovereign and the emerging world of wallet. So that right now we're working on moving that further forward to be more embracing of wallet and, you know, the surrounding actors in that and, you know, looking at the ecosystem diagram you've put up there, you know, we'll continue to collaborate.
You know, we should map the framework analysis we've done into that ecosystem components. 'cause you could, the way we've cut it with the 15 headings, you've got around 10 on there, you could recut and you know, the, it's just the way you organize things. You underline that you, there's governance as tech, you know, all the headings you've got there are, are are relevant in the way we're doing it. And it's about as we're doing the rules bit, we're not doing the tech, you know, you are doing the whole stack there and we're looking at the rules element and the detail of what goes in them.
So I think, you know, that we continue to be aligned there as we move forward. And you know, one of the things, I mentioned this, this new role we see emerging, the EU's got the relying party instance now, which is some kind of agent for the relying party. We've got other projects looking at credential wallet selectors that, you know, sit between the two. We think there's a lot of also policy and process that needs to happen in there to make sure that that, you know, meets the user's needs and meets the relying party needs.
So I think as we evolve that now, we should be talking about that as we go forward.

Okay. Yeah. And then DIF, I'll just say, DIF, ToIP, we've been working steering committee to steering committee for over a year on kind of defining, you know, where do we wanna collaborate, where do we, you know, feel that we're different, and we've kind of really decided that there is a role for two organizations.
You know, we were investigating of like, do we really need to do two organizations? And because we do have slightly different focuses, we decided that made sense. But we're talking now about working together for example, on a hackathon around the hospitality industry in October timeframe and other things. So do you wanna speak to anything about how we might collaborate?
Yeah, so the hackathon I think is a great way, not just from the expertise of Trust over IP, but Judith specifically who has rich expertise there. And so, you know, as I mentioned, the work of Trust over IP on, well, governance frameworks, but then I would also say a lot of effort into risks and harms evaluation. So I rely really heavily on that from Trust over IP. From Kantara, sorry, pronounced it wrong. Governance framework mapping work that's happening in Open Identity Exchange.
And then with OpenID Foundation, we work heavily together for, you know, bridging from the sort of open decentralized world to the federated world. And so that's been very successful and in the past we've donated standards as well, and then the wallet touches on much of what we do. I think they also end up using a lot of our libraries like a Universal Resolver for DID resolution and yeah, so highly complementary. There's a lot of work to do.
And yeah, so I, Kay sitting over here very patiently because, you know, we're talking about the standards development process, the code development process and the open environment, which is kind of the beginning. You know, you start with the standards, you do the code or the code informs the standards, et cetera. But before anything is gonna be deployed and put at scale in any way, there has to usually be some certification that this code and that stand that it's matching the standard and the code is we're operating the way it should be done.
And this is where certifications come in play where you're talking to certify something. And so we have two organizations here that have certifications as a part of their portfolio of what they do. And so I'd like to have Joe and Kay talk about the difference in your certification programs, like what's required to get certified in each of the programs. And since you are the person in charge of certification at OpenID, why don't you start and then Kay, you counter after that about how your certification program was different.
Yeah, thanks Judith. So I mean I guess the main thing about our certification program is we're entirely focused on testing our protocols, and our protocols are, to oversimplify, about how data moves from one place to another. And we just test that interface. So it's a very technical certification, it's a very binary certification. You either comply with a protocol standard or you don't.
And we have automated tools that can pretend to be the other party in that standards interaction and try doing different positive flows, different negative flows and making sure the code that's being tested behaves in the right way, and then you get a pass or a fail essentially at the end. So we don't have auditors, we just have a tool that tests, and then yeah, once you're certified, you get listed on our website and that's your evidence to whichever body was looking for you to be certified, that you are actually certified.
And it's quite a lightweight program and we just, you know, if you're a bank wanting to certify, you run the test yourself using our test system against your server and you get that pass or fail result, send them to us, pay the certification fee and you get listed. So yeah, I think

Yes, and we don't call ourselves a standards body, but we definitely in all of our work groups are working on standards, right, that we feed into other groups. As I mentioned, we have a liaison to ISO and with OASIS and other groups, right?
But in terms of our conformance assessment process, it is very different. It is that we do have auditors and one of the reasons that in our work groups like focusing on deep fakes for example, we're looking to figure out what are some of the ISO standards that are either out there or that need to be developed. But we're also looking at it from the aspect of what are the requirements? If I'm an auditor, how do I know if you met the standard? Because it is not like a tool that we use for testing. And many of the things that are being assessed is, do you have policies in place to deal with fraud?
If you find fraud, what does your policy say you will do, how are you going to react? How are you going to fix this? And it's one thing to have a nice policy written, it's another thing to put it in practice. So the auditor's job is to put you through your paces and have you be able to demonstrate and show this is how the process works, this is what happens, right? This is the result. And in addition, we are, you know, for the most part we're implementing a conformance assessment for government issued standards.
For the most part, most of the governments that we are currently working with are pretty transparent and have had collaboration, right, with the community, with the public to establish those standards. For example, in the US, NIST has already been working on a version four of their digital identity guidelines. They're not out yet. They went out, lots of comments came from the field, they revised them and they'll be coming out again in the next couple of months and so on. So it's a very iterative process in which we all have an opportunity.
And what we try to do is figure out how can, how can a company demonstrate that they meet that standard in a way that as a third party auditor, I can really say yes, in fact they do do that. So it's a process that takes you through several steps. Very similar if you've ever been through an ISO audit where you have a couple different phases of that audit before you actually are given the certificate. But it does not involve a tool, it doesn't involve testing like a lab testing. And we're continuing to expand the areas that we can do that in.
I talked about deep fakes, I've talked about mobile credentials. I mean there are other areas where we recognize both purchasers and solution providers are asking for those kinds of requirements where we can help audit and assure purchasers that what they're buying really does meet those ISO, those international or the country specific standards. 'Cause there's always going to be a few things that are specific to each country that won't be identical everywhere. So I suppose that's a little bit of a different way of approaching certification.
But I also, I appreciate you giving me the chance to talk about the work groups 'cause they really help feed into what does that have to look like and I think they help us make sure that our process is robust and accurate and more in line with what those who issue standards want it to be. So thanks.

Thank you. And so one last question that I'll just popcorn, somebody can jump in if they wanna answer this before we go, we wanna leave some time for questions from the audience.
Why is it important for organizations to support foundations across the board and not just like be in one little foundation and that's the only place they play. So what is that reason? And I'm gonna start with my proposed reason and it's because we are solving global problems that will create future looking solutions that just can't be solved by any one company or any one foundation. And that it takes that collaboration to be able to do all that needs to be done to have that new future that we're talking about.
So I, anybody else who wants to add on to that topic, please jump in if you, if you agree with it, you just say, I don't need to say anything that says it all or if you disagree with it, feel free to do that. 'cause that's what work groups are all about.
Yeah, I think I like that perspective. And then one I'll add also is that real transformations are underway and I think if we look at it with more of an open mindset and the new opportunities are enabled by what we're building here, I don't think we have to look at it as this is my piece of the pie and I'm gonna, you know, grow that piece. I think that it's critical that we work together and the work that we're doing, I think we've called out, is highly complementary.
Yeah, I think to, to add to that, that the, the, the pieces of the pie or the puzzle or jigsaw puzzle, they are specialist pieces with specialist knowledge, which is why, you know, no one organization can resolve this on its own. And if, if you, which I think, well I, you know this, you know, it doesn't, doesn't organizations here I I will picked join one, you'll, you'll not be seeing the full picture. It'll be like you've got, you've only got one piece of the jigsaw puzzle in your hand and it might just be a bit of sky so you're not seeing what that whole picture is.
So that's why it's important to collaborate across the board. But that specialism of the different areas is, you know, exactly why we exist as the different organizations. One of the things we've started is a kind of specialism analysis across the organizations and trying to come up with a specialist categories where I've got a little bit more mature, we'll share it with other organizations and we can hopefully fill in and add our specialisms and create a bit more of a map about, you know, about where we all sit.
I think it feels, to me, we've kind of quite clearly explained the different positioning here today, but being able to articulate that in a way that can be read I think would be really useful.

Yeah, and I mean I think it's, you've hit the nail on the head with what you, everyone has said there, and I mean I think it's important to emphasize that we really do all work together as well. And you know, I'm technically the board member at Open Wallet Foundation that represents your three organizations. Never actually we got that.
Did you have an Open Wallet Foundation represented V here while he's on the board. Never asked you if you voted for me or not, but that's, but yeah, I mean our OpenID Foundation technical director and the chair of, or one of the chairs of our IDA working group is a board member at OIX. So we've worked very closely with Kim on the Presentation Exchange standard 'cause that's really a place where the two organizations needed to collaborate.
We've worked very closely with W3C 'cause it seems the browsers are getting involved with all this verifiable credential stuff and it's not always easy, I have to say, starting out some of these new relationships 'cause it does sometimes feel like the other organization might be attempting to step on your toes and it takes a while to make sure you know where the dividing line is and that both sides know where they're going.
I think that's a really great question and I guess, and there's another organization that's not here, but you know, I volunteer a lot for Women in Identity, right? And they're working on doing research around a code of conduct and developing a code of conduct. And I think they really hope that they're going to be able to put together principles and requirements for how, you know, you're sort of building that equity into all of your identity solutions.
But they've already made comments to me about they don't really know where to start if they were gonna try to do conformance assessment, right? Because that's a whole nother ball of wax and it's a pretty extensive program, to just stand up from scratch is probably not that easy. And so what they have already talked to me about is essentially having us take what they've developed as their requirements as that code and sort of road test it, right? So having our auditors put companies through their paces to see, you know, does this really work? And what does it seem to mean?
What's, you know, what are sort of the performance metrics once we see that where we actually all of our hard work we see now in practice. So in some ways Kantara is probably a much more nuts and bolts organization and we really look to a lot of the output from the other organizations because it very much informs what we're doing in our work groups. And I also think over time informs what our conformance assessment schemes look like.
So it's an interesting mix of how that all comes together.

Thank you. So before I go to the one final question to each person, are there any questions in the room?
Yes, probably this is a basic question for you, but what's gonna happen for W3C consortium because still they have the specs and so on, but my impression is it's gonna be moving to DIA for are IETA for what's, what's gonna happen?

So since they're not represented here on this panel, and I do know some people that probably know, I wouldn't wanna speak to them.
So for that answer, 'cause there's a lot of speculation out there about what's gonna happen and at this point, and just knowing from the conversations that DIF and I had, we had for over a year, the two steering committees met, we had conversations, we discussed where the future was going, et cetera. And if you'd asked in August, I would've said it was gonna go one way. And if you asked in October, I would've said it was gonna go another way. And you know, when it's in that formation process, it's too early to say or to speak what's gonna happen. Thank you.
Is that helpful? Yeah, yeah. Thank you. Okay. Are there any questions online? Are we okay? There was one online. I was gonna read it if you. Oh, oh great. Thank you.
The panel described well what each foundation does. Following on that, for each foundation, who are your members and what value do they get from their membership?
Oh, that's a great question. Do we have time for that? Yeah.
Okay, so our members, so our structure is we have a steering committee, general members and contributing members. So the steering committee and the general members are funding members, but any contributor who's a free member can do anything. A steering committee named member or whatever, except for if we go to a vote. But since we're working on consensus, we have never taken a vote. It's all been consensus. And so our members, you can look at, see all of our different steering committee members.
I don't wanna accidentally call one of them out without calling the other out and giving the advertisement there. But our contributing members are, we've got about 400 individuals and organizations that are contributing. So I dunno if that helps.

Our members are, I describe them as builders and that's not just developers. It might be leaders, product managers, anyone who are really focused on building the solutions and products of the future.
And so how they benefit is, you know, this space is very new and it's a good opportunity to work with others to figure out how to navigate, to access other experts and really benefit from that.

Yeah, and our members are, again, we're not for-profit as we all are, aren't name some members. So we've got people like IAG, International Airlines Group, we've got a whole number of banks like Barclays and NatWest. We've got Microsoft, we've got a plethora of identity providers, we've got Visa and MasterCard.
So we've, we've got a, a real mixture of people from the identity ecosystem, finance ecosystem and relying party ecosystem. And you know, they're there to, to do two things, learn and shape.
So, you know, some people will come along, they'll sit in a working group, they won't say a great deal and they'll come and say, that was brilliant. I really, I really benefited from that. I've learned. Others will be very vocal, they'll have a, have an opinion. They want to drive things in a particular direction.
They, they'll, they're the shapers. So we've got, we're a really good mixture of both. Yeah.
And again, I think I'll avoid naming any actual members to avoid upsetting anyone. You leave somebody out, you're in trouble.
Yeah, well there's a lot, I mean we have 400 plus members in total, right? From the big tech firms you'd expect down to, you know, some of the banks, some of the financial institutions. But right down to individual members, and what the members all get, it is a vote on the standards, and an individual member's vote counts as much as one of the big tech votes, which is important. Can't have a big tech dictating too much what we do.
But the people that pay the highest level of membership do get a guaranteed board seat, which lets them somewhat set the, the future direction of the organization. But again, our individual members and the smaller members are also represented on that board. And I think it's very important to say that that board does not have any actual influence on the standard setting. The standard setting is all done by the working groups and it's just of volunteers and consensus and stuff doesn't get blocked by big tech just 'cause they're paying a lot to be on the board.
So I told you about right, our, our conformance assessment program, right? And in that sense, there is no membership there, right? If you decide that you want to go through conformity assessment, you would like to get a trust mark, you would like to be certified, you pay a fee and, and you go through that and there is no requirement for membership.
And I think for those companies, you know, what they're getting is that seal of approval. In the US, by example, the US government has issued a special item number schedule, which is for only vendors who have actually gotten the Kantara certification. And that's the only way you can get on that. It's a special procurement schedule which allows federal and state government agencies to purchase services very, very easily.
So none of that is membership, but there's things in there for companies if your company's interested in some of those on the other side of the house where it's members, I would say that a lot of what we get are people who are innovators, people who are out there looking at what's the next product line that we need to, you know, develop. And they're coming together and sort of brainstorming with like-minded people, but not, this is far more practically oriented. It can't just be discussions, it has to result in something, right? Almost everybody that comes to those, they need something.
Whether it is that they need conformance assessment for their deep fakes product or they need for there to be standards that we feed into some of these other organizations that really addresses the type of technology solution they either have or are looking to develop or whether it is, they just have a sense of they thought of everything as they're developing new products. So it's, I think that I would say most of those folks are really the innovators that are really out there.
There's sometimes they're the lone person in their company that's really trying to be forward looking, figure out what's the next greatest thing and how do we get ahead of that.

So I wanna thank the person who submitted that question. And so to close the panel here, I wanna ask, you know, each person, what's your call to action? And my call to action is gonna be in the area of this kind of membership or who participates. I loved how you call them, innovators, developers, you know, et cetera. My call to action is two points.
One, if you're in a position to fund foundations, join at the level of funding that you can because our organizations run very, very leanly. Mostly everything's done by volunteers, but we still need servers, we still need outreach, we still need travel for people to be able to come and sit on panels like this, et cetera. So if you can fund, please do and and fund as many of 'em as you can.
My second is probably a little bit more important, which is fund, not by the finances, but by putting your people in these organizations, not just in one of them, but spread your engineers out, your legal people out, your communications people out so that then they can feed back to you what is happening in each of the organizations and the people to put are not your best engineer. Granted we would love their best engineer, wouldn't we? But this is a great way to groom new talent.
You got a new engineer who's thirsty to learn, let them sit with the experts sitting in these working groups, listen, learn how to collaborate, how to disagree appropriately, et cetera. It's free training for your organization. And that's my call to action. Anybody else wanna add a call to action?
Yeah, I can start. I wanted to start with thanking you, Judith, for teeing up this discussion. I think that this conversation is incredibly important and thanks to the executive directors who joined and delegates that joined today. And I think we should continue this discussion, continue to think expansively and how we continue to work together. I wanna also amplify what you said around funding the organization. So we do operate very lean. A lot of us will be, we operate critical infrastructure as well at DIF that includes Universal Resolver and other efforts coming up soon.
And so we do this as information, educational resources, getting people up to speed, access to these communities, getting in the room provides you with such a huge advantage when you are building leading products and based on these new architectures. So, yeah.

So I'm realizing that the timer wasn't started and we are a little over. And so if you guys can, if there's anything else that's different than what we've said that you feel needs to be in the room, otherwise we probably should let these people go.
Yeah, I mean, I think I'll just definitely say that, at least at OpenID Foundation, that there's no cost to contribute to our standards. And if you are building with our standards, if you are using them, if you've got use cases that need them, please come and join the work groups and tell us what you need.
And it's, it's only by all working together that we really manage to build these key standards that get good adoption and actually work in the real world. Yeah. And that's that if you want to see change, collaborate with others, you know, doing it on your own is, is impossible. Collaborating with the groups you've got here and, and others like us, means we have a chorus of voices, a chorus of a collection of talent that's working together to, to innovate and make change.
And the only thing I would add is we really want people who are also action oriented, who are not, you know, not just wanting to have esoteric discussions, but actually wanna make things happen. So we welcome you. Thank you all.
I think you are all people who are in the room where it happened. And so if you'd like to continue the conversation, I just ask you to go outside in case there's another group that needs to come in here. Thank you for spending your Friday afternoon after a very wonderful conference by KuppingerCole. And I would like to thank the staff of KuppingerCole for allowing the executive directors to speak today. Have a great afternoon. Thank you. Thank you.