Hi, and good morning. I'm Kay Chopard. I am the Executive Director of the Kantara Initiative, and welcome to this morning's workshop. I am going to be kicking things off, and I thought that one of the things that I might do is talk a little bit, at least about my background, because I've only been with the Kantara Initiative for about a year and a half. So I know that there are a lot of folks who may not know me or know anything about me. And this is kind of what we hope to go over today.
There'll be lots of folks participating, some in person like John Wunderlich here, who's with me up front, and then several people who will be participating virtually. So we'll kind of go over, this is the outline for the next few hours. Talk a little bit about the mission and the vision of the Kantara Initiative and what we see as our value proposition, what we have to offer the community.
One of the things, because I'm relatively new, I have had some of the leadership ask if I would talk about the health of Kantara because we're actually doing extremely well and we're very excited that we seem to be growing by leaps and bounds. And then the board of directors, Andrew Hughes, is the board chairman and president of the board of directors of Kantara, and he will be giving an overview about what the plans are for the coming year and sort of the vision of the board and where they wanna focus.
And then we have multiple work groups at Kantara, and the chairs of those groups will be making presentations, and it will be a combination of folks here like John, as well as those who are attending virtually, to really talk about what they're doing, the things that they've accomplished, the things they've published and what they're working towards.
And then at the end, we hope to talk about our diversity, equity, and inclusion and accessibility.
We've added VA initiative, which is something that we really are excited to be working on, as well as some other projects that John and others will be talking about. So that's an overview. We intend to take more breaks than just the break at 10:30, partly to switch speakers and all, but also partly to kind of break up into four different sections, if you will.
What we wanna address at Kantara. So our vision and our mission: our vision being the equitable and transparent exchange of identity and personal data for mutual value, and the mission to grow and fulfill the market of trustworthy use of identity and personal data. And I have a couple slides that I wanna kind of talk to you about.
What does this mean, to sort of flesh out what Kantara is really focused on? I guess before I get there, Kantara is a nonprofit company registered in the US as a nonprofit. It is separated into sort of two parts, if you will. And the membership, which is open to individuals and companies of all different sizes, is very focused on the work groups, the activities there, with much more of a focus towards standards. And they'll be talking to give you a report about that. And that's really part of what members do.
And then the other part of the organization is that we serve as a certification body. And so companies who wish to be certified in the US against the NIST standards of 800-63, current version three, for digital identity guidelines. We are also a certification body recognized and accredited in the UK, where we do certifications against the UK digital identity and attributes trust framework.
And we are engaging with many other governments in the EU and around the globe.
And, you know, we hope to continue to work in that area, and we sort of hope that having now started to, you know, we have an office in London now, for example, that we didn't used to have, and we hope that we can work towards the common good and towards interoperability, that that would be one of our goals, which often seems out of reach, but we're excited to really have the opportunity. Myself as the executive director, I actually come from a legal background. I'm an attorney. I worked most of my career in a completely unrelated field around the justice system.
I was a former practicing attorney and for the last 20 years I've been working with other nonprofit organizations, many of which have been much, much larger in terms of the size and the scope of what we did and the budgets.
Kantara is relatively small, but that said, since I've been a part of Kantara, it's been amazing to see the growth we have. We had more new members last year. Our assurance program has quadrupled since I've been here in 18 months. So it's very exciting to see.
And I know that our accountant is always commenting about our finances and, you know, we pay our bills on time, but we seem to keep making more money, so we keep having more revenue than we have expenses, which is always a good place to be. Not that we are rolling in dollars, but that said, we just keep going up and we broke a record last year for what our total revenues were, and it looks like we will break that again this year by a considerable amount.
So yeah, thanks. So I'm hoping that means that we will have some money we can invest in the organization and we can talk a little bit more about that later.
But let's just talk a little bit about sort of the value that Kantara brings and what makes it unique maybe among nonprofits. So this was kind of the why that my communications lead put together.
And for I think most folks at this conference, this would be something that makes sense to you, you already know this, but as I'm introducing people and because having talked with the conference organizers, they actually were telling me that about half of the participants at this year's EIC conference are first timers and haven't been here before. So they may not have heard about Kantara.
So just to give you the background, part of the reason that Kantara really exists and that we have the mission and the vision that we do is because, as you all know, citizens, residents in any country have to manage multiple IDs typically, right?
And what we see in many countries is the lack of interoperability, not just internationally, but between sectors. We certainly see in both the US and the UK, for example, not the best interoperability between say the healthcare industry vertical, if you will, and sort of traditional digital identity working with government.
And yet those are places where people who use those services would really benefit from a better interoperability. There's often not very much transparency, and every time that a person has to use a new application, it can increase that complexity. So we see that this can increase confusion, there's continuing to be security concerns. And every time, I think, you look at any publication, there's all new things about AI.
We've talked about decentralized identity, all of these things that are being addressed at the conference that just raise concerns and create a lack of trust in general.
So what Kantara hopes to do is to really enable that trust and interoperability. And this is where, you know, what underpins a lot of what we do is our identity assurance program. That's the certification program in the US.
It has a different title because obviously they're different digital identity standards that are applied to the UK, but it really provides a foundation, we believe, where solution providers who develop their solutions against those standards, that offers the possibilities of interoperability. But you see that feeds into, well, let me go to this next slide, that feeds into the relying parties who are the purchasers, right? Of these solutions. And they are also trying to meet the needs of their consumers.
And where I would suggest to you is that where Kantara really, really works is our focus is much more on the solution providers, right? Where we provide the accreditation, the sort of underlying confidence people can have in those solutions because they meet those standards, but also relying parties.
And we have more and more relying parties, including even government agencies, who are joining Kantara because they see the value in trying to understand and making sure that their concerns about what they're trying to purchase, if you will, is being addressed in our accreditation programs and the work of our various work groups and consumers. Clearly their experience feeds into all of that. There are some other groups and other nonprofits that I think probably do a better job of focusing on or actually communicating with consumers.
And we're sort of the folks in the background, you know, it's like, what is that old saying about a duck that's paddling, you know, across a pond and as they're going it looks like it's very smooth, but underneath they're paddling like crazy, right? Well, we're the paddling like crazy underneath.
We're not necessarily in the public view.
We're not out there championing all this when it comes to the consumers and to the general public. But that said, what we hope is that we can help solution providers and relying parties offer services that meet the needs of customers and is responsive. So that's sort of the role that we play. As I mentioned, I'm the executive director.
I've been there just a little bit over a year and a half, so not a super long time, which is why I'm grateful to everyone who's going to be speaking today because I, as a lawyer, I don't have the in-depth background on digital identity. I certainly talk a lot about policy and things like that, but there's a lot of really impressive folks who are part of the organization. This is just a quick snapshot of our board of directors.
For those of you who have perhaps been with Kantara in the past, I think historically that the board of directors was made up of primarily folks who paid a fee, additional amount of money, and could get a seat on the board.
And when I started a year and a half ago, we did away with that. And there is no longer, you can't pay your way onto the board of directors. I mean that in the nicest way, but it's not a pay to play model. All of these folks were elected from the general membership and both individuals and companies have a vote in that election.
And each of these folks does represent a specific organization, and while they are the representative of their company, they certainly have played a key role on the board of directors. And I think since I've been here, now that we've changed to this model where it's an open election among all the members, we're seeing much more interest in participating on the board. This is a board that's bigger than it was when I first began, and a lot of new faces and a little more diversity than we might have seen in the past.
So we're very excited about that.
Andrew Hughes, who I know is with us virtually, was newly elected as the president and chairman of the board. His term is for a year, as the board of directors serve for a year, but they can also run for reelection. And you'll see that we also, at the moment we have US, Canada and the UK all represented and we would love to welcome others. Recently cycled off was a member of the board who's here at the conference, who's from Germany. So we would love to, you know, open that up to anyone who's interested to think about. Elections happen in December every year.
So Andrew will be talking after I give my overview to tell you a little bit more about the strategic directions that we're looking at and what we hope to do in the coming year. But again, that's the current board.
And we also, I mentioned how Kantara is really sort of split into two things, right? The membership is very much engaged in the work groups and then the assurance program, which has its own, you know, the bottom line is we're auditors and if you've ever had to work with an auditor, you know that most people don't like us that much.
And because we're testing everything and looking at things, and it's very important to maintain our impartiality and to be very neutral. And we are also right now working on getting our accreditation through ISO for ISO 17065 in the UK, which, it's mandatory in the UK to be one of the certification bodies. So there are five certification bodies that do audits against digital identity there. And all of us are going through that process and we're basically all at the same place. Once we do that.
We'll also be doing that here, not here, not here in Germany, in the US, although we have auditors also from some of the EU countries. So we've been talking about what would make sense in the EU and engaging in a lot of those discussions too. But on the membership side, the work groups that I talked about, I just wanted to point out the leadership council. So the leadership council is different from a board of directors, where the board of directors has the fiduciary responsibility for the organization.
The leadership council really represents the members and the work groups and the work and the things that they are doing. So currently the chair of the leadership council is Alec Laws. Alec is from Canada, he's with the company Identos, he's the chair of the leadership council and he's also the, excuse me, the chair of the UMA work group.
He'll also be talking later about mid-morning, a little bit about the council itself and the things that they do. And then also about the specific work group that he's on. And with him is Jim Pasqua.
Jim is the vice chair, and he is also, he's vice chair of the leadership council. And then he chairs another separate work group. So these two also sit on the board of directors to really represent the members who are engaged in the work groups and the work of Kantara and hopefully making sure that the board is fully informed and, you know, sometimes they have to look for resources, sometimes they just wanna make sure that that input is there.
So it's kind of one of those because there's that separation and because, for example, our certification programs require that neutrality, that impartiality, there are a lot of things that we have to do that are very separated.
And so the hope is with the leadership council being there, we will never have a situation where the left hand doesn't know what the right hand is doing and vice versa, right?
So that's the goal for that communication. And they've been terrific. Someone actually asked me the question about, well, how many people actually come to these meetings? Pretty much, it's always a hundred percent participation. So people are very actively engaged, they're coming to the meetings, they're having the discussions.
And so I'm sure that contributes to why we've been having such a successful past year or so. So some of the things that the organization does, I should probably be watching my time here because I know people have to speak in other sessions, so I don't wanna take up too much, but this is just kind of an overview of the kinds of activities that you see Kantara doing.
Obviously one is workshops and conferences. So we typically have something that always occurs at EIC.
This is my first year of being here, but I know that the Kantara workshop has happened for many, many years and there are lots of other conferences, Identiverse in the US, Identity Week. At least since I've been here, we've participated in Identity Week in the US, in the EU, and it looks like this year we will be in both of those as well as Identity Week in Asia.
So we really try to make sure that we're represented in a lot of places. We also, as I mentioned, have the work groups who are tackling a lot of really important issues and really much more focused on emerging issues, emerging markets, emerging technologies. And that's what we think is one of the benefits of those work groups, the opportunity to really work on what are the up and coming things.
And while there's a lot of specialty groups, and I know that they're all doing their own workshops right now, you know, but it's an exciting opportunity for a lot of folks both individually and representing their organizations to come together on those. As I mentioned, the assurance programs, right? And we're currently certification bodies in two countries, but we are talking at length with a lot of others. And then we partner and really have liaisons with other groups and what we would call thought leadership, some of that obviously around standards development, right?
So we have liaisons into ISO, for example, and other standards related bodies, but we also are working with different sort of industry verticals by example.
So we do a lot in the US with healthcare, which is private industry in the US, and healthcare providers who have suddenly realized that maybe identity could be a big deal when it comes to now that, especially with COVID, now that so many folks are doing, you know, creating patient portals, needing to share information electronically, all kinds of things that didn't happen because they're all private and while they're a regulated industry in the US, they're not government agencies, right?
So we've been working a lot with them to help them understand the assurance process and what it means to have those standards and meet those standards. And then there's other organizations, you know, we worked with several banking institutions earlier this year and really tried to facilitate as a liaison with the banking industry and also with, in the US, NIST, the government agency there, to talk about, again, another regulated industry has different needs and all, and yet really has to have a focus on digital identity as well.
So those are a couple of examples. In the UK we liaison primarily with not just the government agencies there, but also other certification bodies. And we meet on a regular basis to talk about the implementation of their digital identity and attributes trust framework. And we've participated in the pilot that they've had going on.
They initially had an alpha of that pilot and now it's in the beta version and we've been a part of that. And the certifications that we are doing are part of that beta version and the pilot is still going.
But it's been a wonderful opportunity and I know it's been clear that we were selected because they knew of our experience and our expertise. And unlike some of the other certification bodies, you know, Kantara is focused on digital identity and really not anything else.
So, you know, the British Standards Institute, for example, is also a certification body. And they said to me, we don't have any auditors who know digital identity, you know, they do all kinds of other things.
And so anyway, so we are there to also, you know, offer our lessons learned if that's of interest. And so far, so anyway, so lots of different ways that we also partner and liaison with other groups.
What did I do wrong? There we go.
Okay, so for 2023, and Andrew Hughes is gonna talk about this in much more detail. We're sort of building on some of the strategic initiatives or what are our priority areas for a while now. So one for the US is the modernization of NIST 800-63, and you may know that they have come out with a revision for, and we provided several hundred comments to their proposed revision and so far have not talked to anyone that's done quite that many.
So we offered a lot of our thoughts about how they could improve that and, you know, they're the government, so we'll see what they decide to do with that, but we continue to work with them and we hope that they'll appreciate that we're just trying to help them make it better and that, we're hoping that it was constructive and useful and maybe thought-provoking as well.
We're also looking at expanding internationally.
And as I mentioned, another thing that, for example, I do as the executive director is quarterly I convene and facilitate a meeting of representatives from a variety of governments around the world, which can be challenging because the time in Australia and the time in Canada is very different, and the UK, and trying to make that work. So we've been alternating basically between early morning for some people and late at night for other people.
But it's been really a wonderful experience and I actually asked the group, did they wanna keep doing this, because I know that they have relationships through their state departments and all of that, and they have said that they feel like it's a benefit. And so, you know, I just try to be a fly on the wall and let them have their conversations.
But we hope that doing things like that will help facilitate that kind of mutual recognition and interoperability and it's an opportunity for them to talk about what they're doing and what their concerns are.
It's also fascinating to hear the different experiences in different countries. Canada was doing something and put out something for comment and Australia was like, when we did that, we had a hundred thousand comments and they were all about people who basically didn't want government to know who anyone was. Not sure quite how you deal with, you know, life in general that way. But anyway, so it was fascinating to listen in to them talking about their experiences. The other thing that is really a focus for us is member engagement.
And we have a vice president actually that was elected to the board specific to member engagement. And I know he is excited to get started in that role and hopefully will continue to help us provide more benefit to the membership in any kind of a role, in any way that you'd like to participate.
And I think there's lots of things that Kantara could be doing and so hopefully that'll help corral and encourage more people to come and join us. And then the last one I mentioned earlier about diversity, equity, and inclusion, and we've now titled that group accessibility as well.
That's obviously a hot topic in a lot of places. And we're, again, our focus is, I don't wanna make it sound like we don't care about consumers, obviously we wouldn't be interested in this if we didn't care about consumers, but we are not there to advocate or represent consumers. We're there to work with the market in the marketplace and figure out what makes sense for business solutions and why should a company care about this, why should governments care about this?
What's the return on investment in that? So that's our focus, which obviously can't ignore the consumer, but is maybe a little bit different than what you might see. We have not so far focused on things like HR practices and management and all of that. We've really been far more focused, I will admit, on solutions and testing and standards for that.
What might that look like? So those are kind of the things that we have. I guess I didn't really mention our certification programs. We also have a vice president elected specific to the assurance programs, someone with a lot more technical expertise, and we've made some changes in that program as well.
Again, for those of you who might know about Kantara and our certification programs in the past, by example, companies that were interested in getting their solutions certified originally just against the NIST standard 800-63, they actually had to become a member of Kantara, and myself being a lawyer, that concerned me as perhaps creating an appearance of impropriety or bias. And so in my first few months, I suggested to the board that it just, it wasn't a very good look and that instead, I don't think that anything improper had ever happened, right? The auditors are independent.
There is a certification review board that looks at what the auditors do that is independent. The board of directors had no insight into what was sort of what the process was like. They had no insight into solutions or, you know, basically company secrets, right?
That said, we split it up a little bit more.
So now what we've done is you do not have to be a member of Kantara to go through the assurance program.
In fact, there are no discounts provided, there is nothing, there is no benefit to you in going through certification by being a Kantara member. That said, if you go through that program and there's an application fee, there's a trust services fee once you've actually been audited and recommended to receive the trust mark, if you decide at that point that you would like to join Kantara, then we do give a discount. So there's a discount that direction. But in terms of getting any benefits for going through the assurance program, there isn't any connection there.
So anyway, that's probably more detail than you ever wanted, but this is looking at our identity assurance framework. So Kantara is a trust framework provider, has been since 2010.
So obviously that long ago precedes me. The program specifically has assessors in the US; we call them auditors in the UK. There are specific criteria, they have to have a certain amount of training. We really look for auditors who already have expertise in digital identity.
Again, as I mentioned, in the other countries where we work, a lot of those certification bodies don't have that. And so the complaints that they get are that their auditors are learning about digital identity while they're trying to do an audit. And we have really tried to circumvent that issue by only accrediting auditors who already know something about digital identity technology. And in addition, they have to have training in being an auditor, which is typically ISO courses. There are specific courses that they need to go through.
And it can't just be that you got a certificate, your lead auditor, someone from an accreditation body has to have watched your auditor perform.
That's how we know that you actually know your stuff. So it's not just, I went to a four hour class online. It's a pretty rigorous criteria to select those auditors. And we've actually been increasing the requirements, which we've gotten a little pushback about, but we think it's important to maintain the integrity of the program.
So if you decide you wanted to get accredited, you can't come in and just pick someone that you'd like to have as your auditor. You're only allowed to use the ones who are accredited through us. And that accreditation is renewed annually. So they have to maintain all of their other certifications and they have to show us proof every year. And then these, so essentially we then do these third party assessments as third party conformance testing. And if it's determined that a solution conforms to the applicable criteria, then we issue trust marks.
And you'll see in the slides here, these are some of the ones that we issue currently in the US. The ones for the UK look a little bit different obviously because they are focused on the standards for the UK. This just kind of shows the cycle of what that assurance program looks like.
So at the top we have what we call the Kantara Assurance Review Board. In the UK it is the Kantara Trust Certification Board and they sort of have oversight over the whole thing.
So they look at, for example, the credentials of those who want to be accredited as auditors and assessors and make a determination if their experience is acceptable. And you know, there are things that you have to comply with. So I have had already, since I've been there, times in which I've had to say to an auditor, I'm sorry, until you come into compliance, we will not be accepting any more audits from you. And you know, surprisingly not, maybe not surprisingly, they did.
They got all of their certifications updated, did what they needed to do. So that was only a temporary situation. But just to let you know, we're pretty hardcore about that.
And then we also have the identity assurance work group and they will be talking. Denny, who I'm pointing to in the audience here, is gonna be talking about what that group does. They really manage that identity assurance trust framework at Kantara and they have a lot of real expertise in those kinds of standards.
And that's made up of members from Kantara, as well as you have the ability to participate in the work groups without being a member. And you have to sign a group participation agreement. You have to agree to our antitrust policies, our intellectual property policies and all that. And as long as you're willing to do that and abide by those, you can be a part of the group without necessarily joining, although we'd love to have you join.
So, and then you see there are different, in the US there are different classes of approval.
Those are all based on the NIST criteria and then the solution providers you see over to the one side along with the accredited assessors. And we have a tremendous amount of documentation so you know what to be assessed against and what the criteria are, and it's really taking those standards and making them more actionable, right?
So that you can really understand how do I know if I meet the standards and, and the criteria are, are much more specific and really drilled down so that that can be something that everyone can be on the same page about. So we provide these third party assessments. The evaluation of what that auditor did in the process of testing your solution and auditing it is then reviewed and approved by this review board in the uk it's a certification board, they do the same kind of a thing and then a trust mark is issued.
And we have folks who have what we would call like a full credential service that they provide and that they're audited for. But more and more we have found that companies instead wanna be audited for what we are calling component services, which means they're providing something very specific to that credential, you know, process, if you will. And they typically have expertise that's specific to that piece of the credential service provider process for of that digital identity solution. And what happens is, is that they then contract with others.
So what we're seeing more and more is companies specializing in a specific area and then coming together as contractors. And so what what happens is purchasers, the relying parties want to know that everyone who's providing that credential service for their, for whatever it is they need, right, are all certified. So that's why we're getting more and more component services that this assessment is based on a three year cycle in the us currently in the UK it's based on a two year cycle.
The first year as a, as a full assessment of all the applicable criteria, years two and three, they basically look at half of the criteria that apply to the solution one year and the other half the next year. And then in the third year they start, then they have to start all over with a full audit again. So this is just an overview in, in the UK they have the digital identity attributes and trust framework. They also have GP G 44 and 45. And right now their framework is specific to right to work, right to rent and disclosure and barring services.
And excuse me, that's really where we, you see the quality, integrity and authority. That's, that's really what our focus is. We wanna make sure we have a quality program, we wanna make sure that we have all the processes in place to ensure the integrity of the auditing and the third party conformance testing that we do.
And then the authority that we have, as I mentioned, is really a focus on our focus on digital identity and making sure that that's, you know, that's our swim lane and that's where we try to stay and keep working in.
These are just, you know, why, why, for those of you who may not be members, why you might want to think about it. You would have an opportunity if you join Kantara to engage in policy development at ISO. As I mentioned, we have a formal liaison relationship there along with other global policy and standards organizations in emerging areas. The ability to collaborate and innovate, as I mentioned, we in many ways, we are working towards interoperability across industries, across sectors and internationally, across countries.
We are the only accreditation body in the US that does the classes of approval for IAL identity assurance levels, authentication assurance levels, and federation assurance levels in the US, which is how their system is set up.
We are one of several in, in the UK, and then anyway. And so those are some of the things that we offer. We offer I think a lot of things for individuals as well as for companies. And then the last thing that I, I mentioned about that we have done a diversity equity and inclusion survey.
We are doing, we did one last year, I'm not sure if if our chair of that group will be talking about last year's survey, but it was interesting. We, we just didn't find that we had any data about equity and accessibility and, and again, not looking to what do consumers say they need, but rather trying to understand what do companies do. And we had, we had everything from small startups who responded with like three or four employees and they're just getting off the ground, to companies with more than 10,000 employees.
We had responses from Canada, the US, the UK and Australia.
We had responses from both solution providers and relying parties. And we, and we also, we, we really were asking about, you know, what people's experience, how, how much was this of importance? And we tried to gauge that a little bit by saying, so how much money are you spending on this? And it was interesting to see, you know, there were a, a couple of solution providers who were spending up to a million dollars trying to do something with, to, to create equitable sort of access to their credential services.
So it's, you know, then I had other people saying, we're just trying to figure out what we wanna do. And some people who said, well, we're just trying to hire, we're trying to hire more diverse workforce and we haven't figured out how to address this.
Out of that, we had several companies that volunteered, oh, I should also say we had some government agencies as well who also responded, which was a different viewpoint. But anyway, it, it was a very diverse response. And so what we hope is this year we're releasing the survey again.
And I encourage you if, if you're interested, if you have, I know that you'll have access to all of these slides and everything. I'm looking to the back in case they shake their head and say, no, you won't, you'll be able to go hopefully to that, to that link. And like I said, we, we, we want to do this again this year and see what we learn is, is everything still the same? Hopefully encourage more companies to participate.
It's anonymous, we don't share who it is that actually responded, but we do ask for the, the identification, identification of the company in part just to make sure that I don't have five people from the same company responding to the survey.
So that's about the only thing we use it for is to just make sure we don't have duplication. But anyway, so that is, is my overview.
As I mentioned early on before some of the folks were in the room, Kantara, I've only been with Kantara for a little over 18 months, but in that time, in my first six months, the, the companies participating in our certification program doubled last year. It doubled again, which is in effect a quadrupling of the size and the number of companies that we engage with.
So we are, we are working on strategies. You know, when you only had three or four companies, it was easy to go to our website, which is where we list everyone who's been certified and see what, what they were certified to do.
Now it's, you know, to go through 16 to 20 companies and read about what they're certified for and, and I'm getting this from purchasers, right?
It takes too long. So we are working on creating a dashboard and so on. So it will be searchable and you don't have to spend several hours reading about what everybody's audit was for and what their certification is for.
So anyway, all all good things. And as I mentioned, our membership has grown in the past year and we, we are, we are continuing to not only be able to pay all of our bills, but also to bring in more money. So we hope to invest in and continue to do things like I mentioned with the certification program and other kinds of things that really help us to continue to provide good service to our members and, and hopefully to the marketplace. Any questions before I turn it over to our next speaker in the back? Are there any questions in the chat or anything from the virtual participants? Okay.
Oh yes sir.
You said that in the full cycle takes three
Years? Yes. In the
UK two
Years. Yes.
Why is it
The UK, I think right now in the UK it's two years because they haven't officially ended their pilot cycle. I will tell you that we have recommended to them that they should go to the three year cycle, which is more a more typical ISO cycle.
So I, I suspect they will do that. I think in the beginning, because of it being a pilot, they were reluctant to do a three year cycle in case they were gonna make a lot of changes to their trust framework or you know, I think they kind of wanted to see how that was gonna all play out. I do know that they're working very closely with UKAS, the United Kingdom Accreditation Service, which is who we get accredited by in the UK. And my understanding from talking with them is that they are encouraging them also to go to a three year cycle.
But I think it just has to do with that it's the pilot, it's a good question, but I think that three year cycle is more common, so I suspect they'll move to that. And as I mentioned earlier, I don't know if you were in here, it was clear that one of the reasons that we were chosen to work with them is just because we have been doing a third party conformance, you know, auditing program for so long. And so they do ask us, you know, have you done this before? Have you done that before? What was your experience?
And th this is one of the areas that we also said, well, it might be a good idea if you kind of did it the way everyone else does. So I think they'll, I think they'll do that. It's just for now it's still a pilot, but, okay, good. Anyone else? So is is my next speaker, Andrew Hughes online. Okay.
Do I, do I need to advance his slides for him? Yes.
Okay, perfect. So with that I'd like to turn it over to Andrew Hughes. As I mentioned he is, he was elected this year, not just to the board of directors, but also in the role of president and chair of the board. And he's a long time member. He's been a longtime liaison for us to ISO, to specific work groups and things.
So Andrew, are you there?
Hi Kay.
Yes, I am here.
Awesome.
Okay, so welcome everyone. Unfortunately my travel plans changed for the conference. I was looking very much forward to attending in Berlin, but right now I'm at home in Victoria, British Columbia, Canada in the dark of night. Hopefully you've got good weather there. Lemme just give a quick introduction to myself before getting into the slides. This is gonna be a quite a short overview of the Kantara board and what we're up to, so hopefully we can get through reasonably quick. So once again, I'm Andrew Hughes. Currently I'm director of identity standards at Ping Identity.
I've been in the digital identity information industry since around 2007, coming from background of information security and information privacy within the province, species and public sector generally. Been active in Kantara since 2012. It's been a long time. Lots of interesting stuff has happened over the years. I've led and am leading some, some of the work groups including the identity assurance work group and previously the consent and information sharing work group, being on the boards and leadership council chair for, I think it was five years and these days with Kantara.
As Kay mentioned, I'm president and board chair for 2023 and I'm very active at ISO and I'm one of the liaisons to the SC 27 working group five work group at ISO with, oh, I see my face now on the screen where the general purpose identity management standards are, are being developed. So next slide please.
And Kay, if if you have any questions or someone from the room, just let me know.
Okay, so just gonna revisit the, the vision mission and our capabilities. I know that Kay covered these in the previous section, but I just want to give an indication of how the board of directors is shaping Kantara's work and guidance and our path forward, our strategic path forward to actually realize the vision and, you know, keep working on the mission.
These, these things take many years and many decades to, to accomplish. So lots of work to, to continue to do.
I'd like to just highlight again that in with Kantara and the Kantara board, you know, we revisit our vision and mission every year to make sure that we believe we're still on the right track. That the market and where the market appears to be going is about in the, the same place we thought it was in the previous years. And we make adjustments as we go forward.
So in the vision, you know, our, our our board over the years has, has come to realize as fairly obvious in the marketplace that equity and transparency around exchange of identity and personal data, it, it's not really always equitable and it's rarely transparent. What information about you is collected and shared within identity management systems and between organizations.
Also, the concept of mutual value really isn't part of the equation in the market today.
So our vision, as you can read here on the screen, to see the equitable and transparent exchange of identity, personal data for mutual value to level the playing field, to bring people back into the mix and have agency and control over their information. And to do that, we work every day as the board and Kantara members to grow and fulfill the market for trustworthy use of that data.
And as Kay mentioned before, and I'll dive into a little bit more, we, we at Kantara and in the boards focus on innovation, standardization and good practice. We use our work groups to incubate topics of interest in industry, look for significant emerging trends and determine what we can do in our special role as Kantara to make sense, make sense of, and help align on those emerging trends.
We participate in international standardization bodies and we actually are on the implementation end of standardization with our assurance program because the rubber hits the road, as they say when the auditors come in and check to see that you're actually doing what you, what you promised to do as a business. Next slide please.
Very quickly the, well the, the organization structure. So I'm hoping that people in the room love organization structures and find them very exciting cuz sadly I do. This is one way to represent the Kantara organization.
I hope everyone in the room laughed when I said that cuz I can't hear you. So in the middle we've got, you know, Kantara as the non, non-for-profit corporation, the five one something in the US I can never get the number straight so I won't, I won't say it specifically. We actually have three organizational units.
Most people see the board of directors and leadership council as our main, main entities within Kantara, but there's actually a third very important one, the executive director, Kay, and the corporation itself, it's easy to forget that if you're a non-profit corporation, you actually are a company and you have to take care of business, do the, the back office operations, set up staff and execute on the programs. And Kay leads our staff team and contractor team to deliver the, the business to our customers who are in the assurance program.
They're service providers of identity services, proofing and authentication, and also actually are accredited auditors in the pro in the assurance program as well. They have processes, they have to go through maintenance of maintenance of their accreditation and qualifications, and they have to stay up to date with the requirements of the programs.
The board, I'll skip over to leadership council. Leadership council really is about our industry innovation.
This is where we have a, a broad reach throughout the community, practitioners throughout the industry looking for and bringing ideas on where various white papers could be useful to improve the equity and transparency of information sharing and identity. And they form discussion groups and work groups to, to talk about and develop recommendations and other materials on those industry innovations. This is where the collaborative development happens within Kantara, within a work group structure.
Basically the primary objective of work groups is to develop reports and recommendations that cover the topic through debate and collaborative development, refining over time until the, the messaging and the structure is, is right. The participants are the major stakeholders because they participate in work groups and other community groups. And as Kay mentioned before, these are member, Kantara members and non-members equally.
One of the very important aspects of Kantara is that we, we've, we've, we actively try to lower the barriers to entry and participation as far as we can go.
So we allow free access to our community groups so that we can get as many voices into the mix as, as we can without putting any barriers, unnecessary barriers into place. Then we come to the board of directors. So as mentioned, I'm chair this year and really the board is, you know, we're, we're just calling out two of the major, major functions and responsibilities of the board.
First is a corporate fiduciary, so making sure that the, the corporation is healthy, robust, has good processes and practices, adheres to all the rules and regulations, bylaws that we've, that we have set up and giving financial oversight to our operations through Kay and also setting strategic directions. So taking input from our connections throughout industry and leadership council connections throughout industry and formulating the path of travel for Kantara, sticking within our, our mission to achieve our vision as you might expect.
And really the stakeholders of the board of directors are the Kantara members primarily. Of course the non-member participants are there as well. But we exist to serve the Kantara membership, make sure that they continue to see value and in the organization and what we do, that our direction is aligned with their priorities as members and attract other similar, similar organizations to become members of Kantara so that we have strong information sharing and collaborative, and I've, I've lost the word, sorry it's late here. But basically to make it a a, a club of peers within, within Kantara.
One thing I'll notice about our membership these days is that we've got quite a lot of members that are identity verification providers and identity proofing vendors. This is not by accident. Through our work with NIST and other national standards bodies, we've come to be seen as really a focal point for implementation by identity proofing practices that are demonstrated to follow the, the requirements in the national standards that are, that we're following. Next slide, please
Look at these wonderful faces. Once again, this is the, the board.
Now it may not be obvious from, from the slide, but we've got a, a quite a good representation of different sizes of companies and different industries. We've got good representation from everything from large global companies such as ideia, down to sole practitioners, small companies that do direct consulting with, with companies and government agencies. We've got several full solution providers that do both authentication and proofing services. We've got providers that do only proofing verification services and we've got representation from assessors as well on the board.
One thing that I will point out, of course being Canadian is that we have lots of Canadians in Kantara and on the board. Several of these companies, in fact, 1, 2 2 2 companies are, are located in Canada. And we've got several Canadians on the board. It seems the Canadians are present in most identity organizations and, and play an outsized role. So next slide, please check one out here.
One thing I'll note is that the, the, the board of directors during interviews and during the, the, the process to be nominated and elected to the board, the board members all have a very deep experience in identity credential solutions over many, many years. And we find universally that, you know, their, their outlook, the company's outlook is very well aligned with Kantara's vision and mission. So it's good to see that we've got lots of participation and people coming back to serve the industry as a whole through the board.
Okay, some of the goals for 2023, this is from the board focus. So as Kay mentioned earlier, there are overall Kantara strategic initiatives and some of them are, are on this slide, but there are particular areas of focus that I've asked our board members to, to take a look at and make sure it's top of mind as we go through and act as a working board for Kantara.
So the, the first one from a corporation point of view is of course maintain corporate health. So make sure that we're growing, that our members are seeing value, that we're reaching out to other organizations that could use our services and maintaining a healthy balance sheet as we go forward. Kay is doing an excellent job with the business of Kantara and we support her, her work to do so.
Second one here is establish and, and create and sustain the diversity, equity, inclusion and access initiative really to help guide industry and build up some performance measurement capabilities, metrics, get some reports done, and hopefully work towards eventually an assurance program to assess the practices of of industry pr industry companies for DEIA. One thing that we take pride in as Kantara is the fact that we're already made a purpose-built for, we have, we have pur purpose-built infrastructure to host work groups and industry innovation.
As any of you know that have tried to start up a nonprofit organization or try to start a new piece of work within other associations, it's a pretty heavy lift. There's a lot of details, there's intellectual property rights that have to be managed. Financial considerations, reach out into industries, so you get lots of participation. Kantara is, has been running discussion groups and work groups since 2009.
And we are, we, we set them up as we need them, as we see the need and we've got a template approach to, to getting new work started.
So bring your projects to us and we, you know, one thing that's, that you may know throughout industry is that each nonprofit, each association has focuses and specializations and principles that they're, that they're built on. So certain pieces of work fit better in some associations or others. So for example, W3C, if you're working on topics for the web, it's the perfect organization to, to bring work to. If you're talking about assessment for trustworthy use of personal information and identity information, Kantara is the place to be for that kind of work.
Another goal for our boards and this, this really speaks to the breadth of representation at our board and our membership. We are an international consortium.
We, we interact with organizations and governments around the world and we also participate in national level consortia and other industry associations. And through those, through that web of connections, we, we exert influence, we spread the message about how to achieve trust and digital identity and information sharing. And we're really making sure this year that we exercise those connections and build stronger networks for the work.
As always, with every, with every organization, we'll be examining and updating and proving improving our governance practices and documentation. Their bylaws and procedures and practices need updates from year to year as things change. So we'll be taking a look at that in the latter half of the year and, and seeing what, if anything needs to be changed.
Kay mentioned, and, you know, we're supporting as we, as we can with the board really extending the US and UK assurance programs.
One of the interesting aspects for our assurance program is that because we are directly focused on commercial enterprises and verticals that provide identity proofing and authentication services, we, we have to find ways to tailor and adjust government issued frameworks and regulations and standards and tailor them to commercial, commercial needs. If any of you're familiar with the NIST 800-63 guidelines, for example, those guidelines are written for the federal government of the US and federal agencies of the US.
So they talk about things that have no gov, for example, governance structures within requirements within federal agencies that have no counterpart in in commercial enterprise. So we, we tailor and fine tune those governance standards in a way that commercial enterprises can be assessed and demonstrate their adherence to practices and requirements in the, in the NIST standards and others. So we're looking to extend into additional commercial verticals, maybe create profiles for assurance and assurance and assessment and other standards as, as we see fit.
And then again for 2023, we're really pushing hard to, to get those internationally recognized accreditations as conforming assessment body for our US and UK work. Next slide please.
Okay. Call to action. And this is action in my last slide. So this has been a quick run through. So if you're wondering how to implement standards and fulfill requirements that you're seeing in your vertical industry or from your government, that's kind of what we do.
So we, as Kay mentioned, we're doing a lot of work with the US health information ecosystem enterprises, governments in the US and we're working on transforming profiling and tailoring guidance like the NIST 800-63 framework specifically towards assessment of health information companies and services to determine whether or not they meet the requirements specified by NIST. To do this, we engage with their associations and advise on larger scale projects where they're developing trust frameworks in the US healthcare environment and looking to shape the discussion around potential regulations and standards that apply to their members.
By working with Kantara, you make sure that you are represented at the international level, not just at the national level through our liaisons with international standards bodies, you help teach assessors and identity services companies that are our members, what your industry vertical needs are. We, we, we often hear people say that identity is identity across industry verticals and for everyone. And of course that's not true.
There are ways of thinking about personal identity and information sharing that differ based on regulation, the way industry works and other constraints that you face. So teaching us about them makes the programs better and more applicable across the board.
And if you're another way to, to engage with us is if you deliver identity services, come forward and talk to Kay and our assurance program about what it takes to get to attain a trust mark in the US or the UK for digital identity practices.
We're adding more companies getting more experience and knowledge with a broader range of service providers. And our assessors are building a strong portfolio of experience as well with, with identity services and how, and how they achieve their fulfillment of the requirements for, for identity and trust. And with that, that's my, that's my slide so far. Okay. How are you doing in the room there?
Well, we're good. We're, we keep getting a few more people trickling in. Does anyone, does anyone have any questions in the room for, for Andrew? I really appreciate Andrew.
You know, I said I'm here for a year and a half. He's been here since, what did you say? 2012 or maybe longer.
So a, a very long time. And so he's really, he was really able to kind of drill down into a lot more specifics.
He's, you can trust when he uses specific words that he knows what he is talking about. Me, you can't always trust. So, but, but I do try to, to help run the business and as I mentioned, we're, we're doing actually exceedingly well. And one of the things that I would just comment about that, Andrew, I mean, he's been able to flesh things out with more detail, but also I think one of the things that I have seen working with him and with the full board is that much of what, how Kantara was structured and our, our bylaws and all that governance and all those important things.
A lot of that was really done many years ago now, almost 15 years ago when it was first started. And I've said to the board a couple of times, you all really aren't a startup anymore. And I think what you see us doing now, and what you'll see in Kantara, and I, I hope that if you are not already involved, you'll get involved, is that we're really moving into a maturity stage where we have a lot of experience under our belt. We know what works and what doesn't.
We've made a lot of, I think, important and significant changes, and we were at a place in the stage to be able to make those changes without fear of going under. And I think that the fact that you see our membership is growing the aser, the certification programs are booming and our revenues continue to go up.
All of those things, I think are a sign that as we've moved into a more mature phase of the organization, we're just seeing a lot of positive benefits. So there was a lot of work in the beginning, I'm sure, but we're really at a different place.
And so, again, I I just would really welcome people if you have, if you've not gotten involved, to think about getting involved. And, and for those of you who may have done things in the past, I I, there's lots of opportunities for leadership and we would really encourage you to be a part of that. But I think that it's a, an exciting place in Kantara's history and it's, it's really moved on.
Okay. Yes. Just one thing to tempt the crowd. Yes. I clearly these days, digital credentials are the next hot thing.
Well, aside from ai, digital credentials of course, but one of the topic areas that we will be addressing in the work group side is what does it actually take to issue, assure, produce, and verify what are the practice necessary practices necessary to do that well, and to do that without surprising your customers and people that use your things. As we mentioned about the assurance programs, we assess practices. We don't assess the technologies directly, we don't do the technical testing.
We make sure that an organization's practices, procedures, governance is in place and effective for the topic of identity and soon credentials this year. So if you're wondering how you can trust an issuer of credentials to do good for holders and how you can trust verifiers to do the right thing with the information they ask for and obtain, that's what we're working on is those requirements which do not exist out in industry today.
You'll hear John and Denny talk a little bit about those in the work group section, but it's one of the exciting things that's, that's coming up real soon in 2023, now that NIST 800-63 version four comments are being drafted and submitted. We have time to think about other things.
Thanks, Andrew. Are there any, any questions in the chat looking to the back of the room? Nope.
Okay, great. An anyone else have any questions or anything? Okay. They're all shaking their head, Andrew. And by the way, you should know that when you started out with your beautiful diagram of, with all the little boxes, I certainly laughed out loud and, and there were other people I saw chuckling behind me too.
So Yeah, I know you love those. So, anyway, okay. Do you have anything else that you wanna add? I know that you have to go to another session here shortly as well.
Yes.
As, I guess as part of the participation in many industry associations, it's, it's almost an exciting time at EIC because all of the association tracks run now, so I have to skip across to other, other groups and talk about my roles over there. Kay, are you thinking of having a quick break now or is it Yes.
Yes. Okay. I thought we'd take a quick break and then we'll start up with the work group reports, but we'll probably take about 15. And
My regret for not being able to make it to Berlin, I am definitely feeling missing, missing the activities of this week. So hello to everyone there.
Very good. Thanks, Andrew.
Okay. I'll rejoin in probably an hour or so.
All right. We'll talk to you then. Thanks.
So, so everyone, the next thing that we would, I would like to do is talk with the work groups, but I thought this might be a good opportunity to take a break. I don't know that it's an official conference break, but you've had a chance to hear from myself and Andrew, and if you have any questions, let me know. You're also welcome to come and talk to me at the break. So I think what we'll do is we'll take about 15 minutes, so we'll come back at 10:05 and we'll start to hear from some other folks who are here in person as well as some others who are participating virtually.
And we'll get a chance to talk a lot more about the meat of what the work groups are really doing and what they're focusing on. And hopefully that will be of, of interest and provide opportunities for you also to, to learn more and to get involved if you like. So let's take 15 minutes and I will see you back here then. Thank you.
Thank you. Thanks for my technical folks in the back, got us all back on track. Welcome back to the people who are online.
This is the portion in the agenda today where we're going to really start to get down into a lot more details about the work groups, the things that they're doing, the things they've already accomplished, where they're headed, and all of that. And I was hoping that Alec Laws, who is the chair of the Leadership council, which is all of the chairs of each of the work groups who come together once a month to kind of check in and, and work together and make sure they're not stepping on each other's toes, making sure they're collaborating where they need to. So is Alec there and ready to present?
Hi, Kay. Yep,
I'm here. Awesome.
Hi, Alec. Take it away.
All right, thanks everybody. Who's there? I can't see anything, but I'm sure it's a great, great audience we have today. So for today, I think we have quick sort of summaries from each work group, you know, a few minutes from each just to give you the, the sense of what's been going on. But we're gonna hear from our, all of our current work groups, so IWG, UMA, PMC group. There's a lot of exciting work going on. So hopefully this gives you just an idea about the breadth and everything that's going on this year at Kantara, at the work group.
So I think we're starting with IWG here.
Oh, so, so yes, we have, Denny is here. He is the vice chair or co-chair, I'm not sure which of the identity assurance work group, IWG. And you're all set. Can I go to your first slide here?
Yes, please. Okay.
Hello everyone. I think the mic is working. Quick introduction. Denny Pervu. I'm from the Royal Bank of Canada. Oh.
Oh, it's a proximity thing. I'm sorry.
We have a, we have a very exciting user group.
So, quick history on me, probably. Oh, wow. Close to 20 years ago, the Identity Assurance working group met in a cafe outside of the Moscone Center in San Francisco. And I was reached out to saying, Hey, it'd be really cool if you joined this group as a secretary to start documenting what we're doing and how we interact with other groups. As time went on, I was in the vendor space and I spent a lot of time working with the standards.
And NIST, the NIST 800-63 standard really caught my attention. And it was more because it was all around identity proofing as a vendor, we were always concerned about the best way to have technologies represent our users. Most recently I joined as vice chair for the identity assurance working group, working with, with Kay and Andrew Hughes.
That, that you heard earlier. And, and we have a lot of unique areas of focus. One of the big things in, in, in my opinion, is the assessment scheme and the assessment criteria. So when Kay described how our assessors look after the standards and how we make sure our vendors comply, how we make sure organizations use our technologies and approach our vendors, it's nice to have a set of rules and a set of guidelines. The great thing about them is the participants that we have in the group.
We have assessors, we have vendors in that space, and we have participants from, from a number of different organizations. So we have them from different industries. We have them from, from government bodies, we have them from academia, which are great because my writing skills are atrocious.
We also have identity verification providers. So a lot of the people that provide the services for our consumers in the space.
Granted, some of the spaces are a little bit more active than others. I'm physically located in Canada, we don't have a lot of those similar guidelines. But in the US definitely organizations reach out. So we have our authentication and federation providers that participate. And it's great because we have a lot of the standards bodies that reach out and they share experience, they share their alignment. I started becoming more recently involved with our healthcare group, and we have other industries reaching out to us saying, Hey, we, we need to more abide by a series of standards.
We need to follow certain guidelines. So it's nice that we're seeing them reach out. For those that do reach out, they're asking us what are the industry best practices for verification or authentication?
And it's nice that we can come up with guidelines and users can share stories. As Kay said, there are our members and there are individual contributors that are part of the working group. And then of course, we get to provide our comments for other industry published guidelines. So Kay mentioned the 800-63 specification that came out.
It was nice to be able to look at a document or a series of documents and not just say that you're missing a comma on a page, but provide several hundred comments on individual sections from identity proofing to authentications and levels of assurance. And I think that's, that's a great way to, to keep everyone involved.
And it's, it's fantastic. We, we have Lindsay on our team and she keeps us in line for, in a number of areas in the working groups, not, not just the, the publications and, and as we're a secretary, but a, a huge contributor. Next slide.
Oh, that's okay.
So some things that we're working on and, and the directions we're going. So the 800-63 spec that I mentioned, it was a light read for anyone that had some spare time for riveting sections that, you know, required different levels of involvement. So there were areas that the assessors were, were huge contributors. There were areas that the industry service providers were, were, were valuable contributors.
And, and it was great. I mean, we were able to participate, we were able to provide based on recommendations to NIST comments that would, would benefit the industry as a whole. We get to see a lot of things that they probably don't get to see firsthand.
So I, I think that was, that was pretty pretty engaging model for us. Now we've got some goals for the future as well. So we do have to increase the, the, the focus on the assessment scheme. So for our assessors that look at content, we need to make sure they're keeping up, up to date and up up to snuff with their skills and abilities. We also need to make sure that they're asking the right questions for, for their individuals as well.
Now there's, there's non n identity assurance markets.
I was just in another group that have reached reaching out to us and they're providing a service that they're, that they feel is a valuable service globally for providing identity credentials. But they are not a verified credential, they are not assessed by anyone, but they want to provide a service for both identity and for payment services. So they've come to us, well, they actually caught me in the hallway and said, Hey, can, do you think we could work together? So I think, I think it's nice to see Kantara has that visibility globally.
The services have taken, taken Norwegian countries by storm. They're not as available in Canada, maybe partially in the US as well. We're also starting to see involvements from other industries where, let's face it, we were just kidding earlier that there's no industry mapping dictionary of, of terms and phrases.
And the healthcare industry uses terms that we don't use in government. The energy sector does not use what we use in, in healthcare. So they've reached out and said, can we do some sort of mapping? Can we have guidelines that we can follow?
So that's something else we're starting to work on. And then now with diversity, equity and inclusion component, huge interest to me in the identity space. A little sidebar there, one of my side roles is immersive technologies. So for those of you think that an identity is just a credential or who you are, think about now I'm working in augmented reality and virtual reality. How do I have an avatar that has an identity? So now I have to work on inclusion of those other services. So now this space is really expanding. I thank you.
And we're always looking for other contributors and other people to participate in the identity assurance working group.
Any, anyone have questions for Denny? I was looking Oh yes, we need that microphone.
Oh, microphone, yes. So the, the folks I have been corrected about the fact we need it a mic
Have one. So the increased capacity to respond to high priority industry trends. I know I'm gonna talk about my paper later, but I wanted to highlight that one of the recommendation sections is very much on future concerns that, that we don't have a solid grasp of. And deep fakes was one, but there was also digital warfare and large language models and metaverse. So that would be something that you might be able to point to as useful when you start those discussions.
Thank you. Very good idea.
Yes. Did anyone else have a hand up? Did I miss anyone?
I am, I'm not seeing anything in the chat. I don't think you're not either.
Okay, great. Okay. Thank you.
Well, thank you Denny. I really appreciate it. So I'd like to move on to the next, I'll come up here for just a minute. So the next work group that we'll be talking about, you know, what they, what they've already accomplished, what they're working on, and what the future holds. This is again, with Alec Laws, the person that I introduced, he is the chair of the leadership council as a whole, but he is also chair of the user managed access work group, which we shorten to call UMA.
So Alec, do you wanna go ahead and, and talk to us about your work group?
Yes, no problem.
Thanks, Kay. Yeah, so like Denny, I found Kantara via this work group, and it's been a lot of fun working with these folks for the past five years. User managed access, or UMA is one of the technical specifications that was developed and maintained by Kantara. So there's two actual specification documents, but at its core it's really an extension to OAuth that adds some key practical roles that we always see in real live deployments.
First, it extends OAuth to add a requesting party role. So really trying to get specific about who's trying to access information or data or resource servers in this beautiful spiral picture. And it supports asynchronous authorization. So the idea that a resource owner or a person who has a healthcare record doesn't have to be there when their data is accessed. They can set up delegations, they can set up their policies ahead of time so that later on, somebody else can come along and, and get access their, their information without their direct involvement.
So something like a healthcare practitioner getting access to a patient record at their convenience without the patient present.
You go next.
Okay, please. So together these capabilities that UMA is adding to OAuth. So the ability to separate authorization servers with many resource servers or many different APIs being protected, the separation of the person requesting data from the person who owns that data, the fine-grainedness of policies.
So getting down to the specific document level or scopes within that specific document really comes together to create sort of a, a new complete breadth of capabilities that really, really are about serving end users, providing agency privacy and those types of controls that are really critical, especially as we get into more government or healthcare use cases, which we'll see are a lot of, a lot of current places that UMA is being used today in industry. One more so health, I mentioned the healthcare use case.
That's something that we worked last year to create and show how UMA is used and can be used within the healthcare domain.
It follows a patient, Julie Adams as she is born, grows up deals with health conditions as a, as a teenager and child, and then eventually becomes a, you know, a full, full fledged adult and takes, takes grant of her healthcare journey.
And UMA, UMA can help at all of those different sort of points in the points in the care continuum from when she's a baby and no control to a teenager that needs some, some ability to share her record with different practitioners, even though her, her mother's still largely involved with her care to an adult where you're on your own and you, you have to manage all your data and information as you, as you work through the, the healthcare system, especially in countries like America and Canada.
One more, but a really exciting use case that we have in the UK is the pension dashboard use case.
And they have UK pension dashboard program from the beginning use user managed access as a sort of central service to the solution that they're putting together. It's the main coordination service. It's the main thing where identity is federated to, and it really makes use of all of the different capabilities that I talked about with UMA. It's protecting many, many different pension schemes provided by many, many different companies across the UK. It has a delegation built right in where you can delegate access to your pension data to different advisors within the ecosystem.
And it has support for many different clients. So many different pension dashboards that have different views or different ways of putting your pension data together into new and exciting solutions for, for UK citizens.
So hopefully those last two sort of implementation examples show really where UMA is being used in industry today. A lot of healthcare use cases and a lot of government use cases have come through the works. And today the group is working mostly on reports that showcase UMA's use in industry.
So last year's report on healthcare, this year we're working on a report on the UK pension dashboard program and how it's been using UMA successfully to, to implement its service. Go one more I think. So just a quick summary of some of the implementers that exist in, in the world from my company, Identos to pretty large IAM players ForgeRock and Gluu, and it's built right into Keycloak or Red Hat SSO today.
And a few of the, the major deployments talks about UK pension dashboard, but a couple Canadian deployments, one in Ontario to manage government identity and one in British Columbia, Ontario, British Columbia being provinces of Canada to manage Type one diabetes program at the BC Georgian's Hospital. You got one more. So thank you. Hopefully this is a quick, quick intro to UMA, what it can do and what, what we're working on today. And if anybody's interested, we do meet on Thursdays at at 1:00 PM Eastern time, so a little later in Europe.
But it would be great to see anybody who sort of resonates with these use cases or the need for more agency control or delegation within our federations. Back to Kay.
Thanks Alec. That was very helpful. I appreciate you going through all of those examples. Does anyone have a question for Alec? Is there anything in the chat? I was having trouble getting on the chat, so I can't tell if I missed anything.
No, no more questions. Okay. Our next speaker is also virtual. Sal D'Agostino is part of the leadership of the Advanced Notice and Consent Receipt, the ANCR work group. I know they have a lot of things coming out now. So is Sal online and is he I'm here. Kay. Yes. Perfect. Thank you very much.
Speaker 11 01:34:57 All right, good morning from Boston and yeah, so away we go, I guess. Next slide please.
So the, for people who don't know, the, the, the ANCR work group as we refer to it, is sort of the next generation of the consent and information sharing work group, which is an effort that goes back to 2012 around something called open notice resulted in the consent receipt, which is the Kantara specification version 1.1, which has, which then made its way into an annex of the ISO standard for online privacy notices and receipts. Its adoption.
It has been interesting in, in the sense that from mostly what we've seen, it's been internal to people and that as the, the initial purpose of the consent receipt itself was actually something for people to use and not the current kind of consent banners that we're, we're seeing today. So the goal of the work group is actually to try to get to that maybe consent receipt 2.0.
Speaker 11 01:36:17 This is a slide about our activity basically covering the last year and what we're up to in 2023.
You know, a lot of the work we do kind of hack ISO standards in the sense that we map to them is trying to make them open and generally available for people, particularly when it comes to standards and interoperability around notice and consent. There's some activity in the US by our Federal Trade Commission, which is where I'm located, and which is also helpful in terms of perhaps interest in providing some legal basis for the, some of the standards that we're developing.
And we provided some comments to them in particular about the, the need online for what we refer to as two factor notice, which is basically there's no possibility to consent unless you understand the risk that you're presented with. And then some way of establishing proof that that notice is acceptable to the parties involved.
Speaker 11 01:37:23 So having worked through that, the work group in 2023 is actually now trying to take a take the step of actually showing how we could create, you know, the human data control and human-centric infrastructure that, you know, where we think is missing out there. In some ways, I think we're trying to obsolete the identity assurance program in the sense that ra rather than sort of assessors assessing the fox assessors assessing the henhouse, maybe what we could have is sort of embedded human-centric technology, which does this for people.
And so in order for to do that, we need to create tools for people and infrastructure for people to do that. And, and what, and I think the, and, and as a work group, the place that we're looking to do that is to start with something which we called an open notice record, which is a record that a individual can use with a receipt in this case, a notice receipt in order to be able to get to a consent receipt.
Speaker 11 01:38:35 And then with that, be able to create what we're referring to actually as a notice controller credential. It's in 2023. And even our language evolving.
And we're doing this not only in concert with ISO, but in terms of other work that's taking place in other organizations, you know, around the world, there's hyperlinks there for people. So what I wanna do in the remaining time I have is just talk very specifically about one aspect of the work that we're doing, which are transparency performance indicators.
We think, you know, in terms of gaps in current frameworks. In fact, our comments to NIST pointed out that as an example in the federation document in 800-63-4C, the word transparency did not exist.
Like the, it wasn't in the document itself, the credit to NIST and their framework now that they're publishing of the five bullet points that they want going forward are, are, are is measurement around transparency and Kantara as a, as a organization has always kind of prided itself on innovation that's ready to meet the, the needs.
Speaker 11 01:39:56 And, and we just so happen to have these transparency performance indicators.
So, which is the next slide, and please and little bit of a, maybe our graphics can move this up and we'll clean it up before we get there, but basically they're four things. The first is when do you get notified about what's going on? Because as we well know more often than not when it comes to surveillance and, and identification and sort of the, the alpha technology that the identity management industry has created a lot is about individuals is being captured. We have any idea about what's going on.
So first we need transparency around what's going to take place, but importantly it needs to take place before any of that occurs. So if we're gonna measure transparency, the first thing to know is when, when is, when are things becoming transparent? So that's one.
Speaker 11 01:40:50 The second one is, you know, what, what are the required data elements? And we're beginning to see some progress here.
Again, we're using the ISO standards and most of this again, is about information about the controller. If you as an individual, I don't, I know who I am when I go online, most, most what's missing is, yeah, inform is information for me about who and what and where and how and why and all the questions, right?
So, so to try to answer some of those questions, it'd be nice that we had some basic information. Some of this is akin to things like GLEIF and you know, am I dealing with a legal entity and who is this legal entity and where are they located and what kind of things are they have in place in order to be able to provide me some kind of assurance, right?
Speaker 11 01:41:44 Not assurance about authentication, but assurance to me before I share my information, me meaning the data subject. And then again, so, so that's the second indicator.
And then the third indicator is the, the accessibility to that information, right, which is to my rights or, or whatever it is that I have access to, what do I have to do to get it? And if that means I have to like wait 60 days, okay, fine then that's what the law requires. But you know, they could be better, it could be self-service, I mean it could be a lot of things. So you know, how accessible is what are, are, are the, are my rights and the operational requirements that I would like to have in place in order for sharing the use of my data to occur.
And then the last one is, is, is basically is there act and in fact all of these things at the end of the day are, are are actually critical security controls that are often missed in most frameworks.
Speaker 11 01:42:57 They to some extent in the X.509 world where I've done a lot of work over the years, you know, there is this idea of whether something or not something's valid, but it's, it's valid only for the pipe. It's not about what's valid for the use of the data.
And so how do I know that the security that you have and the policy over the security actually matches and, you know, so, so there's an important check here to make sure that the sec the security itself in some ways in a traditional sense, but also in, in, in representing to, again, to my me as the individual, any risk that might occur. Not not about the, whether it's HTTPS, but whether about the, the policy that's associated in, in, in about, in the session. And it could be, you know, this could be in a JWT, this could be in any of the JOSE kind of tools that you might be using.
Is is, is that, are those cryptographic processes actually Yeah, yeah. In sync appropriate with, with with my concerns and, and yeah, any kind of further authorization or delegation or control. So we meet at, on Wednesdays at noon. I didn't keep a close eye on the clock.
Hopefully, hopefully I didn't go over too long. Happy to take any questions. Noon Eastern Standard Time, east, well now daylight. So thanks. Kay. Thanks Alec.
Yeah, hi to everyone in the EU. Yeah.
Okay, that's it. Bye now.
Oh,
Wait, wait, Sal, Sal don't leave. Yes, because I'm pretty sure you have to do double duty today, right?
Speaker 11 01:44:47 Oh, you're right. Oh my goodness. I'm gonna go and do, I'm gonna RIUP as well as ANCR.
Yes,
Yes, yes, yes. So I
Speaker 11 01:44:55 Almost forget, almost forgot. Sorry. Kay.
No, yes. I get to, I I I get to keep going, right?
Yeah,
You do. But let me just give a little bit of introduction before you start moving on right away. No questions in the room for, okay, so, so yes. So the next work group to talk about is the resilient identifiers for underserved populations known. And I'll let you pronounce how you say that acronym Sal is, is not the chair of this group, but I know that he serves on this work group. So that's just an example for all of you. If you'd like to serve on more than one work group, you actually can do that.
So he's got a leadership role in the, in the ANCR group that he just talked about, but he also participates with this. And because the chair was not going to be able to be on even virtually today, he stepped up to the plate and volunteered to talk about what this work group is focused on. And so with that sort of explanation, thank you Sal for staying on and I'll let you talk about the work of this, of this particular group of folks.
Speaker 11 01:46:03 Yeah, so RIUP the, I guess what we're using as a moniker for the work group. So I guess, is there a slide for this?
Do I see that right now? Oh, there we go. Okay. So this is a slide, this is a slide that was presented for presentation, the Kantara board. So it's referring to the end of last year, but it's a, it is a new work group, but it's the, it's continuing sort of the legacy of what was the D S G where a lot of us were involved.
Kay, as an executive director, myself as a former president chair, and again, sort of looking at sort of not necessarily the mainstream technology identity management deployment aspects of things, but to really look at how we could get that technology much as I was referring to earlier in terms of it's like making available technology for people, whatever that might be. Personal, own personal AI, I guess at some point.
And, and how do we get that technology in this the, in what this industry is focused on in the hands of underserved populations. And, and it combines what was the resilient identifier work group and a healthcare work group that, that previously at Kantara.
Speaker 11 01:47:38 I mean the, the point, the group is actually very focused on actually trying to, interestingly from other Kantara work groups of actually trying to build something and target actual use cases and show why providing identities to certain populations.
It makes very strong economic sense and particularly around underserved populations who are receiving government services and, and, and making sure that those government services are, go directly into their hands. There. There's actually a huge issue in healthcare and, and sort of generally with services to these populations where identity services actually is a complete win-win. So the work group itself is looking to try to find partners out there such as the CARIN Alliance to pursue these things.
And, and, and so I mean, and there are some other examples here as well, looking at some migrant populations as an example, sort of people in need of, as well as people who are in need of particular sort of mental or other health addiction related services.
Speaker 11 01:49:09 And so, you know, those are use cases that don't often get much attention. I think it's consistent with what Kay and Andrew were referring to earlier around Kantara looking to operate in places where maybe people haven't necessarily gone too far before.
It's not that people haven't gone there, but, and certainly there are people who have, but very specifically we're looking to do these sorts of things with these kinds of populations. And again, in, in these particular cases in the United States where, you know, there, there exists plenty of underserved and I'm sure there are in the rest of the world, but I guess we're just trying to do some work in our backyard here. So I That's okay.
I hope, hope that's a decent presentation for the work group. It, it meets on Tuesdays at one Eastern, if I remember correctly. But everything around Kantara work groups are available on the Kantara calendar. They're there, they're all Zoom meetings. All you need to do is click and you'll be able to join again. There's a very low barrier entry around any of these work groups.
And yeah, please join in. Thank you very much, Kay.
Doing the double duty there for, for both of the work groups. So thank you for sharing that information.
Any, any questions for Sal before we move on to the next group? All right, thank you very much Sal. Appreciate your appre your participation. I'm trying to speak, so, okay, so the next work group we have is the Privacy Enhancing mobile credentials group. The chair is John Wunderlich who is here with us at the conference and he will talk about their work now.
Speaker 12 01:50:59 Thanks Kay. Just sort of building off a little of what Kay said earlier, I want to talk about my background both in Kantara and cuz I wanna invite people to play.
I've, I've been doing privacy for 20 years on top or in parallel with another 15 years in IT and operations. And I've been really thrilled to with the work that I've done with Kantara, that includes the consent receipt specification recommendation that's been published and Sal talked about that earlier. We published something called the Blinding Identity Taxonomy, which helps developers identify, identify or have a taxonomy of, of things related to privacy or fields related to privacy.
I was really thrilled to participate in the blockchain and smart, smart contracts report, which is another report on the Kantara site and the direct predecessor to the work group that I lead now was, was a report on mobile driving license privacy.
Speaker 12 01:52:04 All of this stuff is available on the reports and recommendations page on kantarainitiative.org. Just as a sidelight, I do some work on, I've done some work in IEEE on software development lifecycle for di for privacy I p 702 in the IEEE, the internet safety lab software safety panel.
And I'm about to publish my fifth edition of my book, your payroll privacy Questions answered. So that's all background and, and when I say come join the Kantara, it's one of the things I like to say is the only time I'm the smartest person in the room at a Kantara meeting is when I'm the only person in the room. It really attracts an enormously high level of expertise and, and, and industry experience and you'd be well recommended. So next slide please.
So the, rather than go through a lot of text, I'll just walk you through the current state of the, of where we think privacy enhanced I mobile credentials are just looking at the back. If I pointed things on the screen, is that gonna be helpful to the people online?
Will that, will that be okay? So I
Think so. Okay. I mean they're okay. They're able to project you and the screen both.
So,
Speaker 12 01:53:30 Okay, so at the center of this diagram is the, for if you're coming to this conference, you probably recognize that triangle issuers and holders and verifiers or you, you, your industry might be calling them IDPs, identity providers, relying parties. But we all know that sort of triangle or federated identity. And what I, the key thing for me as a privacy guy is the end points, these are all technical endpoints. They're components.
So there's a wallet or an app, there's a software that the, the mot, the Ministry of Transport or the DMV uses to provision a wallet or a phone and there's a reader that the verifier uses to actually read the credential. So those are, that's a technical triangle that's susceptible to technical specifications. But if you think about it, privacy is a lot fuzzier and it sort of sits in this outside where you've got an a verifying organization.
Speaker 12 01:54:34 Example, I sometimes is John's Bar and Grill looking, trying to read an identity for, for, for age verification.
The issuer might be a, a dm, a DMV or an MOT depending on the country. You, you are, that's issuing a, a driving license could be a university issuing a student Id, could be a teacher society issuing your credentials to be a teacher. So you can walk into a school, present your mobile credential and say, I'm qualified to teach physics in this school. But it all, from a privacy perspective, it all centers down on the person here. What are they provisioned, how do they use it to get verified and what happens on the back end? And that's all this other stuff.
The contract that the vendor has with the verifier to provide a reader, the vendor that has a contract with the is issuer to provide issuing software.
Speaker 12 01:55:32 The issuer, especially if they've got legal authorities, may be issuing terms and policies. So that the, that that the provider of the wallet app has a regulatory requirement. All of that needs to be considered in what I, when I talk about respecting the privacy of the, of the individual in the operational circumstances.
And I specifically talk about respecting privacy or respecting the privacy expectations of the, of the person rather than protecting privacy. Cuz the arrow of causality and accountability is the wrong way. Protecting privacy, if I want to be hyperbolic about it, is paternalistic and takes all the agency away from the individual cuz I'm going to take your identity and I'm going to protect it cuz I know better than you. Rather than, oh, taking the effort to understand in the circumstances what are your privacy, what are your reasonable privacy preferences, and I'll do what I can to respect them.
Speaker 12 01:56:36 So that's what we're trying to do. So the, the roadmap that we're looking at, we have specific requirements that we're doing in our an early implementer's draft report that hopefully should be going to Kantara for a vote later this month or early next month. And that that'll be, that'll be published so that you can see the shape of what this looks like in terms of notice and consent or limiting use, all of various fair information practices or privacy principles from the perspective of the verifier, the issuer or the holder that's coming out this month.
Then we're going on to develop the specific requirements that, that the various participants and stakeholders in the, in the, in the space need to have. And then finally, and this'll make Kay happy, that'll it'll go to profiles that auditors or assurance people can say, if John's Bar and Grill says that they respect the privacy of Kay when she comes to visit, that means they're only ever going, they're not gonna hold onto the picture that they use to verify that it's Kay at the bar and they're not, and they're only gonna get a green check mark for age verification and nothing else.
Speaker 12 01:57:58 They're not gonna be collecting the email or other things and sending it to market. I still get emails. I visited my daughter who was in Cambridge, England at the time, a year and a half ago, and I signed into a wifi at a, at a cottage for, for the one day visit. I was in Cambridge. I still get emails from those people and it's really annoying. And why is that necessary?
So pick your poison, but we're going to, we're trying to work out feasible, reasonable ways for verifiers, issuers and providers of wallets and apps to provide assurances to the individuals that their privacy is going to be respected. And what I want to do now, I checked with Kay earlier, is I just want to talk about something that's come out and there's gonna be a keynote on this, I think, right? Heather?
No, I don't think it's a keynote on this particular topic. She's, but she has a keynote presentation.
Speaker 12 01:58:59 Yeah, but she's just Heather Flanagan, who was for a while, the technical editor in the P M C group, also for a variety of stakeholders produced a phenomenal white paper for, for US and others on privacy and government issued IDs. I'd just like you to hand it over to Heather.
Yes, probably the next one.
I, I don't, I don't have a slide for this, this Nope, nope.
Sorry,
I just get to wing it.
Yes, you do. But we know you're good at that. That's why you're speaking all over this conference.
No, isn't
It gonna be marvelous? So yes, we published last week a paper called Government Issued Digital Credentials in the Privacy Landscape. That paper is not short because the scope of it is global, right? We were trying to talk to what's happening in the US in Singapore, in India, in Africa, Nigeria, specifically in Italy, as well as, you know, looking at the EU more broadly, what, what the targets were.
Of course, looking at something that's really, really big, which the Aadhaar network in India covers. Look at something that's really, really, really ubiquitous, which Singapore covers look at something that's following an EU model, but that isn't Estonia, Italy is a really good example of that. And then of course, what some of the interesting things that are happening in the United States with mobile driver's licenses and how different states are approaching it differently. That's sort of the, the first third of the paper.
The second third of the paper now starts to look at the technology, what technology and standards exists in the world today that enables identity and privacy. Looking at that, how, how they're not so much how they're being implemented, it's not a technical paper per se, but just saying, well what, what kind of tools do people have in a technical toolbox to use to enforce these kind of privacy concerns when you're looking at identity systems?
And then lastly, we get into recommendations of, okay, so all of that was great and it existed to bring the different stakeholder groups that this paper is intended for, which include government policy makers, civil society members, as well as technologists, all up to sort of a common baseline of understanding of what's happening in the space. From there, the recommendations start with, okay, some of it is really pretty basic.
The, the most, I don't wanna say simple per se, but the, the core components to a solid privacy system is to make, make sure that the system is secure and to do the, just that proper baseline of making sure that your systems support confidentiality, integrity, availability. People can't get in and steal the data that are being collected. Because one of the important things to remember about government systems, and this is often skipped in a lot of material, is the government is the source of some of the most important privacy related information about an individual.
They're the, they are the source of truth, the system of record for dates of birth, for legal names for citizenship.
And so you can't necessarily tell them, no, you can't have that data.
Well, they have to have that data. They're the source of that data. The concern comes from, well then when you actually use that data in a digital landscape, what other data is the government than perhaps collecting about you? And that's kind of some of the data that we wanna talk about protecting in systems as well as protecting the, the system of record. From there we move into talking a bit about, okay, so that's your, that's your basics of, of what you need to think about just to secure your systems and to be able to support the fundamental fundamentals of identity systems and privacy.
But then we are looking at what about current concerns? You can't have a paper like this and not talk about the concern of surveillance. The fact that governments would be, in fact be able to track how you use your i the credential that they gave you is an enormous concern for many, many privacy advocates out there.
There's also concerns, the DEI, digital diversity, equity and inclusion is a concern.
I didn't dive into it in great detail because that's its own separate paper, but it is another area of concern where there are recommendations to say this is an area that you really need to be paying attention to. It is closely related though, not a hundred percent overlap to privacy. And there were, there were a handful of other other things in that section as well. Making sure that selective disclosure is a thing. Advanced cryptography has to be a thing.
And the last set of recommendations were focused on the future because there are areas where I, you know, in going through this whole review of the landscape, you could see there are some things coming up that we don't have a good grasp on and that are going to be enormously impactful in this space.
Things like digital warfare.
As countries become more and more dependent on digital systems and these credentials that people are expected to have, if you attack that infrastructure, then you're seriously disrupting the ability for people to potentially get healthcare or get, you know, the, the basic benefits that they need to survive in, in the particular society that they're in.
There's concerns about deep fakes, which are improving to the point of, we, we are days, minutes away from scenarios where someone can create a, a video that looks very much like me and then because I am a public speaker, they probably have my voice somewhere. And if anyone's on TikTok, they probably have your voice somewhere too, and your video. And then they can create, they can generate like video recordings and send it to grandma, grandma, I am overseas and I desperately need money. Please send me, I I have to have it cuz I'm in big trouble.
You know, tho those kinds of things.
That's, that's a deep fake at the end of the day. And it's how do you, how do you consider that? How do you prove that? How do you protect against that? And can government issued digital credentials help? Metaverse is a very similar kind of concern to, to that deep fake area of what, when you're in a very digital landscape, how do you handle that and prove that you are who you say you are in a way that doesn't get your information then subsequently stolen. And then the large language models are another area of interesting concern. Now overall, the paper's about Stephanie pages long.
We do, we've got a call, wonderful call out box for the privacy enhanced mobile credentials group and the work that's happening there. We've also got an interesting call out on the IETF's privacy consideration requirements as a model of how some standards organizations try and include privacy considerations in their work. But there's absolutely more that can be done. So I will be talking about it Thursday afternoon at 3:30 with Mike Kaiser, the ubiquitous credentials in your pocket.
Speaker 12 02:06:41 Thanks very much, Heather. I just wanna wrap up. I was negligent.
The P M C works every Wednesday at one o'clock eastern time except this Wednesday because of this conference and look forward to it. And so, and I saw this news, this is forward to me by one of my members, member of the US House of Congress has put forward a bill apparently to either make optional or mandatory. It wasn't clear to me that on your, this is a very US issue, but still representative, an interesting edge case or a case where the state says we have to put your concealed weapon carry permit on your driver's license. And is that respecting user privacy? Is that a safety issue?
A whole raft of issues that come. So if that is something you think you might want to opine on, please join the group. Very good.
I don't, but thanks. Well so thank you John. Thank you Heather.
I, I really, you know, I I sort of called on Heather as you can tell and said, could you please talk about this a little bit? And I knew she was doing a session, so I hope that was a bit of a teaser for you. I would really encourage you to go and listen to the full session. It's really, she's done an incredible job and we are really pleased to have been able to partner with her on that.
But it's, I I think it's insightful if you will, and just really has pulled together what before felt for me personally, felt like a lot of different threads that needed somehow to be, to be pulled together to really figure out what, what is this we're looking at and what are all the implications. Cuz as for all the examples she gave, really, I think there are huge implications.
So I'm really grateful and I'm really grateful that you were able to make the time. Cuz I know that you've been asked, as I said, she's very popular, so she's been asked to be in other sessions too.
And so I'm glad you were able to come today. Are there any questions? I looked in the chat and I didn't see anything. Is there anyone in the room that has a question?
Very, this is very great and I really appreciate, I just a thank you to all of the work group chairs who were willing to either stand up front or be online and talk about everything that you're doing. I know that if you get a chance to talk to any of them individually, you know, they're all very enthusiastic, let's put it that way. They're doing things that they really care about and are interested in and we are very supportive and appreciative and you can be a part of that.
And also, I've already had some people talking about some other topics that they're interested in and it's not hard to stand up and create a work group. So if there's some things, issues that you would like to work on, Kantara is a good place for that and we can help support you. And my guess is if something is really a burning issue for you, it probably is for other people. So we would welcome you to come with ideas and, and we would be thrilled to, to begin some new groups.
So the next topic that we'll be talking about, but before we get to that, we're gonna take a break, but to talk about the diversity, equity, inclusion and accessibility is actually another group that is doing a lot of work and there'll be some more discussions about how you can get involved in that. If you're interested, what I'd like to do is take another break for about 15 minutes, maybe, maybe more like 17 minutes.
That would make it 1130 here. And we'll come back and reconvene and we'll talk more about this particular initiative. Thank you everyone. My little clicker here.
Welcome back everyone. This is really the last session today, and so we will probably end a little bit early. I don't expect that we're gonna go all the way up till 1230 local time, but this is is an initiative that we are very excited about and it seems to permeate a lot of issues when it comes to identity proofing and authentication and all.
So I, I want to give this over to Jordan Burris. Jordan is a member of the board of directors. So you have seen a picture of him up there. He is leading this initiative and it's not a traditional work group like we heard from the others. This is really a subcommittee of the board because the board really felt like this was a critical issue that we wanted to try to address.
Oh, and there's Jordan on the screen even so, so I, I will turn that over and we'll, and we'll take questions at the end for Jordan and Jordan. Just let me know when you wanna advance, advance the screen there.
Speaker 13 02:11:35 Yeah, no, I appreciate that, Kay. And hopefully everyone can hear me.
All right, so greetings. Yep. Glad to be able to join you all today virtually.
So, you know, talking about before we, we dive into to this initiative in particular, I just wanna give a little bit about my background, especially prior to, to joining the Kantara board, right? I've, I've worked in what it will say is the digital trust arena for close to 15 years now at this point, holding, holding many different types of roles all the way at the help desk level up to writing a national level policy for the, for the United States in the White House.
At the core of much of my work, my focus has always been around ways in which we can basically enable trust or, or find ways to bring everyone into the digital process. The digital channel, if you will, excited that, you know, I, I currently serve at a company called Socure that specializes in identity verification, frauders management.
Speaker 13 02:12:36 And, and as part of that, you know, being able to join the Kantara board, able to focus really heavily on what does this mean about bringing everyone into the digital channels specifically as we look at identity in particular.
And that is where we come to DEIA and, and the importance for Kantara's board and, and moving forward and, and finding ways to make, you know, digital identity broadly more accessible for everyone, more inclusive and really helping to, to redefine what equitability means in that. So Kay, if you can advance the slide please. I think generally you, you've heard, and you know, Andrew Hughes highlight the importance of the board in particular, but, but really our commitment from the board standpoint to DEI or even DEIA cuz we, we had the accessibility piece to it.
It is understanding that at the end of the day, humanity is diverse and as such, digital identity solutions or identity solutions for that matter must be intersectional.
Speaker 13 02:13:38 They must be able to work for everyone, independent, race, age, class, socioeconomic status, so on and so forth. And that means that it is imperative that the solutions that are deployed in this arena, we're actually starting to take a focus about what, what is being done to, to confirm that more people are able to be brought into the, the online process overall.
This means starting to take a deeper look into the, the attributes that are used to form an identity, the, the methods that, that, you know, are being promoted, whether they be physical documents, whether they be more mobile based, documents based on various standards, so on and so forth. And so for, for us, it's about looking holistically about what, what needs to be done in order to kind of raise the, the, the bar, if you will, for, for digital identity, specifically with a focus on diversity, equity, inclusion, and accessibility. Next slide, please.
Speaker 13 02:14:40 And so, I, I wanna provide a recap of the things Kantara has been up to over the last year. Now, I joined the Kantara board towards December of last year, but there was already work underway to kind of seed, if you will, what, what our effort was going to be in this space. More importantly, back in May of 2022, they actually launched a DEI survey, and the idea was to solicit feedback from service providers, relying parties, others within the identity ecosystem, if you will, about opportunities or where the focus should be in this space.
From that time, they shifted towards the June, November timeframe. Analyzing the results, right, is more things came in, taking a look at what needed to have the most focus on from the, from the, the, the broader group, various highlights that were, you know, that came out of that.
Speaker 13 02:15:37 Not only was it responses comprised of those who were Kantara members, but those who were outside, kind of outside looking in, if you will, to see what, what we were up to. Generally, there was a lot of participation from identity service providers.
There was this discussion about whether or not they, the DEI or DEIA rather for organizations needed to focus on the internal concepts about what we're doing with our internal workforce or more externally what solutions could be in order to foster access to those, including underserved populations.
In particular, there was definitely a varying degree of discussion related to what investments look like with, you know, a number of organizations investing anywhere between, you know, 100 a thousand in US dollars, two up to 3 million over the next three years in order to try to improve in this space.
Speaker 13 02:16:35 But I think generally what was highlighted as part of that survey was that everyone was recognizing the orienting around the fact that it had to be cornerstone or centerpiece of business going forward, because it's really the only way in which we achieve our objectives from a, from a company standpoint, organizational standpoint.
And so, a as you know, the signal, the demand signal, if you will, was percolating across the identity community in particular, it was the belief of Kantara that we needed to take action in order to help basically drive the narrative or, or drive the discussion forward about what this should look like in practice.
And so from December, and it says now, but the, the idea is being like the ongoing efforts, if you will, the, the, the main focus was, okay, let's, let's take a look at what we could do to stand up some type of d e I committee or d e i committee focusing on various areas such as these were high level thoughts at the time, consistency in what we're doing as far as framing, creating various reports or do outs, deliverables across the group and helping to drive community engagement, right?
Speaker 13 02:17:40 Those are kind of the three pillars that were associated.
And specifically when I joined the board in December of 2022, this is, you know, the, the, the actions, the mandate, if you will, that was highlighted now across the first quarter. If we can actually go to the next slide, we met with actually quite a number of stakeholders within Kantara. And these were folks who had basically raised their hand and said that they wanted to be part of, you know, trying to frame what this committee, what this work effort was going to be, of the things that were identified as part of our discussions over the first quarter of the calendar year.
There, there were, you know, four, I'm gonna say four key themes that rose to the surface, right? One being that the, the lack of common terminology across providers in this space, across relying parties, anyone who talks about diversity, equity, inclusion, and accessibility as it relates to digital identity.
Speaker 13 02:18:33 Everyone is saying the words, but they're not necessarily meaning the same thing ultimately, right? And that's coming with conflicts as we look to engage and find ways to really solve this problem for everyone.
The, the nu the other piece that always came up was related to measurement, right? When we're talking about measurement, when we're talking about transparency or even understanding return on investment, there's inconsistency in approaches and a lack of uniformity, which can then lead to better outcomes overall, especially if you're considering kind of the evaluation from a, a relying party, if you will, and their ability to ingest solutions that are, that are meant to bring more folks into increase access to, to more folks as part of their process generally.
There was, there was signals that there was needs for understanding what good looks like, understanding what a mature organization looks like. That takes DEIA and puts it at the, the, the forefront of its efforts in particular, and, and highlighting that that was just, that's just been a gap, right?
Speaker 13 02:19:32 It's not something that's been focused on or prioritized generally.
And, and as such, you know, there's, there's this thought that we needed to do more to advance the discussion. And then the, the, the last theme that was highlighted here was that as far as a framework was concerned that ultimately, because, you know, there, there's this piece of folks can say that they are doing things to improve DEIA, but there's also this piece of, you know, attestation or, or kind of proving it, proving that things are, are, are, are moving forward.
And so there's this thought of, you know, what would a framework look like and what would criteria look like, if you will, for assessing those who say that their solutions are more equitable, right? Such that there we can look towards establishing trust at the end of the day with, with anyone who engages as part of the, the, the identity system or the identity solution to confirm that everyone can be included as part of that process.
Speaker 13 02:20:28 Now, okay, I think this is a building slide, so if you can just click it once, I think we can, it should highlight the next one. Yep.
And so generally, and I, and apologies for those who may not be able to see the, the words on the screen, but I'll, I'll read through them. But the idea here is that the, the agreement across the group, the consensus, and this is not only across the group, but across Kantara's board of directors, is that we needed to establish a, a board subcommittee, effectively, this is something that would be chaired by myself as a board representative and and other individuals.
But the idea is, is that it has board level visibility to focus in on what we need to do to improve and, and, and drive really the, the dialogue or discussion in this space, right? Our target audience is going to include not only service providers or relying parties, but also policy makers, standards, standards, policies or, or bodies in particular, those who are working on that and, and such that we can, you know, increase the, the, the, the dialogue around improvements in this space.
Speaker 13 02:21:34 Things that we're planning to focus on, and again, this is what the outputs were of our, our, our initial discussions include, you know, developing artifacts, if you will, reports on consensus driven language for digital identity taxonomy and terminology, right? Getting to a consistent point, which we're all speaking the same language. And this is something that can translate across different, different industries in in particular developing educational collateral, right?
The idea here being that when we're trying to communicate across business functions within an organization, not everyone is, has the same background, especially those who are more technically inclined. We're gonna work in the identity industry for a number of years.
It, it's, it's sometimes harder for us to get everyone on the same page about what we're we're talking about there. So we, we recognize there's this need to, to raise just the general IQ about everyone who's engaging in this space and particularly understanding what equity impacts there are for what, when digital identity solutions do not go right or they're not implemented right within an organization.
Speaker 13 02:22:34 And so understanding that we need to do more to, to drive educational content in that area.
We do believe that is important for Kantara to take a role in helping to define what return on investment in calculators look like and really what measurement looks like overall as it relates to DEIA and, and as such, we're going to be working on those initiatives over this year and beyond.
And so the idea here being is that, again, ultimately we'll be able to get to a point from a data driven standpoint, any organization, any a relying party or service provider should be able to highlight and, and quantify, if you will, their impact to an organization based on the way that they're deploying their solutions or the way things are being or orchestrated to bring more folks into the, into the, the system overall. We, we also want to take a role in expanding our collaboration across external bodies and industry groups.
Speaker 13 02:23:27 Now what does that mean?
That means with folks such as the, the, the CARIN Alliance, which Kantara already has a relationship with, with folks such as FIDO Alliance with folks such as Women in Identity, there are a number of folks who are talking about the impacts of equity in this space. It, it would be shortsighted of us if we believe that this is something that is only for Kantara to be working on.
But we do know that there's areas that I guess we'll say, well, we specialize in, and as such, we actually want to bring more of a, a community wide or, or ecosystem wide discussion and, and, and, and uniform engagement collaboration around what we're doing in this space. And, and, and so with that, we're going to be, you know, spearheading a number of initiatives in order to communicate broadly across those who are engaged to, to make sure that we're all, you know, speaking the same language and they're all able to contribute across bodies.
Speaker 13 02:24:24 So that way we're, we're, we're raising the, the collective bar of the marketplace as a whole. And, and the last thing I'll touch on here is, is related to really getting to the, the piece of measurement or, or evaluating how providers are doing ultimately, right? Understanding that there's this gap of understanding what good looks like.
We, we'll be working towards developing really what is that assessment criteria and that framework for, for how you would assess a service provider that is, you know, saying that their solutions are more equitable ultimately, or that you're able to demonstrate if ultimately, if you will, at the end of the day that they are doing something to, to move the needle forward. Right?
Now, this is not perfect. This will not just be focused on things like identity proofing free, if you will. We'll also be looking at things like derived credentials, mobile driver's licenses, things along those lines.
Speaker 13 02:25:16 The idea is that any, any piece of the puzzle that touches digital identity in particular would be in the scope of this work effort.
And what I would encourage is that for those of you who are interested, we're just getting underway off the ground, if you will, with this, this subcommittee, much of what you see here as far as the, the focus was included in the draft charter, which is being of commented on currently, if you will, by a number of our, our our members or, or participants if you will. I would encourage every, anyone who is interested to by all means reach out to Kay who can help get you in touch with, with get you added, if you will, to the, the, the list of folks.
We'll be having regular meetings starting to be established with the idea of working towards building out this collateral and this really this community of practice overall.
Speaker 13 02:26:07 And, and so, you know, for us, I think it, it, it again goes without saying that DEIA is gonna be at the, the cornerstone of Kantara's board and, and more or less what we're doing over the coming year, we actually believe it's going to transcend beyond that in particular.
And so with this subcommittee and this focus, the idea is to again, start to, to redefine what this means for, for the industry broadly. I think that's all I had as far as prepared content was concerned. Just generally curious if there's any questions from, from folks in the, in the room today?
Yes.
Oh wait, let me get you the microphone. I think this one works.
This is Denny from RBC. Thank you for this, this overview. This is great. I'm glad to see Kantara participating in this space.
You, you put out that call to action for people that do wanna participate because you're a subcommittee. Does that mean only members can participate or is it a working group thing? Like how do people get involved with you guys?
Speaker 13 02:27:22 Yeah, our plan is actually to open this up. So being that it is important driven initiative, we get to be a little more flexible on how we structure it from a governance standpoint or, so k k is it to slap me on my hands yet? And so the the idea here is that we're actually gonna open it up to anyone who can participate.
Doesn't have to be necessarily a member In particular. The, the only difference in terms governance is concerned is that it's going to be led by effectively the board having a chair role ultimately, so that we can continue, maintain, focus on it for, for at least the, the, the foreseeable future.
But, but generally we want anyone and everyone to participate because we recognize that's the only way in which we're going to improve in this space. And I appreciate the, the, the question, Danny.
Awesome. Thank you.
And, and if I could just add, I, I think I mentioned when we were talking with the various work groups that to participate, if, if you're not a dues paying member, you can absolutely do that, but we do ask you to sign a group participation agreement. So I just wanted people to be aware we're still gonna ask you to agree to our IP policy and antitrust and right.
So even, but that said, those are, those are really the only things and that's just so everyone is, we're on the same page and everyone's comfortable and, and I think for some, for a lot of folks, their organization may require their legal counsel to, you know, read and weigh in and you know, what are you gonna say and what are you gonna put my company name on and that kind of a thing. But you know, those are just sort of basic foundational relationship for how we wanna work together.
And I agree with Jordan that we really would like to make this more open and I kind of hope that, we'll, that, that organizations interested in this or trying to figure out what do I do with this? Because I, again, this goes back to some other conversations, purchasers of these services are asking these questions, you know, what are, you know, how are you able to provide for that?
And I, I think we're hoping that we can come up with some really useful information and that might come out in a variety of ways. I mean obviously for Kantara that does conformance testing and assessment we look at could, is there something there we could do, but it, how do I say this? In many ways, the market meaning people who are buying these services do drive a little bit about what Kantara is doing.
You know, we are, we're trying to help the companies that are members and the individuals who work in this space to be responsive to what seems to be needed.
And this is clearly an issue that just keeps coming up over and over. And I think to, to reiterate what Jordan also said, what you see at Kantara with this being at the board level where Jordan is actually on the board as a board of directors member is, is leading this initiative. The reporting is going directly to the board. That's just a sign I think of what people felt made this a priority issue for now.
Not that what the work groups do aren't priorities cuz they're important topics, but this was just something that seemed, there was consensus needed to be elevated. So anyway, there was probably more information than he needed. Let me just double check. I don't think I saw anything in the chat, did it? Anybody? Any other questions? No.
Yeah, there's nothing more in the chat, so, all right.
Speaker 13 02:31:07 All right. Well then thanks everyone and, and enjoy the rest of the conference.
Thanks Jordan.
Well that concludes our Kantara workshop and I wanna thank you who came and stayed for everything and I hope that it was useful and informative and we would love to work with you and have you be a part of the things that we're doing and be a part of the organization. I will be here for the rest of the conference. I know Denny, you're going to be here too.
We're speaking in other sessions so you have the opportunity on when on tomorrow. I'm in a couple of different panels talking about some of the other issues that we're tackling and we would welcome you and thanks to all the folks online, some of the names I recognize and some I didn't. And I am really grateful that you all participated today and we were glad to have you to sit into the workshop. So thanks everyone and enjoy your day and we'll let you go a little early. I don't think lunch is served until 1230, but so you might have about a half an hour.
So anyway, thank you all.