Markus Sabadello & Nat Sakimura, two of digital identity’s leading pioneers in discussion. How decentralized are today's 'decentralized' projects, really? How did we get here? Where do we go from here?
Thank you very much. It's very nice to be here and to see so much interest in decentralized identity at this event.
I remember a time when decentralized identity was something that only a small group of people worked on, like a few political activists with socialist or even anarchist mindsets, grassroots hackers thinking about this. And now here we have governments and banks telling us what decentralized identity will look like. What's the reason for that? How does centralized or decentralized identity work? And the answer is the technology, right? We have a lot of new technology now and developments that make a difference in terms of centralization and decentralization.
What you see here on the left side is what OpenID looked like a long time ago. It was a very decentralized building block, a decentralized technology where anyone could use their own website, their own identity provider, to log into somebody else's site. And today we have what's on the right side. That's the path that the OpenID technology has taken towards OpenID Connect and mass surveillance and all these evil, evil Google and Facebook things.
And I see this guy over here, I think he's the chairman of the OpenID Foundation. Let's see what his excuse is.
And I created OpenID Connect, but that's not the case.
You know, it's not the protocol that's causing this. You could, for example, install a WordPress plugin to run your own OpenID Connect provider in no time. That's just fine. The problem is that you don't have anywhere to use it. I run my own OpenID Connect server. I can use that only for my own services.
Those websites won't accept it. What's important is the convergence, right? And it's not about the technology itself or the protocol itself. One of the striking features of information technology is that it exhibits decreasing marginal cost and increasing returns. And if you have learned economics, you will know what that's going to result in: monopoly or oligopoly. And that's exactly what we are having now.
So Nat says it's not about the technology, but I disagree a little bit.
I think we are now working on cool things like DIDs and verifiable credentials and DIDComm and so on. And a little bit earlier, Mike Jones said that standards are about making choices. But I would argue that standards are also about the values and world views that are built in.
I think the values that we want need to be built into the technology. The title of the session is Les Misérables, right?
And in that novel, one of the stories is about revolution. It's about disempowered people empowering themselves and emancipating themselves. And this is also what we've been thinking in self-sovereign identity and in decentralized identity: that we want not digital slavery but digital enlightenment, where we have values built into the technology, values such as liberty, equality, and fraternity. And I want to show two examples. Don't worry, we don't have to look at the details.
But at the moment, while we are working on wallets and credentials and decentralized identity, there are a lot of discussions about which exact standards to choose. And I would argue that it's not always about the technology; these arguments have to do with the built-in values of certain technologies. On the left side, you see a JSON-LD credential in the W3C Verifiable Credentials data model. And on the right side you see an SD-JWT verifiable credential. The difference is something that developers can argue about a lot.
But I would argue one of the differences is also that the left one has more freedom, more liberty. Liberty, because it is based on what's called an open-world data model. It has decentralized semantics, which the one on the right doesn't have. And semantics, the ability to define meaning about what's inside a credential, can also be a source of power and power asymmetry.
So here, I think, is an example where you can argue a lot about technical functions, but you also have to see the liberty, the freedom. Which one of the choices has more of that?
I mean, just being able to name the name whatever you want in this data format is a liberty? I don't think so.
Well, yeah, it's kind of liberty. But what's the cost of making that possible? It's going to make it much more complex and much more error prone, right?
And I really believe in liberty, but I don't think this gets into something like that, the philosophical liberty thing.
Nobody ever said that liberty and decentralized identity is easy, right? The easiest thing is to just log in with Facebook everywhere; then Facebook defines the schema and Facebook defines the protocol. That's the easiest choice, right? Come on. Everybody wants things to be easy.
And also, as technologists, we have a responsibility to make it safe, right?
But it's not that. Well, let me give you another example. I'm sure that will convince you, right? So another discussion that we're seeing a lot in the different communities and standards groups is, inside a verifiable credential, how to identify the parties, right? You all know the three-party model: the issuer, the holder, the verifier. And if you look into a credential, there are also technically different ways to do that. What you see on the left side is verifiable credentials using DIDs, decentralized identifiers.
There's a DID that identifies the issuer. There's a DID that identifies the subject. What you see on the right side is a credential that doesn't use this. To identify the issuer, it uses an HTTPS URL, and to identify the holder, it uses a public key, a cnf claim inside a JWT. And there's a big difference here, right? This is not symmetrical; you don't have the equality. And Nat definitely agrees with that.
Huh? It's just encoding, come on. It's just encoding, right?
It's semantically the same. The right-hand side may look complex, but it's just one standardized way of expressing a public key, and that's it. And the key thing is exactly the same.
So I don't see why it matters for the equality.
I know. Yeah. If you're just a developer, if you just look at it from a purely technical perspective, then yes, it's kind of the same thing, right? On the left side, that did:key is like a public key, which you also have on the right side, and on the left side with the did:web identifier, you look up the metadata about the issuer. And on the right side, you also have to do that. But you have to see the values behind that and the world view, right?
The fact is that on the left side this is symmetrical: anyone with a DID can take the role of issuer, holder, or verifier; everybody is egalitarian. You can switch out one for another.
So then would you say that if we encoded that into the same kind of format, it's equal? I don't think so. Hmm. It's hard to convince.
Well, let me try another example. Here's the biggest, or one of the biggest, discussions that's been happening in digital wallets and verifiable credentials: which protocol do we use for exchanging those credentials? How does a verifiable credential get into my wallet from an issuer? And how do I present it to a verifier? And there have been different ideas: DIDComm, or the OpenID for VC protocol. Both can be used for exchanging credentials, right? But what's the difference?
What's really behind the standards in terms of values? What you have in DIDComm is a model where everyone can connect to everyone else in a peer-to-peer way. You have peers, you have messages that look exactly the same as they go back and forth. Whereas on the right side, if you use OpenID, even with the OpenID for VC extensions and these profiles, you still have the traditional way of thinking about clients and authorization servers and identity providers. You have this asymmetry and this back and forth. Whereas with DIDComm, you can establish true relationships, right?
You have the fraternity, a brotherhood, a sense of being connected between all of us.
Let me ask you this question. When you are making a connection between two nodes in DIDComm, isn't it actually the combination of a server and a client in one place, so that they're communicating with each other that way?
You know, there should be a standard receiver.
Well, yeah, sometimes, indeed. Of course, you have these mediators, you have certain clients and servers, but it can be your own server.
Sure. And the same kind of thing actually was there for something called the Mail Transfer Agent, or SMTP. How many of you actually run your own SMTP servers now?
I do.
But the philosophy behind the SMTP thing was that everybody runs their own server so that it's going to be equally distributed. Now what happened, it's coming back to that increasing returns, decreasing marginal cost thing. What we have right now is a massive email server called Gmail. And Microsoft 365. I'm pretty sure over half of you are actually using something of the sort.
So just the fact that the protocol exhibits that kind of fraternity doesn't provide the quote-unquote decentralized-ness. So could you go to the next slide, please?
Oh, yeah, go ahead. Yeah.
So we talk about decentralization a lot of times, but I have to point out a couple of things. First, decentralization is not black and white. It's a gradation of things. Most of the time it's in between. It's neither completely black nor completely white, right? And you also need to specify what is being decentralized. Without that, you are not talking precisely enough.
And when it comes to something like an identity provider, the decentralized identity people say that an identity provider, like an OpenID Connect provider or a SAML provider, is centralized, right? But how many of them are there? Hundreds of thousands of them?
Well, in the case of the IDP equivalent in the wallet kind of model, the number of wallet instances, that's going to be even more than the population. That's great. But when you think about the provider, the wallet provider, it's likely to be much less than a hundred thousand.
So unless you really specify what is being decentralized, you really don't know what you're talking about. And then it's often the case that decentralizing something just means pushing the centralization point to another thing.
So let's take an example in blockchain, or the Bitcoin blockchain. When you're talking of payment, it was said that it decentralized, but it pushed the centralization point from banks to virtual asset service providers, which are really, really centralized, right? So that's just another example of pushing things around. Also in the wallet model, like I just told you, identity provider centralization is pushed towards wallet providers, right? And things like that.
So it's really relative, and we have to look closely at those things. So my point is that it's not only the technical architecture that we have to be looking at; we have to be looking at the operational and legal controls, right? So don't try to solve everything in the technical way, but also think about how to put the controls in the operational and legal ways as well.
That by itself is not enough, right? We've seen things like the Safe Harbor agreement, and that was a wonderful legal construct, but it didn't prevent our data from getting leaked to mass surveillance and things like that. So we just say that technology doesn't matter and we only need legal controls and all of that?
It's not that technology doesn't matter, right? If you are just relying, or over-relying, on the operational and legal controls, then it would probably be okay as long as, for example, your government is not hostile, but it can turn hostile at any time. And if they started to attack one of the nodes, for example, in this case, all the communication between the end nodes will be observed by the attacker. And that's not really good.
So we should actually have an architecture that allows other technical provisions that will prevent something like that, right?
And I would agree with that, that we need all of these together, but the technology itself matters, and which standards to choose matters: which credential format, which protocol, which identifier, because those have inherent assumptions that are often overlooked.
And that's important, to see through the technical features a little bit and also see the mindset, the political ideas that are hidden behind the data formats and the protocols. Otherwise, the technical part of this would fail.
Yeah, I agree on that, but it's a matter of balance, right? And what I like about the European Digital Identity is that it's making a lot of technical assumptions or technical requirements, but they're also putting legal and operational requirements in as well. So that's a good point. I think the other point I wanted to make was that decentralization actually is not the goal, right? The goal is to make citizens happy, right? The society not miserable. So this QR code is one of the articles that I wrote originally in Japanese back in 2010.
It's still applicable, and it's talking about linkability and things like that. So it's probably going to be a good read. It's all about Les Misérables, and Les Misérables is a formidable novel which talks about identity linking, or unwanted identity linking, as well as the inability to link identities when you want to.
So have a good read of the article.
Yeah, I agree. That's something you can learn from the story, the identity linking, right? As you've explained it, over time and over context.
Another interesting analogy or metaphor that's in this novel is the picture you see on the right side: Cosette, the little girl who lives not with her real family but with a different family who exploits her. She has to do all this hard work and she experiences only misery, but in her imagination at some point there's this story and this dream that she has, the castle on a cloud, right? And I think the analogy is that this would be a little bit like a personal data store or a personal cloud or a decentralized web node.
It's the only place where she can be herself, or she can imagine what person she wants to be, disconnected from the misery around her. And that's also an interesting parallel that I saw. And so this, I think, is interesting to look at: what are the technical means, also the organizational, the operational, the legal means, but also what are the technologies that help us out of the misery of mass surveillance and help us to realize and be self-sovereign and be ourselves. Yeah.
So the goal for us is not the technology itself, but how to achieve liberty, equality, and fraternity, right? And we have to strive for that in the coming days. And don't forget that: don't be too fixated on the technology itself.
I think we can agree on that. Yeah. We all have to come together and achieve it. Okay.
Okay. Thank you very much. Thanks very much. It's great to have two pioneers such as yourselves on the EIC stage. I just wanted to ask you, what role do you think traditional institutions like banks and governments have to play in the decentralized identity landscape?
Well, like I said, I remember a time when decentralized identity happened in grassroots hacker spaces, and governments and banks were sort of the enemy, right? It was at the time of the Occupy Wall Street movement.
And they want our data, they want to exploit us. But I think the idea of self-sovereign identity has evolved, and decentralized identity has evolved, to not be against something but to be about modeling in the digital world what we have in the real world, right? And that means that banks and governments, of course, have important functions, and they should also have these functions in decentralized identity. Some people think that self-sovereign identity is about not wanting to pay my taxes, right? But it's not about that.
It's about having the existing social structures that we have in the real world also in the digital world, but also the same protections and the same human rights in the digital world.
Identity is what we define ourselves, right? So the government doesn't own our identity. Government is accountable for our legal identity, but that's not the identity for ourselves. We as individuals are defining what we are ourselves, and we are free to express that.
If I can add one more thing, I remember a few EICs ago, a few years ago at EIC, I overheard a conversation somewhere on the side of somebody representing a bank, I think, and they said, oh yeah, this new decentralized identity thing is great, we'll just give all our customers a decentralized identity added to their accounts. Right? And that's a little bit not the right way of thinking. It's not something that the bank gives me, but it is something where the bank can still play an important role.
Now, I know that you said it wasn't a question of being black or white, but is there a question you can ask or a test that you can apply to identity projects that claim to be decentralized, to figure out whether that's true or not?
Like I said, you first have to define what you are decentralizing, right? And then you could actually start counting the number of instances or the number of data locations or whatever, right? And you could actually parameterize that and measure how decentralized it is.
I mean, it's one if it's completely centralized, and it's going to be above the number of the population if it's completely decentralized. So you have some degree of measurement there.
Okay, great. Thanks. Let's move on. Thank you very much, gentlemen. Markus Sabadello and Nat Sakimura. Thank you.