The SSI movement: developments and status quo

Well, I'm very happy that Martin just explained the concept of decentralized identity, self-sovereign identity, distributed identity. They're mixed these terms. And my presentation is called the SSI movement because from the year 2017 on, we've seen a growing interest and developments and maturity of this concept. And I'm going to explain a bit about that. It's not that people are having a movement going and demonstrating on the street, we want a centralized identity, but I think movement expresses the fact that it is a sort of ethical sort of, yeah, quest for something good.

And in this way you could say it's a movement. Well, oh, the clicker next. Yeah.

Oh, I have to press harder. So where were we before? And I think Martin has already touched this as well, but digital identity involves registering your same data in this same entry field with a red star where you have to enter the mandatory data again and again and again, returning back, forgetting your, forgetting your account. And then all the time you are distributing your data everywhere. Distributed data, not distributed identities.

And it all started when a technical account for logging on to some that website or some service would grow, not from be just a technical set to log in as a key, but of course some attributes with it and more and more. And building your profile and complete your profile. And before you know, you have thousands of profiles instead of just credential sets. And from there it goes worse and worse. Oversharing everywhere. You don't know if they keep your data safe, you dunno what's doing what they're doing with it.

Well, I don't think I have to go on friction access. Friction in access exclusion, privacy violations, right? To be forgotten, can't be maintained. We have no idea. Broken process flows, broken flows from device to device.

Okay, now that's where we are today. And what is the quest to solve this? Now if we look at the current models of identity, and this is really oversimplifying, siloed identity is where you have a lot of identity providers as they call themselves or around you, silos not interactive with each other and for everyone. You have in your credential set and profile a little bit easier, but mainly on the cost for the organizations.

And the friction reduction for the user could be single sign on where credential sets or profiles are inter working for various domains and you access them by one password or one credential set and yeah, or maybe with all three of them, which you still keep, but at least they work together. And in order to create this identity federation, it's necessarily that these silos have some connectivity with each other because otherwise you couldn't access all of them by the same credential set.

There should be an agreement that yes, you can enter my domain with your, with the credential set from another identity silo. So, and then also of course if that has to be secure, you have to have some oversight. Someone making sure that all the rules are played by and that this one sale, if one silo is very weak and you log on with that credential set to the other silo, then yeah, you want to manage that.

And I compare it to the password, passport Identity Federation, where a passport of the Euro Union, European Union is safe and secure and they have to fulfill standards and there's an agreement. What you do in breaches, this is a big, big job to do this well, but it happens. And then there of course then there is always parties in the middle that think, oh, I'll solve this for you. Come and set, put everything through my par, my platform, and I'll make sure that the user has this ease. And then okay, that helps.

But still you have all the, the, the privacy issues and, and, and you have to set up the agreement and do the governance. And a user in the middle is dealing with all types, all three of them. And the number four is where the user has some impact on the registration where you can reset your own passport password and where you can enter your own data.

You have some self-management, but still you're depending on what the identity relying parties who, who want you to log in with them, they decide what data you're sharing, they, they decide whether this format or that format and how many times and the security is in their hands and you're just depending and you are in the jungle. And that gives a lot of friction. So this is sort of under the hood, the models that we are using today. And now I'm moving over to the decentralized part because a lot of people were trying to make it a lot better.

And I think single sign-on and identity federation were merely for the ease of use and make it easier as as I said, and that exists Single sign-on is, is is of course. Yeah, why not? But it also has bad sides because if I have a weak credential set and I'm doing single sign-on to a whole range of parties, it means yeah, if it's broken, you break the whole set and not just that one silo, eh, so there is also, siloing is also sometimes good separation to, to have separation in silos for security. Kim Cameron, in 2005, he launched his seven laws of identity.

And it's all about user consent, privacy, transparency, anything we want of good identity, user manage access, the CANTARA initiative with the standards on how, how to give users more influence. And then the European Union thought, okay, we want a single European digital market. So we need seamless identity working across borders for the whole European Union. And in order to do that, like the identity federation with the passport, we're going to describe a, a framework for identity federation for digital identities, national digital identities of the member states in the European Union.

And we call this the Eidos legislation. And VER version one was there in 2014. So digital identity, nation origin, government identities to work together cross border for students studying abroad for people going to a hospital in a different country for people moving from one country to another. Another use case would be the farmers on the border between Belgium and Holland. They would have their land in two ends and they had to register their whatever tax things in two countries.

So they could do that with one I, the idea was that they can do it with one identity from one country and do the whole set, the whole registration, but it didn't really fly so well because only few, yeah, many use cases. There were not many use cases. And there's a very small user adoption and it, yeah, it's a regulatory framework and no one knows it and, and the world runs. So then we had Christopher Allen in 2016 publishing his 10 principles of self-sovereign identity. And this was really the, the real movement where it started, it was very famous and still is.

And that's all the good identity principles. I'm coming back later to the what they are and yeah, the whole with the blockchain, emerging networks could be secured or be more secure. So people started to build wallets and have this decentralized implementations.

And the, the European Union had seen this, the Horizon 2020 program, innovation, digital Devi, the digital age, a lot of money they were sending out to innovations for people who were developing academia or companies or just sole inventors. They could get money for innovation, for digital identity on the European blockchain lab. They had a blockchain infrastructure built for people to, and policy makers to learn how it worked. And identity was one of the use cases they wanted to support.

And I used to be in the board of the handing out these grants, reviewing these concepts and these requests for grants. So I've seen 60 infrastructure and use case based applications and some of them were really well advanced, but that's al already 2018, quite long ago. But I think, I'm not sure, but this might have inspired the EI does policy makers to also invite the decentralized identity concept into the next version of the e ida's legislation. But it took a long time. Then I have to mention 2021, that was at Kuppinger called the EIC 2021.

We had the Global Asserted Identity Network where you see all the other people fighting for good digital identity, like the Open Identity exchange and the Open ID foundation. And I pinging identity joined them. Google has joined, the Microsoft is joining. It's really growing. If you want to know more about that, you have to, you can find this. And Nick Shaw, there are lots of EIC presentations with content with more information about this to make it global, not necessarily decentralized, but another quest for good digital identity working seamlessly globally, not just in Europe.

And in 2021 and on the 3rd of June, there was also a proposal to amend the 2014 e IDOs legislation, the Old Fashioned Identity Federation framework, but Digital Passport Federation, we can call it. And then after the E IDOs version two, also during, I think was it during ESC 2022, Daniel Gold Schneider, we have the Open Wallet Foundation launched. So in the sort of, yeah, I think it's it's part of the gang initiative. The same people were there. And I remember being in a big panel with I think almost 10 people, but there was a good and nice big launch.

And they have their meetings still every Wednesday and they've been presenting in workshops also in e IC this year. So really, it it becomes tangible. It's not just talking, it's not just paperwork.

But, and, and the problem is always the standards because to be decentralized, you have technical standards, semantics standards, you have to set up a whole framework, which is like the, the water pipelines. But it, it should. Yeah.

And, and, and I think the SWIFT network, which is the network across the banks, every bank in the, on the globe is connected to that. And it's it and, and it's there. Although there are hundreds of banks, they managed to get one network, one messaging standard. And I've read that standard, you can't read it. It's 800 pages now. It becomes an ISO standard, but it it, I think that took a long time. And the SWIFT was a private company, but it worked. And I think we need to go the same route for digital decentralized identity.

And some legislation does help because it at least raises the awareness and could help raising the standards. Okay, large tax, I was googling some of them and many of them I saw Cyber rock, IBM, Microsoft, they all look at decentralized identity or self-sovereign identity. So they also are aware of the concept and think they have to do something with it. The CTO of digital identity or IAM for Europe of IBM was calling me.

Well, I am now that my boss has asked me what to do with digital decentralized identities as IBM, what can we do? Is there a business case? What should I do? So I know it's, it's, it's also raising awareness there. And in 2024, I think we have the first month, the next version of EAS two for Europe, for decentralized identity legislation will be enforced.

Now if we have self-sovereign identity, I think the word is a bit more ethical than it really is because you, of course, you can't be completely secure, completely privacy friendly, completely seamless and completely sovereign because you need that identity to be issued from somebody. If you want it to be trusted, someone has to issue a good digital identity. But there's, these are one of the, the main properties that a good identity wallet or good identity scheme should have. So you shouldn't be, there should be unlink ability.

You should not be able, there should not be one platform in the middle that can link all your transactions and follow your life and build a profile about you. So the wallet should be not, maybe the wallet could store these transactions, but only for the user to be seen. And of course, zero knowledge proof. You could validate something, a claim that could be true, but you don't need to share the whole data.

And the, the classic example is always, if I want to buy wine, I have to prove I'm over 18, but you don't need to know my date of birth. And even, yeah, so as data minimalization validation, not just data sharing, your whole passport and no data collection, also persistence. This identity should be having a long life with life cycles with attributes to them.

But, and not all the time a new one, you should be trusting that you're, you, you are owning this identity and you can manage it and not be dependent on someone else. That's the existence property that Kim Cameron is mentioning. Control and consent, transparency, you can all find these, the same properties in the GDPR, the genetic generic data protection legislation from 2018 in the eu. Portability, you should use it everywhere. It's a wallet. It's a sort of privacy cockpit wallets that you're carrying with you.

And in it are all these good properties, big money, small money, big data, small made data, personal data, not important data, really critical data. It should all be there and you should decide what's going where. So it would mean that from this setup where all these organizations are deciding about what is needed and what you need to come, what they want from you here, you get the wallet set up where the user is in the center. And if you see the identity, which is issued, the user decides it's now this identity. I loaded into my wallet, my user agent, my device, my app in most cases.

And then it's there. And when some service provider needs my identity from that wallet, I can present it to the other party and I can collect more e aas, electronic at the station attributes, attribute attest stations. Those could be my age, those could be properties of me that I need to present somewhere else. It could be my driving license, it could be education certificate or tickets to some pop concert. It could be anything that I need to show and present when I want to get a service online or even physically. And so I am the master of my wallet. It's just like money. But for money.

You also have these agreements, standards, central banks controls. And I, I, I think a wallet is a very good comparison function functionally. And if you go to different country, you have a different currency. But of course there are exchange agreements. Now if you have to translate this to such a technical thing, like a wallet, you can imagine there's quite a lot of things you have to arrange for that before it works between the European Union countries just for identity and signing and not, and and attributes to set up this whole framework.

But that's all described in the Aidas version two. And I'm now quickly moving a bit because this is actually what happened in the last few years. They started in 2011 with some sort of identity federation, project stork, then stalk two and then E does one in 2014.

And then this SF lab, the blockchain lab of the European Union with the next generation internet and, and, and all these identity innovation grants they were handing out, which then we had ADAS two, the paradigm switch was very large from just federated identity and some nodes with that to an option for digital decentralized identity fires. And so this is really, yeah, I think for European Union, quite bureaucratic, large policymaking environment, I think this is really big step. Really a big leap now. So this is their, the, the definition of the digital identity wallet.

And I like, as I've already explained, this has changed over time in the, since June when the first version of the text was launched, it has been a lot of things changing before they could accept it. But on the 8th of November, it was accepted last week, the parliament, the commission and the council of the European Union agreed they had had their trial logs and their, now there was a lot of discussion, what you need an architecture reference framework, RRF, it's already there.

In the second version, you can just, if you Google that, you find it, you see all the specs, a reference wallet, a a real tangible wallet to be built for people to play and have a look at it. Large scale pilots, I will have them in the next slide, 30, 49 million with granted. And parties could write, write up for getting this money.

These, these are in the next slide endorsement of the member state. And in 2030, 80% of us Europeans would be able to use this. So I have to speed up, this is all new as opposed to I 1.0. It's not just public and government, but it's also for private companies and car private use cases to provide the wallet if they are certified and to also the use cases. So that's a big expansion. Natural persons and legal persons certification of every wallet, not just schemes for a country to be peer reviewed, qualified electronic attestation of attributes.

Those attributes should be, well, they should be semantics, they should be a sort of taxonomy. What is what you have? You need trust lists. If you onboard as an issuer of this data, you should be a qualified issuer in a way. And there should be guardians qualified trust service providers. And one of the difficult things is that any party who is by law or by by contract mandatory to do secure customer authentications, think banks, they have to accept every certified European identity wallet now. And they don't like it because it means it's a lot of troubles.

Ev imagine you have 30 wallet buttons to choose from in the interface of the bank. So my worry, and those are some now these are the pilots and then I'm coming to my last slide. They still have 45 detailed acts to implement, to define, to, to do, to write actually on all these technical details because you don't write legislation with technical details in them because that's old fashioned and outdated when the law is accepted. So that's all in implementing acts, 45 of them with a lot of operational specs.

So before anyone can really be compliant, we have to wait for 12 months before these laws are there. And that's about all the standards and requirements in operating things.

And yeah, there are a lot more practical challenges. Yeah, because you have a lot more work to do to make, make this ecosystem work when you have 40 wallets in a country instead of the only a national scheme. And my fear is if it works well, the question is, will the user be more happy? I think privacy, everything, it would be a lot better. But if it goes wrong, we have a lot of wallets, we have the leg legacy landscape and the user has even more choice.

Although it's, as we saw from Martin Martin Martin's presentation, it's, yeah, a wallet is a lot better than the old schemes that we used to have. But I'm beyond my time. So that's it.