My name is Pamela Dingle. And as you can see, I am the Director of Identity Standards in the Azure Identity division at Microsoft.
Now, if I were to meet you in person, the way that you would probably remember all of this information, you know, what my Twitter handle is, what my email address is, would be because I handed you a business card. So there would be a physical ceremony where I would hand you a piece of paper, and you would look at that piece of paper and use it as an aid later on. Maybe you met 25 people yesterday, and you can look at your cards and see that I happen to be one of the people that you met. This is a very common identity paradigm.
This concept of an introduction, in this case, when you think about what a business card is, it is a very lightweight way to communicate an identity across a domain. And it's a very useful metaphor for looking at what in the digital identity world is typical and what is unusual as we pass identity back and forth between domains. So let's just take a look at this business card paradigm here a little more closely. I did it again. I hit the space bar.
Well, at least you will be entertained by me talking silently. Here we go. Now, the identity card paradigm is all about sending data that has low assurance, right?
So, you know, a business card is really, really convenient because it's very portable. It's also long-lived.
In fact, you can see the scrapes on my business card, because I've had these business cards now for quite some time; I don't give them out very frequently anymore. But the other thing about this card is that presence is assumed. If you find a business card, you know, tucked into your wallet or tucked into your bag, it's probably because you had a physical interaction with this person at some time. If you were just to open your mailbox one day and find 10,000 cards in your mailbox, the value would be diminished.
And also, the truth is that I could print anything I want on my business cards. I could say I worked for a different employer. I could say I was the CEO. There is no real barrier to prevent me from printing the things, you know, that might be lies. There is also no real easy way for you to verify, other than possibly using common sense or maybe LinkedIn, right? So this is very much a ceremony that's predicated on convention, right? There's not much advantage to me lying to you.
And so therefore, you know, there's really no reason why you have to spend a lot of time building a lot of very heavy verification processes as a result. So that's great. Look at that. I did the slides properly this time. It's fantastic. So great. So let's just talk about what we saw. Now, if you just watched Kim's presentation, you will be familiar with the roles of issuer, holder and verifier.
So what you saw there, you know, in our business card transaction, is the idea that the holder, meaning Pamela Dingle, presented a card to you, in this case over a video paradigm, that anyone could verify by looking me up, and that I basically printed. You know, there's a way that I print business cards at Microsoft, but nobody checks it. So: lightweight, easy, mostly it's a form fill. It's just easier than you having to remember this data later on. Great. So let's just talk about now what the next version of this paradigm is.
If you're familiar with the concept of roadside assistance, this idea is that you get a card, and usually you get this card because you're a member of an automotive club. So in America, that could be the American Motor Association. This is a Canadian card, because I'm Canadian. So this is the Canadian Automobile Association.
And the idea of this is that because of your membership in this club, you pay dues, and part of what your dues get you is the ability to have your car break down anywhere, possibly internationally, and have somebody with a tow truck be able to come and get you and tow you away. So the interesting thing about this card is that it represents a loosely coupled trust framework. And here's what I mean by that. Let's do that same analysis now for my auto club card, right? So this card is portable.
You can put it in your wallet, you can take it with you anywhere. When you break down, you certainly want to have the card in your wallet. You don't wanna go searching for your card at that time. It is long-lived, in that you can see there's nothing on this card that in fact expires. In this case, it is verifiable. It's not easily verifiable. So that's a very interesting point about this card. But the other piece is that this is an example of ad hoc trust.
So this card, you know, if every automobile club in the world had to have a direct trust relationship with every garage or tow truck or, you know, car fixing location in the world, that would not scale. It is impossible for that to scale. And so what happens instead is we have delegated trust. So these clubs have delegated trust to a network. And that network is what allows you to tell whether a given garage or a given tow truck is part of the network or not.
So, you know, that idea that you don't have to have a preexisting trust relationship is really important. There are ways to commit fraud here. You can see it by looking at it. You could see that a garage could, if they got hold of these member numbers, create fraudulent claims that a given member with a given number had, you know, been towed into town, for example. So that incentive does exist, and it does need to be mitigated. The question is, what is the correct amount of mitigation to combat the fraud?
So let's do the same analysis here from a trust and business perspective, right? We know that in this case, the card is issued by an authority, in this case the auto club. The card is, however, presented by the holder, meaning that I, Pamela Dingle, the driver of the car and the person who is going to get in trouble, am going to hold this card. And then the verifier of this card is somebody who is in a network that is trusted by my network, right? So at least two layers removed from any direct relationship that might exist. Right?
And so there's a network of independent businesses that are going to try to satisfy my need based on my membership in the auto club. Now, how is it verified? That is, of course, different depending on what kind of technology it is. It could be a hologram that shows it hasn't been counterfeited.
In theory, these garages could make phone calls to verify the identity of the recipient. Again, the level of verification needs to match the level of business fraud mitigation, right? So now we get to go to what almost all of us are much more familiar with today, which I would call federated identity, right? So now we've moved out of the physical world and we're into the digital world. And things are very, very different in the digital world, for very good reasons. So when we do federated identity, we are just like these last two examples. We are communicating information across domains.
That is what federated identity, and generally, you know, a large part of digital identity, does. So the difference is, what we don't have is this concept of physical presence. We don't know that the user is right there, standing in front of us. And so we have to find ways to make it work anyway. So the way that we do this today, or the most common way we do this, is by using a browser. So we assume, because a browser is what we would call a passive client, right? So there's the browser.
It doesn't do things unless you make the browser do things. You, the human being, push the buttons, you select the menus, you click on things, right? And by doing those movements, you are proving your presence in some way digitally in front of the browser. And so what we have evolved in the world of federated identity, because we wanna send information across domains, we have evolved essentially what I would call the information-in-a-suitcase-with-the-handcuffs, the trusted courier method of moving data across domains. So we take all of that same information. I'm Pamela Dingle.
I am the Director of Identity Standards. I, you know, I am a user at Microsoft. We shove that into a structured document. And then that structured document is forwarded across to a new domain, but it's done with some very specific security requirements. It has to happen fast.
So, you know, we don't want those kinds of structured documents to last for a very long time. We want them to be short-lived. We want them to be transmitted at a time when the user is provably present in the browser. Right?
So you can think of it as a big rush. It's a big rush. We care about the transport. We care how securely that transport has been established. And that's, you know, that's what we're doing. We're sending these sort of high-security couriers from domain to domain in order to send the same types of claims that you saw in my business card. Now, this works really well. There is no real issue with this.
I mean, other than the fact that there are hackers everywhere and they're really trying to get our data, and that's never gonna stop. But you can see the difference, right? The difference is the time, and the presence. Those two things, time and presence, are the real difference between the physical examples that I've shown so far and the digital example of federated identity that you're probably familiar with.
So, alright, let's do our same comparison. We know now that the issuer in a federated identity use case is again the authority. So it could be Azure Active Directory, for example, stating that a user is a member of a company, and then Azure Active Directory is going to send a SAML assertion, for example, across to, say, Salesforce in order to have the user authenticate to Salesforce. So there is no holder in this case. The holder, if anything, is the browser, right?
The user doesn't have a say. The user is just clicking between Azure Active Directory and then clicking between Salesforce, and the user is coming along for the ride, right? There's nothing there; the presence is assumed. They are assumed to be present in the browser rather than participating in the way that you do in the physical world of handing your card over. All right, let's keep going. We're almost there.
So, all right, we've gone through three different digital identity communication paradigms. Here's the last one in my set, and this is verifiable credentials.
Now, verifiable credentials are, you know, again the thing that Kim has already discussed. So I think you're probably familiar with what they are, but the idea of a verifiable credential is very, very similar to the idea of a federated identity credential, such as a SAML assertion. The difference is who the credential gets issued to in this case. What you're seeing here on the screen is a verified student credential issued by Contoso University to Alice Smith.
So it is not a case of federated identity, where Contoso University has created a structured document intended for some destination, some audience, like a place that Alice might want to log into. This credential is simply given to Alice, and it is issued against an identifier that is uniquely held by Alice. And that unique identifier is not affiliated to the authority, to any authority. It is affiliated only to Alice, the human being, and therein lies the interesting bit and the disruption.
Now, Alice has her own identifier that she can control any way she wishes. And she has a credential issued against that identifier. So that sounds great. Let's keep going. So now that you have this amazing credential in, for example, a wallet, what are you going to do with it?
Well, the great thing is you can do anything you want with it, the same way that you can choose when to show your roadside assistance card. Maybe you're gonna use it to get a discount when you walk into a drugstore. You can now do that digitally with a verifiable credential. And so in this case, what you're seeing is a bookstore that is willing to offer a 20% discount to anyone who can prove they are a student. Now, is Contoso University ever going to create a direct trust relationship with every bookstore out there that wants to offer discounts? Of course not. They absolutely will not.
This is an example of ad hoc trust. And so in this case, because we're using decentralized, or verifiable, credentials with a decentralized backing, Alice can actually satisfy this need. And so Alice would scan the QR code that you see. She would be able to then perform what's called a verifiable presentation. So she will be able to pass the information that is in her verified student card. And she's able to prove that the entity that this card describes is her, because she owns the private keys, the cryptographic keys, behind the identifier to which this card was issued.
So you can see that it's a decoupling, right? We've decoupled the issuance of the credential from the verification of the credential. And the reason why it works is because we've reintroduced presence into the mix. So let's go back and look at our analogy here. So in this case, now we have a verifiable credential.
It is again issued by an authority, just like a federated identity would be, just like a roadside assistance card would be. It is now presented by the holder, even though it's digital, because the holder has a set of cryptographic keys and can prove that they are the subject referenced in a credential. All of a sudden we have a way to prove that the user is involved in the process, and that is the step forward that we're making here. And then the last one, you know, you'll see at the bottom here: how is this verifiable credential validated?
Well, you know, the word that we're using in the industry is trust framework. Many, many of these things are trust frameworks. When you really look at what a trust framework is, it's, you know, your trust framework is how you know how to trust a given... you know, how should a verifier trust a given issuer, right? Well, a network of independent businesses, that's a business relationship that certainly counts as a trust framework.
So, you know, trust frameworks and verifiable credentials are no different than, you know, this concept of networks of businesses that have existed, you know, since time immemorial. All right. So let's wrap this up and talk about what this means from a business disruption perspective. The tech is cool. The tech is really cool. Here are the things that I think are really disruptive about verifiable credentials, and that are new, at least in the digital world, if not in the physical world. First of all, Alice can talk about what she can do without having to talk about who she is. So, you know, in federated identity, you generally have to say, I am Pamela Dingle, and I have these attributes. With verifiable credentials, you don't have to do that. You can literally say I'm an anonymous student of Contoso University, if you want to. Right. And so this changes the ability.
I don't have to authenticate first before I apply this card. I can simply hand the card to a verifier, like a bookstore, and have them take that at face value, because they feel like they can place trust in the trust framework behind it. All right. Two more things, and then we're wrapping up. So we wanna foster impulsiveness. So this allows people to very quickly supply their card without having to sign up for an account.
Huge, right. We've already talked about the decoupling, how it pulls apart the issuing and the verifying party from a time perspective. And that enables various business models. Obviously it enables scale as well. And then the last piece is, as an industry, we are moving towards a world where software has to help us to be successful.
And so, while the cryptography is hard in verifiable credentials, I believe we're at a place now where that does not have to be a barrier. And I will leave it at that so that we can be on time. And hopefully there are some questions.
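The bookstore flow described in the talk, reduced to its security core, as an added Go sketch that is not part of the presentation or of any Microsoft or W3C implementation: the issuer signs a claim against the holder's own key with no audience, the holder later proves possession of that key over the verifier's fresh nonce, and the verifier checks a trust list rather than a direct relationship. Names such as Issue, Present, Verify, the JSON field layout, "contoso-university" and the nonce value are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential: the issuer's signed statement about a holder-controlled identifier (here the
// holder's public key). Unlike a SAML assertion it names no audience; the claim can be a role.
type Credential struct {
	Issuer    string            `json:"issuer"`
	Subject   ed25519.PublicKey `json:"subject"`
	Claim     string            `json:"claim"`
	IssuerSig []byte            `json:"-"` // excluded from the signed payload
}
// Presentation: the credential plus the holder's signature over the verifier's fresh
// nonce, which is what reintroduces presence into the digital flow.
type Presentation struct {
	VC        Credential
	Nonce     []byte
	HolderSig []byte
}

func payload(c Credential) []byte { b, _ := json.Marshal(c); return b }
func binding(c Credential, nonce []byte) []byte { return append(append([]byte{}, c.IssuerSig...), nonce...) }
// Issue: the authority signs the claim against the holder's key.
func Issue(priv ed25519.PrivateKey, issuer string, subject ed25519.PublicKey, claim string) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claim: claim}
	c.IssuerSig = ed25519.Sign(priv, payload(c))
	return c
}
// Present: the holder proves control of the private key behind Subject.
func Present(holderPriv ed25519.PrivateKey, vc Credential, nonce []byte) Presentation {
	return Presentation{vc, nonce, ed25519.Sign(holderPriv, binding(vc, nonce))}
}
// Verify is the trust-framework side: trusted issuer, intact credential, our own nonce
// (no replay), and proof of possession of the very key the credential names.
func Verify(trusted map[string]ed25519.PublicKey, nonce []byte, p Presentation) error {
	issPub, ok := trusted[p.VC.Issuer]
	if !ok { return errors.New("issuer not in trust framework") }
	if !ed25519.Verify(issPub, payload(p.VC), p.VC.IssuerSig) { return errors.New("credential forged or tampered") }
	if string(p.Nonce) != string(nonce) { return errors.New("stale nonce: presence not proven") }
	if len(p.VC.Subject) != ed25519.PublicKeySize || !ed25519.Verify(p.VC.Subject, binding(p.VC, p.Nonce), p.HolderSig) {
		return errors.New("presenter does not hold the subject key")
	}
	return nil
}
func main() { // constructed sample keys and names, not a real deployment
	issPub, issPriv, _ := ed25519.GenerateKey(nil)
	holPub, holPriv, _ := ed25519.GenerateKey(nil)
	vc, nonce := Issue(issPriv, "contoso-university", holPub, "student"), []byte("bookstore-challenge-1")
	fmt.Println(Verify(map[string]ed25519.PublicKey{"contoso-university": issPub}, nonce, Present(holPriv, vc, nonce)))
}
```

A copied credential presented by someone else, a replayed presentation, or an unknown issuer each fails a different check, which is the decoupling the talk describes: the issuer is never contacted at verification time.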