Okay. So again, I'm Kim Hamilton Duffy with MIT Open Learning, and also co-chair of the W3C Credentials Community Group and architect of the Digital Credentials Consortium. Okay.
So we'll go into four parts. First is: what is decentralized identity? We'll do a quick covering of the standards, ecosystem and components. We'll highlight a couple of use cases that show, you know, very different scenarios where this can be used, and then we'll move on to pitfalls and recommendations.
So, first let's talk about what is decentralized identity. It's often associated with self-sovereign identity, or SSI, which is also hard to define. The way that I describe it is a set of standards, technologies, and principles that seek to enable individual control over digital identities and personal data. So it's also easier to think about it in terms of the goals, which is interoperability and portability of data and identity data. And I included a reference at the end of the presentation to a report I wrote that attempts to describe this in much greater detail.
So we're just gonna do a lightning survey through the standards ecosystem and components. Let's start by talking about the roles in a decentralized identity ecosystem: the issuer issues to a holder. And that's really the key difference of the decentralized identity ecosystem, that the holder is at the center of the exchange. And this means the holder can also choose how and with whom they share their data. And so the verifier can take this, and due to the unique standards and architecture that we're talking about here, the verifier can independently verify these credentials.
There's also a separate role for subject as being distinct from holder; for purposes of this slide deck, they're gonna be the same. And there's also a different role for relying party. The key standards are, and we'll basically look along these lines: the payloads that get passed along, the standard that covers that is a W3C verifiable credential. And these are tamper-evident, flexible verifiable credentials, and they're verifiable in a decentralized manner. So these are in italics because we're kind of using circular definitions. We'll talk a little bit about that.
The other key standard that's relevant, or foundational standard, are decentralized identifiers. And these are secure, flexible, decentralized, again, means of identifying both the issuer and the subject of these credentials. So these are the things that are really transformative in terms of enabling the full verifiability. What is a credential? That term is really confusing. So a credential is simply a set of one or more claims made by an issuer about a subject. It can be a passport, ID card, a bearer pass like a movie ticket.
It can be a health insurance card or a diploma, so you can fit any range of claims or assertions in there. And then verifiable credential is the extra part that makes it tamper-evident and having cryptographically verifiable authorship. So next let's talk about what is a decentralized identifier, and this is really too much to get into here. So we'll just briefly describe it in terms of its properties. So it's a new type of URL that's globally unique, highly available, cryptographically verifiable, and with no central authority.
I find that a good way to think about it is as a cryptographic key, but with built-in lifecycle management. So you can rotate it, delete it. You can do the normal things that are part of cryptographic key best practices as a first-class notion. And I wanna call out also that it says "with no central authority"; what it really means is it doesn't require a central authority. There are many different DID methods.
And the one example I'm showing here, which hopefully users should never see, is the BTCR DID method, which is implemented on the Bitcoin blockchain. There are many, many other DID methods, including ones that resolve to well-known website domains. So the other interesting way to think about decentralized identifiers is in terms of what problems they're addressing. So to date, every identifier you use online does not belong to you; it belongs to someone else. So URLs are leased to you, phone numbers loaned to you.
Government-issued identifiers, such as in the US social security numbers, are often very misused commercially, and management of identifiers is so hard that it gets outsourced, and all of these lead to problems of data silos and huge security risks. So these lead to all kinds of problems: cost, portability, privacy and security. So now let's talk a bit about how this happens. The verifiable data registry is one of the key parts. So the issuer issues credentials, holders can go around and share them with who they want, and the verifier uses a process to verify the credential.
Now it's important that even though the holder is in charge of who they're sharing it with, the issuer wants to control the life cycle of the credential. So they wanna do things like revoke or suspend a credential, and how we accomplish this, and this is where the distributed ledgers come into the decentralized identity discussion, is these verifiable data registries. And these are typically stored on decentralized identifiers or blockchains. It doesn't have to be. And another way to think about this is in terms of what kind of data it stores.
So they're generally the aspects of the verification process that are storing credential status and decentralized identifier anchors, which we won't really get into, but it's basically a sort of root of trust for these identifiers, and then also lists of trusted entities. So it might be a consortium of trusted issuers and things like that.
And then the last thing in terms of the relevant standards and components: okay, so there's a whole big stack of emerging standards and reference implementations based on verifiable credentials and DIDs. So you can largely think about some of the key ones as covering the arrows between parties. So the means by which a holder requests a credential, the means by which a holder exchanges a credential with a relying party, authentication, and then beyond. So if you focus on the holders specifically, if they have a whole bunch of verifiable credentials, how do they manage them?
So there are standards around secure storage of these and retrieval, digital identity wallets. And then lastly, for standard payloads within a verifiable credential, because the verifiable credential is very flexible, we call it an envelope almost, and you can store all different kinds of payloads.
But we wanna promote interoperability. And I called out a few places where the work is happening; at the end of the presentation I'll have some links. So let's talk through some use cases. We're gonna cover some pretty different ones. These are very interesting to me because they demonstrate how decentralized identity is being used right now.
So the Global Legal Entity Identifier Foundation recently announced how they're using these standards. And so I have included a sort of rough diagram of how this works. So GLEIF accredits a local operating unit, and there are many local operating units, that can then work with different legal entities. So what happens is the legal entity will bring their legal documents to a local operating unit, which the local operating unit will then check.
And then they can verify that information, issue the legal entity an LEI code, legal entity identifier, and do this all through decentralized identifiers and verifiable credentials. Now, the great thing about this is it's very scalable, because the legal entity can then, using those credentials, designate people in the organization acting in official roles. So this might be a company officer who's authorized to submit regulatory filings.
And then the great thing about this is, at the very end of it, the regulator can then walk this whole chain of credentials and verified trust sources to make sure that this person is indeed eligible to do that. So I think what's really interesting about this flow is it's using decentralized identity standards and components to make this process more efficient and more trustworthy. There are some sources at the bottom where you can learn more about this. The next use case, which is quite different from that, is the one that I'm involved in, which is the Digital Credentials Consortium.
It consists of 12 universities. And our goal is to use these standards to enable portable lifelong learning records.
So the key advantages to us, of course, are that they're portable, standards-compliant and learner-controlled. So in this manner, learners can share their credentials with relying parties, and the relying parties can establish integrity, authenticity, and learner identity, all through this standardized process.
So one of the key compelling aspects of these standards is that they enable a very scalable approach. Our universities are in very different geographical locations, and we're intending to add more even. And so different regulations will apply around many, many aspects of this, whether it's identity proofing, identity assurance, or how learner data is handled.
So this approach really allows us the flexibility to adapt to these different systems and different requirements. So the idea is that this solution will reduce fraud, reduce friction for learners, who don't have to go back to their issuing institution every time, and then also improve efficiency for employers and other relying parties. The really great thing about this, and really transformative thing, is: when one thinks about educational credentials, you may think about the obvious transcript or diploma at first.
But if you have a trusted process that relying parties can use, then you can recognize lifelong learning in all forms, which can lead to more equitable learning and career pathways. So this last bullet is really why we're doing it. There's still a lot of work to get there, but we feel like this is really the key change that we need to bring to the world. Okay. So let's talk about pitfalls and recommendations of decentralized identity.
It's important to remember that these are new standards and technologies involving risk, and that's one of the reasons why the Digital Credentials Consortium exists. We have all, you know, taken a sort of commitment on behalf of our learners to shield them from the uncertainty of the standards. So we can make that commitment to our learners. With any new standards and technologies, it's important to remember that you have to do security audits and threat assessments of everything.
The other thing, which I think fortunately the world is coming around to, is that even with blockchain, especially with blockchain, a responsible architecture is still needed. So very little typically needs to be on a blockchain. And the failure to recognize that is often where things go wrong and where you hear about blockchain projects failing. So no need to boil the ocean. I think it's important to focus on where decentralized identity components bring value.
And lastly, it's around the origins of these approaches, which tended to be what some people call techno-utopian: the idea that cryptography can solve everything. And the technical elements are helpful and transformative, but they're just a small part. We still need to answer things like how does it fit into regulatory policies? So fortunately awareness and work around these are underway, and this is one of the focuses of DCC. And then I'll briefly list some recommendations, but you may think of these as "ask your vendor" if you're looking into decentralized identity solutions.
So it is important to know that these are not meant to replace existing identity proofing and assurance frameworks. So things like NIST digital identity guidelines, eIDAS levels of assurance in Europe, are still relevant, as is aligning with data handling frameworks and requirements.
So these standards do allow this, but there are many different implementations of decentralized identity, which, you know, each of them need to address how they handle this or how they intend to handle this. The area where I get really excited, back to not boiling the ocean, is that there are emerging approaches such as what's called DID SIOP, which you can think of roughly as a decentralized OpenID Connect. And what's really great about that is you can start using these standards and integrate into your existing authentication and identity processes.
Lastly, well, second to last, with security and usability, which end up being one and the same, we don't wanna reinvent the wheel there. So FIDO2 has a lot of interesting improvements around decentralized storage of biometric material and things like that, which we all know tend to be easier than passwords. So there's still a lot of work happening on reconciling how these all work together, but I really think we can learn from each other. And then I think the most important thing is that principles of SSI rely on humans and not just technologies.
So if you have an approach that involves a whole lot of new technical components, who might you be excluding, and what happens if any of these pieces fail? So you wanna have the backup plan and you wanna make sure you don't exclude people. And so this is really pointing to that.
It's a much bigger problem and we need everyone's help across many different sectors. And then I have a list at the end of references and ways to get involved.
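The issuer / holder / verifier flow the talk describes, with the verifiable data registry holding DID anchors and credential status so the verifier can check a credential without contacting the issuer and the issuer can still revoke it, as an added Go example that is not part of the talk or of any DCC or W3C implementation. The Credential and Registry types, the did:example DIDs and the plain Ed25519 signature are constructed stand-ins for the W3C data model, a real DID method and a real proof format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Credential is a constructed stand-in for a W3C verifiable credential: claims plus the issuer's signature.
type Credential struct {
	ID      string            `json:"id"`
	Issuer  string            `json:"issuer"`  // issuer DID, e.g. did:example:mit (constructed)
	Subject string            `json:"subject"` // holder/subject DID (constructed)
	Claims  map[string]string `json:"claims"`
	Proof   []byte            `json:"proof,omitempty"`
}

// Registry is a toy verifiable data registry: DID anchors (DID -> key) and credential status (ID -> revoked).
type Registry struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// payload is what gets signed: the credential with Proof cleared (encoding/json output is deterministic here).
func payload(c Credential) []byte {
	c.Proof = nil
	b, _ := json.Marshal(c)
	return b
}

// Issue is the issuer's step: sign the claims with the key anchored to the issuer's DID.
func Issue(c Credential, priv ed25519.PrivateKey) Credential {
	c.Proof = ed25519.Sign(priv, payload(c))
	return c
}

// Verify is the verifier's step, with no call to the issuer: resolve the DID, check the signature, then status.
func Verify(reg *Registry, c Credential) error {
	pub, ok := reg.Keys[c.Issuer]
	if !ok {
		return errors.New("issuer DID not anchored in registry")
	}
	if !ed25519.Verify(pub, payload(c), c.Proof) {
		return errors.New("signature invalid: credential altered or not from this issuer")
	}
	if reg.Revoked[c.ID] {
		return errors.New("credential revoked or suspended by issuer")
	}
	return nil
}
```

A holder who edits a claim, a credential from an issuer the registry does not anchor, and a credential the issuer has since revoked all fail Verify, while the unmodified credential passes.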