Verifiable Credentials for the Modern Identity Practitioner

Everybody and welcome. Thank you so much for waking up. So early in the morning after a fantastic cruise. I'm told it was very good. I didn't come to come here and spend a good 20 minutes about thinking about verifiable credentials, verifiable credentials as you might have had a feeling by looking at the agenda. Here is a very important topic. As practitioners, we absolutely cannot ignore it.

However, when you listen to the enthusiasts talking about this, sometimes you hear some pretty puzzling statements like centralized databases will disappear or applications will be incapable of saving personal identifiable information. And extraordinary claims call for extraordinary proof.

But again, when you listen to these people, I often get this vibe which is well represented by this meme. I dunno if you're familiar with a series, there's this meme in which there is some drawing instruction and the first step is a silhouette varies. And the second step is the entire thing.

Just like, okay, how did you teach me anything here? And if you, again, not everyone to be fair, not everyone actually, it's luckily less and less. But some of these people when they do presentations, they do one slide saying a centralized databases are bad because a single point of failure. And the next slide is 169 Did methods with nothing in the middle. Like how am I supposed to evaluate VO statements?

So today, today I'll attempt something pretty ambitious. I'm going to try to derive in just 19 minutes from traditional Im primitives the concept of verifiable credentials. And hopefully that will ground us and it'll make us able to actually think about some of our statements and see how that turns out. Now this is a good moment to say that this is me, good old Victoria, I'm not selling you anything. And also you will hear me poke hall in some of those things. But that doesn't mean at all that I don't believe in the technology.

I believe that technology not only is important, it is necessary. However, if we adopted for the wrong reasons, then we set ourselves to fail. And so I just wanted to do my part to try to bring some pragmatism in this topic. All on board, no one left.

Good, good sign. Very good. I'll start by telling you that you have been lied to and there is a very good chance that for many of you I was the one lying to you. If you go back to the days in which you first were introduced to modern identity claims based identity, you probably heard the variant of this metaphor in which you have someone that wants booze and in order to get booze, they have to present some document from some government entity which proves where age and the outcome is your liver fails. And that's exactly how identity works, right? Our claims of be identity works.

No, it isn't Here, there is a how we actually do things and let's speak up. It could take pretty much any protocol. Here you have a relying Friday that sells wine. You try to get to the page that will sell you wine. And this page somehow says, okay, you need to be authenticated. So I'm gonna send you somewhere to authenticate with a list of the things that I need in order for you to perform the operation that you want. And typically here what happens is we get authenticated, you get an artifact, say an add token. These are token, I know it's small, but it's just for giving you an idea.

Contains a number of attributes including for example, my age, which is relevant in here and things like the audience like for whom this token has been crafted. And then I just present it and once again, I abuse of my anatomy. So what happens here is that that's not at all what we are doing in real life. In real life. You don't pick up the phone every time you want to buy wine and call a government clerk somewhere maybe in a different time zone and say, Hey, I'm here in shop X, Y, Z pizza software and I'd like to buy wine and the other, okay, can you tell me?

The client said, okay, what scopes do you want? Of course it does not happen. It does not happen at all. But you shouldn't feel bad about having been lied to because if this is by design, the problems that we solve in modern identity require the identity provider or federation provider anything in the middle there to run business logic, authorization logic, customize the things for the particular transaction that you're doing to give a chance to administrators to do whatever policy they want to apply.

So when people try to guilt you into saying, huh, how dare you having something centralized, don't let them. Because if you are solving those problems, you have to have such a component. Now that doesn't mean that we don't abuse this architecture and sometime use it in situations in which something else would be better. And that doesn't mean that there aren't scenarios but we could better tackle with different primitives that inside today we are limited by the state of current technology. So say that we really want to reproduce online the real documents. What do we need to do to change?

The first thing is we've got to lose the audience. We want to be able to get an artifact. I'll stop calling it a token at this point. We want to get an artifact which can be used with multiple relying parties without having to go all the way back every single time. Not only that, we need to be able to save this artifact somewhere in a place which I will randomly call the wallet in some that we can keep it locally and use it whenever we need without having to call home. So great progress. Now we have a problem. The audience was there for a very good reason, which is to limit the blast radius.

If someone steals that thing, you don't want them to impersonate you everywhere. So what do we do? There is another good trick which is pretty like we've been doing this in identity for a while, which is proof of possession. We can tie the use of that particular artifact to a, to a particular instance. For example, a wallet. So say that I have a key, actually a key there, but I only 14 minutes. So can go into the details, say that I have a key and then identifier of this key and say that when I ask for that artifact I specify the identifier of a key that I want to use.

And so once I cash that thing in there, that thing will contain inside the sign the part, a reference to the key. And now when I use that thing, I don't use it as is, I wrap it in a signature which I've performed with my own system. So now the relying party receives these things, checks internal signature, yes, it's coming from the authority finds the reference to the external key check that the signature is being performed with.

Same key, yes, the sender is indeed the one that got this thing issued in the first place. So we solve the entire problem. Now of course I'm skipping a gargan an amount of details, but this one I cannot skip. Today online we can do things that we cannot do with a paper and plastic. Like when we ask for a token for a transaction, we can completely customize customized with token to the exact specifications of what we need. So we can reduce the number of attributes to exactly what we need.

But with a plastic, you cannot, let's say that if you are buying something that needs to prove your age, you are also going to disclose your home address. But, but here of course we now have a same problem because we have a cash the token. So there is magic that I will not specify in here, but there are very good sessions during this week and I invite you to go and check them out. There is magic that brings us back the ability to do selective disclosure.

Even if we have a tokens cashed in our wallet, just want to make sure, but we know that it's not like verifiable credential, introduce this capability. We always have this capability and now we need to somewhat get it back because of the idea of cashing tokens in our own wallet.

Okay, bad news are not over. Turns out that we didn't invent verifiable credential right now, but someone else did already. And funnily enough, a lot of people did Here there is just like a selection of the most important standard bodies that already publish the documents on this topic. And in fact, like in particular W three C defined the terminology that you normally use in this space, which I'm now going to introduce. Now the user here is the holder, the identity provider or attribute provider is the issuer. The verifier is what perform the function of a underlying party.

What we have in there is a verifiable credential. And what we use when we actually use the thing to perform whatever operation we want is a verifiable presentation. That's the termin knowledge. And then there is the verifiable data registry, which is more magic. It's basically the place where you keep your metadata and your corresponding keys and your trust information. Want to go into the details because we really don't have time. And just to forgive you a feeling of how complicated this space can be like here, where's just like over imposed on the system.

Some of the, how to say what the cooks are doing in here, like for example, very fiber credential is a data format as been defined by the double three C. But the ISO is building an equivalent, like a same outcome credential, which is when mobile driving license and then the way in which you issue it to wallets. There is a open ID for vc. There are things from WC representations we have did come from D I F, we have open ID for VP on VP verda.

ISO has its own ways of presenting things and you get my point like here, this space is dare say remember my opinion, not my employer overs specified too many things, but at the same time I'm biased because I'm on the board. But I think that we open a foundation is doing really good work in here because now it's doing a lot of consolidation, trying to use what's good already out there and actually lead to some interoperable outcomes. So great. And we are only halfway. Fantastic. So now we finally have some pragmatic understanding of what verifiable credential means.

So let's look at some of the most puzzling statements in this space and I I just picked was free because I think that we are very representative. The first one is the centralized databases will disappear. And typically the the first slide that we show in representation is user attributes and user credential stores. So I'll start with that. Let's say that I'm applying for a job in the US and let's say that the job requires a master degree. I have two. So I go back to my university which is in there.

I get a revival credential of my diploma and I can present this and at this point I can just show it. Can we university delete that record from their database? I ask you just to see if you're still awake. Can we?

No, no, no, no. I brought so many ice creams back in the day in Italy for paying for my college. They better never ever delete that thing. So I'd say that that thing is not a candidate. Like maybe they're thinking about a different database. So let's say let's focus on the employer. The employer that receives the verifiable presentation and now knows that yes I am someone with a master degree. Can they delete that information? Also know cause I say that in five years I find myself in some big trouble.

And given that this thing like being hired for a certain position which requires a master degree puts you in a different lane for immigration. I got my green card and then my citizenship faster because of that. So the FBI will come back and say, employer, did you do due diligence? Did you know that this guy was gonna be a problem in here? And so now they needed to show that they did do due diligence and they cannot show a bull saying Si bull. I said this bull five years ago when I checked a couple of signatures. It doesn't work that way. They still need to remember some of this stuff.

Then here the advantage is that if I can do selective disclosure in my particular case, instead of just showing them a photocopy of my diploma, I can select the attributes that I will show. But what is in my diploma that I want to hide from my new employer? So we also needed to look at the practical angle of this stuff. And then just to go back on centralized stuff, there are flows that cannot go through the user. If my health provider has my blood type and I get caught in an accident, I cannot consent to release my blood type, they they better give me a transfusion fast.

So that stuff also is another database that cannot be deleted. Now all the centralized people know that whenever we go to dinner I will ask them, so which database did you delete it today? They never give me an answer, but I'm open to a possibility. So if you hear this and you think of something, please find me. I'm easy to recognize.

Okay, so user is in control of their own identity. Ah, this is such good PR when you say it exactly, yes, look at you. Now the thing here is indeed it's true when you are thinking about the identity provider, the ability of hiding from your issuer when and with whom you use your credentials is huge.

It's very, very important. But it kind of stops there because I hearsay that I have my driving license again, I need to prove that I am old enough to see certain content on the internet and so I can present this thing. And now people feels very empowered because they can use their personal key for signing this stuff. But the authority is still the Department of motor vehicles. And if last week I was driving drunk and they revoked my driving license and they revoked it in my VC and in my presentations, then I will not be able to see the content that I want to see.

So I'm not that sovereign after all. And the other part is like when you look at the things that like you are issuing yourself, you can think of like you are in control of your identity in term of life cycle. You can reoc access once again, not so much because the moment in which the fire sees this anything now they can save it. You can put a bit that says please don't save. But that bit will have the same effect as the stop sign. In my private road where I live in the us that stop sign was placed by the homeowner association. As an Italian driver, I don't recognize it.

I don't stop the thing. Like I don't care. I I just go. And so here the solution is not technology. The solution here is law. You need to make it illegal for the verifier to save things that are not German to the business that we are conducting. But it's not a technology problem. So user is in control a bit like with a provider. Yes. And then finally privacy will improve is another huge one. Here it's kind of hard because again, often people think that this is introduced selective disclosure, but they didn't.

We have, we had very selective disclosure for a decade or more. It's just that usually the asks for as much as they can get away with. And so the fact that if you have ability to shrink, which we already had, the list of attributes that you send doesn't mean that those will be shrunk. It is true that if you are comparing this to plastic, then yes will be able to manufacture a copy of a particular document which is a subset of the things that you'd get from plastic or paper, which is good.

But again, how many times do you do it during the day? It's important, it's high value but it's not like a word changing. And the other thing is today a lot of actually most fires will not ask you to prove your identity by taking a selfie with your Johnny license unless their business requires it. In some cases you do need that level of assurance, but in most cases you don't. Now imagine having a comparable level of assurance behind just the top.

And now think every time you identity people, when you get the dialogue that says, would you like to reject all cookies, manage cookies, acceptable cookies, what do you do? Don't lie, lie to me, but don't lie to yourself. So here basically what might happen is that unless the issuers and some issuers will regulate this and have a lawless of relying parties, but some others we probably won't. And so what might happen is that the total amount of privacy in the universe, if we are not careful, we'll go down because we'll disclose important verified information about ourselves more often.

Again, this is not a given, but it's a danger that we need to be aware of. And let me stress select the disclosure alone won't solve the problem because it's until it's a voluntary act hard to get people to opt, obtain. So that said, I stand by what I said at the very beginning. We need verifiable credentials to happen and there are things that only verifiable credentials can do and those things are very important to me. The top one is that we do need the ability to express our identity, to disclose our verified attributes without the issue knowing.

That is like a civil liberty, it's a right. And today we mostly play transactional games online, but eventually as we get more and more of our life online, we need to be able to express our identity the way we do it offline. And so it is fundamental that for the use cases that requirements that we will do it.

I'm sorry, I'm almost done. Yeah, but I kind of feel anxious if you're, can I finish you about the vulture? Thank you. Thank you. The other is that the moment in which the users will actually have in their wallet in a very powerful credential can be a game changer. Put yourself in the shoes of a very fire. The ability to rely on such a credential that can be actually managed elsewhere that someone else is dealing with recovery and all of that stuff. It's huge. It's really powerful.

But to me, given that I'm a blue collar and an architect, perhaps the most important is this one. If we want to achieve the scale that true use of documents online requires, we really should not rely on an architecture that requires us to call home every single time. Not only is bad for privacy, but it also, and here I'll say a tro, whatever architect says eventually in their career does not scale. So we started here, my hope is that in these little 20 minutes I helped to bridge a bit this and of course 20 minutes are far from enough.

Luckily there are a lot of really good sessions this week about verifiable credential. I invite you to go check them out and now the usual slide that I always use for closing at eic.

Thank you, Thank you, thank you. We have four questions for you, which is quite a lot. So you certainly as long as raised, the awareness for verifiable credentials, I'll just highlight one of those. Verifi credential verifiable credentials may be better used to solve the k yc, know your customer problem, our problems. You're highlighting a result of applying it to different use case authentication. Someone is asking, I'd say that this is actually one of the interesting aspects of all this.

Like very often when I look at what we are doing in this space, I feel like we are doing what to has done. When he wrote the simian, have you ever read? Oh okay. Someone at my age Tokin basically wrote like a middle earth for all of these interesting adventures. And then he wrote basically a Bible with the entire history, very boring history of the entire middle earth and its completely fictional.

None, none of that exists. It's an entire book of fiction about stuff that didn't happen yet. So to me it's important to get to be one of those things in which we don't just have little pilots here and there in the world, but we have large scale use. We have a lot of people with those credentials in their pockets. So we can see what use cases will Emerge.

Large scale pilots like European Union is now starting with maybe, Which for me is another good example of like people keep saying it, but until it's not on the, in the pockets in the front of people for me is just like a lot of nice talk. Yeah. So we need to actually, Okay, we need to go on in this. We could spend all day. Thank you very much. Thank you. And nice to have you.