 So, it's fine to have opinions, but please always make sure that we're respectful of everyone else in our discussions. So, with that, that's a little bit on the background of how we conduct meetings. Let me flip back, sorry, over to the recording. And with that, our topic today is actually an important one. We've got self sovereign identity and government technology for financial and healthcare inclusion. And I couldn't think of a topic that has more relevance for everybody around the world in terms of both the economies and that we operate in the societies that we work in and live in and then finally related to healthcare as well. So, with that, we are now streaming our session live. So I want to turn our session over to the Johnny Mahante, who is not only a blockchain expert, but she's written five books and certainly when it comes to self sovereign identity identity in general. She's recognized as a leading expert around the world. So with that, Johnny, can I turn it over to you. Thanks so much, Jim. I hope my screen is visible to all of you. Yeah, your screen is coming through fine. Okay, great. So good morning, good afternoon, good evening, ladies and gentlemen to the session on next gen. Sorry, self sovereign identity for government technology for financial and healthcare inclusion. So, I believe that I'm already introduced so you can find some of my books over here and my latest book that you can find an imagine in blockchain for self sovereign digital identity, and I have been working in this space for past two years. So first today's session is about digital identity. So let's start with the issue and the need of global identity for every human and not only human also for machines and for animals and future because in coming days you know we are already aware how the IOT works so even every human being would be needing more than one identity each for their devices and even for farming you would be needing identities for animals and future so that is why it's a huge opportunity. So according to a recent report by Mackenzie along with World Bank, there are some 7.6 billion population in the world, and almost one billion people globally lack any form of legally recognized identification, but they are called the invisible who are mostly women and children from parts of Asia, Africa and Latin America, and officially they do not exist even if they, I mean, are living beings they don't have any proof of identity they don't have any passport identity card any kind of birth certificates. So, and also there are 3.4 billion who have some type of legally recognized identification, but they have limited ability to use it in a digital world, and the remaining 3.2 billion who have a legally recognized identity, and they participate also in the digital identity category, but they may not be able to use that identity effectively and efficiently online when I when I say effectively and efficiently, I'll go through it you know how the identity works in later slides. So what the world needs at the moment is an efficient digital identity infrastructure that can help to reduce fraud and protects rights and increase transparency. So digital identity also holds the promise of enabling economic value creation for each of these three groups I just mentioned here by fostering increased financial health and educational inclusion. So first let me introduce you to this digital identity. So what is digital identity, it is any personal data that identifies us online like we use our digital identity for onboarding and registration to websites, any kind of identity management, authentication, authorization and access to online data or deregistration. So basically it is needed for initiating any kind of business relationship online. So why we need to protect our digital identity or our personal data is because there has been you know since it's our digital age in last two or three decades, the number of data breaches have increased many folds, and the maximum number is lying with the breach of personal data so you can see the kind of organizations were affected like Adobe, eBay and Anthem and the kind of people who are affected are not hundreds of thousands but in hundreds of millions. The data that got leaked are as crucial as bank details, credit card details and passwords. Now, why there is a data breach and what are the causes? So the biggest causes are centralized server and weak passwords that we all know. Also, there is a phishing attack, we all know what is a phishing attack and sharing without permission that means you are providing your data to organization to your, even to your bank or even to your healthcare organization but they are sharing that data without your permission or unintentional sharing like let's say that you are sending some pictures on Instagram or on Facebook or Twitter saying that, oh, today I'm celebrating my 25th birthday. So people would know that you know what is your eject data but which is actually a private information and many banks use this information for identifying who you are a security questions and then identity correlation. So what is correlation? It's like, you know, let's say that I'm sharing my healthcare data with my hospital, I'm sharing my financial data with my bank and my educational data with the university. So when sharing this data, then I'm using perhaps my email ID which is common to all or maybe my contact number which is common to all. Then it is also possible that they can use that particular email ID or contact number to know that what is, I mean, it is also possible. They can correlate and trace back to me that I'm the Johnny and this is my healthcare data. This is my bank, you know, financial data and this is my educational data. So this is called identity correlation. So we need a model which can actually solve all these issues which is there in the current digital identity system. Now, how we are managing our digital identity that also has evolved over the years. The first one is siloed or centrally managed identity which has been dead in the market for last three decades or more. Even it's used in many applications today, you are sending a user ID and password, or maybe let's say when you are registering with a website, the website is creating a user ID and password for you. Perhaps you are choosing a user ID, but then the website is skipping that data with themselves. So for each application, you are having a different set of credentials. So they might be using a database or LDAP or Active Directory, but this is the way they are saving your credentials. And then the second one is a federated identity model where the user is actually, I mean, there is an identity provider. So here, the server is not keeping the information, the credential information rather identity provider is doing that job. So you are logging into that identity provider first, it's actually responding with a token, then you are using that token to get access to different third parties. So this model works in SSO, this model works in OpenID and all. So in both these models, we have a centralized server, because here in the federated identity, the identity provider is the centralized server. So these two models are prone to mask hacking and single point of failure. Now coming to self-sovereign identity. So SSI is a new decentralized model to manage this digital identity. Here we have an issuer organization that issues verified credentials. We usually call it VC to the user that is saved securely in the user's mobile device. At the same time, the issuer is also sending a signed reference hash to a public blockchain and it's being signed using its own private key. Now the user can share the full part of the data to the verify organization along with the issuer's public decentralized identity. Now the verifier can convert this data to a hash and check if this hash on the data matches with that on the blockchain to know that if it is valid. So this example can be a scenario where the issuer is the passport office and the verifier is the visa office. So the user can share their data with the verifier. So now how it's happening, the users are sharing in a traditional model, they're sharing their printed copy of their passport and the verifier is again doing a background verification. So there is no direct way to know that whether it's a verified credential or not. So with this kind of architecture, we can do that on the spot. And at a later point of day, if the issuer wants to revoke the verified credential, they can send a new version to the blockchain so that the hash should not match any longer so the verifier would know that it is revoked or maybe the shared credential is not valid. So this is kind of the 60,000 feet view of this architecture, but how exactly it happens. Let's go down a little bit and see that how this entire thing works, step by step, like if some of you want to implement it in real life, how exactly what are the steps that you have to follow. The first thing is the issuer organization has to create a schema or data structure, like let's say that the passport office says that these are the data that I'm going to print on your passport. So similarly, you have to create a schema for the VC creation and the issuer has to create a public and private key pair and a public date associated with it. So this public date is actually public. So this is a bit is a decentralized ID. So this is similar to user ID, but this is public, and it is visible to everyone like they can you can publish it on the website. So what the user is doing for each set of VC, the user is creating a public and private key pair and a private date. So for each VC, there is a separate private data private identifier. Now the user is sending her public key and the personal data like it could be named at a birth and in a different kind of data, personal data signed with the user's private key. Now the issuer what it's doing, it's actually checking that whether the token is right so that you know if what is the actual public key of the user and then converting the VC to a hash and signing it with its own private key and writing it to a blockchain. And the VC is returned back to the user. So that VC is actually a combination of digital data. Now what the user can do the user can share the public key, own public key, as well as the issuers deed or decentralized identity, and a token signed with its own private key, along with the VC. So the verifier would check that from the token, the verifier would know that, you know, because the public key is available. So using the public key, the verifier can, you know, decrypt the token to know that whether this is the, this is the public key of the user. So and then because it's signed by the user. The second thing it would do is to convert that data to a hash and check on the blockchain that whether it is signed by this issuer because the data of the issuer is available so whether it's signed by the issuer, whether the issuer is valid and whether the VC is valid. There are so many things which are verified and ultimately the VC is verified successfully so this is the entire flow. So here, and a later point of time if needed then the issuer can also revoke the VC. So this kind of architecture ensures integrity of the data ownership privacy and security and validity of the data are checked. All right. So there are, it's actually you can see that the SSI network is pretty complex. So what I showed you is only the SSI layer but then there are other layers also which you have to handle. You have to handle the web standards, the authentication standards, so how somebody is getting access to this kind of SSI network that also, you know, you have to think of authentication mechanism. Then also an open blockchain and a decentralized identity network. So all these things you have to handle on the top. Now, let's see how. So there are different layers in SSI. At the heart of it, as I showed you, there is a public nature, then there is a private and identity of storage is there, then agent are needed for message transfers and hubs are needed for, you know, having a replication of the data. And then client devices. So there are so many different layers that you have to handle. Let me show you how. So here. So here you can see that Alice is a user. So C is having a mobile device. So from the mobile device they can connect to a public DLT. And here she is, she is carrying all her personal data here, which is not only alphanumeric it could be biometrics data also. And then there is Bob, who is having his personal data in his mobile device at the same time he is, you know, sharing a copy to a cloud storage so that later on if the mobile device is stolen or broken or large whatever whatsoever, he can create another copy and revive his position there. Then again there is a issuer organization here and the issuer organization is keeping all the data in the cloud storage. So you can keep all your data either in its natural format or encrypted format as needed. So encrypted would work a little fluid, but then it's, it gives you additional security. And then there is a public DLT, which is responsible for creation of all the digital identities, reference hashes for claims and revocation is also handled over here. So this is the system architecture. Now, how the SSI works in real life. So in real life, there are different issuers. So here you can see one moment please. Yeah, sorry. In real life, there are multiple issuers or certifying bodies or organizations. So here you can see there is a hospital where, you know, let's say that Alice is born in a hospital then the applies for certificate or her parents is applying for birth certificates. Then they're producing that birth certificate to the government and the government is creating a national identity for the child. Then she is joining a school and she is producing both her birth certificates and her national identity number and she is getting admission to the school or the university and finally she is joining an organization where she has to produce all the previous certificates depending upon the requirement and then see ultimately she passes out from the college or the university and finally maybe she would be joining a workplace. So here you can see there are different set of certificates are being issued by different organizations. So this actually works like a chain like you are carrying the first certificate to the second organization then the second from the second organization you are carrying it to the third organization like that. So, and each organization can walk dual like each organization can be issued as well and verified. So usually they are verified first and the issuer later. But this is in this kind of chain the responsibility of the first issued is maximum so usually it is good that if the first issuer is a government based organization. So, each of this data the user can carry in his mobile device and as per need the user can share it to different verifiers. And this personal data can be shared in many different modes like traditional data, traditional way of sharing like I'm sharing my name as it is the journey. The second one is selective disclosure like I don't want to share all the data in my passport, perhaps there is some data maybe your marriage status or maybe I mean what kind of information is the certain kind of information which you don't want to disclose. So, then, then there is zero knowledge group. That means that you are sharing your data. Let's say that there is a website who doesn't want to who sells alcohol only to somebody who is evaluating. So, how would I prove that I'm evaluating should I disclose my data part, but data birth is a private information so I would just reply in yes or no or true or false. And the verified using cryptology that can also be checked, you know the verify can change that whether the information that I'm providing is correct or not. So, this is called your knowledge group and then self attested there's some data that doesn't need somebody's attestation like let's say I'm sharing my hobby to somebody. So, nobody needs to certify it. So, these are the three different kind of personal data and then there is an involvement of public blockchain where there are different trust anchors. I'll come to that later on. Now let me go through some use cases. So, the first one one moment. Yeah, the first one is a government of Australia. So, the Australian government is delivering digital identity program that will allow government services to be easily available to people and businesses online at any time. So, so their plan is to cover many services through one national level identity for each citizen of the country. Also, most of the paper based checks would be transferred to digital experiences. So, you can see in the right hand side. So they're going to cover taxation welfare, health, business education, social services, banking, etc. So, so using the users biometrics and life destination test user can be authenticated to use these services. So, they're using a decentralized identity model and this project is still under development. The second one is Singapore if I'm not wrong. This is no longer in pilot. This might have got to production. I have to make sure again, the Singapore is authenticating 4 million of its citizens online with facial verification supplied by there is a organization called I proof. And so they're using simple face biometrics check. So, the users can get secure online access to government services, and private organizations can also take advantage of this national digital identity infrastructure to authenticate customers online. And then, then comes Canada. So in Canada, they are providing this this project name is called Taylor's one so you just can, the citizens can upload their certificates online and the government can use it again and again depending on their requirement they won't ask the the citizens again and again. And on the top of that the government is also providing certificates to startups like let's say, let's say there is a startup in Canada. So this project is actually in British Columbia. So, so let's say that there is a startup and they want to work with with the organization in India. So how I'm an organization in India how would I know that whether that organization is fake or real genuine. So I would trust the Canada government so that's why I would trust any certificate issued by Canada government to that particular startup so this is how even even India is considering a similar project now. Now this is a very interesting use case. This is called I respond. This is again by a sovereign foundation and this they are using Hyperlegia India I'll talk about it later. So here, basically their model is little different and this project is is actually developed by NGO called I respond. And this is the this is developed in a country I think in Africa, where the mobile penetration is quite low. So what it means is perhaps the users of the citizens do not have smartphones, or even if they have phones, they do not have cameras where which can walk to implement that kind of model so in this situation, how they have implemented it. Especially in third world countries. So, so in these countries, the number of kidnapping of young children is quite high. So the children are taken across the border by kidnappers and they are taken to other countries and exploited. So in order to, you know, find a solution what the government has done, they have approved certain NGOs to issue certificates to digital identity to children. So the child, a newly born child or maybe some child which is less than 18 years old, they can be accompanied with their legal guardian and custodian, and the NGO would create first the NGO create a digitalized ID for the parents or the legal guardian, and then one for the child. And that would be associated with their iris because iris is something which is well developed in children. And then because they and their deeds should be connected and or linked, and then they would be assigned a paper based certificate, and, and then they can keep it with them as a verified confidential. Now, if the child is trying to cross the border at the same time, the border officers would check know whether the decentralized ID is a valid one, and whether the biometrics associated with that is matching with the child and the custodian who is escorting the child. And again, there would be a need of a consent by the legal guardian. So if all these things are working fine, then only the child can, you know, it would be able to cross the border along with the legal guardian. So this is the use case which is under development. Now, so digital identity is the hot cave of today's world you can see in the picture how most countries in the world are doing some research or other, like here you can see there are so many initiatives but not all of them are decentralized but like I said, Australia is working on it and Singapore is working on it. And then there are certain countries in Africa, UK, perhaps is working on it. Government.uk is working on it. British Columbia in North America is working on it. Many of these countries are working and not only that, they actually can help to implement the privacy laws like the GDPR, PDPA, PDPV, etc. And by implementation of SSI, you can actually adhere to all these standards. And also by year 2020, 65% of the world's population will have its personal information covered under modern privacy regulation of from 10% today. So if you ask me that what are the, what is the area of blockchain which would be used by each and every person on earth in one day, then it would be, I mean, maybe in five years, maybe then it is digital identity or SSI. Then I'll cover some area of research in SSI. So there are so many SSI protocols available in the market. So Hyperledger has got its own protocol called Indy and Aries. Ethereum has got Civic and U port and Microsoft is coming with Ion, which is still under development and currently working with RTID and we are using Hashtag. So these are the different protocols and there are many more. You can, you can visit W3C site and you can find many more possible SSI protocols. And you don't have to abide by any particular one. You can just see that which one is sitting here. So this is the architecture of RTID that I'm currently working on. So here you can see in the right hand side we are using Hashtag but you can use any. Sorry. So here you can see that in the right hand side we are using Hashtag but you can use Hyperledger Indio here or Ethereum over here depending on your project's needs. And also you can see in the left hand side we are not only creating this kind of architecture only for human beings but also for IoT applications, IoT devices in future. So this is the roadmap and also like I said the user's data, personal data can be saved on device or it might be stored as a copy on IP address. So in that area also we are working. So what are the different SSI success factors? So how do you know that the SSI project is successful? First of all you have to know what kind of technology, what kind of public key infrastructure that you are using. Whether it's scalable, your solution is scalable and whether the throughput is good because unlike B2B blockchains the SSI needs, the requirements of SSI is very different because you are trying to cater to the needs of not hundreds of thousands but millions and billions of people. So that is why it has to be scalable, extremely scalable. The cyber security should be good enough. It should be interoperable so that even if you are on different platforms, somebody is working on Indie or Iris, somebody is working on Ethereum, somebody is working on some like we are working with Hashtag. So that could be different blockchain platforms, identities created on different platforms but still they should be interoperable. What kind of data sharing technology are you using? How effective they are? So like I already discussed about selective disclosure and zero knowledge group. Who are your validated nodes? So what it means that, so the consensus model because this is SSI is associated with the blockchain. So that blockchain should not be something like Bitcoin or Ethereum 1 where we have proof of work which is extremely slow and so you cannot work on that kind of technology. So what you need is proof of stake model which is faster and also you need to make sure that who are the validated nodes or who are your stewards or who are your custodians of this kind of DLT. So that is also is going to bring trust to this network. And then of course, you know how you are giving access to the SSI network to your different users. Again through user login password, you get through OTPs, now how you're doing it. So the best model is integration of biometrics. So like here in our architecture, we are using SHA256 for hashing and ED25519 as public key signature system which is fastest and safest at the moment. In terms of scalability and throughput, hashgraph is tested with 10,000 transactions per second and 1.5 million transactions per day with finality in seconds. Then cyber security hashgraph is a resistance against DDoS cyber lens hooping attacks. Then in terms of interoperability, it can be easily integrated with other data networks and selective disclosure and knowledge proof we are trying to cover each and every possibility like greater than equal to less than equal to greater than less than. So when it comes to valid and nodes, hashgraphs valid nodes are industry leaders in different verticals like Google, IBM, UEPRO, Toshitalicum, FIS, Stratatilicum. So these are the valid nodes or stewards or the students of hashgraph network. So in that sense also this is good. And integration of biometrics, we are trying to integrate with different kind of biometrics which are physiological as well as behavioral. So we are trying with a phase we have already competed. We are also trying by Iris and fingerprint. And in future we have, we have the plan of implementing, you know, palm band and gate and voice. So these are in pipeline. So these are this architecture of SSI architecture of the ID. Now I'll just cover one use case which is next gen authentication and authorization architecture. I think that most of you might have heard of FIDO. So FIDO is on device authentication without the need of OTP or password. So now we are gradually moving towards a password less model. But what I'm discussing is even ahead of it. So I'm going to discuss decentralized biometrics. So first we need to understand a little bit on why this is needed. So what are the different personal data management, you know, methodologies as of today. So how are you getting access to your online data. So there are three different ways. One is knowledge based one is position based and then inheritance based. The first is knowledge based that means you know your password so that is why you are who you claim to be, or maybe you are able to produce a OTP, or maybe you are using a hybrid model. This tool you're providing a password as well as your OTP. Second one is your position. That means you have you purchase a smart card. So that is why you are what you are claiming to be a third one is so because this knowledge and knowledge you know your password can be stolen your OTP can be stolen your position can, you know, your smart card could be stolen. Third one is inheritance basis. So that means something which is what given so your inheritance is your biometrics. So this that is why biometrics is considered safer than any other previous technologies. Again, people are coming with hybrid models like you might have heard about biometric cards for payment. So this, there are banks who have started allocating this kind of cards to their customers. So now biometrics works. I believe that most of you might have some idea how biometrics works. One moment please. Yeah. So first, we use a scanner to scan the users biometrics such as face finger iris retina palm and etc. Then we extract some unique features out of that biometrics that image and map them and save them as biometric templates. The template looks like this 0101 like that. So it's binary and we save it to a template database. This part is similar to registration where we can create a unique user written password. So at a later date, the user can log in using the same biometric and the system matches it against the biometric database it has. So matching is a little different from matching user written passwords. So this biometric actually the matching would come up with a score like what is the probability of matching what is I mean is it 90% is it 50% is it 40%. So on the basis of some threshold value you can you can finalize whether the my metrics is matching. Again, wherever there is biometrics that is fooling. So fooling is a method of fooling the biometrics identity system where an artificial object like the fingerprint mold can be used. Fingerprint mold I don't know how many of you have heard of it you can also create a fingerprint mold out of silicon, and you can present it to the scanner so how would you make sure that somebody is not using a 3D mouse or a photo or a video or others, like So there is a sensor associated with the camera, or maybe there is a challenge which is, which is asked if somebody is asking you to do like the app can ask you to smile or not change your facial expression from happiness to sadness and do some head movements. So this is called active lightness detection test so which you have to do that the mobile device has to do. Then also there is passive by lightness detection test where you know there is algorithm ML based algorithm which would check that it is a real person and not a 3D mask or video or something. So, so there are different and these fooling technologies. So, SSI along with biometrics have been have become very popular nowadays and there are companies like Q ledger, which is a credit union in us they are using this kind of combination but actually it is not decentralized by metrics. They are using biometrics for on device authentication, which is phytobase, and then they are using SSI for data sharing. And then there is Jamal Doenthal's group they are also doing a very similar model for their banking clients. So here in Q ledger you can see once the user is logged into the credit union. Then all the banks which are associated with the credit union they can also give access to the user so it walks on an SSO model but here there is no centralized storage. Now let me show you how we are working on a decentralized biometrics model. So this is pretty interesting. So here in RTID we are handling different kind of biometrics templates. Like we have completed work on special biometrics, but in future like I said, immediate future it would be working on iris and fingerprint, and we have planned to work on behavioral ones. So, in R30, first the user captures the biometrics after active likeness detection check and converts it to a template. Then the user sends the data, the personal data, that means it's and the biometric template. So it could be like your name, your date of birth, all these things along with the biometric template to an issuer organization. Now the issuer organization can optionally do a background verification or de-deplication. If there is a need of de-deplication or there is a need to save the template like something like a national identity program, then they can do it in a centralized biometric template database which is not a mandate. So you can completely ignore this step. And then the issuer would convert that data to a hash and signing it with the issuer's own private key. The issuer can write it to a public blockchain. Then the issuer would send back the VC and a confirmation. So on a later point of time, if the user wants to log in, the user can log in again with biometrics which would again undergo liveness detection test. And then the user can send all this data, the personal data as well as the biometric template, and the issuer details that who is the issuer who has certified this. So now here the verified could be the same organization or a different organization. So now this model would work. Please note that this model would work on the fly. So that means that because there is no centralized database over here, so any organization can come and check. If they trust the issuer organization, then they would trust the user and they can give access to the user to their ecosystem. So then what they do, they might do a passive liveness detection test on the biometrics data if needed. And then they would convert the personal data to and biometrics to hash and match the hash with the one provided by the issuer. The issuer is validated and the VC is validated and the user is also validated that whether the same certification has been allocated to the user who is carrying the same public key as they're sending a token also here. And if all goes fine, then the user is authenticated. So yeah, so this is the model that actually most of the work is done for face as of now where we are also trying with the finger and maybe in future will be coming up with more. So I think I'm done with my presentation, you can read more on blockchain for cell seven digital identity. And yeah, so I'm open for questions right now if you have any. Johnny Jim here I just want to thank you that was an awesome presentation I apologize for not having scheduled you for an eight hour session and only one because obviously the material you covered was a tremendous amount of material in a short amount of time on a lot of different topics related to SSI. But you did a great job between all court covering the sort of the basic concepts of SSI as well as some of the applications and where it's headed so that was really awesome. We did have a couple of questions in chat, you know, one Jim St. Clair. If you want to unmute yourself. I know you had made a comment about GDPR compliance. Yeah, let me lead by saying that was very good presentation I would highly encourage the Johnny to join an earth ID to join the trust over IP foundation which is also part of the Linux foundation as of course is hyper ledger. Because we are looking within the framework for other alternative did SSI architectural implementations to be included as we as we guide an architectural model. And then of course is based on the work with an hyper ledger foundation in Indian Aries. My specific comment was just oriented to the fact that Indian Aries grew up and developed in our and are being developed by both indie chapters as well as a sovereign. Because public did, don't necessarily comply entirely with GDPR requirements in terms of right to be forgotten and associating personnel with your data. Not to say that it can't be and you also pointed out Microsoft moving forward with ion and there's new development work in the ceramic network. And of course what you're doing with had a hash graph but but but it's a it's a great field to be involved in. I am partial just by virtue of being, you know, involved the hyper ledger SIG to the Indie areas configuration. And that's something in, I think, worth noting for this group but but would love to see earth ID, bringing their architecture so we can, we can make you know standardizations stand standards and standardization processes to include consideration for non Indie areas type networks. And that's a great point though about the trust over IP organization. And it's not just trust over IP I know there's other I'll call it identity organization, I other organizations focused on identity itf W3C, DIF there's so many of them but trust over IP I think is the one that fundamentally to me, and correct me if I'm wrong but I look at it is the organization focused on what I call connectivity and usage of identity models more than anything else you don't mean they're not focused on what I call data storage as much as they are on coming up with real world use cases for using identities and credentials in practice. And that's a big deal. I'll just throw out two things. I want one thing that was touched on in the presentation of scale and having led a SSI project that was successful for a state in US that wants to go unnamed at this point. We did a pilot that worked out well, sort of met all the objectives and sort of set the stage for going to the next level of a production pilot. And use in the areas all that work fine. But looking forward with there are many challenges in getting this implemented well. One of the questions that was raised what about blockchain. You know, comparing or communicating between blockchains. If you look at the models that are being used in the areas and the other frameworks, the key for interoperability is really just common protocols and common agents, if you will, and common message architecture and that's it those three things where you store it and what your resources behind that aren't really critical for sure. But those three things the protocol, the agents and the message formats do matter and in the area certainly has done a lot of work in that regard. Try to come up with did they're implementing did com protocols that did message models and then the idea of a more universal wallet so that in effect you wind up doesn't matter where you came from you could exchange stuff. But I will throw it out there to anybody. The thing I looked at my project was successful because we went to, I'll call it the concept of, I'll quote five million potential identities, and our, we could have handled. We can handle that scale. What I couldn't have handled in the way we implemented our project was a scale of greater than five million identities. And it's more than just the speed of storage on hashgraph and finality stuff. But you look at the in an SSI model, you have forgetting the identities of people, as the Johnny said you have devices and you have, you know, you can add animals into that but really devices are much larger in terms of the identity space. But then ultimately credentials credentials aren't just that I graduated from the university credentials could be that Jim said, I can, you know, go into his house on Saturday afternoon to borrow the lawnmower that could be a credential so anything could become a credential. And in that world scale becomes a super challenge so any thoughts. I'm going to give Johnny on scale, going forward. Sorry, can you repeat your last line. I'm not, I'm not concerned about what I call the graph storage model for a blockchain, you know which hashgraph does different than the miracle tree model that fabric uses or, you know, other blockchains. That's more of an internal implementation. And I'm not so concerned on that I'm just looking in the real world, and you pointed out the real world of blame you because you used the term real world. So, following up on that concept scale looks to be a potential enormous challenge, not just on the identity so much, but much more on what is a credential. So, in the traditional world of what you're showing is credentials they're fairly limited they're things like driver's licenses diplomas and so on. And that's really when you start looking at authorization to anything. Like I said, if I'm going to go to Jim's house to borrow his lawnmower on a Saturday afternoon he could issue me a credential that I could get into his house on an afternoon that could be actually a credential so credentials. And that's really, in a sense, much, much higher in concept in the way they're traditionally shown. And that's a represents a big scale challenge I think, for the technology for sure. You know, beyond just the simple storage model. Any thoughts on that. I mean, we are doing on, I mean we have just started doing load testing at the moment. And I believe that is the area that I'm not sure I mean you can update me, whether Indian areas have come up with any figures like what kind of, what kind of Do they have any figures at the moment I'm not very sure, but we are we have started doing load testing and soon will be coming up with some figures, which I believe would again improve like because we are relying on hashtag today but tomorrow it could be something else so we are not confined to I mean, all together. So, yeah, yeah. And you're right, the storage mechanism can change. And actually the storage mess mechanism, honestly, is least critical. It's on stupid least critical in the overall performance of a network solution. What is more critical is in a sense, the network, quote, capacity if you will and I don't just mean bandwidth but more than that, in a sense, you know, what are the devices hoped that are the running the agents. What what is the capability for the protocol. What's the network, what are the nodes I'm going through where's the congestion all of those things are far more critical, where I can just expand on the back end capacity as I needed for storage that's usually and also, in a sense, make that asynchronous as well. So there's a lot of easy things on the back end to handle capacity but on the network side when you're trying to do things you have to decide is this a real time message that needs to be dealt with or is this something that can be asynchronous from a response perspective. We do have different types of message traffic but it's that network congestion capacity and priority for messages that really are going to be the hub I think of where performance is going to come into this and scale and my project just like yours. I didn't have any problem using India areas to scale for everything that we looked at. The challenge is that again I was looking at a state where we might issue roughly in the near term 5 million identities. We would have many more credentials, but the in the areas, the areas wallet easily handled that that wasn't the problem at all. So for what we did the challenge is going forward where I see this thing exponentially increasing from a load perspective I don't see this gradually increasing I think the concept that the strength of what I call the identity and the credentialing for what it's worth and the security around that is so much stronger than the other alternatives that once you in a sense have the technology. It's kind of like the internet you'd expect it to explode in terms of its usage and I think there's a challenge there and the only other thing I'll throw out that I saw in my project when we looked at moving to a full production thing is it's easy to have these digital wallets if you will. The problem is managing in a sense the wallets logically means that you have to have them recoverable. So if I steal your phone, you know, how many minutes are we going to allow before you can in a sense, reestablish your identity to the network digitally. If I have things like key rotation that have to happen as part of security, how am I going to manage automatically things like queries with key rotation so there's a whole bunch of issues that pop up that are what I look like to me anyway in progress on solutions but there are, there's a lot of technology behind it as you pointed out in the presentation for sure. Yeah, yeah, sure. Because you know, these are also the areas that we are working at the moment like how somebody because for every set of VC or separate private and public key pair will be created. So, how would you handle them, you know, and if your mobile phone is stolen broken like I said, then how would you create a replication said somewhere in the, in the cloud perhaps and or maybe IPFS, and how we can do that and how quickly you can do that. And also because we are using blockchain then what is the time because you are writing let's say the issue is writing to the blockchain or issuing the VC to the blockchain and you are reading so in in none of the blockchain you can do it immediately there would be some time lag. So you have to frame your use case as per that like in hashgraph it is a three second time lag. One node is writing it and the other node is trying to read it so there is a time lag of three to five seconds. So you have to, you know, develop your use case in such a way that this kind of this kind of lagging can also be taken care of. So there are so many ideas here. Yeah, good point. I think, but again, I'm never worried ever as an engineer, I never worry about the storage models ever, because I know I can engineer around those every time for use case. The challenge is always more the messaging side of it on the networking piece and the priority of the messages. So, again, an example, I want you to prove me for or I want Jim to approve me for access to his house on Saturday afternoon. And that is not a message that needs to be answered in the next 30 minutes. You know, it's Saturday is the point, you know, maybe I want to know from my calendar, but it's not a critical message but there are critical messages I worked on Moby which is the mobility open blockchain initiative where we're looking at vehicles and trying to do in a sense where does blockchain fit in managing real time traffic issues and things like that, but somebody crossing the street, if I'm going to have an automated driving scenario how do I how do I recognize that person and not get them in a crosswalk. There's a lot on the vehicle technology side but then you say okay we're going to add blockchain into that, looking at those what I call more critical time things in terms of response. Again, it's not the storage side, it's the messaging side and the priority of the messages and handling them that really differentiates everything over there. And the other thing that you brought up well in your model you showed the triangular trust right from the issuer the holder and the verifier. And one and this is going actually more to trust over IP and their, their work I think, but one of the questions that does come up if you you presented all of the what I call the major hacks that are occurred right in traditional stuff, you know for centralized eBay and Equifax and all of those target and everybody else, of which there's quite a few and obviously they've made your problems there. But if you look at an automated trust environment with SSI. On the bottom side of it where trust over IP defines it you really have a governance question right. And that's actually a bigger issue I think I'll say even bigger than regulations like GDPR is the governance models who do you trust, you know, do you trust Facebook to hold your identities. Do you trust Microsoft to be the owner of your identity system, which you do today certainly if you have a Microsoft account or an Apple account, but going forward is that the right in a sense holder of your identity I'm not sure. If that's the case the answer and I do think at least trust over IP is trying to attack that is the government's model. So when you compare as you said all the organizations that are offering SSI solutions today. How would you rate them, one against the other on output governance and trust. You know so there are differences there for what's worth and I haven't really seen anything, and maybe it's just my lack of knowledge that really hits that area very hard. So if I can take that outside and that that would be good. Well if I can interject on the trust over IP side I would agree with the gym I think that's well said and and emphasis on on the utility layer layer one and what type of blockchain decentralized layer that you're using is certainly important. I happen to be more involved at the ecosystem and governance layer where I think, and what we're translating into our work into centralized identity and health care is that establishing a governance framework and establishing an ecosystem framework so you have trusted parties exchanging this irrespective of the layer one below it is really the heaviest lift because you're moving to a model away from a lot of those traditional centralized or federated identity and authorization models that that Deb went over, and to a model where you're being presented a credential as a verifier from an issuer that you have to trust around attributes that the that the holder is presenting without any other characteristics or or identity or binding beyond what the what the credential presents and that's, that's a whole governance right there and just just involves a governance framework and W3C and verifiable credentials models much less you know the supporting did did calm and and and blockchain decentralized layers below that. Yeah, and it's a great point and I really think I really think. Yeah, I'll give GDPR credit and EU European Commission for the work they've done on aqua blockchain regulations and so on and digital assets and all that stuff. But separately, I do think the concept of getting governance right is has not been well addressed. And I do think that is a little bit I know I'll say trust over IP at least seems to be leading in that area. To define that governance is a bigger thing who do you really trust as organizations it's not me Jim the holder who claims I graduated Cornell it's more importantly how do you know that's really Cornell and how do you how well do you trust Cornell to be somebody that verifies that Jim are they a good organization to trust to say that Jim is really, you know whatever strong and child psychology as an example if that's what my degree is and you know what I mean so the whole trust model related to governance I think hasn't been hit hard enough and I do think that at least trust over IP is at least leading the charge in that area for sure. The only other thing I'll complain about is failure. If I had to give myself a title I'll call myself the chief doctor of failure on planet Earth. Every time I go into these groups, whether it be movie or somebody else. I'm thinking of failure combinations, and I'm not seeing what I call the requirements for failure driven hard enough into a lot of these solutions so when I was looking at the SSI model, and we were trying to figure out. Well, for production solution in the state, what do we really want to say, how long should your recovery from losing your digital ID take. It should be you know days weeks minutes where should be and it's like well if your digital ID is your passport to everything. And you're whatever diabetic and you need insulin, you got a prescription at the drugstore and that your digital ID is key to get it how long am I going to make you wait to recover something like that. So I think setting use cases for this stuff. On the top end is really important and again I'll say trust over IP looks like the right organization to drive that. No actually I agree 100% and I appreciate the advertisement I think it was a great summary and especially the emphasis on on the governance side being a huge part of contributing to moving the trust model forward so whether it's Earth ID or Indie Aries or Microsoft I on whatever just just just being able to enable or sovereign foundation for their work just enabling the principles of SSI built on on the trust framework and governance. Yeah. Cool. One of the questions. My client had that. Let's say that is a SSI chain. In most of the projects I have worked in SSI that is a chain that means there is a first issue and then there is a second issue and then that is the third issue. The first issue is having the bearing the maximum responsibility the second issue is actually first the very fire and then they're issuing the second set of certificate and third one is relying on the second. So here, let's say there is some issue in with the first issue maybe by some means the user can, you know, trick the first issue to issue the certificate. So the second and third are actually relying on the first issues. I mean, in a direct or indirect way. So now at a point of time, the first issue realizes that the user actually has tricked them, tricked them. So they revoke it, but even if it is revoked, because this is a decentralized ecosystem, how the the organizations who are coming later to the chain, how they would know that it is revoked because they're not relying directly on the first issue. I'm sorry, I have to ask a question first because I'm not really following so you're saying that you have an issuer of a verifiable credential but you're saying somehow there are second and third issuers associated with what binding identity or attributes or verifiable. They're relying on the original credential that was issued by the first issuer. Right. So I'm a second issuer. So, you know, maybe I'm an employer and I hire you Jim because they say oh you're a Harvard graduate. I'm relying on your Harvard credential. And now I'm giving you an employment credential from that and her idea was that yes there's a chain of quote issuers who are relying on prior issuers. I'll call it integrity if you will, you know, for what they were issued, and there's a risk there, that's all. And her point is that revocation as well. Yeah, and, and I mean just to take a stab at it because it's it's getting into the more complex problems of the SSI that I wish we were working to solve every day. There has to be first as part of that governance framework that you describe so well Jim rules around revocation and then and then how secondary and tertiary implications for attributes so to your model. I'm I'm an employee with my employer, and one of the key aspects of being an employee is I have this Harvard degree. But that credential has some sort of of relationship with that Harvard credential such that if it's if it's revoked that revocation creates some sort of of need for revisit or reauthorization for the employee credential as an example. Yeah, so in our world in the areas world that we implemented the state, we were doing a quote real time revocation checking. And what I realized is, like message priorities for a quote content. You really need to prioritize that you can't just say it's unlimited. So in our world it all worked because we were, we weren't a quote, a massive thing taking planet Earth we had a smaller population. The revocation stuff clearly has challenges and I think you wind up with the idea that some revocations need to be real time, you know the example would be my driver's license. If I'm a drunk driver and, you know, I'm arrested maybe my driver's license suspended immediately and that credential should be immediately a quote verified and checked if it's a driver's license on the other hand. If it's, you know, whatever some other kind of a thing, a credential for some other thing that's less critical, then maybe that credential would have an upload more of an expiration period, as opposed to a real time revocation check. If that makes sense to try to reduce. Yeah, that's a great point and it also differentiates where the, where the credentials being used for binding and identity versus verifiable claims so driver's license is a great example. Maybe a drunk driver and get my license suspended, which means I've lost the verifiable claim to drive, but the driver's license as my means of identity as a credential that I present to get say Medicaid services or show up at the hospital is still is still valid from an identity proofing standpoint. Yeah, yeah, great. Excellent. Johnny, any other critical things I know we're way over time I apologize to the whole audience here for having. I'm glad to have Johnny for actually picking a really great topic that she knows a lot about sharing a lot of information that leads to a lot of interest so it's all your fault not my fault that we're over time. But any other critical thoughts step Johnny. I think I'll come up with more, maybe in months time, like I'm saying that we are doing a lot of load testing as well as this governance stuff is also there. So, and interoperability of course you know because in future we also have the plan of having some other blockchain, not only this one, something else so that no, maybe there is scope of improvement so let's see, and maybe I'll come up with something pretty great alright so I'm going to thank everybody who was here today I really appreciate you, everybody staying out in the great comments Jim and everybody else. And certainly did Johnny, you know your expertise is really really up there in this space and certainly you are a great resource for all of us so I look forward to seeing more of your work and and being able to access more of your content. And with that said, I'm going to push our recording up we did live stream this so it'll be up on the hyperledger YouTube channel. And then finally, did Johnny if you can just email me a PDF of your presentation I'll make sure we posted to our site as well and send everybody the link as well. Sure. Thank you so much. Great. Thanks. Any final comments from anyone before I close the meeting. Great. All right, well thank you everybody it's been a great session again Deb Johnny can't thank you enough and Jim you know certainly appreciate your expertise today as well and thank you all for attending and have a good week. Thank you.