 Good happy kind of lunchtime here. I Am Heather doll and I head up in DCO and with me is Mike Vessie who? Leads ID ramp and together we're here to talk with you about using open source for verifiable credentials Mike and I have been working on this for Long time. I think probably five years We have been in this community together in fact met at a community event and started working together Through multiple iterations on the projects that bring us here to talk with you today And so I think what's terrific about this session is it's actually this community It's hyper ledger and the projects that brought us together and our companies together to partner and collaborate and here We are years on and we're talking when we actually met in a presentation And so what I want to do is bring up an oldie, but goody and we know this slide And that's always a good one to level set Why are we here and that's because we've gotten identity problem on the internet and if anything the last two years? More every time you try to use your username or password You're reminded of this problem and why is it why are we here in this session today? Because we have legacy identity systems and while they were good for a moment in time We are at the point where we need to extend this legacy approach where you have a single privately controlled Database where trust is brought to a single domain, which if you were a hacker this looks fantastic But if you're us and you're those who want to have the ability to Control or manage or share your information without a gazillion direct database Integrations, and you also want to reduce your risk because you're looking at a zero trust Framework, this is not your friend. And so what are we going to do? Well, this is not what we want to do anymore we want to take this world of duplicated identities duplicated username and password duplicated everything that's causing us headaches and we want to move to a decentralized approach and that this is why we're here talking about verifiable credentials That's because think about it is the human or the device or the Organization or the entity sits in the middle and they have the ability to be the conduit of their trusted Verified and authentic data So what we talk about here is a trusted digital ecosystem. This is more than just two parties on a direct integration You have to think about the space of verifiable credentials as a full ecosystem You don't have the full ecosystem you have a one-handed handshake I think for many years in this space We were really really focused on the issuer or we were really really focused on a wallet and Then people are saying well It's not getting adopted and you'd go and have a conversation. They were talking about my wallet my wallet my wallet Okay, you've got a wallet. What can you do with the wallet or the talk was about the network the ledger the ledger? You got a ledger now. What are you gonna do, right? So a trusted digital bring out ecosystem brings all of the components that you need for scale and adoption together and if you were not in a system or you're not thinking about how do all these components and Issuer a holder a verifier a ledger and then like a mediator your schemas Etc. If you're not thinking about it in one Entire picture you got a one-handed handshake and your scale and your production is only going to go so far And so what we see when customers are looking at buying verifiable credentials They themselves are looking at a complete ecosystem These ecosystems are privacy by design the ecosystems are designed to scale and Really solve the problem around security remove direct integrations Businesses and governments are using this model and we can get into some of those use cases and really Mike's going to dive into those So one of the important things I always talk about is in when I became or involved in this quite a while ago, how did I get involved with? Decentralized identity actually got involved with it from security side I was working on security solutions And it was on the very early days when we were developing what is now known as the zero trust Framework I was working with John kinder bag at Forrester who helped drive zero trust forward And when we were looking at that was if you were going to use a Never trust always verify approach to your framework Well, are you going to go trust an identity that's once again on that? Centralized database so idea behind verifiable credentials and decentralized identity in that in that Perspective really drove with the fact if you're never going to trust and always verify You're going to use a decentralized approach to the identity to verify and so if you're developing a zero trust framework Decentralized identity is the salt and pepper you pass them together And so with that I'm going to turn it over to Mike to pick up from here Thank you Thanks, Heather. Great. Yeah, and I'll pick right up from that From that excellent overview. So what Heather was describing was really the Another building block, right? It was another component that we can use in our identity strategies and And decentralization is coming. So let me give you a couple of a couple of market view Ideas first so I'm not sure we had this slide. Let me just get through this All right, so here's where I want to start the market views is great. We're going to get to that a little bit later As Heather was mentioning these building blocks used for identity composition Interesting thing happened this spring at EIC Martin Coupa. Jericole Actually coined this new term Composable enterprise and he was talking about creating these building blocks these recipes that that organizations and enterprises can use to build their identity strategy and their authentication flows and So some really interesting things came out of that We're hearing the same types of of message that we've known and been promoting for a while And now it's being adopted by the analysts the analysts are kind of seeing the value and the opportunity of of having Organizations be able to really tailor their own experience So some of the things, you know plug-and-play obviously any easy to integrate Chain of trust ecosystems as Heather was talking about organizations are looking at creating their own ecosystems Around decentralization, but that's great. We have to be able to integrate that into existing Technologies in existing ecosystems today So it's awesome that that that could be your whole got behind this and really said hey the organizations that we're working with really need a more granular way to deploy their Authentication their access schemes then another interesting thing happened Gardner came out with a quote that reads pretty much the same way They're saying in the very short in the very near future There's going to be these these this notion of decentralized identity and people are going to show up with identities And you as organizations have to figure out how to deal with it, right? So We're seeing this across all different sectors of the it's not just limited to Enterprise it's also public sector fintech health utilities the full the full spectrum so really interesting now that we have two of the major players in the analyst space that are saying hey you guys have to have a strategy for decentralization because it's coming and And so we think it's very interesting to To lean into that with some of the technology that we've been developing So another thing that we have as a benefit here is we're building these trust ecosystems and it helps on every aspect So it helps us with the decentralization sure it helps us following those standards But also when we're controlling that data in a more privacy-preserving way It helps to accomplish all these other things that we hear so much about GDPR is much easier when you involve the holder the user you and I in the transaction So a lot of really good things are going to come out of this and it will make some of the compliance stuff that we struggle with All the time much easier Okay, and now I think I was ready for that market message But we're gonna start talking about some tactical Projects and this is kind of this is fun for me because every time we do a presentation People always look at it and listen and they go yeah, great, you know, we can build this technology But how do we use it? Is anyone really doing anything with decentralized technologies today and the answer is yes They are and I'm actually really happy to talk about some projects that we've been involved in with the Indeco team and others Trying to to put some real rubber on the road and get some real-world transactions out there as of today the state of North Dakota in the u.s. Is Is issuing a verifiable credential to every single graduating senior and Those graduating seniors contain and that that credentials being issued by by the state of North Dakota But if I as a university want to verify the information contained within that credential Which is the student transcript whatever else they decided to put in there I don't have to have any kind of association with the state of North Dakota They're writing this to a public ledger so it can be verified by anybody that has access to that public ledger and has been granted access to to verify against it and And so there are organizations that that are I mean we have universities that are checking those credentials We have employers that are looking for transcript information or high school education Information and they can do that without forming any kind of Federation or any kind of connection back to the state of North Dakota As the actual issue or that credential that's really that that triangle that Heather was showing that that's that is this is it Right, this is the reason we're doing this because it makes the verification so easy To get that trusted source and of course all the you know the the crypto behind that and everything is all just it is What it is right? We it's proven because the technology is solid all built on hyper ledger Indy Aries So and if you want to learn more about that project on Wednesday, I'm doing another thing on that On the as part of OSS at the trust over IP something We're gonna get a little bit deeper into the North Dakota education and actually show Those screens and show that in process and how it's working today in the wild Another interesting project is is a zoom attendee protection application that will actually use verifiable credentials to Restrict access to any zoom meeting that you choose so you can basically put in a filtered list of email addresses The attendees can can ahead of time get that verifiable credential put it in a digital wallet And then as they're entering the zoom meeting that can just scan a QR code and it'll verify whether they are Actually registered for that event or in that event and and of course that can't be spoofed because that credential exists Only one place in your wallet so somebody can't join that meeting Emulating you which is a big problem with with zoom attendee. So that's a that's a Another use case using verifiable credentials. Of course, it's not limited to verifiable credentials. We can use any technology to do private Identification Leading into that but verifiable credentials is a very very easy way to to do that verification and create those those Access control lists around your zoom meetings The third one was an interesting project we work on with the city of San Francisco in California We did a pilot with our partner Oracle to show verifiable credentials replacing Existing authentication for some of their public sites at the time of this project California had a hundred or San Francisco had a hundred and forty one public sites that their citizens could access and Pretty much every one of them had a different authentication process register, you know in our all your information We're gonna give you a password. So imagine being a resident and trying to sort through a hundred plus credentials Just to interact with your state government in about a month we took a System and we issued a an onboarding so that they could generate a city Identity and issue that to to their citizens to be held on a wallet on the smartphone and Then using ID ramp we retrofitted all 140 of those sites to use because they were all traditionally federated Right, they all had the ability to do SAML or OIDC or OAuth or something They just didn't know how to do verifiable credentials We were able to build a bridge between those and retrofit all 140 of those sites to be able to consume that citizen ID Credential that we took and we did that in like 30 days So it's still in pilot hasn't made it into the wild yet You're going to see things like that coming at you in the next few years as as public sector ramps up their use of verifiable credentials They're going to be many of these types of experiences Which give you the ability to not only hold the information needed to authenticate But also give consent right and what it's a very important thing when you scan a QR code or something to interact and log Into a site you are the one that's going to give consent Hey, this particular state service is looking for these three pieces of information. Are you okay with sending them and you can say yes Or you can say no But Google isn't saying yes or no for you, right? That's the important takeaway from this So incredible technology for privacy preserving Authentications it's coming fast and we're thrilled to be in the middle of it and doing some work in that in that area The last thing is really the ID ramp product I've mentioned we use that to kind of put all these things together but ID ramp is just a platform that allows you to plug in any identity source plug-in any service using traditional Federation protocols and And we can you know turn your identity sources into issuers turn your services into our turn Credential-based verifications in front of all your services writing the existing rails of traditional Federation protocols like Samuel Ooth and OTC so All right, so This is the I apologize guys. I have the wrong Presentation because this is going through Many different slides that we cut out. So let me just get through these and hopefully we have our summary Summary slide. So again, that's more detail information that I'm gonna present on Wednesday Not not relevant here So in summary Decentralization means we're ending right passwords. We're ending all of the all of the things that go wrong with that Verifiable credentials continuous authentication the building blocks really for zero trust. I believe have their foundation and Decentralization it's almost impossible to say we're going to create a zero-trust strategy Unless you're doing some fundamental things to remove passwords and give the user more interaction points with with the technology So in my mind the two are really hard to separate If you really wanted to have a good solid zero-trust strategy, you need to understand decentralization and how to leverage it All right, let's see what else we have here. All right at this so Some of the projects that we're leveraging and again This is a lot of work that we're doing with the indiceo team they are much more active in a lot of these projects than than we are and Doing some great work, but these are all the different open-source projects that we're leveraging and working with on a day-to-day basis and Really recommend you get involved in those and and learn more about what is Happening because there are some really cool real-world solutions that are happening today Some meet-ups here's places you can get involved in DCO hold of many and they're brilliant. They're excellent We hope to be doing a meet-up with them I think next month. I'm not sure but we'll be we'll be involved in some of these as well. So really great stuff and I think The the take the final takeaway is decentralized identity is ready for adoption now It's not something that is still being worked on you can you can build your ecosystem? You can leverage it and integrate it into your existing identity strategies today. So with that I'll thank you and we'll take some questions if we have some time Yes, sir No, I mean every app most wallet apps and they vary on how they're protected most wallet apps have a biometric either using the device Biometrics, you know Apple's face ID or Google's face or a biometric sensors, but you can certainly integrate your others I do know there are certain wallet projects that are using More strenuous checks on that, but if my wallet if I handed it to you right now, do you know good? You wouldn't be able to unlock it Because it's protected True. Yeah, but you know, how do we solve that? That's a tough one You're worried about more than your identity. Yeah Yes Sure, so the data in the credential itself is held only on your device That's the only place so the when the credential is issued. It's issued from your data source, right? So you can have it you can either say we're going to generate this based on Biometrics based on whatever or you can say because you're part of our organization's directory We're going to give you a credential for your employee ID when that process happens that information and that credential only lives on your smartphone That's it. It doesn't leave anywhere else. We take an associated record of that We take that that public key and we write it out to a ledger so that it can be verified But the data itself never goes anywhere other than on your device Are they're globally deployed Heather? I'll let you take that because that's more. Yeah, the the projects are globally deployed so within the governance you can also establish for instance if you don't want the data held in the United States or it has to be Held within a certain geographic region on the side of compliance The important thing is we do work with a number of governments and the key there is when they accept Information from a credential they still put it into their systems for the instance of clearing a border They for instance the government of Aruba has to hold your data for six months when you visit the island as a tourist and then their Instructions that they have to remove the data and so they still pull the data, but they're using Selective disclosures. They're only pulling what they need for the purposes of crossing the border They are holding that data within their government systems for compliance in their own auditing and then taking care of it Is their government requirements are but I think that's an important part is that the recipient the verifier Can hold the data that they need to hold for regulatory purposes just because the Holder has the data doesn't mean that there is the verifier doesn't receive it And then the verifier can choose where they're going to hold that data for the purposes of compliance Right, so that or you're a minor and you're trying to travel etc Guardianship custodial and that is work that is being done For instance, and we do a lot of work in travel and tourism So how does a family go on vacation right and you're all in all of you have Passports and who gets to control and manage that and so that is work that is actively being done for the purposes of use cases That they're trying to get deployed But the concept behind that would be the guardianship Component of the credential of the wallet and then what happens when when the minor turns 18 and So how do you make that transition as well? That's a big issue in education that we've had to deal with as well because you know when we're talking about credentials a lot of times Correct Where we see a lot of organizations is what we call start simple and then scale so they often start with the simple You know one person one credential and now they're at the point where they're realizing to scale They have to work through the guardianship challenges and in production deployments Absolutely and one of the areas and we don't have the slide up here, but the Cardia Project Linux Foundation Public Health they focus on Medical health credentials, so that's a group that is often talking about this issue and working through it So that may be a Meeting that you may want to join on Thursdays. It's Thursdays at noon Eastern time Mm-hmm and the interesting, you know kind of the for me the takeaway is It's so easy to get started and I think a lot of people are Really trying to look at the forest, you know, they're trying to get their head around the entire How does this work and the guardianship the great questions, right? This is great thinking But the takeaway that I really want to express is you don't need all that stuff right now You can move the needle right you can eliminate passwords in 20 minutes. It's so easy, right using this technology And you've got to start there and as you start and you build your ecosystem is Heather saying things just naturally evolve And you end up with you end up with this great You're building a better identity, right as you're doing this But but don't think you can't start because it's so overwhelming. You don't know how to solve guardianship You don't have to solve all these problems. You can start right now and make some real differences, right? Peter Yeah, I mean the tough part honestly is is the technology conversations are still happening so We will eventually get to the point where the technology and the soundness of the technology is a given Public ledgers are embraced and and then we move past that and we start getting to the business conversations Right now it's a little difficult some of the conversations Most of the larger enterprise organizations say yeah, this is really great build this one You know build this this thing and and that's what Heather was saying Yes, if they want to build their own ecosystem great because it really doesn't matter We have the ability to you know do some routing. This is just like TCP back in the days You know when TCP IP came out It was earth shattering right and we're working on right now the technology to allow these ledgers to these credentials to really trans transgress all these different ledgers so Doesn't matter if an organization comes in and says hey, we want to build our own great build it Okay, if you're okay with using a public ledger like North Dakota did awesome use it, right? So that's usually at least historically. That's where we see the biggest tripping points Is there so concerned about the granularity of the technology that they They have some paralysis in the deployment because they're they're overthinking it, right? And my to my point don't overthink it just do it and if it doesn't work for you then stop doing it But I guarantee you if you go through a process and hook in an existing directory of something Users of whatever it is and you wish your credential based on that You're gonna find a hundred different ways that you can leverage that in a decentralized way that you haven't thought of Because it's too hard to build those in this in federations and once you do that you're on your way So start small start now Education is a crucial part of this in the business development sales cycle As a result of that and the needing to it's not just one or two conversations You often are in multiple conversations and I would say the majority of that is education. It's not even Showing the comparisons and the value prop, but here's how it work And one way to help shorten the sales cycle is in DCOs created a number of workshops even down to one hour for executives and It's available for anyone to come to the website and engage with those But the idea there was that's what is being used to shits to shorten the sales cycle on this technology and speed up The adoption just simply educating in a consecutive in a consistent manner Hi, yeah, right So I'm gonna say all of the above There are multiple ways to monetize within the system and you can use all or none And I'll talk about why I say none In the monetization for travel there's The the root let's say the the government or the verifier is paying the issuer and for them the fact that At the estimate and when the projects we've worked on is 70 percent of all paper presented was fraudulent They're willing to pay To get rid of that fraud and so in that sense Yes, the other the other component could be the passenger pays But how does the passenger pay? Indirectly because we all know about all those little fees baked into your ticket, right? So even though they're not paying inside the the technology They're not transacting to exchange of value within the system They're transacting to exchange of value to purchase the ticket knowing that they are going to pay the airline for the ability To use this that's the second layer of monetization in the system And then the next part is the derivative credential So the government has said that this person can enter this country Well, there are a lot of other entities in the country that would like to know that that person is there with the government's approval Especially in travel and tourism and so then they're using that credential Maybe to let you into about nightclub or to sell cigarettes or whatever And they're willing to pay the government for the ability to do that So you have like an external monetization of it So from the use cases the monetization can happen in so many different directions It's just who finds the most value and from whom do they get the value from and then when I say in some cases They use no monetization. It's because the cost savings are really for either efficiency Because they're doing so many redundant procedures or there's sheer reduction in fraud They don't need to monetize out. And so that's one interesting way to look at it. Yeah, let me bring the enterprise point and first of all I think We as individuals Will pay for this one public sector picks it up just like we pay for our driver's license credentials and other things We're going to be on the hook for that in the enterprise though. Let's look at that use case if an enterprise is What's the single largest expense that any enterprise has to deal with today? It's the I am right. It's the identity infrastructure. Why is that because Thousands of users come through that for absolutely everything whether they're logging in or they're accessing an application They're all coming through that single point, which means I think it's very dynamic Constantly scaling up scaling down massive amounts of money if I say you're an employee of my organization I'm going to give you a credential and it's stored on your phone and you can now log into all of your applications Using that credential. I'm not that calling that information to the I am anymore I'm saving thousands of dollars every day on the auto scaling that happens that I am in structure I'm insulating myself from outages. So there's cost savings there I'm not calling the help desk to reset my password because I don't have one So there's massive massive savings of the enterprise can realize right now, you know with deployment this technology integration Well decentralization as Heather was referring to there are many public networks now that are work-wide The DCO network is couch. I don't know how many of us want and so and you can jump in and participate on that So it really tears down the borders Where I need ramp comes into it. We're really highly specialized in taking your existing identity, whatever those silos are Plugging them in and really decentralizing those. So eventually we'll start adopting these public sector identities as they come on the market You know, we're looking at the ideas very carefully I know that there's some work to do there yet and there's similar issues going on. So I'm hoping I'm answering your question Yeah Yeah, well, but and there are many many networks, they're European specific networks There's I don't know if the US specific networks, but they're all over the place Yeah, and it's really easy the DCO team. I think we worked on a project that citizen project actually with Oracle and The DCO team cranked out a network running in Oracle's environment for us in 40 hours. I mean it was stomach, right? We went from here's an idea we have to having our own network that we could control and contain in 40 hours So there's really really easy Yes I Absolutely absolutely and We're in DC. We've been putting together interopathons. We've done with Cardia Aries we did work to help support an interopathon. I think it was just last week. It feels like it was yesterday But I encourage you to look for these interopathons if not to participate But just dial in for an hour and and listen and watch what's going on because it's fascinating Just take what you hear in these sessions and actually see it going on in front of your eyes with multiple enterprises organizations Institutions on there showing what they're doing and having their credentials Passed between wallets and being verified by each other even if it's not use case specific They're trying to prove the interoperability of what's underneath The same direction And that's and that's not that far away, right? I mean, I think this is coming fast. So again, how do we expedite it? Get involved, right? Everyone in this room get involved. It's easy. It's cheap There's no heavy look. Just take something you have plug it in and start using it And now you're part of the solution I Think I think there will always be outliers on the question of the Middle East in the last couple months I've been very surprised on the approach from nations in the Middle East Especially those that want to attract tourists They're very sensitive about the outside perception of what governments do with their identity and therefore to open up their Tourism they're looking at moving to verifiable credentials for maybe not their own citizens or residents but maybe for tourists and people visiting their countries, which is very interesting because I wouldn't have expected that even six months ago But maybe that's the crack in the door for countries that may not want to apply it to their own citizens But they're starting to look at this in order to open their economies for travel and tourism I And I'll do an endorsement of your session tomorrow because He's done a tremendous amount of work over the last couple years And you should go look at the UN ICC's project and development They've won awards for it and I watch your work closely so Congratulations on everything in the progress that you've made in your team So definitely encourage you to go to a session and also talk with them in the hall about his team and what they've been doing so I think we've used our time and Yep, so thank you everyone for joining us today and we'll be around for the next two days So come find us