 Hi everybody. Welcome. This session is called From Technology to Business Proposition, Creating the Case for Decentralized Identity. So it's great to have you all here. How many of you are familiar with verifiable credentials and decentralized identifiers? A lot of you. Not all of you. We were prepping for this session and we decided we'd do rapid fire 101 verifiable credentials and dids so that we are kind of level set here because we've found there's lots of misunderstandings that people are hashing PII and sticking it on ledgers and that may happen in some projects somewhere but they don't happen in the projects we're talking about. So we have in our ecosystem model we have issuers who issue verifiable credentials. They do two things. They post a decentralized identifier along with some metadata about themselves including the public keys associated with that did. That's a did doc. Into some place that's lookupable that might be a block chain. It doesn't have to be. Some folks use a method called did web that jams this information into their existing DNS records but generally for public dids you need to look them up somehow. Issuers issue VCs verifiable credentials which is signed packages of metadata to holders. Sometimes the holder is actually the subject. I've heard this also be called the prover. They issue and then the holder subject has the power to share that information with whoever they want a verifier and the verifier goes down here, goes finds this information out and they're able to they share verifiable presentation and they're able to go and figure out using the cryptographic key material here whether the verifiable presentation is what in fact came from that issuer and whether it has been tampered with or not. So it's kind of the core verifiable credentials and decentralized identifier architecture that we're touching on today and considering what the business cases are and how we can move forward. So my name's Kalia Yang. My handle online is identity woman and I run a consultancy now with my partner Lucy Yang and we help businesses figure out what they might do with this fun technology and today on the panel we have Trevor and JP. Trevor is with Indicio and JP is with Trinzik and I'm going to invite them both to introduce themselves and tell us about what their companies do. Hi everybody, I'm JP. So I head up engineering at Trinzik and Trinzik is a platform to basically get going as quick as possible to really build products with this SSI space. So our main goal is to drive adoption. It's kind of whatever it takes to get real world usage adoption going. That's what I'm here for and I think that's what a lot of us are here for. So that's it. Thanks. Welcome all. My name is Trevor Butterworth. Despite what the name sounds like, I'm actually Irish, grew up in Dublin, spent most of my last 26 years in the US. I'm a co-founder of Indicio and vice president of governance there. So Indicio is based in Seattle and we are a global provider of software and infrastructure solutions for verifiable credential technology. All open source. All open source. Great. So let's start off with a question which is, in what industries are we seeing the most activity around verifiable credentials today? Well, as I have the mic, I will start. So just a little bit of background. We launched Indicio roughly around the start of the pandemic and what we've seen in the last two years has been a massive acceleration and interest in verifiable credentials. And I would say that broadly our major customers are in the financial services, specifically KYC in health, in travel, supply chains, and IoT devices. And I think that is something that people forget when they hear the word decentralized identity. They think of the identity information that we're going to carry, but actually the future is going to be dominated by devices that need identities and need decentralized identities if they're going to be trustworthy. Yeah, thanks. I kind of, we see the same general interest, right? I think on top of that, or maybe a different angle, is we see a lot of identity technology companies come to us. So companies that actually themselves, obviously with intrinsic focus as well, want to build an identity product. So we've got quite some interest from companies that themselves want to look at, we are an identity ecosystem and we want to build it out. So a couple of examples are, we have like Density, which is a very interesting one in the US. They are really building their own ecosystem with a lot of retail and other interesting parties to bring identity everywhere. So that's, we've, thanks for sharing where we're seeing the activity. And what do you see when you're interacting with your clients or prospective clients, what the major value proposition that this technology provides? So what we've seen is that our companies started journey through, they begin a journey typically with a training. So we have training workshops and that, the hands-on workshops, so the, for all skill levels, so both the business side, which is critical, and the engineering side can issue credentials. And once they see how easy it is, then that usually leads to a simple use case. And then typically, once they see how a simple use case can be implemented, then there is rapid expansion, they get it. And I, you know, I think that's, I think that is something we're going to, like in the next six to 12 months, we're going to see the end, well, that journey being taken by bigger and bigger enterprises and more and more use cases are going to be turned from proof of concepts and pilots into actual, actual implementations. Yes, so the customers that we're generally seeing and the questions they have, they tend to already know the space a little bit. So once they start to use Strinsic, when we start to talk to them, they've generally already built like a very small internal proof of concept, which is really interesting to see. We've got a lot of some kind of natural product-driven adoption go in where people come to us and say, hey, I've got this. How can I bring this further into the organization? Then at that point, we kind of get the same challenges, right, where we need to start talking to the business people, the legal people to kind of go through what does it do and why does it do it and what does it not do. So what do you tell those business people? That's what we want to know. Right, so one of the things in this journey that when they see how they can use verifiable credentials, it's not just simply about verifying identities. It's about an ontology for verifying data. So they see verifiable credentials enabling immediate actionable data. So that presents a very interesting proposition for, say, in the travel sector. And we have worked with CETA, which is the largest provider of infrastructure to the air transport sector. And their vision, when they originally began or were interested in this technology pre-pandemic, their vision was of an airport with no lines, no, or as we say in this country, no queues. And that, so that was the vision, the pandemic resulted in a divergence to cover, to deal with privacy-preserving proof of COVID testing and vaccination. So we worked with CETA and the government of Aruba to implement a verifiable credential solution for people so that they could open up the island, so people could travel there, and ultimately that they could board the plane and be checked all the way through a verifiable credential. And then, so when they saw how that was possible, of course, nobody really wants to even think about COVID anymore, they began, went back to their original vision. So then they've now expanded that to how can we create a digital travel credential that could effectively replicate a passport for seamless travel experience. So what I'm saying there is that the solve the small, learn the technology by solving a small use case. And then that just brings the realization of how it can be employed in so many different ways. Yeah, it's really like the second that I think that's what we're seeing a lot as well. Like the simplest proof of concept can really like sort of shift the whole industry around. We've seen some interesting things around data portability in and of itself. So rather than especially with big companies right, for example, a lot of employee movement having to synchronize the data everywhere is even the concept of I can just carry that around and prove who I am to different people. Just the fact that other parties don't need to synchronize continuously streams of data could be proven by an engineer spending an hour working and suddenly a whole business can shift its perspective. So I think that, you know, starting super small having that like really, really quick. Wow. That's how it works. And then, you know, the business departments and illegal departments generally will sort of follow as long as you're having a conversation and you're getting into that conversation. Yeah. So, so just before you hand it back to him, I asked what do you tell the business people? So I am personally generally not in those meetings. That's good. Right. But I think overall, the value propositions tend to differ per customer, right? But it can be lowering of compliance. You don't necessarily need to contain the data yourself. So therefore, you know, your regulation, the laboratory requirements are easier. This data synchronization problem, for example, is one where it's like you will literally be lowering cost of storage and difficulty on your back end. But yeah, there are details there. Yeah. Well, so, as I said, the high level concept is immediately actionable data and that covers a lot of ground. That covers fraud. I mean, obviously, the fraud is the huge use case that will drive verifiable credentials into mass adoption. That's what I believe. And along with fraud, you have zero trust. So if you're familiar with zero trust architecture, you know that you need continuous verification to really make it work. And verifiable credentials are a perfect solution for dealing with continuous verification. And let me kind of stop for a moment. In part, the problem is an abundance of riches. Verifiable credentials work on three dimensions, verification, privacy, and security. And sometimes one of the challenges is actually explaining how your business can be transformed in all three dimensions without burying a prospective customer under a massive amount of detail. So in part, one of the challenges we have is communicating. But the notion, what we have found in dealing with our customers, the things that resonate, the comments that resonate, and immediately actionable data is a comment that really resonated. Similarly, we moved away from, I mean, while we still talk a lot about decentralized identity, we moved to describing the ecosystem that you build with verifiable credentials. And we call this a trusted digital ecosystem. And again, you can quibble over the semantics of whether it's a trusted digital platform or a trusted digital ecosystem. But the idea is that you are creating ecosystems where verifiers, holders, and issuers can all realize value through that data because it's immediately verifiable and the governance within that system establishes who you can trust. You can act on it immediately. And I think that's going to have a profound effect on the marketplace. What challenges are you seeing out there in the market? I think it's a challenge that a lot of us have, but the challenge I think we're seeing is this actual real world adoption, right? So there's a lot of companies all over the world that are really interested. They want to run pilot projects, they want to run proof of concepts, everybody wants that. But the real challenge I think that we're seeing is people saying this is what we're going to take into production use case with millions of verifications and millions of wallets that kind of like, okay, the rubber is actually hitting the road. I think that's the challenge that we're seeing is the biggest, at least for transit, to sort of tackle, to help tackle the industry. Yeah, great. I'll just contribute to the conversation and say like last week there was a public presentation by USCIS, Customs and Immigration, saying that they were going to use verifiable credential format to issue digital green cards. So we're seeing some significant entities with millions of people, I among them, I'm a green card holder. And it's exciting. So it's just the beginning, I think you're right. And I think when you start to look at sort of emerging fields like the spatial web, where the proliferation of sensors and cameras will enable digital objects to interact with non-digital objects. How you, you know, everything is going to need an identity. Everything is going to need to prove that it should be where it is at a given point in space. So again, this is not going, this is not what you're going to see in a year or two years. But I think that one of the real drivers is going to be managing devices because there are so many more devices than people. There are a lot of devices, you're right. And if you have a non-COVID cold, don't worry, I've tested several times. It's the old fashioned kind we used to get. So in a few moments, I'm going to open up for audience questions. So if you have questions for any of us, please think about that. You touched on decentralized ecosystem governance. So I drew this little diagram of like the core transaction model. But to actually get an ecosystem going, we need more than just this. Because who the heck is the issuer anyways? And how do we figure that out? So could you talk a little bit about that infrastructure that we need for these ecosystems to work? Sure. And again, this is what we found was needed and worked for our customers. So we developed what we initially called machine readable governance to manage the information flows and the issuer trust in our pilot project with Aruba and CETA. So it's a serialized file that's published by the governance authority and which is propagated at the software agent level. So it's very quickly updated. It has offline functionality. And most important, it was the only form of governance that the government of Aruba would accept. Because they wanted to be in control of who got into their country. And it's able to combine sort of hierarchical jurisdictions. It's able to manage kind of Boolean logic questions. Well, if you see this, then you do that, and then you do the other, et cetera, et cetera. And recently, we're not the only ones that came up with this idea. So I know I think Daniel Buckner at Block has also been working on a similar thing. So quite recently, decentralized ecosystem governances become a project of the Diff, the decentralized identity foundation. So they're working on a standardization for this protocol. But again, the reason, the key thing was that this was, you know, when you're at the cutting edge of the market, you give what your customers want and governments want to be in control. Yeah. So technically, we've went for a slightly different route there. But conceptually, you know, we have the same problem where there need to be sort of issues in verifiers that need to be somehow trusted. So we have a trust registry system. We actually worked with the Asif project to build an open source trust registry following the specification. So, you know, that's where... Is that the train specification? Or like a cousin? It might be a cousin. I don't think they're here. So I need to check on the exact specification that we follow there. But, you know, I think that work is important. Like Trevor mentioned as well, we're really seeing that the basic model that is sort of envisioned there, there's definitely something around it where trust needs to be embedded and readable and usable by not just humans, but also the machines. So one of the aspects of the last two years has been how much you learn by actually solving people's problems. And so all these code bases and the concepts themselves are evolving as each new problem is solved. And so it's a very dynamic area to be in right now. And if, you know, I'm not an engineer, but, you know, or an architect, but, you know, our chief architect Sam Curran is around. If you want to talk to him about how exciting this area is, it is very exciting. But it's, again, the key principle is that at that, you know, there's a virtuous cycle between the more deployments we see and then the more innovation there is and then the more deployments we see and then the more innovations there is. And I think we've seen that especially in the last year. I'll add on top of, you know, registries are a key, key thing that is, as you said, on the cutting edge of innovation. But there's also another problem, which is how do you find the registries. So my colleague Lucy and John Walker have been working on the global COVID certificate network, GCCN, to build a directory of trust registries so that you could go and find the registries from other places and decide whether you want to use that registry because someone is listed in one of them. I think that's a key directory. You have to. Sorry. I think the directories are a key infrastructural part that we will see a lot more of in the coming year. And so it's really, it's a really positive innovation. Yeah. Great. So now it's, we want to open it up for audience questions. So if you have a question for us, please. Oh, great. You're even going to give them the mic even better. So we don't have to repeat it. Hi. I have a question around private key management, because I guess if you issue lots of credentials, you have lots of private keys, often in an audience that doesn't know how to handle them very well. What's your take on that? How do you solve that? Yeah, so that's definitely true, right? You will be carrying a lot of private keys around. I think for actual end user products, that should just be something that's completely invisible. Just like, you know, any other application you're using, you're never thinking about what keys it might use. So anybody, you know, anybody building products will have to think about it, obviously, on sort of the infrastructure point, but end users should never see it. And then there's plenty of, I think, quite interesting technology around keys, you know, distributing keys over multiple devices. So you have to require that multiple device to even just be able to get into these wallets to do the job. There's plenty of quite exciting, I think, research going on at this moment and actually being actualized to still be able to act on these wallets without necessarily needing those keys. So it's an exciting space. But really for end sort of product builders, they shouldn't have to think about, you know, these keys. That should be something that... I just want to clarify something in terms of this architecture. The issuer only has to have one key. One private key. Like, in reality, they might have several dozen or what, but the issuer can issue a million credentials using one key. The holder themselves also generates key material to receive the credential and the holder has key material in a digital wallet. But this issuer does not have to do this each time they issue a credential. They just have to do it once and they can use the same private key to sign millions of credentials. Thanks. I have a question about maturity. This pattern has been around for a long time and it's very elegant and we all like talking about it and eventually we all want to use it. I'm wondering if you could talk about the scale of the deployments you've seen and what key aspect of the architecture needs the most work from a ready for mass adoption perspective? A lot of the deployments we can't talk about because it's part of competitive advantage of the companies that are doing this. I think you will see some very interesting deployments in the next six months. I think one of the major obstacles is UX. So in order to, look, I once gave a presentation, so my background is working on data literacy. And I once gave a presentation to the Bureau of Labor Statistics at the, or rather the congressional, the federal statistical agencies in Washington, D.C. And I hired a UX expert to go use the Bureau of Labor, evaluate the Bureau of Labor Statistics website, and it was a complete disaster. And I think, unfortunately, because so much effort, so much of the effort and money goes into developing the tech, we can forget the absolute importance of modeling UX and UI. So the sooner, you know, the better that gets, the quicker the situation will, the maturity will happen. I would also say, you know, we just released a product which enables, is a complete, it's called proven. It enables you to build a complete ecosystem. It's got all the components, including training and support and upgrades. And it leaves you with a complete open source, you know, if you buy it, you've got a complete open source product that you can build on as you see fit. So we see these kinds of products as, you know, making the open source code basis simpler to use and simpler to adopt as driving the marketplace forward. Yeah, I think maybe a slight addition to that is pre-trinzic. We, I did some work at a previous company really trying to put some volume through it. I think at really high volume there is definitely work to be done at a lower level. But I think the community is sort of aware of that and actively working to get kind of the really high volume traffic going. So I think when the high volume comes, right, then they will be ready to sort of tackle those as needed. Just to repeat for the audience at home, what do you consider high volume? I would say high volume, you know, tens of millions of verifications a month, this kind of stuff at a singular point are relatively centralized places. I think there's a lot to be done in split up areas, but there's going to be these bottlenecks. And governments are a typical one, right? They've got millions and millions and millions of things that need issuing and checking and verifying. So I think those choke points will really, once we get to that adoption, will really start to show some cracks. I think one of the things that to touch on your question, something I actually have never heard our community talk about, but I've thought about in terms of the past between here and large scale adoption is there's a whole universe of people who focus on form filling out. Like the form people, I don't think we've figured out where the form people live. We haven't figured out how to talk their language. We haven't been like, hey, we've got a tool for you. If you have a form and they have a verifiable credential, how do we get it to fill into the form? Forms being the stuff that you fill out on government websites or even corporate, but governments are kind of the queens of forms. So I think there is sort of understanding how VCs fit into existing ecosystems and going and connecting to those other communities that play roles in those ecosystems today and really figuring out how these new things fit in as opposed to just imagining our systems replacing everything. I agree and really where the action is now is the sales. It's sales, sales, sales. That's the, it's marketing, it's education. Again, we can't just build wonderful tech if we don't explain it, if we don't market it and we don't sell it. Great. I saw a hand up over here. Thank you. Well, I totally agree with you, GP, when you say that to verifiers, it's about saving money. But a few times when I'm talking with the prospects and I told them, look, you can save money using verifiable credentials. Oh, nice. It's nice. And sometimes I also says you can generate heavenies. Then I got the notation. But how do you guys think about that? I mean, to generate values, generate heavenies for issuers, this kind of marketing, because generate values for issuers, for holders, we are talking about it. Companies like to talk about that because, you know, company has registered areas with decades of years and they never had generated value before. That's a chance for them to generate values. It's that right, I mean, in terms of self sovereign identity or there is a misconception here. I think the complexity of the market because it's such a fundamental thing is that kind of all value propositions will work, right? So issuers might be paying, verifiers might be paying, holders might be paying or like the value proposition will sort of kind of come to a point at different places. I definitely think that there's places where value can be kind of realized that people didn't realize before, right? There's plenty of places where you need to pay for sort of a paper for accreditation. I am moving to the US, so I went through a government fun period of literally having to file all papers and I've had to pay quite some institutions. My college, I had to go to like my high school and figure out how to get like the certain abstracts. We're not talking crazy amounts of money there, but like if it would be a set up system and everybody would be participating, you know, suddenly my high school might be making, you know, 10 bucks here, 50 bucks there from all these different scenarios. So I think, you know, it's such a fundamental technology and space to be in that whatever value proposition is there or like wherever that value gets crystallized, it will work. I think at least we've seen kind of all touch points of like who gets the most value or who delivers the most value work out. I would just to add one comment that hasn't been brought up. What has been very heartening is like in the companies we've worked with is the explicit non-negotiable desire for privacy, you know, privacy preserving features and consent. So that's, and again that's, we're seeing that with I guess you could say the early adopters who have internalized those values really strongly. But of course there's the legislation, the various data privacy regimes that, you know, force companies into doing this. But I think it's been really heartening to see how enthusiastic they are for privacy. And that, like, so one of the things we did with the CEDA project was integrate with health information exchanges in the U.S. So the 21st Century Cures Act mandated that patients in the U.S. should have access to the health data. But of course the, you know, the HIEs were, and HIEs sort of came into existence fairly recently. And the combination of COVID and has really, I mean, we saw health as being the area that would be the slowest to change. And actually I think that's a market that is now potentially, you know, more advanced than we thought. And it's in part due to legislation and the unfortunate events of the pandemic. Cool. Question. There's back there and then I saw you too. Oh, great. Where do you see yourselves navigating in the context of the big tech companies and what they're doing with identity and what they're bringing to the table? Great. I'll answer this one first. So I think one of the big challenges actually, and there was just some sort of document release with the contracts Apple's been signing with TSA, has been the potential because Apple and Google control the handset operating systems for them to lock out every other wallet and to lock them out by not giving them access to the internal phone APIs to have wallet parity. So I think this issue of the rights of other wallet makers to access the phone hardware is going to be a big one in the next year. And if it doesn't get solved in the next year, I think we're in big trouble. I think governments need to step up and regulate this. I have confidence that the EU is on this problem. I'm hopeful that we can with their latest rulemaking announcement coming from the Federal Trade Commission around data security and commercial surveillance that if you're in the US and you want to comment on that rulemaking about this, the comments are due October 21st, but it's a big deal that they control the handset and each of them have wallets. I think we as everyone who isn't them needs to be like, no, we need access and we need a level playing for wallets. You're not going to do the back in the day. Some of you, well, this audience is old enough to remember, but Microsoft shipped the browser with the OS and kind of drove things. So we're in that very moment where before that moment and we can stop it. So other comments about the two big tech? I think there's a huge competitive advantage for a big tech company to really get into data portability. There's been a lot of sort of messing around. There's been a lot of talk, a lot of excited talk, Web 3, Web 5, Metaverse. But we are potentially entering different paradigms where the walled garden, the silo is going to be challenged. And I think it'll be a question of, I think this technology represents a way for data to be free. And I think that will present a very strong value proposition to tech companies who are not fully sold on the walled garden approach. Yeah, maybe a slight kind of agreeing with both of you, maybe just sort of a different angle on the same question perhaps is sort of how we see it. I think obviously having the OSes implement a certain low level API that would be interoperable would I think for the industry be incredibly interesting, right? So there's definitely something that as a company we will aim to just be compatible with where possible and however quick we can be possible there. But I think there's the penetration level of these smartphones is obviously so big there's just, you know, they should do the right thing which I think that's maybe the question. And I might be biased as an EU citizen that I sort of trust the EU to sort of make sure that the right thing happens. But like if we presume in two, three years that the right thing has happened, then I think for all of us here and especially companies like us, there is also a really potential upward swing when that moves forward that can sort of take us all, you know, the rising tide story to a new level. So I'll say that if you consider Microsoft part of Big Tech, they're definitely a good actor in the verifiable credentials community. They just last week released and Entra, which I, which is, I don't know, I don't use their enterprise products. But I think it's in the active directory part of if you use their products, you can from active directory issue verifiable credentials to employees and others. So that's very positive in terms of a massive, you know, place that identities are managed in the directories of like millions and millions of enterprises that now have this capacity. So I'm going to go to this other person. Yeah, thank you. Actually, a follow up question on the edit value for different participants. It seems like most of the issuers are public companies. How do you look at private companies issuing verifiable credentials because, well, we did the proof of concept and we would benefit a lot if other parties issue credentials, but issuing our own credential, we give away information because a customer using a verifiable credential, we don't know where he uses it. If we use an API, we would know where it's used. One, two, we might be able to monetize. Do we see customers paying for verifiable credentials? Yeah, I think it really depends on the specific use cases. In certain cases, I'm a customer, right, and I paid for certain credentials, so I'm already doing that. And if that would be a digital one that I could selectively share with my lawyer and through my lawyer to the US government, you know, I have done that literally just a paper version. So I think it depends on the cases. It might be one of those, no, it might be. I think there's a certain market dynamic here that once enough people start issuing these, it will become more normal to say, hey, if you want to carry this credential with you, you've got to pay me five euros. I think it depends on the business model specifically, but if currently a customer or user would be able to get a paper version, it would be a similar process, right, where like you can walk around with your credential on paper and show it anywhere, and my university doesn't know whom I'm showing this credential to and what it's used for. If it's more private data and more parties would benefit from it, I think there's a good amount of industry consortiums going on. And I think I was just today at quite an interesting talk with Siemens, for example, actually to also this morning at the keynote where they really tackled with the ID Union project quite some sort of groundbreaking policy and sort of collaboration efforts there to make sure the different parts from different suppliers are operational in the same space. So it's kind of where we are now, I think it will require some collaboration if it's sort of quite competitive space where it kind of sounds like where you're at. Anything to add? So we have a lot of private companies using verifiable credential solutions, but the focus right now is largely risk mitigation, increased efficiency, and fraud reduction. And I think as verifiable credential technology becomes more and more greater mass adoption, especially in the KYC area, you'll see that there will be new ways of creating services and monetizable services and products around that mass adoption if we have interoperability, of course. That's the other key factor. So we got started a tad late, so we'll take one more question and then we'll wrap up into a coffee break if there is one. No, okay, well, there we go, one more. So my question is about public versus permissioned blockchains because few years ago I heard from many businesses they are interested only on permissioned one for identity and they don't care about Ethereum, for example. So is there anything changing in this area? I think there is. At Trinsic, at least, we're sort of compatible with a lot of chains, both permissioned, permissionless, and even chainless forms of doing SSI. I think different use cases or different customers will sort of want certain types of security, someone to be completely public, really accessible visibility, like an Ethereum chain or whatever. But then other customers will want something that's a little bit more permissioned, right? So I think there's, I've at least seen movement in there. I think there's a dead method called side tree, right, that gives capacity for the generation of decentralized identifiers using Markle trees anchored into Ethereum, the Bitcoin one, and there's one called orb, which I'm not sure where it's anchored. It's also a side tree one. So there's new tools if you want to just leverage existing private or existing public block chains and don't want to pay a lot for a dead generation. I mean, many of the permissioned chains have a cost per did to, like, this part of the process, you have to pay every time you put one on Jane. And there's also questions about the viability of the business models of those in the long run, like who's going to keep them running? And do they have a viable business model? So we'll see. I mean, it's going to be really interesting here in a few years in terms of how things play out and what the market really wants and what it actually needs to pay for and it's a journey. So with that, thank you very much, everybody, and we'll see you around at the conference. And yeah, great. Thanks, everyone.