So you have a single set of credentials; you have someone who is basically running the authentication, verifying that you are you and telling all the other services that you are you. Of course we already have this now. I'm sorry for Warren and the Google people, but we now have basically two big OTTs running this, Facebook and Google, and it's really good. You see it now everywhere on websites: a big "sign in with Facebook", "sign in with Google", but if you really want, you can sign up with your own account with email. So this is really a trend and it's very convenient. It's actually very easy to do and users like it, so it's been growing really fast in the last two or three years. But again we have a problem: since there is no interoperability, even if all the systems are more or less based on the same protocols, they don't talk to each other. So you have fragmentation, and in the end you have concentration, because websites would have to implement each and every provider separately, and so they don't do it for 200, they do it for two, basically Google and Facebook. And users cannot choose; you can choose between Google and Facebook, basically.
And then again this creates an issue with privacy and tracking, because whoever is running your single sign-on will be able to tell all the places where you log in. And if people try to do it in a more open way... this is actually a real screen from a hotel, which was the recommended hotel for the IETF OAuth security workshop; actually the OAuth people were meeting there, and since this hotel really tried to give you some choice, you had eight different login buttons to choose from. So this quickly becomes totally unmanageable and inconvenient. So we need some kind of federation, which is the solution. Of course you could have a very easy to use single sign-on which is also federated, so that you can choose your provider, you can have any number of providers, they can interoperate, you can actually get your identifier, you can even get a domain name and use a string in your domain name as your identifier. I will not go into detail. The point I wanted to get to is that if you want to do this kind of federated whatever, then you need some kind of discovery mechanism. You need a way for the website that wants to authenticate you to know who is running your identity. And this is what is missing. The protocol that everyone is using, which is OpenID Connect, based on OAuth 2.0 (there are also others, but OpenID Connect is most commonly used for this kind of use case), does support some kind of federation, but it is not deployed in this way. It's federation in the sense that you have many websites and a single identity provider, and that's it. So we really need a place to keep the directory of online identities and a way to look into this list. And where do we keep the public directory for identities? Of course, the web people do it on the web, since now they are also doing DNS over the web.
So there is actually a discovery mechanism which is already standardized in OpenID Connect, but it's based on WebFinger, which is based on HTTPS again, and a well-known URL, and so on. And so it has some limitations. By the way, it uses URIs as identifiers, which are really inconvenient. But the real point is that if you want to let people have their own domain name, their own identifier, and you want to apply this on a million domain names for one million customers, then you need to have a web server for each and every one of those million domains. So you have a million websites, a million certificates. This is really inconvenient for deployment at a big scale in which you want to have any number of names and of providers. And so, well, the web is so uncool. I'm sure you heard about this: of course, everyone is talking about the blockchain. Everyone is doing the blockchain. You need to be self-sovereign, whatever this means, but it's the buzzword. And by the way, of course, there are tokens and ICOs and money going on. This is really a big trend. Maybe it's been slowing down in the last few months, but it's really big; this is one of the big drivers around blockchain. And so of course you see all sorts of different blockchain identity projects. I took the screens like last summer, so some of them might be older, might already have folded up or whatever. But you still see a lot of different projects, ranging from IBM, which is of course very willing to make you self-sovereign, to foundations or startups. There are all sorts of players here. And so these people do it on the blockchain. They say, we're going to put your identity in a blockchain so that it's there, it's public. Then you have to protect it in some way, because otherwise it's too public. But then you don't put identities, in fact, because writing data into the blockchain is expensive.
And so you put pointers, or maybe hashes of the pointers, or something like that. It's not very clear. But the selling point is that this is decentralized. The nice thing is that we don't need a trusted central authority. We have decentralized everything. We don't need governments, we don't need ICANN. And there's even some standardization going on, even if it's not by the W3C but at the W3C as an independent effort. But there is some standardization. I went to a conference last year, in May 2018, and there was actually a guy who had tried to use a blockchain identity project for his own company. And so he did this survey. He went through a community website, went through the list of blockchain identity projects, and found 91 blockchain identity projects. 63 of them already had, or were planning or announcing, an ICO to raise money. But only 17 had a website which was more than three lines of "coming soon". Only three had some software, and zero had working software. This is not necessarily bad. The point is that this is really an immature technology. Maybe it could come; I'm not saying this is all crap. It has some merit, but it's really not there yet, at least. So if you want to build something that can work now, you cannot really use the blockchain. Of course, they're talking about this public distributed ledger, but the blockchain is not a solution. So, wait a minute. We already have a public distributed ledger. It's an open standard. It has many free implementations. It's widely available everywhere. It's been working very reliably for 30 years. It's secure, at least if you deploy the security extensions. It can scale; we know how to scale it and serve millions of people. It's actually regulated to prevent capture. Some people don't like this point.
They say, we want to be self-sovereign, meaning we have no governments, and we have no trusted authorities as well. Yeah, we already had a period in which we had no trusted authorities, no institutions, no states, and it was called the Middle Ages. I think we went beyond that. So I think that some trusted authorities are actually a good thing. But still, if you're worried about someone capturing the DNS, there have been 20 years developing regulation and checks and balances and ways to prevent someone from capturing the root and making it disappear and whatever. And it is actually decentralized and federated. So, it's the DNS. And this is the real point we wanted to make: we have to be aware that the DNS is actually a very good public distributed ledger. And we could be using it, we should be using it, for more than just naming the hosts and a few other things. I think it's also good for everyone in the DNS community, because the more applications we build onto the DNS, the more it stays relevant. But actually the DNS is very good to provide a namespace, which is a big problem for identities. Because with identities, people use natural names. Natural names are really bad as identifiers because they are not unique. They are not uniform; they don't have uniform formats around the planet. They are not even easily parseable. So in the end it's impossible to use real-world names as identifiers for online identities. And so you need some kind of namespace. And this namespace must be distributed, must be federated, so that you can still ensure that every identifier is unique, but you don't have any centralized place where one has to go and register each and every identifier and make a big database of all the existing identifiers. And again, this is a problem that was already solved 35 years ago with the DNS. It's the same problem.
So of course it's nice for people to try to develop new technologies to do the same stuff, but still, we already discussed this. We already found a way. And so if you use the DNS, you can actually assign your identifiers to identities in a namespace which is already naturally federated. And it's already familiar to users; everyone is already familiar with DNS-like strings. You can use email addresses if you wish. Or also, you can... I think in general this should be a good trend for everyone. We should really encourage people to get a domain name. It's cheap. It makes you independent in a number of dimensions. Of course, it's also good for those of us who make money by selling domain names or domain-name-related services. But in general I think it's really good for people to own a little piece of the DNS namespace. And also, the DNS gives you a discovery scheme, which is also, as I said, working very well. So what we need is just a pointer, so that you enter your identifier, or you provide your identifier to a website, and they can discover who is running your identity, which server is responsible for it. And again, this is a problem that was already solved for email. It's the same problem. So now we're doing it. I will show you briefly a little about our project. But we're doing it with a TXT record. We didn't get, or try to get, a new resource record type. I already did this presentation at the ICANN DNS symposium last year, and people were like, no, you need to get a new resource record; why are you polluting the space with TXT? Which is fine. But if you're an application developer and you need something to do, you start doing it with a TXT record. And then, yeah, in the future we will change, and then you never do it, because you've started deploying it. So I am aware of the problem, and I'm happy to hear your comments. But still, there are already a couple of independent Internet-Drafts.
There's no IETF work going on on these yet, but at least there are public documents and specifications that you can see. So it's very simple. We just created a very simple TXT format, in which you have the usual underscore name. And you describe a version number, who is the issuer of your identity, and who is the claims provider, which in OpenID Connect talk is the entity that is actually providing the values for your name, your claims for your identity. So this could be the same or a different entity. So in the end, this is actually a blockchain. I didn't want to bash the blockchain people too much. If you wanted, you could just then replace this with some blockchain mechanism. But at the same time, you have to do something which is available now. So the project is called ID4me. I will not go really too much into detail on this. I will go very quickly through the last presentation. There are some logos, mostly for transparency, but it's basically now a public consortium. There's a non-profit association consortium running it. And the point I wanted to make is, let's keep this. If anyone is interested, there's a website, of course. There are public specifications. There's a Java API in development. We have an international non-profit consortium, so we're trying to make this as open as possible. We have a prototype app up and running. There's going to be possibly a beta product launch in Germany, since many of the original promoters are in Germany, including DENIC, the top-level manager. And so there will possibly be a beta public launch at the end of March, and we'll start using it and see whether people like it and where it works. So again, of course, if anyone is interested... this was the advertisement part of the presentation, but apart from this, well, this is the website if you want more information.
But apart from this, the message I really wanted to give here is that I think it's good for the DNS community to find new ways, new content to put into the DNS and new things to point to, because it's really a wonderful service, and I think it's good if we keep it relevant and bring it forward with the new technologies. Thank you.

This is a bit tongue-in-cheek, I have to say. So, have you thought about maybe doing that with Ethereum DNS?

There's actually something. I think there's already something. Yeah, maybe they will succeed. It's nice to see people try and do stuff. In the end, people will see whether it's useful or not. So it's not like everything is bad about the blockchain. But I think that the centralized identity problem is also a big issue in terms of privacy and security and a number of things. So I think that finding a solution that can work immediately would be good. Even if, I must say, we are aware that it will be very hard to succeed, since most users just already use Google and Facebook and that's it. But at least we want to try and make something different and try to keep it open.

Could you explain the differences between your approach with the DNS records and WebFinger?

Yeah, the question was about the difference between the approach we have here and WebFinger. Basically the operation you're trying to do is the same one, because you start from an identifier and you need to do something to get the information of who is the issuer. The difference is that here the relying party that has to start the authentication flow just does a DNS query, gets the information through the DNS query, and then all the rest is standard OpenID Connect, so then it's the normal OpenID Connect authentication flow. If you do it with WebFinger, then the relying party has to do this HTTPS connection.
But by the way, it has to do a DNS query anyway, because it has to retrieve the IP address of the WebFinger server it has to connect to. So at that point in time, you just do the DNS query and you already get the information. There is one issue, and by the way, in this thing DoH might actually be useful to this project, because in the end one of the problems is that JavaScript applications have problems today doing TXT queries. So DoH, by the way, one of the good uses of DoH would be enabling JavaScript applications to do more than A and AAAA queries. Which could also be solved just by changing the way the APIs are done in the operating system, but still, in this case that might be helpful. But in the end, I think it's technically simpler, as long as you can make this TXT query, because you just do the DNS query rather than doing the DNS query and then the HTTPS connection.
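The relying-party discovery step described in the talk and in the answer above (a TXT lookup under an underscore label that yields the issuer and the claims provider, after which the normal OpenID Connect flow starts), as an added example that is not part of the transcript, the ID4me project or its specifications. The record label `_openid`, the version tag `OID1`, the field names `v`, `iss` and `clp`, the semicolon-separated `key=value` layout and the sample zone data are all assumptions made for this example; a real deployment would read the published specification for the exact format and query DNS (with DNSSEC validation) instead of the in-memory table used here so that the script runs offline. The `webfinger_url` helper shows, for comparison, the extra HTTPS request the WebFinger-based OpenID Connect discovery would make for the same identifier.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlencode

RECORD_LABEL = "_openid"        # assumed underscore label for the discovery record
SUPPORTED_VERSION = "OID1"      # assumed value of the version tag
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"  # WebFinger rel from OIDC Discovery 1.0

# Constructed sample answers standing in for DNS; none of these names are real.
FAKE_DNS = {
    "_openid.alice.example.": ["v=OID1;iss=id.example;clp=claims.example"],
    "_openid.bob.example.":   ["v=OID1;iss=id.example"],             # no clp: defaults to iss
    "_openid.carol.example.": ["v=OID1;iss=id.example;clp=claims.example",
                               "v=OID1;iss=other.example;clp=claims.example"],  # two answers: ambiguous
    "_openid.dave.example.":  ["v=OID9;iss=id.example"],             # unsupported version
    "_openid.eve.example.":   ["v=OID1;iss=https://idp.example/"],   # iss must be a bare host name
}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


class DiscoveryError(ValueError):
    """Raised when no single, well-formed discovery record can be found."""


@dataclass(frozen=True)
class Discovery:
    identifier: str       # normalised DNS-style identifier
    issuer: str           # host running the OpenID Connect provider for this identity
    claims_provider: str  # host supplying the claim values (may equal issuer)


def normalise_identifier(identifier: str) -> str:
    """Lower-case, strip a trailing dot and reject anything that is not a host name."""
    ident = identifier.strip().lower().rstrip(".")
    if len(ident) > 253 or not _HOSTNAME_RE.match(ident):
        raise DiscoveryError(f"not a DNS-style identifier: {identifier!r}")
    return ident


def parse_record(txt: str) -> dict:
    """Parse 'k=v;k=v' TXT data; reject malformed fields and duplicate keys."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not sep or not key or not value.strip():
            raise DiscoveryError(f"malformed field {part!r}")
        if key in fields:
            raise DiscoveryError(f"duplicate key {key!r}")
        fields[key] = value.strip()
    return fields


def discover(identifier: str, lookup_txt=lambda name: FAKE_DNS.get(name, [])) -> Discovery:
    """Resolve an identifier to its issuer and claims provider via the TXT record.

    lookup_txt(name) must return the list of TXT strings at name; the default
    reads the constructed FAKE_DNS table. Exactly one record with the supported
    version is required: none means the identifier is not enabled, more than
    one means the zone is ambiguous and the relying party must not guess.
    """
    ident = normalise_identifier(identifier)
    name = f"{RECORD_LABEL}.{ident}."
    matches = []
    for txt in lookup_txt(name):
        try:
            fields = parse_record(txt)
        except DiscoveryError:
            continue                      # unparseable records are ignored, not trusted
        if fields.get("v") == SUPPORTED_VERSION:
            matches.append(fields)
    if not matches:
        raise DiscoveryError(f"no {SUPPORTED_VERSION} record at {name}")
    if len(matches) > 1:
        raise DiscoveryError(f"ambiguous: {len(matches)} {SUPPORTED_VERSION} records at {name}")
    fields = matches[0]
    issuer = fields.get("iss", "").lower()
    claims = fields.get("clp", issuer).lower()
    # Both values become the host of an https:// URL later, so only accept host names.
    for role, host in (("iss", issuer), ("clp", claims)):
        if not _HOSTNAME_RE.match(host):
            raise DiscoveryError(f"{role} is not a host name: {host!r}")
    return Discovery(ident, issuer, claims)


def webfinger_url(identifier: str) -> str:
    """The HTTPS request WebFinger-based OIDC discovery makes for the same identifier.

    OIDC Discovery 1.0 uses https://<host> as the resource for a host-name
    identifier, so the relying party resolves <host> in DNS anyway and then
    still has to open a TLS connection to it.
    """
    host = normalise_identifier(identifier)
    query = urlencode({"resource": f"https://{host}", "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"


if __name__ == "__main__":
    for who in ("alice.example", "Bob.Example.", "carol.example", "dave.example", "eve.example"):
        try:
            print(who, "->", discover(who))
        except DiscoveryError as err:
            print(who, "-> error:", err)
    print(webfinger_url("alice.example"))
```

Once `discover` returns, the relying party feeds `issuer` into ordinary OpenID Connect provider metadata retrieval and proceeds with the usual authentication flow; the TXT lookup is the only non-standard step. Without DNSSEC validation on that lookup, a spoofed answer would redirect the whole login to an attacker's issuer, which is why the talk's "secure, at least if you deploy the security extensions" caveat matters here.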