 And we are live and sure it's all yours. All right, great. Thank you so much. Welcome everyone to the Identity Special Interest Group of Hyperledger for October 19th, 2023. Today we will go over working group status updates. That probably won't take too long since a lot of groups have not met for IAW. Last week, and then we will have a presentation from Daryl O'Connell of Continuum Loop for an update on the wallet report, the emerging trust layer, trust registries and interoperability. So really looking forward to that. Since this is a Hyperledger Foundation's call, we are following the antitrust policy. And as a Hyperledger call, we also are following the Hyperledger Code of Conduct which are both written and linked here. And we're of course recording this call and we'll post it on the meeting page later today. We're also live streaming it. I'll send out the Wiki link as well if you'd like to follow along with my screen share. Let's see. All right. Introductions, I think there are a lot of familiar faces on the call today, but if anyone is new or joining the community and would like to go off mute and say a few words about what they're working on and why they're interested in this group, that would be great. I've sent out the Wiki link as well if you'd like to add your name to the attendees list, that would be wonderful. Are there any announcements or anything that anybody wanted to share before we jump into our working group status updates? All right. So in terms of the working groups that we are tracking, we'll just give quick highlights and then feel free at the end of the working group status updates to speak up in a little more depth about any topics or working groups that you are involved in and would like to share about. Also, did anybody among this group go to IAW? If so, it would be great to hear your impressions and experiences, any interesting takeaways from anyone who was able to attend this past one. Oh, sure. I was at IAW. It was very interesting, a lot of big strides have been made and things are really coalescing around open ID, Cary and the W3C all have, their versions of credentials all have a lot of interesting use cases and things are solidifying in ways that didn't always seem like it was when I started getting into that identity community. So it was really cool, a lot of cool projects and that was my overall impression. Yeah. Yeah, thank you. Thanks for sharing that. That's great to hear that there's lots of good progress. Great, any other IAW attendees who would like to share about their experiences? All right, let's see, going through our working group, working groups that we track and the indie contributors working group. Let's see, most recently we talked about, there's a Google form with the questions about whether we want to create a new project or fork from the current projects and naming as well for the initiative, for the indie 2.0 initiative. So there's a Google form linked here, so feel free to pass that along to any interesting and interested parties. Let's see, in the areas working group, like a lot of groups lately, they've been recapping IAW and talking about their takeaways and experiences for their group and as well, they've been discussing credential protocols and unqualified dids. For Aries Beifold, I'm not too sure of their new meeting cadence, now that they're back from hiatus, but haven't met since our last meeting. If anyone does know or have any updates there, feel free to jump in. Let's see, for Akapai, we've been talking about the next release, the Please Act protocol. We had a presentation based on a current BC Gov code with us on load testing Akapai based issuers, verifiers and mediators. And then as well, discussing IAW. Let's see, in Aries Framework JavaScript, they are moving to the Open Wallet Foundation. I should probably create a new section on this for our list. They're also discussing the separating the storage layer, it did come V2 and next releases. Let's see, and then Anon Creds, I think they skipped their most recent meeting in favor of IAW, let's see. So that's a very brief overview of our Hyperledger working groups that we track. In the Trust of our IP Foundation, they had their all members meeting yesterday formed a few new task forces, including the credential exchange protocols task force, issue where requirements task force, and did web as task force. Let's see, in terms of some of these other groups, I, as far as I can tell, they haven't met as recently probably because of IAW, but in the concepts and terminology working group, they've had a lot of progress working on the TOIP Glossary Workspace document, which now contains over 300 terms, and then lots of progress as well on the terminology engine V2. So that's a super brief overview as well of the TOIP working groups. Let's see, we've already reported on the DidCom spec working group because they only meet on the first Monday of the month, had a bit of trouble finding the DidCom users group recent happenings, but I do see Sam Curran on the call. Would you be willing to speak at all to what that group has been working on lately? Sure, we're bad at keeping meeting notes, which is why you're bad at finding them. That's our fault, not yours. The discussion this last time was about IAW and related topics, and kind of what the discussions were and what that was like. There was some discussion of using DidCom protocols to kind of fill in the out of scope gaps around the open ID for VC protocols, things that are not really defined in scope of that. There's some areas where DidCom can help and the use of them together can be beneficial. So that was kind of a quick discussion there. Great, thanks for that update. All right, let's see. It looks like the IoT special interest group had a recent meeting on October 11th with the recording linked there. Let's see, and then had trouble finding too many specific notes on the community credentials group calls, but those are linked there if you'd like to delve more into those. So let's see, from here, if people have other working group updates that they would like to share, and I went pretty quickly through all of these, so if you want to share in more depth about any of these groups or outside of these groups, now would be a great time. All right, well, I think that unless anybody has any, anything they would like to speak up with, I think that concludes our working group progress updates and I will hand it over to Daryl for your presentation. Perfect, thanks, Shar. Thank you. I will share my screen. I believe I have the right screen. Here we go. So I wanted to give a quick update on the wallet report. Folks in the stake reached out and said, hey, where are things? It has been over four years since that thing dropped, so it's timely as we're doing a bunch of work right now. We were looking to do a refresh. We actually aborted on the refresh because we've learned new things. One of the key messages you'll get here today is that the wallet report was really never about wallets. We created it due to a frustration that wallet was being used far too liberally as a term and we needed to understand what it was so that we can make forward progress in the industry. So a quick thing, I'm the founder of Continuum Loop. We work with groups basically to design, build, deploy and grow various different digital trust ecosystems. We created the wallet report back in spring 2019. Later it became sort of a consolidated and slightly updated edition, chapter nine of the self-sovereign identity book. Just give me a quick idea in the agenda of what we're gonna go through here. So I'm gonna give you a really quick update. One slide, actually two slides on wallets and agents. Then I'm gonna jump into three topics if we have time. Warning, this is a new presentation. We try to do things under a timeline, but we'll do our best to make sure we get the last topic of interoperability. As I mentioned, we started to do a refresh of the wallet report and we were going through things and realizing that in the four years since we pumped it out, a lot of things had changed. Some of the details of the wallet reporters are still very, very relevant, but more important is what has happened since then. There's three different trends to consider here. One is the, what we're calling the emerging trust layer. I'll get into what that means. Trust registries as a construct have been consuming a lot of our time just due to the business value that they create. But also if we have time, we actually, this is actually something that this new report we've created, which is hopefully gonna drop next month, had three sections, it now just does have three, but we cut the interoperability section. We actually had a what's new, what's changed, what hasn't changed for the wallet report. That section's been cut completely because we learned so much about trust layers, trust registries, and what we're calling registries of registries. But interoperability is a key theme that I think our community really needs to wrap its head around. But if we don't get there, fine. I will be recording something and share that out, our team will share that out once we get that out probably this month. So quick timeline, 2019 is when the report drops, 2020 is when the book dropped, also the trust over IP foundation was created. I'll cover off why that was, why we created that foundation. I'm one of the co-founders. It was largely about governance and technology. 2021, we got into some interesting work that seemed to go nowhere. The Good Health Pass COVID credentials initiative, I guess technically a good health pass because COVID credentials initiative is a separate thing. Really was created to help say, hey, how do we apply our technologies to solve the fact that we really needed to to be able to prove COVID negative? What I say, it didn't happen. It didn't happen that way. We don't like the format that was used for COVID credentials. It's not part of what we're talking about here with verifiable credentials. It's a very simple, non-privacy respecting approach. But let's remember that the world recognized that particular format of credential. The Good Health Pass way did not happen. So it didn't reach that deliverable. Lots of reasons, but a lot of it is we weren't quite ready as an industry. But lots came out of it. Lots of learning, because it was a concrete problem that actually had real world impact. We got away from a lot of the academic discussions that we tend to do it at various, and in this industry, especially at IOW having just happened last week. And then recently, not a lot happened in 2022 that I mean, it wasn't worth going into, but a big thing happened in 2023 because the Open Wallet Foundation was created. Interestingly, this is kind of an update on the Wallet Report, and I'm not gonna deal too much with the Open Wallet Foundation, other than to say it's an open source organization that is gathering and building up a library to meet generic wallet needs, which to me is fantastic because there's already been a lot of money spent on wallets, more will be spent. We're kind of in a wallet wars, just like the browser wars. And if we can short-circuit some of that fight and some of the waste that's gonna happen, perfect, that's awesome. So I wanna just quickly go through what the Wallet Report got wrong and right given that it's just, it's over four years now since it dropped. Agents, I'll actually deal with a particular slide. We got some of it wrong, but I'll explain why in a moment. We also, we predicted a couple of things like single-purpose wallets at Wallet Apps to our knowledge, the only adoption that we have seen. I'm not seeing any generic wallet apps that have wide-scale adoption and use. They're embedded wallets. These are single-purpose, what am I doing? We deployed one for member pass. Lots and lots of solutions have embedded wallets, many of which we don't even realize are using SSI patterns. Some would argue that Apple Health is an SSI style of solution. Not quite as self-sovereign, but hey, we also were wrong and right on a couple of things. We predicted that there would be a lot of cloud and custodial wallets. We have definitely not seen the ability to get one for me, but we've seen lots of solutions that are using custodial pattern with self-sovereign identity approaches a lot. The one exception being that what was known as the trust hub when we wrote the report now has morphed at diff and is now the decentralized web node, which is kind of getting there. It's getting there, but it's not, hasn't reached a real adoption level yet, but it's starting to happen. We will discuss if we have time, what we were right about, which is that we were being premature on interoperability and on standardization. And that has hampered progress in my opinion. Last one, trust or just if we were right and wrong, right in that we knew that they were needed, wrong in that no one understood what we were saying. No one really used the term trust registries back in 2019. Trust registries as a construct are really coming into their own now, four and a half years later, I'd say started about three years out from the report about a year, a year and a half ago. I wanted to discuss agents specifically because agents were one that we were kind of seeing the future and we're still seeing the future. We're not at all where we thought we would be by now. We're just not seeing the adoption. The only agents we're seeing are mediator agents and issuers verifiers. We're not seeing any of the agents for me. We're not seeing any agents for my personal use, for the enterprise, except when we hear the word agents, we're hearing AI. That's not SSI, but it does come into play. Part of the reason was a naive understanding that in 2019, which I think the whole industry was guilty of, of understanding, where were we really? Where, what needed to happen? What must have, what had to be true in order for adoption to actually happen? We're just starting to see that now, four and a half years later. And this is the nature of technology as you know, whoever, you know, apocryphally attributed to Gates, statements sort of like the following is we under, we overestimate what we can accomplish in one year, but vastly underestimate what can be accomplished in 10. Now, we're almost midway on that line. I'm going to jump into a new topic here, which is what we're calling the emerging trust layer, which if you take a look at the internet, the news any day, pick any day you like, you're going to see the stories that talk about the identity in broken. This one's actually from June, World Economic Forum. We're one of the contributors to this. One of their bold statements was, you know, the internet lacks an ID layer. I think that's actually not the right term and I'll come to that in a moment, but just generally trust is eroding. We're seeing recent study and episodes on Canada, for example, has dropped 15% in over three, just just over three years of people who are trusting the internet. We're seeing things, and that's prior to a generative AI being released. This is just from this week from Singapore that trust in digital space is under pressure. People are understanding that this is just happening constantly. The good news is, and so the statement we're making is that the internet is missing a trust layer. Forget identity layer. Identity is a component that's necessary, but it's not sufficient to create trust. There's a reason we created trust over IP as a foundation. It's trust was the word we were working on, not just identity, identity is well embedded in that, but it's not alone. But my bold statement is that really is, and this is what I think trust over IP is for me at least, that the internet is missing a trust layer, we're fixing that. Jumping over to trust over IP foundation, if you're not familiar with what we do there, one of the big things, really the big thing that we do is we do a dual stack approach. We take governance and technology and we make sure that they work together. We've done this over what we call a four layer model. This diagram is already out of date. It's being revised, but the general idea is there is, I'm gonna just pull this up here. We have things that we need to support the trust in general, both on a governance and on a technology basis. We have to be able to span trust. This is very much like IP was a spanning layer and I'll talk about that in a moment. So you'll understand maybe the concept of spanning. It's not important for this discussion, but maybe it'll resonate. We have these things we do to accomplish to do tasks. And if we do them right, we create what I call trustworthy ecosystems. The background behind this again is without governance, without understanding governance, both in leading it into the technology. So the technology has embedded governance, but also so you're handling the stuff you can't embed is critical. If you try to do tech by itself, good luck. As a CTO of founder of multiple companies, I used to believe that technology was solving 90, 95% of the problems. I am completely upside down on that now. It is 5% to 10% of the problems. The rest is governance, operations, how do you socially make change? That's actually the hard work. But I wanted to talk a little bit about this pattern here. This is called an hourglass pattern. And it's, sorry, let me jump, this is my next slide. So I want to talk about this thing does. What does this trust spanning layer allow us to do if we do this properly? We want to make sure that we have three key things here. Confidentiality is where basically, if I'm allowed to both share information over a channel that is confidential to the parties involved, that really starts to empower me to do a lot of different things quite different from the internet right now. We're starting to use encryption, but that's not necessarily providing the confidentiality, but it is sufficient. The trust spanning layer actually really drives the confidentiality that we need. But then we have this concept of authenticity, meaning, if there's two parties who are sharing information, how do I know that that's really my bank, which is starting to get into SSL and yes, it's their URL and stuff, but really that's not even sufficient now because we see spoofed, the Bank of America is not BankOfAmerica.com. The BankOfAmerica.com could easily be North Korea taking your credentials. But also when we look at that, we have a mutual authentication problem and then that's client server. I can authenticate, I know that's the bank, but the bank really has no idea who I am. Username and password is their default to come back to that. When they wanna add that up, great, they'll text me a message, which as we know is not overly secure. So we don't really know who the parties are in a transaction. That's partly technical, mostly not, and I'll explain what I mean in a moment, but also privacy. How are we keeping that information private so that only the parties involved really know that one, the conversation maybe is even happening, or that we just have those proper privacy concerns are taken care of. Are you gonna honor the agreement that you're not gonna take my driver's license information, put my address in and start mailing me stuff or take my email and start spamming the living hell of me or try to take my identity? This shape though, I wanted to talk a little bit about this hourglass shape because it's a familiar pattern. When we look at the four layer TCP IP model, really if you take a look at it, the IP layer, that address, and there is other stuff in the IP layer itself, in the IP spec, it's really not used, but the magical part is it all we had to do was agree on IP layers. We could then do stuff on top, which was transport related. If you get into TCP, UDP, you'll understand the fundamental difference, but really it is these things that allowed the internet to become what it is. It was properly layered with a simple spanning layer, which is called of IP. That's where we're actually doing the trust work and the trust spanning protocol. I'm not gonna get into that today. That's a big topic onto itself and we're gonna talk about what it means though. This is called the narrow waste of the hourglass. But what I also wanna share here is that we've heard the outside from trust over IP is that people are confusing that we're trying to replace the internet. It's like, no, no, no, it's trust over IP. It's not instead of IP. Really what it looks like is this, where the trust spanning, that this overall trust layer sits on top of, it's an application on the internet itself. So what does it do? We have concepts of two types of trust, technical and human. Technical means we can code it, we can understand it and we can do it automatically. What we can get to a certain level of trust, but if we discount, authenticity and privacy are largely human trust things. They're driven by governance, they're driven by social constructs. What authenticity means to me when I'm having a chat with someone on Discord is wildly different from me having a chat with my banker, my financial advisor, my lawyer. Totally different, same technology perhaps. We may decide that the human trust has, no, no, no, even that technology is not sufficient. We need to go up a level. But authenticity and privacy are human constructs. This human trust really builds on, but also influences technical trust. These are not above each other. They really, the technical trust supports human trust, is that in that, if technical trust doesn't do its job, I can only get to a certain level of trust, even no matter what I do in the human front, or I have Herculean efforts to do something. But similarly, human trust will refine what's necessary. I may say, for example, you need to use a particular crypto suite because that's my rule. And technically, easy to do. I may have other things, but they require each other as a key thing there. They really allow trustworthy digital ecosystems to be created where I can actually believe in and trust in an ecosystem that I'm doing the right thing with the right people. It also enables deep governance. There's not, there's a coincidence here, but not really that we've got human trust and technical trust. Really, if I look at the technical stack, when I look at the trust over IP diagram and the governance stack, really that's the human side of things. Now, underneath this jumping into a new topic is the trust layers supported by trust registries. I'm not gonna explain what that means, but first I'm gonna go back in time. Bunch of us, anyone here who's been doing anything with verifiable credentials will understand this and I will go relatively fast. But the idea behind the trust triangle is that we have an issue or has a public did who issues a verifiable credential to a holder who later shares a proof. And what this does on a cryptographic basis is it lets the verifier know that the holder has not tampered with anything. Things were signed by the issuer and it was as issued at that point in time. And there's an implication that they can trust the verifier. The problem is that this trust triangle is not sufficient. It's not enough because I could just as easily be service Ontario issuing a driver's license from the government of Ontario or I could be a high school student issuing McLovin a driver's license from Hawaii for $25 paid in Bitcoin. We don't know the verifier, also the holder, those are the problems here but the verifier doesn't know that the issuer is actually authoritative. Do they have the authority to issue a driver's license from the province of Ontario? There's no answer there. I'm gonna jump across into one particular credential which kind of shows the problem of trust registries why trust registries are necessary, why we need to be able to access them broadly and simply. But if I take one kind of credential and talk about it in one flavor, mobile driver's license ISO 1813-5. It requires an issuer list. There is no standard way to retrieve this issuer list. It just requires an issuer list. Every country does it differently and can do it differently, will do it differently. It also will vary state by state, province by province, canton by canton, prefecture by prefecture to cover off just four countries, US, Canada, Switzerland, Japan which is some working examples we've actually been applying some of our trusters you work to. There's lots of other ways to look at this. You can have national driver's licenses. In Canada, we have a military driver's license which is issued federally. It gets confusing really, really quickly. So US is managed by a group called AMVA. I can't remember what AMVA stands for but basically it's the DMVs as well as industry players who are saying here's the definitive list. This is it. It's a webpage has a download button has a bunch of download buttons actually because it actually has a URL with a timestamp that's changed depending on when it was issued. So there was an issuance in August 7th, August 8th and the most recent checked on today, earlier today it could have changed since then is a file with the file name of 0816 2023. How am I supposed to know how to get this? If I'm deep into driver's licenses such as I'm supporting a law enforcement or a department of motor vehicles application I'll probably know who AMVA is. I'll probably do the homework. This is a norm in Canada to figure out the Canadian equivalent which will look wildly different but I'm gonna stop here because it's really hard to drive further. I might go as far as Mexico but I'm not sure how rigorous their system is. So I may just say no, it's only US and Canada because keeping track in this is really, really hard in your own country knowing when a province has stood up their digital driver's license program is important. Otherwise you're gonna have a high school kid saying hi, I'm the promising New Brunswick would you like to meet Mr. McLeven? Internationally it gets even harder. There has got to be a business reason for me to do the hard homework of finding out when all I wanted to know was was this a driver's license issued in a country by an authority for issuing driver's licenses? That's actually not a hard business question getting the answers is really, really hard. This is where trust for disease help. As I mentioned, the triangle is not enough. We learned this and part of this came out of this is one of the nuggets of awesome that came out of the world of good health pass that work we did as a community that didn't deploy but the learnings were absolutely utterly invaluable. So the triangle is not enough. Again, you've seen this slide. We don't know the verifier does not know if the issue is authoritative. So what do we do? Here's a hint, it's not a triangle it's a diamond and it's anchored by governance. This top part of the triangle, the triangle really could be done completely technically but if you don't have governance you cannot answer the question, can the verifier trust that the issuer is authoritative? What really happens is in a governance framework a governance authority one maintains a governance framework but they manage the list of issuers who are valid. They may also manage the list of verifiers they may manage the list of wallets that are available. We'll focus in on the issuer and stuff but the critical point is that governance framework and the governance constructs because there's always social and legal mandate that go beyond governance frameworks is critical but how does this work? So if we take a look at a concept where governance authority is running a trust registry they're gonna make sure that the issuers and verifiers if they're doing both are valid whether you have an authoritative issuer and an authorized verifier that they're listed in a trust registry. Later when necessary, oh sorry, let me jump in here. We're gonna use dids here, decentralized identifiers which most of us would already know what that is which also by the way supports X509 so we can handle the other, the PKI realm because there are some amazingly solid trust registries that are X509 based. There are a lot of X509 certs out there that are utterly effectively useless. I would say the CA authorities for browsers have basically just said this is encrypted. You've lost the governance of that but there's a ton, IKO passports, classic X509 based hierarchy that has been working for decades especially digitally over a decade now of digital passports or passports that can be used digitally. Very important to support those, but here's what happens. The verifier when they wanna say, hey, is that really Hawaii or is this a high school kid issuing McLovin driver's license? They wanna confirm that the issuer has the authorization to issuer. Perfect, they ask a trust registry, a simple question. Does this did have this authority? Yes or no, they get an answer. Similarly, I may actually as a holder say, listen, I just was asked to provide my full driver's license at a bar. Is this entity authorized in this province or state? And if not, what am I gonna do? Well, I might report them to the privacy authority. That's a little bit beyond scope of a trust registry though that's quite possible in a trust registry itself because we need to get an answer. Where do I get an answer for a particular ecosystem? That's what trust registries do. Here's a day-to-day example. Even just in the physical or using Apple Pay, here's what their credit card networks have a few different players. They have a bank, which is issues credit cards. They have card holders who are holding these cards in their wallets and we have a merchant who's accepting it. Behind it all is a governance authority, which is maintaining a trust registry of all of the players. This is highly simplified. Maybe initially when Visa, MasterCard, Visa being the first was created. There were only a few players, only three or four, maybe five. There are now over 50 known defined roles in the governance frameworks of credit card networks. And if you take a credit card network and take away all of their technology, they're still valuable. If you take a credit card network like Visa, MasterCard, AmEx, Discover, China Union Pay, whatever, and you take away their governance framework, there is no more value. Their value is in their governance framework and how it becomes instantiated on a technical basis in their trust registry. So these things are critical because they also are the anchor point for digital trust ecosystems. Every ecosystem, if you don't need a trust registry, you probably don't have an ecosystem. Your trusters, you could easily be a simple file that you pass around. That's all it has to be. But largely speaking, any dynamic ecosystem is getting a little more advanced than that. Because these things, as I mentioned, they tie the technical to human trust. They answer the question, beyond even confidentiality, authenticity, and privacy, what do I need to be part of this ecosystem? How do I play? What do I get when I play? What happens if there are problems? Trust parties help us answer these questions. They tie that technical to human trust together into this trust layer. Again, this trust layer is emerging because it brings in the governance to play, brings it to play where it's necessary. One of the things that in a prior meeting, Sam Curran was saying, is that governance is on a technical basis, not getting as much airtime at IOW. Part of that is because the constructs are kind of there to do the technical part, but the governance part is not necessarily, in my opinion, not. It's not a technical problem. There's technical interleave, but it's a human problem to solve. You need to figure out the governance, the operations, et cetera, for that. But you have to remember that you are in many, many ecosystems. Everything you do, the odds of it being single ecosystem are pretty slim. This is an example in the report that we're releasing. I'll describe it verbally, but visually. This is in the report that we're releasing late this month, next month. And it describes simple movement of funds. It's a simplified example of what it takes for me to move money from Canada to the US, from Canada to Sri Lanka, from the US to Switzerland, whatever the movement is between two countries. We're gonna have multiple systems at play. The financial institutions, so the banks that we use, if I'm sending money to Sam in the States, for example, I bribe him regularly. I'm gonna go to my bank, and that's kind of my anchor points. I'm dealing with them. They're gonna also know that it's actually me, and they have dovetailed into the government-issued identity ecosystem at some point in time. This is the KYC Know Your Customer approach, where they've already checked my identity. They may, depending on how much money I'm sending, Sam, he's quite expensive to bribe, by the way. Sam and I have, we tease each other all the time, by the way. She's not that expensive at all. The bank already knows who I am. I've already been onboarded to this, but if I'm doing a large transaction, they may say, hey, listen, I need to check your identity. I need to check more information in the government ecosystem again. They've done that and said, okay, cool. Recipient Bank is gonna do the same thing with Sam. But then we also have to talk to this international system that says, oh yeah, and by the way, here's how we move money. Because it's Canada, U.S., I would probably use the ACH American system, which I'm already tapped into, but if I need to use Swift, SIPA, God knows how many other payment systems, crypto. I'm gonna touch into it. All of these ecosystems have different rules, different arrangements, and different, they're different things. What is required for a financial institution to exist in a country is similar country to country, but different. We have different rules. There's a reason the Canadian banks didn't collapse in 2008, because we have a different approach to banking, not as aggressive. And fundamentally, we're just different beasts. My point here is that simple example is at least five ecosystems. Reality is, it's far more than that. There are AML ecosystems, there's other ecosystems that play here, but if we realize we operate in many ecosystems, trust will just become absolutely mission-critical important. How are we doing on time? I wanted to do a quick time check, Shar. Do we have time to talk a little bit about interoperability, or should we just jump straight to questions? It looks like there would be time. We've got 19 minutes, but it might be good to see if people have questions now, and then there probably will be time for interoperability as well. Great idea. Any thoughts, questions, comments? Sam, you wanna justify the bribes? I was gonna make, I haven't gotten any payments on the bribes originally, Joe, but... I didn't say it was good for it, man. Usually Daryl and I bantered IW, but he wasn't that IW, so we've got to place it somewhere else. I miss you too, man. Any thoughts, questions? Go ahead, Shar. Okay, one of the first things you said was, talked about how the term wallet is overloaded or not well-defined. Can you talk about how you have dealt with that problem? Well, I mean, part of the, let me just jump, I'll show you a slide I have as backup here. What the wallet report did was kind of defined, hey, here's what we're talking about at least as capabilities, and a lot of that has actually, we've seen things break out nicely. In the, you know, a wallet was doing so many different things. This, whoops, this being the long laundry list of capabilities that, you know, wallets were kind of being hand-waved at. That's what the reason we created the report. All of these things have kind of been either handled or at least understood more on a deep enough level that we have a better idea. I don't think we still have a very crisp definition when somebody in the IW community, for example, says wallet, what they mean? Is it, some people are deeply down in the know it's just simply the library that's doing the storage and the crypto, everything else, messaging, nope, not a wallet problem. So we're still not there, but at least we know how to talk about them now. Does that help, Shar? Yeah, yeah, thank you. No problem. So Daryl, you had a diagram, the first one where you showed a trust registry on it, will you zoom back to that? I have a question. Zoom back, that was unintentionally funny. Yeah, we all get to define what funny is, my friend. Oh! So, and then go forward, you had some lines that showed up with the trust registry, you didn't actually draw a direct relationship between the governance authority and the trust registry here. Was that just an accident on the diagram or is there meaning there? Yep, actually, at this point, when I clicked, I went, damn, yeah. So the governance authority is operating, or somebody under the government in the ecosystem is operating the trust registry. So it's definitely, yeah, there's definitely a missing graphic. I'm just trying to keep you honest, Daryl. Well, it's actually, it's kind of good because I made a note in my head to do it, but I know I would forget, but I will fix that for you. Any other questions or should I do a little bit of a rant on interoperability? Interoperant. Okay, not that I'm not foreshadowing or anything. Let me just share. Okay, so we did our time check on interoperability. I don't have a lot of good news. I'm a big believer that anybody who says we have interoperability does not know what they're talking about. They've not defined interoperability. We may have portions of our systems that are interoperable that we can prove, yes, technically, I can send you a credential from this thing, but there's missing information that is ecosystem specific that is not being considered and we're never gonna get to real interoperability until we deal with that. So if I look at the market, this is what was called a wordly map. Wordly map talks about a few kind of different things. Most important is where are we really as far as in our evolution as an industry? When I look at the overall trust layer, sharing credentials, that kind of thing of where are we? We're just a little bit past this thing called Genesis. I mean, the idea came out, what? 2016, 17, 2018, 2017, I think. We've now moved into everything is custom built. There's very few things I can say, I can just go and buy a product and it is exactly equivalent, much like a CRM, for example, customer relationship management. They're all different, but they do the same thing. Depending on what I'm doing, I can look at various different providers and I am not gonna name them because I think they're doing a great job, but they're still different enough that I consider them to be custom, especially when we get into the ecosystem level. Meaning I could take a product that's allowed me to issue, a credential allows me to verify a credential, but when I put it into my ecosystem, I'm all the way back at custom. That pattern has not been figured out. Wordly also goes through another few things that talks about where are we on this chart. So I already showed you to where we are. The first chart is what I just showed you. I need to move this over a little bit more into custom built, but where nowhere near this key thing he points out here is standardization. The doing a standard, creating a standard when you haven't figured out what the product really is. When I say a product, what it is that the businesses need is kinda, it's too early. It's too early to do this. We're still at this stage here on the S curve, which very, very, very early. Standardizing you do it much closer to, the end of the product cycle when I want to truly become commodity and utility, which is way up here on the S curve of adoption. Arguably I'd say we're still really early on the SSI digital trust ecosystem adoption level. The problem we have done as we tried to standardize even earlier, the fights we get into and then the results are, we have what, seven, eight, nine, 17, different credential formats. Great, I don't really care anymore because they all, between them all, I can figure out which one I would want to use for a particular business case, but we don't have interoperability. Interoperability requires conformance, which requires more than just a specification, but here's where we are today. We have multiple stacks out there. We have specifications and the stacks implement a spec. As an example, DidCom is a spec, which came later. By the way, it came later in the stage, which is why DidCom 2, DidCom 2.1 is quite solid and we can start to really, I think it's actually worth standardizing fully and worth setting up conformance, which I'll get to in a second because we've done the hard work of getting past the genesis and custom phase, it's almost a product now. We'd know roughly what these things are. Hyperledgeraries, for example, implements, DidCom. This is a dated slide that I took. I don't know if this is true anymore. I don't even know, wacky pecs exists anymore or if it's been renamed, but my understanding was and it could be wrong on this that hyperledgeraries also did that thing, which is kinda cool because it means that we're looking at things in different ways. We're looking at the, what's the interaction of sharing a generic arbitrary credential? Within another party. I have different ways of doing that. That's really powerful. That means we're getting closer to the product stage on a wordly map, which means we should be considering standardization at that point. Problem is we jumped ahead. I don't know if hyperledgeraries has done the OID for VC for VP and I've seen VE. I don't know what that one is. I don't think it has, maybe it has. I could be wrong. I don't particularly care for this point in this discussion. I mean, I care just not that much because the problem we've got is in order to be conformant and to get real provable interoperability, you need a conformance suite, which reinforces the spec and they reinforce each other because as a spec is ambiguous, conformance will fail and you'll have bunfights over. Well, what went wrong? It was him. It was that vendor knows this. The spec is unclear, which if you go through the W3C VC spec and I can pick any number of flavors and say I am compliant, you are not and you can say exactly the same thing and both of us are right and we're both wrong because the specification is too loose, which means a conform, proving conformance is effectively impossible but these two are a loop. They reinforce each other and it's really powerful. I've been involved in multiple industries breaking this pattern. Biggest one being Geospatial, which went from unbelievably expensive imagery, for example, if you're going to someone's cottage, you can go and zoom in on Google Maps for free. To get an overhead picture of that used to be thousands of dollars, it's now utterly free because conformance is one of the reasons. Here's the key thing about it, is that a stack really needs to prove compliance to the conformance suite. And this has been, I would say largely no, it's been skipped because the industry has been focused on the technical side of what interoperability is and even that is not a great job but I would look at the Aries Test Harness as a good example of the beginnings of a conformance suite. Here's where I'm looking at conformance that layers, for using the model that we have right now, at every layer, I actually would say on the trust tasks, more trust task level, I can do some basic conformance suites to say, hey, listen, I got a Hyperlegger Aries Test Harness, I have a Test Harness over here, I could actually run against and this is actually happening in the Aries community to a certain level. It has not reached what I would call conformance suite level but it is beginning to prove conformance. That's at one layer. Each layer really needs to prove it to itself. When you look at how network test harnesses were done to prove that Ethernet was working back in that four-layer model, is my Ethernet cards from different vendors, are they working, that was done. The IP layer had its own testing, TCP IP has its own testing, just at that layer, okay? Where we're really missing the part, we're starting to make progress on the layer, is that for real interoperability, it's ecosystem level because only the ecosystems have the context, content and the semantics specifically and the answer is not JSON-LD. They're only answer where I can say truly that this pharmaceutical product sheet is compliant with the pharmaceutical product sheet spec. You could have an oil and gas product sheet spec that is utterly different and they're correct in oil and gas realm because conformance is an ecosystem concept. So we have to do the work at that level. So what do we do? We need to be really pragmatic about these standards in interop because they're destinations, we are not there and there was a heck of a journey ahead of us. We need to make sure we're doing it right. Anyone who's been trying to do this, I believe the standards in interop folks, best of intentions, great awesome people. They're trying to control something they can't. The best they can hope for is to influence. My mantra for well over a decade now is control only what you must influence the rest. There's a reason for that. It hurts, it control is unbelievably expensive. A lot of things you simply cannot get to with control ecosystems are one place where you cannot control. There are no control points in an ecosystem. There is only influence, maybe very strong but the ecosystem itself might exert control but you can't. I would recommend still participating in these standards and specs but work with real solutions that understand what standardization interop really means. And don't depend on it yet, you can't. It is not there. Anyone who tells you this system is interoperable is not lying to you because they have a perspective of which they are correct but it's not sufficient to build an ecosystem. It's not sufficient to build any system of any real scale in my opinion. Whoops, I lost my screen. That is it for me. Any thoughts, questions, especially on the rant on interoperability? Oh yeah, I had a, this has actually come up, it came up in a session at IOW in terms of testing where activity pubs sounds a bit Wild West and Aries and OpenID have some good, have the good test. I agree with Aries, test harness is probably the best example of testing for interoperability. And now in Cary, we're having the same question about conformance test suites for, there's a standard and there's implementations and then the implementation is always like some percentage of the standard, right? So, yeah, Charles, one thing I didn't mention here is there's really two patterns that happen. So if you look at this diagram here, which is not huge, but it's sufficient I think to discuss. So we look at trust tasks and trust spanning. This is where both Cary and Hyperledger Aries play. They kind of blend the two right now, okay? We're working to separate those two but imagine them at a trust task layer. I can say, hey, RFCs X, Y and Z, we are compliant, cool. That lets me say, okay, I can share information between disparate systems and be compliant. What must happen though above that is that says, okay, great, you can do generic credentials and see that that generic credential came across, hasn't been changed, works in a different format, beautiful. But if I don't define and refine and limit what I'm doing at the ecosystem level, say, hey, listen, this is a pharmaceutical bill of lading, okay? What does that mean? What I'm doing is refining and limiting the conformance criteria. I'm giving the input to the Aries test harness, for example. It says, here are the three credential types I care about in this ecosystem. This is exactly what I expect. Here's the information. Here's my starting information for a test. You go and do your thing. I'm gonna go compare it later and say, great job. You did it, except you failed on this one particular subtest. Without the ecosystem driving, which is refining and limiting the conformance, you can't answer the question, are you conforming? Does that help, Charles? Oh, yeah, totally. I mean, that definitely seems like the hard problem because that's where it gets fuzzier, right? It's, as those who know me, I'm a very passionate person. It is hard. It is not as hard as you think. It is brutal hard to say at layer three here, we are conformant if you don't have the inputs from layer four because it's the equivalent of me saying to you, dig me a hole. You're gonna, where? How deep, why long? Do I have a shovel? Do I have a backhoe? You can't answer the question because you don't know what I'm talking about. That's why it's so hard to wrap our heads around. If you said to me, hey, listen, we're doing an oil and gas. We have three different things we're worried about right now in that we're gonna get sued if we don't do this. We could nail that to the wall relatively quickly. Does that help, Charles? Oh, definitely. I agree. I'm just, you know, those kind of, those conformance criteria they'll move around a lot more, right? Because they're organic and dynamic social networks, whereas technical things are easy to go, oh, you know, I can do DEADCOM, X, Y, and Z, you know. So let me throw this at you then. If I was to say, hey, I need you to comply with conformance with the pharmaceutical bill of lading conformance version one, your technical problem just got a lot easier because I can revise my conformance criteria. But usually though, the way they arrived at that came from some dynamic process, right? Like the MasterCard, like I have credit for experience. So the MasterCard arbitration rules are organically developed over- There's a reason they're there for years, right? Yeah, yeah. Something bad happened and people were like, okay, we had some fuzziness here. We need to get concrete and revised and go up a level. Yeah, and there's still a lot of fuzziness even after all that. But yeah, I got you. Yep. Lynn, you've got a question, sir. Yeah, so I got the impression from what you were saying that we shouldn't even be talking about standardization right now. And I feel like that there is some value in discussing standards early and getting together as communities to talk about the general direction to head in. And maybe you could clarify that for me a little bit because it really sounded like you were saying, forget about standardization. We're not even at that point yet. But it's... Yeah, no, this is thank you for that. Because again, I come across passionate and very binary and know it's everything is a continuum. There's a reason I named my company Continuum Loop. One, everything's on continuum and things repeat. That's why we named it. The fact that the community started out with the right collaborative approach that said, we're gonna have different ways that we need to figure this out because interop is a horrible thing to bolt on later is a massive benefit. But we're kidding ourselves if we think that that's the way that things happen. So it's this blend of, have we gone too far to standardize it before we really understood the domain? Yes, I would say we have. Do we want to simply do implementation and forget? No, not at all. Not at all. It's that interplay that says, okay, cool. What are the pieces? Because if you looked at the initial SSI role was very valuable credentials. Great, here it is. Here's how it's formatted and I could have, okay, two different slight formats. Perfect. We understood what those two were, JSON-LD and non-crets. Great. What we realized is, okay, we define the credentials but by the way, Darryl, if you want to put them in your wallet you can't touch them. You can't open your wallet. I can't ask for them and you can't ask me for my credential because we never thought about the interactions. The interactions weren't standardized. So we started to decompose things into one what's the payload? Now we're into the what's the protocol how I'm going to exchange that type of thing. So definitely there's this interplay. My thesis is if we don't start doing this at the ecosystem level the rest of it is wasting our time now. We have sufficient interoperability building blocks in place that we can actually start doing real interop at the ecosystem level which will then cause a refinement cycle at the lower levels. If that makes sense, Lynn. Yep, that makes more sense now. Thanks, Darryl. Appreciate your... Well, no, I didn't thank you for the question because again I do come across as way too binary. Any other thoughts? Looks like we're just about at time but if anybody else has questions or thoughts they wanted to bring up in the next couple of minutes that would be a good time. I also wanted to... If you need to get a hold of me one you can probably find me. I just realized my email is not on there but I will put it in and on the screen. I'll add that to the Wiki page. Perfect. So great. Well, thank you so much Darryl for a great presentation and great discussion and thanks everyone for joining and sharing your working group status updates and we'll see you all in two weeks. Awesome. Thank you so much. Thanks, folks. Thank you. Bye. Bye.