 I'll put it in a second. It's going it just takes a minute to go live. I'll put it in a second Perfect. Thank you so much Okay, the live stream link is in the zoom chat now Alrighty If uh, when it hits 1202, I think it'll be time for us to kick this off. So We should be showing puppy pictures right now daniel Daniel and I are Kind of a part of this puppy. Uh, I guess team anyway It's 1202. So why don't we get started? So hi everyone, uh, I'm jeff tenonbaum Daniel yim and I lead the hyper ledger washington dc meetup group I wanted to say thank you for joining our quarterly hyper ledger meetup session And today we are really excited to have with us Heather doll who is the ceo of indigo tech indico tech, excuse me and dr. Chase cunningham who is the chief strategy officer for ericom software As many of you know, zero trust is a topic where we're seeing an increasing level of interest in activity Organizations are looking at strategies where they move from a network perimeter based cyber security approach To a different type of strategy where there is no implicit trust when accessing resources They're also looking at how we solve one of the biggest challenges down the internet today, which is identity Um, some of you may already be familiar with hyper ledger indi project or with sovereign So in today's session, we'll get to learn about both worlds and how they fit together The future of privacy and security Decentralized identity and zero trust and with that I'd like to turn it over to heather and chase Thank you I will kick it off on behalf of chase and myself Um chase. Are you here? I'm here. You see me great. Yep. I can see you. There you are Um, it's really an honor to be here with you today Chase and I have been working on this space for just over 10 years And so we're thrilled that we finally get to be a part of the hyper ledger dc meetup We are both based in the dc area ourselves so Just uh, I'm going to be the professional clicker here On our slide deck for chasing myself but Just a level set about what we're going to talk today is our theme is never trust always verify and Chase and I actually first started our work in the respective areas of the trust and the verify When we work together at new star developing threat intelligence solutions That was back when like eons ago. I feel chase And this is where our paths and lives have taken us But we have always worked together over the past decade On how can we make the internet better and more secure for everyone? So just a level set Zero trust Is rooted in the belief that nothing should be trusted whether it resides inside the network or outside the perimeter always verify Decentralized identity sometimes known as self sovereign identity is a consent based mechanism for using a blockchain enabled Verifiable credentials to prove things about who you are without anyone else managing storing or selling your data So it's privacy and proof of verification What chase and I are going to do today is we're going to kick it off with chase We're going to explore how decentralized identity fits into the application of zero trust Chase and I both here when I talk about decentralized identity I get questions about zero trust and vice versa So we thought coming together to doing this to do this meetup would actually help bring Both models together under one umbrella and one discussion and move this topic forward So what I'll do is set it up here for chase and let me know when to move to the next slide Okay, cool. Yeah, Heather. You just made me feel really old. So thanks We've been at this We started working on this when we were in kindergarten. Yeah, this is uh Thanks. Um, so yeah, what I'm going to cover and I'll be moving quick here because we've only got an hour But I think we got some really good content So I'm going to talk about why we continue to fail in the space around cyber Um, I'm going to point out again, and this is not news anybody the perimeter is dead Like it died COVID COVID did a lot of bad stuff the only good thing COVID did was it effectively eliminated the concept of a secure perimeter So we are all way outside of that. I'm going to give you some concepts on arguments against change like why people fight this Um, we'll talk real quick about why zero trust is what it is Why the cloud is so important and lastly, I'll leave you with one of my References, which is the Mandalorian, right? So this is the way so Follow with me here and we'll be moving relatively quickly Go back one Yep, so everyone in the space in cyber security space always asking about the next attack the next attack What's the next thing? What's post quantum? What's going on in space based in future state malware and whatever in reality? It's the same thing like yes There are different delivery mechanisms that you use to get stuff into an infrastructure and cause compromise Like solar winds which solar winds Honestly was not that different It was basically a further iteration of what already have with risk in norse hydro of using software in the supply chain to cause an exploit But once they got in It's the same thing that's happened a thousand times over like you get in set up your infrastructure removal at early create back doors Use accounts privileges. Da da da da go forward cause bad, you know things and problems It's the same thing if you if you think about it like that we're not really dealing with anything That's that crazy different Next slide I always like to refer everybody to the office. That's one of my favorite shows right solar winds in the picture On the other side if corporate asks you what's different solar winds and where the heck it's not it's kind of the same thing Like it's it's basically the same stuff just slightly packaged differently That's the case if it's always sort of the same thing Then that means the fundamental physics of the problem are being ignored And how do we start to understand that and address with it next slide? That guys continue to say they're coming back Like this is from the guys that were in and use solar winds to cause compromises and said flat out We're coming back and how do they say they're coming back? Why is this a first batch for them? It's because they're preserving access and they're telling you flat out on the underground This is something that we found doing some recon them saying we're coming back because we have more access How do they have more access? What do they use for those? Additional accesses usernames privileges and accounts again not crazy different after they get in This is the same stuff over and over rinse and repeat throughout cyber history If this continues to be the problem Then that means we're ignoring the reality the space in which we operate next slide Andy Ellis who's one of the best CISOs in the business to ask the question I think everybody should really wrap their head around and when we think about what's going on in the space in the future State of where we're going like Heather's talking about the future of this Is it really worried about what's going on right now or should we worry about what's coming in the future? And if it's what's coming in the future, shouldn't we be asking this question of what else is going to be continually showing up in the news? Because we're ignoring the same things over and over and calling it something new like this is a really good question We should be asking what are the fundamental requirements that allow this to continue to propagate next slide It's a really good question You can talk about the cyber kill chain And this is what most people focus on in cyberspace and they say the bad guy always wins All the bad guy needs is one thing to continue to cause compromise etc Oh the bad guy just like the good guys needs continued access to continue to cause compromises like I showed you in that slide prior That's a reality like that's a fundamental flaw in their operating model If you look at the kill chain, which is what everyone references here to kind of ground ourselves in the space It's these things recon weaponized delivery exploit install command and control ex-filtration The reality is we're only in control of a portion of that and the bad guys on the rest if you click You'll see where we have an opportunity to disrupt what they're doing We can't do anything about recon they look outside of our windows and walk down our street All day long. That's how you do recon. They we can't stop it. The internet allows recon We can't stop weaponization. They will find stuff to use to cause a compromise All our solar winds and all 100 other things. We can't stop that We can stop these other things and if you notice we're basically saying the bad guys you got to we'll give you two out of these Seven we own the other five. We can stop delivery. We can stop exploitation. We can stop installation We can stop command and control. We can stop ex-fill. We have the opportunity to disrupt the capability set that the uses to continually access and cause compromises It requires them to have continual access, which is based on what? users identity access Passwords those types of things next slide They have to have access for success the perimeter based model Categorically has failed if you build me a 50 foot wall I will build a 51 foot ladder like it's literally that simple and this has proven itself Time and time again throughout history if you continue to engage in leveraging perimeter as your control plane You are enabling failure and this is not new next slide We've known about this for about a thousand years. Anybody remember the story of troi, right? Remember we used to call them our atrogens. Why did we do that because way back and I I think it was 12 60 bc Was the first time somebody ever slid a piece of infrastructure a piece of malicious code Pass the wall burn things to the ground. I mean, that's exactly what happened. We've known about this for a long long time It's not that we don't understand the problem It's that we aren't addressing the fundamental issues the requirements that will allow us to change the game better for ourselves next slide It's all I mean in reality It's about being Security better for the users better for how we operate in space What we don't want and what causes problems with security technology Is we continue to throw them into the mix and say you have to do these other things You've got to set up a vpn. You've got to have passwords. Well, you have to reset your password every night today Oh on top of that you got to do mfa. Oh on top that you need to make sure your firewall is configured correctly Oh, and well, we need to make sure we have end point running like it just becomes barbed wire wrapped up around the users And who wants to operate in that space? None of us do it's not about having more It's about having the right stuff in the right place to address the right problems with the Technology that will solve the problem and take the power away from the adversary. Next slide Secure perimeter is not an arguable defense like you don't have one anyone that says they do this is what they got They got a high fence You can look through it because it's chain link because that's how you do a recon They can get past it because they'll clip that piece of plastic and walk back in and they'll leave the lock bolted for you But secure perimeter just like we've seen 10,000 times over Is not a referenceable strategy because what do we use to invalidate a perimeter? Access if a user can get past something We've invalidated a perimeter like it's that simple. So that means that we must put the perimeter somewhere else Another thing that people argue about in this space is they talk about being cyber smart Like they're going to make their people better at stopping compromises You can't do that four to six percent of the workforce historically is going to click a link Better what you do you could staple their hands to the desk and people would use their nose to click on a fishing link Like that's the reality of the space in which we operate We can't make people that aren't cyber people Cyber smart all the time every time just to give you an example of how crazy it is to try and think we'll make people better 7% of americans think chocolate milk comes from brown cows If you have grown adults that don't understand that chocolate milk is based on Sugar and cocoa not cows that are brown. You think you're going to train them to stop a fishing exploit? Like that's wrong. We can't do these things and expect the outcome to be any different Next slide You can't continually say we've upgraded our current technology. We've weaponized the firewall We're going to stop the bad guys with this new piece of infrastructure and whatever else It's probably not going to be that much different like it's going to look like this llama with a pkk machine gun on its back Where yeah, it's kind of four-wheel drive Yes, the weaponized But in reality, it's just a sort of frankenstein version of something that might be lethal if used in a very limited sort of engagement Upgrading legacy technology new stuff if it's not applied correctly to the realities of the problem Is just as asinine Lama with a machine gun on its back kind of cool probably sort of dangerous but not necessarily correct Our organizations also say that they don't have enough people They don't have enough people we need more people we need more people. We have a lack of human capital That's wrong We have enough people if we use the right tools to solve the right problems in the right ways Just like this person says I need more stuff. I need more They're using the wrong things You see that they've used everything that they could to take that lug nut off except for an impact wrench I mean if you continue to use the wrong tools to solve the wrong problems Yes, you need more people if you use the right tools an impact wrench One person can remove all six of those lug nuts and you can go on about your day The cloud does not make you inherently more secure We can't move stuff to the cloud and think we're doing anything any better It's just the cloud is someone else's infrastructure and jeff bezos is glad to take your money Because you're putting stuff in the cloud. This is from aws's terms of service 16 to show you They don't care whether or not you're secure in their cloud It says their security requirement for them is of the cloud right compute network storage You are responsible for stuff in the cloud and they don't care if it is or isn't secure So moving stuff to the cloud Fundamentally categorically strategically does not make things any better. It's just you saying Because it's in the cloud not a good way to approach the problem next slide Cyber insurance is not going to make anyone in this space any better any safer any faster any more Realistically defended than it was in the past You ever wrecked your car and had to deal with insurance company Imagine if you wrecked your infrastructure and had to deal with an insurance company paying out that premium Anyone that says that they're better off in the space because of the fundamental issues that they used to drive a decision around cyber insurance Is wrong They should be sitting like Ralph will wig them on the back of the bus and going i'm in danger because all it is Is basically saying i've paid for something that might help me get a response after i've been breached Wouldn't you rather deal with a problem before it becomes a problem? next slide And we all know this like this is not news to us the problems that we face like i talked about back with solar winds and everything else We've seen 10,000 times before we've been warned and it's literally this clear If you hit this sign You're going to hit that bridge and you have a choice you can either smash the gas And hope you bash through that that bridge and get to the other side And maybe your vehicles in some sort of state where i can continue to drive forward or You can say wait, there's a different way to do this I need to approach the problem differently I need to apply strategy and technology in a manner that addresses the realities of the space And make a hard right turn and go around it and actually fix the problem We are all So far outside of the perimeter now that we can't continue to engage in thinking that the old space is going to work Any better it's not you can't live inside of the horde down there and think you're not going to get bit by a zombie It's not going to get better 2021 is not the different 2020 everything still sucks. I mean, we're still here on zoom We're not in a room having a conversation People are not going back to the office everybody likes remote work. BYOD continues to get bigger batter faster What does that mean that means if we don't address the problems correctly? We will have more problems. We have to look at the physics the fundamentally underlying issues That's why there's a movement around zero trust going on That's why you hear it so often It's because it is a big thing that's taking place because people see the value in it and they understand the strategy That can help them enable outcomes, right? 78 percent of organizations globally are moving towards zero trust for security and structure 9 percent of the od 13 percent of financial 14 percent of health care The total addressable market for zt as it stands right now today is about 40 billion dollars That means that there is a valid verifiable market that's in this space The tagline which tether talked about earlier is never trust always verify pretty simple the definition Strategically focused on addressing lateral threat movement within the network by leveraging micro segmentation Granting enforcement based on user context data access controls location application device posture What does that really mean that means you apply very vectored very controlled access controls to individuals to entities within space And you validate and verify that they are who they say they are Before you allow a connection to occur Never trusting always verifying This is not new This has been around for about 12 13 years The first reference you can find to this is all the way back in 2004 with a group called the jericho forum 2010 and john kindervag and analyst at forester before me Talked about what it looked like and how zero trust was strategically focused, etc Password go from there You can see we went from network network network firewall knack to now identity to use to accesses This continues to get more focused around the mechanism with which infrastructure now revolves, which is us the users next slide There are three very basic principles here and this fits very well with digital identities blockchain immutable records verify explicitly Know who you are always using least privilege access and assuming everything is compromised until you prove otherwise You're not coming to my house, right? I like to call this the dating my daughter slide I don't know you therefore you will not get near my daughter period point blank in the story until later on when I can verify that This is okay next slide This is not complicated if it's done correctly. This is how simple it can be This is the way the internet works. It's the way business works today people need access to resources I use o365 for email. Okay, cool How do I do that? I use a device What does that device use to get me to that resource? a network What does that network use to allow that connection to occur? A policy engine some sort of brain that sits there and said this makes sense in the context of that to allow this to occur And it does it at speed and scale with intelligence automation across the entirety of infrastructure with intelligence and automation And the only way that you can do that is with this type of approach Beyond corp is the thing that people reference all the time beyond corp is just google's iteration of zero trust And if you look at what's there, what's the first thing you see identity Context then a rules engine then enforcement The first thing is the user knowing who's doing what where having the ability to control that access that and that's That particular protocol that allows that to occur and making it part of the workflow because it's built around the identity That's what we have to focus on that's where compromises occur. Find me one instance of a machine that's ever been hacked where no human touched it Doesn't happen next slide It's about access. It's about users people on devices using networks to get to resources. You have a policy Control capability in there. Don't call it zero trust. That's fine Do call it something else But the reality of it is this life cycle this chain is how this occurs and as you can control those things back to that earlier Slide I showed you you have five different chances to disrupt exploitation operations Based on the implementation of this particular approach. It's literally that simple You can bring it down and go even further into it, right? So if you said what's the run through that's how it looks an fte me On my domain join device at home on my isp network Going to email on 0365 Nothing is weird. I'm logging from where I'm logging in this time of day The one thing that I do to have an out of band authentication is I do mfa Like that's a zero trust implementation You could add other things into that About the people the users the control space and whatever and continue to make it bigger better faster But ultimately this is what that life cycle looks like And lastly I'll leave you like I said with my man Lawrence like is this is the this is my favorite part of it is This is the way we've tried everything else. We've failed everywhere else We've realized that the reality of the problem mandates a different approach The different approach is a combination Of strategy and vector technology Aligned to solve the realities of the problem for the space in which we operate Like I said with that slide earlier with the sign We have two choices You can either continue to go really really fast and really hard and you're going to hit the bridge and bad things will probably happen or Take a strategic pause Look at how we really deal with the problems and make a hard right turn regardless You can look at all the failure in the past That's what it is The only way to do things different is to change our approach going forward and zero trust combined These types of solutions that heather's talking about is the way and I can tell you flat out From the strategy side of what we're doing at ericom We will be plugging into you and we will be using these types of things for validated verifiable credentials Because we know that it makes a heck of a difference there and I run a node Like I think that this is important that I point important enough that I have helped put up my own time My own effort my own money to run nodes to help this thing go forward So last last thing just remember if you ever question This is the way Heather I think you might be on mute Thank you for catching that um You know it's chase points to identity it comes down to how do you trust? How do you verify the verification is important here? But but how do you do that in a way that protects the privacy of the individual? We all know this new yorker cartoon is the most popular Um cartoon that the new yorker has run and and how do you identify yourself in the digital world? Well, I think a good place to look back to to answer that question is how do you verify yourself in the physical world? And why do we think that valid verification of ourselves offline is stronger than it is online? And that's because we carry around things like drivers licenses passport certificates Notarized documents. We carry them in our wallets our purses We keep them in our safety deposit boxes and we present them at very high value Transactions like buying a home Going to the post office to get at your first passport. But the fact is this isn't what happens online so How do you trust but verify? How do you really know when someone's not a cat? Even though they say they're not a cat And that's what we're going to talk about is how do you do verification in a trusted way? Here's what the digital world is without built-in identity What's happening right now the majority of places digital identities are controlled by large enterprises and social media platforms With that comes an abundance of privacy issues We get um our trustworthy data from third parties, but how can you trust and verify that third party? Ultimately it puts us into this world of complicated integrations I think covet is an example of trying to share data Between one industry to another that normally doesn't communicate with each other How do you provide trust in these interactions? Not only the human trust the trust of legal agreements But also the technical trust that is built in we call it machine learning governance As chase talked about plugins and passwords enough said there It's just not an effective or we wouldn't be having this conversation But then how can you do this in a way that can scale? And it prohibits forgery So let's take a just a two or down the legacy system. We all know about the centralized database approach where everyone goes into one single domain and that one digital authority Decides to be the issuer of your identity And then what you happen since we have here you're everywhere Everywhere, how many times have you entered the same information? And I want to say this is not simply A fill out form right that's not what I'm talking about here verifiable credentials isn't an auto fill tool Because if it were just an auto fill tool You would still have this and you would still have copies of yourself everywhere What decentralized identity is is you very much like you do today is you hold the proof of identity with yourself Like you do with your wallet and you can choose when to Share a credential With a verifier whether that be a school an employer a bank a shop So they can ask you for identity to prove yourself And you get to decide whether you're going to share a credential issued by another entity And you can also share What portions of that credential you want to disclose to that entity for instance Um in an online world to buy alcoholic beverages through A wine shop online. I shouldn't have to share how much I weigh If I were to show my driver's license it would it would do that in this case We employ zero knowledge proof into verifiable credentials. So why does this work? Let's break this down Why does this work in our analog offline length? It's because we have trusted issuers. We've decided We trust the state of maryland for instance to prove our age The shop or in this case if I were going to go um to the grocery store to buy a bottle of wine They trust the state of maryland did the kyc and know exactly how old I am The state of maryland department of motor vehicles don't believe they're in the business of helping people buy alcoholic beverages at the grocery store They're in the business of giving people credentials to drive However, the trust in that credential is why the system works in our analog lives So decentralized identity replicates Just what I talked about And it brings together what we call the trust triangle or you could call it the verification triangle Where you have trust between one entity and another on the issuance of the credential The credential gets issued directly from the issuer to the holder Which can be a person a thing And then that holder decides when and how They are going to share it with the verifier In the system. There's a governance of data. It's scalable. It's available through the hyper ledger open source repositories It's developed with privacy by design It also has built-in compliance by design for those who are implementing it And also allows for data sharing without complicated integrations It allows you to share for instance data from the health care systems with another system That would never have any reason to integrate with health care for instance a concert venue And it can do that with agreements that are Put into the actual digital experience So here's how it's broken down You have the philosophical trust that we have today for instance the shop trusts a credential. It's issued by a bank But that trust just isn't a human to human trust that trust is actually built into the technology With a cryptographic trust So you have a proof of identity a proof of data and then you have a valid You have a presentation of valid data integrity and also provenance So what is a verifiable credential exactly we can hear this turn get thrown around a lot First of all, it's data that's gathered by an entity that has been granted permission By the person that the data is being given to and they have permission to hold it own it verified then The issuer in this case packages that data has gone through their own kyc They cryptographically sign and link this to the issuer as the original source of the credential Then that credential is given to the holder It is accepted by the holder and is now controlled by the holder in a mobile agent or digital wallet When that credential is presented to a verifier a store Your employer a bank another entity that credential can be verified in two ways If the signature and the keys are in order the verifier can be assured that the data is valid And has arrived as it was issued based on the know your customer of the issuer So what you're doing is you're verifying the data source And you're doing that through in this case hyper ledger indie based networks So the verifier why is this privacy the verifier can actually contact the issuer and verify the credential based on the network without a direct Ping or what we call phone home back to the issuer So I can verify this against the hyper ledger indie blockchain But I am not going directly into the issuer's database. In fact, the issuer doesn't even know that the verifier has Verified the credential here using the network This is what it looks like when you break it all down How does a system like this come together and how does it apply to hyper ledger? You're using hyper ledger ursa, which is the cryptography library hyper ledger aries That is the project that's focused on creating the agents and open source quotes So in this case, you need cloud agents mediator agents which helps talk between the devices and the issuer and laptops And then you also have hyper ledger indie and indie is the project that creates the networks and the nodes That make the entire system run. So that's how I just broke down Where are the different hyper ledger projects and how do they apply it directly to decentralized identity? What we have emerging is a network of networks We have networks that have come about over the course of the past year and a half For different purposes and reasons What these networks are all doing is working together so you can have interoperability Where you're going to be able to issue a credential on that one network and verify it on another network So we have at this point six different hyper ledger indie based networks And dco operates a network that is a professionally run network with a main net demo net and test net sovereign runs also a public permissioned main net builder net and demo net Both of the organizations Have international audiences that uses networks. ID union has come out of germany It is also a volunteer community network. We also have fendi, which is out of finland It's a consortium of finished organizations that have come together We have The canadian credential network which should be coming live here and then also the bedrock business utility network Which will be another professionally run network and that one is also pending Going live, but as you can see these networks are beginning to emerge And they all have their own communities involved How do you make A network without the agents on top of it is pretty useless What I like to say is when we started this we created a lot of one-handed handshakes We had a lot of digital wallets where a credential was issued Awesome Now what are you going to do with it? So what we're looking at in the decentralized identity community is creating these full ecosystems Where we're issuing credentials that can be consumed that can be shared and can be verified Which allows trust but very but verify So in in DCO what we have done is we have open source to hyper ledger areas mediator agent We announced a working group for an open source mobile agent. We announced that today That's with the hyper ledger areas working group. And soon we will be open sourcing an enterprise agent Also to hyper ledger communities We offer networks So anyone can use one of the DCO networks in order to test out the agents in the ecosystem You can also go to any of the networks that I showed you earlier to test out your agents In the case of indiceo, this is a worldwide effort. This is not washington or just the united states We have nodes on every continent around We have nodes the light grain ones or those that are in the process of being stood up But what's even more Interesting about this is we have enterprises and communities that have come together from all over the world to solve the same problems Especially now that our coven world has put pressure on our remote work life So our focus on indiceo And why indiceo and why we spend all our time is we are focused on building We have done a few years of philosophical conversation in this space But in indiceo, that's where the rubber hits the road and we have a communities Of doers and builders who are building today who are putting this together Many of those involved in our community are starting by keeping it simple They're creating holder issuers and verifiers in their own ecosystem within their own company Or maybe their own small consortium. They're doing a phased agile approach Where they're going out and building prototypes to prove that the system works to solve one problem And then they're quickly moving into production. And so at indiceo we say Get building today get building now because the tools exist They are open sourced and there are communities that can support and help you whether that's Community like indiceo or any of the other open source decentralized identity communities out there Our advice is just get going And so with that I wrap up my time here talking about decentralized identity I'm going to turn it over to chase to wrap it up and talk about how Decentralized identity can support the zero trust model Yeah, I mean it's it's it's relatively cut and dry to kind of understand what we're getting at there is that It's basically the the principle of never trust always verify has to be applied collectively. I mean I saw somebody talk about the maximization of identity of objects not for individuals etc like What we're trying to do is space where I can verify and validate who you are based on the fact that I I won't say trust because I'm the zero trust guy, but I accept that those are valid Things that I can you know make sure are are realistic and useful And if we do this if we implement it correctly We have an opportunity in the security space specifically To fundamentally change the game no more worries about breaches from bad passwords bad usernames You know stuff that shouldn't cause compromises. This is this is the way to actually have an opportunity to Remove adversary access adversary control and take back some of that initiative So I I've been a big fan of this for a long time Heather and I've been talking about this for like she was saying Like 10 years now, which is terrible But this is where the game starts to change is as this becomes a thing for organizations to adopt What we can do is open it up to any questions that we have here We got one says who determines who are the issuers Um, the issuers any organization become an can become an issuer They would have to develop the issuing agent Do the technology development question is more Should I should I trust the issuer? Right? And so that is something where if you're a verifier And you have a certain level of, um Information that you need Or it's a high value transaction You are probably not going to trust maybe a loyalty card issued by a grocery store because there's lower value trust involved in that credential In this case, you would want to probably You know request a credential that was given by a bank or a trusted institution that has a Department of motor vehicles very much like you do right now I can go in and try to buy a bottle of wine the grocery store Showing a credential or a piece of paper. Maybe that someone wrote that said, oh, yeah She is over a certain age You know, I can trust that but when I pull out my driver's license You will why because that human understands who that issuer is Verifiable credentials and decentralized identity doesn't remove that trust You're going to determine which issuers you are going to accept credentials from because you agree with The kyc that they go through and you agree with the governance that is involved in the issuance of their credential Somebody asked close Verified creds could have stopped solar wind. So let me clarify that Stopping an exploit is pretty much a non Non-issue. I mean, like I said weaponization We can't really stop that however What we can stop is to continue to access the lateral movement the proliferation Shared resources that cause those and that's where validated verified credentials credentials can come into that because You're able to apply those things just like they're talking about right now with the burn down list that microsoft and solar winds Everybody else is using to remove access to remove credentials from that infrastructure So, you know point point being I can never stop an exploit like I even said during my slides right recon and weaponization I can't stop it And technology by its very nature means if I build it someone will find a way to break it However comma what I can do is use technology in the space that will allow me to Limit and remove those things based on a validated verified credential We have a question by our biometrics considered verifiable credentials. Yes, biometrics can be considered verifiable credentials There are a number of projects specifically around biometrics and verifiable credentials Going on in the space. So I would encourage you to take a look at some of those projects to see There's some really interesting things that they're doing Also, that biometrics is being used as a way of offline verification as well. And then there's a question about Can the wallet holding the credentials get stolen? Another one that I get is what if I drop my phone in the pool? What happens? credentials can be stored in digital wallets that are on the device or they can also be stored in digital wallets or Mobile agents cloud agents stored in the cloud. So that allows the backup So if your wall if your phone goes into the pool and never recovers you still have the ability To get your credentials back There is a white paper specifically on this um I That actually is on the evernim library. Um, that is a very good read on this topic Looking here. How are issuers going to get paid? And this is something because this is still Emerging technology. We're still exploring all the different ways of monetization This can be done where issuers get paid to By participating in a network group people buy into the network They can get paid through tokenization of a network issuers may decide that they want to issue credentials because they end up having a cost saving somewhere with other verification Partnerships can be involved But this system does evolve is going to evolve where issuers do Get some type of a renumeration for the effort that they put into the kyc if That is something that they want to do Is it possible to Decertify an issuer you would no longer trust that issuer. You would no longer accept the credentials Someone can have the right to issue credentials But if their credentials that your organization does not trust does not want to accept Then you don't have to accept the verification of it. You go to verify it. It comes from an issuer. You don't trust Into story. You don't accept it Is there a process an appeals process? This is through the governance that you would have and what credentials you accept and don't accept Yes, you would have rules In what credentials you would request And it is up to you just because someone offers you a credential doesn't mean you were forced to accept the credential And then the last question I think we've come to is Any governments in the world currently using blockchain enabled digital identity for its citizens If so, yes, I encourage you to look at the efforts That is going on with bc gov Estonia is one a lot of really forward-thinking pioneering efforts by bc gov. That is the area a lot of projects going on in canada Finland because they are running the fendi network And we also see some countries that are getting ready to Announce digital identity based on verifiable credentials for citizens Also in the next probably three to six months And a lot of those projects are focused around problems that have been created by kovid I think I think we've gotten to the end of the question list Are we seeing any specific use cases on verifiable credentials? What I'll do is talk about some of the credentials I'll start off with bc gov and bc gov is doing business registrations using verifiable credentials But when I talked about the closed ecosystems, what we are doing is we're seeing organizations for instance The the most obvious one is your kovid health status Where an organization is a laboratory or health provider is issuing a credential that gives your kovid test result Someone is holding that and traveling to a venue Or a hospitality and they're providing that Credential is proof of their kovid status so they can enter a nightclub for instance We do see those closed ecosystems emerging as we speak We also see this as far as employee verification if you have Industry where You need to basically contain who is in that bubble We are seeing verifiable credentials being used for health status So you don't have individuals going into those bubbles to infect them Where do I see web apps using decentralized identity? I encourage you to go to organizations like ID ramp like Trensik like Evernam like Cabin or their liquid avatar application Global ID is moved to verifiable credentials. We'll be making that Announcements so there are a number of organizations all these organizations have apps and wallets that you can use and download In your daily life right now I feel like chase i'm i'm getting hit with all the questions here and You're You're getting off three here I'm getting the easy one Yeah, you're answering the important stuff. I mean zt's strategy and whatever But I mean the way that we're you know, we're looking at doing that is is making that part of Part of things I can tell you from um the product that we're launching in april We're looking at integrating the digital id side of the verifiable credential into that whole workflow so that we have Customers that are you know, they want to jump in and not have to do Passwords and resets and all the other crap that we have to deal with and it's just you know You have a valid validated verified set of credentials Do we need and do will control the infrastructure stuff and going about your day like removing the heft Like I said with that barbed wire slide of just do your job You know security is handled because of the way that we've built the system to actually do authentication remove threats those types of of issues Well, where we see the handling of core identity versus an attribute credential like a COVID vaccine as we see organization that are issuing employee Identifications we see organizations issuing a financial institution um identities And those are being used To create an attribute credential the other way that is being used to create an attribute credential like a COVID vaccine Is using existing like a passport and doing passport scans to prove who you are with a biometric um Check against who you are and then issuing a credential like a COVID vaccine and are They doing this using single and multiple wallets. This is a multiple wallet world It's not a one wallet rules the mall type of situations In fact, what we're seeing is organizations have spent a significant amount of time and effort On their mobile applications and their user experience And they don't want to send their customer over to another wallet And then come back into their application And so we're seeing the wallets and agents being built into existing applications But then behind the scenes they're talking to each other There are standalone wallets that are being used and the mobile applications are being developed to talk to those wallets But they're not Sending you between multiple apps or in an app to go to your wallet to come back to your app That's not the type of user experience like global organizations and enterprises want their customers to have I I think I have run at the end of the questions. I just feel like I finished My final exam Heather, I wanted to thank you so so much Both you and chase. Thank you so much and Heather. Also. I wanted to apologize I know I mispronounced in dco before Which is embarrassing, but my please accept my apologies on that No, we we don't care how you say it Just as long as you work towards digital decentralized identity And that's the most important part and and what I say for this particular meetup and Is for chase and I this has been a decade long Journey for both of us and to be here today talking about Something that has matured significantly between zero trust and decentralized identity from where we were 10 years ago When we were looking at it wasn't even called threat intelligence solutions at the time, but realizing Here's the problem with these compromises and breaches that we were working on Trying to solve is it all came down to? Decentralizing and identity and trust and so Working on this concepts of zero trust working on decentralized identity While it may seem like new to some of our audience This has been something that many people have been working towards for over 10 years now now just Again, it's amazing that it's You know, we've seen that because we're starting to see obviously those applications. I'm seeing them around the education space Again around the coveted space Like you mentioned before around health pass and and things of that nature. So We're very excited to see where it goes. We're certainly seeing a lot of interest in the federal space With organizations like dhs and so on taking the leadership role there And certainly I posted a document on NIST around zero trust so looking forward to Seeing where this goes and and more use cases and and more use of decentralized identity And we're also excited To hear what we come up with next What our next topic will be and if folks have ideas or interested in any specific topics as part of our Hyper lecture meetup, we'd love to get those And with that, I'd like to say a big big. Thank you again to above heather and chase and also for everyone joining our call today Daniel anything Yeah, just a quick thing. Uh, yeah I want to echo jeff's jeff's comments here. I want to thank both heather and chase for your time and For for taking this opportunity to share your knowledge with with their members And a lot of good questions came up and a lot of interactive Conversation took place today. So thank you very much We're always looking for interesting topics for For presentation for future events. So if any what if any of you Have any topics or know of someone who is actively Engaged in that space and working on some cool projects Please reach out to either me or jeff or both of us. I've left our contact information In the chat room. So please reach out to us separately. So that's everything I have Um, uh, jeff you have if you don't have anything else we can I think we could go and wrap it up Yep, we'll give folks five minutes back in their day and uh, just uh, Can't wait for spring. So thanks everyone. Thank you. Thanks everyone. Thank you hyper ledger community. Bye