Maximizing Trust and Efficiency: Verifiable Credentials and Decentralized Identity by Char Howland
Exploring Trust in the Digital World with Shar Howland
Welcome to our special guest for this discussion, Shar Howland, who is a software engineer at inDCO and co-moderator of a hyper ledger open source working group. Located in Denver, Colorado, Shar has an academic background in physics, which he has successfully transitioned into software engineering. Today, Shar is going to talk about the important and intricate topic of trust in digital environments, exploring how digital identities can enhance trust and security. So, let's dive straight in.
Establishing Trust Online: The Importance & Challenges
In the year 2022, we live a significant part of our lives in a space laden with trust issues - the internet. With numerous activities such as socializing, banking, shopping, learning, working, and even healthcare, moving online, security and privacy are paramount. Shar points out that despite the convenience of the internet, there are still gaps in verification, privacy, and security that concern average users. The central question is: How can we trust the person, or even the dog, we interact with online?
The Solution: Decentralized Identities
In a bid to enhance the trust and security of our digital interactions, Shar introduces the concept of decentralized identities. Decentralized identity revolves around the idea that each individual controls their own identity information in the same way that they would control their physical wallet.
In terms of enhancing verification, privacy, security, and resilience, decentralized identity offers a viable alternative to centralized systems. With blockchain technology, the secure and private digital equivalent to physical identity documents can be created.
Tackling the Aspects of the Digital Trust Challenge
1. Verification
Shar explains how decentralized identity solves the challenge of verification through the use of verifiable credentials, such as passports, driver’s licenses, or diplomas. With decentralized identity, the cryptographic keys stored on the blockchain confirm that a credential is issued from its claimed source and remains unaltered.
2. Privacy
Then comes privacy — a common concern online. Shar pointed out that verifiable credentials could be adjusted to disclose only the necessary pieces of information. This is known as selective disclosure. Furthermore, zero-knowledge proofs add a layer of privacy by revealing minimum information while verifying if a user meets a given requirement.
3. Security
Security is the third aspect of the challenge. Here, Shar highlighted the paradigm of zero-trust security, which requires everyone to be authenticated, authorized, and continuously validated. Verifiable credentials remove the need for personal accounts, passwords, and logins, thus making the verification process frictionless.
4. Resilience
The final aspect is resilience. Shar mentions that decentralized identifiers and distributed ledgers are resilient systems since they do not have a single point of failure.
Fostering a Trusted Digital Ecosystem
Shar elaborates on how decentralized identity and verifiable credentials can foster a trusted digital ecosystem. This refers to an ecosystem for verifying and sharing high-value information in a trusted manner.
Decentralized Identity in Action: The Cardia Project
To illustrate how this technology is used today, Shar recommends considering the Cardia project. This award-winning project allows travelers to verify their COVID vaccination or test status to the Government Health Representative while protecting their health information and privacy.
Preparing for the Future of Digital Interaction
In preparation for the burgeoning era of interconnected devices and processes, described as the spatial web, Shar posits that digital trust will become more crucial. Decentralized identity positioned at the core of online interactions could enhance the security and privacy of these interactions.
Final Thoughts and Invitation for More Involvement
Shar concludes his insightful presentation by inviting interested individuals to learn more about the technology and even get involved in building it. He also provides contact information for further queries.
With the increasing shift of activities online, Shar’s valuable insights into establishing trust, privacy, and security in the digital world are enormously relevant and timely. His contributions add to the ongoing discourse on making the internet safe, reliable, and user-friendly for all.
Video Transcription
Hello and welcome everyone. Thank you for joining me here today. I'm very excited to be here. My name is Shar Howland and I am a software engineer at in DC O.We are a global leader in building technology for verifying digital information in a privacy preserving way to give a bit of background about myself. I studied physics before moving into software engineering. I co moderate a hyper ledger open source working group and I live in Denver, Colorado.
I'm going to talk to you for about 15 minutes and at the end, I would love to hear any questions or comments that you might have today. I'm going to talk about trust in particular trust on the internet. Trust is fundamental to human community and survival. But by 2022 we live out a lot of our lives in a place with a serious lack of trust, which is the internet. So much of our communication happens online. We do conferences online, we bank and make purchases online. We might do our jobs, school, social media telehealth all online. It is stressful to spend so much time in spaces where we are vulnerable to theft of our information and tracking of our every move. We are forced to sacrifice privacy and security for convenience. This New Yorker cartoon drawn by Peter Steiner was published in 1993 and almost 30 years later, this is still the key problem of the internet that you have no way to verify the person or dog that you are talking to. On the other end, when the internet was created, the small number of original users were all known to each other. And there was not a need for verification. In the same way, billions of users later the trust, the need for trust is still very present and the jury rigged solutions have have serious problems. So there must be a better way to have trust and security in our digital lives.
You should have control over your data and your digital identity. This should not come at the cost of convenience or efficiency or requiring you to spend so much time doing multi factor authentication or memorizing 40 passwords. You should feel a sense of safety, security reassurance being in control on the internet. So we see this digital trust problem in four dimensions. The first is verification. How can you verify who you are talking to? How can you verify that the information you receive actually comes from the source it claims to and that it arrives to you unaltered. The next is privacy. How can you make sure that nobody is listening in listening in on your online interactions. How can you make sure that your data isn't being stored and sold behind your back security? Uh How can you continuously verify digital information as authentic and unaltered in a frictionless way and resilience? How can you make sure that there's no single point of failure and that we are not locked into technologies that aren't future proof? So we will talk about how decentralized identity can solve each of these problems to dive into decentralized identity. We first need to examine our current centralized identity systems. So centralized in this context means that you and many other people's identity information is held by an organization.
So you create a digital identity when you sign up for something like meta, um there are measures for creating trust within this specific domain. Uh But those don't so much extend outside of it. Also meta holds your information. Um your information is in their control and they choose what to do with it. Um If you are not on social media, you probably have an email, this is the same setup. Um Since this is a centralized identity system, your email provider holds all of that personal information and it's not even just that one organization holds your digital identity, you probably have had to sign up for more online accounts than you could ever remember. This means that there are copies of you and your digital information all over the internet all centralized in the control of third parties. So with decentralized identity, you control your own identity information. This is in the same way that you hold your driver's license and your library card and your rewards card to your favorite coffee shop in your physical wallet. They are yours. They're in your control and you choose when to present them. In the previous slide, there were copies of you everywhere. Here you are at the center of all of your interactions. Blockchain technology creates digital uniqueness that allows for the secure private, digital equivalent to physical identity documents. This means that you can reveal certain information when you want to.
But these organizations are not able to store information about you. So I'm going to talk about how decentralized identity solves each aspect of this four dimensional problem of verification, privacy, security, and resilience. So we will start with verification, verification means that information must be able to show definitively that it came from the source it claims to have come from and has not been altered with decentralized identity information is transferred through verifiable credentials. So we'll start with a a credential.
A credential is a passport, driver's license, vaccine card, health test diploma. Anything that proves information about you, these we typically think of as physical documents that we can reasonably trust are unique because of security features like the material or the watermark.
And we have a certain degree of trust based on that when you present a verifiable credential using your mobile device. The cryptographic keys are found on the Blockchain and it is verified that this credential was issued from the source. It claims because only this issuer could have used those cryptographic keys to sign the credential and that this credential is unaltered. Otherwise, this would break the Blockchain. So there are three roles when we are discussing verifiable credentials, the people or organizations who issue credentials like the DMV with the driver's license. Example, this is called an issuer. The holder is the one who holds the credential. So I am the holder when I have my driver's license and then verifier who verify this information, this could be the airport or a concert venue anywhere where you need to prove your identity, your age, any information about yourself. And so when issuers issue credentials to a holder, they put certain cryptographic information on the public ledger. Very importantly, they never put any personal private information on the public ledger. That would obviously be a very serious privacy problem. The information that they do put on the ledger is what allows the verify to cry cryptographically verify that the credential again came from the issue where it claims to unaltered as we mentioned. So the only way in which the issuer and verify interact is through the distributed ledger.
The issuer and verifier have no way of storing, selling, sharing information on the holder behind their back. So the holder can prove exactly what they want to prove without revealing any more information than necessary. This brings us to privacy, we will talk about the privacy enhancing features of verifiable credentials. So, selective disclosure allows for only disclosing certain pieces of information on an identity credential. For example, when you have to present your driver's license to buy an age restricted item, they don't need to be able to see your driver's license number, your eye color, your height, your weight, it is not at all relevant to that interaction. So this is a limitation of a physical identity document. It is all or nothing with verifiable credentials, you can select which attributes in a credential you want to present. And so you don't have to show any irrelevant information. Zero knowledge proof adds another layer of privacy.
It takes this a step further. So in the same example of presenting your driver's license to buy an age restricted item, not only does the verified or not need to be able to see your height or your eye color. They also don't even need to know your age. They only need to know if you meet the age requirement. It's a true false. Yes. No, not a specific value necessary. So, verifiable credentials allow for a verifier to cryptographically verify if you meet a requirement without revealing the actual values in your credential. All they get is the bare minimum. Yes. No, that they need to make a decision and they receive zero knowledge about you. There is an argument that people don't care about privacy or that we are willing to sacrifice privacy and convenience, um or for, for convenience and security.
But perhaps this is because we haven't really had much of a choice. It is also true that enough people do care about privacy that there are laws to make it very costly to violate privacy rights. Um These laws are not going away. And so future proof technology really needs to have privacy at the forefront. The third dimension of the problem is security. The new dominant paradigm for security is called zero trust. Uh This means that you don't trust anything without verification. Uh It is a security framework that requires everyone to be authenticated, authorized and continuously validated. Zero trust is a good framework, but it can't work well unless it's not. Um unless it is frictionless and con and convenient. Nobody has time to spend all day doing multi factor authentication, verifiable credentials, make the continuous verification necessary. Um For zero trust security frictionless because it removes the need for personal accounts, passwords and logins. So currently we must sacrifice efficiency and jump through complicated hoops in order to increase trust and minimize risk or we can choose to skip the hassle. Accept the risk and be vulnerable to theft and tracking. Decentralized identity gives an option where trust and efficiency are not on opposite ends of the spectrum. You don't have to choose between them.
Uh You can have control over your over your identity information and you can have trust because of the distributed ledger while having the convenience of storing and presenting them digitally on your mobile device. The fourth dimension of the problem is resilience. So the centralized paradigm has a single point of failure. If centralized identity systems go down, it's as if somebody shuts off access to the power grid, that actors only need to target one point to bring the whole system down, decentralized identifiers and distributed ledgers mean resilient systems because they are built on decentralized technology.
This does not have a single point of failure. In addition, the foundation of this technology is open source. This means people from all over the world and all sorts of companies are collaborating on this technology and giving a constant reliability testing and constant sustainable innovation.
This also means it's interoperable and easy to integrate with existing systems. It allows for the virtuous cycle in which open source technology innovation helps business innovation and vice versa. And in addition, this means that you are not tied into a proprietary technology that may not evolve to meet the needs of tomorrow or could commit you to expensive upgrades. So we've identified how decentralized identity and verifiable credentials solve the problems of verification, privacy, security and resilience.
And we will now take this a step further and describe the comprehensive solution they create as a trusted digital ecosystem. This refers to an ecosystem for verifying and sharing high value information. So this means that trust extends not only within the system but also outside of the trust triangle. Um This is what creates the ecosystem. There can be trusted interactions between holders, issuers and verifier. Anywhere in the ecosystem, it can scale to involve everyone and covers all parties in the exchange and verification of data. This allows for reusing identity between context. You can take identity information from one institution to another because they are again in your control and do not need a centralized database. So we will now talk about how this technology is actually being used today. The example we will discuss is the Cardia project. I just want to call it that Kla Shatzkin and Heather Dahl gave a gr a great presentation um on this project earlier today. So I hope you were able to join that session. I'll discuss it very briefly here. This award winning technology allows travelers to prove their COVID uh vaccination or test status while protecting their health information and privacy. This again relates to the previous slide connecting different roles across con context. Because health information does not exist in a vacuum.
You don't just need to be able to securely send and receive information to and from one doctor. You probably have multiple providers and you may need to reveal certain information in different contexts such as travel in this case. So on this project in DC O worked with CTA AO which is the uh leading technology provider to the airline industry and the government of the Caribbean island of Aruba to deploy this technology uh with travelers. So Aruba's economy is very dependent on tourism. And as the COVID-19 pandemic started, they had to figure out how to keep residents um safe and comply with health mandates while keeping the local industries alive. They didn't want the costly and risky path of dealing with data privacy and storing health information. And so they turned to verifiable credentials. The Cardia project just won the European identity or an award at the European Identity conference last month, uh which is a great validation of the success of this technology. Um And Ceta donated this project to the Linux Foundation Public Health where it has an active open source developer working group. So just to give a brief overview of this technology, I won't go into too much detail, but you'll recognize this trust triangle. Um Again where the lab technician is the issuer um and he's issuing a COVID credential. So again, they, they put public cryptographic information, no private information on the ledger in order to do this.
Um The, they give the um the credential data to the holder who is the traveler in this interaction, um who is presenting their credential to the government health representative who is the verifier in this case and verifies um that it came unaltered um from this trusted lab technician.
So this allows travelers to use their mobile devices to cryptographically prove vaccine or health status. A simple yes, no. If they're able to enter the island or certain venue without revealing any health care information along with it, they have complete control over their information throughout this interaction.
And in this way, health mandates um can be enforced without compromising anyone's privacy rights to broaden this out from a health care, from a health information management solution. This technology can be applied to information um any information where businesses and people want trusted actionable data.
So right now, this technology is useful in the financial travel and health care, health care industries. But it will also help prepare for the coming technology. Digital trust only becomes more imperative as more of our lives are lived online uh which will accelerate with the rise of the spatial web. This term describes how through the proliferate proliferation of cameras and sensors, uh digital objects will interact with non digital objects.
Um In other words, when there are tiny computers in everything and everything is interconnected, the need for trusted communication will explode. Everything will require an identity and privacy and security. I I'd imagine if you have a Roomba um vacuum robot cleaner, I'd imagine that you don't want any random person to be able to control it. And the risks are far greater when we think about health care devices in our bodies, national security to name a few. So we are at the start of a revolution in how we interact online and we are solving that key problem that the original creators of the internet could not have imagined. So because so much of this technology is open source. This means that if you are interested, you can learn as much as you want about the technology and even get involved in building it. I have linked the information of many working groups here. I moderate the Hyper Ledger Identity implementer working group, which is a great starting place because it is a high level group that keeps track of progress from the majority of the working groups in this space and we would love it if you join us. There are also meet up events um hosted by N DC O and Hyper Ledger as well as custom trainings available. And with that, I will conclude my talk. Uh Thank you so much for listening. Here is my contact information.
Um If you'd like to reach out and uh looks like I have have gone a bit over um the time that I said, but I would love to answer any questions that you might have. So feel free to drop any questions in the chat. All right, I'm not seeing uh any questions. So thank you all for listening and it looks like I'm at time. Um Thank you for listening and thank you to the event organizers and tech support for making this conference possible. And again, please reach out. Um, if you would like to chat about this anymore. Thank you.