It is almost 40 years since the formalization of TCP/IP — fundamental building blocks of the internet. In addition to path-breaking technology, the way different academic institutions, non-profit organizations, governments, corporations came together, to build and manage disparate arms — IETF, W3C, ICANN, etc — of what constitute the internet, has been the one single factor contributing to the success of the Internet.
The global society has evolved from being a diffident user of amusing applications of the internet, to having every thread of its mundane life tightly knit through the Internet. Applications of the Internet, such as e-commerce, communications, social networking, etc have used the same traditional transactional heuristics from the traditional brick-and-mortar economy. However, the trust factors underlying these transactions have several underlying structural problems.
In the past few years, there have been a slew of initiatives such as the W3C’s Decentralized Identifier Charter, Self-Sovereign Identity, etc. While these initiatives are trying to solve the problem of establishing digital trust at scale, there is a need to bring together several different stakeholders in order to establish governance frameworks, technology standards across the industry.
“Trust over IP Foundation” has been created under the aegis of The Linux Foundation, that intends to “define a complete architecture for Internet-scale digital trust that combines both cryptographic trust at the machine layer and human trust at the business, legal, and social layers”. This, IMO, is akin to the TCP/IP formalization effort that was done some 40 years back.
In this post, we explore the reasons for the evolution of Trust over IP, the value proposition of the various initiatives and how it could change the way we deal with the Internet.
- In India, mobile based payments have grown crazily from the past few years. A well known cliche is that even street corner tender coconut vendors, pan-beeda shops accept UPI-based payments across India. However, this has led to increased instances of fraud. A typical fraudulent method involves posing as bank representatives and using social engineering to approve payment requests they would have initiated. There is an implicit trust that is established based on the skilled social behaviour by the fraudster. This flows from the traditional heuristics of social interactions, especially with naive users. The naive user may undergo similar experiences before approaching all transactions with a good amount of scepticism.
- The Internet has brought a very unique and powerful capability — remote working. There are many companies across the world who recruit remotely and get work done remotely. In many a case, most employees wouldn’t have met each other from the time they join, to the time they leave. Both the corporation and the employee, located anywhere in the world establish trust using traditional heuristics — typically exchanging government issued IDs. However, this is where either of players can mount a fraud on the other and there is no good economical way to establish trust between them. Yet.
- Over the past few years, companies have been augmenting or re-engineering existing product lines by using software to dynamically enhance or modify capabilities of the product (popularly called Internet-of-Things). Some examples include Home Entertainment, Appliances, Security products.
Many car makers have also included the ability to update cars capabilities, on-the-air through the internet. However, ensuring total security and privacy of the users is still a challenge that these companies are grappling with.
The Trust over IP project intends to provide end-to-end establishment, verification and maintenance of trust through digital open standard digital credentials and governance frameworks. The Trust-over-IP stack is a four-layer, dual-stack architecture. This stack has the “potential to do for the peer-to-peer exchange of trustworthy digital credentials what the TCP/IP stack did for the peer-to-peer exchange of data packets”. And just like the IETF/W3C, the ToIP foundation aims to bring different stakeholders together to push through standards, governance frameworks, evangelizing the stack.
Layers for establishing machine-to-machine or service-to-service trust (Technical Trust)
Layer 1 — Public Utilities
The W3C’s Decentralized Identifier specification (DID specification) defines the means of ensuring strong crypto and how connections can be set up between machines securely without depending on centralized third party certificate authorities. The specifications define standardizing methods (DID methods) with which one can permanently identify and verify a public key stored on any valid “Utility” or distributed system (e.g. Blockchain, distributed ledgers, decentralized file systems, etc). The governance framework recommends how policies can be drawn under which the “Utility” is implemented and operated.
Layer 2 — DIDComm — P2P Protocol
This layer is akin to the addressing, switching, routing in the Internet Protocol. However, the protocol provides secure, private and authenticated message based communication. More importantly, the trust is rooted in the DIDs and depends on the messages themselves. The security does not depend on any external properties of the transports used. The design also is aimed to support routing and relay messages through untrusted intermediaries. The governance frameworks for this layer tasks the working out policies on privacy, security, and data protection standards against which hardware providers, software providers, and cloud hosting providers can be certified.
Layers which help establish trust in workflows which may require a person’s or entity’s intervention (Human Trust)
Layer 3 — Data Exchange
The Data Exchange protocols provide a way for the issuers, holders, and verifiers to exchange credentials and proofs using credential exchange protocols that run on top of DIDComm (Layer 2). The data exchange in this layer happens where multiple issuers issue credentials to multiple holders which could be presented to multiple verifiers. A credential governance framework that defines what issuers can issue what credentials under what policies to which holders with what levels of assurance. The verifiers can use these policies to make their own trust decisions about relying on a proof from the credential.
Layer 4 — Applications
Several applications that solve some of the trust issues we saw earlier are possible due to the enabling three layers and by implementing their governance frameworks. Applications which can be built on top of the multitude of technical frameworks, toolkits can realise the business requirements easily. This is made possible by the ecosystem governance frameworks which is the most important one amongst the four layers. The ecosystem governance framework provides the contours of the business requirements which has to be realised using the governance frameworks in the other three layers. “This framework specifies the purpose, principles, and policies that apply to all governance authorities and governance frameworks operating within that ecosystem — at all four layers of the ToIP stack”. This can enable a frictionless data exchange between apps and services while providing a consistent user experience of security, privacy, and data protection across the ecosystem.
Though we are in the nascent stages of the realisation of the ToIP stacks, there is a huge surge in the appreciation of the effort and a number of stakeholders are signing up to participate in the foundation. These are exciting times in which we’re seeing the rise of an internet scale digital trust infrastructure which has been a sore gap from the initial days of the Internet.
Image credit: Christian Scheja on Flickr (https://flickr.com/photos/schmollmolch/3388570838/in/photostream/)