Rouven Heck — presentation of uPort and a panel session on identity with Vinay Gupta and Jason Law

Full video and transcript below.

On April 10th, Mattereum hosted the third Internet of Agreements® (IoA) conference at the Google Campus in London. IoA® is a vision for global supply chains and logistics, integrating national laws and regulation with international commerce through the application of technology such as blockchains and smart contracts.

Rouven Heck of uPort, one of the leading self-sovereign identity solutions in the Ethereum ecosystem, talked about uPort’s role within Ethereum accelerator ConsenSys, notable features of uPort’s identity solution for a public blockchain as well as its permissioned ledger interoperability, and how uPort acts as a secure interface with Ethereum smart contracts, with identity recovery mechanisms in the works.

Rouven was then joined by Vinay Gupta of Mattereum and Jason Law of Evernym. The panel discussion focused on the interoperability of self-sovereign identity solutions and fears of a “balkanized identity infrastructure” that could compromise the viability and rollout of self-sovereign identity systems. After highlighting the commonalities between uPort and Evernym in relation to decentralized identifiers (DIDs), Rouven and Jason mentioned how their respective projects are working together to establish DID standards within the W3C Credentials Community Group.

Transcript:

Hi! My name is Rouven, I work for a company called ConsenSys, and I’m also here to talk about self-sovereign identity. I haven’t prepared any slides; I usually start with talking about what’s identity, KYC and all of those things, but given that it’s late afternoon and we talked about this all day, I will skip this.

The focus I want to bring into the conversation is the connection with the smart contract world, and that’s part of what we’re doing. A little bit of background on ConsenSys: we are a company focused on Ethereum as an underlying platform, the Founder of ConsenSys is Joseph Lubin, he’s one of the Co-Founders of Ethereum, and he started building an ecosystem for the Ethereum space, tools and applications around this. The company is only three years old and we now have 700 people. The majority of the people are working on different products, we have about 45 different projects already, from the supply chain to poker platforms to energy platforms, music — everything you can think of around use cases, we do it.

We also do consulting, and that was born because the market had lots of questions, so we do consulting as well, we opened an office here around the corner a few months ago, and we do venture investment into ideas which are in the decentralisation space. But then we noticed that there’s just not enough people who really understand how to write smart contracts, so we started our own academy and started to train people, and we already had hundreds of people going through this training, to understand how to write smart contracts. Because identity is so important for all of these use cases, uPort is one of the early companies born in ConsenSys; the uPort team involves 23 people, and we are building all kinds of things around identity in that space.

The way we think about identity and blockchain is there are two challenges. I think everything we talked about here today was mainly around using a blockchain as a trust anchor to build an identity system, what Evernym and others are doing is building an identity solution using the blockchain. But another very important part is you need some form of identity to interact with blockchains. When you think about it, how do you know who the other person is, if you interact with a smart contract? With Bitcoin it doesn’t matter, because you just have an address and a key and you just transfer Bitcoins from A to B, and it doesn’t really matter who the other person is.

But with a lot of the use cases on these platforms, you need to have an understanding of what kind of smart contract you’re about to sign. So the users need to handle private keys, otherwise there’s no blockchain, if you’re unable to give people private keys, and if people are about to sign something which is really immutable on the blockchain, they better understand what they’re about to sign. I think that’s something which often is a detail we need to figure out, but if people don’t really understand that the smart contract they’re about to sign with a key is transferring a certain asset or making an agreement of any kind… I think that’s a key part to get right. Generally there’s friction to use platforms like Ethereum, so one of the other things we’re working on is to make it end user friendly, to interact with blockchain in general.

I think the most important part, where we come in, is we started as a tool to use Ethereum, and now we want to combine this with real-world trust anchors. What Evernym talked about is getting attestations issued from reliable third parties, combining them and being able to prove them in a reliable form to an Ethereum smart contract, and that’s also our focus.

The use cases, whether it’s Airbnb, Uber, all these use cases require some kind of reputation, you need to know that the other person is actually reliable. We have the eBays and the Ubers and others who manage this by building a reputation and solving this for us, but it’s a really key point in order to make a lot of these use cases really useful. We’re working on a journalist platform within ConsenSys, we are doing a real estate tokenisation platform, OpenLaw is one of the other ones which might be interesting for this group here, where you basically connect smart contracts and legal contracts. All of them require knowledge about your counterparty, because otherwise if it’s just an address, there’s always the risk that someone might give you the wrong address or sign-off on something, and how do you prove that’s actually the right person? This combination is what we focus on.

The other part is many companies now explore private chain integration. Big banks, or any other companies with a supply chain, they often say, “Okay, we have private chains, but ultimately who is controlling the keys?” If you want to have a use case where the end users actually hold the keys and are actually in control of their assets, then you need to make it really user friendly for them to do this, and I think that’s often a problem. What we built is the ability to onboard people onto the uPort identity, and then use this for private chain signatures. At the moment, every company and every bank goes through the process of enrolling users again and again. Imagine that in future you have something which is like your browser, you enrol once, and then you can even use these keys to sign transactions within private chains.

The way we approach this is slightly different than our competitors, we’re going a little bit more bottom-up instead of top-down. We’re not going to governments and big banks to start issuing these attestations; we’re trying to find partners who represent a certain level of trust. We’re focused on the Ethereum market, and in there they basically just need to know that it’s a real person, or that this is not someone coming a thousand times at the same time, so anti-sybil and other things are very simple use cases in the beginning. We’d launched a project in the City of Zug in Switzerland, where they just wanted to experiment with giving people true self-sovereign identity solutions: you create this, there’s nobody else involved other than yourself, you then go to the registration office, they check your passport, and they attest to you that you actually are the person who you claim to be. Then weeks later we noticed lots of projects came to us with “Hey, can we use this as a form of KYC?” Granted it’s not full KYC and I’m not trying to pretend that it is, people here know what KYC is, but at least it’s the first step in a more trustworthy interaction. If you then use it on certain platforms, you can really build some form of reputation with this over time. So we’re really going with the Ethereum market and want to grow with the Ethereum market, rather than immediately getting involved with government and KYC use cases, because I think that’s really hard.

In terms of technical things, at the moment we use the Ethereum blockchain and we use IPFS as the underlying technical solution. Sovrin has a trust framework, its governance model, which has a certain number of stewards to maintain this. At the moment we are using a public blockchain, which has its benefits and weaknesses, having a completely permissionless environment. Because we were designing for a public blockchain from the very beginning, we always tried to minimise the footprint on the blockchain, not only making sure there’s no personal information on the blockchain ever, that’s clear, but also asking where do you really need the blockchain. So I think we have a slightly more simplified approach than some of the competitors, that you have maybe just a handful of identifiers so there is a certain level of correlation possible if you want to, but it makes it way easier for people to actually understand that they might have a legal identity, they might have a gaming identity and maybe others, and it’s up to them to choose this or be completely anonymous. That’s something where we work together with a lot of the partners in the ecosystem, to see what’s the right balance. Interoperability is one of our core objectives.

The other very important part is how do you recover your keys. We’re experimenting with different things, and last year we launched something that’s an identity recovery rather than a key recovery. The main thing we did is we used two smart contracts, one representing an identifier on the blockchain, and the second one was a smart contract which had a certain logic in there, which allowed you to recover, through your social network, not the keys but the access to this identity. How it works is for example the smart contract contains five delegates, and each of them, three out of five or whatever, would need to send a transaction to this smart contract, and then would flip the ownership of this identity to a new private key. That’s just one of these experiments at the moment; there’s some privacy implications, because you can see in the smart contract who the other identities are, but we have some ideas on how to solve it.

The first thing people can see is that we have built a mobile application, but that’s just more or less on the surface. It’s in the App Store, you can download it, you can do this traditional login with Facebook kind of style, you can sign transactions, you can have this private chain, this is already all in there, and lots of other features are coming soon. But our focus at the moment, because we want to make it super easy for applications around us to integrate it, there’s a lot of focus on building libraries, we build services in the background to make it easy for paying gas costs, so the user doesn’t even see that there are keys involved, the user doesn’t see that there’s any Ether paid to create that identity, we stripped all of that away and made it happen in the background. In the future we will likely enable companies, if they want to fund people using their platforms, that these applications can pay the transaction costs for them.

For us, it’s super important to work on open standards, because I think it’s so early stage all of this that we really emphasise a lot of the collaboration here with the community, with W3C and the Decentralised Identity Foundation in the Ethereum space. That was the quick intro, and now we go to Q&A. [applause]

Panel session:

Vinay: There’s so much to talk about on identity, but I wanted to focus on one specific thing, which is identity interoperability. The thing about self-sovereign identity or self-assigned names, however you want to think about it, is theoretically the individual is completely in charge of their stuff. But when you want to use the identity, you need credentials, attestations that somebody else makes that are signed, and in theory these things ought to be property that belong to you, the user, even though they were signed by some third party. My question I wanted to put you guys on the spot about is am I going to be able to take an attested claim from Sovrin-compatible systems to uPort-compatible systems and back again?

Rouven: I think there are multiple components in this whole stack. When you think about it, the first thing you need is an identifier which is cross-blockchain possible. We call it DID, decentralised identifier, which you can register on Ethereum, on the Sovrin chain or whatever; that’s the same language, so that we at least understand who you are.

Vinay: This is essentially a key pair plus some metadata? Is it any more complicated than that?

Jason: A little bit. It’s going to have an identifier, you’ll have some keys, you can have multiple keys, you can have some service endpoints, but it’s a spec that we’ve been working with uPort and others on, to make… It’s the de facto standard right now for decentralised identifiers.

Rouven: The identifier is the first part, and the second thing is then how do you log in or how do you present this. That’s what we call DID Auth, that’s where we’re working on the same thing now. We don’t want to have five more patents on login with Sovrin and uPort and other things; it needs to be hopefully one last thing to replace it. I think that’s something which is easy to standardise, and I think the next level is how do we enable the protocol of the communication, I think that’s where we start.

Vinay: So the hope is that DID is the last name that I need, right?

Jason: Well, you have multiple DIDs… [laughter] But it’s like a phone number though. When you look at your phone, you don’t think of the phone number when you call someone, you see their name, and so who cares what the big, 128-bit number is.

Vinay: Right, here’s your big, scary number. Let’s go back to the pragmatics of interoperability. If we get a set of entities like banks that are willing to sign off on your passport so you could put an image of your passport into your wallet, this kind of stuff, how are we going to make sure that we don’t wind up with 75 different technical standards and the banks just saying, “Sod it,” and winding up with essentially a Microsoft type solution? Because in the long run, if we don’t have a standards-based approach… Google, Microsoft, Oracle, Salesforce, Facebook, SAP, depending on what space you’re in, we might end up in a position where we just wind up with a balkanised identity infrastructure rather than interoperability. What are the chokepoints on ensuring that we wind up with global interoperability, and how do we, as the blockchain community, defend those chokepoints?

Jason: There’s a couple of paths. Rouven mentioned DIDs and DID Auth, that’s a good start. We also have the W3C Verifiable Credentials Working group, which is also a good start, and there’s a number of changes that we’re going to be proposing that will make it easier for people using Sovrin to interop with other people in other ecosystems.

Rouven: I think we’ve now reached, as part of the W3C, the three elements already in terms of the data format; what I think the last missing piece is really how do we communicate between us. We see the W3C as one component. Because of the concern of if we don’t get on the same page, this motivated 50 companies over the last 12 months to come together and form the Decentralised Identity Foundation, where we are both founding members, and we have now not only a bunch of startups who nobody cares about but Accenture, Microsoft, IBM and Intel are the big names in it; everyone except the Facebooks and Googles are interested to build something which could work, so we’re teaming up.

Vinay: The players that don’t have a billion people’s identity on their book are attempting to form something up, so this is the rallying point. Decentralised Identity Foundation is where the action is going to be?

Jason: It’s a meeting place, it’s a starting point, and who knows where it goes from here.

Rouven: There’s a lot of concerns around there’s yet another standards body, but the idea is that that brings us together and we talk about this. If there is another place that is better suited, W3C or IETF or something else… We don’t want to replicate this, we’re happy to give this to someone else, and at some stage I think this will be a group coming together, harmonising our thinking, and then we find the right place to really standardise it, that’s the idea.

Vinay: There is something quite interesting here. Back in the day, IETF standards just applied on the Internet, and now we’re getting into a position where whatever is done in terms of standardising blockchain identity is immediately going to smear across into finance and possibly into governance, particularly in poorer countries. If you have things like land registries which have a substantial blockchain component, the obvious expectation is you’re going to wind up with the same identity used for land registry, voting and commerce.

Jason: There is identity and Identity. Identity is where I get to… It’s really everything that I have about me that I get to control…

Vinay: The philosophical identity rather than the transactional identity.

Jason: Right. The identity is a facet of my identity that I share with you, I share with Rouven, that’s identity, and I could use that identity for land records, but I could also leverage the certificates or credentials I get from my land ownership in other contexts.

Vinay: Right, you use the land as the anchor. One of the companies I’m working with is ImpactPPA, and they have this notion of using smart meters as identity verification devices. Because you know exactly where the smart meter is, if you walk up to the smart meter and bang it with your phone, we now know very certainly where you were and when you were there, and that has all kinds of utility.

I want to go back a minute to this notion of the kind of Identity/identity, philosophical identity/transactional identity. Surely the purpose of capitalism is to have transactional identity completely represent philosophical identity — I’ll just leave that there. [laughter] “Is this handbag really me?” Last thoughts on this before we wrap up and hand the stage to the infamous Ian Grigg, who is responsible for far more of this than he’d ever admit to? What happens in a few years, if it all works? Give me some notion of my day-to-day life changes, if the identity revolution that you’re working on succeeds?

Rouven: I think when we talk about the possibilities, we get very philosophical and very crazy. I think once people have the ability to prove who they are and digitally confirm this, I think it will change so many business processes. It would allow not only that you have way less friction in anything, whether it’s boarding an airplane or whatever it is. I think any agreement you want to do if you have a connection to “This is me,” you can just fundamentally change a lot of the interactions with businesses.

Vinay: So it’s a friction-free future, the paperwork goes away and we get back 5% of our lives.

Rouven: That’s one part, and that’s enabled by an identity, the ability to sign something digitally. The other part I think is really the data ownership and the ability to share selectively, and really create a lot of trust in any interaction, peer to peer or with companies.

Vinay: Got it, so much less buying weird, random stuff off eBay and discovering it’s junk when it arrives. [laughter] Well, that’s a future I can believe in. Ian, are you ready to roll? Gentlemen, thank you very much! [applause]

All materials from the conference: http://internetofagreements.com/identity/
Learn more:
https://www.uport.me/
https://www.mattereum.com/
