Lessons from the Internet Identity Workshop 2020

Shedding old narratives and building new ones for decentralized identity

This year at #IIW30, Spherity participated in many sessions ironing out narratives about the near future of the market and its stacks. We showcased our secure Indy wallet co-developed with Swisscom Blockchain, while many sessions circled back to the urgency of interoperability, testing suites, co-development, governance, and security as the most urgent priorities to push our market to maturity and our stacks towards convergence.

Spherity , proud attendant and presenter at the 30th Internet Identity Workshop, 2020

Introduction: Increased Demand for Education

For those less familiar, the Internet Identity Workshop is a biannual conference as old as the concept of decentralized identity, founded by researcher and community-builder Kaliya Young, consumer advocate and journalist Doc Searls, and founder of the Sovrin Foundation, Phil Windley. Twice a year, most of North America’s and a substantial amount of the rest of the world’s decentralized identity companies come together and compare notes, openly discussing one another’s recent technical developments and business strategies. Historically, this took place at the Computer History Museum in Mountain View, California, but IIW30 was the first (and hopefully not the last) iteration to take place entirely online thanks to an innovative partnership with collaboration startup Qiqochat. At this particular meeting of the conference, there were a few less representatives of large US tech conglomerates and banks, and more first-time attendees (particularly from Germany!).

Seeing the market, and the community, through the eyes of recent arrivals can be very helpful for grounding you, particularly if you are deep in the weeds of both. For this reason, when tapped last-minute to take over for my former boss and co-author Heather Vescent the role of co-presenting with Transmute CEO Karyl Fowler the “laypersons’ introduction” session (an IIW tradition), I jumped on the opportunity. Preparing the slide deck with Karyl, we divided the labor between my presenting decentralized identity qua “movement” (values and boundaries) and Karyl presenting decentralized identity qua “technology” (including business models and use cases). It was a great session: answering the audience’s questions afterwards did at least as much for my understanding of IIW than theirs, if not more.

As a longtime educator and college professor, I put the most effort into the curation of the “Knowledge bases & Education” slide. Many participants (most of them German!) asked for exactly this kind of curation, preferably in an ongoing rather than retrospective format, in a session called by Kaliya Young and fellow US-based researcher Infominer about educational resources and knowledge bases. In fact, Kaliya Young called multiple sessions: one to gather requirements for an industry-wide knowledge base or news site, another to discuss the blogging & #indieweb landscape now that content creators are fleeing Medium’s new business model, and a third to position her most recent book, which analyzes decentralized identity thinking and traditional identity thinking from a social-system point of view. That this IIW skewed so heavily towards decentralized identity technologies (and that so many first-timers came specifically to learn about them) underscores that there is real traction in the broader IT community, and thus an urgent need for non-competitive and industry-wide educational efforts.

In particular, newcomers need more than just the current technological options mapped out for them: harder to teach are the open source, co-development, and open standards processes by which future technologies are being developed. Indeed, if ours is truly going to be a market driven by open standards, it will move much faster the more of these technologies are co-developed, in dialogues between competitors and across markets.

Having recently participated in conversations between the DIF and various ad hoc Covid coordination activities to map the interactions and boundaries of decentralized identity communities, standards bodies, and market roles, I was sympathetic to the newcomers’ confusion at how many overlapping authorities and discussion forums exist without a clear division of labor between them. Rouven Heck, in his capacity as executive director of the DIF, even held a session (building on work started at a previous IIW session) refining the outcomes of that earlier Covid-specific meeting and gathering feedback from further afield in the community towards clarifying this division of labor in publishable, uncontroversial ways. In the coming weeks, I am optimistic that Rouven’s research can be formalized a bit in public-facing materials that can solidify DIF’s role as an industry association and as a switchboard for the rest of the community going forward.

Blockchains, Wallets and Markets

In an earlier stage of the evolution of decentralized identity as a market, it was common practice to ask of each company or project, “on which blockchain does it depend?” Today, as competition between blockchains is viewed more and more as a vendor lock-in strategy and a way of forcing all shareholders to peg their budgets to a kind pooled-resource infrastructure, this is increasingly going the way of the dinosaur. SSI systems, like blockchains, are increasingly asked to be flexible and not to lock in customers and clients (or their customers and clients) into this kind of dependency; we are evolving to the stage of maturity and autonomy that blockchains are less the focus than architectures and wallets: this will be the pitch on which companies compete to define and defend niches.

In this spirit, most of the live and/or video-based demonstrations were wallets. Highlights included:

• We demonstrated cross-issuance and DIDComm-style request-presentation-verification flows for exchange verified credentials between our Indy wallet and that of Swisscom Blockchain.
• New York-based StreetCred ID and Frankfurt-based eSatus displayed their consumer-friendly edge-wallets, both built in .NET in native compliance with the Hyperledger Aries framework and focusing more on interoperable credentials and on authentication respectively. StreetCred also led workshops on “connectionless” (in the Aries sense) credentials, and an 5-minute proofs of concept on Sovrin.
• Transmute offered a live demonstration of their browser-based, non-DIDComm credential exchange flow, as well as their open-source work on encrypted data vaults (which is now entering early stages of DIF-hosted co-development)
• ConsenSys Identity demonstrated their new WalletConnect capability to quickly deploy SSI functionality for any ethereum-based currency wallet.
• SF/China-based newcomers ArcBlock showcased a developer-friendly SDK for building wallets on their native blockchain.
• California-based JLinc showed their “data exchange” wallet, which abstracts out any blockchain dependencies and focuses on user experience and consent management
• Decentralization hardliners Wireline showed their decentralized alternative to google documents, which will soon be accessible via verified-credential access tokens, thus lending itself nicely to integration with dedicated identity wallets.

There were a few panels on security models and attack vectors, but as yet, there was little discussion of how wallets compete in terms of their compatibility with enterprise architectures and with the variously exacting security regimes of specific industries or government use cases. (Mike Lodder’s panel on malware was a welcome exception to this general rule). To the untrained eye, this could be mistaken for an indicator that wallets competing on security are a ways off on the horizon; more seasoned businessmen would probably interpret this instead as the quiet before the storm.

Governance Matters: Sovrin & Beyond

A number of topics spanned multiple sessions, including a few I’ll mention below in the “Technology” section. The most prevalent theme across the whole conference, however, was governance, outnumbering the usual topics like design innovations, usability, adoption, and bootstrapping. In particular, many well-attended sessions addressed the present and near future of the Sovrin Foundation, which had published something of a “cliffhanger” on its blog a month prior. The short answer is that the token launch will be pushed back as far as needed to safeguard the two core missions of the Foundation: supporting the network of projects currently using Sovrin’s technology, and promoting the educational work and open-source utility of those projects to outside shareholders. As Spherity counts among those projects and supports that network, it was reassuring to hear the Sovrin Network’s work and timeline will not be much affected by this change of strategy at the Foundation level.

Across the many sessions addressing topics related to the Sovrin Foundation, the Sovrin Network, and various ongoing non-profit and social-good projects built on them one common theme emerged. All bore a notable emphasis on governance, For instance, in many Covid-19 sessions and sessions about government projects, everyone agreed that privacy technology and trust technology was meaningless when launched into the marketplace by itself. Instead, in all these sessions people agreed there was great utility in the prior establishment of so-called “trust frameworks,” legal structures spanning private contracts, government policies, and regulators. These have long been a trademark of Sovrin’s work in the financial sector with CU Ledger, and with the Canadian government (starting from British Columbia’s Govbook project and then spreading to various other provincial-scale experiments).

Together with its government interlocutors, including the broad foundation of stakeholders that forged the Pan-Canadian Trust Framework, Sovrin has been a huge influence on many consortia of regulators, private-sector players, and government working together to build infrastructure. Indeed, the European Commission’s ESSIF project has been very influenced by Sovrin’s thought leadership and example, as have Finland’s Findy project and Germany’s own LISSI. The Trust-over-IP Foundation (ToIP), which was officially announced yesterday, looks to continue this legacy into the future, taking an innovative new role within the Linux Foundation to focus exclusively on guidance for what Drummond Reed calls the “governance stack.” Central to the planned architecture of Hyperledger Aries, these real-world hooks might some day be supported by specifications and reference implementations as sophisticated as those that support decentralized identity’s technology stack.

Of course, while IIW has historically been an important meeting ground for the Sovrin community and many outside of it who look to them for guidance, other governance bodies also present twice yearly on their own work. Some representatives of the primarily European MyData community (whose September conference in Berlin was cancelled rather than going entirely online!) presented their new “Operator” whitepaper. This innovative system for pooling consent, grounded in GDPR and some of Europe’s more hardline thinking on consumer and citizen data rights, offers a mechanism for pooling data (and consent) in a community-based way that bears many similarities to a data union. Somewhere in between these two lies the similarly rights-focused and communitiarian Me2B Alliance, which is building a certification practice for smaller and more human-centric technologies.

Working more in the international aid sector, ID2020 launched the first two “graduates” of its certification program (ensuring identity projects have appropriate ethical guardrails); one of the two recipients, Kiva, held sessions on their research into ethical usage of biometrics. Lastly, the US Department of Homeland Security’s Silicon Valley Innovation Project held sessions on the interoperability requirement they impose on all grant recipients, explaining how they were structured and designed to preserve competition while accelerating innovation. These testing suites complement and build on those already developed in the older interoperability project of the DIF, with lots of the heavy lifting done by the same companies.

Technology: Towards a well-rounded market

One noteworthy development on the technology side was the announcement by New Zealand’s Mattr Global that they’d been exploring a elliptical curve previously only used in the Anoncreds2 library of the Aries Framework. Their work explored porting this previously Ursa-only verifiable presentation system to work with JSON-LD-based credentials, allowing Indy-style “zero knowledge” presentations (like those native to the DIDComm protocol). Not only would this allow other SSI systems to more easily integrate DIDComm messaging, it would also allow many new use cases between SSI systems and across blockchains, allowing systems previously outside of the Aries community to adapt more easily to Aries-centric protocols.

It’s early for any definitive testing and modeling at scale, but the Mattr team even has reason to believe this method of generating verified presentations could deliver anoncreds2 privacy features on highly performant non-Indy systems, after all the other requisite parts have been built out (i.e., alternate systems for supporting rich schemata and immutable credential definitions). If the enthusiasm and volunteerism from across the community translates to work items and open source projects being driven to a timely completion, Hyperledger Indy may have zero-knowledge competition by year’s end. In an “equal and opposite” development, there was also some discussed across some technical panels of the Aries’ community’s progress on bringing JSON-LD credentials and schemata into the Aries specifications, so the convergence and interoperability across the LD/Indy divide is gathering steam on all sides.

Another, related game-changing technological leap forward was the mutually illuminating conversation between the “browser pragmatists” and the “browser skeptics”, as I like to call the advocates of the [erroneously named] Credential Handler API and the advocates of a browser-free DIDComm standard. This strategic divide has historically mapped neatly along sub-communities lines and limited cooperation, leading to a lot of avoidable confusion about the exact mechanics and limitations of both approaches and a lack of exploration of approaches mixing the two. The exercise of both sides racing to give 20minute “101 sessions” about their approach and then working out how the two could be combined lead to a serious of “Aaa-haaa” moments all around. (Spherity’s DIDComm-style browser-based solution to the riddle, co-developed with Swisscom Blockchain, might turn out to be prophetic! We’ll know soon.)

Sam Smith led four sessions on the proposal for a shared ecosystem-wide security infrastructure called KERI, which he had refined since #IIW29 by feedback from Spherity, the attendees of the DID working group meeting in Amsterdam, and other interlocutors. The fourth of these, titled “next steps for KERI,” was attended by representatives of over 10 companies and resulted in a blueprint for a reference implementation to which both Spherity and our long-time collaborators Jolocom will be contributing.

Next Steps and Weak Signals

In the tradition of un-conferences and “open space” facilitation, there is a tradition of gathering the “weak signals,” topics that don’t quite rise to the level of overarching themes, and backlog items that need to be recorded somewhere. A few other minor topics also bear mention, if only to remind myself to call a session about them at the next IIW if I don’t hear anything about them in the half year between now and then.

One important topics that Spherity has been following is SSI for insurance and security use cases: not just reputation systems (for individuals or legal persons), but verified credential-based risk assessments and trust ratings. In a noteworthy session, cryptography researcher Will Abramson and telco/SSI veteran and Sovrin Foundation task force leader Nicky Herman presented on the opportunity space for trustworthiness ratings based on privacy-preserving computations of verified data.

Another well-attended session, provocatively titled “Must we call it ‘Self-Sovereign Identity’? (hopefully not),” brought up the somewhat contentious “branding question” of who “owns” the SSI moniker and who benefits or suffers by its generalization. Surprise guests included identity pioneer Kim Cameron, who spoke to Microsoft’s internal and public preference for the phrase “decentralized identity” over SSI. Cameron himself mentioned that neither term was as accurate as “user-controlled proofs” might be, while Balázs Nemethi of Taqanu pointed out that Gartner had launched “decentralized digital identity” (DDID) into circulation recently. The session ended without anyone being able to gather resounding consensus on the requirements for a new name, much less a new name that sounded better to most in attendance. The conversation inspired a few paragraphs of an essay I self-published elsewhere.

In summary, this was a drastically different IIW from previous ones, not just because it was entirely online. The tenor and the tone of all the discussions were different — the first phase of the decentralized identity market has ended, it seems, and we are entering a new phase, where all the concepts have been proven, and the market for them has been proven. Everyone is gearing up for a different kind of competition, a different form of co-development, and a different model for adoption.

Thanks for reading, and stay sphered! If you’d like to schedule a demo of our wallet, please click here; to receive our newsletter, click here.