#670: A Primer on Self-Sovereign Identity Standards with Kaliya Young

kaliyaKaliya Young (aka Identity Woman) has been working on digital identities for the past 15 years including helping facilitate the twice-a-year Internet Identity Workshop. These workshops lead to the Rebooting the Web of Trust workshops and the Decentralized Identity Foundation, which created a W3C specification on Decentralized Identifiers.

I had a chance to catch up with Young at the Decentralized Web Summit where we talk about the Decentralized Identifiers standards and the history of self-sovereign identity.

LISTEN TO THE VOICES OF VR PODCAST

I previously interviewed VR developer Alberto Elias about his work towards implementing self-sovereign identity for WebXR. He was previously named Holonet, but is now named Simbol. He released an A-Frame component for Self-Sovereign Identity during the Decentralized Web Summit.

I moderated a panel discussion at the Decentralized Web Summit about the cross section of VR and decentralized technologies including Simbol’s Elias, High Fidelity’s Philip Rosedale, Venn Agency’s Sam Chase, JanusVR’s James Baicoianu, and WebXR developer Andrés Cuervo where talked about how self-sovereign identity could used to seamlessly traverse different immersive locations on a decentralized metaverse.

This is a listener-supported podcast through the Voices of VR Patreon.

Music: Fatality

Rough Transcript

[00:00:05.452] Kent Bye: The Voices of VR Podcast. Hello, my name is Kent Bye, and welcome to the Voices of VR Podcast. So on today's podcast, I'm going to be exploring all different dimensions of identity, specifically self-sovereign identity. So self-sovereign identity is this concept that you're going to be able to use the latest technologies of the blockchain and cryptographic technologies in order to own your own identity. Right now, if you go and log on to these different websites, sometimes you'll bypass creating a new username and password and use something like either Twitter or Facebook or Google in order to log into these other different websites that are out there. Well, the problem is, is that you don't necessarily have complete control over that identity and you may lose it. And also there's this callback problem, which wherever you use these third party systems to log into these various different software services, there's an interaction there where you're actually telling these centralized companies what you're doing. Just because they're the controller of your identifier, does that mean that they now all of a sudden get a right to be able to see everything that you're doing on the internet? So self-sovereign identity is trying to resolve this problem. And so there's been these open standards that have been created by the W3C in order to create different ways to verify the identity, the ways to store the identity, ways to people to give you credentials. So at the Decentralized Web Summit, I had a chance to talk to one of the leaders in the field, Clea Young, also known as Identity Woman, who has been running these identity workshops. So Kalia will be walking us through a primer of everything you need to know to get started with self-sovereign identity on today's episode of the Voices of VR podcast. So this interview with Kalia happened on Tuesday, July 21st, 2018 at the Decentralized Web Summit in San Francisco, California. So with that, let's go ahead and dive right in.

[00:01:57.646] Kaliya Young: My name is Kalia Young. I'm also known online by my handle, actually online and in real life as Identity Woman. I've been working on how we can support individuals owning and controlling their own digital identity for about 15 years. So a long, long time.

[00:02:18.420] Kent Bye: How did this begin for you? What was the point at which you decided this was a topic to start looking at 15 years ago?

[00:02:25.098] Kaliya Young: Yeah, so for me it began when I connected up with this network called Planetwork. So it's like the word planet and network mushed together into one word. And they, as a network, started thinking about this topic. They convened a conference in the year 2000 called Global Ecology and Information Technology. And at the time they were one of the few groups putting together the environment and tech. It's very common now, but it was not in the year 2000. Out of that event, they held an 18-month-long community think tank thing, asking this question, what was the missing piece of infrastructure from the Internet to really fully enable it to serve humanity and the planet better? And the answer after that community discernment process was missing user-centric digital identity. and that they wrote a whole paper articulating this case called the Augmented Social Network White Paper, Building Identity and Trust into the Next Generation Internet, calling for open standards to be developed. And they circulated this paper to funders that might be interested, like the Ford Foundation and the Open Society Institutes, and nobody understood what they were talking about. 2003 this was published there was barely like there was like Friendster and like Six Degrees and like they're like there's gonna be social networks and people are gonna need to own their own identities and if we don't build open standards and you don't support their development we're gonna end up with giant corporations owning everybody's identity or governments owning everybody's identity and neither one of those is a good option so you need to figure out how people own and control their identities and they're like what are you talking about? I got it. I was going to these monthly forums that Play Network was hosting where different programmers were sharing their stuff around this time, like even before the paper was published, and I completely understood what they were talking about. It was like, oh, this is critical. If we don't own and control our own digital selves, other people will. And if we do own it, then we can support community self-organizing and connecting. I was never interested in it. just because of the me-ness, like, I will own my own, no, I want my identity so I can go connect up with my neighbor's identity and we can go do something together. But if I don't have autonomy over my own digital self, then I can't join other people who also have autonomous digital selves to go do interesting things. And we maybe, maybe, maybe have figured out the autonomous digital self piece finally. So now I'm really hoping From there, we can go and build some really cool social tools and community organizing tools that really make a difference on the planet.

[00:05:09.718] Kent Bye: Well, I know that back in May of 2017, there was an announcement of the initial Decentralized Identity Foundation and start to really draw out the different W3C specifications for self-sovereign identity and decentralized identity. And now that we actually have a little bit more to maybe a 1.0 version of that spec, and maybe you can recount the last 15 years, like what sort of evolved to this point, this original white paper of saying, hey, we need this open standard. Now there's actually some specifications from the W3C actually drawing out what these standards are. So, like, how did that evolve?

[00:05:44.269] Kaliya Young: Yeah, I mean, that's a great question, and there's many narratives that would get us to now. I think the thing that I focus on when I talk is, like, why we need decentralized identity in terms of what the alternatives are. So one alternative is that I could have a phone number, OK, well, I have had the same phone number for a long time, but if I don't continue to pay rent to the phone company every month, I lose my phone number. So it's not really mine. It's an identifier that I rent. It's not something I own. The same is true with the URL. And many people in sophisticated web folks own their own domain name. And they do, in fact, have that little piece of the internet for themselves. Not every human being on the planet is going to own a domain name, and you have to pay rent every year on it. And it was never designed to really hold a human being's identity. It was more designed and is oriented around hosting a page of information, right? So it's not really an appropriate tool to anchor an individual's identity. Another option that folks tried, and there was many attempts in the last 15 years, to create a human-only namespace. So, like DNS, but for people. these attempts all failed i won't go into where those bodies are buried but let's just say you can find them in the cemetery and it's pretty clear that that's probably not gonna work right okay well where does that leave you Oh, you can be in someone else's namespace. So you can have a name, a handle, an address underneath someone else. You can have a Gmail account, or a Yahoo, or a Microsoft, or have a Twitter handle, a URL in Facebook, a LinkedIn account, et cetera, right? So you can have, but in all of that, You are subject to their terms and conditions and they can terminate you at any time. You have no recourse for your digital self that you might build on those platforms for years and years and years. So one of my taglines is independent advocate for the rights and dignity of our digital selves. And when I talk about this, I'm like, well, what rights do we have? I have a whole bunch of rights about my physical body and what's OK that people could do to me. And I have recourse if I'm harmed. And, you know, if someone chose to terminate my physical body, they would have suffered consequences in our legal system, right, hopefully. So I have a bunch of rights. We don't have that equivalent in the online world. And so it gets to this point of how do we own an identifier that no one can take away from us and that we can prove we're in control of, right? And so that's where the decentralized identifier breakthrough came around sort of figuring out a way to leverage the cryptography that's been around for a long time. Public key encryption isn't new, PKI, like it's been around for a long time, but there was sort of this new interest in it coming from the cryptocurrency world and some new thinking that was like, hey, we could create this really long identifier that would be totally unique to a person that they could generate for themselves. We could post this to a distributed ledger along with the public key. And we could even point at endpoints to a service provider where you could go and ping the endpoints and interact with the individual. And you could make PKI more accessible and usable because now it could be resolvable. So one of the challenges with conventional PKI was that you couldn't really figure out where the endpoints, like, where were the keys and they're in these repositories and do you know if it's been revoked and like it was just complicated and messy and not easy for individuals to kind of manage their own keys or even figure out like is that actually the current key for institution X that I might be communicating with. And it looks like the decentralized identifier standard and some of the work around mesh networks of authority that you could like figure out, like, is that really the province of British Columbia's key or not, are coming together really well, and that we will be able to see working networks of decentralized identifiers.

[00:10:15.939] Kent Bye: Well, what do you see as kind of the first applications of this? Where are we going to start to see self-sovereign identity out in the wild?

[00:10:24.368] Kaliya Young: So the most promising and farthest ahead projects, well, I think one of the places where I believe that you can already do this is there is a protocol that precedes our community's work called Bloxarts that was developed with open source code out of MIT. And that community is folding their work into the verifiable claims work. Oh, so this other piece, like really long numbers that don't mean anything aren't actually really interesting. Like, they're cool, but like, who cares? So with the Decentralized Identifier comes a set of standards about how you issue verifiable credentials to individuals using this infrastructure so that I could create a Decentralized Identifier and... So it's like a human-readable interpretation of a very long cryptographic key? No, no, no, something totally different. So you use the DIDs as infrastructure to send digital version of a certificate you might get on paper like your university degree. So it's like Kalia graduated from UT Austin with a master's degree in identity management and security. Okay, so that's sort of like in some human readable file. And the University of Texas would package it up with some crypto, post the public key it used to sign it with its own private key to send it over to me, and it would send it over to my digital wallet where my credentials live, just like, You know, I have a wallet with cards in it, but this is like virtual cards. So it's like the digital version of my university degree would sit in my wallet. And then when I want to present that to a potential employer and say, yeah, I have this degree from UT Austin. they would go, the verifier, the place I shared it with my potential employer, would go check the ledger and go, does this signature of UT Austin match? Like, have I altered the document and did it really come from them? And I missed a little piece, which is like when UT sends me the document, I have also shared with them my own did. So it's like, they're sending it over to me.

[00:12:36.196] Kent Bye: So you're like combining them in some way?

[00:12:38.647] Kaliya Young: Yeah, and so like, I countersigned the thing that they send and so it's like, it's my credential that they issued to me, and that's obvious to the verifier, my potential employer, but no information about me has never, like, my name isn't on the ledger. The credential they issued isn't on the ledger. It's simply a way to manage the keys and make it solve some of the challenges of like, how you would easily figure, you know, where the claim came from. So it's infrastructure for running this stuff. And it's not what people think. No PII is ever put on a ledger anywhere. In fact, blockchains aren't essential, just immutable data stores that aren't going to vanish. I know folks who are looking at a database called Trillion and replicating that for meeting the needs of this types of systems. And another thing that happens is individuals will create hundreds, if not thousands of their own dids and managing them in their wallet so that We can have different identifiers for all the different contexts that we're interacting with, and in that support non-correlation of ourselves across contexts, we don't want correlated.

[00:13:53.210] Kent Bye: So in terms of metaphors to help understand what the power of these decentralized identities might be, one thing that I think of is like, I have an ID card that is issued by the state of Oregon and has my birth date. So if I want to go into a bar, I can prove my age through this official document. So it's almost like flashing a card in order to get access. And so is that one metaphor that you use or what are some other metaphors that you use to really describe the power of what these are going to be able to enable?

[00:14:23.657] Kaliya Young: Yeah, so you definitely could flash your, like, digital version of your driver's license from the state of Oregon at some point, but you could do even cooler things. Like, you could only present your picture and a checkmark that says you're over 18. Wouldn't that be cool?

[00:14:42.068] Kent Bye: Rather than give up your birthday?

[00:14:43.549] Kaliya Young: Well, yeah, and the bouncer can't, like, write the address down and come and stalk you later if you're, like, a cute girl, right? Like, whatever. that there's possibilities to do things with these digital versions of credentials that you actually can't do with a physical version, like hide attributes that are irrelevant to the particular transaction that you're in. The cool thing about decentralized identifiers and verifiable credentials and putting them together in a way that this community has innovated is specifically preventing the phone home problem. This is a problem that if you haven't hung out in digital identity for a long time, you don't even know exists really. But one of the challenges with digital credentials is if you have your identity provided to you by the state, how can the person that you share the identity information know it's true without calling back to the state, without pinging them in the digital sense of phoning home to check like, hey, Is that person really that person and are they really that age and how do we know? How do we know if we don't talk to the actual digital hub of Oregon to prove it's true? Now this was a really hard problem, right? That how did you create digital credentials that were believable by other parties and issue them to people in such a way that they would be believable? without talking back to the institution that issued them. Because that's a giant privacy hole. Do you really want the state of Oregon to know everywhere you present your license? Probably not. It's none of their freaking business. They are the identity attribute provider for certain things. Like if you were born in the state of Oregon, they issued, or the county you were born in issued you a piece of paper saying you were born there and there are the authoritative source for that attribute. Fine. Okay, but should they therefore for the rest of life be the place that everybody calls back to and says, are they really born in the States? Where do you share your birth date? All over the place. Imagine that whichever county issued that, that everybody was checking back. They'd have a record of everywhere you went. We can't build a digital system like that, but we also have to have that attribute be believed. And so this new infrastructure with this decentralized identifier with the the posting of the public keys of the issuing parties, like the county that you got your birth certificate from or the state of Oregon, the verifier, the relying party, the place you present those credentials and want them to be believed, they can go check the ledger and check the signatures and therefore know that they're true and not have to actually speak in the digital sense with a ping back and ask them. And that's this huge breakthrough that When I saw that they'd figure that problem out, I was like, oh, this is what we've been looking for. It's just been incredibly difficult to figure out how you empower people with attributes about themselves and not have the parties that issued those things or who are authoritative over those things see everywhere you would use them.

[00:17:57.425] Kent Bye: So I know that the decentralized identity foundation, as well as these different standards that have been put forth by the W3C by this working group, there seems to be different component parts of those. Like it's not just one standard, but there's like many different things. So maybe you could paint a picture as to like how you make sense of what each of those component parts are and how they all kind of work together.

[00:18:19.438] Kaliya Young: So you're lucky. I'm probably one of the only people who put it all together. I just finished a report called the Self-Sovereign Identity Industry Report and you can go look it up at SSIScoop.com. But the way we've thought about it in that report is there are three key building blocks. So there is the wallet that the individual stores their private keys in that's paired with potentially a hub or an agent that's in the cloud that does more sophisticated things and like maybe holds more data. It works when an individual's wallet might be offline. So it's like a way to like have an always on sort of anchor for yourself on the internet. And then there you have issuers who issue verifiable credentials and verifiers who receive those credentials. And then you have ledgers or other immutable data stores. So the wallet hub agent for the individual, issuer verifier code for the institutions, and the shared ledger, which is where the dids include a public key and what's posted are lookupable and nobody really owns those, so those are open. And then you have to make all this go, you have the decentralized identifier protocol, or standard, which is like what's in a did document, how is it structured. And then there's different did methods. So there's some competition right now for different folks are deciding different things should be in there. Different rules should apply for how you create, read, update those dids and delete them. So There's different DID methods, and then you have DID-Auth, which is proving that an individual or an institution is in control of a particular DID, so different challenge response protocols for doing that. You have the verifiable credentials standard, which is just the format for what a credential looks like and what's in it, how it's structured. You have verifiable credentials exchange, which is how you exchange those, except there's a challenge that that piece of this was scoped out of the W3C work, so it's not clear where that's going to happen. And you have Decentralized key management systems, different ways that people are proposing that people could distribute their core private keys so that if they lose them, they could be reconstituted or recovered. So that's a really interesting challenge when you don't have a centralized certificate authority that's issuing those out to folks like we do now. And then you have another set of protocols that's emerging around data sharing, which is You have XDI, Jlink, and user-managed access UMA, and many of those use JSON-LD underneath, and also JSON-LD is really critical to both, I think, the verifiable claims. But also in the dids so that's the structure of them Underlying like it's a standard that all that work is built on. So yeah, those are all the you are correct there is more than one standard in play here and there's a lot of work going on to both move all of that work forward and really work to support as much of it as can be in sync being in sync, but at the same time build real products in the real world by real vendors with real customers. So all that's happening.

[00:21:55.267] Kent Bye: If someone was to implement this, would they be implementing one of those component parts, or do you actually need all three in order for an entire system to work? Because you're talking about wallets, and it seems like there's different stakeholders that are here. And who's in charge of architecting and building the system? And if each of the stakeholders are involved in co-creating it, or if it's one centralized entity that's going to do it, or if it's sort of like all these component parts that have to use the open protocol, they're able to talk to each other?

[00:22:23.612] Kaliya Young: I mean, there's lots of, I mean, the great thing about where we're at now, we have a lot of coopetition going on, right? Like both large entities and small entities are in the room building the stuff and shipping products all at the same time.

[00:22:36.518] Kent Bye: It's like a, it's like an open protocol in the sense that everybody can be building their own system, but as long as it uses this open standard, they can all talk to each other.

[00:22:45.752] Kaliya Young: Well, that's hopefully where we'll get there. That's why we keep convening them in places like the Internet Identity Workshop, which I didn't even talk about yet. What's that? So this is the amazing community and event that we've been hosting since 2005 every six months. So very, in internet years, it's just a lot happens in six months when you're actually actively building and trying to solve hard problems, right? So we get together every six months. We use a methodology called open space technology where no one presets the agenda. All of the active builders show up and work on solving the next steps that they need to solve to keep making these systems, right? So it's incredibly innovative and it moves the industry forward. I've said that it's like three days at IAW is like a year or six months on a mailing list. Like you can accelerate so much when you're face-to-face, but also because we're not controlling the agenda, we're creating this space. people bring the work that they're doing in their online community spaces, whether it's like Slack or a mailing list or even just like working group calls, like that they can accelerate the work in a face-to-face meeting of the style that we host. And it's really been a major reason why we've had these successes.

[00:24:11.505] Kent Bye: So I know back in May of 2017, there was this announcement at the consensus conference, announcements of the decentralized. Well, that's my sort of entry point. That's my reference point. So I'm trying to, that's how I first heard about it was that this, but there was all these blockchain technology companies that open source what they're working on. You had eventually Microsoft, IBM and Accenture came on board, but what was leading up to that? Like were people participating in this identity workshop or what was the context that was sort of leading up to this?

[00:24:41.812] Kaliya Young: So there's a few things like the Internet Identity Workshop is the backbone of the community that led to this innovation. And then the great thing about our conference is it's very fertile. New things grow and gain traction too. And a complementary conference to the Internet Identity Workshop was spun up in the fall of 2015 called Rebooting the Web of Trust. So that conference took a different approach to supporting all of the folks working in this area, working together, which was to sit down and write some white papers together, and also write early versions of protocols. So that's where some of the first work on decentralized key management, I think the paper's called DPKI, That's where the whiteboarding happened to drive home to get to a dead standard that a whole bunch of different blockchains could agree on, right? And people were really... had foresight in being like, if we have 10 different ways to do identity on 10 different blockchains, that's a bad thing. We should get this common, at least, that there's something we all have in common about how we present decentralized identifiers. And we may not be perfectly interoperable, but we won't be speaking 40 different languages will have a common thing that we can all do a variation on, right? And so that sort of breakthrough, and I was there helping facilitate that event, was Rebooting the Web of Trust 2, which was around the UN's ID2020 conference in 2016, I guess. So now this community has four major conferences a year that are entirely interactive. There is no agenda. There's no talking. There's doing, right? So that's partly why we, you know, that's another reason we've seen this success. I think the politics of the different sort of clusters of groups and who's in what, I think, you know, the Decentralized Identity Foundation has been really driven by an individual who happens to be at Microsoft, I would say, and it's being driven by a strong vision that a particular individual has. And I think it's great. I mean, we need large companies. to get behind this otherwise it's not going to succeed right so people like how can you have it's just on a thread today and they're like well if IBM and Microsoft are there blah blah I was like are you kidding me it's super exciting that they're there now if you're Microsoft What's more disruptive to Google and Facebook than helping people own their own identity? And bonus, you still get to sell enterprise software to enterprises that might help their businesses that they sell software to interact with those independent identities. It's just like a no-brainer for them, potentially. Or at least if you do some thinking, it doesn't seem like a strategic mistake. It seems like an opportunity, right? And in terms of IBM, IBM has built end-to-end solutions for things like digital driver's licenses. Except there's a problem in that scenario. If I happen to come from a state with IBM as a vendor and get my IBM version of a driver's license, and the police departments in the neighboring state happen to have Morpho Trust as a vendor or Oracle as a vendor, whoever is doing that. Oh, my driver's license that's digital is unreadable because it's a IBM. standard issue driver's license that only works on other IBM systems. They're not stupid. They know they're not the only software vendor in the world that's servicing these types of entities with back-end systems that we need for things like driver's license and states and, you know, all of this stuff, right? So that open standards for some of these key things are essential so they can even sell their product because nobody wants to have critical things in digital form only work on an IBM system. That's crazy and it's like totally obvious when you get it. So of course they're involved, right? They want to be able to sell software and they know they're not the only software vendor in the world.

[00:29:13.067] Kent Bye: And so I guess you mentioned both Facebook and Google and their models of surveillance capitalism of basically mining all of our data and harvesting it and coming up with these different psychographic profiles. Is something like self-sovereign identity, does that provide the opportunity for us to actually own their own data and if they wanna do some sort of homomorphic encryption on it where they can maybe do processing on it and not have access to it, then that could be possible, but you say that this is a completely different model by which it's gonna sort of change the fundamental sort of economics of some of these companies.

[00:29:45.704] Kaliya Young: I don't know, we'll see. I mean, I think, I mean, we're a long way away, right? This stuff's gonna take really quite a while to get adopted. Will it get adopted? Yes. I mean, which is something's qualitatively different now. Like I've been working on this problem for 15 years. Now we have businesses showing up who are like, you know, it's cute that people own their own identities in this system, but it's just more secure because the PKI is there and I'm a bank and I want a PKI enabled tunnel between myself and the app of my customer. So it reduces my risk and increases my effectiveness. So I'm going to invest in this new infrastructure. And you're like, yeah, please bring on the money. And bonus, I own my own identity now at the end of it when you've built out all this infrastructure, right? So an innovative forward-thinking governments in Canada in particular are very keen on these things because of the privacy qualities of like we talked about before, the credentials not phoning home. I think in terms of what does it look like when I can collect and manage my own data, sure, we'll see. I'd just be happy if I could see it all in a meaningful way and like touch it, but I really can't because nobody wants me to, right? And I don't know if we'll get there in terms of agency services that do that. I sure hope we do, but we'll see. That seems really far away. It's like a nice vision, but like, we'll see.

[00:31:24.514] Kent Bye: Well, what are some of the biggest either open problems that you're trying to solve or open questions that you're trying to answer?

[00:31:34.496] Kaliya Young: I think right now interoperability is what people are dealing with, and communication across the network of projects that are working on stuff together. I think user experience. So far we really don't have any mainstream products that are in people's hands. I think we will this year. There's a lot of work to do to sell the vision, and to then also have products that fulfill the vision.

[00:32:03.687] Kent Bye: And so are you primarily working as a consultant or are you actually building something?

[00:32:07.528] Kaliya Young: So I am, I'm working as a consultant in the best sense of that word. I think, you know, this is what the great thing about our community, it's really open. You can read the last 20 IIW's notes and see what happened in every session. You can go read all the white papers on rebuilding a web of trust and you can read like 40 people's blogs. You could read all that and still not understand what's going on, right? I have some sense of what's going on because I've been in the middle of it. for a very long time. And so I'm really enjoying the role that I have and how people have pinged me to consult with them, which is to help explain how this technology works and how they can use it to build new products, tools, and services for their client bases, right? Which is like You can pay me for a day of my time and you get up the learning curve ramp pretty quickly. Or you can read about it all. It's all there in the open. And it's just a matter of making a choice about how one spends one's time and resources. And I'm also advising some Aspirationally good projects like I'm on the ethics and risk board for ID 2020 Which is looking at providing and serving the developing world and marginalized communities like refugees and other folks And I'm advising some of the core technical building block pieces. So I'm on the advisory board for various one so, you know, my skill is as a communicator, and I know the whole community, right? So I can help connect the dots and make the introductions that folks will find useful in sort of trying to engage with these technologies and use them for themselves.

[00:33:56.682] Kent Bye: Yeah, for the immigrants that don't have official documentation in any way, how is giving some of these digital identities? Do they put it on their cell phone? Or how do you actually give a cryptographic key to someone who may be seeking assignment and may not have any possessions?

[00:34:14.963] Kaliya Young: Yeah, so I think that there's a lot of questions about how this happens. I'm still trying to figure out how people think it's going to happen. There's actually a cool project that is kind of locking down. I think, I think, I mean this is also where it's like there's projects that get pressed that aren't really real. It's just kind of a big problem. But there's been work being done about how you can create identities for people and basically lock them down with their own biometrics so the records only open up when they present a biometric and are engaging with the system themselves. iRespond is probably the leading project that's doing some really good stuff in the developing world. And it's not quite SSI yet. I think it's like precursors to that. There's a lot of questions about who controls the private keys. There's also some notion of having entities that are trusted hold the keys on behalf of individuals, so a guardianship or stewardship model. We'll see. I get to be on the board that evaluates projects and asks really hard questions about how they really work, and I plan to do a good job of that.

[00:35:29.463] Kent Bye: So it'd be like you go into an official government location, you do an iris scan or draw blood or fingerprint or there's all sorts of different biometrics, but you would somehow correlate those biometric indicators into the database of the cryptographic keys and kind of at that point be able to verify their identity.

[00:35:47.230] Kaliya Young: Yeah, yeah, I mean, it's not so much verify their identity, but have a persistent record that ties back to them, right? So folks are, in our response case, I believe they're supporting medical record persistence for refugees, so that When the person returns, they share their biometrics, their medical record comes up. But other than that, their medical record isn't floating around in a database that's accessible because it's locked by the fact that they hadn't presented their biometrics. So I don't want to hype those projects too much because I think that, like I said, there is a, my understanding is there's a significant gap between what people say is being done in the field and what's actually being done in the field until I have more information. You know, and the guy who leads Iriswan comes to IAW and presents about what they're doing, so I happen to have relatively high confidence they're actually doing some of this stuff in the field. But other projects, it's like, that's nice hand-waving and maybe it could work like that, but how's it really gonna work?

[00:36:47.558] Kent Bye: Covering the virtual reality field, one use case for self-sovereign identity is you have virtual avatar that is your virtual representation of what you look like and High Fidelity with Philip Rosedale as well as Janus VR created the virtual reality blockchain alliance, which is trying to say, hey, there's going to be all these different virtual worlds and metaverses that are out there. and you wanna have a persistent identity and a representation of your embodiment across those. And so if you could tie together your avatar representation and be able to seamlessly go into these different virtual worlds with your identity, that would be a great thing to do. But at this point, a lot of the VR worlds that are out there, you have to upload your own avatar and there's this vision to be able to use the VR worlds to be able to be a little bit of a prototyping for having a persistent identity across these different worlds and different avatar representations. I don't know if you have any thoughts about VR as a realm in order to do some of these different experimentations that may be either similar or different than what we see in the real world.

[00:37:47.252] Kaliya Young: So I think one of the things that I talk about a lot in terms of the problems that we were solving for in digital identity was also not just supporting persistence, but also supporting the freedom to disaggregate and actually use different identities in different contexts, right? So that I, as a woman, do not want my dating life crossing over with my professional life, and I don't want my life and role as a parent crossing over into my professional life either, nor my, you know, Dungeons and Dragons hobby that I have that may not be looked on as a good thing at church on Sunday. Whatever it is, right? Like the part of how in the past we managed these is to just be in physically different places and know that they don't share people. One of the challenges in the digital world is that with persistence, you end up with cross-linking when you don't want it. This is one of the reasons that Facebook's completely It's completely bizarre. It's like being in a room with everybody you ever met all the time. Like, are you kidding me? You can see I don't have a large Facebook presence. I think based on what you just articulated, if I want to take my same persistent avatar with me, and maybe I have more than one, right? But if I have a particular one that I choose to pull with me between many different worlds, then sure, I think there's ways to potentially do that. In terms of the architectures that we're building, I think it would probably be something that you would store in your wallet or your cloud agent, right? And then you would upload from there, but probably automagically, like you'd present a did and then we'd go, where is your avatar? And you'd go, there's the endpoint for my avatar, pull it down, right? Like, instead of a big rigmarole with files and stuff, it would be like embedded in a UI flow that would support an individual just easily sharing those endpoints and then them knowing what to do with them if you're using open standards. Because I think it's, Like I was saying that this is really an infrastructure for service endpoints and persistence if you want it and disconnection if you want it. You know, I would encourage folks who are in the VR world who want to explore how self-serving identity can help in that to actually come to the Internet Identity Workshop. You know, four or five of you joined the conference and said, OK, we're here to figure out how we use this stuff for our set of use cases. Show up and we'll help you. And I'm sure by the end of it, you might have a pretty decent set of potential pathways to go down in terms of making it real.

[00:40:37.958] Kent Bye: Great. And finally, what do you think is kind of the ultimate potential of self-sovereign identity and what it might be able to enable?

[00:40:48.065] Kaliya Young: Yeah. I mean, I'm really, I don't know. That's such a good question. I've been working so hard for so long. I'm really interested to explore how we build new social tools with it, right? If I own my own digital identity and I can get micro, so we talked about big credentials here like driver's licenses and university degrees. What if I just get a credential because I went to one yoga class, like micro credentials? What if I have a whole bunch of those that are just like easy for things to issue me and then now I have some proof about the things I like that I've socially shown up for in the world? And how might we use that for organizing and connecting? How might we build new social spaces that we own and control in our neighborhoods for neighborhood connecting and not next door or the Facebook group? Or, you know, like, how can we use this infrastructure to help people be better people in communities together, and not just be slaves to Facebook.

[00:41:57.143] Kent Bye: Great, is there anything else that's left unsaid that you'd like to say to the decentralized community?

[00:42:03.408] Kaliya Young: Use decentralized identifiers and come to the Internet Identity Workshop. The next one's in October, and the one after that's in May.

[00:42:12.314] Kent Bye: Awesome, great. Well, I just wanted to thank you for joining me today on the podcast, so thank you. Thank you. So that was Cleo Young, also known as Identity Woman, and she's been running the Identity Workshops. So I have a number of different takeaways about this interview is that first of all, Softstar and Identity provides all these new technological means by which you're going to have more control over your identity. So if we imagine a decentralized metaverse by which you're able to seamlessly go between sites, you don't want to have to be logging in and updating your avatar onto every single site. I mean, it's already bad enough that the way that the web works right now is that you have to maintain all these different identities and usernames and passwords. And it's kind of a bad user experience. And it's also not all that secure. And we could start to use a lot more stronger cryptographic tools using something like self-sovereign identity and what's been happening with generally in the larger ecosystem of these decentralized technologies like cryptocurrencies and the blockchain. These are going to potentially have better user experiences and And what it sounds like is that now that there's these decentralized identity, open standards and protocols, that essentially you have these major companies who are wanting to collaborate with each other and provide services that are going to be a better user experience for everybody. That is that coopetition, being able to collaborate with other people. And it's really through these open standards that are really driving that. the fact that the Decentralized Identity Foundation through Microsoft and other people like IBM and Accenture and all of these kind of more upstart blockchain companies, I think there's this realization that in order to really have technology that is going to be adopted, it has to be ubiquitous and it has to be interoperable. And it has to be interoperable between the big giants like Microsoft, IBM, and all these other Upstart companies that are out there providing services and so I think that there's gonna be certainly a demand for this because you ask anybody Whether or not it's a good experience to log on onto all these various different websites. I think people Universally say no, it's not a great experience. And so it has a potential to make it easier but then you have additional problems in terms of managing your keys and other things like that, so there's still a ways to go. And that the fact that these protocols are there, I think are super important because they're just going to be driving new economic and cultural behaviors. And there's also people within the virtual reality community who are actively integrating these types of self-sovereign identity technologies. I know, for example, Symbol, which did an interview with Albert Elias, and he was calling his project HoloNet, but now he's changed it to Symbol, S-I-M-B-O-L. And he's actually released an A-frame component for self-sovereign identity. So you're able to use Uport, which is a self-sovereign identity provider, and to be able to integrate your WebVR experience using something like self-sovereign identity. And I know that High Fidelity and JanusVR are also in the process of cooperating with each other on various different initiatives, and one of them is regarding self-summoned identity, to be able to share avatars and metadata about your identity across different virtual reality platforms. And I think that through the virtual reality blockchain alliance, they're going to start to lay down the foundations in order to have these types of interoperable standards and implemented in each of their different ways. So that's still, I think, pretty far out. Just in talking to both Janus VR and High Fidelity, it's not something that they've actually written much code for. Alberto, however, does have an A-frame component that is available for people to start to check out, and I think he's going to be starting to have more information about his initiatives and efforts to bring self-sovereign identity to virtual reality. So the idea is that you could also start to de-aggregate your identity. Right now, when you go on to Facebook, you basically are having your identity across many multiple different contexts, whether that's professional, personal, your family, they're all kind of in one bucket of your Facebook. You can change different groups, but I think the default behavior for people is just to kind of put stuff out there and to have everybody from people that you went to high school with to people that you work with to your aunt and uncle all have access to your content that you're putting out there. And it's just kind of a weird context shift. And I think that with these online worlds, we may want to have a little bit more granular control in terms of what types of context information that you were presenting to the world and broadcasting to the world based upon a foundation of something like the self-sovereign identity. Just as a more concrete metaphor, if you're dressing up to go out to a Dungeons and Dragons party with your friends, that's going to be different than the context of you going to church or you're going to work or you're going to school. And so you have these various different contexts by which you are presenting different aspects of yourself by different clothes and stuff that you're wearing and I think that just the same when we have different aspects of ourselves and our identity that we want to either make available to the people that are in the same virtual context or withhold different information based upon these different contexts and so this idea of being able to de-aggregate your identity and to be able to have more control over it and potentially have more control over your data just in general. I think there's a larger trend over other companies owning your data and a lot of ways you own your own data. And so what is the architecture by which you're going to be able to hold your own data and then kind of share it in a decentralized way with these different companies? And I think these are the types of architectures that the decentralized web summit are starting to really think about in terms of, well, how can we actually center the experience and one individual and have them maintain more agency and control over their own data and deciding what they want to share as they are moving about on these different virtual contexts in these different virtual worlds. So it sounds like that, you know, self-sovereign identity is using a lot of these blockchain technologies, these different innovations that are allowing you to be able to mediate trust without having to call back and to verify, but there's able to use the cryptographic tools to be able to put public keys on the blockchain, to be able to co-sign these different claims that then can be verified by independent third parties so that you could start to have these micro credentials and these claims that can be verified independently by other people, whether that's, getting a university degree or something as small as doing a yoga class and potentially eventually at some point doing something like community service. Maybe there'll be like these different badges that people get and it can kind of turn the process of different aspects in life into a bit of a video game where you're able to collect these different badges. But those badges could be representative of your values and the time that you spent and that you're able to show those in order to build reputation into various different communities. It may be able to unlock access to different virtual worlds or different other layers of the metaverse that we want to be able to allow people to have. And so I think there's a lot of different applications that can be gamified and to just allow us to hold these different aspects of identity and to be able to create these micro-verified claims. So I'm really excited about where Self-Sovereign Identity is going to go into the future. And I think there's already some initiatives within the VR world. And I'm just super grateful for Kalia to be able to sit down and really try to describe both the history of this process, but some of the major concepts and metaphors in order to understand what's happening in this space. And if you do want more information, then check out her SSI scoop, the Self-Sovereign Identity scoop, and some of the reports that she's been able to do. Or you can contact her directly if you want more specific consulting. So, that's all the light I have for today, and I just wanted to thank you for listening to the Voices of VR podcast. And if you enjoy the podcast, then please do spread the word, tell your friends, and consider becoming a member of the Patreon. This is a listeners-supported podcast, and I do rely upon your donations in order to continue to bring you this coverage. So, you can become a member and donate today at patreon.com slash voicesofvr. Thanks for listening.

More from this show