(Cover image courtesy of the Decentralized Identity Foundation)
Below are my personal highlights from the Internet Identity Workshop #38, which took place between April 16th and April 18th at the Computer History Museum in Mountain View, California.
#1 – Yet another new DID Method?
On day one, I participated in a session hosted by Stephen Curran from the BC government, where we discussed the new DID method they’ve been working on: did:tdw.
It’s essentially an extension of did:web, drawing on learnings from the Trust over IP did:webs initiative but simplifying it by removing some of the components.
One of the interesting aspects is their ability to incorporate historicity of DID Documents without relying on ledgers. They’ve also developed a linked verifiable presentation (i.e. when I resolve the DID I can get a proof), pre-rotation capability, and portability, which are crucial features for real business applications of DID Web.
They view this method as particularly suitable for public organizations and have indicated that similar implementations could be applied to other DID methods. They already have some running code for this, which is promising.
This session was significant for us because these business features are essential as we deploy DIDs in production with our customers. It also reinforced how our work on High Assurance DID with DNS complements theirs, adding an extra layer of security and integrity. I’m excited about the potential of a proof of concept where we can see both the TDW and the High Assurance DID Web in action together.
#2 – Bootstrapping DIDComm connections through OpenID4VC flows
I attended a session by Sam Curren, who presented some recent work done by IDUnion to demonstrate how a DIDComm connection could be bootstrapped through an OpenID4VC flow in a very light-touch manner.
By leveraging OAuth 2.0 authentication in these flows, they’ve developed a method to pass a DIDComm connection request seamlessly. This is particularly interesting because the European Union has decided to use OpenID for verifiable credentials in issuing high assurance government digital credentials, leading to widespread adoption.
However, OpenID for verifiable credentials has limitations that DIDComm can address. DIDComm serves as a bilateral messaging platform between entities, enabling tasks like credential revocation notices that OpenID for verifiable credentials cannot handle. DIDComm also offers greater flexibility and modularity, allowing for secure messaging and interaction with various protocols.
IDUnion in Germany aims to leverage the OpenID for VC specification to establish DIDComm connections between issuers and holders, enabling a broader range of functionalities. They have running code and a demo for this, which we plan to implement at Northern Block in the near future.
The work is under discussion for transfer to the DIF for further work.
I also found out about where to get DIDComm swag!
#3 – Apple and Google’s Cross Platform Demo of Digital Credential API
In the first session of day two, representatives from both Apple and Google held a demo to showcase interoperability between Apple Wallet and Google Wallet with a browser, drawing a large crowd. Demonstrations by major platform players like these always mark significant progress in where we are in the adoption cycle of a new industry.
My main takeaway is that their demonstration questions the value of third-party wallets. The trend is that government-issued high-assurance citizen credentials are increasingly issued into government-based wallets, both in North America and Europe. While government-provided wallets may be the norm for high-assurance government-issued credentials, for other types of identity credentials, direct exchange from the device via a third-party application seems to offer the best user experience. This raises questions about the future role of vendor wallets, particularly for personal use or specific utility-focused applications.
#4 – Content Authenticity 201: Identity Assertion Technical Working
Content authenticity is a pressing real-world issue, especially with the rise of generative AI, which blurs the lines between human-generated and machine-generated content. This challenge has been exacerbated by the difficulty in tracing the origin of content, leading to concerns about integrity, manipulation, and misinformation. The Content Authenticity Initiative aims to address this problem by bringing together industry partners, including hardware and software providers, as well as media outlets, to establish standards for tagging media. Led by Eric Scouten, founder of the initiative from Adobe, they have successfully developed a standard for tagging media. However, questions remain regarding how to manage identity behind content, which varies depending on the type of content creator involved. Whether it’s media outlets or individual creators, maintaining integrity in the provenance of media assets requires trust in the identity process. Discussions around creator assertions and identity management are ongoing, with active participation encouraged through the initiative’s working group discussions. For those interested, here’s a link to a podcast where Eric Scouten and I discuss these topics, as well as a link to the Creator Assertions Working Group homepage (here) for further engagement.
#5 – Trust Registry FACE OFF!!
I co-hosted a session with Sam Curren, Andor Kesselman, and Alex Tweeddale on trust registries. The aim was to explore various projects in this space and identify opportunities for convergence or accelerated development. The conversation began with an overview of how X.509 certificates are currently used on the web to establish trust in secure connections. I then introduced Northern Block’s trust registry solution, which offers features to enhance integrity in the trust registry process (https://trustregistry.nborbit.ca/).
We then delved into different standards:
- EBSI Trust Chains: This standard tracks “Verifiable Accreditations” and is used by cheqd. It involves a governing authority for the ecosystem with a DID on a blockchain, tracking DIDs authorized for specific actions.
- Trust over IP Trust Registry Protocol v2: Version 2 is under implementors’ review as of April 2024. It defines a RESTful query API that standardizes how to ask which entities are authorized to do what in which context.
- OpenID Federation: This standard, particularly OpenID Federation 1.0, is already used in systems worldwide, including university networks and Brazil’s open banking. It allows each entity to provide trust lists, including common trust anchors with other lists.
- Credential Trust Establishment 1.0: This standard, part of the DIF Trust Establishment specification, is a data model rather than a protocol or interaction model. It involves creating a document and hosting it behind a URI, with no centralization. It allows roles for each participant and is complementary to VC-based decentralized trust.
The session was dynamic, with significant interest, especially regarding roots of trust, a topic gaining traction at the Internet Identity Workshop. We’re excited about our ongoing work in this field.
#6 – High-Assurance did:web Using DNS
I hosted a session to showcase our work with the High Assurance did:web using DNS. Jesse Carter from CIRA and Tim Bouma from the Digital Governance Council of Canada joined me in the presentation.
We demonstrated to the group that, without new standards or specifications, but simply by leveraging existing internet infrastructure, we could significantly enhance the assurance behind a decentralized identifier.
The feedback we received was positive, and all of our presentations so far have been well-received. We believe that organizations with robust operational practices around DNS infrastructure can integrate the security and integrity of DNS into decentralized identifiers effectively. This approach should align well with the planned proof-of-concept using the HA DID Spec in conjunction with did:tdw’s verifiable presentation feature, offering both technical and human trust in one process.
#7 – AnonCreds in W3C VCDM Format
I attended an engaging session led by Stephen Curran from the British Columbia government, discussing their project to align AnonCreds credentials with the W3C verifiable credential data model standard. It was insightful to learn about British Columbia’s commitment to preserving privacy by leveraging AnonCreds, particularly highlighting the unlinkability feature that prevents the generation of super cookies. While acknowledging concerns about potential correlation of unique identifiers in other digital identity programs globally, Stephen addressed market friction from those seeking W3C-aligned verifiable credentials. He outlined the innovative steps taken to ensure compatibility, including leveraging their procurement program to fund multiple companies for various aspects of the project, including implementations. Once again, the British Columbia Government showcased remarkable innovation in the Digital Trust space.
Slides: https://bit.ly/IIWAnonCredsVCDM
#8 – A Bridge to the Future: Connecting X.509 and DIDs/VIDs
I participated in a great discussion about the potential connection between X.509 certificates and decentralized identifiers (DIDs). Drummond Reed provided an exceptional overview of what DIDs entail, offering the clearest explanation I’ve encountered. The genesis of this discussion stemmed from the Content Authenticity Initiative’s endeavour to establish a trust infrastructure for content providers, with a notable push for X.509 certificates due to existing investments by large enterprises. We delved into how X.509 certificates are utilized by organizations like the CA/Browser Forum and browsers, as well as their role in trust registries. However, a fundamental distinction emerged between the two: X.509 certificates are intricately woven into a governance process with a one-to-one correspondence, while DIDs can be self-asserted and are not necessarily tied to specific governance structures. This contrast prompted exploration into leveraging current X.509 processes to facilitate linkage with DIDs, enabling broader utility within the same context. Overall, the discussion shed light on the interconnectedness of roots of trust, trust registries, and the evolving landscape of digital trust.
#9 – State of eIDAS + German eIDAS Wallet Challenge
In my final session of note before heading to the airport on day three, we engaged in a discussion regarding the state of eIDAS, alongside updates on Germany’s eIDAS wallet consultation project and challenge. While the discussion didn’t introduce anything particularly groundbreaking, the notable turnout underscored the widespread interest in developments within the European digital identity landscape. Throughout IIW, numerous sessions delved into the technical specifications mandated by the European Union’s architectural reference framework to align with eIDAS 2.0. For those interested, I’ve participated in several podcasts covering this topic (1, 2, 3). The ongoing momentum surrounding eIDAS 2.0 promises to be a focal point in future IIWs.
—
I very much look forward to IIW39 this October 2024!
–end–