Contacts

Toronto, Ontario, Canada

info@northernblock.io

+1 (855) 665-0833

Podcasts
ssi for identity access management iam

SSI for Identity & Access Management (IAM) with André Kudra [SSI Orbit Podcast]

Transcription:

Mathieu: Okay, we’re now recording. Hey André, how’s it going?

André: Excellent, Mathieu! I’m having a great start to the week already, so I hope you had a good start as well.

Mathieu: Yeah, same thing here. It’s just been busy weeks all year so far, but that speaks to the space we’re in — the whole Self-Sovereign Identity (SSI) space. I believe both of us are quite excited about the direction it’s going and its potential to take off in 2021.

André: Exactly! Same view here.

Mathieu: Awesome! Well, thanks again for doing this. For the folks that don’t know you, would you mind giving a little bit of an introduction on yourself, André, and the company you represent, esatus AG?

Intro

André: Yes, absolutely, and thanks for inviting me to this podcast. I’m André Kudra. I’m one of the board members of esatus AG. I’ve been in the information security space since the turn of the millennium, and esatus is also in that space. We are very active in the domain of identity and access management and everything related to that. In addition, we do governance risk and compliance work in the information security sector and so on. Personally, I’m not an IT guy by way of education, but rather, at heart. So, I have a business degree and a doctorate in business administration, and I’m a long-term advocate of Self-Sovereign Identity. My company has been active in that space since 2015.

We’ve worked in the SSI space with heavy exposure since 2016. We are based close to Frankfurt, here in Germany. I have a strong record of publishing stuff about SSI in German. I went to several conferences here and tried to promote the benefits of SSI quite early on, because I felt it was the path ahead for the mess that we’ve been seeing in the identity and access world. So I’ve been a big fan from the early days, and my company has supported the activities there. We have continuously grown our team for SSI folks, and we have now turned from being primarily a consulting-driven and software development company to a product company. We have developed our own identity and access management solution based on Self-Sovereign Identity technology. So the future for us is well paved with verifiable credentials and all that good stuff.

Mathieu: Awesome! I agree; I think the future is exceptionally bright. Both of our companies have had similar trajectories. Both of us were in the consulting space, and I think we both got excited with Self-Sovereign Identities in the respective areas we were in. You, in InfoSec identity and access, and we were coming from the decentralized solutions consulting space. A light bulb went off in both of our heads a little while back, and I would say you were even earlier if you guys have been thinking about this since 2015. Self-Sovereign Identity, and verifiable credentials, and DID (Decentralized Identifiers) are all needed to take us through the next evolution of Internet transactions, trust on the internet, and trust within systems or an enterprise.

Given your position in Germany and your various contributions to so many organizations, did you ever consider writing a book on this stuff?

André: Yes, in fact, I have contributed a bit to Drummond Reed’s book that’s in the pipeline. You’re probably aware of that as the major SSI book that’s coming our way. I’ve written a chapter about identity and access management. I think it will be available soon in the online version.

Now, I’m not only the board member of the Ottawa office, but I also have many different hats, so I have to be a little cautious about where I’m wearing which hat. I’m a trustee of the Sovrin Foundation. My company has been one of the early stewards, so we are a founding steward of Sovrin, and we are the first one who had a node in Germany. We’re also active in the Sovrin community in many different working groups. One of my board colleagues is now also a member of the technical governance board of Sovrin. We are a founding and steering member of the Trust over IP foundation, which makes us very proud. This is the first year of the foundation, and there are so many outstanding deliverables coming our way!

We’re very active in the MyData community. MyData is a global movement promoting an open and individual-centric data economy. That means that you are in control of your personal data and then have the decision power to decide where it’s going and where not. We are advocating for SSI in this MyData community, and late last year, I became a board member of the German IT security association TeleTrusT. In all these different functions, even if I don’t actively pursue it, the discussion often comes back to SSI matters, the decentralized data economy, and how we can make digitalization work flawlessly. I’m very eager to promote these thoughts in all these different organizations if the topic comes up. I think this is necessary for anything that is related to digitalization.

I’m not only an entrepreneur in that sense in that space, even though the company has been around for many years. More, I feel myself playing a bridging function between all these communities. That is, enabling them to be involved in SSI and capable of integrating it into their own thinking.

So, that’s what I’m up to. And yes, I’m trying to put a couple of these things in writing once in a while. I haven’t embarked on writing a full book. Maybe I’ll look at translating portions of the SSI standard book that’s coming out soon into German. That’s a good idea, Mathieu — we can take it up!

Mathieu: Yeah, maybe you’ll do the German version, and I could do the French version.

I’ve been having similar thoughts here in Canada, with French being one of the two national languages here. There are a lot of opportunities to translate all of the information into various languages. With all these contributions that you’re making, I honestly don’t know how you keep up with all these activities. It’s just incredible what you guys have been doing. I believe both you and I are strong advocates for the need for collaboration and the need for bringing more people into the dialogue.

These decentralized technologies are only going to be as strong as the respective ecosystems that come with them. So, it’s just tremendous work that you’re doing overall to advocate for these topics and to teach people and bring folks into the space. I’m happy to be doing some of this work with you inside of the Trust over IP Foundation, which is one of the contributions that we’re trying to make overall in order to grow the whole space.

Now, just taking a step back: You are in the InfoSec space, and working a lot with identity and access management, and doing consulting. I guess the best way to learn or to think about new solutions is when you’re actually practicing something, and you’re identifying all sorts of problems.

What were some of the triggers inside of the work that you and esatus were doing in identity and access management, where you said, “Hey, wait a second — there needs to be a better way of doing this”?

What are some of these problems that led you towards the centralized identity?

Centralized Identity

André: Yes, I think this is an excellent story to tell.

The customers we usually address are enterprise organizations with tens of thousands of employees. They are typically stuck in a never-ending nightmare of interwoven complex identity and access. To be precise, these companies don’t employ just one solution — they often have five, ten, maybe 15 different identity and access related products that they try to make work together somehow. This usually doesn’t work, so they’ve tried to tailor their own bespoke identity and access landscape to address their very particular needs. Often, in regulated industries like the financial sector, it was necessary to solve a certain audit requirement and try to fix something that was broken in one space. They decided to buy another product for it, and then they realized, “Oh, this is now related to identity and access management.” What emerged was a never-ending circle of trying to solve that identity and excess space for good, which didn’t work out. So, they effectively increased complexity while trying to solve the same problem repeatedly.

I was never happy with this. Being a consultant in that space, I always felt obliged to try to make the life of my client easier, but it was so complicated. Sometimes we were brought in because they wanted to solve something, and they said, “Well, we have bought this product. Can you help us integrate?” We usually said, “Yes, but have you considered doing it with the stuff you already have?” Sometimes, it was too late, and sometimes, they had already allocated the budget. All this you probably know from the work with your own clients. It was cumbersome, and it is still cumbersome. When I ran into SSI early on, my take was, “Wow, with SSI we have the opportunity to cut certain components out of this identity., We can access the life-cycle without making the situation any worse from a feature perspective, but at the same time, cutting so much complexity away.

This may sound very abstract now, but we can make it more tangible. If you go start to work at an organization, you need to be onboarded. So, you have this process called onboarding, which requires you to request access rights to every single system that you want to use or need to use. You often don’t know all the systems or processes that you have to go through to order the access, and you certainly don’t have any idea how long it will take. Otherwise, you would have asked yourself the question, “Am I up for it?”

We have done a lot of these projects, and with SSI, we now have the opportunity to reduce all these cumbersome processes to a great extent, and even remove certain items of the identity access life cycle. For this example that I’ve given for the onboarding, we have come up with a solution where you just formulate a rule which gives you access to the application. The rule can be underpinned by SSI attributes out of verifiable credentials, which basically give you access. If you are in a certain function or role in the organization, the application knows you’re approaching. If you can prove you’re in the function, you will be let in.

The easiest example is: The wiki system we use is a standard product from Atlassian called “Confluence” — you probably all know it. We have equipped it with a rule where anyone who can prove he’s an employee of esatus AG can access the system. When anyone joins the company, they’re equipped with a credential called “employee credential”, which states he or she is a member. The new employee then simply presents this credential to the application, and the application knows, “Okay, I can let her in”. This is the beauty of it. It can be much more complex from a rule perspective but still easy to grasp for people. They know “If I prove to the application that I’m a sales manager, I’m an IT developer, or I’m the HR guy, and I work for the company, the application will let me in because the rule says so.” With this approach, we have a powerful tool at hand to make life easier for everyone involved in the organization because less complexity is required to maintain the systems.

The decision-makers in the companies are happy because they know they have something that is future-proof. And the end-user is happy because he doesn’t have to struggle with the complex processes anymore.

It’s a much more natural approach, giving us the tools at hand to port this scenario in a digital way to access applications. This was a long speech, but the distillation is that we have a great chance to cut complexity; throw out cluttered architectures, and make life easier for everyone involved. In particular, it benefits the end-user because the process feels natural to him.

Mathieu: It’s amazing that this use case that you just described, you use internally at esatus.

I love the stories of companies and organizations that are “eating their own dog food”, at the same time as they’re trying to push these products to market. I’m sure your whole company becomes excellent beta users for this type of thing before it goes out.

André: Absolutely. We obviously started right away to do it for ourselves. We also have solid documentation for people to read, plus videos illustrating how we did that on our own. We’re working with several customers, some of whom can’t be publicly named. Perhaps we can post some links of customers who are publicly known to be at least either experimenting with SSI technology or are rolling it out productively. I think that these types of “lighthouse” projects help us to foster momentum. We’re able to show to everyone: “Look, this is not just a laboratory technology. This can be used and can be practically applied.”

I strongly support what you said in the beginning. I think this is an excellent year for SSI because we see so much movement now. It’s not simply people talking about it and thinking it’s a good idea; they embark on projects, they get stuff going, and they demonstrate the whole technology space’s viability.

Mathieu: Totally. Let’s take a look at the use case of onboarding a new employee that you’ve implemented. I’m sure you’ve implemented the solution with customers as well.

As an employee, if I’m being onboarded to a new organization, I need to request access and authorization to access different functions and features within various enterprise systems. You named Confluence as being one. If I’m a developer, it could be JIRA. If I’m anyone in the company, it could be Slack, for example, if we’re using that as a messaging platform within the company. From the standpoint of a new employee joining your company, what they would do is to use the status wallet, allowing them to connect with the status. I assume it allows them to build a direct connection with each other; it allows them to receive a credential such as the employee credential from esatus. Then, they’re able to use this approach to access the systems.

How does it work? Is the credential that the employee is using to access the system in an outer layer? Do you still need to talk to the existing SSO system or the existing IEM systems that are underneath? How does your team look at that?

Technical Foundation

André: I’ve been omitting mention of some of the technical underpinnings of how this all works. In fact, we haven’t tailor-made solutions for industrial products, or any other products like Slack. We are leveraging existing identity and access protocols. Obviously, some modern applications, and also some not-so-modern ones, usually have some kind of capability to work with existing identity and access management tools and platforms. What we’ve done is we have integrated standard gateways to these common protocols. You can connect an application that has a SAML connector, and you can connect with OAUTH 2 or OpenID Connect. We can also provision to any type of LDAP directory. It can be an Active Directory or any other kind of LDAP directory. We can provision in a database if that’s how an application manages the access rights. We put the solution in the middle, acting as an identity provider, or providing the underlying functionality that the application needs. So, we are not doing something new. You don’t have to go through development cycles for applications; we simply provide the standard mechanism for authentication and authorization that the application knows by default.

This is how we built the bridge. This looks at one side, the SSI side. For the future, we’re looking at credentials and attributes coming out of credentials. On the other side (we call it the classic or legacy side), I think these standard protocols will be around for quite a while. We look from both perspectives: one on the SSI side, and one on the existing side of applications. In the middle, we have set the product which we call “self” ( this name may change). It’s like an IDP in the middle, and at its core, we have this rule engine. As I said, you tell the application if the user “proof season” is a member of Northern Block, or ISA, then he will be let in. These rules are easy to formulate for an admin person or the application owner. They can define these rules, and the rest will automatically happen, so it’s not cumbersome at all. It’s fully configurable; you don’t have to code. You just provide the necessary strings for connecting the application to the “self” back-end, determine the credentials you want to use, and that’s it — you’re all set.

Mathieu: That’s awesome. We definitely see that as well for organizations. It’s great to think, “Hey, I could use SSI and verifiable credentials to do all sorts of processes”. But, it’s also impossible to imagine that an organization that’s invested millions of dollars into their InfoSec systems and their identity access management systems are going to throw that away. I particularly like that there’s an intersection there. Internally, you’re able to talk to what’s there without touching it, but on the outside, when it’s all about the employee or the customer experience, you’re able to make it faster. You’re able to lower friction, and you’re able to make these processes more scalable. Ultimately, it could become more secure.

André: I assume it is more secure as well because, at the same time, we’re also getting rid of user names and passwords. You just don’t need them anymore. The brilliant aspect is that we can even run the classic and the new in parallel. For some organizations, we have equipped certain departments with new functionality, and they download the wallet app. By the way, they can not only use our wallet app but any other ARIES compliant wallet app. At the point where you usually log in, you give the possibility to use an alternative authentication provider. Both can be run in parallel, so those people that are already equipped with new technology can use the new capabilities, and the others can use the old software. Alternatively, a decision can be made to change technology, but I think if an organization is used to having the convenience of the new solution, they will opt for the new solution. It’s even possible to gradually transition from your old setup to a new setup without having a “big bang” approach and all the problems that may come with it.

Mathieu: I don’t know how deep you might want to go into my next question because I’m sure some of this is proprietary. However, you’ve spoken about integrating today into existing systems, and then tomorrow potentially moving away from these systems. When you have more of a direct connection with applications, you’re effectively using the user’s wallet as a decentralized IDP and directly gaining access to systems. One type of organization or industry potentially gets threatened with this, which is the whole identity and access management space and the providers in that space.

I would be curious to know from your experience, because you have relationships with some of these companies coming from the consulting space. Do you work directly with them? How do they see this whole thing? Do they feel threatened? What’s been your whole experience working with these existing IRM vendors?

Working with Existing Vendors

André: Let’s start with the facts. The Information Rights Management (IRM) market globally is a billion-dollar market, so many players earn a great deal of money with the solutions they provide today. These products or services are all based on the fact that organizations have to maintain their complex landscape, so they pay lots of license fees, lots of maintenance fees, and lots of money for people to maintain this whole architecture.

These inefficiencies are creating a very lucrative market. Obviously, everyone who understands that SSI and its benefits are basically sawing at these branches of complexity will see this as a threat. This is exactly what we see from our interactions with the vendors. In fact, we’ve entertained lots of offers and discussions with the existing IRM vendors. Most of them said,” It’s interesting, but we’re not interested at this point.” Basically, they were no-shows in any further discussions.

I had the feeling they didn’t want to incorporate these ideas. At some point, they may have no other choice than to do it, because SSI is ultimately open, interoperable, and is compatible with all the stuff that’s out there. You cannot ignore it forever. Let’s say that an organization or a customer approaches and tells you, “Look, I want to make this work with your product. How do I do it?” If the vendor just objects and says, “It doesn’t work”, then it’s just not the truth. It will work, and it will be integrate-able into existing architectures.

In fact, it’s all there; you just have to do it. It’s all already possible. You can use our approach, or you can also use other solutions. The brilliance of it is, that if it works with your verifiable credentials, you could basically swap the whole underlying architecture with your custom-made stuff, or with another vendor product that does the same. You’re still working with the same data, but now it’s stored in the verified credentials. We’re creating an identity and access solution out of it, but you may use it for other requirements. Sometimes, you only want to do one particular thing, and you don’t need the whole IM solution scope for it. You can make it work with the existing landscape and the existing players.

It’s quite clear that this is coming because if you look at all the conferences and all the articles being published, this is not a niche topic anymore. This approach is going mainstream, and people are talking about it. The IT-savvy folks understand the benefits, and now it’s essentially everywhere. It’s also on the tables of big corporations and for high-level political decision-makers. I believe that we’re seeing the whole movement for centralization in general. The movement gets spearheaded by the whole crypto space, and I think we’re seeing it there in the crypto space. People are thinking more and more about centralization as an option for applications like social media, for example. In addition, people are starting to think about it more and more for business processes within organizations, but also for business processes in and between different organizations, vendors and partners. That’s definitely where Self-Sovereign Identity truly shines.

Mathieu: I echo your thoughts that it is ready to deploy today. I’ve actually seen that there are some larger vendors (Octa may be one of them) who are slowly beginning to discuss the concept of centralized identity. It may be an article here and there, but it’s obvious that people are thinking about it, and its popularity is growing overall. I’ve seen over the past few years that it’s becoming more popular and being presented at conferences. I’m sure if we did a Google trend search on this, it would probably show that it’s been rising in popularity.

Now, for the folks listening, would you mind giving a brief overview of what “Zero Trust” is? Why is this becoming such a popular framework or method that companies are looking to implement? How does SSI play into this model? Does it complement your solution or provide similar functionality?

Zero Trust Model

André: That’s an excellent point. If you’re coming from the security domain, you’re familiar with terms like “perimeter protection.” For example, you want to maintain your firewall and only let information and activity that you approve in and out.

With the paradigm of Zero Trust, it has become evident for everyone within the security industry, and also outside of it, that this perimeter concept is no longer valid. You have to assume that you have an attacker already within your perimeter or within your closed and own shop. If he’s not there yet, he can get there with a reasonable amount of time, just by social engineering. So, the understanding is that you cannot trust anything that’s inside your perceived perimeter, or outside of it. It’s necessary to consider asking for certain authentication before any type of asset data store feature or tool is used. If you think it’s worth protecting, you have to consider increasing the trust level at the point where this decision has to be made.

Before any type of asset of the company is accessed (e.g. a system such as a laptop or desktop computer, or your wiki system), you have to have a reasonable amount of assurance. You need to know the person who is accessing the data is eligible, so this is the paradigm that we are looking at. Essentially, you cannot trust anything. Or, you have to increase the trust level at the point where actually the access happens. This is exactly what we can facilitate now with Self-Sovereign Identity. We have facts about users that are stored in the verifiable credentials. We can use them to make a user present just the right amount of information needed, for the assurance that he or she is eligible to access certain resources. In the easy example that we used in the beginning of our discussion, you have only to prove you’re a member of the company.

Sometimes this might not be enough. If you want to access a certain resource that is just in the wiki system for managing the sales pipeline, you may have to prove additionally that you’re a sales manager. You would need a different type of validation; a different type of credential with a different attribute to prove that. In some cases, if you want to close a contract you might even need more validation, like your name and address. Maybe, you even need a state-issued identity credential, that gives you the power to sign a contract via digital means. You basically step up the authentication, and ultimately authorization, with the attributes that you have to provide. With SSI, we can verify that you have verifiable credentials that contain attributes about yourself that have been attested by another party. The fact that you can use them anywhere shows how this approach is ideally suited to fulfill the Zero Trust paradigm, with this on-the-fly provisioning of information items that give you access.

I hope that it’s transparent that this is definitely not in contradiction but very much aligned. The Zero Trust paradigm is absolutely fulfillable with the Self-Sovereign Identity technology that we have at hand. It’s a mechanism that facilitates achieving a Zero Trust paradigm within an organization. There are others that we see; different identity and access management systems that are trying to fulfill the Zero Trust paradigm, but Self-Sovereign Identity fits quite nicely into there. One advantage with SSI, is that you fill all the requirements on the privacy-by-design principles and the security-by design-principles. It’s just superior in a lot of different ways.

Mathieu: Agreed. We didn’t go into that detail. Obviously, there’s a requirement for selective disclosure, so you don’t present the full magnitude of attributes in a credential. You only present the information that you’re asked for, and then you still have the decision power over whether you want to share more information.

André: You can even get to a level like “Zero Knowledge Proof“. For example, you don’t disclose your birth date if you want to prove that you’re above a certain age. All this functionality is possible with the Zero Knowledge Proof type of credentials. Selective disclosure is probably something that is much more needed and in use these days because this is exactly how it works in our example also. Our employee credential holds more information than just the attribute: employee employed by company esatus. The credential includes the starting date, maybe a fixed end date if the person has a limited-time contract. The credential contains certain other attributes. However, if we want to make a decision on whether the person is able to access the resource, we just ask for this one line: “Are you employed by esatus AG?” and that’s it.

Mathieu: I think that the whole concept of selective disclosure, and the move towards centralization, are tied in very closely with the privacy movement and privacy-by-design solutions. It’s a great selling point on its own, as well, to be able to significantly improve the user experience, whether you’re using this approach with your customer, or employees, or whoever you’re dealing with. You’re able to give them confidence through transparency and through their ability to know and control what they’re sharing.

The world seems to be moving that way. In Germany and within the EU, different frameworks and legislation are being pushed forward. With some of the data privacy laws such as the GDPR (General Data Protection Regulation) and others, Self-Sovereign Identity falls in quite nicely there as well. Based on what I’ve learned from you, it seems like the government of Germany is really buying into this stuff as well.

I’m based here in Canada, and there are people listening to this podcast throughout the world — folks like ourselves, who are trying to push for centralized identity and to significantly grow the ecosystem within our respective countries. There are many government organizations, and many large companies that have joined this whole ecosystem and this mission for decentralized identity.

Would you mind spending a few minutes letting us know why? Is there something in the water in Germany, that people are drinking that is pushing them towards this? How and why has the German ecosystem grown at the speed it has grown so far?

Germany’s leadership in the Field

André: Well, I think there are many aspects to that. Perhaps we should start with the whole crypto developments that have been happening in Germany from early on. I’m not saying that SSI has a huge amount to do with crypto, but I think we have a strong Blockchain Distributed-Ledger-Type ecosystem of people and companies, which fueled the SSI ecosystem as well. In general, there’s a huge drive for innovation even if it’s unevenly distributed in various areas. We have a vibrant ecosystem of innovative companies, particularly in the blockchain and DLT space. This helped to foster the discussion around these topics, and also to build successful showcases early on. In the end, the evolution was also recognized by venture capitalists and political decision-makers. There was an ever-growing communication stream directed towards these decision-makers: “Look, there’s some stuff coming your way, you want to be prepared. Do you want to join?”, and so on.

This resulted in the fact that it was realized and recognized, and some major activities in the space happened in Germany. We have a couple of different streams now underway. The one that is probably most often talked about and widely recognized, is everything that’s coming out of the funded projects by the Federal Ministry of Economic Affairs. These are showcase projects about secure digital identity. The Ministry has issued a funding proposal to basically everyone who’s in that space, and called for a competition of six months to propose solutions in the digital identity space. There were several SSI-type solutions being proposed in that competition phase; there were 11 projects, which boiled down to three or four projects in the end. The successful projects are funded for three years, each with a budget of 15 million euros in the consortium. In the end, now we have four projects that are co-funded by the Federal Ministry of Economic Affairs, and at least two of the three are dedicated to promoting SSI and showing that it works.

One of these projects is called “ID Union”. ID Union originated in the early work done by a company called “Main Incubator”. They are a subsidiary company of Commerce Bank. A couple of years back, they proposed the “lissy” project, which produced one of the first Self-Sovereign Identity wallet apps. This led to the fact that we got together in the competition phase for this Economic Ministry-backed project called SSI for Germany. We formed a small consortium and transitioned all the lissy project work there. Now, we are rebranding again and calling it ID Union.

ID Union is not just the name of the project. It’s also the name of a Hyperledger Indy-based test network that was created in the competition phase of the project. This is one of the top work-streams. ID Union and its test network will be transitional to a cooperative legal entity model and a running production network. In parallel, the state-funded project of the Ministry of Economic Affairs is also being called ID Union, but this is just one of the bigger initiatives.

We have another activity going on, which is driven by public sector organizations. It’s called “Gov-Digital”, and they are planning to provide blockchain and DLT-based services dedicated to the public sector. They also have in the roadmap the creation of a Hyperledger Indy-based network at some point in time. I’m not deeply involved in that — as I said, it’s completely run by public sector players. Datacenter providers and others from the public sector are doing a great job of advocating that, and I think at some point they will also come up with a Hyperledger Indy-based project.

Now, coming to the major activity that’s going on… maybe you’ve heard that the topic of digital identity came up last year in the highest political decision taker circles in Germany. It culminated in a meeting run by Angela Merkel at the beginning of December last year, inviting C-level representatives of 18 companies. There is a public communication on the Bundesliga website to discuss the future of digital identity, and in this meeting, they also covered Self-Sovereign Identity. An outcome of the meeting was that everyone thought “this is a good idea, we need to do something about it”. Maybe this is a differentiating factor for us here in Germany and Europe overall, and to be able to counterbalance what’s going on in the rest of the world. It’s such a good idea, that we are now embarking on a project, together with a pilot, for a certain use-case based on Hyperledger Indy technology, which is currently underway.

I can’t tell you a great deal about the details of that project. We’re looking at it because we are also part of ID Union. Obviously, this aligns with what’s happening in the union, with the other projects, and with what the Chancellor’s office is doing. There is such great momentum with what they started at the end of last year, and there will be huge visibility when they launch and go live with a pilot. I know that there are more pilots planned than just the one that’s underway. So, this year will be full of pilots, driven by the Chancellor’s office and in conjunction with players from the German and European SSI ecosystem. I believe this is extremely important, and the lighthouse for getting SSI on track. Naturally, everyone is looking closely at what these people are doing, and I have very high hopes that this will tremendously fuel the SSI ecosystem and the whole momentum, here in Germany and broader Europe beyond.

Mathieu: Here in Canada, we’re watching closely everything that’s being achieved in Germany. We have a great community here, as well as a big blockchain DLT community. We definitely see a lot of the activity being sped up, and it’s a different way of thinking, especially when you start thinking about the decentralized models. For people that come from the blockchain and DLT space, it makes sense quicker. We’re lucky here in Canada that the governments are making investments into this space as well. It’s highly significant, and people should really look at it. We’ll link some of these projects in the show notes, if people are interested in looking a little more into what’s happening in Germany. Germany’s notably a leader in the space.

For folks listening who are looking to deploy projects in Germany, I think there are lots of resources we could point to. In Canada as well, we could point to a lot of information for people in other countries in the world, who want to push Self-Sovereign Identity or Decentralized Identity forward in their respective countries. If their public sector and various governments aren’t making the same investments or the same prioritizations as Germany or Canada, is there some low-hanging fruit for entrepreneurs or innovators that are looking to really push this forward? Could SSI see traction in a place without government involvement?

SSI Interoperability

André: I think it could. As you see, here in Germany, we have several different streams. We are not all completely aligned, and not everyone is doing the exact same thing. We have Golf Digital being addressed in the public sector, and we have ID Union attracting lots of businesses. With the variety of players, we have all these other activities going on, so I think in the end, we will need some alignment. We’ll need to pull the strings together and bring together what’s happening in broader Europe, such as EBSI and (ESSIF).

You are probably aware of the other initiatives that are going on, in Finland, for example, with the Financial Industry Decentralization Initiative (FINDI), and in Austria. There are different streams going on, but with the recognition that there’s stuff happening in the same areas. Everyone is eager to collaborate and get these things together. For entrepreneurs who want to be active in the space, there’s a significant opportunity to leverage this momentum that’s growing there. I’m particularly looking in your direction in Canada because I know the ecosystem is robust there as well. In fact, I think the political people have made requests to be connected to one another to talk about these projects. I’m very hopeful that this will also lead to something that is beneficial to all of us.

Since SSI is open, everyone can put services on top of it. For Gov-Digital, for example, which is dedicated to public sector partners, they may decide to let private companies offer their services on their chain at some point, or on their DLT. This is the beauty of it, if the ecosystem is as open as it is in SSI, and at a minimum, the underlying technologies are comparable. As most people are aware, I’m a fan of Indy and Aries, so Hyperledger Indy and Aries are our chosen stacks at this point. We put all our development into these technologies. However, in the end, if we have verifiable credentials as the common denominator, you can do anything with any chain and system, as long as it’s based on the paradigm of verifiable credentials. As open as it is, it’s a great chance for everyone in the world to effectively provide solutions with these parameters in mind.

If you think, “Okay, I’m an expert in Indy and Aries, I want to build stuff on that”, this is the best chance to do it. If you think, “Okay, I want to be a little bit broader, I want to work with Verified Credentials”; regardless of what technology is underlying, you can do that. It’s possible to come up with a solution that is tailored around that. There’s great potential, because there are no boundaries between organizations and ultimately countries anymore. If we have the interoperability that we envision with SSI, then we can basically do anything, from everywhere.

I think the chances are very good that we have innovative players in that field who understand these parameters and understand the technology. They can immediately expand their business beyond their so-called “home market” because it’s just something that everyone needs. These kinds of tools have never been available to that extent before. If we have this common architecture and open standards, you can basically deliver services and exchange services without any limitations from an organizational or jurisdictional point of view. We tell people exactly what you said: “If you’re adhering to the standards and norms that people are moving towards, it comes down to you understanding where you sit within the overall ecosystem, whether you’re an individual or you’re representing an organization.” Different public entities have different roles within their existing ecosystem. They will move at their speed, and they will do what they’re doing, but it doesn’t stop you from getting into all sorts of different use cases. What esatus is doing is just great proof of this: using Self-Sovereign Identify, you’re able to drastically improve user experience, whether it’s your employees or your customers. And you don’t necessarily need a government to shoot ID.

Mathieu: It’s going to be great when these developments arrive. It becomes another tool within the ecosystem, it becomes another piece of data that you could add on top of what you have today. There’s so much you can already do today. Again, you guys are early movers in the space and great proofs of concept. We looked up to your company very highly when we first got into the space because we genuinely admired the way you were approaching this.

André: Much appreciated, and it doesn’t stop there. Within the identity and access space, the work we’ve done has been a natural progression. Now with ID Union, we have several different use cases which basically apply the same technology. We have the full stack available. With a little tweak here and there, we can address different types of use cases.

For example, we are building what we call a “Schuler Wallet” or student wallet. In one of the project streams, we’re working with the local community of Langen. They provide groceries to people in need. To perform the validation that people are, in fact, qualified to get this support, we’ve built a complete Verifiable Credential-based solution for them with the technology that we have. One primary objective is also to provide these learnings back to the global community. That’s one of the key reasons we are active in global ecosystems such as Sovrin and Trust OIP. So my clear goal is to get everything that we do in ID Union packaged and deliverable. That way, others can learn from it and leverage the things that we have achieved here. This is also something that is common in the German identity landscape — that people are eager to contribute and make it visible and available to the rest of the world. I think this is a great position, and the outstanding collaboration among all involved has been fantastic.

Mathieu: André, for people that are looking to get in contact with you or your company or looking to contribute to the space, where can people find you?

André: You can look at our website esatus.com (US dot com). We also have a Twitter account for the business, or you can reach out to me personally. I think if you search for my name “André Kudra” on Linkedin, or on one of the other social networks, you come across me. You can also put my email address and my Twitter account in the show notes so that people can have a way to connect. We’re always looking forward to entertaining discussions and to working with you on your solutions. Again, I very much appreciate your invitation to participate in your podcast series.

Mathieu: I’m a big fan of your work, and I very much enjoy collaborating in the space on the Trust OIP initiative and everywhere we run into each other. I think this is a very fruitful relationship, and I look forward to many great projects together, likewise, André.

André: Okay. Thank you very much, it’s been my pleasure.

Related Links:

Author

Mathieu Glaude

Mathieu is the Chief Executive Officer of Northern Block, a leading global provider of self-sovereign identity, blockchain, verifiable IDs & documents and automated business workflow technology headquartered in Toronto, Canada. Connect with him on LinkedIn here