From YouTube: Digital Identity WG (September 30, 2020)
C
Cool, so today we have a presentation from Arnaud. I thought, I think I saw him on the call. He is going to talk to us about self-sovereign identity, which was a question on all of our minds, maybe a few of our minds. So Arnaud, maybe introduce yourself quickly. I don't know if you've attended one of these.
D
No, I have not, but it's okay.
B
D
So my name, well, let me show you my slides and you'll get this from this slide. It's Arnaud Le Hors; it's two words: Le, space, Hors. I know it's hard for Americans to accept that last names can have more than one word, but it's okay.
D
D
So I'm Arnaud Le Hors, I'm from IBM. I'm part of the open technology group in IBM. I'm an open source, open standards specialist, which means that I've been working primarily focusing on standards and open source for most of my career, and I'm part of a group within IBM that basically helps the different business groups develop an open technology strategy and execute on it. So over the years I've worked in different technology areas.
D
For the last five years, I've been primarily focusing on Hyperledger. I'm also the main rep for IBM at W3C, where I have a long history. I used to be at the W3C before I joined IBM, although that's 21 years ago now. So I was asked to give you a presentation on Hyperledger, sorry, on self-sovereign identity, I should say, and the reason I'm here is because, as I was saying, I've been primarily focusing on Hyperledger for the last five years.
D
D
We actually have many different projects that are not always related to one another, except for that common goal of, you know, being, like, you know, open source based and blockchain oriented for the enterprise. And so I am actually a member of the technical steering committee, which oversees all the different projects and tries to, you know, manage the different projects, and I'm currently serving as the chair of the technical steering committee. And so, you know, as part of my role, I'm aware of all the different projects, at least to some degree, and as a matter of fact, self-sovereign identity has been a topic that I've had a personal interest in, because I think it's a very promising technology that is bound to have a major impact in the way, you know, we live, and so I have given many presentations on this.
D
For full disclaimer, I am not an expert, because this is not what I do on a daily basis. I am not an expert in security or identity. Of course, I'm a computer, you know, software engineer and I've been doing that for quite a few years, so I am not immune to any of those topics.
D
I have general knowledge, but I can give you a general introduction on what self-sovereign identity is, how it relates to blockchain, and, you know, what's going on, what the status is in terms of the development of the technology, because it's a fast-moving space. But of course, when it comes to standards, I mean, some of it is standards related, some of it is open source related, and I'll
D
E
Maybe I'll talk about this in the slides. Is what you're working on, is it tied to any of the Decentralized Identity Foundation work, or is that a separate effort?
D
D
D
D
D
I guess I'm not being very lucky because, this is a Google thing and I use Firefox, and I've never used this app before, so it's telling me, oh no, you can't do this, you don't have permission.
F
Yeah, it became a little friendlier. I'm running Firefox Nightly and I noticed it improved, but yeah, it's tricky.
D
I'm sorry, I'm trying, what else you want.
C
D
C
A
Yeah, let's try that. I'll start sharing again.
A
Yeah, so we had a couple topics on here for today. We'll jump back to Arnaud's once he comes back. The next one was, no, I have to switch which tab I'm sharing immediately, to talk to the threat model doc again. I think we made some pretty good progress on it, and Gavin actually made this awesome diagram here.
A
So we can discuss as a way to think through some of the different, it's not quite a threat model, but it's like a flow chart where different threat models can happen, right.
D
D
D
D
E
B
D
D
A
B
D
D
So without further ado, I'll just introduce the general concept when it comes to identity, how self-sovereign identity is positioned towards other ways, right. If you look at the history of how identity has been managed, first we had systems that were fully centralized, where you just basically log on to a system and that's it, and then we had systems that are more federated.
D
It's like, you know, using Facebook or Google, your Gmail account, to log on to some other system, with the, you know, with the pros and cons of doing this. Very user friendly in terms of, you know, it makes it much easier, but you don't really control what's going on, who knows what. So then there are things that are more user-centric, so things like OpenID, and, you know, so the advantage is the user is more in control of their identity.
D
There's still a problem in terms of portability. It's not universally recognized and you don't control your ID itself. You have better control over who gets to see your ID and what they do with it, but you still don't control your ID. If you have an OpenID, you depend on OpenID. Self-sovereign identity is trying to get us to the next step where we, the user, is in full control of their identity and it's universally recognized. At least that's the hope. Obviously, it's not true today, but you'll see they are.
D
When I talk about identity in this context, it is important to realize that we're not talking about just, you know, simple credentials, like user ID, password. We are talking about identity in general. This is anything that, you know, pertains to a person. So if you think about it, in your day-to-day life, you accumulate all sorts of information that, basically, you know, pertains to your identity and together form your identity, right. It's, of course, your identity
D
In terms of, like, you know, what your government knows you as and recognizes as your identity, but it's also things like if you have a driver's license, if you have a university diploma, you know, if you work for a company. All these different bits of information really belong to your identity and form your identity as a whole. Right, if you have a credit card in your wallet, it's a form of identity that, you know, recognizes you have a form of payment from a certain bank, and so on, right.
D
So we have this concept of verifiable credentials. I'll take you through a very simple scenario and you'll see it's very simple, it's easy to grasp. So we have a person here who goes to university to study to become a doctor, at the end of which the university is going to issue a verifiable credential that states that the person is indeed a doctor, because they've received the diploma from that university, right. And so effectively, this is done in a form that's electronic.
D
Obviously that will be stored by the user in some form of digital wallet, right, and it has a bunch of information. I'll go more into the detail of what the information contains, but essentially it's going to contain information about what this represents, who issued it, you know, an issuance date, for instance, that kind of information.
D
D
D
D
With that, the hospital is going to be able to verify the credential. This, you know, obviously calls into using some cryptographic material. They use a cryptographic method to verify that the claim is indeed valid, right. What's interesting is that the verification does not involve the issuer, right, so the hospital can do that without the university being involved, even though the university obviously was the issuer. That has many advantages, right. This is a blind verification.
D
You know, so this model obviously scales in many different ways, and what I just explained to you is enough to, basically, this is the foundational block for the whole system. Now you can extend that to anything you want. So if the person wants to apply to many different hospitals, the same mechanism is going to apply. By the way, that means the university does not get into this at all.
D
There is no scaling issue from the university point of view, just because once they have issued the credential and stored the cryptographic material necessary to be able to verify it on the chain, they are not involved anymore. And by the way, there's a privacy aspect to this, right. So if you take another scenario, which is, you know, in the U.S. we have a limit for drinking, which is 21. If you imagine instead of university, is a bar. Oh, no, sorry, the hospital is the bar.
D
The university is the DMV. They issue your ID, they say over 21. Every bar you go in, they're going to check that you're over 21 before they serve your drink. The DMV does not have to know you've been hopping the whole night, right. So each bar is going to make the verification and the DMV is not involved in any of this, and obviously this model, you know, scales to any number of issuers. So I just talked about a university,
D
I talked about the DMV. You can quickly imagine how this scales to many other things. Once the person has a job, the next thing they're going to do is say: well, I can go to a bank and maybe ask for a loan to buy a house or a car or something, and the hospital, who is the employer, can issue a credential that says, yes, this person is actually working for us.
D
So typically, you know, if you're going to exchange a credential, it's very likely to refer to more than one piece of your identity. So, you know, very phenomenally, typically you're going to say: hey, I have a, you know, a driver's license, or, well, driver's license is a bad example, in the US it is the same as your ID typically. But, you know, if you say, I'm an employee, or I have a university diploma, and here is my ID.
D
The university diploma is likely to refer to the ID, and the question is, well, how do I trust this is your ID? And so you can actually combine those claims. So you could have verifiable credentials that have been issued by the DMV or the government in general, right, that define your national identity, and then you have a diploma, and you can combine those two so that the verifier, the party that wants to verify, you know, can verify the different facets of the information that you're exchanging with them.
D
D
We have this mechanism of supporting selective disclosure. So going back to the example of the bar, for instance, you know, the naive, I mean, when you think about it, every time you enter a bar and they ask you for your ID to verify you're over 21.
D
So what we're talking about here is a mechanism that will allow you as the, or, you know, the user
D
D
B
B
You're right, you talked about showing only what you want to disclose, but does that require that the issuer issue it in part, so that each part is signed separately, or is this something that's completely under the control of the individual? Because if you depend on the issuer to separately sign all these different pieces, they may choose, you know, that's not convenient, and then you can't take advantage of that.
D
Yes, that is correct. In fact, this is why I said it depends on how it's implemented, but, you know, ideally, you want the issuers to issue things in a very small, piecemeal kind of way, so that you can indeed more easily use them independently of one another.
D
F
Correct, but that's also prone to abuse then, no? Could somebody just selectively show information, that's, well, say, for example, that you have a bunch of arrest warrants or something like this.
D
Yeah, yeah, I understand what you mean and it's a totally good question, and, you know, it's always the same, it's like, with more power comes responsibility, right. It comes down to this. This is why the issuer may not want to separate some aspects of it, right. They have to be cognisant of the fact that, well, can that piece alone be misused, you know, be misrepresenting? And, you know, for instance, the example is like, you also want to know who is the issuer, right?
D
At the end of the day, there is always the problem of the chain of trust. Can you trust the issuer? Who is the issuer? How do you know who the issuer is? Because, you know, you tell me, hey, are you a doctor? I sent you a credential that says I'm a doctor. You go to the chain, you find some keys there, you know, some cryptographic material, you check it. Hey, it works. You know, the proof tells, yeah,
D
This is a valid credential, but wait, who issued it? If it's my mom, you're not much better off, right. You need to make sure you understand who the actual issuer is, and so there are different aspects like this that still are very important to get right, because indeed, otherwise you can open the door to abuses.
B
You, so far, when you said identity, always talked about individual persons. Do the systems that you're talking about also support identity of organizations and projects?
D
Yes, organizations and even things. It's anything that you want to, because at the end of the day, and if we move a bit, in a couple of slides, I have what we talk about, DIDs, decentralized identity, identifiers, and you'll see that it's just a URL and you can create them for whatever you want. Then it's a matter of, you know, who has control over this identity and what you decide it represents.
B
D
So this is just a little bit more on the kind of things we do with those verifiable credentials, right. So, as I said, it allows real-time verification, and without the direct connection to the issuer, this was the blind verification that I talked about, right. It's, however, revocable.
D
So there are mechanisms so that, for instance, you know, back to the DMV, it's important that the DMV can say, sorry, that license is expired, right, or you're a drunk driver and we suspended the license. They want to be able to revoke your license, so there's a mechanism, and depending on the way that the storage, different systems handle this differently. But there is a way to say, you know, when you verify, you can also ask: has this been revoked? And you'll be able to figure it out.
D
I talked about, you know, how you can combine different things. So this is an example, you know, where they have a credit score or mortgage balance and income, and you can imagine you're pulling from different issuers, you know, different credentials and combining them to present it to the verifier.
D
D
Actually, you know, seeing it, and so in this case we can, even though the issuer may only have given you a credential for a specific birth date, you can still do the verification of whether you're over a certain age without disclosing the actual birth date. And this is the zero-knowledge proof, it has been around for a long time. I'm not a crypto expert by any means, but, you know, the difference is that we have now achieved, thanks to the advancing technology, you know, both hardware and software,
D
We are able to do that in a fast enough way that it becomes usable. You know, I asked one of my colleagues who is a renowned expert in the field. I said, how long does it take? He said sub-second, and that was the answer that meant we can actually use that on a practical basis. And the other aspect, as I said earlier, the privacy involved is very important, right, and there are a lot of systems around today that fail in this regard, because there is correlation.
D
If you do a transaction in one place, then people can kind of track you and find the other things and correlate other things. So here we can do all these things, you know, so to verify that somebody is over 21, for instance, they were saying, you know, at the entrance of a bar, you wouldn't have to disclose your name. This transaction can be anonymous. All they need to know is that you're over 21.
D
And again, anti-correlation. It means, you know, you can go to many different bars and they wouldn't know you've been doing this all over the town the same night. And selective disclosure, it means, again, the user is in control. So, of course, you can't control what the third party, the verifier, is going to ask and want to verify, right, but you can choose. They will have to say, hey, can you give me that information, you know,
D
Can you prove me this or not, and then the user is in control of saying, yes, I'm willing to disclose this. So, like, you know, you want to apply for a loan at the bank. It's common that the bank is going to ask you to prove that you have enough income to, you know, to back this up, and so it's up to you to decide whether you agree or not, but the system allows you to effectively decide that.
E
D
So one important aspect is, you know, in the end, so the ledger, that's the blockchain, right, that I've been referring to. There is always the question: okay, but what's written there? And especially, you know, with GDPR in Europe, but in general, this is kind of, you know, all over the place now. People are concerned with personally identifiable information.
D
Where does it get stored? And obviously one of the key aspects of the self-sovereign identity model is to avoid putting any personal information on the chain, or on the, yeah, on the ledger, the chain. And this is a very important aspect, because people always are confused with this. It seems like, you know, oh, but I'm gonna have to store keys or something to verify the information. But if you think about it, in this case, it's the issuers that are putting keys and information on the chain.
D
They are putting enough information that a verifier can verify the credentials, you know, that are held by the user, and again, user, entity, right, whatever that is. And the entity that is the issuer typically is an organization. You know, it's like, I said, the DMV, employer.
D
None of these are persons and therefore their data is not personal information, right. And so what we store, again, and I'll get a little bit more into this, but basically, you know, there's this notion of decentralized identity, identifier, that points to a certain record on the ledger, the blockchain, and then, when you pull this, you'll get a document that has different pieces of information.
D
It has the keys to cryptographically verify the credentials that have been signed, you know, is that actually a valid credential, but it also has, like, service endpoints. There's, like, literally addresses of systems that the verifier will go to connect to do some transactions, such as, you know, enabling zero-knowledge proof verification and so on. There can also be information about the schema, because at the end of the day, those credentials, they hold, you know, a certain amount of data that is structured, and you want to know what is that data, you know?
D
Am I actually looking at the driver's license or pilot license, or is that, like, a cooking, you know, a certificate that you went to a class on Saturday? You need to actually know the nature of the information that is signed, the credential. What is that credential about? And so that actually calls on to this notion of schema that is known. Somehow you need to be able to verify not only that the information is valid, but that the information is what you want in the first place, right.
D
D
So it's that part, and, you know, I'll share my, you know, my own doubts about the system, or at least acknowledgement of the limit of this whole, you know, endeavor, is that there is a registry, which is today, so, you know, it's a, it's
D
Basically, a GitHub document on the W3C GitHub organization, and if you want to register a new method, you have to basically post a new document attached to that registry on the W3C GitHub website, and you say: okay, this is the method I want to register. And then you're going to use some resolver in your system to basically say: oh, I have a DID, it's this method, I need to apply this mechanism, and, you know, it's up to you how you actually implement this. And so typically the method refers to, it's an identifier of some blockchain network, so there is one, like, for Bitcoin.
D
There is one for Ethereum. This is sov, this refers to Sovrin, which is another network, and there's a whole bunch of them, right, and nothing stops you from creating your own, for that matter. And then the piece behind it, basically, is how you go beyond that. Typically, it's the address of a record on the blockchain network, which will allow you to go find that record on the ledger, and then you pull this.
D
You end up with what we call a DID document, which is this document that will describe, you know, what you can do with that identifier, and again it has, like, the public keys, the service endpoints, that kind of information. But so there is a beauty in this, which is it's very open-ended, and in fact there are people who said, well, the method could be HTTP, right, or HTTPS.
D
Therefore I can even piggyback on top of HTTP, and then the method-specific identifier is just the domain and the URL, you know, typical URL, the HTTP URL kind of thing. Of course, the problem is you're putting back centralization into this, but it does provide for a bridge, right. So you could have a DID openid and then, you know, an OpenID URL after that, too. This is really open-ended.
D
The whole premise, though, and, you know, I'm being open on this, is that, how is that more decentralized? You know, and people have said, why isn't that just a URL, a web URL? But then you're, like, back to WebID type of thing, OpenID type of thing. And the difference is, if you use a blockchain network, you do not have a single point of centralization of control, and so that means those DIDs, you know, cannot be pulled off you from your control by a single party.
D
That's the only real big difference, but of course it can be a crucial difference, and, you know, if you believe this is important, because URLs depend on the domain names, which depend on the DNS, which you don't control, and, you know, your ISP is going to have a say in it, the DNS resolver and the whole DNS, you know, tree. Obviously, the domain names are not completely under your control, so they can pull it off and you lose your domain name.
D
You lose all your identities. One thing that's important, and this brings us back to the question that was asked earlier, is these are actually pretty cheap to create, right, and so nothing prevents you from creating these for anything you want, and as many DIDs as you want. And part of, you know, increasing privacy comes in this ability to create DIDs as much as you want. So, if you want to avoid correlation between, you know, different operations you make, you can issue new DIDs for about every transaction
D
You want, if you'd like, right, and so that makes it easier to kind of avoid the correlations throughout the history of, you know, your using your identity. So just to finish, and, you know, the questions, I'm happy to take them as much as I can answer them, but I want to give you an idea of what's going on in the field. There are two fronts for the development of self-sovereign identity.
D
There are some open standards being developed, and so there are two that I've mostly talked about. There's the DID, that I just gave you an insight of. So that's the W3C working group. They're developing a specification that defines the DID syntax, but also the document, what it contains, what you can do with it, the format, etc. There is verifiable claims, that's the actual document
D
You know, that you're going to be able to get from the issuer and then exchange with the verifier. And then there is another piece, it's actually not in the works yet, but it's DKMS, which is a decentralized key management system, and it's expected to happen eventually, to go at OASIS. Although they've been saying that for a couple of years and I haven't seen sign of it happening yet, so I don't know exactly why. But I think it's important to realize there's many facets to this. There's also the whole
D
You know, orchestration of the protocol between the different parties, right. How do you actually orchestrate this? You know, connecting to an issuer, they issue the credentials, you store it in a digital wallet. Then you go to an organization, they ask you for certain credentials, you have to exchange them so they can prove them, and, you know, and I talked about selective disclosures, like, okay, but at the end of the day, how does that play, right?
D
You have to orchestrate this exchange of information, so there's a lot of moving pieces still not completely sorted out that will, you know, come into play over time. And then the other facet is the open source effort. So there are several of them. There is the Decentralized Identity Foundation, basically they have
D
They actually have an implementation of a resolver, so this is mostly what they do, and they do a bunch of different tools. But the main pieces actually are in Hyperledger. There are three projects that relate to this. The first one is Indy, and, to be honest, the other two were basically spawned off from Indy. So when we started several years ago with Hyperledger Indy, it contained a whole solution stack for the self-sovereign identity problem. So there is a ledger where you can store the keys.
D
D
So they pulled out of Hyperledger Indy/Aries all the cryptographic code and put it into a library so that people could reuse it, and it's now being used broadly, both within Hyperledger, different projects use it, but even beyond Hyperledger, and so is Aries.
D
So I mentioned there are different, you know, DID methods, and there are different projects that do self-sovereign identity kind of things, and Aries is actually being used by people who use Ethereum and Bitcoin and other things, and that have nothing to do with Hyperledger, but they still use the digital wallet.
D
So that's pretty much my presentation. I keep trying to keep it short and to the main salient point, to give you a sense of what we're talking about. If you want to know more, I highly recommend reading this paper that was published a few years ago, but it's still very much relevant and gives you a really nice overview of what this whole thing is about, and so I give you a link there. You could look it up, the Sovrin white paper, and there's a library section on their website.
D
So Sovrin is, it started as, it is basically an instantiation of Hyperledger Indy, and there is a public network. So it's interesting, by the way, because you may have heard that in the blockchain space there's two main categories, permissioned and permissionless, and there is also public and private, and people tend to confuse the two, thinking
D
This is the same, but this is an example where, you know, Sovrin is a public permissioned network, because only some entities have write access, but on the other end anybody can read into the network. And this is very important, because that means there's an onboarding process for issuers. So not everybody can, you know, store information on the ledger. On the other hand, any issuer.
D
That means anybody, literally, can go and verify, you know, get the keys, so they can verify a credential. And if you think about it, it's not very different from what's happening with the DNS. Not everybody can write to the DNS, right, record a new domain name. On the other end, anybody can do an nslookup.
B
B
D
Well, no, so you have a DID and it points to a method, and then, I mean, the resolver, right, you're going to say, oh, this is a Sovrin identifier, I'm going to go to the Sovrin network to try to resolve it, this method-specific identifier, you know. And there's a documentation, there's a spec associated with the sov keyword.
D
E
D
D
Yes, that's correct, and so that refers typically to a public network, a blockchain network, right. So then you have to figure out how you connect to that network. You go to some node and then you talk to the Sovrin network. It's hard for somebody to pretend they're a Sovrin network. You know, you're in full control of how you access the Sovrin network, and so you can trust that.
F
I had a couple of questions. I don't know if we're done with this one.
F
I'll take it, yes. So one of them is, like, the usual blockchain keys under bird path type of thing, of what happens if I lose my keys to my identity. There was a talk about having revocation, which is basically, and it was like, the hint was, oh well, an institution can revoke their authorization for me to have a diploma. But what happens if I lose my keys, and I want to keep my diploma?
D
Yes, so, I'll be honest with you, there is no perfect solution to this problem of lost keys, but it's a known problem and it's something that is being worked on. There are different solutions already being proposed to solve this. The most popular one seems to be that, you know, you're going to depend on, there's basically a mechanism to do key recovery, and there are different ways you can get it, but I'll give you a hint of, you know,
D
The things that I've been told about is, for instance, a method that they're talking about is, you actually take your key, you split it in several chunks and you share that with several people or systems that store that part, and each and every one of them can't do anything. They don't even know who they are, who else has the other pieces.
D
But if you need to, you can go back to them, say, give me all the pieces, and then you can put together back your key. But, you know, in a way, they're trying to mimic some of the things you can do today in real life, right. There are ways for you to recover. It always depends on relying on some other, you know, trusted source that will be able to, basically, you know, assert, and in a way that has enough authority,
D
Obviously, you know, that you're the person you claim to be.
F
So, like, a secret-sharing-based exceptional access scheme would be, like, a way to describe it. And another thought that I had on the earlier one, a question that I had regarding selective disclosure.
F
It seems to me that, to avoid this potential for abuse, there should be some sort of pre-agreement on the certifier about what is this certification going to be used about?
F
So in a sense, if I am a university or DMV, say, and I know that this is going to be used for checking people's ages and probably if they're allowed to drive, I would have to pretty much pre-print this certificate saying, oh well, this is going to be used for checking ages, and this is going to be used to check whether they're allowed to drive. And I know that you can use zk-SNARKs to check this without leaking the information.
F
But what comes to mind is the issue in the United States with, like, the Social Security number, in which, basically, it was created for one thing, it ended up being this universal identifier that was eventually leaked to third parties that have horrible operational security, and now everybody's suffering because of it.
D
Yeah, but so, I mean, this is going to depend entirely on how people end up disclosing that information, right, and whether they accept that or not. It's true that today, I mean, as a user, we often don't have really much choice, right. If they ask you for your Social Security, you're like, okay, I don't know why I have to give you that, and that problem remains. I don't think that solves this problem, right.
F
Yeah, so that is what I am trying to see, if there's a way forward to solve this, because it is a little strange to me that we have this ability to issue a bunch of different certificates to say, well, I am a university,
F
I am certifying you as a doctor and as a student, probably top five percent of the class, if you're applying to graduate school, and I'm giving you all of this information that you can use to essentially disclose selectively to different people, but at the same time there's the potential for reviews. So then you say, like, oh, I am going to create the certifications within certain constraints, but then I need to, me as a certifier, consider what can a selectively disclosing party do with this.
D
Yeah, I understand, and again, I mean, there's a social component to that, right. I mean, technically you control, but then, from a social point of view, you know, whether you can enact that control or not, I don't know. The future will tell. Because of course, if you apply for a loan, for instance, and they say, oh, we need this and this information,
D
theoretically, you can say, sorry, I'm not giving you that information. It's irrelevant. I don't know why I should. What the hope is, if at least the technology allows you to select and, you know, selectively disclose the information, there should be some competition, and the others are going to say, no, we don't need that information, we'll give you a loan without asking you that. You know, whether you believe in free market, I don't know, that's a different story, where the competition always works to the advantage of.
A
Yeah, really interesting discussion, good questions there. In four minutes, I guess Gavin could walk us through that diagram and maybe talk through next steps there in the threat models doc. I really like the way that this diagram frames the overall scope of the problem and everything that we're discussing. So let me pull that up and then you can talk, Gavin.
E
Yeah, well, it's coming up. I guess my thought process was just, you know, we've kind of been all over the place on scope, and really it seemed like the core question was the areas where identity of entities that want to do something matter. So I kind of just took a stab at writing down all the places in a software supply chain where that could matter. You know, so there's basically a box for each place where identity might make a difference. I sort of took a stab at.
E
I think there's a difference between trusted and privileged, right. There's things that you may trust to do something because you, you know, know something, versus something that's totally unknown, but it's not really privileged, right. Like a code reviewer,
E
I trust to review code, and I take their feedback with some weight, but they're not privileged to, you know, merge that code or do anything else with it. And then I also kind of tried to talk about the, you know, elements that could be used to establish identity of those stages and the things that could happen if there's a failure in identifying that entity. So that was kind of the thought process. I'm sure there's probably others, so feel free to mark it up.
A
Awesome, yeah. So we're trying to use, I guess, some of these top-level bullets to gauge interest and see which areas people are most interested in focusing in. I think your diagram is probably a better organization than we had here. If I try to turn these into bullets and then have people kind of stick their names next to the ones that they're interested in, to kind of upvote, does that make sense?
E
Yeah, I think my concern with the list was that, it's not that they're not all real problems, they're just not necessarily tied to, right, the things that could happen if identity is compromised, right. There's other ways those things could happen as well. So, cool, establishment of identity seemed to be the focus of this group, so I try to pull it back there.
A
I can do that and send it out, and we can make progress on that asynchronously.
B
A
Yeah, I opened another issue too. I just wanted to call attention to, I'm not going to try to share the screen, but it's in the repo, where I wanted to try to kind of walk backwards through this flowchart guy.
A
An actual project that I'm pretty familiar with. So I took Kubernetes, and I've started with the artifacts that get released with the Kubernetes release, and I'm trying to kind of follow these arrows backwards and see if I can get all the way back to the code and PRs that were used, to then figure out all the different identity things that you have to trust when you're taking one of these, you know, really, release binaries. And it's challenging.
A
I thought that might be a fun thought exercise, to publish just all the different people and systems you have to trust when you take a complicated project like this, try to use it. So if that sounds interesting, take a look there. I can definitely use some help trying to figure everything out.
C
Just one last thing: the meeting on the 28th, I'm going to move it to 3 p.m. Pacific time. We have a presenter, another Googler, presenting on git signing. He's based in Sydney, so trying to be accommodating because he would rather not present to us at 2 am. So I will try to figure out how to send out the one-off meeting invite for that, and please come if you're interested in learning a bit more about git signing.
C
Yeah, we're aiming for 3 p.m. Pacific time on October 28th.