Internet Identity Workshop 36 in Review

Guest blog by Mathieu Glaude

I had the good fortune of attending the Internet Identity Workshop 36 in Mountain View, California this week. This event has become a must-attend for me, as it always leaves me feeling both inspired and intellectually stimulated.

The conference brings together a diverse group of individuals working on various aspects of standards, technologies, business, legal, governance, and other facets required to improve how our digital identities are managed today. I feel fortunate to have been able to not only attend on behalf of Northern Block alongside my UX specialist colleague Ariane Bordeleau, but also to have had sponsor the conference alongside many great peers in the field (as you can see in the banner image above).

With over 150 different sessions held across three days, it’s impossible to attend them all, and sometimes tough decisions must be made when multiple interesting sessions coincide. While I can’t provide a comprehensive overview of everything that happened at the workshop, I wanted to share a summary from my perspective, focusing on the subjects that interest me the most:

So, here it is:

1. OpenID4VC has legs – OpenID for Verifiable Credentials (OpenID4VC) has gained traction due to its pre-existing dependency on OAuth 2.0, which provides a sense of safety and security for this credential exchange protocol, primarily focused on personal identity. The majority of the corporate world has existing investments in systems that leverage OAuth 2.0 and OpenID Connect, making it easier for them to use these protocols to adopt verifiable credentials for interacting with their customers and employees. OpenID4VC is a protocol to watch out for as it is agnostic to credential types, supporting various W3C credentials such as mobile driver’s licenses and more. It’s also been included in the EU’s wallet architecture reference framework as a must for credential issuers to use. If you’re interested in learning more about OpenID4VC, I recently recorded a podcast with one of the specification’s authors, which I believe you’ll find insightful. You can listen to it here: https://northernblock.io/open-id-4-vc-openid-for-verifiable-credentials/. On the Northern Block side, we have recently incorporated OpenID4VCI support into our AFJ mobile wallet, and we’re exploring how we can contribute towards the presentation side of the protocol.

2. Digital Trust in the Age of AI – During the second and third days of the event, there were multiple sessions discussing the intersection of AI and digital identity. One session that caught my attention was “Digital Trust in the Age of AI,” led by Wenjing Chu, co-chair of the Trust over IP’s AI and Metaverse Task Force and  Trust Spanning Protocol Task Force. The discussion highlighted the dilemma of content authentication, as voice, video, and biometric authentication are dead. A recent viral AI-generated song showcases how easy it is to now impersonate voices [https://www.thedailybeast.com/ai-generated-drake-and-weeknd-song-yanked-from-streaming-after-umg-statement].  If content authentication is dead, the challenge is now to determine whether the content comes from a trusted source. With the rise of AI-generated deep fakes and the potential for abuse of public identifiers such as email addresses and phone numbers, the need for private and specific identifiers for our different relationships is reinforced. The session also raised questions for me personally about whether AI might incentivize the privatization of data and hinder the open-source movement or protocol-client separation (example of Reddit here: [https://arstechnica.com/information-technology/2023/04/reddit-will-start-charging-ai-models-learning-from-its-extremely-human-archives/]). Large proprietary data owners could have new ways to monetize their datasets through AI systems, potentially leading to more closed platforms – the opposite of what we’re striving to achieve. It’s crucial to engage in conversations about AI’s rapid disruption and its impact on digital trust, as this will help us stay ahead of the curve. I plan to record a podcast with Wenjing on this topic soon, and I believe it will be an insightful discussion.

3. The SPAC Tradespace – During the three days of the event, Sam Smith led a series of sessions on Security, Privacy, Authenticity, and Confidentiality, highlighting the challenges in achieving all these simultaneously. These discussions are closely related to the ongoing work at the Trust Over IP Foundation’s Trust Spanning Protocol Task Force. The aim is to build a layer that enables trust tasks, such as credential exchanges, interactions with trust registries, and secure messaging, to occur between any two clients across the internet. To establish trusted connections, a trust layer is needed. In the world of Hyperledger, our version of this is the DIDComm protocol. However, DIDComm doesn’t encompass every element required as defined by the ToIP specs. These ongoing discussions are fascinating and essential, and Sam Smith’s sessions at the event contributed to advancing the dialogue on these critical issues.

4. Trust Registries are hot – There were numerous conversations surrounding trust registries. Building upon discussions from last fall’s IIW 35, the role of governance in establishing digital trust was a central theme. The trust registry space is witnessing significant activity and innovation. During the conference, I attended sessions that covered the trust establishment specification recently defined by DIF. There was also mention of the trust registry work happening at the Trust over IP Foundation’s Trust Registry Task Force. Interesting conversations took place about how the Domain Name System (DNS) could facilitate the discovery of trust registries or even host them on DNS servers. Additionally, examples of hierarchical trust registries being implemented by organizations like the UN were discussed. A consensus on the best approach has yet to be reached – I also think there will be many valid implementations. Questions remain about using verifiable credentials to determine authority and the legitimacy of the credential issuer within a governance framework. At Northern Block, we are remaining abreast of all innovations happening in this space and have recently concluded a proof of concept alongside CIRA [https://www.loom.com/share/57db10ddc9f448bf8ff2fb7b10138283]. Here are a couple other resources that you may find interesting: video demo of a UN Universal Postal Union use case we worked on: [https://youtu.be/8Lnx-PTzrK0], and a recent blog post: [https://northernblock.io/leveraging-dns-in-digital-trust-credential-exchanges-and-trust-registries/] describing the work above I mentioned with CIRA.

5. Many KERI sessions – There were several discussions about KERI (Key Event Receipt Infrastructure) during the event, and one session I particularly enjoyed was “KERI for Dummies,” led by Timothy Ruff. The main objective of this session was to emphasize that KERI’s primary purpose is to ensure authenticity, rather than focusing on privacy or confidentiality. Authenticity in KERI centers on two main aspects: provenance and integrity. KERI allows for the authenticity of keys during rotations, maintaining the provenance and integrity of the keys. This enables continued authenticity between two endpoints interacting with each other, as they agree on a protocol to exchange keys instead of relying on a central place like a verifiable data registry.
    
6. DNS for digital trust & Creating a credential exchange protocol comparison matrix – During the event, I proposed two sessions. The first one, on the opening day, focused on using DNS for authenticating decentralized identifiers and discovering trust registries. You can find the link to the demo video showcasing our work and its integration into the Orbit enterprise during a credential assurance flow here (same link as above): [https://www.loom.com/share/57db10ddc9f448bf8ff2fb7b10138283]. On the third day, I held a second session inspired by the credential profile comparison matrix created by some individuals over the past year, which is linked here: [https://docs.google.com/spreadsheets/d/1Z4cYfjbbE-rABcfC-xab8miocKLomivYMUFibOh9BVo/edit#gid=1590639334]. The goal was to explore the possibility of achieving similar outcomes with credential exchange protocols. This was a lively session and included a large group of people comparing credential exchange protocols such as Aries AIP 2.0, OpenID4VC, VC API, and ISO 18013-5. The session successfully kicked off the creation of a v1 table with criteria across both issuance and verification protocols. There was a consensus to continue working on this, as we believe it is an important exercise that will be valuable for implementers and decision-makers of digital identity systems. More on this to come!