Different organizations have different purposes.
Some are focused on producing goods.
Some are focused on moving goods from one place to another.
Some are focused on providing intellectual products and services.
Regardless of the type of business they are in, they all have a range of business processes and compliance requirements to adhere to, including the need to document and secure the information in their systems.
As the global pandemic disrupts many of our routines in the physical world, more and more business processes that were once done on paper and in person are migrating to digital systems. This trend won’t go backward or even slow down in the near future.
The question is – are we really ready for accelerated digitization? On one hand, we have seen a burgeoning of innovations and tools to support an increasingly digital business environment, but on the other, there has been no shortage of information security incidents caused by a lack of understanding and consideration of the issues and risks brought about by digitization. One important issue is how we know “who is who” and “what is what” now that we can hardly deal with the physical being of the who and the what. Take the simple question of how one is supposed to know that the person on the other end of the phone who claims to be from their bank actually is. Without a proper level of assurance about the who and the what in our new digital systems and processes, information always flows in a high-risk environment.
This article is going to introduce some of the long-term behind-the-scenes work that is aimed to address the “who is who” and “what is what” – the identity issue in the digital age. It is a set of frameworks and guidelines that we call open standards/internet protocols. Thanks to the advancement of cryptography in the last 25 years, these protocols are now mature enough to support a more secure Internet at the scale of its use today and tomorrow.
Many may be familiar with Internet protocols such as HTTP for web servers and SMTP for email, which are built and evolved in the open and are free for anyone to implement. In the digital age, we need protocols of the same nature for our digital identities and for the identities of the things being transacted online, so that everyone can build their processes in a way that allows information about people and things to flow smoothly, interoperably and securely across systems, many of which are not developed or managed by themselves.
A good starting point for both business and technical decision makers new to this topic of internet identity is the two foundational standards, Decentralized Identifiers (DIDs) and Verifiable Credentials Data Model, both by the World Wide Web Consortium (W3C), the main international standards organization for the World Wide Web.
Last month, the W3C approved Decentralized Identifiers as a new standard. It outlines the basics for creating identifiers that are resolvable and have associated with them a simple JSON-LD document (the DID document) that contains public keys, the cryptographic keys used for authentication, and an endpoint to communicate with. This for the first time creates a standard way to have resolvable PKI – because the DID document carries the keys that can be used to communicate securely with the endpoint.
The DID standard can be leveraged broadly to provide identifiers to people, organizations and things that are not necessarily centrally managed, as opposed to our paper-based systems or existing digital systems. Centralized management of identifiers can only provide efficiency to a certain extent – when we have a manageable number of systems and when only a small fraction of our activities are digital. However, the trend to digitize everything poses real challenges to this old way: the explosion of digital systems that serve drastically different needs makes centralization at Internet scale impossible, and the use of a few identifiers we don’t even own across a growing amount of online activity creates serious privacy and security issues. DID was invented to tackle these challenges by giving digital systems a standardized way to create, manage and communicate identifiers, and by allowing the subjects of identifiers to own and manage their identifiers in a private and secure manner.
DIDs provide a way to establish our digital presence across systems by giving us unique, standardized identifiers – but we also need mechanisms to express who we are and what something is once it has a digital presence. This is where the Verifiable Credentials standard comes into play. It has a very broad expressive capacity and was designed to let any entity make claims about any other entity or thing. With Verifiable Credentials, one can hold a collection of signed claims about oneself in a data format commonly recognized across the Internet and digital systems.
Now, let’s look back at the simple bank representative question. With the DID standard, a bank can create DID(s) for itself and its branches without relying on any existing central certificate authority, and make public the public key(s) associated with the DID(s). Using the corresponding private key(s), the bank and its branches can sign and issue Verifiable Credentials to their staff that include information about them, e.g. their name, title and branch. So when a bank representative contacts a customer, the customer can use the bank’s public key(s) to verify that the credential was really issued by the bank, and gain trustworthy information about the person from it. A similar mechanism can be applied to goods, whose information flows across organizations and systems.
Both DIDs and Verifiable Credentials are at an early stage of real-world implementation, but their design and some initial successes, as demonstrated through the US Department of Homeland Security’s Silicon Valley Innovation Program, have presented a promising path to a much more scalable and secure digital world. As many businesses have tasted the bitterness of rapid digitization without secure digital identities, you may want to start exploring these emerging standards now and avoid building proprietary identity systems that will prevent you from participating in mainstream Internet interactions down the road.