Agenda

...

dlt.nyc, vip@dlt.nyc
Kelly Cooper, Independent, kellycooper.2ds@gmail.com
Ajay Jadhav, AyanWorks, ajay@ayanworks.com
Gowri

Marvin Berstecher, esatus AG, m.berstecher@esatus.com
Nitingio
Santanu Mukherjee

Sumit Kumar, Cap gemini
Todd Gehrke, Luxoft
Kaliya Young

Recordings:

audio

Video

Meeting Minutes:

Introductions

...

Identity paper: Moving to GitHub. Identify specific changes other than 'this doesn't look good'. Need details. Repo is created. Maintainers needed. If you are not a maintainer, please comment or create a pull request if you have a GitHub user ID.

  • Otherwise, please send comments to maintainers. There are unresolved issues on the paper.
  • We need to make a conscious effort to address areas

...

  • -> particularly, PII on the blockchain (deprecated)
  • and tension between people with current or new solutions which may not be in production yet.
  • One aspect to debate is ideas such as

...

  • Aadhaar. The tension needs to be addressed in the paper, i.e., privacy is a basic right.

...

  • Aadhaar has over a billion users. We have many systems that handle identity. How do we progressively go toward a better system, in the blockchain world and elsewhere? 

Given below is the edited and structured version of the call

Kaliya:

Problems with Aadhaar & solutions:

  1. state as provider of certain root credentials (Birth certificates, Passports etc.)
  2. Issuer (Govt of India) also becomes IDP; IDPs see every time a credential is used ("Phone Home")
  3. People should be able to present credentials without IDP knowing, without authoritative sources knowing
  4. In western democracies there has been pushback against govt providing digital IDP services, but has relegated to Google & Facebook etc. with OpenIDConnect
  5. SSI is a solution since through VC working group we establish open standards for credentials

Vipin:

  • Western countries (at least the US) have the same problem due to centralization of IDPs in commercial interests (Facebook, Google, LinkedIn) etc.

Nitin:

  • Complexity of problem that needs to be solved in India because of mix of people
  • Santanu brings in the problem of illiterate people to buttress this argument- Vipin says it is the edge interaction that can make this bad, since the middlemen disrespect and mistreat the poor users.
  • Aadhaar is extremely useful due to its use in widescale PDS (public delivery system) for food, cuts out middlemen, fraud- Upheld by the supreme court of India
  • Kaliya, Vipin and others concur.

Kaliya

  • Aadhaar as a model was written many years ago, but we need to move towards a model which is more decentralized; this is where verifiable credentials come in
  • Verifiable credentials WG in W3C is defining the standards around creation of credentials; any authority can create credentials with cryptographic proofs that can reside in the user's digital wallet and can be shown to relying parties without involving the issuers
  • A frame may be to talk about the centralized systems and to not frame it as 'there's an issue with centralized identity models, state-issued or commercial'. This is what's happening in the world today, either one isn't great. They're not good for people that there's a limited choice in who I trust to manage my identity.


Vipin

  • The VC standard is a meta standard; fixing language, format etc. allowing for programs to make sense of data in credential issued by anyone
  • How do we go from here to there (i.e. from centralized systems that leak data ("phone home") to decentralization), what is the path for adoption?
  • Are there systems at scale for SSI?

Nitin:

  • Aadhaar does not track use case, it is a log; it used to track location of edge device, now that is not being tracked as well. Some changes for the better.

Ajay

  • AyanWorks created a use case where an offline Aadhaar XML file can be downloaded in the mobile app using a standard OTP Authentication process, and based on the attributes in the XML file, the App creates a self-attested Verifiable Credential (VC) which could be presented as a cryptographic proof of Aadhaar derived Identity. The relying party (verifier) can very well verify whether this Aadhaar derived VC is really issued by UIDAI or not.

Given Below is the unedited free form text of the call created by Kelly in realtime:

Kaliya: Need to separate out some concerns. One is it's widely accepted practice for local authorities to issue birth certificates, and that ends up being the basis for other documents states issue to citizens, such as identity cards and passports. India created such an identity system. Aadhaar and Singapore systems see everywhere a person uses that identity. 'Phone home' architectures cause issues; yes there's a role for governments to authenticate things such as births. Does that mean the 'state' should be an identity provider? No, in government or with companies (Google). People should be able to act without authoritative sources knowing.

...

Nitin: India is complex, difficult to compare a western country to India. Aadhaar addresses a major use case the Supreme Court upheld is government benefits. There is a widescale PDS (public description system) for food; one of the biggest sufferings is people living below the poverty line. Once they move from villages to cities, they do not have those benefits.

Vipin: No one is questioning the usefulness of Aadhaar.

Kaliya: Spent seven weeks in India to understand Aadhaar. A good system for India's current stage of development, ten years ago when developed, good decisions. If the centralization model continues into the future, it doesn't necessarily align with what I understand to be the values of the world's largest democracy. Not about critiquing the past.

Nitin: Agree, needs to go toward decentralization. But Identity needs to be derived from Aadhaar. Then, can use a new focus to utilize. For a new model, it needs to come out of government control. Supreme Court is looking at usage and public benefit. The evolution of decentralization has been restricted and this is the model that has to change.

Vipin: Not roses in the U.S. either; companies like Google and FB have tremendous centralization of issuance architecture. OpenID Connect....

Kaliya: A frame may be to talk about the centralized systems and to not frame it as 'there's an issue with centralized identity models, state-issued or commercial'. This is what's happening in the world today, either one isn't great. They're not good for people that there's a limited choice in who I trust to manage my identity.

Vipin: How do we get to where we want to get to?

Ajay: Whether Aadhaar tracks identities.. if a citizen presents it is tracked.

Nitin: Doesn't track.. use case is not tracked. But still, there is a centralized audit.

Kaliya: Each terminal that authentication happens has an identifier.

Nitin: Each location is tracked but not at the ID level. Earlier there were coordinates, no longer. Restricted tracking. A possibility you can correlate. 

Ajay: Uses - offline Aadhaar XML available for every citizen (on website). Can get 'my' data for my wallet. Self-attested. Aadhaar based authentication. Credential in my mobile is created offline with this XML tool. Once the credential is in my wallet, I can prove to a relying party, this is my identity.

Nitin: to Kaliya - struggle, if we create anonymous identity, perhaps via Aadhaar. At a point of service, I can't present myself as me.

Kaliya: No one talked about anonymous anything. Confusion. One of the SSIs proposed the capacity, if one chooses, to have derived subattributes (over 18, resident of district x) ZPK work in sovereign Hyperledger Indy ecosystem. If we want to have a conversation about the past, how can we get from where we are not to a cool future, States that currently, issue credentials shift to issuing verifiable credentials into people's wallets. Then people use that credential for whatever they want, in a decentralized world.

...

Nitin: India has a digital locker, DigiLocker

Kaliya: It's not decentralized. This is where language gets into the way. Around decentralized identity, the terms mean any institution can issue any credential to any people it wants. Once issued into the digital wallets that they control. There's an ecosystem possible you don't get from a centralized provider, whether commercial or governmental.

Nitin: This credential would be derived from the base credential of Aadhaar.

Kaliya: Verifiable means it's cryptographically signed, it does not mean it comes from one particular resource. ie University can issue verifiable credentials into their wallet. The local salad shop can issue a verifiable credential every time someone buys a salad. The broad data format that can apply to a vast range of use cases. Think about how to get out of particular use cases. University may want an official government card when you enroll but the salad shop won't care.

Nitin: Standardized format...

Kaliya: Yes, W3.org. Used across the ecosystem.

Vipin: Buying chai in a shop, nonstandard, but 'I' follow w3 credential group proposal. A program that reads that will be able to make sense of that, to a certain extent. Conundrum, all of these systems, how do we propose a way to transition to this new way of doing things. Sounds great, but no one does this today at scale?

Kaliya: Emergence - this year will be big for production deployments. There have been large scale pilots. British government 1.2m credentials. Kaliya received white papers she can post.

...

Vipin: Some of the issues are friction in edge devices. For Aadhaar - terminal used to verify biometrics. Also people in charge. Dismissive of poor people. Where is SSI being practiced at scale? BC government is one. Are there other use cases? GDPR is bellwether. How is SSI doing in Europe?

...

From Kaliya Identity Woman to Everyone: 09:48 AM
https://blockchain.enterprisesecuritymag.com/cxoinsight/blockchain-a-us-customs-and-border-protection-perspective-nid-1055-cid-56.html
https://www.cbp.gov/sites/default/files/assets/documents/2019-Oct/Final-NAFTA-CAFTA-Report.pdf
https://www.erienewsnow.com/story/40994526/digital-bazaar-collaborates-with-gs1-us-securekey-and-tradelens-on-global-standards-for-organizational-identity
https://markets.businessinsider.com/news/stocks/digital-bazaar-welcomes-tradelens-as-key-organizational-identity-blockchain-technology-participant-improved-business-efficiency-and-identity-security-1028512559
https://www.prnewswire.com/news-releases/digital-bazaar-and-securekey-join-forces-to-develop-global-standards-for-organizational-identity-300919434.html
https://www.prnewswire.com/news-releases/digital-bazaar-and-gs1-us-collaborate-on-a-new-proof-of-concept-exploring-the-intersection-of-organizational-identity-and-blockchain-technology-300923178.html

...

From Kaliya Identity Woman to Everyone: 09:56 AM
https://hackmd.io/HkJOQk_aQOKe-UHAJcz1zg


Kaliya: Significant behind the scenes implementations; only now information is coming out (above links). If I'm reading the call right, we agree SSI and emerging standards "decentralized". The contrast between emerging work (Hyperledger Aries, Ursa, Indy) and w3 (digital bazaar). Difference between centralized, ie, (what is) and to look to the future.

Vipin: What is better is probably something like SSI.

Kaliya: Does the paper need to recommend or identify.

...

Nitin: There is a centralized entity under India's centralized bank. They have given license to aid consent electors to provide financial information. For all financial institutions, if they want to take data for any user, they need to use this mechanism and get signed consent. There's a sequence, a number of times you can access data, etc. Nitin can do a presentation on this. Telecom service providers implement blockchain to store consent, but more domain-specific for telecom. In production. Use blockchain to store consent from their subscribers. Not part of Aadhaar.