Let’s talk about digital identity with Michael Palage, co-founder of InfoNetworks.
In episode 77 Michael and Oscar discuss what DNS can bring to identity – what identity problems DNS can help to solve and how DNS fits with TRAIN. Michael also covers how LEIs are part of this solution.
“I see the DNS being in an optimal infrastructure to facilitate identity discovery and look up, and one that can seamlessly integrate with the various identity technology stacks that are in the market today.”
Michael Palage is an intellectual property attorney and an information technology consultant. He has been actively involved in Internet Governance and ICT issues over the last twenty years. During this time, he has been intimately involved in ICANN operational and policy matters since its formation, in both an individual and a leadership role, including a three-year term on the ICANN Board of Directors. Currently, Michael is President and CEO of Pharos Global, Inc., which provides consulting and management services to domain name registration authorities and other technology-related companies in connection with Internet governance issues. He is also the co-founder of InfoNetworks LLC, an information technology company focused on solutions for building online trusted ecosystems incorporating the federation of verified data. He has testified before the United States Congress multiple times and as an expert witness in both Federal and State Court in numerous legal proceedings.
InfoNetworks/Microsoft/DigiCert – Domain Name Credential Use Case
The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining this episode. The DNS is something you might have heard of or seen, and it is an important component of the internet. And today, we are going to hear what DNS can bring us regarding identity.
And for that we have a special guest, who is Michael Palage. He is an intellectual property attorney and an information technology consultant. He has been actively involved in ICANN, which is the Internet Corporation for Assigned Names and Numbers, on operational and policy matters since its formation, and that includes a three-year term on the ICANN Board of Directors.
Palage is President and CEO of Pharos Global, a company that provides consulting and management services to domain name registration authorities and other technology-related companies. Also, he is co-founder of InfoNetworks, which is an information technology company focused on solutions for building online trusted ecosystems incorporating the federation of verified data. Hello, Michael.
Michael Palage: Thank you, Oscar. Long-time listener of your podcast, and I really welcome the opportunity to speak with you today.
Oscar: Oh, thank you. It’s great having you. And Michael, let’s talk about digital identity. And as usual, I want to hear a bit about our guest, so please tell us a bit about yourself and your journey to this world of identity.
Michael: Sure. My journey to identity actually started from the world of identifiers, or as you alluded to, more specifically, the world of internet domain name identifiers. In that journey, I still remember rather specifically that it started in October of 1994. I had already finished up my engineering degree and I was pursuing my law degree at night at Temple University in Philadelphia while I worked during the day at an intellectual property firm as a law clerk.
And in 1994, I read this article by Joshua Quittner in WIRED magazine entitled Billions Registered. And in this article, Joshua detailed how individuals were registering domain names of famous brands and how he had registered McDonalds.com. And interestingly enough, I wrote to him. Joshua’s middle name was Ronald, so of course he used the email [email protected].
And in this article, which I would encourage people to go back and read, he talks about how corporations were just clueless about domain names and online identity. He ended up putting me in contact with the outside legal counsel for Network Solutions, a man by the name of Phil Scarborough, and he basically explained to me the rules of the road, or perhaps more appropriately, the lack of any rules of the road.
Just a funny story about McDonalds.com. McDonald’s actually ended up settling that dispute after donating some computer equipment to some inner-city New York schools. And the attorney who handled that matter on behalf of McDonald’s, a man by the name of David Maher, actually ended up becoming a lifelong friend and colleague from the ICANN space.
So, moving on to ICANN, as you alluded to, ICANN is the global coordinator for the unique identifiers. So, this would be domain names and IP addresses. It was created in 1998. And over the last two decades, I have really worked with a large number of multinational companies, non-profits, governments and intergovernmental organisations, helping from both a technical as well as a legal, policy and governance standpoint.
Now, my pivot to what your listeners would consider a more traditional digital identity background began about seven years ago. I was doing some work with the Universal Postal Union, the UPU, and this is the UN agency in charge of the postal treaties. They were also the operator of the .POST top-level domain. The UPU at this time was also doing some identity standards work; it was the S68 within the UPU.
And in 2017, UNOPS, which is also within the UN structure, issued an RFI for blockchain and digital identity. And my partner, Frank Cona, and I made a submission on behalf of InfoNetworks in response to that call. The other thing that was happening that was kind of relevant at this time was some of the work that I was doing with CUNA, and they were the registry operator for the credit union top-level domain.
And it was through my involvement with that TLD and CULedger that I got to meet Drummond Reed and Scott Perry, who, if you will, kind of introduced me to the world of self-sovereign identity and their viewpoint on identity. So that is kind of my, if you will, identifier-to-identity journey to where I find myself today.
Oscar: Yeah, so very interesting. Michael, you have worked with DNS for a great part of your career with ICANN, since the founding of that organisation. And DNS is a super important component; we use it every single day we do something with the internet, whatever we do. Please refresh us on what DNS is, and whether this system, this protocol, was initially designed to solve some identity problems.
Michael: Sure. So, many of your listeners may be familiar with the work of Vint Cerf and Bob Kahn as the co-inventors of the TCP/IP protocol suite. And this enables computers on the internet to seamlessly communicate with one another. Most internet users, however, like my family and friends, could not tell you anything about the TCP/IP suite, or the difference between the IPv4 and IPv6 address spaces. What they do understand are domain names and how they need to type them into their browser, either on a computer or a mobile device, and get to where they want to go on the internet, whether that’s Facebook.com, TikTok.com, or Google.com.
So, the original internet had no domain name system. And when a user wanted to access another computer on the internet, they had to rely on a text file called the hosts file, which basically contained the list of every computer connected to the internet and its associated IP address. This was sort of like an old telephone book that some of your listeners may recall using back in the day. Obviously, this system did not scale well as the internet began to grow in size.
And in the mid ’80s, Paul Mockapetris and Jon Postel conceived of the DNS, which is a hierarchical naming system that maps a user-friendly name to an IP address. So, to give you an example, the IP address currently associated with the Ubisecure.com website is the IP address 126.96.36.199. As you can understand, that probably would not look good on a business card. And if you think an IPv4 address is non-user-friendly, the alternative is the 128-bit hexadecimal IPv6 address space, which is even more painful.
So, what the DNS allows the user to do is to enter a user-friendly domain name and let the DNS system do its magic in the background and instantaneously get the user to where they need to be. One of the things that is truly unique, and I think special, about the DNS is that it handles trillions, that’s with a T, trillions of queries per day. In fact, Comcast, a large ISP, recently announced that their networks alone handle 1.4 trillion queries per day.
And one of the reasons that the DNS can handle this high volume is its highly distributed network. And the apex of the DNS is the root zone, which is jointly maintained by ICANN and Verisign. And this authoritative list of IP addresses and authoritative name servers for each TLD is disseminated across 13 root servers, A through M, although there is the use of mirror root servers, which actually provides a much larger geographical footprint of several hundred.
So that is kind of, again, a very high-level overview of the DNS and how it basically works to connect people. So, I guess getting back to your original question, as originally conceived, the DNS had nothing to do with identity. It was merely a mapping tool to link human friendly domain names to an IP address.
Oscar: Yeah, exactly. So yeah, good analogy. You also likened it to phone books, for instance, having long lists of numbers, and translating that into today, where you dynamically know who is, say, mom, and you have the number and you’re dialling directly. And yeah, so many domains. And it’s actually a lot of work; it’s interesting just how many domain names every person can remember, right? And you go to the browser, and you put Ubisecure.com, or you put NewYorkTimes.com, et cetera. So, you remember those, and that would be impossible with the numbers, the IP addresses. Yeah.
Michael: Correct. And what’s interesting is how the domain name system has scaled. So originally, there was only a small handful of generic top-level domains. The first top-level domain was actually .arpa. Then there were gov, mil and com, net and org. Then there are the TLDs that most people are probably familiar with, the couple of hundred ccTLDs, country code top-level domains: .fr, .uk, .de.
But then about a decade ago, ICANN substantially expanded the name space. They did a proof of concept in 2000 and 2004, and then in 2012. And currently, there are about a thousand generic top-level domains for users to choose from. And what has really proved incredibly resilient is that the size of the zone, of the root zone, has expanded and there has been basically no interruption or quality deterioration in what people do. So again, it’s really a tribute to the work of Paul Mockapetris and Jon Postel in designing that original system.
Oscar: Absolutely. Yes, and as you said, DNS was not designed for solving identity problems, but today apparently we can do something about it. So today, what are the identity problems in which DNS can help?
Michael: So, the beauty of the DNS is, first and foremost, its global ubiquity. It is everywhere. Not only is it everywhere, but it has the ability to continue to scale. As I said, right now the system is literally handling trillions of queries per day.
Now, another interesting feature of the DNS is its ability to store additional information through the use of resource records. So, some of the common resource records that your listeners may be familiar with are the A or Address record, which is used to store the IP address associated with a domain name, or the MX record for the mail exchange associated with a domain name.
However, there are other types of records that your listeners may not be familiar with. For example, the TLSA record can store information about an X.509 certificate. The NAPTR record can be used to store internet telephony information. But perhaps the most dynamic, or the Swiss Army knife of DNS records, might be the TXT record. The TXT record allows text information to be stored for purposes outside of your domain name itself. For example, Google uses the DNS TXT record to verify domain name ownership and for enhanced email security.
Early on in our discussion, I mentioned the UNOPS white paper that I co-authored with my partner, Frank Cona. That original white paper focused on the potential of using digital identity frameworks that would leverage blockchain and distributed ledger technology. However, the more we dug into blockchain and DLT, as well as the work of the W3C, the more we kept coming back to the question of why not just use the DNS, or more specifically, DNSSEC?
So, in my original discussion about the DNS, one of the things that I had left out was that the original DNS was not very secure. More specifically, because of the distributed nature of the global DNS infrastructure, it was possible for bad actors to perpetrate man-in-the-middle attacks and hijack DNS traffic. However, through the use of DNSSEC, it is now possible for a domain name owner to cryptographically sign the DNS data associated with their domain name, thus enhancing overall security. A few years ago, I worked with the Ethereum Name Service and the .luxe top-level domain to enable registrants that have a .luxe domain to actually map that to an Ethereum wallet address.
So that was kind of when the light bulb went off for me personally about just the overall resourcefulness and utility of the DNS. Now, I’m sure you’re aware, in connection with your professional experience, that there are a lot of people in the identity space who are rather passionate about their particular technology stacks for implementing their digital identity solutions.
One of the things that, in my opinion, has made the internet so great has been the ability to keep the internet’s core neutral and to allow innovation to occur at the edge. I see the DNS as being an optimal infrastructure to facilitate identity discovery and lookup, and one that can seamlessly integrate with the various identity technology stacks that are in the market today.
Oscar: Yeah, I can see. And what are the solutions that have been done today, or are in progress and being cooked, let’s say?
Michael: Yeah, sure. So, there are actually a number of initiatives out there that are looking to incorporate the DNS as part of an overall digital identity infrastructure. I think one of the earliest examples, and one that you’re probably familiar with, is LIGHTest. LIGHTest was a multiyear pilot funded by the European Union. It sought to leverage the internet’s DNS to create a global cross-domain infrastructure.
Ubisecure, in fact, was one of the pilot’s original participants. And in preparing for this interview, I actually recalled that one of your earliest podcasts, I think it was number 11, actually talked about the LIGHTest pilot. So, after LIGHTest concluded, Fraunhofer, which was one of the other participants, along with a group of other individuals, has continued that work, and that has now evolved into TRAIN.
Another example of the use of the DNS is some of the work that InfoNetworks has been doing in the domain name space. We’ve actually worked on a solution with Microsoft and DigiCert to solve ICANN’s problem regarding differentiated access to domain name registration data. After the GDPR went into effect, the majority of the WHOIS data that third parties relied upon went dark.
Now, what was interesting about this initiative is that not only did we build and implement a full technology reference implementation, we actually submitted a very detailed data privacy impact assessment to a European data commissioner to vet the legal and governance approach of the model.
Over the years InfoNetworks has been active in DRIP. DRIP is an IETF working group that is looking to leverage the DNS to implement a session ID solution for unmanned aircraft, or drones. In fact, the InfoNetworks team, myself, Frank and Tim, actually participated in the recent IETF 114 Hackathon.
Another IETF initiative that your listeners may be interested in learning about or looking into is the work in the IETF DANCE Working Group. Jacques Latour from CIRA, the Canadian ccTLD operator, has been doing some work on trust registries. In fact, he actually presented at the recent ICANN 75 Regional Meeting in Kuala Lumpur last month. Jacques, in fact, just convinced me to join the Trust Over IP Foundation to work with him on their trust registry working group. Jacques is very active with Joni Brennan and the rest of the folks in DIACC up in Canada.
And I guess the final example is some of the work that I have been doing with GAIN. I was one of the original 150 co-authors of the GAIN white paper. Following the white paper, GAIN has continued its work through a proof of concept. And David Chadwick from True Trust in the UK and Isaac Henderson from Fraunhofer have been active; they’ve actually presented a solution on how TRAIN may be able to help with federation in an overall GAIN solution.
Unfortunately, with my crazy travel schedule over the past couple of months, I have not been able to join those GAIN weekly calls. So, this is a good reminder for me to reach out to Daniel, Torsten, Mark and Elizabeth to catch up on things. So, as you can see, there are lots of interesting projects in the identity space that are using or leveraging the DNS as part of that overall solution.
Oscar: Yeah, I can see there are several, including, as you mentioned, TRAIN, which is a continuation of LIGHTest. So, for instance, in TRAIN, who runs this infrastructure? Is it, I don’t know, decentralised, or does it depend on one main actor?
Michael: So that depends, right? So, when you look at some of the stuff that I think Trust Over IP and TRAIN, as well as GAIN, are doing, I see them often trying to replicate ICANN as a single source of truth, or a single source of trust, for the identity space, much like ICANN is for the root zone. I think, however, that that is an incredibly ambitious goal. And I believe the better approach is more of a distributed approach, much like the DNS.
One of the things I often comment on, and the analogy I use for some of the work that we have done here within InfoNetworks, is that we look at our system much like a credit card payment network that moves tokenised and pseudonymised data. So instead of sitting there saying there needs to be one ring to rule them all in the identity space, I actually think the standards that are being developed and the DNS can actually be used to create a competitive marketplace of networks, like the credit card processing networks Visa, MasterCard and American Express.
And the beauty of the infrastructure of TRAIN and the others, DANCE as well, is that it allows people to choose how they want to interconnect their networks. And what is the internet? A network of networks. And what can be done here, I think, is allowing those networks to interconnect.
And I think over time, as people become more comfortable, there will be a consolidation. But I do not ever see a situation where there will just be a single source of truth, such as the root zone that exists on the internet today. I could be wrong, but I think that there are just a lot of geopolitical challenges on coming up with a single source of truth on something that is so sensitive to so many national governments.
Oscar: Yeah, I think it is most likely that it’s the way it’s more decentralised.
Michael: Yeah. And as I said, you know, as far as who can provide this infrastructure, what I think is really interesting here, Oscar, is that this creates a tremendous opportunity for those companies that have expertise in DNS infrastructure to, if you will, take their business models to a whole other level.
You know, one of the discussions I had with a number of registries and registrars at the recent ICANN meeting was, I said, “Globally, there are about 370 million domain names registered.” That’s it. You know, across gTLDs and ccTLDs, you add them all together: 370 million. But when you look at the identity market, you have 8 billion people, 20 billion IoT devices, you know, billions of legal entities. I think it would be incredibly fortuitous for the DNS infrastructure community to look at the market of tens of billions instead of focusing on a market of hundreds of millions. So that is kind of my effort to get people to think outside of their 1999 business model.
Oscar: Yeah, a completely different scale. Yes, absolutely. And you mentioned that one of the ways you entered, in these last years of your career, into identity itself was also related to self-sovereign identity. Correct? So, what is the role of self-sovereign identity in this topic?
Michael: So, I tend to take a more agnostic view. I tend to look at the DNS as being agnostic infrastructure. As I said, it can handle X.509 certificates. The InfoNetworks reference implementation has relied heavily upon OpenID Connect. With regard to the long-term viability of the SSI model, there, I think, things are potentially a little more complex.
And let me begin by stating I fully support individuals being able to grant and revoke consent to how their data is used by third parties. I think that is critically important. In fact, one of my good friends in Germany, Klaus Stoll, he is the co-founder of the Internet Integrity Task Force. And one of their focuses is to actually take the UN Declaration of Human Rights and extend that into digital identity in cyberspace.
That being said, you know, my partner, Frank Cona, often calls SSI the myth of self-sovereign. Personally, I struggle to see a long-term, market-viable identity solution that does not rely upon a government-issued ID as that trust anchor. Where I think a lot of the constructive efforts of the SSI community would be best harnessed would be to focus on a lot of the work being done in Europe with eIDAS 2.0 and the European Wallet initiative.
I think that the European Union has the potential to set the bar for digital identity, much like the GDPR set the global bar for data privacy. So, I see most or many of those SSI principles being incorporated into that work. And again, I try to be more agnostic as far as the individual technology stack.
And just, you know, one other thing that I think is interesting is that this year at the Identiverse conference, one of the keynotes was given by Stephen Wilson, and his talk was on trust in a post-identity world. I would really encourage your listeners to watch that video. It’s only 10 minutes long, but it really is thought-provoking and aligns with a lot of the work that InfoNetworks has been doing.
And instead of focusing on identity, it’s more about building trusted ecosystems and creating a marketplace for the exchange of verified data. Because I think, as you are aware, if you ask 10 experts what their definition of digital identity is, you’ll probably get 15 answers, right? So, to me, again, that’s part of keeping the core neutral and trying to innovate at the edge. That’s what’s really worked on the internet, and hopefully it is a way of creating innovation within the identity space.
Oscar: And time will tell about SSI, self-sovereign identity. One thing you also mentioned a bit earlier in the conversation is organisation identities, which today is mostly about the LEIs, the Legal Entity Identifiers. So how does this fit into the solution?
Michael: Yeah, so GLEIF, you know, for your listeners, GLEIF was spun up, and again, this is another area where Ubisecure is a provider of LEIs. So not only did you participate in LIGHTest, but you also provide LEIs as well. So again, it really is interesting, and it shows kind of Ubisecure’s thought leadership in this area.
But getting back to GLEIF. So, after the economic downturn in 2008, one of the problems that was identified by the G20 was the inability to keep track of some of the derivatives that were owned by different financial institutions. And what they discovered was that they needed a globally unique identifier for legal entities. And this is basically the genesis of where GLEIF came from.
And what they have done with the LEIs, which I think is really interesting, is they have provided a unique identifier for a global business. One of the projects that GLEIF is working on now, and I believe they’re concluding their pilot right around this quarter of this year, is vLEIs. So, what they are looking to do is actually take the legal entity identifier and then be able to map that to individual corporate officers or employees within the organisation. And again, they are doing this using the KERI protocol.
And one of the things that I really like about the approach that Stephan Wolf, Karla McKenna and Christoph Schneider have taken is that they have similarly taken an agnostic approach. The KERI protocol can interface with a number of different ledgers or databases for what they’re doing. So, I think this is something that is really interesting, particularly their work with vLEI.
The other thing that I think is unique about the work that GLEIF does is that not only do they work at a standards level within ISO, and on some of the work they’re doing with the Trust Over IP Foundation, but they are also very active in ensuring that the LEIs are recognised in individual national laws. So, if you go to their website, they actually have a database where you can see how LEIs have been incorporated or referenced in various national laws.
So, to me, this, I think, is a very important step in the further, if you will, codification of identity in national and international laws. GLEIF was also one of the five founding organisational or institutional members of GAIN as well. So again, they’re doing a lot of great work there. And I think that’s something really interesting to watch.
Oscar: Yeah, definitely, super interesting synergies between all these pieces that help us to have better identity for individuals, for organisations, et cetera. And yeah, thank you so much for enlightening us so much; you are involved in and very knowledgeable about so many projects, and they are super interesting. I have to listen to this conversation again and take note of what you have mentioned, super interesting projects.
Michael: And what I’ll do is follow up, and for your show notes I can include some of the links to some of the standards bodies and some of the work that’s been done, to help educate and point your listeners in the right direction.
Oscar: Please, please, thank you, we will add all that to the show notes of this episode. So please, final question. As usual, for all business leaders listening to us, what is the one actionable idea that they should write on their agendas today?
Michael: That’s a good one. As someone who has come to this space a little later, as I said, having transitioned from identifiers to identity, I think the best actionable advice I could give to them is network, network, network. Identity is an emerging area involving both technology and legal governance that I think is vital to almost every business. Therefore, I think it’s really critical to have a network of friends and colleagues to interact with and to bounce ideas off.
So, I would encourage everyone listening to this podcast today to find resources in their budget and in their calendar to attend at least one identity event in person in 2023. This year, for example, I started off with KuppingerCole in Berlin with the European Identity and Cloud conference, then it was Identiverse in Denver, FedID in Atlanta, and I just finished up last week with Identity Week in DC.
You know, the personal interactions and learning experiences through these face-to-face meetings are truly invaluable. And while I attended some of these events virtually during lockdown, there really is no substitute for that in-person interaction. And, you know, that really has allowed me, if I could just, you know, thank some of the people that have helped in my journey: Nat, Gail and Don at the OpenID Foundation, Christina and Ankur at Microsoft, Torsten and Daniel at Yes.com, Mark and Elizabeth at GAIN, and Jeremy Grant and Joni.
There’s just so many people. And I think the thing that’s most important here, which reminds me of the original domain name or ICANN community back in the late ’90s, was they were incredibly welcoming. All these people, when I had questions, they answered them, they pointed me in the right direction. And that is a camaraderie that I do not necessarily see in many industries. And yeah, go to an in-person identity conference in 2023. That would be my takeaway.
Oscar: Yeah. Excellent. Excellent. Well, I have to take that one too, and maybe see you in person next year, and many of the ones who are listening to this. So yeah, excellent. Thank you for telling us that. It’s definitely a great actionable idea. Put it on the agenda already, now that this year is ending, and plan it for next year.
Again, thanks a lot, Michael, for a super interesting conversation. If you have something else to close or tell us how people can find more information about you, let us know.
Michael: Yes, you can find me on LinkedIn, or you can reach me via email at [email protected], or at my original digital identifier, [email protected]. So, any of those means of communication, and for someone that’s new to the identity space, you know, don’t hesitate to reach out, and hopefully I can pay forward some of the help that others in the community have given to me over the last three to five years.
Oscar: Fantastic. Thanks a lot Michael and all the best.
Michael: Thank you.
Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the hashtag #LTADI. Until next time.