Let’s talk about digital identity with Heather Flanagan, Principal at Spherical Cow Consulting and David Birch, Principal at 15 Mb, author, advisor and commentator on digital financial services.
This is the 100th episode of Let’s Talk about Digital Identity – in this special episode two of our most popular guests, Heather Flanagan and David Birch, rejoined the podcast to explore what is exciting them in passwordless, identity wallets and digital money.
“Passwords have got to go. As we’re moving to passkeys, I think there’s always room for improvement on – even on them. If nothing else, focusing a little bit more on the user experience so that people will have a better understanding of what this means.”
Heather Flanagan, Principal at Spherical Cow Consulting and choreographer for Identity Flash Mob, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organisations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards, or discussions around the future of digital identity, she is interested in engaging in that work.
“The thing that’s broken in digital money at the moment, is identity, not the payment bit.”
David G.W Birch is an author, advisor and commentator on digital financial services. Principal at 15Mb, his advisory company, he is Global Ambassador for the secure electronic transactions consultancy, Consult Hyperion, Fintech Ambassador for Digital Jersey and Non-Executive Chair at Digiseq Ltd. He is an internationally-recognised thought leader in digital identity and digital money. Ranked one of the top 100 fintech influencers for 2021, previously named one of the global top 15 favourite sources of business information by Wired magazine and one of the top ten most influential voices in banking by Financial Brand, he created one of the top 25 “must read” financial IT blogs and was found by PR Daily to be one of the top ten Twitter accounts followed by innovators (along with Bill Gates and Richard Branson).
His latest book “The Currency Cold War—Cash and Cryptography, Hash Rates and Hegemony” (published in May 2020) “paints a fascinating and stimulating picture of the future of the world of digital payments and its possible impact on the wider global and economic orders” – Philip Middleton, OMFIF Digital Monetary Institute. His previous book “Before Babylon, Beyond Bitcoin: From money we understand to money that understands us” was published in June 2017 with a foreword by Andrew Haldane, Chief Economist at the Bank of England. The LSE Review of Books said the book should be “widely read by graduate students of finance, financial law and related topics as well as policy makers involved in financial regulation”. The London Review of Books called his earlier book “Identity is the New Money” fresh, original, wide-ranging and “the best book on general issues around new forms of money”.
The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.
Oscar Santolalla: This is episode number 100 of Let’s Talk About Digital Identity. And for this special occasion, we have invited back Heather Flanagan, and David Birch.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
We have invited back to the show two of our most popular guests. So, these two guests, let me introduce them is Heather Flanagan. She is Principal at Spherical Cow Consulting and Acting Executive Director for IDPro. Hello, Heather.
Heather Flanagan: Hello, Oscar.
Oscar: Nice having you back.
And our second guest is David Birch. David Birch is an author, advisor and commentator on digital financial services. He is Principal at 15 Mb, his advisory company. Hello, David.
David Birch: Hi. Thanks for having me.
Oscar: It’s a real pleasure having you both for this special episode, a bit different style, so being out of our usual script. But yeah, hearing a little bit more about yourselves.
So, I’d like to hear something in particular, because we want to hear something – a moment in your lives. So, what I want to hear – think of one specific moment in your career in which you told yourself, “Yes, this is why I love working in the identity industry.” Which moment would it be? Who wants to start?
David: Well, and it’s a bit self-centred, but probably when my publisher agreed to publish my first book. I thought I had some interesting ideas about identity – I mean you always think that your ideas are – but when you get that kind of validation that your ideas actually are interesting to other people. That really did change my career. Yeah, otherwise, I probably would have just carried on being a pretty average consultant and carried on in payments and banking. So yeah, it’s – but I put it all down to my publisher.
Oscar: Which one was this book? Tell us which book was this.
David: Identity is the New Money. It was Diane Coyle, the Economist, who encouraged me to publish it. So yeah.
Oscar: Fantastic. Heather?
Heather: I don’t have anything. I’ve been actually thinking about this question for a while, and it’s really hard to point to any one thing, because there were no lightning from the sky moments. It’s just, it’s always been such a foundational aspect of everything that I’ve ever done since I started in tech in the mid ‘90s. Where the first question was always – when you’re taking over something from a bulletin board system to an email server, “Who can access this? What permissions do they need to have? How do you set up accounts for them?” That was where everything always started. So, no one moment, it’s all of the moments.
Oscar: Well, that’s great that there are several exciting moments. I’m sure for all of us, it’s been like that. Several moments in which we feel that this is exciting to be in this industry. But thank you for sharing that with us.
Being already towards the end of this year 2023 – so there are some keywords which were buzzing in the last years. But some of these buzzwords today are more reality, we have access to those. What do you think, what you feel about these technologies or techniques. And let’s get started with passwordless. So, if I ask Heather, what excites you today about passwordless?
Heather: I’m really excited about the fact that the technology itself is solid, the standards themselves are really, really well-done. But as excited as I am, I am concerned. Like at all the new modern technologies, I look at them and go, “Wow, that’s really cool.” and little anxiety making because for passwordless, what I observe is when you actually get out of the tech field and talk to my mother, she doesn’t trust it because it’s too easy.
And so, I do wonder about as bad as passwords are, the friction that they add, it’s something that people can wrap their heads around. Whereas they don’t understand the magic that’s happening behind the scenes that makes passkeys better. And if they don’t trust it, they won’t use it. And if they don’t use it, we lose out on all the benefits. So, one of the things I’ve been trying to think about for you know, the future is OK passkeys are amazing, but how can we make them less magic scary?
David: I’m a bit frustrated with it really, because I’m extremely lazy. And so, you know, like eBay, for example, uses passkeys, the whole thing works perfectly. So as soon as I go to a site, as in fact I just did 10 minutes ago to look at something and it’s log back in. I’m like, “What I have an account? I didn’t even know I had the account.” And then I had to remember the password. And of course, I didn’t get it. So, I had to click on, I forgot my password, and then I got the password reset. And then I put in the new password. And it said, “You can’t have a new password that’s the same as the old password.” And we just go around in this loop. And it drives me crazy. I’m like, “Why can’t you just all implement this?” Despite the fears of your mom, which I mean I can’t discount those because they’re real. The sooner we make people stop using passwords, the better.
I was reading a fantastic story in the Insider this morning. Did you see this story about the Zelle fraud on Insider? It’s typical kind of thing, you know, guys getting some work done by a contractor. The hackers get into the contractor’s email account, they send him a thing to send money to a different account, which is the hackers’ account. And they make off with all of the money. And so, they go and talk to the contractor and said to him, “You know, did you know that your email has been compromised, you should change your email password.”
And the guy, it says in the article, “We may as well have been speaking Romanian.” The guy had absolutely no idea what they were talking about. Because he’s a normal person. He doesn’t care about all of this stuff. You don’t say to people, “Oh, here’s a car, would you like a seat belt with it? Or would you like a piece of string that you could attach in, you know, particularly opt in place.” You know, as a society, it comes to a point where you say, “I’m sorry, not wearing seatbelts, there’s just too many people dying. So, cars have to have seatbelts. And you have to put the damn things on. End of story.”
And I sort of feel we’re getting to that point. Fraud and scam, it’s just so completely out of control. And this thing about whether you know, you need to put people in charge of their own data and so on. I just don’t believe that for a moment. I just don’t. Most people don’t have the persistent competence that – including me, by the way, I’m not casting the first stone, I’m one of those people that lacks the persistent competence to make this happen. There are reservations but passkeys are a billion times better than passwords, and we should make people use them. I’m sorry, you got to stop pandering to populism.
Heather: No two ways about it – Passwords have got to go. As we’re moving to passkeys, I think there’s always room for improvement on – even on them. If nothing else, focusing a little bit more on the user experience so that people will have a better understanding of what this means. And when they click this button, why would they click this as opposed to clicking something else that might be a phishing site that they wouldn’t recognise. So, it’s an ongoing education.
David: Then you sort of think of contactless as the, you know, in the early days of contactless people, “Oh, it’s too scary.” And in some parts of the world, it appears to be witchcraft, that you can pay for things by not touching it with your card and this, people are going to come and steal all the cards. And there are going to be people of Eastern European origin on the subway system, putting their hands inside your clothes to read your cards and all this. Remember all of this stuff that was going on?
And now, you walk into a store, anywhere in the world. I’m not talking America, I’m talking about developed countries, of course. You walk into a store anywhere in the world, and there’s that little contactless symbol and you pay, and you go, and no one thinks anything about it anymore. It’s a bit different in America. In America, you have to look for the till and where’s the sign? And then you have to press some buttons. And then sometimes you have to sign something as well. It’s baffling. I don’t understand any of it.
Heather: Oh, the day you understand what happens in the United States will be a marvellous day. Because nobody understands what happens.
David: No, it’s mysterious. But the point is, generally speaking, you know, we came up with this symbol, and everybody knows, you tap your card there, and it works. And guess what? All of your money isn’t stolen by Eastern European fraudsters. So, they’re not all Eastern European, obviously, other fraudsters are available. Because the corollary is going to be basically, people like us will start using passkeys, and so all the fraud will transfer onto people like your mom. That seems a little unfair to me.
Oscar: Yeah, seeing that you are excited indeed with passwordless. But of course, there are some concerns and some things to improve. Absolutely. Interesting what Heather said that, yeah, some people have been using password for so long, but that anything else feels like how do you say the…
David: An improvement? Real security? System-wide integrity? I don’t know, what’s the word you’re searching for there? I don’t know.
Oscar: How you say the…
Oscar: Magic. Yeah, magic.
David: So, I’m excited as Heather is, I’m probably just a bit more militant on how quickly we should be pushing it out.
Oscar: Yeah, we’ll see what comes in the next year as how it really rolls out. But the next one is about identity wallets. So, what excites you today about identity wallets?
Heather: Oh, I have a list on that one. I’m particularly excited over how – as much as I worry about people not understanding the magic, they do understand the concept of flipping through a wallet to get to the right card, the right credential, the right thing they need and then using it and giving them that level of control is a vast improvement, I think over some of the other technology has been going on today.
I’m watching what’s happening in Europe quite closely because I think that – how the governments are handling digital wallets and digital identity is a very interesting model. I will be curious to see how other countries do it. How they do it well, how they do it poorly. And if there’s some way we can actually – I’d love to standardise ‘what’s a wallet’, you know. That’s one of my little pet peeves, there is no standard for a wallet. There’s standard for credentials, but there’s not a standard for ‘what is a wallet’.
David: I mean, it’s interesting to see what the Open Wallet initiative and various other people are doing in this space. I agree with Heather. I think as much as the technology is important, and certainly, in technological terms, the wallet is the sort of crucial pivot between the kind of online and offline world. It’s very central to the next phase of evolution of commerce. A lot of it has to do with – in fact, we won’t even call our wallets now identity wallets, we just call them wallets. But if you actually open up my wallet, I mean, I won’t do it over there. If you open up my wallet, it has no money in it. Everything is in my wallet, it has to do with identity, driver’s licenses and loyalty cards. And my wallet is already an identity wallet, we just don’t call it that.
So, extending that wallet across sort of virtual and real world seems to me, pretty straightforward. But of course, that does rather interestingly open up what I think will be quite a vicious battle about who’s actually going to control those wallets. Because certainly, Heather mentioned kind of the European approach. They’re very, very unhappy with the idea of big tech controlling those wallets. We’re very unhappy with the big tech or big government controlling the wallets. People like me will prefer that it was regulated institutions – banks primarily, that control those wallets. Other people think banks should be absolutely the last people to have any sort of control over those wallets. So really, I’m not smart enough to figure out like the end dimensional gameplay as to how this is going to work out. But it’s pretty serious. It’s pretty serious.
Heather: Yeah, people understand the concept of a wallet. But what we’re talking about in today’s world is that, you know, “how many wallets are you going to have to carry?” Because there may be one that’s issued by big tech, perhaps via your browser or via your mobile device. But then, you know, as governments are saying, “No, we’re going to issue something that’s completely separate and have its own app, and what is that going to look like. And then how are people supposed to be able to find the credential they need across 2, 3, 5 different wallets?
David: No, I agree with you completely on that, Heather. But I think there’s another level of complexity there as well, which is – because is the wallet going to be like if you imagine there’s some kind of standard wallet, is that wallet the app? Or is that wallet, essentially the underlying SDK the apps plug into?
So, my British Airways app and my Barclays Bank app, they’re all actually the same wallet underneath. They’re all plugging into the same wallet. But is it going to be like that? Is there going to be like a travel industry wallet? Or is British Airways going to have its own wallet? That’s really hard to know. I would think, and this comes from kind of what I think is a reasonably rational calculus. The credentials that are going to be in those wallets are the embodiment of individual reputations.
My British Airways credential is the embodiment of my relationship with British Airways, that I want to take and show to other people. It’s not obvious to me that British Airways would benefit from owning the wallet, because they’d have to maintain it and upgrade it and whatever. They’re having enough trouble just with their own website to do that. On the other hand, I can see why they’d be nervous about just handing the whole thing over to Apple and Google, because then they’ll end up paying a tax, which I’m pretty sure they don’t want to do. So, I don’t know how that’s going to work out. But I listen to a lot of smart people about this. It’s a very fascinating topic to me.
Heather: I talked to Don Thibeau and Juliana Cafik and a couple others about “what was the Open Wallet Foundation trying to do?” And they’re trying to work towards interoperability in code and maybe a standard will come out of that someday when they see what works and what doesn’t work. But at the moment, they are not standardising wallets. They’re just…
David: No, that’s true. There’s…
Heather: They’re just putting together a platform to try and make it work together.
David: But as you pointed out earlier on, some of the components are standardised. We have VCs, we have MDL. We’ve got MDL 7 and 9 coming in a few months, a year or something. So I mean, there is some pretty useful standardisation going on anyway.
Heather: Yeah, more in the credential format space.
David: Yeah, yeah. Yeah, absolutely. That might give us enough interoperability to get started.
Oscar: We’ll see. Indeed, it sounds like it’s…
David: I’m a naturally simple and optimistic person. Heather’s looking at all the nuances here. And that’s why she’s so, that’s why my superficial, cheery approach to this – it’s not washing with her I can see it from her face.
Oscar: You seem to be both excited about identity wallets, I think.
David: Yeah, I think wallets are really interesting topic for the coming year.
Heather: Huge potential.
Oscar: You, David, mentioned that as far as I understood, you don’t carry cash anymore, that was my understanding how you have your wallet, your real wallet without cash.
David: No, actually, I mean I don’t carry my real wallet, it’s in the drawer over there. So, I had an interesting conversation with somebody last week about premium cards. That’s how interesting my life is, Heather. I just, I benchmark, I had an interesting discussion with someone else last week about premium cards. This is a tragic trajectory of my life.
But I have this fancy new American Express Platinum Card, which is made out of some sort of metal. I don’t know if it’s actually platinum, but it’s sort of metal. And it’s really fancy and heavy and solid and whatever. And I couldn’t even tell you where it is. It’s in the house somewhere. I haven’t the slightest idea.
Oscar: Don’t activate it.
David: No, no, because as soon as I got it, it’s on my phone. I only ever use it on my phone. I don’t know where the actual card is, I have no interest in that. I’m going into London in a minute, I have a ring. So, the ring I use for getting on the subway and bus because I don’t always want to take my phone out. But if I’m paying in a restaurant so I got to use my phone. I think the days of physical wallets, I mean, lots of people keep saying, well, there’s going to be a backlash at some point, and people are going to want to use cash, sort of the way they want to use vinyl records, I suppose. But I think that will just be like a few hipsters. I don’t think it’ll be the rest of us.
Heather: I don’t trust having network access consistently enough to go without some kind of physical something. Do I use my wallet on my watch and my phone more often than not? Well, when I’m in Europe, yes. When I’m in the US, maybe. I don’t count on it. I don’t think I can count on it yet. So, there’s always the physical components that I think I have to have.
David: Yeah, I mean, I would say that’s an interesting argument in favour of using offline verifiable credentials. And it’s also a crucial argument in favour as to why Central Bank Digital Currency should operate offline. So, I mean, I agree with you about that. As to the state of things at the moment, well, if the transit gates fail and can’t go online, they have to fail open, it’s a public safety issue. You can’t fail transit gate shut. So, they have to, they should have – I can always get home, you know, but it’s never happened. But when push comes to shove, I’ll get home, so I’m fine.
Oscar: Yes, and that related to my last question, but just to hear what you liked the most. So, what excites you about this digital money that we were already starting to discuss?
David: I’d say there’s probably three things. I mean, Heather’s going to disagree with me on every single one of them, which is why it makes for an interesting conversation. But I’d say there’s probably three things.
So, the first thing is digital money, well, certainly digital currency is the subject of irrational delusional comment by conspiracy theorists, which makes for entertainment. So, I get emails, “oh, you know, Central Bank Digital Currency is the mark of the devil. And we know this because Bill Gates implanted microchips in us through the vaccine, and the microchips are going to steal the digital currency from unvaccinated people and send it through the 5g towers to Satan.” Or somebody, I can’t remember exactly, I don’t remember. But you get emails like this, which add to the gaiety of the nation.
So, the first thing is, there are parts of America where non-existent digital currency is already being banned. So, this is all getting a bit, sort of witch trail-y, so that’s quite entertaining.
The second thing is, and I wasn’t joking about that offline point, which is any scale digital currency in any developed country, even where you have networks and infrastructure has to work offline. It’s the crucial design requirement of it. If you’re going to have a cash substitute, it has to work offline. And that, for me, poses very interesting technological problems, all of which I think, have already been solved. But nonetheless, it’s really intellectually interesting, so I sort of like that.
And the third thing is, I think a lot of people look at digital currency as ‘the thing’. Like, you know, we need digital currency. And that’s it. I mean, what we need is a platform for innovation and development. Digital currency in itself is sort of not that interesting. As we’ve just established, I can already buy milk in the supermarket without using physical cash. So that’s not, but this idea of permissionless innovation that you could bring into our space from the cryp– because digital it doesn’t involve any credit risk, you see. So, you could imagine a situation where as long as you’ve got an approved chip in your iPhone, or something, they’re certified as being capable of storing digital dollars or something like that, then you can use the API to do whatever you like, there’s no credit risk involved. So, allowing people to experiment with interesting new things – micro payments, and Escrow and blah, blah, blah. On top of it is really where it’s at. And that’s why, you know, I get it a bit when people say, “Well, what are the sort of key uses?” Well, I don’t know, I’m too old. Give it to some kids in a garage and let them come up with something.
Heather: OK. So, for one thing, I really want to see your emails about this because they sound hilarious. I admit, I’m absolutely a digital currency sceptic. For one thing, as David has said, right, you don’t generally need to carry cash now anyway, so what is it getting you? And everything I understand about it is like, “Well, yes, but then you’ll be able to transfer money quickly without the bank getting in the way.” And I’m like, “Hmm, you say the bank getting in the way and verifying the transaction is a bad thing.” “Oh, but it’s expensive.” And I’m like, “Well, that’s a different problem, not just because the banks are charging a lot.” So that’s like a completely different problem to solve that it’s not a technology problem at all.
So yeah, I’m definitely not convinced. Having the permission to innovate and work with this kind of currency, to me in a way, that’s like saying, “Yup, let’s turn this into a barter system, except you’re bartering these digital currency components.” “OK. Go for it, go to town.” That’s just people agreeing with each other. And it’s a completely different system in the same way that a barter system is completely different with my cash system.
David: That’s a really interesting point. And I don’t mean that in any sort of patronising sense, I really mean that because you’re right, of course. And what that means is, if this stuff worked, then downstream you could imagine an environment where if you and I engage in some sort of transaction, right, I’m going to pay you to write something or you’re going to pay me to come and speak or something like that. My, you know, supercomputer at the end of a wire, it can be a through my mobile phone, my giant killer robot artificially intelligent wallet will negotiate with your super intelligent giant killer robot Terminator wallet to exchange baskets of tokens to an agreed –
The idea that you would need money as an intermediary when you have that kind of barter that works. I think that’s really, that’s as a very interesting point. So, if our super computers could agree on these baskets of assets to exchange, which sounds weird when its people talking about it, but it’s a few nanoseconds for super computers. Why would you turn those assets into dollars or something in the first place? Why wouldn’t you just swap the assets around?
So, I actually rather agree with that point. But I think that’s much further downstream. I think, in the short term, you see the demand for dollar stable coins in particular, as an indication to me that a lot of people around the world and in America, for that matter, wants to hold digital dollars. They would find digital dollars useful to do things with that you can’t do with regular dollars, and I sort of agree.
So, I can see sort of both things. But to me, the short term and the long term are quite different there. Because I probably do drink my Kool Aid, and I’d probably do think that that’s kind of a stupid expression actually it’s, don’t drink that Kool Aid because everybody that drank the Kool Aid died, didn’t they? Or am I getting the stories mixed up?
Heather: I wasn’t going to say it.
David: Yeah, no, I think they did. OK, that’s a bad example. But the point is, I think in the long run, you might well be right. I think in the short term, digital currencies, I think would add to the net welfare. I mean, I can imagine, you and I agreeing to something, and the money just goes from my digital wallet to your digital wallet. It never goes anywhere near the banking system. It just goes over Bluetooth or whatever but yes. It is exciting. That’s true.
Oscar: Heather, what’s not so exciting to digital money?
Heather: We’ll see.
Oscar: We’ll see. We’ll see. Anything else that it’s for you is exciting?
David: What’s not working digital money, you know, these answers are intertwined, because the thing that’s broken in digital money at the moment, is identity, not the payment bit. Like the reason why you’ve got Zelle frauds and authorised push payment frauds and these massive crypto scams going on all the time. It’s because nobody knows who anybody is. It’s not because the payments don’t work properly. It’s because identity doesn’t work properly.
If the identity, you know, I’m going to sound like a broken record on this one for the teenagers there. I’m going to sound like a vinyl implement that used to go around whether it has a scratch in it. So, this sort of needle would prompt up, down and come back to this, I have to talk them through this metaphor. But I’m going to sound like a broken record on this. Because if you fix the identity problem, payments are easy.
If you know the reputation of all of the counterparties in a transaction, then pricing the risk in that transaction is easy. And that’s kind of what we should be aiming for. The next phase of evolution is really about identity. It happens that I think, and I can’t prove this with any kind of actual analysis, this is just my sort of crackpot theory about this. But actually, if central banks do drive forward with digital currency, digital currency doesn’t work unless you have digital identity. You can’t give people wallets unless you know who those people are. You can’t maintain limits on personal holdings unless you know who’s got the wallets. There must be an identity system for the currency system to work. So it could be that Central Bank Digital Currency actually turns out to be a vector for people like Heather to actually get something done about wallets and digital identity. So, there’s an interesting interrelationship there.
Heather: They are certainly tied together. There’s no two questions about that.
Oscar: Anything else that you think that is exciting today in the identity world that we have not covered?
David: Well, there’s two things I’m excited about today. I can tell you what I was doing before I came on this call. So, one is – I’m very excited about only because I’m not a normal person. I’m very excited about ultra-wideband technology. So, all iPhones for a while, you know some of the top end Samsung’s you know Apple Air Tags, things like this, they all have this thing in them called you UWB, Ultra-Wideband which a lot of people kind of overlook a little bit because we focus everything on Bluetooth and Wi-Fi. But when Bluetooth and Wi Fi came out there were actually three wireless standards. There was Bluetooth, UWB and Wi-Fi. And UWB never really got used because the Wi-Fi chips got cheaper much quicker, and everybody just started building Wi-Fi into things. And meanwhile Bluetooth ranges went up.
But ultra-wideband, which is short range, medium speed that uses this pulsed radio. Because of the way it works, it can only tell where things are, this is how Air Tags work. But it can also tell whether you’re moving towards something or away from it. So, this idea of having a phone that knows you’re walking up to the point-of-sale terminal or knows you’re walking up to a door. And the way that Apple are part of this digital car keys alliance, which I’m very interested in with Google, and I think BMW and people like that.
So, this idea that you have one technology like this, which locates you, you’re walking towards the POS terminal, and then it flips to Bluetooth to execute an actually secure transaction with real cryptography, and real keys. I’m really interested in that at the moment for a variety of different ways. So that’s the first thing.
And the second thing is, and I think we have touched on this before, we think of identity as being about people. But actually, everything needs identity. And when everything has an identity, working out how to get both privacy and security in that environment is really rather complicated. It’s very intellectually challenging. And that’s what I’m spending the rest of my time on with another startup at the moment. So yeah, there’s no end of things to be excited about in this space, honestly. And frankly, figuring out how people can log into their bank account without password is the least interesting of the things that’s going on at the moment.
Heather: Probably the most interesting thing that I’m trying to stay on top of right now is watching the standards development space, because that is like one of my favourite things to do. Because I might also be a little bit of a strange person. So, standards development space, seeing how ISO, the IETF, the W3C, as well as some of the smaller standard’s organisations like the OpenID Foundation, the Decentralised Identity Foundation, Trust Over IP, how they’re all circling closer and closer to each other and sometimes hitting each other, bouncing off.
You know, it’s becoming a really dense space to try and follow and understand what’s happening with W3C verifiable credentials? How do those relate to the ISO MDOC standards, and what’s happening with the IETF’s OAuth and CBOR and you know, all of these different standard’s groups are all starting to get closer and closer at nibbling down this problem. And they’re never going to succeed because they’re reaching the point where it’s not a technical problem anymore. It’s a societal problem. And the regulators are starting to move ahead of them and saying, “No, this is what, you know, we need to happen. And it’s not about technology, as much as it is sometimes about the society and the cultural requirements.” So, seeing these organisations tighten up, it’s pretty cool.
David: I was just going to ask you, because I’ve sort of lost the thread on this a little bit, because unless you follow it with minute detail every day, you don’t. I wonder if the whole kind of MDOC thing doesn’t have its own momentum. So, in other words, in a lot of circumstances, you can see why people are going to go to MDOC and MDL part 5, even for something that’s not a driving license, just because. It reminds me a little bit, and here’s another one of the teenagers, it reminds me of X.500. Because having spent part of my young life, she doesn’t even know what X.500 is, how he’s been part of my – X.400 was the ISO messaging standard that existed before the internet and that no longer exists. And X.500 was the directory standard for that. And that no longer exists. An X.509 was the standard for exchanging public keys in that directory. And X.509 version 3 is how everything works on the internet.
So, the whole of X.400 has disappeared, the whole of X.500 disappeared. And I just wonder if MDL isn’t going to be in the same place, like people are going to end up using MDL just because it exists. It may not be the optimum for a lot of the appli– but it doesn’t matter. The format exists. Wallets can understand it. Apple and Google Wallets can understand it. The MDOC stuff will carry on standardising, and I think maybe a lot of stuff will just get sucked into that.
Heather: What’s getting complicated about it – is the MDL standards. They are in their own way the X.509 to the modern world. They’re specifying a credential. This is a discrete concrete, and this is what this is supposed to be used for. It is your driver’s license. It is your identifier. Verifiable credentials using W3 capital V, capital C verifiable credentials. That’s not what they are really, those are much more generic thing that’s actually more an authentication thing. So, the fact that they’re hitting each other in the ways that they are is very interesting and a little disturbing. And the fact that the browser vendors are debating within themselves, which one they’re going to support when ultimately, they serve different purposes, I worry that we’re going to be driven towards…
David: No, no, I… your analysis is spot on. I agree with you completely Heather. I’m just saying that in practice, what seems to be happening is like people like me would say, “Well, actually…” you know, use the canonical example going into the bar, you know, people like me would say, “Well, you should be presenting an ISO W3C verifiable credential that says that you’re over 18 or over 21. So, I’m going…” But that doesn’t exist. The standard for the credential exists, but the contents, whereas on MDL, OK, that’s not really what it was meant for. But actually, demanding to see your MDL driver’s license, I can do because the standard exists. And I, you know, so I agree with your analysis. I’m just saying I wonder if actually, well, Trust Over IP and all these other things are kind of circling around, bumping into each other. MDOC is just steadily progressing, you know.
Heather: Told you Oscar, I told you, you’re going to have all sorts of fun things to talk about.
David: He’s going to get very bored on our – just our island, Heather. Like after the plane crashes, we’re going to be fine. He’s going to be, I don’t know what he’s going to do all day, making those little token at men or something.
Oscar: Yeah, fantastic. Hearing all this from you. You’re definitely super passionate about – many of these things that you’re talking about, frustrated about some of them, but yes, super excited about most of them. So, thank you very much for joining us in very special episode for us. So, thank you very much. And please tell us how people can learn more about you, Heather?
Heather: Oh, easiest thing is – go to LinkedIn and find me there. I check it every day. It’s one of my major social media accounts.
David: Yeah, I mean, I spend more time on LinkedIn now since Twitter kind of went all weird. So, I mean, I’m on LinkedIn too. But it also you can just look up www.dgwbirch.com.
Oscar: Excellent. Well, thank you very much. So, let’s see how exciting comes the next coming months, years and yeah, how all the things we were discussing today will roll out. So, again, thanks a lot and all the best.
Heather: Great. Bye
David: Bye guys. Talk soon.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.