Let’s talk about digital identity with Sid Desai, Director at Remme.

In episode 19, Oscar talks to Sid about what exactly a decentralised ID is, its benefits, use cases and open standards such as the Decentralized Identifiers (DIDs) specification from W3C. They also discuss how decentralised identity will develop in the coming years, and why Remme is building a decentralised model of Public Key Infrastructure (PKI).


“Decentralised IDs give control of digital identity back to the user.”

Sid Desai is a Boston (USA) based IT security professional who’s passionate about user/machine identities, security & PKI. Sid has led the distributed identity front in his work at Remme, helping work with the platform, engineering and partner teams to massively extend the impact of decentralised identity & authentication solutions for the modern enterprise. He consults with Remme’s customers around the world on how to transform their identity & authentication ecosystems, thus helping them increase their business integrity & efficiency while lowering costs. Recognised as a well-rounded advocate for identity, digital transformation and blockchain-enabled solutions, Sid is also a regular speaker, contributing author and media commentator. Find Sid on LinkedIn or email [email protected].

Founded in 2015, Remme is building the distributed Public Key Infrastructure protocol and PKI-enabled apps to address the challenges of Web 3.0. Remme Auth is a 2-click authentication solution that allows users to securely access a website without passwords. Instead, the solution uses X.509 self-signed certificates and blockchain technology. Find out more at remme.io.

Remme is a Ubisecure partner, with the companies collaborating to create identity solutions using blockchain technology. Read the press release here – https://www.ubisecure.com/news-events/remme-ubisecure-blockchain-identity-management/

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


[Podcast transcript]

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining today. Today, we will hear our guest talking about Decentralised ID. So for that, I would like to welcome Sid Desai. Sid is a Boston-based IT security professional who’s passionate about user and machine identities, security, and PKI. Sid has led the distributed identity front in his work at Remme, helping work with the platform, engineering, and partner teams to massively extend the impact of decentralised identity and authentication solutions for the modern enterprise. He consults with Remme’s customers around the world on how to transform their identity and authentication ecosystems, thus helping them increase their business integrity and efficiency while lowering costs. Recognised as a well-rounded advocate for identity, digital transformation and blockchain-enabled solutions, Sid is also a regular speaker, contributing author and media commentator.

Hi, Sid.

Sid Desai: Hey, Oscar. How is it going?

Oscar: Very good. It’s nice talking with you. Welcome to the show.

Sid: Thank you for having me.

Oscar: A pleasure. Sid, let’s talk about digital identity and I would like to start hearing how was your journey to this world of digital identity?

Sid: I think it began around 2011. I was working on some energy smart grid projects for a large US-based smart metering company. And it was during that time that I was exposed to concepts of identity, especially anything that’s got to do with Active Directory. I was also exposed to things like PKI and very early versions of single sign-on. And this applied not just to users at the company but also to machines, to the smart meters. So, concepts of machine identities were very early on at that time, and I was very much exposed to machine identities.

So, after a couple of years in the energy sector dealing with those sorts of concepts, I joined a global Certificate Authority which, at that time, I believe was the second largest CA in the world. And this Certificate Authority, or CA, would issue millions of identities for things like websites or users, or servers and computers, essentially in the form of digital certificates. And this is where I had my first important lesson in learning how to manage identities, or digital identities, at scale. And at that time, I got to help organisations of all sizes deploy PKI and IAM-based solutions. So, if you just fast forward five years at that company, I found myself getting closer to the bleeding edge of identity technology, in this case blockchain. And I have been dealing with decentralised identity since.

So, at Remme, as you mentioned, I currently help companies transform their identity and authentication ecosystems through our non-blockchain as well as blockchain based enterprise solutions. That’s essentially my journey in digital identity.

Oscar: Excellent. You have gone through different types of technologies, all of them related to identity. And now, you are into something really hot, blockchain and decentralised ID. So, that’s the main thing I would like to talk about today, decentralised ID. And at this point I would like to hear what it is. Conceptually, what is that? But even before that, I would like to hear what the problems are out there, what are the challenges that made some people create this concept of decentralised ID?

Sid: I think in order to understand that concept, it’s important to understand what exactly a decentralised ID is. And in order to keep the definition as non-complex and non-technical as possible, essentially, a decentralised ID is a type of digital identity that lives in a distributed database architecture. And a blockchain is essentially a type of a distributed database architecture.

So, a decentralised ID in this case would allow you not just to interact or transact with a single database of records but, in fact, to cross-pollinate across multiple such records, all the while ensuring that there’s a trace of those transactions available in this blockchain which is non-repudiable. And we’ll talk a little bit about what that is in just a second but, think about the online digital login IDs that we use today for the most common websites we use. Think about Google, Facebook, Twitter… so in essence, a decentralised ID would allow you to perform a very similar login and authentication function as you do today but offers a far better scalability and security factor by allowing you to use that single identity, or single secure distributed identity, across multiple functions, across multiple web resources.

And the reason why a lot of people started to look at decentralised IDs as something very important is: think about how many digital IDs that we all have today for each website that we access. I personally have over 35 or 40 different user IDs and passwords that I have to maintain and manage myself. And the digital world is ever so connected. So, if I’m to create a new user ID and password for yet another digital service that I’m consuming, that’s just not scalable and it opens up a lot of issues around identity theft. So, we feel that a single identity or single robust distributed identity that you control, that you manage, the attributes of which you control is the way of the future, especially as more and more things become digital, or our interactions become more digital, and I think that’s one of the real reasons why decentralised ID was created.

Oscar: Yes, that’s a big problem. A new service that you have to use, you have to create another identity – and very often that’s a username and password. So, you said around 40. Actually, I was expecting even a bigger number and I was thinking of course there may be like 40 that are important. Let’s say 40 important identities and there might be another hundred that are less…

Sid: Yeah, there are probably 20 or 30 I have forgotten about because I just don’t use those services as often as I used the top 40. So yeah, you’re right. There’s probably more.

Oscar: Yeah, others that are not so important, but your data is there in some of these service providers.

Sid: Yeah.

Oscar: So decentralised ID breaks the pattern of having a main organisation who is handling your identity such as in the past that there was only, let’s say, the government having that role or your bank. But nowadays, there are so many, both public and private institutions that do that and it’s getting a real mess.

Sid: Right.

Oscar: Yes, so I understand the need of the decentralised ID, of this solution, and the use of blockchain is part of that. So blockchain is –you gave us some explanation already– it’s like a distributed database somehow. Is the only way to do this decentralised ID with blockchain?

Sid: Yes. So, the underlying architecture is definitely possible only with a blockchain. And, if you look up the textbook definition of blockchain you would find something like: it’s an open, distributed ledger of a peer-to-peer network that can record transactions between two parties efficiently and can verify those transactions and store those records in a permanent way. And obviously, this definition is very convoluted and not so easy to understand. So, the best way to talk about blockchain is to talk about centralised networks, like we just talked about in the earlier question, and compare that to a decentralised or peer-to-peer network. By learning it through this example, people will understand why blockchain is the important bit in decentralised IDs.

So, if you think about a centralised network, all parties rely on a singular central entity to verify and perform transactions. You have a central database where every user’s username and password and other data or attributes that belong to that user are stored. Think about a bank. A bank is a good example of this. So is any website. So, if you have websites such as Facebook that maintain a central database of all their users, that’s also a good example. But this design, if you think about it, has a very massive drawback.

For starters, if you invest as a consumer all your trust and reliance in a single party, that is a massive central point of failure for not just your security but everybody’s security. You’re dealing with things like consent, data breaches, and we’ve all seen our fair share of data breaches in our life where an essential database gets hacked and then, again, all the user IDs and passwords are released out into the dark web.

But in a decentralised network every involved party manages their own independent ledger – database in this case – and then tracks all the transactions and work of everybody else’s ledger and then essentially forms your consensus. So, in this case, the records really can’t be manipulated in a very easy way. And I’m saying not in an easy way because if the majority of those involved in the distributed group can be corrupted then, in that case, yes. But it’s very hard to corrupt an entire group of people in the consensus.

So, in essence, this blockchain piece replaces your traditional trust by authority with trust by computation. And that’s the single most important difference between centralised systems and decentralised systems. It removes threats of manipulation by a single party, data theft by a single party, and offers the users more control and influence into that digital transaction.

Oscar: Sure. It’s relatively new, the concept, I don’t know exactly how many years ago it started but it’s still relatively a concept in implementation in mainstream solutions. So, I would like to know at this point if there are already some standards, open standards in decentralised ID.

Sid: Yes, there are definitely some standards that the industry is working on together. You do have some industry heavyweights who are working on creating these open standards. The most well-known among these is the W3C foundation. So, the World Wide Web Consortium, which has essentially been working on building the web standards that we use today since the early 2000s. So that organisation has been around for a while. They have a spec called Decentralised Identifiers or DIDs. I think they have a working group that promotes a globally unique distributed identifier that’s highly available and cryptographically verifiable in a blockchain. That’s one to look at.

They also have WebAuthn, which used to be a group. Now, I think it’s a standard as far as I remember. And essentially, it’s an API to create and use public key credentials – so PKI concepts – in web applications and browsers to promote stronger authentication for users. So WebAuthn is definitely also another powerful standard in this space.

And then you also have another organisation called Hyperledger, which is run by the Linux Foundation, and they also have multiple specs in this space and standards around key management and digital identity blockchains. And you may have heard of them obviously with the various projects they have ongoing.

And then you have the OpenID Foundation with its OpenID Connect, which helps build an identity layer that builds authentication on top of OAuth 2. They obviously are not in the whole decentralised ID space but the concepts that the OpenID Foundation has come up with in its OpenID Connect are definitely helping pave the path for future standards in the decentralised ID space.

So there’s definitely a few of them around and I think there’s a list published that you can access if you just do a quick Google search for Open Standards in DIDs, then you might be able to find all these lists.

Oscar: Good. So, there are some standards that are specific to decentralised ID and some others that are being used as building blocks in specific solutions. As you mentioned, there are a few of those, so there might be some more consolidation in the future related to these standards.

Sid: Yes. I definitely expect that.

Oscar: Excellent. So, I would like to hear now some more concrete examples in which use cases, being more specific, can benefit with decentralised ID.

Sid: Yes. So, when you’re talking about use cases, whether you’re talking about decentralised IDs or centralised IDs, the use cases have always been pretty much the same. You have things like authentication, enabling secure connection between two parties – whether those two parties are just users or machines or perhaps a user and a machine combination. You also have applications around the verification of identity attributes, use cases around key management… These applications sort of cross pollinate, as I said, between the centralised world and the decentralised world.

One of the major advantages that decentralised IDs can offer is that it gives that control of that digital identity back to the user. And that’s an important concept in decentralised ID, you may have heard this whole concept around self-sovereign identity.

And that’s definitely going to be the way of the future because as data breaches become more and more common, even large organisations would actually benefit from essentially outsourcing their identity management piece and giving the control back to the users. Because they don’t want to bear the burden of maintaining the security behind these identities. So I think those are some of the use cases that might pop up.

And there’s obviously some pain points associated with how we approach this and obviously the industry standards are helping to solve these pain points. But there’s right now just way too many standards out there as I talked about, so we just have to figure out which of the standards are ones that are very much universally applied all around the industry and used across the board.

Oscar: Going a bit more into what Remme is doing. I know that you use, for instance, a PKI – Public Key Infrastructure – in part of your solution. So that’s something that we recently talked about in one of the previous episodes, we had DigiCert talking about the world of certification authorities. PKI is one concept that is common between Remme and them. So why and how is Remme using PKI?

Sid: Yes. PKI or, as you said, Public Key Infrastructure, is a very core component behind identities. If you think about it, PKI is what enables a digital representation of identities today. And it does that primarily in the form of digital certificates. The certificates are issued by a bunch of organisations called Certification Authorities. As I said, I used to work for GlobalSign and I think you mentioned in your last episode you spoke with DigiCert. These are Certification Authorities, and these are organisations who have worked with the web standards to make our websites secure for us for the longest time. So, every time you see an HTTPS page or that padlock icon on your browser, you know that there’s some kind of PKI at play behind the scenes.

So Remme’s ultimate goal is to make the entire model of PKI itself decentralised. You see, the current PKI model is very much centralised in nature with its pyramid hierarchy structure. You have that single entity on top, which is the root CA, then they have multiple intermediate CAs, and then you have some issuing CAs underneath that and then you have the certificates coming off those issuing CAs. So, it’s very much like a pyramid structure. And I’m not saying there’s anything wrong with it, but the design itself is very old. And if a single entity in that hierarchy is compromised, the entire network trust is actually broken down in an instant. We’ve seen a lot of this happen in the past with CAs. Examples include CAs like DigiNotar or even, recently, Symantec.

We believe that if you could use a more decentralised model of PKI, the one that we are building currently, then this trust can essentially be distributed across a network of nodes in your blockchain network. That’s what enables that decentralised trust model that we’ve been talking about. And that allows you to scale across billions of digital identities that we’re seeing pop up every day. And the traditional PKI model with the traditional standards were very good for the old, centralised economy when the world was not as connected. But we believe that, as the world sees more connectivity, the decentralised use cases will definitely be more popular and the decentralised PKI model will also have to evolve accordingly. So that’s how we use PKI.

Oscar: Those nodes that have some decentralised role or act as Certification Authority, how many would there be? Would every user need that? Who would in practice be those?

Sid: Yes, there are multiple design models around this. And some of them are around the underlying blockchain provider creating essentially a network of trusted authorities. So, in this case you’re not relying on a single trust authority, you’re creating a network of trusted authorities. And these networks of trusted authorities are the ones that will be part of, essentially, a node that would be part of that peer-to-peer network. So, the number is not as relevant. We obviously would want to have definitely more than a few dozen but not so many that it reduces the speed at which transactions can be performed. Because full consensus within a given blockchain network can also be reached with as few as 21 nodes, for example. So, the number is not as important as long as it has that distributed nature.

Oscar: Who would they be in practice? I guess it depends on which network we are talking about.

Sid: It all depends on the network. It could be – in certain networks, it could be banks – because people inherently trust banks. So banks could be set up as one of the nodes. In the digital identity world, CAs could actually be one of the nodes, IAM companies who have been dealing with identities at scale for a long time could be one of the nodes. So, anybody who would like to participate in that network and be that node could essentially be one as long as they have a genuine reason behind it and a way to help the community.

Oscar: Government institutions or education institutions as well?

Sid: Yes. Obviously there are certain blockchains where certain government institutions would also be part of that node network. But the traditional idea behind government is also very much a centralised design in nature. So I’m not entirely sure how that would work out but in certain countries, I think in Finland or even in Estonia, there’s a lot of focus on government-issued IDs, so in that case yes, certainly. But in certain countries like the US, where each state has its own regulations around identities, I don’t think the government would play a huge role, especially because we have different governments for federal and state.

Oscar: Exactly. Very interesting. To understand Remme’s solution, could you give us an overview of what is Remme’s solution?

Sid: Yes. So, what we focus on Remme is really multiple things. The first thing, as I said, we’re trying to build out a decentralised PKI system. That’s the underlying blockchain layer that would allow us to, essentially, create transactions and verifications in our blockchain and allow the distribution of distributed decentralised PKI certificates out to entities. And these entities could be users or could be machines and whatnot.

But we understand that managing all these certificates is also a bigger pain point for most companies so, at Remme we also have a non-blockchain product that we call Keyhub. And Keyhub allows organisations to manage their digital identities, essentially certificates, all in one place for machines and users and that allows them to keep track of these certificate assets within the company and perform automations on the renewal of those identities behind the scenes.

And we also have another product called Auth, which allows people to use decentralised identities to log on to different applications with a single touch of a button, without a password.

Oscar: Passwordless authentication service.

Sid: Yes, essentially.

Oscar: Excellent. So, you also combine the centralised identity with a decentralised identity for some of your customers when they’re required.

Sid: Yes, exactly. We have worked on a few pilots and a few projects where we’ve combined the traditional IAM systems together with our decentralised Auth application, and that allowed us to create a use case where we still ended up using some traditional technologies because of compatibility and also tied them into the decentralised world. That’s how we believe most projects will be handled, at least in the next few years, until blockchains can be independent.

Oscar: Yes. So you also have this authentication service. And a potential problem that comes to my mind for blockchain-based identity is identity recovery. What happens if I lose my credentials?

Sid: That’s interesting. One of the projects we worked on was with BMW, and that was actually one of the questions they had asked. The way we envisioned a recovery process for a blockchain-based identity to work is through a concept of social recovery.

Let’s just assume for a second that a digital representation of your identity, your digital identity, is stored on a secure chip on a mobile device which, by the way, is one of the use cases that we have had quite a lot of success in. So, during the registration process you, as the user of this decentralised identity, would assign a certain board of trustees, essentially a network of family or friends, as somebody who can enable you to recover your identity in the event of loss. And whenever that event is triggered, because of loss of the mobile device or maybe theft, then the nominated users or trustees – that you as the user assigned – would help you essentially recover and replace your identity in the system.

That’s how we envision this happening and then obviously once your identity is restored, you can go back and enable your new identity on the new device and start using it with old applications. This concept has also been described in the DID spec from W3C. So, for those who are interested in learning in a bit more detail how this might work, the spec has a bit more information about this.

Oscar: Now, we would like to think of the future, because decentralised ID is still not mainstream at this point, but as you see in internal standards – there are a few standards or organisations who are trying to lead the standards in parallel and that will converge at some point. What else would you see in the future? Let’s say three or five years from now. What would you say about decentralised ID?

Sid: In the future, obviously our digital interactions will evolve quite a bit. Because the world is becoming more and more connected, trust will play a huge role in this. And the use of digital identity in such a distributed world would be very fundamental. So, the way the decentralised ID would work in the future is by having a digital identity that’s owned – essentially managed or controlled – by the individual themselves. And then, allowing that individual to interact with participating third parties, where the user can use that identity while still keeping control of the identity, and the data associated with this identity, with themselves.

We envision a world where people and their devices will seamlessly interact with other devices and organisations with trust established easily and where people can actually gain access to services just by showing their digital IDs whether their services are financial services or government services or e-commerce, health or any other service.

I talked about the BMW use case – and let me talk a little bit about that because it might give an idea of how this might end up working. BMW wanted to work on a use case where they wanted to enable a decentralised ID use case for their car owners. The pilot that we did with them showcased essentially a couple of digital interactions that BMW wanted to prove. And one was essentially assigning a digital ID to each car owner so that, in this case, not only the car itself has a digital ID or digital passport, but the car owner also has a digital ID.

And the second was enabling the car sharing economy and then allowing digital interactions to happen with this ecosystem. And the way Remme helped out was by provisioning a distributed identity for each user – for each car owner – and then allowing that car owner to create separate digital IDs or distributed IDs for the car sharing concepts. So, if I wanted to, for example, rent out my car to my friend for a weekend, I can create that decentralised ID for him just for the weekend. My friend can come to my house, pick up my car – because that ID would enable him to essentially authenticate with the car – and then drive it around for the weekend, come back, park it back at my place and then go back to his place. So these are concepts that BMW wanted to work on. And these are concepts that I’m talking about. The future digital interactions will be very seamless like this.

And obviously, as far as the co-existence of standards and authentication methods that we have enabled in this digital identity ecosystem so far, those will continue to exist. You’re probably familiar, Oscar, with standards like OAuth and OpenID Connect, and FIDO. Those will still continue to coexist along with DID –or distributed identities– because not all systems in organisations will just seamlessly jump to the newer standards overnight. So backwards compatibility is very important and will continue to exist.

We’ll continue to see this standard secure communication with third parties very well into the future whether we’re communicating to a user or a machine. Obviously, the design, the architecture, and the way we do that will evolve over time and so will the standards. But it’s important for organisations to keep an eye out for these updated standards so that they can understand how things within their organisation might also have to evolve in the future.

Oscar: Yes, I couldn’t agree more. The standards are so important in order for any of these initiatives, any technology, to be successful and widely accepted. I also like the example you gave about car sharing, that was very illustrative, I would say. You can share your car with your friend for the weekend and not just as it is today – I give you the key and I trust, good luck, don’t break it, etc. – but also with this accountability of creating an identity for him with a specific timeframe and the authorisation. That’s an excellent example and I definitely like a lot all that you have told us about decentralised ID.

Final question for you is if you can give us, to anybody, a tip to protect our digital identity.

Sid: I can definitely go on and on about this question because we’ve all been following the tips from our governments on proper social distancing protocols during this COVID-19 crisis. We all need to practice very similar protocols when interacting with anything digital these days.

I think the first thing I recommend to anybody is to just start making a list of your interactions with identities. Just make a list of all areas in your personal and professional life where digital identity might be at play. Obviously, it goes without saying, when you are making this list do not write down your passwords on a piece of paper to keep track of them. Just make a note of these identities and how many websites and places where you use these identities.

And then you can group and sort this list by keeping the items that are of the most importance at the top of the list. Things like bank IDs, government IDs, tax IDs and stuff like that, and the login credentials associated with those. Definitely give those higher priority. And maybe, you can also filter out your login IDs for your news website, for example, where you don’t have a lot of data, you don’t have credit card or potential information that the bad guys can actually steal, you don’t have all of that. Separate those out, and what we’re trying to do here is essentially separate your high-risk identities or interactions from your low-risk interactions.

And the third tip I have is: if you are still using passwords, think about switching to a two-factor authentication method. Most of these are offered by websites today and you can also see if you can use some sort of identity and access management system. Most organisations, if you’re working for one, have some sort of IAM system enabled for users to access their applications with. So definitely, try to see if you can use some of these.

There are also password managers. People use them a lot. I know a lot of people that use them. I’m not a big fan of password managers, to be honest, I don’t use one. But if you do use one, just ensure that your master password is absolutely strong. It has to be kept very, very strong. And there are also concepts or tools like FIDO-based YubiKeys that you can use for two-factor authentication.

There are a lot of these available out there in the market. And remember, protecting your identity is, at the end of the day, your responsibility. Sure, you use all these digital services and you expect them to protect your identity for you, but I believe that organisations can only do so much. You take the necessary precautions on your end so you can definitely minimise the damage that data theft can cause for you as a user.

And if you still don’t know how to go about this, you can always reach out to a professional within your network. Perhaps somebody on LinkedIn who is talking a little bit more about digital identities; perhaps send them a message on how you can make these concepts work for you. Those are some of the tips I can offer anybody today.

Oscar: Quite a lot. Thanks a lot, some are very simple but we are reminded that we humans are often the weakest point behind this amazing technology that we have. Again, thanks a lot, Sid. It was great talking with you. Could you tell us how we can find you if someone wants to get in touch with you or learn about what you are doing?

Sid: Certainly, thank you Oscar. This was a very informative session. And yeah, for those of you who have any questions for me or want to reach out to me you can either email me at [email protected] and you can also find me on LinkedIn, just type in Sid and my last name, Desai, and I should pop up on the list under Remme. Those are the two ways you can reach out to me.

Oscar: OK. Fantastic. It was great talking with you Sid and all the best.

[Outro] Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]