Broccoli, identity, and market dynamics – an interview with Vittorio Bertocci on what is the purpose of verifiable credentials

Tuesday 30 May 2023 07:56 CET | Editor: Mirela Ciobanu | Interview

Vittorio Bertocci, Principal Architect, Okta, shares valuable insights to enhance your understanding of the relevance and potential impact of verifiable credentials in the realm of identity management.

Please tell me more about yourself and how you became passionate about working on topics such as identity management and verifiable credentials.

I have a background in computational geometry, which had no connection to the field of identity. Following the completion of my studies, I found employment in a scientific visualisation company. Unfortunately, this company faced financial difficulties during the dot-com bubble period in the US. Struggling to cover my living expenses in Milan, I sought employment at the only company still hiring, Microsoft.

At Microsoft, I collaborated with IBM on an interoperability project centred around the use of the SOAP protocol. The key to achieving interoperability, of course, lay in the realm of identity. During this time, I worked with a beta product that supported SAML tokens. My role involved catering to the needs of my customers. However, when Redmond* decided to release the product in its general availability version, they removed the SAML feature. This presented a challenge for my customer, and I had to start coding SAML support from scratch. Throughout this process, I gained extensive knowledge about identity, ultimately earning recognition as an identity expert in Italy.

In those years, I became an early pioneer of digital identity in Italy. Back then, identity was likened to broccoli—an essential but unappealing aspect. It was primarily seen as a concern for system administrators, and identity solutions were considered elusive. However, when faced with the need for Active Directory and IBM WebSphere to communicate seamlessly, relying solely on infrastructure was no longer feasible. This is where developers began to play a crucial role.

In 2003, I found myself at the intersection of identity and development, blogging about this emerging field. As one of the few individuals with hands-on experience in identity, I garnered positive attention from Redmond. Recognising the value of my skills, they invited me to their headquarters, given that I hailed from Italy.

Transitioning from a subsidiary, where tasks were mostly dictated, to the headquarters granted me proximity to the decision-making process. I engaged in conversations with those who held decision-making power. Over time, my career progressed, and I became the one making impactful decisions. This shift brought immense meaning and satisfaction to my work, making it a mission that motivated me to rise each morning.

For the past 18 years, I have resided in the US, and it has been a rewarding experience. I feel that I have made a positive impact through the subjects I have discussed.


You talked about verifiable credentials (VC) on the EIC 2023 stage, and you busted some myths surrounding VC. How would you explain what verifiable credentials are to a 5-year-old?

Verifiable credentials act as a representation of our real-life identities and the attributes we hold in our relationships with institutions and companies. Traditional technology allows us to use these relationships and express our rights and data online, but they are typically tied to specific transactions that need to be set up in advance. With verifiable credentials, we can package the relevant information in a format that users have control over. Previously, every time users needed to conduct a transaction, they had to retrieve information from both the place where they wanted to prove their identity and the source of truth for their identity. Now, we have this independent format that eliminates the need to contact the issuing institution every time.

Soon, we can expect to see widely recognised and powerful credentials such as the mobile driving license (mDL) in the US and the eIDAS in Europe. The widespread adoption of these credentials means that multiple service providers can rely on their existence. They can assume that users possess these credentials, making it easier to validate the information they contain.


Who should be incentivised to bear the costs of verifiable credentials? How can we also turn it a bit into a business model?

You're hitting upon one of the most crucial aspects. It's a multi-party cold start problem that requires reliable credentials from trusted authorities. As more processes transition from the cloud to devices, a significant level of trust becomes essential. We need powerful wallets that are universally accessible and trusted by issuers and verifiers. Creating these wallets goes beyond interoperability; we also need robust security measures and the ability to revoke access promptly, for example when dealing with transactions from countries under embargoes.

Verifiers need to invest in validating these verifiable presentations. However, until there are viable credentials and wallets with compelling features, they lack the incentive to do so. This cold-start problem creates a deadlock, and it can only be resolved by introducing a non-profit entity into the equation.

Enter the government—a force that must empower its citizens to exercise their identity without invasive surveillance. Governments have already handled this process on paper and plastic, so it's only natural to extend it into the digital realm as our lives increasingly shift online.

To address this, a metaphorical comparison can be made to railways built by the government. They bear the initial cost and run the first trains, but private companies are allowed to operate their wagons on the same rails once built. The private operators wouldn't have built their rails; they exist because the government laid the foundation.


Could the state getting involved in creating these digital identity infrastructures enable mass surveillance? Centralisation vs. decentralisation.

People often make grand proclamations and slogans regarding this topic. The popularity of this subject lies in its susceptibility to catchy sound bites, such as ‘the user is in control’. However, the reality is more complex. It's important to remember that government comprises multiple institutions and operates at various levels. This raises questions: do we need to duplicate information across multiple agencies, or can we consolidate it in one place? Once people have access to information they can use as verifiable credentials, we can enhance the overall system. Nevertheless, it depends on the context.

Regarding multiple government agencies, the approach depends on the situation. For example, when I visit a government institution to get married, sharing my birth date and place with them is reasonable, as it is relevant to the transaction. However, if my internet service provider intercepts my traffic, determines my age, and serves targeted ads based on that information, it becomes an unjustifiable party in the middle.

Consider the ability to obtain government credentials and use them outside of governmental contexts without the government's knowledge. For instance, in some countries decision-makers call for stricter age restrictions on adult content. The current method of a simple checkbox to confirm age lacks due diligence, allowing minors to easily access inappropriate content, potentially leading to legal consequences for companies.

Verifiable credentials offer us the opportunity to be more specific about whom and when we share information without involving the government. However, we must also be realistic about the data we share. Take the property of unlinkability, where I can visit two entities using the same credentials without enabling collusion between them. While this is possible when sharing something as simple as my age with a different identifier, most online activities require more data. For instance, if I buy shampoo from one place and a comb from another, I need to provide both places with my address for shipping purposes.

Therefore, if we put immense effort into making a protocol unlinkable but end up with a recognisable identifier in the pipe, it defeats the purpose. We can make use of this principle if it doesn't impede our abilities or hinder deployments. It requires a level of pragmatism that is currently lacking as people tend to think in theoretical terms. That's why it's crucial to expedite the development of a practical wallet that people can use, allowing us to learn what works, and what doesn't, and identify potential risks.


What is the impression so far of EIC?

I always enjoy attending EIC; it's one of my favourite events. During the KuppingerCole presentation, they shared insightful perspectives on decentralised identity. As you might have gathered, I approach some of the grand claims with scepticism. However, it was fascinating to learn that individuals are interested in learning about this technology, while companies seem more reserved. In fact, 45% of companies ranked it as a low priority, mainly because many consider it to be principled without a clear business model.

I don't have a blind allegiance to any technology. My involvement extends beyond discussions—I actively assist customers and product teams in delivering practical capabilities. Instead of adopting technology simply because it's deemed ‘hot’ by Gartner or others, I believe it's crucial to identify specific problems and assess whether technology can genuinely address them. This mindset ensures a more effective approach.

Over the years, I've witnessed numerous instances where technologies rise and fall. As a reminder, my car license plate bears the name ‘WS Star’, which refers to the collective term for all the security protocols we once used. Now, they're mostly forgotten. This serves as a reminder that what appeared to be revolutionary at the time eventually becomes obsolete. These technologies eventually faded away because many assumptions were made by experts conversing amongst themselves, without considering market dynamics.

I'm not here to convince anyone. My primary focus is to empower users to navigate their lives securely and privately. We, as security experts, may believe something is essential, but until we put it in the hands of users, we won't truly know its impact. That's why I strive to maintain a neutral stance and allow the real world to have a say. It's not just about making money; it's also about developers' comfort, understanding, and the security threshold we need to meet. If we approach it recklessly, we risk breaches and natural selection in the competitive landscape. While we must engage in thoughtful analysis, we can't assume we know everything. We need to release solutions to the market and observe their outcomes.


* Redmond, Washington, is well known as a centre of technology and the location for a number of nationally known high-tech companies. Among these are Microsoft, Nintendo of America, Amazon Kuiper, Meta, Astronics, and Stryker.

This interview was recorded during the European Identity and Cloud Conference 2023 (EIC 2023). To delve deeper into the event and gain a comprehensive overview, we invite you to explore our detailed event summary.


About Vittorio Bertocci

Vittorio Bertocci is a Principal Architect at Okta and host of the Identity, Unlocked podcast. A veteran of the identity industry, with more than 20 years of hands-on experience, he helped usher in the claims-based identity era with his work on identity for developers at Microsoft, Auth0 and Okta. Vittorio is a speaker, educator, and published author. He serves on the board of directors of the OpenID Foundation.


Keywords: verifiable credentials, digital identity, decentralized identity, digital wallet, data privacy
Categories: Fraud & Financial Crime
Companies: Okta
Countries: World