Digital Identity or: How I Learned to Stop Worrying and Love Web3

by Thomas Mann

Digital Identity in Web3: An Introduction by Thomas Mann

In this presentation, Thomas Mann, a consultant and software developer at CGI Federal, provides insights into Web3 and its implications for digital identity, particularly for Ruby web developers. He introduces the concept of self-sovereign identity and advocates for new protocols that empower users while enhancing data privacy and security. Mann's analysis critically assesses Web3, suggesting it often features overhyped technologies but also uncovers valuable opportunities.

Key Points Covered:

  • Understanding Web3: Mann explains that while Web3 promotes a new architecture for web applications through decentralized protocols and blockchains, it is essential to approach the term critically due to the hype surrounding it.
  • Definition of Digital Identity: Digital identity refers to the information that computer systems use to represent the identities of individuals, organizations, or devices. Mann emphasizes the need for machine-readable attributes for verification and security.
  • Importance of Digital Identity: For developers, digital identity is crucial for enhancing user experiences, managing identity and access, and ensuring organizational security in an environment laden with cyber threats.
  • Categories of Digital Identity:
    • Personal Identities: Trust derives from government-issued physical identifiers.
    • Organizational Identity: Related to businesses and incorporates various digital identifiers.
    • Software Bots and AI Agents: Trust for software bots relies on open-source code review, while AI agents operate with autonomy in task execution.
  • Digital Trust Models: Mann introduces the 'Trust Triangle' model involving issuers, holders, and verifiers that enhance accountability and verifiability of identities (e.g., using digital credentials).
  • Decentralized Identifiers (DIDs): DIDs allow users to create and manage their own identifiers, reducing reliance on centralized authorities and enhancing user control over their data.
  • Emerging Tools for Developers: Mann is developing libraries like DIDX to simplify the integration of self-sovereign identity protocols within Ruby applications, aiming to enhance privacy and security effectively.
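
The Trust Triangle and DID points above, worked through as an added Ruby example (not code from the talk or from DIDX). It assumes a flat claims hash, an RSA signature over sorted-key JSON standing in for the proof formats of the W3C Verifiable Credentials specification, and constructed `did:example` identifiers; all function names are hypothetical.

```ruby
require "openssl"
require "json"

# Constructed sample identifiers (did:example is a placeholder method).
ISSUER_DID = "did:example:dmv"
HOLDER_DID = "did:example:alice"

# DID syntax: did:<method-name>:<method-specific-id>
IDCHAR = "(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
DID_PATTERN = /\Adid:[a-z0-9]+:(?:#{IDCHAR}*:)*#{IDCHAR}+\z/
DIGEST = "SHA256"

def valid_did?(did)
  DID_PATTERN.match?(did)
end

# Sorted keys so issuer and verifier sign and check identical bytes.
# Assumption: flat claims only; real credentials use a proper canonicalization.
def canonical(claims)
  JSON.generate(claims.sort.to_h)
end

# Issuer: signs the claims it makes about the holder.
def issue(issuer_key, claims)
  sig = issuer_key.sign(OpenSSL::Digest.new(DIGEST), canonical(claims))
  { "claims" => claims, "proof" => sig.unpack1("H*") }
end

# Verifier: checks the credential offline against issuer keys it already trusts.
def verify(credential, trusted_issuers)
  claims = credential["claims"]
  return :malformed unless claims.is_a?(Hash) && credential["proof"].is_a?(String)
  return :malformed unless valid_did?(claims["issuer"].to_s) && valid_did?(claims["subject"].to_s)
  pub = trusted_issuers[claims["issuer"]]
  return :untrusted_issuer unless pub
  sig = [credential["proof"]].pack("H*")
  pub.verify(OpenSSL::Digest.new(DIGEST), sig, canonical(claims)) ? :valid : :bad_signature
rescue OpenSSL::PKey::PKeyError
  :malformed
end

ISSUER_KEY = OpenSSL::PKey::RSA.new(2048)
TRUSTED = { ISSUER_DID => ISSUER_KEY.public_key } # verifier holds public keys only

# Holder: stores the signed credential and presents it later, unchanged.
CREDENTIAL = issue(ISSUER_KEY, { "issuer" => ISSUER_DID, "subject" => HOLDER_DID, "over_21" => true })
```

The verifier never contacts the issuer: any change the holder makes to the claims, or a credential signed by a key outside the trusted set, is rejected locally.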

Conclusions and Takeaways:

  • Developers are encouraged to be proactive about digital identity systems, ensuring user data is managed with enhanced privacy and security considerations.
  • Mann highlights the potential for digital credentials and self-sovereign identity to revolutionize how users interact with services across the web, paving the way for a more secure digital landscape.
  • The talk advocates for collaboration within the developer community to embrace and implement these emerging standards and protocols effectively.

By understanding and utilizing these concepts, developers can lead the evolution towards safer and user-centric digital environments.

00:00:05.319 Thanks everyone. My name is Thomas Carr, and I'm a consultant and software developer with CGI Federal. We're a US government-focused IT contractor and a cleared defense contractor, housed under a much larger global IT consulting firm called CGI. More specifically, I work on a product team in the Emerging Technologies division called Secure Data Fabric. It's a cross-domain data sharing solution using some Web3 technologies.
00:00:18.000 As a web app developer, I've had to dive into some of these technologies for my day-to-day work. I'm here to present to the Ruby community that my fair assessment of Web3 is that some of it can be considered nonsense, though there are interesting aspects to explore. This presentation is titled "Digital Identity, or: How I Learned to Stop Worrying and Love Web3." It will serve as a Ruby-flavored introduction to concepts surrounding self-sovereign identity.
00:00:43.600 A little about myself: I went to the University of Tennessee, but I did not study computer science or anything related. For about five years, I worked in various non-tech roles, such as sales, marketing, and operations, before doing a software boot camp in 2020. I ended up in a Ruby on Rails API development role at a regional textile manufacturer called MWW. Shout out to the MWW past and present in the room! Eventually, I managed the IT department there for about six months during the company’s transition to new leadership before landing at CGI Federal in Knoxville, Tennessee.
00:01:43.079 This will be the only slide I specifically dedicate to the term 'Web3' because it’s not a term I'm passionate about defending. Simply put, it advocates for a new architecture for web applications, utilizing technologies like decentralized protocols, blockchains, distributed ledger technologies, and token-based economics. However, I find that two out of the three of these aspects are largely suspect and overhyped. Starting with things like blockchains, they certainly have some use cases, but we’re using them for specific purposes, which is not the focus of this talk.
00:02:13.240 In my view, a term like 'Web3' belongs next to 'Cloud' as a buzzword that consultants and institutional capital use to hype their products. These technologies tend to be oversold while attempting to push into the hands of everyone, even though they may not be suitable for everyone. Over time, the right use cases will emerge. What I'm discussing today is digital identity, an element extracted from the Web3 stack that I believe could be particularly useful for Ruby web app developers.
00:02:48.000 We'll look at some basic definitions regarding digital identity, why I think it's important, and how we can improve digital identity systems within our Ruby web applications. So, what is digital identity? To be upfront, I sourced this definition directly from the first paragraph of Wikipedia on digital identity: it refers to information utilized by computer systems to represent external identities like people, organizations, apps, and devices. Digital identity systems often need to be machine-readable, meaning that the attributes we provide to software systems must be readable and parsable by software.
00:03:29.680 This entails having some sort of endpoint to verify authenticity and ensuring secure handling of personal information or confidential company data. Throughout this talk, I'll advocate for new standards for digital identity, which include using open interoperable standards that enable portable digital identity, employing privacy-preserving protocols, and facilitating context-dependent digital identity. The latter means users can provide attributes based on the context they are in.
00:04:06.520 I want to break down what I see as four major categories of digital identity, particularly relevant for us as software developers. First, we have personal identities, which pertain to human users of our applications in a one-to-one relationship, where the source of trust derives from government organizations that issue physical identifiers like birth certificates and driver’s licenses. Digital verifications may also utilize unique identifiers like biometrics.
00:04:40.200 There’s also organizational identity, which may refer to a business or simply a group of people. For businesses, digital identifiers might look like tax IDs, while physical identifiers could include office locations and employees. A business without employees or physical spaces raises suspicion of legitimacy. Digital identities can also encompass the digital marks and branding of the company.
00:05:21.799 Next are two important categories for digital workers or software identities. On one end are software bots that automate processes on the internet, where trust might be established through open-source code that can be reviewed. If not open-source, then trust is placed in the organization operating the code. For less secure systems like CAPTCHAs, users submit their form data directly.
00:06:05.760 On the other end, we have AI agents, a category that is gaining prominence. These generative AIs work autonomously online, performing tasks similar to traditional software bots. Trust in this context comes from underlying algorithms and data, though currently, users do not have visibility into how these systems identify themselves on the internet.
00:06:32.760 As developers, we commonly deal with human identities, particularly in consumer-facing applications or enterprise systems. Enterprise identities are stored in systems like Active Directory, incorporating authentication identifiers, roles, team allocations, and HR information. Additionally, people have multiple social identities across various online platforms, presenting complexities around privacy and what information is shared.
00:07:00.960 Thus, why is digital identity particularly important for web app developers? Looking at my GitHub profile, it contains information about my name, unique username, workplace, location, linked websites, and the content I interact with and generate. This information can be linked back to forms filled out during sign-up processes—forms we, as web app developers, frequently create. The convenience of these forms allows users to provide their information repeatedly across different platforms, but it often leads to user frustration as they fill out the same details multiple times.
00:08:02.679 Moreover, the tendency for web applications to create unique user experiences relies on identifying users—typically using email or, in enterprise applications, mechanisms like SSO. These unique identifiers enable session management and data personalization for users. As federal IT contractors, we often think about identity and access management (IAM), which determines user privileges within systems, crucial for maintaining organizational security.
00:09:01.199 As applications expand, user data scales significantly, presenting a dilemma with increased cyber threats, especially regarding data leaks across web and enterprise applications. I highly encourage developers to sign up for services that help them monitor if their own information is compromised online; often, users find their personal data is being sold on the dark web. This raises security concerns and demonstrates how essential it is to consider safe practices regarding user data management in our applications.
00:10:05.599 The implications of digital identity systems are paramount. We can improve digital identity in our Ruby web applications by introducing concepts like self-sovereign identity, which means empowering users to manage their own data through new protocols, typically using what's called digital credential exchanges. This novel approach fosters a change in how digital trust operates on the web.
00:10:37.800 One concept is the Trust Triangle model, which involves an issuer, holder, and verifier. The issuer (a trusted authority) might utilize something like a digital driver's license. For example, when you go to a DMV, you provide proof of residence and identification, and they give you a signed digital credential. You can store this credential in your digital wallet and present it wherever necessary, such as in a bar when you need to prove you are over 21.
00:11:17.799 Digital credentials offer unique advantages, allowing users to choose what data they share. A verifier, like a bartender, can independently verify the credential's validity using digital signatures and cryptography. The W3C is developing an open specification called the W3C Verifiable Credentials Data Model, which has matured significantly. It enables a theoretically tamper-evident and verifiable structure for claims regarding an individual's identity.
00:12:00.520 For example, if a university issues a digital diploma as a credential, that student can store it in their Apple Wallet. When applying for a job, they don't need to reach out to the university for verification; the employer can verify the credential independently, reducing friction in the hiring process.
00:12:39.798 In the wild, developers might implement these verifiable credentials using JSON-LD. These metadata frameworks help well-structured and robust claims ensure the verifier understands the credential structure. For example, a simple claim might assert, 'I am an alumni of a given university.' This claim would include the necessary cryptographic proof to establish its authenticity.
00:13:23.200 Decentralized identifiers (DIDs) are also an essential part of this evolving system, allowing users to create and manage their own identifiers independent of centralized authorities. DIDs, defined by a global URI-like structure, resolve to DID documents, providing users with control over their digital presence.
00:14:01.799 With these protocols, users can choose how and where their data is stored and accessed, meaning less burden falls on developers to manage sensitive user data. There are numerous applications of self-sovereign identity, including data exchanges between federal agencies or proof of identity in peer-to-peer communications on platforms like LinkedIn.
00:14:45.000 In my work, we're leveraging this model for secure inter-agency data sharing. We aim for verifiable and secure data exchanges among federal entities, improving the overall efficiency while preserving user privacy. Additionally, AI is a new frontier for digital trust where users demand to verify the authenticity of who they're interacting with—whether it's a bot or a human.
00:15:30.799 One exciting aspect of emerging digital identity protocols is that they facilitate the verification of identities for both bots and humans. This enhances the security and accountability of interactions, thereby drawing more users to digital platforms. As developers, it is vital that we remain aware and proactive regarding digital identity systems to ensure we are prepared for future demands in this space.
00:16:20.760 To assist Ruby developers, I'm working on libraries to facilitate this transition towards implementing self-sovereign identity in applications. My goal is to create solutions similar to existing libraries, integrating self-sovereign identity capabilities into Rails or Rack applications seamlessly. This initiative, dubbed DIDX (DID Exchange), aims to offer tools for parsing decentralized identifiers while preparing a separate gem for managing verifiable credentials.
00:16:58.240 Although the field is still in its infancy, experimenting with existing tools like Microsoft Authenticator’s identity wallet can provide useful insights on how these systems could be integrated. The future of digital identity in Ruby applications looks promising with the right resources and collaboration.
00:17:39.020 Thank you for listening, and I encourage everyone to think critically about how we manage user data and enhance privacy and security within our systems. By exploring these ideas and engaging with new protocols, we can pioneer an evolution in web applications, pushing towards a digital landscape that values both user autonomy and security.
00:19:45.000 That's all for my talk. Thank you.