Thomas Mann
Digital Identity or: How I Learned to Stop Worrying and Love Web3

Summarized using AI

Digital Identity or: How I Learned to Stop Worrying and Love Web3

Thomas Mann • June 08, 2023 • Asheville, NC

Digital Identity in Web3: An Introduction by Thomas Mann

In this presentation, Thomas Mann, a consultant and software developer at CGI Federal, provides insights into Web3 and its implications for digital identity, particularly for Ruby web developers. He introduces the concept of self-sovereign identity and advocates for new protocols that empower users while enhancing data privacy and security. Mann's analysis critically assesses Web3, suggesting it often features overhyped technologies but also uncovers valuable opportunities.

Key Points Covered:

  • Understanding Web3: Mann explains that while Web3 promotes a new architecture for web applications through decentralized protocols and blockchains, it is essential to approach the term critically due to the hype surrounding it.
  • Definition of Digital Identity: Digital identity refers to the info that different systems use to represent identities of individuals, organizations, or devices. Mann emphasizes the need for machine-readable attributes for verification and security.
  • Importance of Digital Identity: For developers, digital identity is crucial for enhancing user experiences, managing identity and access, and ensuring organizational security in an environment laden with cyber threats.
  • Categories of Digital Identity:
    • Personal Identities: Trust derives from government-issued physical identifiers.
    • Organizational Identity: Related to businesses and incorporates various digital identifiers.
    • Software Bots and AI Agents: Trust for software bots relies on open-source code review, while AI agents operate with autonomy in task execution.
  • Digital Trust Models: Mann introduces the 'Trust Triangle' model involving issuers, holders, and verifiers that enhance accountability and verifiability of identities (e.g., using digital credentials).
  • Decentralized Identifiers (DIDs): DIDs allow users to create and manage their own identifiers, reducing reliance on centralized authorities and enhancing user control over their data.
  • Emerging Tools for Developers: Mann is developing libraries like DIDX to simplify the integration of self-sovereign identity protocols within Ruby applications, aiming to enhance privacy and security effectively.

Conclusions and Takeaways:

  • Developers are encouraged to be proactive about digital identity systems, ensuring user data is managed with enhanced privacy and security considerations.
  • Mann highlights the potential for digital credentials and self-sovereign identity to revolutionize how users interact with services across the web, paving the way for a more secure digital landscape.
  • The talk advocates for collaboration within the developer community to embrace and implement these emerging standards and protocols effectively.

By understanding and utilizing these concepts, developers can lead the evolution towards safer and user-centric digital environments.

Digital Identity or: How I Learned to Stop Worrying and Love Web3
Thomas Mann • June 08, 2023 • Asheville, NC

Thomas Mann demystifies Web3 through a Ruby-flavored introduction to the concepts around self-sovereign identity. Break through the hype and get value from decentralized protocols, blockchain technologies, and token-based economics.

Blue Ridge Ruby 2023

00:00:05.319 Thanks everyone. My name is Thomas Carr, and I'm a consultant and software developer with CGI Federal. We're a US government-focused IT contractor and a clear defense contractor, housed under a much larger global IT consulting firm called CGI. More specifically, I work on a product team in the Emerging Technologies division called Secure Data Fabric. It's a cross-domain data sharing solution using some Web3 technologies.
00:00:18.000 As a web app developer, I've had to dive into some of these technologies for my day-to-day work. I'm here to present to the Ruby community that my fair assessment of Web3 is that some of it can be considered nonsense, though there are interesting aspects to explore. This presentation is titled "Digital Identity, or: How I Learned to Stop Worrying and Love Web3." It will serve as a Ruby-flavored introduction to concepts surrounding self-sovereign identity.
00:00:43.600 A little about myself: I went to the University of Tennessee, but I did not study computer science or anything related. For about five years, I worked in various non-tech roles, such as sales, marketing, and operations, before doing a software boot camp in 2020. I ended up in a Ruby on Rails API development role at a regional textile manufacturer called MWW. Shout out to the MWW past and present in the room! Eventually, I managed the IT department there for about six months during the company’s transition to new leadership before landing at CGI Federal in Knoxville, Tennessee.
00:01:43.079 This will be the only slide I specifically dedicate to the term 'Web3' because it’s not a term I'm passionate about defending. Simply put, it advocates for a new architecture for web applications, utilizing technologies like decentralized protocols, blockchains, distributed ledger technologies, and token-based economics. However, I find that two out of the three of these aspects are largely suspect and overhyped. Starting with things like blockchains, they certainly have some use cases, but we’re using them for specific purposes, which is not the focus of this talk.
00:02:13.240 In my view, a term like 'Web3' belongs next to 'Cloud' as a buzzword that consultants and institutional capital use to hype their products. These technologies tend to be oversold while attempting to push into the hands of everyone, even though they may not be suitable for everyone. Over time, the right use cases will emerge. What I'm discussing today is digital identity, an element extracted from the Web3 stack that I believe could be particularly useful for Ruby web app developers.
00:02:48.000 We'll look at some basic definitions regarding digital identity, why I think it's important, and how we can improve digital identity systems within our Ruby web applications. So, what is digital identity? To be upfront, I sourced this definition directly from the first paragraph of Wikipedia on digital identity: it refers to information utilized by computer systems to represent external identities like people, organizations, apps, and devices. Digital identity systems often need to be machine-readable, meaning that the attributes we provide to software systems must be readable and parsable by software.
00:03:29.680 This entails having some sort of endpoint to verify authenticity and ensuring secure handling of personal information or confidential company data. Throughout this talk, I'll advocate for new standards for digital identity, which include using open interoperable standards that enable portable digital identity, employing privacy-preserving protocols, and facilitating context-dependent digital identity. The latter means users can provide attributes based on the context they are in.
00:04:06.520 I want to break down what I see as four major categories of digital identity, particularly relevant for us as software developers. First, we have personal identities, which pertain to human users of our applications in a one-to-one relationship, where the source of trust derives from government organizations that issue physical identifiers like birth certificates and driver’s licenses. Digital verifications may also utilize unique identifiers like biometrics.
00:04:40.200 There’s also organizational identity, which may refer to a business or simply a group of people. For businesses, digital identifiers might look like tax IDs, while physical identifiers could include office locations and employees. A business without employees or physical spaces raises suspicion of legitimacy. Digital identities can also encompass the digital marks and branding of the company.
00:05:21.799 Next are two important categories for digital workers or software identities. On one end is software bots that automate processes on the internet, where trust might be established through open-source code that can be reviewed. If not open-source, then trust is placed in the organization operating the code. For less secure systems like CAPTCHAs, users submit their form data directly.
00:06:05.760 On the other end, we have AI agents, a category that is gaining prominence. These generative AIs work autonomously online, performing tasks similar to traditional software bots. Trust in this context comes from underlying algorithms and data, though currently, users do not have visibility into how these systems identify themselves on the internet.
00:06:32.760 As developers, we commonly deal with human identities, particularly in consumer-facing applications or enterprise systems. Enterprise identities are stored in systems like Active Directory, incorporating authentication identifiers, roles, team allocations, and HR information. Additionally, people have multiple social identities across various online platforms, presenting complexities around privacy and what information is shared.
00:07:00.960 Thus, why is digital identity particularly important for web app developers? Looking at my GitHub profile, it contains information about my name, unique username, workplace, location, linked websites, and the content I interact with and generate. This information can be linked back to forms filled out during sign-up processes—forms we, as web app developers, frequently create. The convenience of these forms allows users to provide their information repeatedly across different platforms, but it often leads to user frustration as they fill out the same details multiple times.
00:08:02.679 Moreover, the tendency for web applications to create unique user experiences relies on identifying users—typically using email or, in enterprise applications, mechanisms like SSO. These unique identifiers enable session management and data personalization for users. As federal IT contractors, we often think about identity and access management (IAM), which determines user privileges within systems, crucial for maintaining organizational security.
00:09:01.199 As applications expand, user data scales significantly, presenting a dilemma with increased cyber threats, especially regarding data leaks across web and enterprise applications. I highly encourage developers to sign up for services that help them monitor if their own information is compromised online; often, users find their personal data is being sold on the dark web. This raises security concerns and demonstrates how essential it is to consider safe practices regarding user data management in our applications.
00:10:05.599 The implications of digital identity systems are paramount. We can improve digital identity in our Ruby web applications by introducing concepts like self-sovereign identity, which means empowering users to manage their own data through new protocols, typically using what's called digital credential exchanges. This novel approach fosters a change in how digital trust operates on the web.
00:10:37.800 One concept is the Trust Triangle model, which involves an issuer, holder, and verifier. The issuer (a trusted authority) might utilize something like a digital driver's license. For example, when you go to a DMV, you provide proof of residence and identification, and they give you a signed digital credential. You can store this credential in your digital wallet and present it wherever necessary, such as in a bar when you need to prove you are over 21.
00:11:17.799 Digital credentials offer unique advantages, allowing users to choose what data they share. A verifier, like a bartender, can independently verify the credential's validity using digital signatures and cryptography. The W3C is developing an open specification called the W3C Verifiable Credentials Data Model, which has matured significantly. It enables a theoretically tamper-evident and verifiable structure for claims regarding an individual's identity.
00:12:00.520 For example, if a university issues a digital diploma as a credential, that student can store it in their Apple Wallet. When applying for a job, they don't need to reach out to the university for verification; the employer can verify the credential independently, reducing friction in the hiring process.
00:12:39.798 In the wild, developers might implement these verifiable credentials using JSON-LD. These metadata frameworks help well-structured and robust claims ensure the verifier understands the credential structure. For example, a simple claim might assert, 'I am an alumni of a given university.' This claim would include the necessary cryptographic proof to establish its authenticity.
00:13:23.200 Decentralized identifiers (DIDs) are also an essential part of this evolving system, allowing users to create and manage their own identifiers independent of centralized authorities. DIDs, defined by a global URI-like structure, resolve to DID documents, providing users with control over their digital presence.
00:14:01.799 With these protocols, users can choose how and where their data is stored and accessed, meaning less burden falls on developers to manage sensitive user data. There are numerous applications of self-sovereign identity, including data exchanges between federal agencies or proof of identity in peer-to-peer communications on platforms like LinkedIn.
00:14:45.000 In my work, we're leveraging this model for secure inter-agency data sharing. We aim for verifiable and secure data exchanges among federal entities, improving the overall efficiency while preserving user privacy. Additionally, AI is a new frontier for digital trust where users demand to verify the authenticity of who they're interacting with—whether it's a bot or a human.
00:15:30.799 One exciting aspect of emerging digital identity protocols is that they facilitate the verification of identities for both bots and humans. This enhances the security and accountability of interactions, thereby drawing more users to digital platforms. As developers, it is vital that we remain aware and proactive regarding digital identity systems to ensure we are prepared for future demands in this space.
00:16:20.760 To assist Ruby developers, I'm working on libraries to facilitate this transition towards implementing self-sovereign identity in applications. My goal is to create solutions similar to existing libraries, integrating self-sovereign identity capabilities into Rails or Rack applications seamlessly. This initiative, dubbed DIDX, (DID Exchange), aims to offer tools for parsing decentralized identifiers while preparing a separate gem for managing verifiable credentials.
00:16:58.240 Although the field is still in its infancy, experimenting with existing tools like Microsoft Authenticator’s identity wallet can provide useful insights on how these systems could be integrated. The future of digital identity in Ruby applications looks promising with the right resources and collaboration.
00:17:39.020 Thank you for listening, and I encourage everyone to think critically about how we manage user data and enhances privacy and security within our systems. By exploring these ideas and engaging with new protocols, we can pioneer an evolution in web applications, pushing towards a digital landscape that values both user autonomy and security.
00:19:45.000 That's all for my talk. Thank you.
Explore all talks recorded at Blue Ridge Ruby 2023
+2