An Introduction to Self-Sovereign Identity with Northern Block CEO Mathieu Glaude
Jessica Galang: Hi, I'm Jessica Galang, the content editor here at Georgian. Welcome to the Georgian Impact podcast, where we explore trends that matter to tech startups. To that point, we'd be remiss if we didn't talk about Web3, an idea for the next generation of the internet, based on blockchains. It's getting a lot of buzz right now, if you haven't noticed. A big part of Web3 is giving users control over their own data, including their identity. Today, we're going to break down this concept of self-sovereign identity. Sovrin, a leading organization in this area, explains that SSI is the idea that an individual should own and control their identity without intervening administrative authorities. Digital wallets, for example, could let people prove their identities securely without sharing more data than they want with other parties. What does that mean, and why does it matter, what needs to happen to make it happen? We'll be chatting with Mathieu Glaude, CEO of Ontario-based Northern Block. Northern Block enables organizations to build digital trust platforms, a key building block for SSI use cases. Mathieu, thank you so much for joining us today. Let's jump right in. For our listeners who may not be familiar, could you explain exactly what is self-sovereign identity?
Mathieu Glaude: Yeah, sure. Thank you very much for having me here today. I really appreciate you having me on and hopefully the discussion today will be a good primer and a good introduction for folks that have been hearing about self-sovereign identity or SSI, the acronym is starting to become more and more tied to self-sovereign identity, but I'll say just off the bat, I think people tend to focus a little too much on the tech. Myself, coming from the Web3 crypto blockchain space, I think it's true in all these spaces where people just tend to get too caught up on the tech, but really what we're talking about when we're talking about self-sovereign identity, it's about enabling digital trust, right? Which, and digital trust is a subset of digital transformation for organizations. It's a piece of that, right?
Jessica Galang: Tell me more about what you mean by that.
Mathieu Glaude: It might make sense just to take a step back and talk about digital trust in general. And that in itself is a very high level idea so let's just break it down a bit. And so when we talk about trust, generally speaking, we're going to focus on a relationship between you and I or a relationship between two parties, two entities, could be a person, a business, it could be an IOT device, but a relationship between two parties. And so for example, I have a full-time job at Northern Block, and there's a trust model between Northern Block and its employees like myself. And so I'm talking about the relationship here between two parties. And so in case of a business to business transaction, we typically tend to develop relationships through human interaction, okay? We find each other's businesses, we're going to either become a supplier or a customer, then we tend to have some mechanism by which we formalize a relationship. And this mechanism, we call it contract, and contracts are everywhere in life, right? That's one of the key mechanisms we have in society for establishing formal relationships and defining the boundaries of these relationships. And if something goes outside of those boundaries, it's governed by the contract. That's kind of the first point here and I'm just shifting topic a little bit and still under the digital trust umbrella, but shifting a little bit, the concept of personal identity. Personal identity is given to you by the government in a lot of ways. That is in the administrative sense, not your philosophical sense of being and who you are, rather, the fact that I could say my name is Mathieu Glaude and this is my age and so forth, right? These attributes or characteristics of myself have been attested by the government based on their administrative process of registration and their authority to manage all of that. In the same way for businesses, we have business registries and they have a process for creating legal entities.
It's these sources of truth or these administrative authorities which allow us to enter into contracts. And so back before these things that we use every day to do everything, we call computers, before these were around, it was difficult to create or recreate these documents, right? Because printing presses were big and expensive and there were techniques that could be deployed to prevent fraudulent copies of these happening, copying a driver's license, or doing stuff like that. And because everything like your credentials, your documents, your interactions were all in the physical world, on the physical edge. And because things happened at paper speed, the risks were kind of low in terms of wide scalability to defraud, right? You didn't have access to kind of one source or one database or so forth. And then in turn with the web, the web introduced a new actor to help facilitate these things that we actually don't have the equivalent in the physical world for. On the web, we have this idea of login, right? And so there's an intermediary between me and another person or between me and a business that I'm trying to do something with and so forth. And this intermediary, back to the legal structures and the contracts, this new intermediary has no defined role in our legal structures. There's no such thing as the login service in the Business Corporations Act of Ontario, for example, but because we have this login service, there's now sort of this middle person in between our relationships, right, which has some significant consequences. And one of those consequences is it means that none of my relationships online are confidential, meaning that they're not only known by me and the party I'm trying to interact with, which was true in the physical paper-based world. If I go to the gym or I rent a car, or I go to the doctor or lawyer or whatever, that interaction happens in private, it's not known generally speaking.
And you know what, if all of my relationships were known, then I think I would be very unhappy. I'd for sure be very unhappy. And we call that stuff surveillance, and that would be a privacy erosion. As a result, we don't have the same conditions on the web, on the internet for privacy. And by the very architectural structure of it all, there must be this login service for me to connect to another party. And by definition, it means it's not confidential. And so often as we see the information or data I exchange with the other party is subject to loss, the other party I'm talking about may gather a lot of information about me and they may not protect it well, and then it gets stolen at times. And so just wrapping up here, the whole concept of digital trust, so there's this trust model that applies to the physical world with transactions and with self-sovereign identity, we're creating the equivalent digitally now. And so we often talk about this thing called the trust triangle, you'll hear it a bunch the more you go deeper into self-sovereign identity. And we use this jargon called issuers, holders and verifiers. And they kind of make up this trust triangle, but you know what, that's exactly how it's mapped in the real world today. And we often play those roles at different times and various interactions.
Jessica Galang: The issuer, verifier and holder are the three entities that make up the trust triangle. Can you give a real world example of how this might work?
Mathieu Glaude: To give a simple example, let's use the process of onboarding a corporate customer to a financial institution. Basically just try and open a business account with a bank. And then I use this one, because this is a lot of work that we do at Northern Block is around onboarding so this one's familiar here. In this case, the trust triangle, the issuer, the holder, and verifier, we're going to say the bank is going to be the verifier, right? Because I'm going to show up at the bank store and say I'd like to open up a business account. And so they'll say great, give me some things about yourself so I could understand who I'm doing business with or who I'm working with. And so the next step, I provide my personal ID, that comes from a reliable source, this could be a driver's license, it could be my articles of incorporation, et cetera. And because they need to verify me, they need to also verify that I have delegated authority from the company. They start verifying this information and they have a business process to approve it, and when they approve it, they become an issuer. They've now turned from being a verifier in a specific use case to becoming an issuer and they'll issue me credentials to a bank account. All the while, me the individual, and me the individual representing the corporation, is what's called the holder. Again, with the issuer, the holder and the verifier, and we could play all these roles in different scenarios, but the key thing here is you'll note in this model, there's no mention of login or intermediary at all, right? My interaction with the bank is a direct and a private one, just as my relationship with whoever issues me credentials that I'm presenting to the bank is private as well. The bank doesn't know about that relationship, but I'm able to present credentials that I received from another relationship to the bank. And so at no time, the other party knows of the other relationship at all.
And so this new digital mechanism that I've been discussing here ensures that the authenticity and the origin of the digital credential being presented to the bank in this use case can be verified and verifiable without a third party being involved. And I can have a direct relationship with the entity I'm interacting with. And so this process of digital trust and self-sovereign identity of exchanging verifiable credentials is now all doable digitally. I hope the explanation kind of gives a good understanding of seeing kind of how things from the physical world were previously not possible to do online, but now through verifiable credentials, wallet technology, and blockchain technology, they're doable online.
Jessica Galang: Thanks for the rundown, Mathieu. I think it's important to get a sense of these foundational concepts of digital trust to really understand the impact of SSI. Through SSI solutions, you can verify your identity directly with your bank, for example, without third parties knowing about that relationship, but how can a bank trust your information without actually verifying it themselves through traditional methods like driver's licenses?
Mathieu Glaude: Yeah, good question. And I started off my explanation kind of talking about people tend to focus too much on the technology and so that's why I like giving kind of a primer on digital trust to just frame the whole thing, but really you need a mechanism to receive credentials from an issuing body. And the most common kind of ways that, we call these our wallets or digital wallets, right? And so there's a whole market of digital wallets that are growing, and there's a whole movement of digital wallets that is growing that aligns to emerging standards and principles because we want to make sure that in the sense of this, we're really trying to promote control and ownership of data in the hands of the holder. For that to be true, we need to move away from the previous model of, we call it often vendor lock-in where you can't really switch between platforms, right. We kind of see a little bit with the whole crypto space, how that's possible, right? If you own your private keys, you're able to kind of move your crypto around and an easy example of that is just, if I have a wallet on one crypto exchange, I could do a transaction and send some crypto to another wallet exchange, which I could use on another platform. I kind of don't have that lock-in anymore and it's similar in self-sovereign identity. And so I'm able to move my credentials between wallets if I want to, right. The big difference here between, I use the comparison with crypto, but in crypto, which I'm sure a lot of listeners here are familiar with, your crypto is sitting on a blockchain, on a distributed ledger, right? And you have the private key associated with the public key that's sitting on that ledger and that allows you to conduct transactions with that address. The architecture in self-sovereign identity is a little different. The way we use a blockchain is a little different in this architecture than crypto.
Similar to crypto, I have a wallet, in self-sovereign identity I have a wallet. I'm able to store my crypto in the wallet, right, on the crypto side, although my crypto is still on the blockchain, I'm just storing my private keys. The key difference here is that in the self-sovereign identity world, my credentials aren't sitting anywhere. Because it doesn't make sense for my information to be sitting anywhere, that's what we're trying to get away from, right? And we often talk about blockchains being decentralized. There's certain aspects of blockchains that are decentralized like the governance of the platform and the operation of the nodes and so forth, but a blockchain at the end of the day or a DLT is still a central place to store information. It makes sense for certain use cases like crypto, but for identity, it makes no sense at all. It would be a big privacy issue to want to store my PII and my personal identifiable information on a blockchain, so what do we do? We actually store it locally in a private data store in the wallet. I'm using my wallet, I have my credentials in there, I have my wallet on my phone. There's plenty of them for smartphones, Northern Block is a solution provider of wallets, we have our own wallet technology as well. I'm able to use my wallet and I'm able to have my credentials in there. My credentials are sitting on my device itself. No one sees it other than me, no one could access it other than me, no one can transact with it other than me, but they're cryptographically verifiable and they're verifiable through the blockchain infrastructure. The difference here, I was saying, it's a different model with the blockchain and the infrastructure is that when I'm presenting my credentials to a verifier, so in my first example it was the bank, the blockchain is used as a root of trust.
What that means, to simplify it a bit, is when I present my credentials, like I was talking about my driver's license or my articles of incorporation to a bank, they'll be able to query the blockchain and they'll be able to find out that what I'm presenting to them, if it's valid or not, or if it's been tampered with or not. Right. And so we source certain information on the blockchain, such as information relating to the issuer of the credential, some revocation information. It's really used to decentralize a certificate authority, which is back into the federated identity kind of sense of things. When we talk about that intermediary Mr. Login sitting in the middle rather than having Mr. Login or this intermediary, the blockchain is acting as kind of that root of trust, okay. That's kind of one piece of it. And there's technology on the other side of it too, based on the use case, if I stick with my bank example, when I present a credential from my digital wallet to the bank, I need to build a peer to peer connection with the bank. It's a direct relationship, as I previously described, between myself and the bank. And we each have to have software agents acting on our behalf that is enabling these peer to peer connections, and that's enabling us to exchange credential proofs or issued credentials between each other. The other big piece here, and we're doing a lot of work within the Trust over IP Foundation here, is to build governance models across the technology stack. Because in any decentralized architecture like this, governance is half, it's not only technology, the whole governance aspect is half and I would say the most important aspect here to make anything work. That's what we're doing at the Trust over IP to manage business, to manage legal, technology and social governance frameworks.
And so just a simple example of governance would be here is that, well, if I'm presenting a credential to the bank, we all need to be working within a trust framework where the bank trusts the issuer of my credentials, right? If I'm presenting a driver's license, they want to have assurance that when they're checking the blockchain, that it was in fact Service Ontario, for example, that issued that driver's license to me. That's where the governance kind of comes in and there's multiple layers to that, but that's an important piece to make all of this happen as well. But it all comes on to the user experience at the end of the day and so it's just... People are going to have wallets, people are going to seamlessly connect with each other and exchange credentials just like they would... Similarly they would be using another wallet app or any phone application. The user experiences are getting pretty good around that for people.
Jessica Galang: There's a lot of organizations from governments to nonprofits, to the private sector that are trying to build this ecosystem of digital trust. Are there any challenges with interoperability between these different groups?
Mathieu Glaude: Yeah. I think, again, I kind of... When I talk about governance and interoperability and all these things, the technology's not the hard part here, right? There's a lot of really cool innovations that continue to happen that are bringing more privacy respecting and secure interactions for people, but the toughest thing is outside of kind of these self-sovereign identity basics. And so there's a lot of differences, but then a lot of considerations to take when looking to kind of deploy this type of strategy, but there's generic wallets that are out there. Things are early right now, it doesn't mean that things can't start going live more and more over this month and the next month and things are going live. There's tons of activity that's happening in the travel space and the COVID vaccine verification space, but there's also on the other side, there's a lot of folks that are seeing digital transformation opportunities with digital credential solutions by being able to enable digital trust in their specific ecosystem. We're starting to see a lot more... We're working with a lot of different ecosystems here, education space is one of them, where it's very easy to understand how digitizing transcripts, for example, or grades could really help in people getting jobs or having more accessibility to things. And so there's kind of two streams, and that's what we're seeing at Northern Block is that on one side there's the public sector, which is looking to really deploy national digital ID strategies. They all tend to be leaning now, a lot of them are leaning towards the same stacks that we've built our stuff on, the Hyperledger stacks. Hyperledger and the Aries and Ursa, the government's looking to be an issuer of credentials, they're looking to enable more business to happen digitally using these trusted credentials, they're looking to reduce fraud that happens.
They're looking to create value for other countries and there's significant value that could be unlocked by having a trusted digital credential ecosystem in a country. You have the governments on one side that want to issue and want to enable these ecosystems, and on the other side, you have the private sector and there's a lot of folks, they're looking to create their own networks, or they're looking to create their own solutions for their ecosystem. And each ecosystem is different, the participants in each ecosystem are different. You're starting to see a lot more specialized use cases and specialized wallets and platforms for specific use cases that are popping up right now. And they're both going to benefit from each other. The private sector use cases that are taking off, once the governments start issuing reliable sources for government-issued IDs, they'll be able to benefit from that. There's a lot of different stuff happening. I can't talk too much about a lot of the work we're doing because I think a lot is under nondisclosure, but there's some interesting sectors. I think the ones that we're seeing the most of just generally right now, the COVID stuff is definitely real and there's a lot of governments that are mandating these checks now to get into restaurants and bars and gyms and stuff like that. There's a lot of companies building solutions for that space, specifically. Education, as I mentioned, is another space that's big. We're starting to see some more activity in the financial sector. There's also a lot of use cases of using decentralized identity or self-sovereign identity with crypto. We could get into that, that's a whole topic on its own, if we're interested in doing that.
Jessica Galang: As we've mentioned, there's a lot that needs to happen to get some of these solutions off the ground, including some participation from governments. What are some of the key challenges in getting SSI solutions into the mainstream?
Mathieu Glaude: I think having the governments involved is going to create even more momentum than exists today, but there's other considerations and I mentioned again, it's things that just fall outside of the technology. There's a lot of work and alignment that's still happening to enable, for example, interoperability between different protocols or different systems. And so that's a big thing. I think there's a lot of work happening and we're seeing this with some of the larger private sector companies that we're working with. It's just, the self-sovereign identity aspect is one thing, but then how do you scale these systems and how do we start kind of figuring out how we could create scalable and sustainable infrastructures beneath these digital identity networks or systems, right. Because if we use the vaccine checks again, we don't know how much this is going to happen, or even if you use a driver's license because it's so distributed and it's paper based, there's no data underneath it. Once this moves digital, how are we going to be able to support this and what benchmarks are we able to use to sort of plan accordingly? The whole concept of onboarding to trust networks is a whole area on its own. And we spend a lot of time on onboarding, both on the onboarding people and onboarding organizations in a federated kind of identity model or federated system. We would be relying on kind of a bank saying yeah, I am who I am or relying on some reliable party to make a claim. In a peer to peer distributed model, how does that work? And one of the key things with this whole paradigm switch is that these protocols that we're building are kind of removing the need for APIs. That's a big thing. There's been a lot more flexibility with cloud systems, but also with APIs that you can actually just integrate services into your existing systems, but with the self-sovereign identity technology, you don't even need APIs.
We have messaging protocols that allow people to kind of connect between each other. And so if someone is able to come into my trust network, I don't have to onboard them through some onboarding process. They could just come in, they could connect with me and we could build a connection and they could maybe request something. And so how do I manage that? How do I build trust in that way, right. There's challenges in the way we design workflows. Workflows and self-sovereign identity are asynchronous, kind of like an email, that I need to do something right now, issue a credential or request for verification or stuff like that. And other thing's kind of a constant flow. There's work that's being done there, too. Pretty much any serious implementation of this technology is also going to require integration to traditional IT. There's a lot of work we're doing there, too, where it's great that we're able to use wallets and credentials to do authentication or access purposes. For example, I could log into my online banking platform using my wallet and a credential, but once I actually pass that authentication, we need to be able to work downstream because enterprises have their infrastructure and we need to be able to be compatible with that. There's a ton of different things, cybersecurity is another one, data standardization is another one, data storage standards, the list goes on. Things are launching right now, but there's still... There's a lot of considerations like these that need to be taken into place when kind of designing your own solution or your own trust network. And you have great network and great connections in the SSI space, so we're lucky to be learning from the best in the space.
Jessica Galang: I'm trying to look at this from the perspective of a tech founder, what kind of opportunities could this create?
Mathieu Glaude: Sure. It is a broad question, there's a lot of stuff that we could go into on this, too. I think I'll focus on two things here. One is just the flexibility that it gives people and I'll get into that. And the second thing you kind of mentioned is the convenience or also how this could be a value creating opportunity for the regular person. And so if I kind of jump into that first one, as the world continues to migrate to these digital first solutions, COVID has definitely accelerated that. And kind of, as the common saying goes, software is leading the world, so that's true. It's leading the way at every industry. And so when attempting to kind of innovate around identity, it's common for organizations to simply create kind of replicas or replicates of physical identity methods or documents without kind of asking ourselves questions around how the properties of these digital utilities or internets could allow for a new way of doing things, okay. And so if we just use a dated example, although these are still used today, if we take the fax machine, for example, there were a lot of businesses that were... If we just go in the early days of the internet, there were a lot of businesses that were attempting to disrupt by enabling faxes to be sent over the internet. That was a thing that people were raising money and trying to do, rather than understanding what are we working with here? What are the new tools that we have? What are the standard protocols that now allow us to move bits across the internet? That maybe if I looked at that, kind of a first principles approach, I would likely have opted for a far different approach than a fax on the internet. I may have thought about chat or email or some of these other things, right? And so if we go back to this digital innovation around identity, so in the physical world, trust is often built around government-issued photo IDs.
Personal identity is given to you by the government, which is why it explains when I go to a doctor's appointment, they'll identify me through a government-issued health card. And so the thing is, does the same have to be true online? And there's a lot of companies that offer kind of OCR services that allow you to scan your driver's license. You may have had to do it before for a banking app or something like that, right? They help companies digitize driver's licenses, passports, through KYC and stuff like that. But in reality, these government IDs that we're talking about, they simply contain identifiers with some legal PII on it, but are these the same kind of identity attributes that need to be at the center of our online interactions, where I think we're seeing big movements towards anonymity and pseudonymity online?
Jessica Galang: As we move towards SSI and decentralized solutions, are we talking about building a brand new internet that people interact with or should it connect to our already existing infrastructure and networks? I know this is something you've covered in your own SSI Orbit podcast, which I encourage our listeners to check out, but I was hoping you could share some of your thoughts with us here.
Mathieu Glaude: Yeah. It's important in any new product and any time you're looking to go to market and trying to enter a space, it's always important to not try to... You're not going to throw away what's there, right? I think the benefits that the internet gives us, you could have different arguments about if they outweigh the negative stuff, but there's so much value on the internet and the ability to access information and create information and build connections. And it's caused the tearing down of kind of legal boundaries and it's creating borderless opportunities and it's enabled a whole new economy and it's continuing to grow. I said software is eating the world, that's not stopping. And so it's important not to look at this as hey, we're going to kind of tear away the old world and build a new world. I think there's a lot of kind of crypto anarchists in that space, too, that seem to have that sentiment, which you meet all sorts of people and all sorts of different opinions, but really what we're doing here... We're not building a new internet, we're building another layer of digital trust on top of the internet. That's the way it should have been built from the start. And it wasn't built that way. Certain innovations weren't there that allowed us to do this and cryptography and distributed ledger technology and stuff like that. There's a lot of that starts to work in parallel to existing systems. The majority of systems today are federated in some way or another. It's not necessarily bad, there's use cases for federated. It doesn't all have to be self-sovereign and decentralized. You should have the opportunity to choose what you want. And so we could start in parallel, really deploying self-sovereign strategies alongside existing infrastructure. They play together and it's the way to get options, too, in this stuff. It's not to tear down everything, it's just to run stuff in parallel.
And so it's really not about creating a new internet, it's just that, hey, we've come up with this now, we have the technologies to do it, we have the business, the legal, the different governance frameworks to be able to do this. We're building now this layer on the internet that is going to enable digital trust, which is not possible on the internet of yesterday.
Jessica Galang: I know we could talk about this forever, but we'll definitely have lots to cover in future podcasts. Mathieu, thanks so much for sharing your thoughts with us on SSI, it's been a really insightful chat.
Mathieu Glaude: Thanks for having me.
DESCRIPTION
Shouldn’t you own and control your identity? It is yours after all. That's the idea behind self-sovereign identity — the idea that you control your own data without intervening administrative authorities. Mathieu Glaude is our guest on this episode of the Georgian Impact podcast. Mathieu Glaude is the CEO of Northern Block and helps enable organizations to build digital trust platforms. He also has his own podcast on SSI, called SSI Orbit, which informs a lot of our conversation here.
You’ll Hear About:
● What is self-sovereign identity?
● Digital trust and what falls under that umbrella.
● How issuers, holders and verifiers make up the trust triangle.
● Similarities and differences between SSI and crypto.
● The challenges with interoperability when establishing an ecosystem of digital trust.
● What it will take to get SSI into the mainstream.
● How this might create opportunities for tech founders.