Self-Sovereign Identity: Interview with Tim Bouma

An interview by SSI_Ambassador a Twitter account with educational content about self-sovereign identity with a focus on the European Union. The SSI_Ambassador account is managed by Adrian Doerk and the interview was conducted as part of Adrian’s Bachelor’s thesis. I have asked Adrian’s permission to post this material and he has graciously granted me permission. The post is a lightly edited version of the interview transcript. The interview took place in September 2020.

Note: All views and opinions expressed are mine only and do not represent that of my employer or organizations with whom I am involved.

Photo by Lili Popper on Unsplash

The growth factors of Self-Sovereign Identity Solutions in Europe”

Adrian Doerk: My research question is concerned about the growth factors of self-sovereign identity solutions in Europe. You as somebody who is very familiar with the topic of SSI, what would you think about, when you read the term growth factor of self-sovereign identity, what comes to your mind?

Tim Bouma: I believe the main growth factor is going to be adoption by users and it has to be really easy. Another growth factor is that SSI will need to be part of an infrastructure. I’m not sure if SSI is viable being marketed as a separate product because I don’t think end-users really understand it. The growth factor is going to be similar to plumbing — some additional standardized capabilities that we need to build. It will be as exciting as buying a 1/4 inch washer and bolt. It will just be part of the infrastructure and the demand will be from higher-order products not for SSI itself. I’d say most people won’t even know what it is, nor should they know about it. It’s not that different from the markets in the early days of PC networking. Remember you had your choice of drivers and different companies providing those things and after a while, it just gets baked in the operating system and people don’t even know that they’re using it. As it for being a discrete market, I see very quickly being subsumed by a higher-order products and like subsumed into mobile operating systems, into desktop devices, tablets, etc. It’s not that different from how a lot of other products or technologies evolved over time.

Adrian Doerk: We as SSI for German consortia we want to build infrastructure for Europe, so you might have read our press release. Probably not — no worries. So basically, our idea is to come up with a base layer infrastructure which is used as a public utility as defined in the Trust over IP stack level one with a European scope in terms of the governance and a worldwide usage. So considering this plan as public private partnership. What would be your recommendations for the governance for this network?

Tim Bouma: Well, you are totally aligned with my thinking. In fact, we’re about to announce a challenge. There’s a couple of things going on within the government, Canada. We’re launching a technology challenge (note: since this interview the challenge has been launched.) to figure out exactly what layer one would be for the digital infrastructure with the standards, and also what specifically is the scope of layer one and I can point you to that link afterwards, but that’s what I’ve been working on. We were just awarding the contracts as we speak. We’re getting six vendors to help us out. I think to answer your questions, I have some good ideas, but I’m not 100% sure because it is relatively new area and I think we need to be quite open on having our assumptions challenged and change during the course, but I see a very clear differentiation between the technical interoperability and the business interoperability, and in fact the challenge that I’m doing We’ve got six different use cases ranging from government security clearances to issuing of cannabis licenses to name a few. I’m not concerned about the content of the credential because that’s more business interoperability. I’m concerned that whatever credential, SSI credential or whatever is being issued into the system can actually be verified from the system irrespective of what’s inside. I hope I’m not losing track your question here. I see a very clear division of the private sector operating that system. I don’t see why government needs to build it and operate it. We don’t do that for networks, we don’t do that for payment rails. It has to be done in a way that governments have optionality that if a new operator comes along that’s more trustworthy or has different characteristics, there’s no reason why they can’t be used. There’s a risk. Maybe it’s not a risk for this to turn into a natural monopoly if we aren’t careful to make sure that we don’t have the standards 100% right? We have to be very, very careful that we want to have a plurality of operators. But that doesn’t mean a whole lot of them. I see that there were probably only for national infrastructure that maybe one or two domestic operators. And then probably, you know there’s going to be some international operators, but they need to work together so that’s a choice.

Adrian Doerk: Who exactly do you mean with operators? Do you mean the Stewards?

Tim Bouma: OK, so there’s two different things. There’s a steward, the governance which and again this is going to be a tricky and I’ve noticed that the Trust over IP Foundation revised their model that you could have governance at each of the layers. And so the question is governance at which layer and then what’s the composition of that governance? I would see at layer one. It’s largely a technical issue. It could be just part predominantly private sector players, maybe some government or nonprofit, but I just don’t know yet. I think where a government really will play is not in the infrastructure itself, but how that infrastructure is used and relied on for doing administration of programs. Provision of services. You know it could be passports. It can be currency. It could be educational credentials or whatever. I think government needs to be concerned at that level, but less so at the lower levels. But having confidence in those lower levels.

Adrian Doerk: When we speak about adoption, one of the big topics is use cases in general. We think that more or less the low hanging fruit, which is really easy to implement, is where you have the issuer also as a relying party. For example a University, which issued a student ID and then checks it again to issue him some other credentials. What would you think would be good for the start for different use cases? Let me reframe the question shortly. What are your recommendations for use cases to start with? What is the best one?

Tim Bouma: We had six vendors propose to us and they came up with six different use cases, and they’re quite varied, and I don’t think I can say which one is going to take off by adoption or not, but there is a government security clearances, there’s a cannabis licensing, there’s one for having your digital birth certificate, there’s one for a job site permit, it came from oil and gas. I’m not so sure which one is going to play out. I think what’s more important is really having a crystal clear understanding of what’s the digital infrastructure that can serve all of those use cases. That’s where my thinking is. What’s the absolute minimum that needs to be built? That could be an infrastructure so I think any one of these use cases can take off, but I think that model of issuer Holder verifier and we’ve generalized it to methods. It doesn’t have to be a blockchain. It could be a database. It could be different ways of doing it. There’s a super pattern there that will just serve all the use cases and this is where I’ve been putting a lot of intellectual effort just on my own time just to understand what the parallels are to digital currency and digital identity. It all boils down to kind of the similar idea is that I need to independently verify something. And I need to do it in a way that’s as flexible as possible, and then I need to have some additional functions. Digital currency. You need a transfer capability for digital identity or digital verification. I don’t think you need that. What are the absolute minimal requirements for this digital infrastructure? And it’s kind of like standardizing on paper and ink for doing contracts. You know you need paper and you need ink. What should we all standardize on? 8 1/2 by 11 or 8, four and a special type of ink that you need to use or just ink. Can’t be pencil or graphite or crayon and that’s good enough to move on to all the other very use cases. I don’t know what use case is going to take off. I think the important thing for us to do is do the critical thinking to figure out what are the common patterns on underneath there that are going to apply in all of those use cases. And as I said my working hypothesis now is that the issuer, holder, verifier with some ornamentation will do the job.

Adrian Doerk: Considering you your knowledge with the pan Canadian trust framework. You, as a policymaker, what will be your recommendation for policymakers in the European Union which work for example at the European self-sovereign identity framework?

Tim Bouma: It’s interesting. ’cause I actually had a call on this very same issue. I think policymakers actually have to go back to the drawing board and take a look at all the concepts and see if they have the right concepts to actually build out a framework and regulation, and that’s what we’ve been doing with Pan Canadian Trust Framework. We’ve recognized that what we tried to do is ingest all the latest concepts, such as issuer, holder, verifier credentials and express them in a way that does not limit them by assumption, like you don’t assume the credential is a document for example, or physical document. Or it’s just manifested only as a physical document. A credentials is a claim that can be independently verifiable and coming up with those concepts. So when you’re actually building up the frameworks and regulations you have a robust and a framework that doesn’t constrain you to a particular technological approach. There may be new technologies that come along that you didn’t even anticipate, but if you’ve done your critical thinking up front, there should be no reason why you can’t adopt that, so I think we’re just at this interesting point right now. I think we have an opportunity to go back to the drawing board. And this is just not an issue of just updating like eIDAS or other regulations and just tweaking a bit. It’s like going back to the drawing board and just say do we have the right policy constructs, which then could become regulatory requirements or legislative requirements. I think that we’re building a next generation of solutions here, and I think it’s really important that that we have the right constructs going forward, and I think we do have good confidence because I’ve looked at my evolution of thinking. You know I really started to get deep in the space in 2016 and really spend a lot of time internalizing the concepts. And it’s just a lot of iterations, but I feel like we’re in a good spot now to actually have a conversation of what these frameworks and regulations might be. It’s not just taking a paper analogue and saying, You know, just let’s do a digital equivalent of that, or a document analogue. We have to think about it differently.

Adrian Doerk: Then I would like to come to my last question. What do you think will be the negative sites or the danger sites of SSI?

Tim Bouma: Aside from all the hype and blue-sky stuff that has no merit. You see this often with any type of new technology, for example that SSI will solve hunger. It will solve society’s problems. First of all, just making sure it doesn’t get implicated in outrageous claims and that it has nothing that those are deeper problems to solve. So I think, as Gartner calls it, there’s the hype cycle. Of course, when you have the hype cycle, you get the what I call the allergic reaction that people will say, “We’re not going to use it because, you know, it’s got a bad name.” The other thing that we need to be concerned with or cognizant of is that we could build some capabilities that are outside of the states control. And I don’t know how that would manifest itself. All right, the great example is the Bitcoin Blockchain. It basically is a system that just runs on its own and no one can stop it because the way it’s structured, there’s no Corporation or operator that you can actually like take down and the algorithms, proof of work, and that it’s all open and permissionless. People are valuing like whatever is associated with their Bitcoin address because they value it. And there’s basically no way that a state or large actor can actually control that. And also not really bad thing. You know the way I’ve been describing it is that in the Bitcoin context from the economic context, we may have a new macroeconomic factor coming on the horizon that we need to work into our models around a proof of work turning energy into a digital assets and how that plays out, don’t know. So I, I think some of the downsides might be is. There may be some key capabilities that could be built. That could be viewed as illegal or unlawful in certain contexts, and so they they ban it outright. So I think we have to be very careful with this new technology to make sure that we bring the stakeholders along so we can embrace the positive side of the technology. Every technology is a two-edged sword, gunpowder, guns, you know anything? There’s an upside and there’s the downside, right? And I think that’s something that we have to be very cognizant of just like you know. In the mid 90s you had the crypto wars with the clipper chip. You can only have expert with certain key strengths and that caused a reaction and so we have to be careful that we don’t get caught into those same traps of us against the government or government against them. I think we have to figure out how to work this out together.

Based in Ottawa. Does identity stuff. My tweets are my opinion but they can be yours too!