This piece by Ian Grigg was originally published in January this year to the R3 membership and we are excited to share this piece publicly.
Two tweets allowed me to formulate a vision as to why it is we're heading in a slightly different direction for identity in the future. The first is this one:
Bingo: Identity is an edge protocol.
In order to understand this at a technological level, we have to go way back in time to a failed little invention called web of trust, invented in the early 1990s by PGP, the original email security program. In this concept, we want others to send us encrypted email, but the others don't know our keys.
So we all sign over the keys of anyone we've met, thus creating a graph of interrelationships, or as they called it, a web of trust, which we can use to navigate from key to key. The web worked, but the trust did not, in part because nobody said what the trust meant so people imposed various but incompatible versions of their own truth.
In the mid 1990s, a Certification Authority (CA) called Thwarte melded the PGP concept to the CA concept by using community members called Notaries to do that 'meetup' and report back in a more refined fashion - to a standard that loosely said "I saw Bob's passport". However, this process also didn't work in the long run, in part because the CA was bought out (and no longer had appetite for community) and in practical part because their mechanism wasn't auditable.
Yet! The same mechanism was found to be auditable in CAcert - another community CA where I worked as auditor for a while. Ill-fated again, as the barriers to be an 'acceptable' CA ramped up as we were watching, but we did in the process build an auditable community that self-verified. Strongly, through many weak relationships. The upshot of this was that we now know how to do a web of trust.
And out of this process came the observation that the centre (in this case CAcert) knew practically nothing about the person. But it knew a lot about what people said about people. Indeed, its entire valuable data set was less about what it knew about me and you, but more what you said about me, what you and I said about others, what Alice says about Bob. With enough of these relationships captured, we had an impregnable graph.
So when AA above said identity is an edge protocol, this crystalised in my mind a technical way of describing the new identity. Which brings us to tweet #2:
OK, so for the non-technical folk apparently the words don't present the picture. Hence, let me see if I can describe it in three pictures. Firstly, the word 'edge' just means the lines between the nodes, or vertices, in a graph of relationships.
Then, let's go back to the classical or IT method for thinking about identity. We know Alice, we know Bob. We have a HR department that says this. We have CAs out there that will sell use certificates to say Alice is Alice. We have states handing out identity cards that say this too, and corporate IT departments are built in this sense - let's on-board the node known as Alice, let's add permissioning to the node known as Bob, let's figure out whether the node known as Carol can trade with the node known as Bob.
Yet, this isn't how people think. It also doesn't scale - work in the on-boarding department sometime and calculate the loss rate and the cost rate. Blech! Accounts and activity is shrinking around the world. What crystalised then is that we - the entire IT, infosec and compliance world - have got it backwards.
Identity is an edge protocol, and not a nodal protocol. What is valuable is not the node but the relationships that we can examine and record between any two given nodes. It helps to think of the node - the person - as a blank circle, and then imagine in your mind's eye tracing the relationships between the circles.
When we've got that far, we might need to fall back to nodal thinking just for analysis sake. But that's easy - imagine taking a subset of the relationships and painting them temporarily over a blank canvas.
You end up with very similar information as the old nodal method. But this time it's scaleable. We haven't really got a limitation on how many relationships we collect and analyse, as long as we collect them and analyse them as dynamic, weak links that are independent apart, and only then create a vision for us when painted together. But we've definitely got a complexity limit if we try and shove all the information into the node, and manage it as static data that reaches the one binary truth that you are you.
And that's where the problem lies - we're too focused on the identity thing being the one person whereas actually, identity is a shared social context, inside us all, over each of us. Ergo:
Identity is an edge protocol!