Unspoken Security

What is Decentralized Identity?

August 05, 2024 AJ Nash and Paul Ashley Season 1 Episode 18

In this episode of Unspoken Security, host AJ Nash sits down with Paul Ashley, Chief Technology Officer at Anonyome Labs, to explore the intricacies of decentralized identity. Paul explains how decentralized identity offers stronger security and better privacy compared to traditional centralized and federated identity systems. He emphasizes the role of identity wallets, which store user identities and verifiable credentials, ensuring users maintain control over their personal information.

Paul dives into the historical evolution from centralized identity systems in the 1990s to the current decentralized models. He highlights the limitations and privacy concerns associated with federated identity systems, such as data aggregation by large identity providers like Google. These concerns underscore the need for decentralized systems that empower users to manage their identities independently.

The conversation also covers real-world applications of decentralized identity, including mobile driver's licenses, which offer selective disclosure and zero-knowledge proofs. These innovations allow users to share only necessary information, enhancing privacy and security. Paul predicts a significant impact of decentralized identity on the security landscape in the coming years, marking a transformative shift in how personal data is managed and protected.

Unspoken Security Ep 18: What is Decentralized Identity?

Paul Ashley: [00:00:00] From a privacy point of view, it's actually much worse because what you're doing now is you're setting up this relationship between this big identity provider.

Let's say it's Google and all these other services you're using and behind the scenes they swap data amongst themselves. And so your personal data is being aggregated within one of those identity providers. They know all the services you're going to. They can see when you're interacting and they get information that you really aren't even aware or given permission about.

So Federated was good from a convenience point of view, but from a privacy security point of view, very questionable.

AJ Nash: [00:01:00] Hello, and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. I've spent about 19 years in the intelligence community, mostly at NSA. I've been building and maturing intelligence programs in the private sector for about eight years. And I'm passionate about intelligence, security, public speaking, mentoring, and teaching.

I also have a master's degree in organizational leadership from Gonzaga University. And the point of that, I'm telling you, my background for those who haven't tuned in before is to let you understand what this podcast is about here. We're trying to bring all of those elements together along with some incredible guests.

Like we're going to talk about today and have authentic unfiltered conversations on a wide variety of topics. It's not your typical podcast. This isn't gonna be all polished and edited up. My dog makes occasional appearances. I actually have two around here. Riley's been on a few [00:02:00] times. Myrtle is yet to make an appearance.

She's a very loud hound. So I try to keep her further away. People argue and debate on this show. Sometimes we may swear. I certainly do. That's all okay. Think of the podcast that we're doing here as a conversation you might hear at one of the bars after a long day at any of these large cybersecurity conferences we go to, these are the conversations we usually have when nobody's listening.

So today, I mentioned all these great guests. Today I'm joined by a fantastic guest. His name is Dr. Paul Ashley. He's a Chief Technology Officer at Anonyome Labs. It's a company that brings technology to empower everyday users to interact online and offline in safety, privacy, and control. Paul's responsibilities at Anonyome include product development, emerging technologies, and IP protection.

That's patents. He's worked extensively in software product development for over 30 years. He's been providing technical leadership across a range of cybersecurity, privacy, and identity products. And you might notice when he speaks, he has a bit of an accent. He is not probably from the central United States.

I [00:03:00] believe he may be a little further away. Paul's actually from Australia and he's fantastic. So, with that in mind, with your intro, Paul, did anything I left out anything you want to add?

Paul Ashley: No, that's great, AJ and I'm really happy to be here today to talk about probably my favorite topic at the moment. Decentralized identity.

AJ Nash: Well, and I appreciate you being here too. This was, for those, we don't know how guests show up on the show. Some are planned well in advance and some just pop up. And this falls in the latter category. Somebody reached out and had a discussion and said, Hey, Paul Ashley, this guy's brilliant.

He's got a really cool topic. I think you guys should meet. And we chatted and Paul told me what he wanted to do. And so the topic today is what is decentralized identity and why does it matter? And I gotta be honest. I pride myself on not being on script, not being very scripted for the show.

I try to keep it as unscripted as possible, which means I don't do a ton of research. Now, part of that's because I like this to be authentic and part of it is because I'm notoriously lazy. But the challenge was this was when we started talking, I was a little worried about this one because I was really unfamiliar with the concept of decentralized identity until we met.

So I've done a little bit of research and [00:04:00] I understand some of it, but the truth is it's a, it's an interesting concept. It's pretty new and I'm not sure everybody knows what we're talking about when we say decentralized identity. So we didn't bring you here to listen to me. Can you talk to us about what decentralized identity is?

Paul Ashley: Sure, AJ. So I'll probably have to give you the history first. So where, where all this really began is back in the nineties. So if you, if you think about the internet in the 1990s, right, we had this model called centralized identity and access management. Identity and access management being the term used for how you get authenticated and authorized to get access to services on the internet, for example. So back in the 90s, there was only this model called centralized and, and, and we're all still familiar with it. It's still probably the main model that's used out there, which is, I want to use a service, Uber or something, I go and create an account on that service. I give them, create a username password.

They may even do two factor. They'll [00:05:00] ask for a bunch of personal information. And then once I've done all that, I can login and start to use the service. And that's what they call the centralized approach. And there's a lot of problems with that. One, one problem is, is that, we often have, and if I look at, my password manager, I have over 200 accounts across the internet, so I'm essentially distributing my personal information all over the internet to all these different services, and each of those services is liable to sell my data or have my data stolen from there.

And we see every week different media talking about 1 million accounts just got stolen from this company and, and it's all your personal data. And that's a decentralized approach. The other side of it is it's very much password-based, which has all its own problems that you would be aware of. So that takes us up to about the 2000s. And then in the early 2000s, there was a new technology called federated identity management. And I can remember way back in the early 2000s, we talked about these protocols like [00:06:00] SAML. And then there was OAuth and there's OpenID Connect. And OpenID Connect is what's most commonly used now.

But most of your listeners are probably familiar with something called social login. And social login is rather than going up to a new service and saying, create a new account, it has a little button on there that says, log in with Facebook, log in with Meta, log in with Twitter. One of those, one of the identity providers. And for the user, the reason why a user would do it is because it's more convenient because you go, Oh, I don't have to create another password here. I can just use my login from Google to get there. And that was the federation stage. And if you look at that compared to centralized from a privacy point of view, it's actually much worse because what you're doing now is you're setting up this relationship between this big identity provider.

Let's say it's Google and all these other services you're using and behind the scenes they swap data amongst themselves. And so your personal data is being aggregated within one of those identity providers. They know all the services you're going to. They can see when you're interacting and they get information that you really aren't even [00:07:00] aware or given permission about.

So Federated was good from a convenience point of view, but from a privacy security point of view, very questionable. And, and, so, today, oh,

AJ Nash: So if I understand that, no, no, this is good. So just, I'm a little slow, so I like to make sure I keep up on these things. So we started with this whole centralized concept. And as you mentioned, breaches are a huge issue. All these databases get breached. We hear it all the time, millions and billions.

And I've been breached more times than I can count. I'm sure most people have. The idea with federated, I've, I've experienced it. We all have the login with Google or login with Facebook or whatever, which is really convenient, but it sounds like it's, as you said, it's worse now, I don't just have to worry about threat actors who are going to break into databases and steal stuff, but the companies themselves have all my stuff now and they can swap around.

Is this when we started seeing more targeted approaches, even from corporations in terms of advertising and that pushing things at you. Cause they know your, they know your history. They know, they know your, pattern of life on the internet, so to speak, where you're

Paul Ashley: That's exactly. Exactly. If you look at a company like Google, [00:08:00] virtually all of their revenue is derived from advertising and what they, why they get that is because they know the most information about users. They know 95 percent of what you'll do, what your interests are, what you're reading, what accounts you're going to, and so it's the ability to know you in a lot of detail, which is their value.

So they can then target the right advertising to you. So that's why that's even a little bit more insidious than the centralized. It's more insidious because without really you giving any permission, there's this exchange of information between what we call that identity provider and those service providers that you're going to. And so personally, I never use federated single sign. I'll never do a login with Google login with Facebook or anything like that, because I understand that it's really just a way to aggregate more data about you. And so

That's, really 

AJ Nash: That's a really good, that's, sorry, that's a really good educational point. I want to make sure people hear that one. This guy's an expert on identity management and he just said, I don't ever use federated, which I'm not gonna lie [00:09:00] to you. I use it. So I'm gonna have to make changes now, cause I use it sometimes.

I don't like it mostly because I don't know which one to use. So some I've got logging in with Google and some I have logging in with LinkedIn or I've got all these different ones. So it doesn't help me cause it's just more complicated. But, I hadn't really thought of it until we started, having this discussion and I did a little bit of research and now I'm like.

I'm an expert theoretically in something, I don't know, security, Intel, take your pick. I know things at least, I've been around a while. And this, this hasn't really occurred to me. So I want to make sure people are hearing this point. Like, the expert we have here is saying, Yeah, I don't even use that at all.

I think that's, I think that's something to note. That's why I wanted to make a point here because when we get into decentralized, you're gonna talk about next. I think people need to know why we're going here. And I think that's a really big point. The expert says I don't use that because of, as you said, this insidious challenge that we have.

It's not just threat actors, but companies know things as well. And you just lose control of all your privacy essentially. So I'm sorry to interrupt. I know you've got to talk about decentralized here in this 

Paul Ashley: Yeah, that's, that's, 

AJ Nash: But it's huge.

Paul Ashley: Yeah. And that history is important to understand [00:10:00] because you've got to understand where this came from. And so if you said centralized is phase one, federated is phase two, we're now entering a new area, a new era, which is really a disruptive era called decentralized identity. And that's why I want to talk about this because I think this really is going to have a big impact over the next five years, and it may be one of the biggest impacts in the security area that we see. And so let's talk about that. So decentralized identity has been around probably for 5 to 7 years now, from the very first days when it started. And it's very much like federated identity management in that most of the development work is happening in standards groups. So when we looked at federated identity management, when you looked at OpenID Connect and OAuth and SAML, they were all developed within these standard organizations and, over literally a decade. So the same things are happening in decentralized identity. They've been, the work's been going on for about five years, but now it's starting to get mainstream. So let me talk about what the theory behind it is. So the idea is, from the ground up, [00:11:00] it's designed for stronger security and more important privacy.

So they are the two aspects that were designed from the ground up and everything that's about that, about decentralization is to have those concepts. So what, the way, the reason it changes is it introduces this new concept of an identity wallet. Now we're, we're all to some extent familiar with wallets.

Like I, I'm an iOS user. I use my Apple wallet when I go and have a flight, I often put the boarding pass in there and it's used as it's almost like a database of different items I could have membership cards in there or my flight tickets or whatever, and, and it's fairly static data.

I think they can update that data in real time. But the wallet is a fairly simple thing, more like just a database and storage. Think of an identity wallet as something that's much more sophisticated and it's holding your identities and what they mean by that your identity is things like what's called a decentralized identifier. It's holding things like cryptographic keys. It's holding things called verifiable credentials. So think about [00:12:00] having an identity wallet where your identity is really living. And of course, you have more than one identity in there, but that's really where it's living in the wallet. And the concept is instead of you going and creating an account like centralized or federated like federated identity management, you're actually just connecting from your wallet to these services.

So you create a connection. Okay. It's called a DIDComm connection, and you've got this continuous end-to-end encrypted session that's existing from there. You do things like I present to that service a verifiable credential. I get issued from that service, verifiable credentials and those verifiable credentials themselves. We can talk a lot about providing a lot of security and privacy capabilities that you don't have today. So I think the core of it is, is this new idea of having an identity wallet where your identity is really living rather than your identity, really living at the service or at those who are big identity providers.

AJ Nash: Okay. So it's putting more of the control and the power back in the [00:13:00] user's hands. Instead of me having to give things to corporations that I obviously don't have any control over how they protect anything, good, bad or indifferent. That's just how it works. And then trusting they're not gonna either share it with other people, which they will.

Or they'll protect it well. You sell it or that they'll protect it well, which they probably won't. It, it goes to me. So now I've got, as you said, this, this wallet. So, as an Intel guy, as a threat guy, I, my only concern with us, one of many, but one that comes to mind is, I've now centralized all of my identities and like I said, there could be multiple identities.

So if I'm trying to be in a position where you don't know that this username and this email is associated with this real-world person or this credit card number, all these things. I've all these different identities. I've blended them all in one place, which is,  it's a gold mine for threat actors right now.

I've got taken away from the corporate side. So now they've got to attack me personally, but then I know, I know we'll get into this. So I don't want to get too far ahead, but I am concerned about that. I'm going to plant that seed for later in the discussion. Of [00:14:00] now, somebody just has to target my wallet and they own everything about me and all my different entities.

I've, I've centralized it for them into one repository. So again, just planting the seed. You don't have to answer that yet because I know that comes up later in our conversation, but I am interested to hear more about how we're protecting against that risk. But I like the idea of putting it in the hands of the individual.

In general, I like being in control of my own privacy and my own data. I have to admit the challenge we have is a lot of the individuals aren't really tech savvy. We'd like to think the companies that have been protecting our stuff are more tech savvy, but the trade off there is they just don't have the motivation.

I'm more concerned about protecting my data and my identity and my PII than anybody in the world. I just am not very capable of doing it. And most users aren't. The companies that are capable of doing it don't necessarily care. So I'd love to find a place where, where both of those things are true, where somebody who's really capable also cares, which I think is where you're headed with this, actually.

So I like the history of this. I appreciate it, by the way, for anybody who really understood, decentralized identity before you tuned in for this, [00:15:00] apologize. It's probably been 10 minutes of your time that you'll never get back and you knew this, but for the rest of us, the 99%. I think this was nice to understand how we've gone from this centralized to the federated.

To the decentralized, but for me, it helps. And I'm sure a lot of people will see it in like real-world terms. So, can you talk about real-world examples of decentralized identity? How's this working today in, in, concepts people go, okay, I get it. I use that.

Paul Ashley: And so, so it's a really good point because the best way to understand it is where it's being used. And it's literally just the last year or so where you're starting to see some projects going to production and being reused by normal people. So first, before I get into that, let me just talk about the concept of a verifiable credential.

So think of a verifiable credential as a digital document, something that was in your wallet. So you've got a driver's license, or membership card, or it could even be your passport, whatever you, whatever it is, this document that's in a physical form. Let's convert it into an electronic form.

So let's take the driver's [00:16:00] license. An electronic version of your driver's license. The point of verifiable credentials is not just a copy of your driver's license. It is a protected copy. So it's, you can't change it without. It's got digital signatures on it. You can't change it without that being detected. But it also has these other properties and one of them is called selective disclosure and the driver's license is a really good example. When I go up to a bar. And I sometimes do when I'm in the US and Salt Lake City and where there are other offices. What happens is they'll say, I just need to see your driver's license.

And so you pull out your plastic driver's license and what they're really after is I just want to know that you're over 21 and so they don't really want your driver's license. I just want to know you're over 21. But what happens is you show them your driver's license. They now know your name, your birth date. They now know your home address. They now know where you are, what type of cars you can drive, whether you wear glasses and all this. So what you're doing, unintentionally is giving a whole lot of personal information about yourself. So, [00:17:00] I'm a lady, I turn up at the bar, I give the bouncer a look at my driver's license, then all of a sudden they know that person's home address and think, it's not very good. So let's think about verifiable credentials as this signed document that's living in your wallet, but it has selective disclosure. So when you talk, when you walk up to the bar with this driver's license, what you're doing this time is you're from that credential, but you can do things like I'm only going to prove that I'm over 21.

So it says, all I'm going to do is show to the bar my photo that's in the driver's license and my birth date, for example, and that's what they call selective disclosure. So rather than showing all the 20 fields on your driver's license, I'm only going to show two fields and it actually gets even more sophisticated than that. Verifiable credentials also support this term called zero knowledge proofs. And a zero knowledge proof says, I'm going to prove I'm over 21, but I'm not even going to give you my birthday. I can prove to you that I'm over 21 without, without giving you my birthday. So I've even given less information.

What I've done is maybe given [00:18:00] my photos so they can see it's you. And then I can prove I'm over 21 and I haven't even given you my birthday. So these are some of the underlying concepts and it also has other concepts like revocation, so if the credential is revoked, when you go to present it, they can tell that it's revoked and things like that. So let's put that as the underpinning. So, and I particularly pick driver's licenses because that's one of the areas of decentralized identity is really becoming advanced. So if you have a look at the U.S. for example, 20 states will have electronic driver's licenses to put inside a wallet by the end of this year. And it's usually two options they'll give you. One is, I'll give you California as an example, they'll give you an application. That's your mobile driver's application, which is really just a decentralized identity wallet, and they'll put your driver's license in there. That's one option. But the other option is that Apple and Google are becoming what they call MDL enabled in their wallets.

I talked about how their wallets have been pretty simple, just databases. Well, both Apple and Google are increasing the [00:19:00] complexity of their wallets to be able to support the standard called MDL or mobile driver's license. And what that means is they can accept a driver's license from say the California DMV into their wallet, and you can present it from their wallet.

So that's it. That's just a second alternative to using an application. And in Australia here already, I already have an MDL, what's your mobile driver's license. That's a decentralized identity wallet here as well. So I would say in terms of what decentralized identity technology is most pervasive already, it's mobile driver's license.

And I would say most of your listeners within the next year will have an electronic driver's license called an MDL, which again, they'll either store in an application, a mobile wallet application, or they'll put it into their Apple or Google wallet. And that's just one example. And there's plenty of others I can give as well.

AJ Nash: That's really interesting. And yeah, that's a perfect example because everybody, almost everybody at least has a driver's license. I'm going to ask and hopefully this isn't a difficult question or a gotcha question, but this is a big topic right now. This is an election [00:20:00] year. All

So, and, and there's a lot of discussion around, I don't really want to get into which side people are on. It doesn't really matter, but there's a lot of discussion about validating who can and cannot vote. And in the U.S. driver's license is often a part of that, one of the identifiers that we use.

So I guess the question is going to come up repeatedly. I'm sure this is how this is going to be more or less likely to be compromised and have people have opportunities to have fraudulent identification. If I have a hard card, certainly we know people fake IDs, but they've spent years and years trying to improve those technologies, try to make them harder to counterfeit with holograms and all these different technologies. And, I don't honestly know how hard they are, but, but there's efforts to try to make that happen. And perhaps even more importantly, there's efforts on the other side of the people who are supposed to be verifying to know what to look for.

So with the technologies now, I guess the two questions I would have on it is, is what, what are we doing if there's a way to say it in simpler terms for folks like me, frankly, [00:21:00] how are we protecting to make sure this is a valid driver's license? I'm not taking your digital wallet. I'm not manipulating it in some way.

And then the people that have to look at it, are they going to be trained to know what they're looking at? Because if I'm a bouncer at a bar, I know how to look for a driver's license. I've been taught how to do that. And probably for multiple states, even, but maybe only a few. And I've seen if you've ever been to a bar in the US, if you've got a license from too far away, they don't have any idea if it's real or not.

And sometimes they accept it. Sometimes they'll throw you out whether it's real or not. But how are we going to get that? Part of it also. So the people that are supposed to be validating these things know what they're looking at.

Paul Ashley: Very good question. Is it, and it's a couple of different questions there. The first is how does the verifier know that this is a legitimate driver's license? So the way that happens is the issuer, it could be a Utah DMV, California DMV. When they issue your driver's license into the wallet, they sign it.

With what's called their issuer private key. The public key is then made available to the verifier. So the verifier [00:22:00] will have a list of all of the public keys, for example, of the DMVs around the US. So they'll have 50 odd public keys. And so they immediately know that from a cryptographic point of view, know that it was issued by that DMV, the California DMV, for example. They know that it hasn't been altered because it's digitally signed. And then there's another side of it is like, what's to stop me giving you my driver's license and you presenting that? Well, there's a photo on one side of it, but there's another concept called a secure enclave.

I don't know if people are aware, but just about every iOS phone and every Android phone has a secure enclave on it. And what a secure enclave is a way to generate a private public key pair yourself. And, that private key stays in the enclave and you can do signing operations. So they're actually, what I'm trying to describe here is there is a way of being sure that that driver's license is only for me, and that's what they call the holder binding.

I'm called the [00:23:00] holder of the credential. You can prove not only that these credentials are unaltered, but that it was issued to me. And if we use, for example, a secure enclave, there's no way for me, for example, to get my private key into your phone. And so there's really no way of you being able to copy my driver's license.

So there are these techniques available and depending on the credential, some credentials will say, look, I don't care. It's a gym membership credential. It doesn't need that high security, other credentials, driver's license, passport, passport, anything like that. Maybe you do need that higher security.

And we're starting to talk about other technologies within mobile devices. And this is why mobile devices are really good because they are not only a pretty good secure operating system, but it has other capabilities like secure enclaves to make the security even higher. So I think when you go and present it, let's talk about how you present it.

Normally what you'll do is just have a reader there and it puts up a QR code. So what you do is with your wallet, you read that QR code. It's an [00:24:00] invitation to connect. So you connect and then the verifier sends out a request to your wallet that says, can I see these, these items from your driver's license and might be your photo and your date of birth, then what happens in your wallet is it props up a prompt to you and say, by X's is asking for your photo and your birth date.

Are you okay to present that? And you say yes in the wallet and you present it. But again, this is the advantage of using a digital credential if you haven't had to present things like your home address or whether you wear glasses or what you're driving. So you've really controlled your PII to a greater extent.

AJ Nash: Yeah, that makes sense. I think it's really interesting. I suspect, and you may have more ideas on this. This will also be, there'll be a long tail to this. There's a process. So you mentioned people do things like, and I do the same thing. When I travel, I will download my ticket to my phone.

So my Google wallet, actually, I still, I'm one of those people who still has a printed ticket when I check in because, [00:25:00] not because I want it necessarily, but I recognize the one time I don't do it will be the time I get to the gate. My phone stops working, like will lock. My phone will security reboot.

I forgot to charge it and now I've got nothing. 

Paul Ashley: us. Yeah, yeah,

AJ Nash: So I wonder if that won't be the same. If you think it won't be the same here in terms of passports, driver's license, et cetera, where people will still have the hard ones for a while. Cause what happens if that all goes away and then my phone stops working and a cop pulls me over, I can't turn in my driver's license.

Paul Ashley: Queensland is where I'm from, it's a state that I'm from, actually has that at the moment. So I can get both a physical driver's license, the plastic one that we're all used to, and I can get the digital one. So I've got both and I can use them in different situations. Just in terms of that election, discussion, so we had an election here in October, and one of the things that you could do with that election.

When you actually turned up to prove your identity is you could present your MDL credential, your driver's license versus showing the plastic one. So this was the first case where they were okay to accept a digital driver's license because actually in the end, [00:26:00] it's actually more secure than the plastic one. So that's an example. So I think, will that happen in your election this year? I don't know whether, it depends on how pervasive digital driver's licenses are and whether it'll be accepted, but certainly here already in Australia, that's one place where you can present it is when you're going to vote.

AJ Nash: What, were there huge outcries of people screaming that there was fraud, massive widespread fraud of people with digital driver's licenses by any chance? Or is that just

Paul Ashley: No,  

AJ Nash: these days?

Paul Ashley: I think the reality is that fraud is actually much more difficult with the digital version than it is with the plastic version. We all know that we can go online and order fake driver's licenses, plastic ones, and they're really good. Getting a fake digital driver's license that's signed by the DMV, that's a hard problem. That's a hard problem.

AJ Nash: Yeah, I, I, I think like I see where this is going. I see where the technology is going. I think it's fascinating. and I, I agree with you. I see the advantages. It's going to be harder to [00:27:00] forge and  the security will be better. Plus we'll have more control over our own security. My fear with any new technology, frankly, is just how long it takes the public, the general public.

To pick up on it, which is tough. These are technologies,  people, some people, they, the people who use things, they don't understand. That's just fine. They'll say, Hey, it works. And I use it. I don't know how it works. Listen, we all have some of that. I turn on light switches and I'm not going to tell you.

I know how electricity works in my house. I have no idea. I just know I turn on the light switch and it works. And if it doesn't, I check the fuse box. If that doesn't work, the neighborhood's probably out, but I don't get into the details of how electricity actually travels and gets to the house. Some people,  we'll take more, more time to learn these things.

I do worry though, because, and. There's a little overlap to what I talked about earlier. There's this huge rise of, of skepticism of conspiracy theories of misinformation, disinformation, malinformation, things like that. I worry about people just exploiting the ignorance that goes along with new technologies.

It doesn't matter if this is much, much safer. If you won't think it is, perception becomes reality. Air travel's much safer than car travel and yet [00:28:00] people are very, very afraid of air travel and those same people will drive cars all day long. It's, it, that's just one example that hopefully is less political than others I could have used.

So I'll be interested to see as this goes forward and you don't have to answer this. I don't suspect you have one yet, but I'm interested to see as we go forward, how we handle the public education of this, in terms that help people dispel. Those conspiracy theories that are almost certain to show up because conspiracy theories tend to be very simplistic approaches to things.

Easy to understand concepts, even if they're complete lies and bullshit, but they're very easy to understand. And then when the smart, brilliant people show up with the right answer, it's not understood. And so those people stick to the theories. COVID 19 would be a pretty good example of this, in my opinion. And I worry that anti-intellectualism and people who don't have enough knowledge of the technology will just glom onto a lie as opposed to the truth. It's more difficult to understand.

Paul Ashley: Yeah. And I think in this case, I always have the philosophy that trust has to be earned. And so, you don't trust this system initially. What you do is you observe and see what happens. So I [00:29:00] think this will happen like I've noticed here. So we had our MDL driver's license probably about the middle of almost a year ago now, middle of last year. And so over time more people have downloaded the wallet and put their driver's license in there and done all those and so more and more it's, it's starting to get into normal people's hands, but then really the test is going to be like how many verifiers are there out there because you should be able to turn up to a bar and present it, when you're voting, present it.

Maybe when buying something online, you can present it as well, because you can present it just as well online as you can in person. So I think trust will be garnered over time when people see that there's not, there's not, fake versions out there that the technology does work and that it and it becomes more trusted as people use it.

So I think personally, a trust has to be earned and so if people are going to be using their DMV MDLs, then over time, that trust will be earned because the technology is pretty sound. So [00:30:00] it's, it should, the trust should grow over time, but there's plenty of other, I can give you plenty of other examples of where there's decentralized identity projects as well.

AJ Nash: Yeah, let's do it. Let's see what we got. We're in a good spot here time-wise. And I'm really interested to get more because the more examples I think the easier it is for people, certainly for me, at least for, to understand it, to make it make sense to me beyond the technologies. But yeah, if you've got more ideas and examples of what we're already seeing, I'd love to hear a couple more.

Paul Ashley: Yeah. So another example is travel. As I said,  things like if you think about when you travel, like when you travel overseas, you've got to have a passport, you might need a visa, and you may even have to prove you're vaccinated for yellow fever or whatever it might be.

So these are normally paper documents and you have to carry them with you. There's already some projects each of those three into a verifiable credential, and then as you're passing through, rather than you standing with the person and going, here's my wallet and here's my visa and here's my vaccine and, and when you stand in those queues and do all that, [00:31:00] what if I could just, put my wallet up to the scanner, it requests and up.

And as I said, the good thing about a wallet is a wallet will always ask the user to confirm before it presents information. So it'll say to you, okay. You're going through the, say it's all digitized in Australia, coming through Australian customs and they go, Australian customs have asked for your, your passport, your visa and your vaccine. Do you approve and you either say yes or no, or you can even alter that, but let's say you say yes and immediately it's presented, they can verify it. And you just walk straight through, you can start to see there's going to be a lot more convenience here. I just actually just did a trip through the US and Europe, I went to two different identity conferences. The amount of time that I spent lining up to get documents checked or going through customs and all that, I was thinking like if I had my phone and I could just present it and answer a question and say yes and then go through, there's a lot of advantages to that. I must have spent hours and hours and hours just queuing up at different parts of the world as I, that's another example. Yeah, that's [00:32:00] another example.

AJ Nash:  That's a good point because people hate, people hate travel for the most part, and certainly the inconvenience and just the time,  The, the, like you said, the long lines that people have to go through.  I don't know how it does everyone in the world in the States, we obviously there's a couple of different systems that people can be in, you can be, TSA pre check, which just means again, you have to give all your information to the government and hope that they,  won't, won't.

And let it get compromised, which they will, I promise. or,  there's also a global entry. So if you leave the country and come back,  global entry actually is a really nice system in terms of convenience.  I show up, I take, they take my picture and I just roll right through.

But again, they've, it means you've got to put all your information in somebody else's database, as opposed to having this, what you're talking about, basically controlling your own information and have a selective sharing process, which is pretty Yeah,

Paul Ashley: That's the important point is we are very used to centralized processes and I'll, can I give you another project example that we've actually worked on? So this is actually a farming example. And in this example, there's, there's [00:33:00] 40,000 farms in this project and there's a whole bunch of issuers and verifiers and, and, and the reason why this project went forward is there's a whole lot of regulation around farming.

I'll have to prove how much fertilizer I used. You have to, you have to say things like whether I'm organic certified and all this and, and mostly this is done through paper documents at the moment. So verifiable credentials, the thing we talked about in the driver's license, could easily be used to hold your organic certification for a farm. So when they looked at the start of this project, they actually had two models in mind. One was a centralized approach, which is to get the farmer to go to the government database and upload all their information. And then the different parties, like the local councils or the federal government or whoever needs to look at it, will go and access that.

And that's your typical centralized approach. So what did the farmers say? No, no way we're going to do that. There's no way we're going to put all our data up there because this is our, this is our personal data. And it might be about what crops I've got, what my farm boundaries look like, how much fertilizer I'm [00:34:00] using, but it's my personal information. If I put it up in that central database, it's going to be abused, it's going to be stolen. All of those things are going to happen, which we're all used to. So again, that's a centralized break. So the reason I went for decentralized on this project is again, the farmer holds the information. So if, if they want to get organic certified, they go to the organic certifier and give them the information.

So the farmer's voluntarily given that information to certify the certifier, then give them a verifiable credential that says you're organically certified. Then the farmer then presents that to whoever needs to know they're organically certified like a wholesaler. So you can see that the data is now living with the farmer.

It's not living in some centralized database and every interaction of that data is going through the farmer and the farmer's giving permission. So it's no different to you presenting your driver's license or your passport. You're in the process of providing that information to that other body. And so you're voluntarily giving it and you understand what's being given.

It's not in some centralized database with all different people [00:35:00] entering it and you don't know who's looking at what and whether it's been stolen or sold or whatever. So there's, there's this decentralized identity concept or the decentralized concept is pretty powerful from a privacy and security point of view.

AJ Nash: That's yeah.  That's interesting. The farming and mining example, I find really fascinating because, I'm sure there are a lot of industries that have something similar. Some  regulated industry where you have to upload to be validated and verified.

I'm sure healthcare has a bunch of this stuff that comes to mind immediately. I'm sure education has some of these things. maybe the penal system for instance, might. So I think it's very interesting that you're. That example, I think, makes a lot of sense. These organizations don't want all this stuff just pushed up there.

That you only need a small segment of answers to my question, to the questions and not everything else. so it makes sense this again, this decentralized approach versus the centralized approach. I got a question. I know we got to actually get into a standard question that we already prepped for a little bit, but I got a question that I didn't prep before.

So I'm going to ask anyway. That's how the show works. [00:36:00] So. Do you see a future where this might become, how do I say this? Even more decentralized. So the reason I ask, and maybe you're going to answer this in the next question we talk about, but again, in doing this, I've now got a wallet that's got all of me in it, 

So if you, if you can compromise my wallet, which we see happen,   crypto comes to be. It comes to mind,  People compromise crypto wallets and that's it. You're a crypto millionaire. Now you're a crypto zeroaire and somebody else has all your money, all your fake money that they probably won't cash out until they get stolen from somebody else.

But you've got all my stuff,  Do you see an opportunity at some point for that to become more decentralized? But still within my control,  Where I've got, I've got my, it looks centralized to me, but it's actually splitting out into more different segments, or maybe being, maybe blockchain comes into place.

I don't know. Maybe it's being disassembled somewhere within my phone,  Within my technology, within a storage system. So it's even harder to get to. So even if you got to the wallet, you still don't get to everything. There's, there's, there may not be an answer to this yet. I realized, but as I'm thinking loud here and going [00:37:00] through and thinking, I don't want to be in a position where somebody just gets this.

I love the idea that it's not in somebody else's database. If you compromise the post office, I'm not thrilled that you get all my personal information. I can't control how the postal system protects my information. I don't even know if they're compromised half the time. It takes a long time for organizations to report this stuff.

And I'm a professional who does this for a living, so I'll probably see it, but the average person doesn't watch the news every night for every breach, they're numbed to all of it. So I love the idea that you got to come get me personally to get me, which means it cuts down on the chances. I love it.

That's not necessarily going to happen, but I don't love the idea that all my stuff's there. If you get me, you get all of me. So is there, is there thoughts on how to fragment that further? So it's decentralized, even within my control, or are we not 

Paul Ashley: Yeah, I think it's a very good and pertinent question. And the reason why I think it's a very good question is, as I said in that previous example with MDL that Apple and Google are adding functionality to their wallets such that they can hold these driver's licenses. And that's just the first example.

So we'll be able to hold [00:38:00] and it's following this ISO standard called MDL and we've implemented it in their wallets. And so you can put your driver's license in there. Where I would caution is, is as the functionality of those wallets increase, for Apple and Google, right, there'll be more, there will be more incentive for you to go, Oh, I've got these other, I've got my gym credential, my passport, I'll put it in there as well and all that. And so I think that's the centralized decentralized approach where I'm using one big wallet to hold all of my credentials and my identities. And the reason I also cautioned it being Apple and Google is, these are the data brokers. These are the people that have your personal information by using just this one wallet. Are you putting yourself in a position that Apple or Google or Samsung, if you've got a Samsung phone, are now able to use the wallet as a way of following your digital trail. They know what, what credentials you're getting, where you're presenting them, et cetera, et cetera. So there is an item of [00:39:00] caution there.

So there's probably a couple of answers I'd have. One is that you don't have to just have one wallet. So for example, I have a Queensland government driver's license wallet. It's got my driver's license in it. I can present that from there. it can be updated and all that. And then when I go to some other application, I can put it into a different wallet.

So you could actually have multiple wallets on your phone that hold different aspects of you.  there's different personas that you have. So you could say, well, this is for anytime I'm using my driver's license. We're gonna use this one anytime I'm using my passport. I'm gonna use this one, this one, and there's different so you can segment it to different applications within your phone, for example. But there's also that point I made earlier about secure enclaves. The point of the secure enclave is to make it such that if you get presented with a credential where you've used that secure enclave as you're holding a private key, it really becomes very difficult for someone to steal that.

And I think that's an important thing because it's not only about [00:40:00] following you, but can someone impersonate you? So this is why there's a lot of talk. And as I said, I just came back from a conference in Berlin, and, and, and a lot of the conference was talking about decentralized identity. And they were very much talking.

There I went to a presentation where they talked about secure enclaves and why it's important and how that protects you. It, it, it gives you that protection that someone can't steal that credential and can't steal that identity because it's linked to this enclave. So there are protections, but I am also aware of the privacy concern about centralizing all of your credentials and your identities in a wallet, especially if it's an Apple or Google wallet, and you are just providing a different way for them to be able to track what you're doing.

So I think we do have to be aware of it. So in any of these technologies, it can also be used for good and it can be used for evil.

AJ Nash: Yeah, no, I, I think that's,  that's a great point. If we talk about these constant technologies, AI is another one right now. It's a huge, everybody's talking about AI. You notice this entire conversation. I haven't asked you where AI fits in. I haven't asked you how AI as a company.

I'm not going to either. You may bring it up on your own, [00:41:00] but, AI is in everything now. I'm pretty sure that my cheeseburger yesterday was an AI that was somehow made, But, but I do think it's interesting,  every technology,  Yes. They can all be used for evil,  Nuclear technology has done amazing things for the world in terms of power.

Also creates very terrifying weapons. So that's the truth across the board. That's the truth in these technologies as well. But I'm glad, I appreciate that you've shared some of this already and given us some ideas. And it's interesting to see. What the next steps will be. There are opportunities to protect these things better, because I think that'll be one of the things people will think about. I'm just going to create a pocket here where somebody can take it.

 If I leave the house, I bring a, well, no, I got a wallet 

Paul Ashley: Your phone. 

AJ Nash: Right now. I got, I got, well, I always bring my wallet, my phone. That's true. That's a, that's here somewhere now too. But I always bring my phone and I bring my wallet everywhere.  But my wallet, if I travel locally, I have for anybody curious, I have two credit cards. I have my ATM card. I have way too many pieces of identification, frankly. And absolutely no [00:42:00] money. no, I have 1, but if I go overseas, I don't take everything with me. If I'm going to go out to the bars, for instance, I probably take one credit card and maybe my driver's license.

 I don't bring everything with me. So if somebody steals my wallet, I haven't compromised everything. I don't have to change every credit card, et cetera. and I, I feel like that's  the same concept here. Digitally I don't want to be in a position where. It's, it's one shot, all kill.

Basically somebody gets in, they get my wallet and they've got everything.  So I like what you're talking about with being able to move things into some different wallets and some other technologies there and some more thoughts about that because I think that's something I fear people won't think of that early.

Most probably won't. Cause again, convenience comes into play. I'm a Google guy. Everything goes in my Google wallet. I'm an Apple person. Everything goes in my Apple wallet. And that's great until your Apple wallet's compromised and you're going to really regret that or your Google wallet is. So I think that'll be the next interesting step.

In this, and it's good to hear,  people like yourself already thinking this way and talking about other ways to do this, because as safe as this sounds like it is compared to what we're used to again, that trust building, as you mentioned, that's a big one, especially in, in a, in a situation where it's a, it's a [00:43:00] technology that's not, not necessarily the easiest one for everybody to understand right away.

So it takes time to build trust for things people don't understand, but it's going to be widespread. It's going to become everywhere, I think. but then also having more of these mechanisms for people to, to deep, more deeply protect themselves so that if they are compromised, again, if you steal my wallet,  you don't get everything about me, every credit card, every ID,  I, I tend to be more selective on what I take, where I'm going, so that if it goes badly, you don't get everything about me, maybe,  be the same concept, I think, digitally speaking.

So listen, I  stole some of the answers perhaps for this, but,  we, you talked about the history. You get really good examples of how this is working in real life today and where the technologies are. I'm also, by the way, very excited to hear the success stories out of Australia with, with, mobile driver's license, especially with voting.

I'd also like to think that countries like our own, like the US over here. We'll actually try to learn from that. I think experts will check and see how did this work? What were the challenges? I'd like to think that I'm pretty optimistic about it still, that there'll be an opportunity there. Cause that'll also be something that can educate the public on how do we think this work?

[00:44:00] What's the fraud rate? And you can say, well, listen, our friends in Australia did this and the rate was really low and these were learned that being said, what do you see? I've already  asked some of these questions, but maybe they were the wrong ones to ask. What do you see as the biggest risks and benefits of this movement to, to decentralized identity?

Mhm. 

Paul Ashley: With the benefit, which I've probably talked a bit about. And the first is that the underlying philosophy here is to make you more secure and more private online and offline.  So, so I think the benefit is, is that this decentralized approach. The opportunity to share less personal information about yourself in all sorts of different situations. 

And having more control over that. So I think that's a big benefit. A risk, let's say a risk, actually, and I want to put a risk to the identity and access management company. So, I said, I just came back from two different conferences, one called Identiverse, which was in Las Vegas. And then another one called your European Identity and Cloud Conference in Berlin. And those conferences [00:45:00] traditionally have been conferences that are focused on centralized and federated identity management and all of the stuff around that. And that's where IAM vendors have been for the last 20 years. I go to those shows and I look at what they're doing now. And I think, gee, that's the same as what they did 10 years ago,

There's been in that centralized federated space for the last 10 plus years. So I think there's a risk actually to those companies, because one of the things I noticed is very few of them have started to think about decentralized identity and most of the decentralized identity companies are small ones like Anonyome, and there's a bunch of others that are bringing this technology to market and those bigger identity and access management vendors, I think haven't actually got themselves over the line to this new technology. And I believe it's going to be disruptive. It's going to be disruptive. And so I think to those vendors that are out there producing identity and access management products, if you're not investing in products around decentralized identity, you probably will get left behind, because I do think it's disruptive and we're going to see it as, healthcare is another example. What's the best way for you to take, you [00:46:00] know, healthcare records from your GP or your doctor over to a specialist. Well, put it as a credential on your phone and present it to the credential. You're controlling it. It's not going to some centralized database. So there's, you're going to see it across all of these different industries.

So I think there's a risk there. The other risk that we talked about is. And I don't know yet whether this is a risk, but I can assume that it's a risk, which is if you do use one wallet, like an Apple wallet or a Google wallet in particular, and put all your credentials in there, have you given an access, a digital trail to those, which are essentially aggregators of your personal information. So there's that risk as well. And then I guess it's, as you said, it's the uptake of it. Will people accept this technology and be accepting with a wallet and actually start to use it and go, well, they've just stopped printing plastic driver's licenses. Now it's just the digital one. That's the logical conclusion you start. Like we are, like you've got a digital one and a plastic one, but in three years time, will they still be [00:47:00] producing plastic ones? Probably hard to see them doing that because it's expensive. So why don't I just give you a digital one? So, so there's, there's these risks that are involved, but I think overall the benefits of this technology where you're starting to say, let's put the data in the control of the user, they know exactly where they're presenting it and when they're doing it, they're voluntary and they're only giving a minimum. I think there's a lot of benefits to that.

AJ Nash: So I, the benefits, I, I get the benefits, I think, I think they're, I think they're easy to see and understand. I think your examples really drove it home, the convenience and travel is a big one. The ability to, to share segments of information, all information.

The driver's license one, yeah. It's nothing I really thought about. You hand somebody a driver's license. And again, part of that is also the reality that I'm a male,  men don't see the world and are as scary as others, as women do. generally speaking, and, and for good, for good reason. And you mentioned a meme earlier about, when we were talking offline, I know it's going to come up again in a minute, but, there's also that meme about that,  would you rather be in the woods with a bear or a man?

And women tend to choose the bear apparently. [00:48:00] So the world is a much more dangerous place for women. Which is why I don't think about that sharing you mentioned, but that's a good point. My driver's license isn't just oh, hey he's 21 and listen, nobody's carding me anymore anyway, but I'm not gonna pretend I have a lot of trouble getting into bars at this age, but you make a great point I don't want people to know my address and my height and my weight and my full name and whether I have glasses and what cars I can drive, all that  stuff that you mentioned, I shouldn't have to share all that.

You just need to know, am I old enough for you to serve me that beer that I'm not going to drink? That's all it needs to happen. And, and the travel piece. So, the advantages to this, I think, make perfect sense. I think we've seen it in real life. The, the digital boarding pass for airlines, it's those risk components, those threats that you were talking about. And while you were kind enough not to mention anybody by name, the identity management one I think is really, really interesting because there's some huge companies in that space like Okta who are all in on this identity access management, which has been a huge component of security for a long time. [00:49:00]

And what I'm hearing you say is you've been to a couple of these conferences and this could make those kinds of companies. And there's others besides Okta. I'm not trying to pick on Okta, Zero Auth or some others. This could make them extinct. These are multi-billion dollar companies that are either going to have to, change, they're going to have to, to evolve, or could go extinct because of their concept, their entire business model, essentially could be wiped out by this, it's, DVDs taking out cassette tapes and then digital taking out DVDs. The thing is you got to evolve. This is Netflix killing off Blockbuster for instance. So I think that's really, really interesting.

I also happen to know, I don't know if this will make it to the final cut or we'll drop it, but, I know some senior folks over at Okta, including one of your, one of your country mates over there, who's, who's probably going to listen to this. I hope so at least, and maybe take note of that, because it's a big what they do

Paul Ashley: And maybe give us a call. Maybe give us a call because, because we can help, you know? 

AJ Nash: Yeah, perhaps, it's, I, I'm happy to introduce you to him, at some point if [00:50:00] you don't already know him, but, But anyway, back to the point. I think this is really interesting stuff. The technology is very interesting. I love the idea again, putting security more in the hands of the individuals, getting out of these centralized databases.

So we don't have to spend the rest of our lives listening to the next big breach and the next big breach and how these are all being sold and compromised,  cutting down on things like the 6, 200, junk phone calls I get every day because,  all these different compromises have led to everybody in there.

Everyone, my phone number and calling me to try to sell  All my data, my phone numbers, and I, the spam emails, all this stuff, it'd be nice to make a lot of that stuff go away. and so this is really interesting. I guess the uptake will be something to watch. And I didn't realize until you said it, that 20 States in the US already have digital driver's licenses.

This is coming. And like you said, like it or not, money will be a factor. People will stop wanting to produce hard credentials because they cost money. So I think we'll have a period of time where we get to learn and get comfortable with this and build that trust. But then I suspect there'll be a forcing function where companies and governments just start saying, this is the only way we're going to do it.

And if you want to get on [00:51:00] my airplane, you're going to have to use digital. And if you want to get in my country, you're going to have to use digital. If you want to drive a car, you're going to have to use digital. it'd be interesting to see just how long. That takes, so, all right, we're, we're coming up near the end here and, and as I'm sure,   the name of the show is Unspoken Security.

So,  when we get to the end, I always have the same question. Nobody gets an exception or a pass so far. and so you're up next. And, and so with the idea of the show being called Unspoken Security. I'd be interested to know something in your life, some secret, some unspoken truth, something that hasn't come up yet that you're going to tell the world for the first time.

It's not confessing to a murder. I hope, cause this is being recorded and, and,  you're outside of the jurisdiction of where I happen to live, but I wouldn't want you to do that. I'm not looking for the, for the,  the secret you don't want the world to know. Cause it's,  Dozens of people will probably listen to this, hopefully more. But  tell me something that's so far been unspoken in your life.

Paul Ashley: Yeah, it's, it's an interesting question and, and the thing that comes to mind, there's this, there's this meme that goes around about all males and, and we all spend our time thinking about the Roman Empire, [00:52:00] right, and, and, and I keep seeing this come up when, if someone's sitting there quietly thinking, they're probably thinking about the Roman Empire, whether that's true or not, I don't know, but in my case, one of the things that I do, which I've actually done for about, yeah, the last 30 years, it's a lot of patents, and these are patents for products around security, privacy, and identity. So if you were to ask what's Paul doing sitting over there quietly in the corner? I'm probably thinking about my next patent because I'm always the way I think about patents is where the product is now, where's it going to be in two years or five years?

And can I patent that idea before we even get it built? So I would say the answer to me is like, if Paul's sitting there, he's not thinking about the Roman empire, he's actually thinking about his next security identity privacy patent. That's probably my answer.

AJ Nash: Out of curiosity, when you say you've worked on a lot of patents, do you, do you know how many? Is there a number in mind?

Paul Ashley: Oh, I've got, I've got about, in terms of actually granted patents, I've got about 40 and, but, and, and that's probably multiplied because sometimes you [00:53:00] do it in multiple jurisdictions, but actual individual patents, I've got about 40 patents in this space, but I've, I've probably got 10 at the moment that are working through the, the USPTO, the Patent Office of the US.

AJ Nash: Wow. That is, I've, I'm no expert on this either, but I've dabbled a little and it's a lot of paperwork. It's a lot of

Paul Ashley: Oh, and, and it's a lot of effort here 'cause you've gotta, so it takes your time to write them. Then you've gotta submit them and then they get challenged over and over again. You might go through what's called three patent office actions, where they'll go, oh no, this looks like this other patent.

And you've gotta go back to 'em and say, well it's actually quite different and this is why. And they'll challenge it again. And that. So by the time you get it granted, you may have actually had three different interactions with not to get, I gotta say they're not. The patent officers obviously want to make sure that what you've done is, is, is novel and it's not obvious and all those things that they think about.

AJ Nash: Yeah. So first you have to be brilliant and have something worthy of a patent. Then you have to fight through all the processes and do [00:54:00] all the hard work. So, I don't know of anybody you're, I don't know of anybody who has 40. So you're the first I've heard with that, that, with that number, it's a pretty impressive number, frankly.

It's unbelievable. And so if I run into you anywhere and you're staring off in the distance, I now know.

Paul Ashley: What I'm thinking

AJ Nash: Privacy patenting. You're, you're not thinking of the Roman Empire. I'm still trying to figure out the bear and the man in the woods thing. Frankly, I, that's, that's the one I'm still stuck on.

If you see me looking alone, there's a good chance I'm still trying to figure it out. It's among others, but nothing as interesting as yours at least. So, but thanks for that. That's, that's, that's yeah, it wouldn't occur to me. I didn't, I didn't realize just how many patents you had. That's really impressive.

This is why you're here. This is why you're, you're the expert on something and you have a PhD and you're very interesting and I appreciate you taking the time today to sit down with me, especially because we're on the other side of the earth. This is not the world's greatest time of day for you necessarily because I'm set, I'm selfish and I scheduled most things around me, but I appreciate you, it's a good thing you like to get up a bit early, that helps.

But I appreciate you setting this up and allowing me to ask some of these questions. I appreciate you coming in [00:55:00] with, with some really interesting ideas and, and really more than, than just educating, myself and anybody who takes the time to listen or watch this, that we've gone from the centralized approach to the federated approach and now to this decentralized approach on identity and how that's going to make us safer. But it's going to take some transition, some effort and some, some learning for a lot of us to get there. But I love, I love what you've mentioned and the stories and the success stories out of Australia specifically.

And hopefully we can all learn from that because this has come on whether we want it or not. And it sounds like we should want it. So I'm excited about it now and I want to figure out how to learn more and play with it a little bit more. So as we're wrapping up here, first of all, any last thoughts that you want to add before we wrap up, but then the other question, I'll tack these together so you can do it at once is, I just said, I want to learn more about this.

How do I play with this on my own? Like, there's new technologies. Every time something new comes out, there's a password manager or there's a hard token or whatever. I try to figure out how can I find this and play with it? Is there something I can play with now? Or do I have to be a giant corporation and buy something there, something I can play with on this?

Mm 

Paul Ashley: [00:56:00] I would say maybe the first place and, and it depends on what state you are in, how quickly this comes. Do what I did, like when, when the Queensland government where I am announced that we're, releasing a digital driver's license, I didn't say anything about the technology.

So they just said, we're releasing a digital driver's license, and here's the process you go through to get through it. So you have to download their app, which is the wallet, then you have to go through this. And then you get your driver's license into that wallet and then you can present it. And so I went through all those processes and then I played with it and seeing how you can use it.

I'm like, I actually quite, I learned quite a lot about it just from doing that, doing that. So that's one place. There are other wallets out there. You can go on the internet and search for wallets and there are wallets you can play with, but wallets only make sense if you've got something to put into the wallet.

So what will happen over the next year or two? I think you'll be given opportunities to use wallets and use credentials. And I think I would just say to you, listeners, just start playing with it and learn about it from looking at real-world use cases that you can actually play with [00:57:00] it. But depending on where you are, how quickly this will come, as I said, I probably had a digital driver's license for nearly a year now. And I think, yeah, by the end of this year, over 20 of the U.S. states will have them. Probably by the end of next year, maybe all of them will have them. So you'll have an opportunity over the next year to start to play with this, but you may see it in other situations where you don't even realize you're using Decentralized.

At any rate, they've just said, here's a wallet and I'm going to put your health care information into that wallet or something so that you can present it somewhere else. So you may start to see these because obviously when they release it, they don't talk about it. This is the standard, and this is using verifiable credentials, and this using the secure enclave.

Well, they're not going to talk about that. They're just going to say, here's your digital driver's license. So I'd say look for opportunities and just play with it. And it was really quite impressive. The one that we've got here, and I have seen the California one as well. And I think Utah is about to release one. They, they're pretty impressive when you see it because you go, actually, I can turn up to the bar now and just prove that I'm over 21. I don't want to give my driver's license. So once you start to see it in action, you go, this is actually pretty good technology. [00:58:00]

AJ Nash: Very interesting. I just, as you were saying that I did quickly look, I'm in Minnesota. We don't have it yet, but I'll definitely keep an eye out for it and see if I can figure out a way to play with some of these technologies because I think we've got to get ahead. As users, we can't be afraid of these things.

They're going to come whether we like them or not. I think they're good things. We should like them and it gets easier to like things when we're familiar with them and we play with them a little bit. So, yeah, there's 20 states now that seem to be working on this and more coming. So I think the best way to do this is to get used to this and, and, and dig in and learn some of these technologies.

So I'm, again, I'm so thankful you came here today to talk about it. It's not a topic that gets talked about very much in my circle. At least I haven't talked about it at all so far. And I find it fascinating. I'll probably go deep down the rabbit hole now and try to learn as much as I can about it, because it's something I actually will get to use at least. Any last thoughts, anything we didn't cover and then you want to wrap up anything we missed before we call it a day.

Paul Ashley: No, I think, I think we, we, we probably talked about just about everything about this topic. As I said, this is actually something I work on every day. I've probably been in that space for about four years now. And as I said, you, there's a lot of standards that you can look at. All of this [00:59:00] stuff is happening in the standards group.

And, and why I think that's important is you can have some assurance that what, when you get that mobile driver's license, that it is, it is high quality and it's designed well because that in that particular case, that was five years of development to come up with the standard for mobile driver's license. So five years of technical people getting in and talking about what does the credential look like? How does it sign? What cryptography uses and all those things. So they spent five years developing that just so that you could have a digital driver's license. So I think it's a space I would just start looking up.

If you go to the Anonyome website, you'll see where I write papers all the time in this space. There's lots of white papers. We have a lot of blog articles. So just start learning about it because it's coming your way. So you might as well be prepared for it by starting to do that reading and start looking at it.

And there's a lot of material. I said, come to the Anonyome website and you'll see a bunch of different white papers and blog articles we've written in this space. And you'll go, Oh, I'm starting to get this now.

AJ Nash: Very cool. I'm going to check it out myself. Anonyome, by the way, [01:00:00] for those who are not, aren't going to read the notes or anything, it's spelled A N O N Y O M E Anonyome Labs. So if you need to go look them up, very cool folks, down in Australia, special company, I'm really excited to have this opportunity.

So, Dr. Paul Ashley, the Chief Technology Officer at Anonyome. Thank you very much for being here. Really appreciate your time and, and all your knowledge here today. I'm looking forward to learning more about this. Can't thank you enough for spending time here. And for everybody else, that's the end of this episode of Unspoken Security.

Thanks again for tuning in and listening and watching. And, if you like what we're doing, please, likes and reviews and all that good stuff. Subscribes and all the things that keep this going, because again, this isn't about me. I'm, it's fun. I can hang out in my office and talk to Mike all day, but it's about people like Paul Ashley coming in.

It's about folks listening and learning from this and getting experience. So please give me the feedback, do the liking and all the good stuff. So we can keep this thing going and have more of these great conversations. So, that's it. That's the end of this episode of Unspoken Security. Until next time, be safe.
