Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Tim Pastoor: Identifi – Rethinking Identity as a Decentralized Web of Trust
Episode Date: December 14, 2015

Identity is probably one of the most important constructs in our society. In our modern world, protecting one’s identity has become complex, as we no longer rely solely on governments to prove who we are. In addition, most identity sources can be easily compromised. Credit cards and social security numbers weren’t developed with the Internet in mind, and other identifiers such as logins and passwords aren’t well suited to truly secure authentication and authorisation.

We’re joined by Tim Pastoor, Founder of 2way.io, to discuss how we can improve control of our identities using concepts borrowed from Bitcoin. Tim walks us through how people could better manage different identities and build reputation networks using Identifi, a global address book protocol invented by Martti Malmi, one of the very first Bitcoin users. We also talk about what role this system could play in the future as autonomous agents and artificial intelligence become more prevalent.

Topics covered in this episode:
- The history of identity systems and how traditional identity systems are broken
- How the invention of Blockchain technologies changed the way we think of identity
- The Identifi protocol and how it works
- How we can build reputation through Webs of Trust (WoT)
- The future of identity and how Identifi could provide ID for IoT, robots, autonomous agents and artificial intelligence
- 2Way.io and what the company is trying to achieve

Episode links:
- 2Way
- Identifi protocol
- Identifi service

This episode is hosted by Meher Roy and Sébastien Couture. Show notes and listening options: epicenter.tv/109
Transcript
This is Epicenter Bitcoin, episode 109 with guest Tim Pastoor.
This episode of Epicenter Bitcoin is brought to you by Ledger,
makers of the unplugged NFC hardware wallet.
Have peace of mind in knowing your private keys are protected by industry standard physical security.
Go to ledgerwallet.com and use the offer code Epicenter to get 10% off your first order.
Hi, welcome to Epicenter Bitcoin, the show which talks about the technologies, projects, and startups driving decentralization and the global cryptocurrency revolution.
My name is Sébastien Couture.
And I'm Meher Roy.
Today we are going to talk about identity and reputation with Tim Pastoor.
He is an entrepreneur and his startup is called 2way.io.
They're building on a protocol called Identifi,
which tries to build a next generation decentralized identity and reputation network.
So first, we'd like to begin with an introduction from Tim.
Tim, can we have your intro?
I used to work in IT from age 17, and I worked my way up from a help desk support engineer all the way up to IT manager.
And I got interested in Bitcoin relatively early on.
I was already working on complementary currencies before Bitcoin.
But it took me a while before I really understood the importance of Bitcoin and the whole aspect of decentralization.
So somewhere in 2013, I started thinking about the idea of what if we could decentralize identity.
So what if we could issue our own identities without having a government or anybody else issuing it for us?
So we could decide for ourselves which data and which communications we want to link to our own identity or identities.
And that's how it all started.
And somewhere halfway 2014, I bumped into
Martti Malmi, also known as Sirius within the Bitcoin community, who was the first developer
after Satoshi to be working on Bitcoin.
And when I bumped into him, I asked him, when do you think we'll see a truly decentralized
identity and reputation network or something that comes close to that?
And then he showed me Identifi, and it didn't take me very long to see that that was
actually something I was looking for and I was trying to come up with.
And he was already several steps ahead of me.
So from that moment on, I got really interested in Identifi,
and I think about three months later,
I quit the day job to work on this full time.
Okay.
So you've said that we don't have a really good decentralized identity system today,
but we do have centralized ones like, I don't know, Facebook.
Some people might construe Facebook as an identity system,
and you always have the government ones.
What are the big challenges with these systems
that you think necessitate a decentralized solution?
Well, for example, if you look at Facebook, just to mention one,
because it basically goes for most centralized identity systems out there.
When you look at Facebook, then you create an identity on their platform.
So thereby it basically becomes their identity.
And anything that you upload to Facebook is linked to your identity,
but they will always keep ownership of that.
So I think that's a big problem because this way you don't have any control over your own data,
of your own communications.
For example, when I log into Facebook, the connection itself is encrypted.
Then I send you a message and on your end it's decrypted,
but Facebook will always have the master key.
So they will always have the ability to decrypt that information.
So this way there's no real privacy.
There's no real encryption because they always will have control over that information.
So I think that's a big issue where it comes to centralized identity systems.
And another issue, but that's mostly social identities because there are several types of identities.
You have the identity that you are yourself, which lives inside of your head.
You have your legal identity.
So that's probably the one that's being issued by the government, for example,
and you have your social identities such as Facebook, et cetera, but also in the offline
world. So there are several types of identities, and nowadays most of them are issued through
centralized parties, so you don't have any control over that. And they basically also have
control over the revocation of any of your identities because they can simply just pull your
identity and from there on you have no control over it anymore whatsoever. So this way,
people have the illusion that they have their own identities on the internet, but most of the time, they really don't.
So I guess as a thought experiment, you could say that the only sort of decentralized identity we have is the one that we construct ourselves.
Like if I tell this group of people that I'm a startup founder and I tell this group of people that I train particular martial arts and I tell this group of people that I like kit.
Well, that's the identity that I construct and then I'm the one that controls that.
So in a sense, that's probably the up until now, up until we have these decentralized systems,
probably one of the only forms of decentralized identity that we have, right?
Yeah, I agree.
So when you name that example where you tell people different things about yourself,
it's where you, the user, in an electronic fashion, it's a user,
the person, has control over what information they want to share with other people.
And that's basically the only decentralized form we have right now.
And decentralization really means that each party, so in this case, each identity can
control for themselves which information they want to share with other parties.
So the user has to be in control in a fully decentralized system.
So with all these traditional centralized types of identity systems that we've mentioned so far,
we've mentioned Facebook, we've mentioned government IDs, and there are others.
What are some of the problems that we see there?
Identity theft is obviously one of them.
Can you talk about that and perhaps some of the other issues that these systems present?
Yes, of course.
When you look at identity theft, for example, it's mostly because if I want to have my identity
verified by a certain party.
So if I want to trade, say, Bitcoin on a certain website, then sometimes they require me to send a
copy of my identity documents.
There are basically three issues with that.
The first one is that physical documents have security features.
And as soon as I make a photocopy of that, the security features disappear because that's
the whole idea of the feature.
So as soon as I send anybody a copy of any of my physical documents,
the security features disappear.
So you will never be able to really verify
if that's a real copy or if it's Photoshop.
Next, you will have to send it over a communication channel
where it can be intercepted by a man-in-the-middle attack, for example.
So that's the second issue there.
And then the third issue is that once it does arrive
at the other end of the line,
then it all gets stored in a central database.
So this way, you create an information silo with a lot of sensitive information, with a lot of sensitive data.
And when you do that, you become a target to hackers.
So the whole thing, the whole idea here is that if you don't have to process and send sensitive data,
then the chance of becoming a target for hackers also decreases.
And if somebody, let's say I create an identity, which is verified by a bank, for example,
I would simply have in a decentralized system such as Identifi,
it would simply have a public key with a verification from signed by the private key that belongs to the public key of the bank, for example.
And then it will only say that I'm over 18 or that I'm a citizen of a certain country.
So if somebody steals that, then they will only know that a public key belongs to a person that lives in a certain country or is over 18.
But they won't have my social security number then.
They won't have my date of birth or any other sensitive data that can be used for identity fraud.
So you've mentioned the Identifi protocol in this conversation.
Can we know what it exactly is?
All right, yeah, sure.
It's not very easy to explain because it's a relatively new concept.
The software itself, Identifi, like I said earlier, was created by Martti Malmi.
He started working on this back in 2013,
and the software itself is a fork of the Bitcoin daemon.
So it uses the same sort of networking mechanism.
It uses the same sort of command line interface, JSON RPC API, the same public key cryptography.
But what it doesn't use is mining, proof of work scheme, or an objective logic consensus.
So the major difference is that there is no blockchain.
So if I store anything within my own database, I will simply connect to other peers in the network.
I will start flooding this information to other peers on the network.
And if another node trusts me, then they can sign the public key of my node.
And from that moment on, they can verify any information that I'm sending,
thereby they choose to store it in their own database.
That's a very brief summary of how it works.
But feel free to ask because it's a bit of an abstract concept at the moment.
Yeah, so first of all, let's go to one key difference between Bitcoin and Identifi,
which is that in Bitcoin, there's a consensus mechanism and a global database that keeps,
let's say, an objective record of truth.
Like, you know what has happened in the network till now, because you can look at the database
and see all the entries in it.
In Identifi, there is no consensus, which means there is no central global
view of truth, right?
Right. So there is no objective consensus.
So when you look at Bitcoin, you want to make sure that coins haven't been spent before.
And the majority of the network is basically always able to agree on whether coins have been spent
or not when you look at Nakamoto consensus.
So this is purely about objective logic.
But where it comes to identity, it's mostly all subjective logic.
And with subjective logic, the problem is that a majority of people,
will probably never agree on whether a certain statement about the world, an identity,
is true or false.
So I could say that blue is a nice color, but you could deny that.
I could say that you are a good person, a good barber, or a good car salesman, and somebody
else could refute that information.
So that's why the consensus mechanism itself doesn't work like it does for Bitcoin,
and so the consensus mechanism is purely subjective.
So I could verify, for example, that your Facebook account belongs to you.
Somebody else could deny that.
And then anybody who has me in their trust network will see that I have verified that your Facebook account belongs to you.
But if somebody else has denied that, then the people within their trust network will see that according to the people or the person they trust, that they say that it is not true.
So in essence, what you're saying is like in Bitcoin, if you're a node, you have this one database that is the global record of truth.
And you can verify that that global record is correct because you can always verify the proof of work.
In Identifi, when I'm running an Identifi node, I basically have to choose a set of peers.
And I can see what these peers have done in the past, like,
who these peers have approved as being good or not being good.
And depending on my peers, I develop my own view of the world,
the world meaning the identities and reputations of other people.
And all of the users of the identity system can come to different conclusions
about the state of the world.
Yes, that's correct.
So like the example I mentioned with a barber,
when I'm looking for a barber,
I may be looking for one which is cheap and nearby,
but somebody else may be looking for a barber
that is just very good,
and they don't really mind to travel really far
or pay a lot of money for that.
So if I say a barber is good,
then the people within my network,
pardon me,
will probably know what I mean by that,
or they will have their own interpretation of what I mean by that.
And this is,
where the subjectivity comes in
because what's true for one person
can be false to another one.
Let's take a short break so we can go to Paris.
I stopped into La Maison du Bitcoin,
the house of Bitcoin,
at the Ledger offices,
and I met with Ledger CEO, Éric Larchevêque,
so he could tell me all about
the Ledger Wallet Chrome app.
The Ledger Wallet Chrome app
is the perfect companion app
for your Ledger HW.1 or Nano.
We have very powerful and cool features.
Use multi-accounts, for instance, personal accounts, business accounts. This is very useful.
Also, when you want to make a transaction, we use a second factor verification. You can either
use a physical security key or cryptographically securely pair your Android or iOS smartphone
to your nano. This way, when you issue a transaction, a payment, the transaction will
pop up on your Android or iOS phone and you will be able to verify the amount and destination
address. Finally, the Ledger Chrome app has an API with which you can easily integrate
third-party applications. For instance, if you want to create a multi-signature account with Coinkite
or Copay, it will be done using the Ledger Wallet Chrome app.
Ledger is making hardware wallets easy and convenient without compromising on security.
If you want to get a secure setup for storing your Bitcoins, go to ledgerwallet.com and use the code Epicenter to get 10% off your order.
We'd like to thank Ledger for their support of Epicenter Bitcoin.
If you are actually not using global consensus, then why are you using the bitcoind software at all?
Why are these two things linked at all?
Well, I think right now I have to speak for Martti, the man who developed the software itself.
I look at the networking mechanism.
So the way you connect to other peers,
the way information is being flooded to the network,
that's basically for a large part the same as how the Bitcoin daemon works.
The same goes for the public key cryptography,
the command line interface, the JSON RPC API, etc.
So there are a lot of similarities between the two,
but yeah, the major difference is the mining mechanism for the Nakamoto consensus.
So basically, there's technology that had many of the components that he was looking for
and used some of those components to build Identifi,
while removing the Nakamoto consensus, objective consensus mechanism,
and replacing it with a subjective consensus mechanism, which,
subjective consensus, can we call that reputation? Is that synonymous?
Yeah, you could see it as reputation, but reputation is more than just what I say.
about you. So it's more than saying if a person is a good barber. Reputation is also if I
verify or deny that a certain connection belongs to your identity. So it's much broader than just
giving ratings, for example, like you do on eBay or on Uber or Airbnb.
Okay. And so I'm interested in this web of trust, this trust network.
So Web of Trust is terminology that has been around for a long time.
It's used in PGP and other trust-based systems that have to form the sort of subjective consensus around facts.
Can you talk about how the Web of Trust is built in Identifi?
If I have an identity on Identifi, what does that look like?
How do I link to other people, and how do they,
how do they provide assertion or not that some facts that I'm saying about myself are true?
How does that work?
When you look at the PGP Web of Trust, a great example out there is the Bitcoin OTC,
the Bitcoin over-the-counter Web of Trust.
What you basically do is you create a key pair.
So you have a public key and you have a private key.
And if I choose to sign your public key with my private key, pardon me,
then I thereby add you as a first degree connection to my own web of trust.
So I can do this with multiple identities,
and I create a personalized trust network in this way.
And if I add you as a first connection to my network,
and for example, if I don't have Meher in my own network as a first connection,
but you do, then Meher becomes a second degree connection through you
for me.
So this is how you create your own network and how it works, in degrees.
So it works in an exponential way.
So if I have, let's say that I would have 200 people within my own network on a first
degree level.
And if these people all have, let's say, also a certain amount of people as first degree
connections, which I don't have as first degree connections myself, then
I might have 200 people in my first degree network, but to a second degree, I might have 50,000
people in my network.
And in a third degree, I might already have like seven or 10 million people in my own
network.
So this is how you create your own network and you start relatively small, but the larger it grows,
the more exponential the power of the network becomes.
So the further it scales, the better it works.
Okay.
So I'm interested in also, like, how, what does that look like?
So, for instance, if we imagine a user interface for Identifi, so say you have a mobile app,
we can talk about the client in just a minute, because what's interesting about Identifi, too, is that you don't need heavy nodes.
It works really well with lightweight clients, so you could have this on a phone or something like that.
So on your phone, you'd have, you'd create a private key.
and through some sort of, through some way you would send your public key to someone else.
You know, it could perhaps be linked to Facebook or something like that or some other social network.
The key would go to, say, Meher, that I would send my key to.
And then Meher would sign my public key with his private key.
And that creates a connection in my first degree network.
Yeah.
So in the case, the example that you're
mentioning where you run it on a mobile phone.
It's a bit of a hypothesis at the moment because right now the software only runs within Linux.
But it should be able in the future.
Like you said, the software itself, the daemon, is relatively lightweight,
especially if you compare it to a node like the Bitcoin daemon, for example.
So let's say if you would have, if you would both have a node running on your own phone,
then you could connect to each other by signing each other's public key.
So the node itself also has its own key pair.
So what you can do is you can use your private key to sign Meher's node or his public key that belongs to his node and vice versa.
Then what you will do from then on is any information that you store on your own node and that you decide to publish with the world will be flooded to Meher.
Because he has added your node to his own node's web of trust.
And by doing so, he chooses to store any data that you flood towards him.
So if any information comes in, he can verify this by the signature.
He will see that the public key that this signature belongs to is within its own web of trust.
So it's a trusted key.
And then these messages will be stored in his own node.
Can you explain what do you mean by any information that I flood to him?
So there are several types of messages that you can send.
You can, after you've created a key pair, after
you have your public key.
You can, for example, add a URL to your Twitter account or your LinkedIn or your Facebook,
but only the URL.
So the software itself has no need to look at the profile behind it.
And you can also add a Bitcoin address or a name or a nickname or that you live in a certain
country.
But that's one type of message that you can send, which is a connection.
So you connect any type of identifier as an asset or like an attribute
to your identity, which is the public key.
The other type of messages are the ones where you refute these kind of connections.
So if you see that Meher has added my Facebook account to my name,
and you see that it's the wrong one, then you can simply downvote it.
So you can say, no, this is not correct.
So that's another type of message where you refute a connection.
And then there are the messages where you can send a rating.
So I can say Sébastien is a good barber or a good car salesman and I can attach a score to that.
So I could say, is a good car salesman and I give you an eight out of ten, for example.
So these are basically the three types of messages that you can send over the network.
Of course, it would be refuted right away because I'm a horrible car salesman and an even worse barber.
So let's take this scenario where, like, Tim, you are the barber and Sébastien is in my, is a first degree connection for me in Identifi, and let's say Brian is a second degree connection because Sébastien is connected to Brian.
Now in the first scenario we assume that, like, because Sébastien is a first degree connection, if he sends me a message I accept that, right?
Now, if I have, like, say, hundreds of thousands of first-degree connections, then my mobile device cannot, or my, I wouldn't want
all of the messages that these connections make to be stored on my device, because it would
be like a lot of data, right? So even though they're sending me messages, I might only keep
a very small fraction of these messages, right? Now, so let's say now actually Sébastien has
rated you as a barber, but I have not kept that message on my computer because I,
I don't keep whatever he sends to me.
I trust whatever he sends to me,
but I don't keep it with me.
And now I want to go to your shop and you are the barber
and I want to see what does my web of trust say about Tim as a barber.
How do I discover that Sébastien actually put something for you there?
Well, if you don't store messages,
then it's, of course, rather difficult to make any decision based on that.
but I could still be able to show you those messages as a barber because he has sent the ratings to me.
I can choose to store those ratings and whenever you walk into my shop and you say,
well, do you have any rating from these persons, for example?
I could also show it to you the other way around.
It doesn't sound very effective or very efficient this way,
but it is an option where I can show you the message and you can still verify that,
Sébastien has signed this message because you can check the signature and the public key.
And yeah, if that suffices for you, then that will probably be enough information for you
to base your own decision on.
And if you still don't trust me because you say, you could say, okay, maybe you've generated
this yourself.
The chance is highly unlikely, but you could still assume that.
Then you can still double check it with Sébastien,
if that information is correct or not.
And that could be automated.
So in a sense, like what I'm trying to ask is this kind of approach seems to have like an
inbuilt search problem.
Right.
Like, so what is what is really happening is everyone's writing, like let's say, let's assume
a world in which everyone is using Identifi and everyone is putting stuff about all of the
interactions that are happening.
If say I go to buy a barbershop, I put a rating for him.
I go to a car wash, I put a rating there.
So everyone is generating a lot of reputational data.
And it seems to me that, like, in order to actually figure out what my Web of Trust says for somebody,
I actually need some kind of search engine.
I actually seem to need some kind of search engine where if I go to a shop, I can see what my Web of Trust said about it.
but then the search engine is itself a point of centralization because we don't have a decentralized search engine, right?
Right.
So what you can do with the example where you don't store the information yourself,
maybe there will come at some point where there are so many messages that you simply can store them on your phone.
In that scenario, you will need many connections and a lot of messages.
just looking at what mobile phones are capable of nowadays
and what the database size of an Identifi database is.
But what you could do is you could also choose to trust a public node
to store this information for you.
So somebody could provide a service where they say,
okay, if you want, you can also trust us,
you can flood your information towards us.
We will store it for you and you will pay, let's say, a certain fee
that could be per month or per API call, per query.
And where it comes to searching, it's very interesting, I think,
because if you look at centralized search engines,
they basically always work based on blacklisting.
So if you look at Google PageRank, for example,
the most well-known reputation system in the world probably,
that basically everybody uses every day,
you see that first they try to crawl through all the data.
So they try to find all the data on the web.
And the thing they do next is they try and filter out irrelevant information.
So, for example, stuff that has to do with child pornography or terrorism, et cetera.
So they decide what you will get to see.
But what you could do with something like Identifi is you could turn that concept around.
So you could have all the information available.
And then I could filter by my own first degree connections or second degree connections.
For example, if I go look for a barber, I could either Google that to see which barber
is closest by.
But if I would use something like Identifi, I could look for a barber.
I could first see if any of my first degree connections say anything useful about it.
If they don't, I can then filter a bit more outwards by my second degree connections to
see if any of them has to say anything useful about any barber, which
is relevant for me. And this way I can personalize search even further in a decentralized fashion.
Okay. So in Identifi, do you have any like any namespace at all? Or do you have a global list of
names or global address book or something like that? Well, the namespace itself is undefined.
So it uses the public key namespace. You create a key pair and you can
basically attach any type and any value to your public key.
So I could say the type is name, name is Tim Pastoor.
I could say URL and Facebook account or I could say is over 18, yes, etc.
So the namespace itself is totally undefined.
So this way it can be used for, for example, if you look at Namecoin,
you have certain namespaces which are predefined that you can use.
So you could also use these within Identifi,
but you're not limited to anything that's predefined in any way.
So there are no namespaces as such with Identifi,
but you could always use something like Onename or other services.
You can mold them on if you wanted to.
Yeah, right.
You could, for example, attach your Onename account to your identity. You could attach your Uber profile,
your Airbnb profile, or you could create separate identities, so that you create one identity that you
link to your Uber and one that you link to your Facebook account, for example. So this way
you can decide for yourself which identity you want to link to
any of your social identities or so.
So with a system like this, the same goes for, you know, social networks and things like that, is, you know, you need,
it's mostly relying on network effects, you know, because you want to be where your friends are.
And if most people are using Identifi or some other identity system, well, I guess my question is, are you concerned
about fragmentation in this space because there's other protocols out there.
There's like the Blockchain ID protocol, which of course Onename is using.
Then you have Keybase, which is mostly for PGP, but one could imagine that they get into
more identity-based stuff and then Identifi.
Can there be multiple identity, decentralized identity protocols in this space or competing
with each other?
Are they compatible?
What are your views on that?
Yeah, I think
that Identifi could be complementary to many of those systems. So for example, if you take Onename
and Blockchain ID, I think it's a good example to prevent man-in-the-middle attacks. So if I want
to verify an identity and I do it through a website, then I still do it through a centralized
mechanism and I can still become a victim of a man-in-the-middle attack. But when you
publish, for example, you're naming your public key to the blockchain, then you can double check
it on the blockchain, which is immutable. So this way you can prevent a man-in-the-middle attack.
So I could create a Onename account, and I could attach it to my Identifi profile.
This is all in a public setting, where we use it to create our own personal networks on more
of a global scale. But what you could also do, this is a bit more hypothetically,
but theoretically the proof of concept should prove that this works,
is that if I have two information silos,
I could add two Identifi nodes to each end,
and then I could add a request handler,
so I could say, okay, I have two information silos,
which are very difficult to connect to one another
or to have them exchange data among each other.
So what I could do is I could put an Identifi node or two between them with a request handler,
and then I could send specific requests for specific information.
And when I do that, I already know the public key of the other nodes.
So any requests that I send can be encrypted purely for the node on the other end.
And when that request is being handled by that node, they can check according to their own web of trust.
So to see if that information that's being requested, if that can be returned.
And if it can be returned, it can be extracted from the database.
It can be encrypted for the receiver on the other end because both parties know each other's public key.
And then it can be sent back to the other party.
So this way you can not only use it for humans, but also for machines.
So you can also create trust networks for machines.
Okay, and we'll come back to machines in a few minutes because that's something that I think I'm really interested in as well.
But first, coming back to Identifi, let's talk about security a little bit.
If you're dealing with a decentralized identity system, conserving and preserving the integrity of your private key is really important because then someone can just take your identity.
What happens with Identifi when your private keys are stolen?
Well, if you look at the prototype on identi.fi, it's a prototype for a front end.
So anybody can download it from the GitHub and run it for themselves.
And what you can do there, or it's an example, you can log in with your Facebook account on your node.
And when I log in with my Facebook account, the only thing I do is I set up a session with Facebook.
And the node can verify that I've set up this session.
So then the node will know that I am in control over this Facebook account.
After I've done that, it will create a key pair for me.
So if I lose my control over my Facebook account, for example,
I can reset the password and through my mail.
I can use the forgotten password function on the Facebook website.
And then I can reset my password through my mail.
And then I can log in again on my Identifi
node and then I will have access to that same key pair again.
So that's one solution that can be used.
You could also use more privacy-friendly options.
So in that case, the key pairs are being held by Identifi and released to you when you sign
in with Facebook.
Did I understand that correctly?
Right now, when you have a node, then the node will generate a key pair for you.
So in the future, you could run your own node.
That's the idea.
Or you could generate this on the client side.
You could use something such as BitAuth, for example, which was created by Jeff Garzik and the team at BitPay,
which uses the same principle where you have the idea that you type in an email address and a password,
but this way you can actually generate a key pair on the client side.
So this way you don't have to send a password to the other end of the line
and you can still prove via a signature that that's really you.
So the only idea there for logging in with Facebook or Twitter or Google or Mozilla Persona
is that you prove that you are the owner of, let's say, a Twitter account.
And when you do that, then the node will verify that.
It will sign for you that this Twitter account or this Google account has been checked.
So next time, if I lose control over that account, I can reset the password and I can have access again to the key pairs.
And so one could also, I guess, use something like the FIDO protocol or something perhaps a bit.
If you really want to have control over your keys, you could use something like a Ledger to store the private keys on some of the device or even on your mobile
with the secure element type stuff.
I mean, in the future, I presume that the idea is that this is somehow connected to biometric information, right,
that you can prove your identity through iris scan or fingerprint data or some other biometric information.
Yeah, that could be. Personally,
but this is my personal point of view,
I'm not a really big fan of biometrics.
Because if you ever lose, you know, it's not really difficult to go door to door and get fingerprints off the doorknobs.
And after you've changed your fingerprints 10 times, you've run out of fingerprints.
You can then use your toe prints and then after 10 times you've also run out.
And the same thing goes for your iris, that if somebody has a copy of your iris or knows how to duplicate this in any way,
then the rest of your life you will have issues with that.
So that's just a small side note why I'm not a really big fan of biometrics.
But what you could also do is use the multisig principle.
So if I have, let's say I have three devices, I have my laptop, a tablet and my phone.
They could all have their own identity.
And as soon as my phone gets stolen, for example, I can use the other two devices to
downvote the public key that belongs to the node on my phone,
and I can thereby automatically update everybody in my own network that my phone has been stolen or that it has been compromised.
And as soon as if it turns out that, for example, my phone was in the fridge because I accidentally put it there,
then I can simply upvote that key pair again and then I can let everybody in my own trust network know.
I can flood this information to them like, oh, I found it again.
This device is still trusted.
So I think that the multisig principle is really interesting here.
Also, where it comes to generating key pairs through social media accounts, for example.
So if I would lose control over my Facebook account and if I had no way to regain access anymore,
I could use two other accounts or three or five to downvote that account and update everybody
in my own trust network that that account has been compromised.
Today's magic word is identity.
I-D-E-N-T-I-T-Y.
Head over to letstalkbitcoin.com to sign in, enter the magic word, and claim your part of the listener award.
In the conversation that went by, the question of, like, identity for devices came up.
Like, is the Internet of Things and identity linked in some way?
Yeah, I believe so,
because let's take the example of a fridge.
If I would run an Identifi node in my fridge somewhere in the future and my neighbor would do the same thing,
then when my neighbor orders food, let's say they order milk.
And once the milk arrives, once it has been delivered, it turns out that the milk has expired.
What you can then do is that if that fridge is in the trust network of my own fridge, it can send a message to my fridge that they have ordered milk from a particular supplier that it has arrived maybe on time, but that the milk itself already was expired when it arrived.
And then from there, I could, if I control my own fridge, I control the node on my own fridge,
I control the software on my own fridge, and I could set a threshold that if anybody, if any first-degree
connection receives anything that has expired, not to order from that supplier in the next two or three
days, for example.
But this way, you can tie identities to devices.
And when you look at, you could run an identity, another example, you could run an Identifi node as a sort of a firewall.
So for the Internet of Things, where it comes to your home where you have a garage door connected to the internet or the lighting in your house,
if I would use an Identifi firewall, sort of firewall, a node running within my own home, I could say only my phone, only my tablet can connect with that device.
And if it doesn't contain the right signature, this message, then it will simply do nothing.
So in that case, somebody could hack my Wi-Fi connection, but as long as they don't have the private keys that belong to the devices, which are whitelisted to control those devices, they still can't do anything to it.
So we talk a lot about decentralized systems and how they'd be great for IoT.
There's been a lot of talk about that.
And, of course, there have been some proofs of concept, run by IBM and others.
But I have a hard time seeing how that's going to play out exactly.
And so, let's take Identifi, it's obvious that this would be a good system
for IoT, for devices to have identities.
And we can go even further and say that like an Ethereum DApp could have an identity.
But specifically regarding IoT, what incentive would device manufacturers have
to implement this type of technology in their devices?
Well, I think, first of all, security,
because if your fridge can hack your car,
then we have a big problem.
So you want to ensure that only trusted devices
can communicate with each other.
So I think that's probably the most interesting proposition
for hardware suppliers.
And is that, is there a specific incentive
for them to implement a decentralized system like this because they already have
security systems that will manage permissions and things like that. They're centralized, of course.
But if you had to go to a device manufacturer and say, like, because I mean, we'll talk about
your company later, that's essentially, I think one of the things that you do is try to promote
this technology. If you had to go to, I don't know, Fitbit or like Samsung and you
had to tell them, all right, we have this technology, it can benefit your customers.
How would you sell it as opposed to like a centralized system of permissions that they would
implement?
I think that a major difference there would be that if any hardware supplier would use this
within their own hardware, then they would have a very big advantage compared to the competition
because a decentralized system, it means that you as a user who buys their
hardware has control over whatever you buy.
So it's very privacy-friendly, it's very secure.
And I think that's a very interesting selling point,
especially because there doesn't necessarily have to be a trade-off with usability here.
And that's normally the issue that if you want security,
then you have a trade-off with usability and the other way around.
But with this system, you can have security on the back end,
and you can build very secure UX-friendly applications on top of that.
And I don't think there's any system out there at the moment which lets you do that.
So I think they would have a big advantage over any of their competition if they would do that.
This is like a very interesting concept.
What you are saying is basically just as we think that humans will have,
so in your system every human has a subjective view of the world about the reputation of other humans or, you know,
Similarly, like, machines could have their own subjective view of the world about the competence of other machines, right?
So, so basically, yeah, I don't even know how to take a good example with it, but like my drone could rate your drone that your drone has a tendency to run into, I don't know, I don't know, windows and break them or something like
that. And some other drone could look at what my drone has rated your drone for and
conclude something about your drone. Something like this, right? Yeah, it's something like that.
Or you could connect it too. So you could have drones that establish permissions for each other,
for example, or if they build up a good reputation with each other because they don't fly
through each other's airspace, I don't know, then that they will start sharing more permissions
if the owner of the drone decides that that's a good case.
But you can also combine these devices with humans.
So I could use this software to find a drone operator,
which is best suited for me to deliver fragile package, for example.
But another, which is maybe a more interesting case where it comes to hardware,
is probably a trust-based mesh routing.
So if I trust certain routing devices,
then I could choose to send information only through trusted parties.
And you could all do this through a public key cryptography.
So I think it's a very secure way to connect both humans and devices.
I mean, like your ideas, they all seem very awesome.
It's like what I like about what we have talked until now is it's decentralized.
The data is open.
and basically this can scale infinitely, right?
Like if you have, if you basically solve the search problem,
how do I figure out, search for data,
then you can scale it really well.
Like the kind of questions I'm having in my mind are,
A, it seems like a complex system, right?
Like everyone needs to, everyone needs to have their own identity,
certify the identities of other people, then give reputations on other people, and only when it
gets to a certain scale, it becomes useful. And it seems very similar to the PGP web of trust.
So I'm kind of wondering, and recently I was at the Ethereum DevCon. And there, in the Ethereum team,
you have this person who's called Vinay Gupta.
I'm not sure if you have heard of him.
He's an old cypherpunk from the 90s
and he was talking about this PGP Web of Trust.
And what he was saying is
that the ideas for building a web of trust
have been around for a long time.
And the reason they did not actually permeate through into society
is because their user interfaces
and applications were just too complex.
Like nobody wanted to handle private keys
and nobody wanted to go to key signing parties
and build this actual web of trust.
Do you have any ideas on this dimension?
How do you make it usable?
So Phil Zimmermann, who is the inventor of PGP?
Sorry.
Not sure what's up today.
Okay, I'll rewind.
So Phil Zimmermann, the inventor of PGP,
he recently said, I read a news article about this, that he believes that PGP isn't
user-friendly enough. And he used that as the excuse for why he doesn't use it himself. So
the inventor of PGP claims he doesn't use it because it isn't user-friendly enough. So when you
look at Identifi, then on the backend, it's very technical. It's rather complex. As you can see
right now, it's already difficult to explain the concept itself. It's rather abstract. But once you
grasp that, then you can build very secure applications on top of it which can be very user-friendly. So
if you go to identi.fi, for example, I'll admit it's not the most intuitive user interface at the
moment, but it's a prototype. It's also a proof of concept to prove that you can build something on the
front end which is relatively user-friendly,
which communicates through the API with the backend to combine it with security.
And this way you don't need a trade-off between usability and security in order to use a web of trust.
Okay. And do you see like any use case?
Like part of the challenge here is like pure network effect.
I already have a list of friends on Facebook.
and you could think of my friends list as me having signed the public keys of my other friends, really.
You could see it that way.
So there are already these networks that handle identity and reputation.
Do you see any particular place where Identifi could have a foothold?
Well, one of the most interesting possible use cases I see myself is probably BitcoinTalk.org.
It's interesting for multiple reasons.
First of all, Sirius, Martti Malmi, who created Identifi, is also the guy who set up BitcoinTalk.org originally.
So there's a nice connection there.
But I primarily mean it because if you go to BitcoinTalk.org, if you are familiar with the forum, then you'll probably know that there are a lot of trolls.
There are a lot of sock puppets.
So for most people, there's a lot of irrelevant information there.
So if you would have a browser plugin that would connect to your
Identifi node, you could simply downvote all the trolls and if you would do that and I would
trust you and you would decide to share your own web of trust with me or your own filter of what
you have filtered. So then I could apply this filter to my own view. So this way you could make it
a business to downvote trolls and I could pay you, for example, per update to use your filter
on top of the BitcoinTalk.org forum.
So this way I could filter by relevant information based on my own web of trust.
And I think that that forum is a very interesting example.
And I'm curious to see if anybody will pick up this idea.
Well, that could be really useful in a lot of places, not just BitcoinTalk, I guess.
Right.
Yeah.
Everywhere on the internet.
Agreed.
So let's just sort of, I would like to talk about the future of identity and where you see
this going. Right now, obviously, the most trusted source of identity, I think, without a doubt,
is national identity cards. So the identity that the government vets is our true identity,
at least in a broad circle, and perhaps in a close circle, that's not necessarily always the case.
But what do you see as the future for government identities and will we continue to have
government identities as sort of the trusted ID when you go somewhere and you need to show your
ID that you'll show this? Or do you see that as something resembling
more Identifi, that's more decentralized and where you have multiple parties
vetting your identity?
I basically see two possible scenarios.
The first one is the one where big corporations will issue our
identities and will therefore have the control
over the data and the communications that are linked to our identities.
We already see this with Facebook and Google and LinkedIn, etc.
But I think it can go even further because right now here in the Netherlands,
they're working on a new digital ID system and it will basically be controlled by the big corporations.
So that's one option, one possible scenario I see.
The other one, which is a bit more hypothetical, is the one where the whole world
would be using Identifi.
So what you could do there is if I would create an identity, I could have it signed by the
government.
So next, I could simply bring my public key to anybody else who also trusts the government
that has issued that verification to my ID.
And I could simply show them, look, I am a real person and that has been verified by the
government.
So if they then also have that government within their own web of trust, they can verify
the signature. But you don't necessarily need the government for that because if I live in a small
village where everybody trusts the local barber again or the local butcher, then they can do the same
verification. They know that I am Tim Pastoor. I come there every day. So if the butcher has verified
that I am Tim Pastoor, then most other merchants in this small village will also trust that I am
Tim Pastoor because they trust the butcher. So in this way it becomes this way you see that
information silos start to break up and that humans themselves can have more control over
their own identities. Another interesting thing there is where it comes to those verifications.
You could theoretically have hierarchical deterministic verifications. So, for example, the DMV or
the DVLA, as it's called in the UK, can issue a driver's license to me, which could be
hierarchical deterministic, which means that every time I have to show my driver's license, for
example, at a routine check, when the cops pull me over, I could show my identity. I could
create new verification out of the master key that the DMV has provided to me. And I could then
show them, okay, look, this is my identity and it has me verified that I have my driver's license.
Then the cop could simply scan a QR code, for example, and they will see a green check mark,
okay, this is all right. They can double-check it with the DMV, with their node, and they will see, okay,
this person really has a driver's license but next time that a cop pulls me over I could create
another verification from the same master key so I could I could create a new identity per
interaction and this way it becomes much more difficult to link multiple interactions
to one identity. So I think that's much more privacy-friendly. These are just a few of the options
that I see possible with a system like Identifi or any other system like that will hopefully
one day come out on top. So what you're saying is you're decoupling the fact that you have a
driver's license from your ID, from your identity. So essentially you can tell that police officer,
okay, I have a driver's license while staying private.
And I guess you could also do this for age verification.
So for instance, if you're buying alcohol, you could simply prove to the person in front of you that you are 21.
If you're in the States, you're parts of Canada, you're 18.
And if you're in France or Europe, then you're like 12.
And without showing your, without actually giving up
your identity, which I guess could be valuable, but I think could also be seen by the state as
something that is undesirable. I had one last question before we move on to your company,
2Way. So we talked about this idea that devices and perhaps even applications could have identities.
Do you see a problem arising from the fact that humans and artificial
intelligence, applications, devices share the same type of identity system? Do you see problems
perhaps arising from that, or do you think that's totally fine? I don't really see a problem
there because if the user has control over the machine, then it shouldn't be a problem. But when
once artificial intelligence and deep learning, et cetera, finally becomes like a
real big thing, then you could have some other implications, but I'm not too scared of that
at this moment. Yeah, the machines could all downvote us en masse, right? If the machines turn
malevolent and they'll all downvote us and screw us out of the web of trust. Yeah, but the thing is
that if somebody downvoted you, they only remove you from their own personalized network. So
it will only have an influence on themselves.
And the parties that decide to listen to them and trust them, of course, because they can also
see that information and they can see that a certain machine perhaps doesn't trust the
human.
And then the other machine, which is controlled by another human, could be able to decide
for itself whether it still wants to communicate with the untrusted human, or so to say.
So that's a very interesting case to think about a bit more.
But as long as people keep control over their machines,
I don't see this as a big issue
because Identifi itself,
it doesn't try to automate trust.
It just collects everything that's being said.
It presents it.
So it organizes trust.
And then the human will always have to make the decision
on what they want to do with that information or not.
Okay, cool.
So one final topic before we close off this great interview is, yeah, you have a company which is 2Way.io.
And this company is different from the Identifi protocol itself.
Identifi is the protocol and 2Way.io is the company.
So what is 2Way.io trying to do?
What are you going after?
The main goal at the moment is to stimulate the development of Identifi itself.
So what we're trying to do is we're trying to create a platform for developers to make it more accessible,
Identifi, the software itself.
So that's documentation.
We're working on setting up a forum, a wiki for the documentation.
And we're also trying to create a platform where developers can come together to
build things together based on Identifi.
So that's basically our main goal.
And we're trying to support this through building custom solutions for customers.
And we also do consultancy work where it comes to blockchain identity and reputation.
Cool.
Well, that sounds very interesting.
And of course, I think this is a really interesting sort of idea that we could have
decentralized identities.
It really disrupts sort of centuries and perhaps millennia of the way that we've thought about identity,
much like Bitcoin has really disrupted the way that we think about money.
So I think this was really a good interview.
And I'm really interested in seeing where this is going to go in the future.
So thanks a lot for coming on today.
Thank you very much.
And I really enjoyed being on.
And if you have any further questions or anybody in the audience, if you have any questions, feel free to reach out to me.
You can go to identi.fi and look me up or simply Google me.
Great, and we'll have links to that in the show notes as well.
So that's it for our show today.
Epicenter Bitcoin is part of the LTB network.
You can find a lot of great shows and content about Bitcoin,
cryptocurrencies, blockchain technologies and all that stuff at letstalkbitcoin.com.
We release new episodes of Epicenter Bitcoin every Monday.
You can subscribe to the show on iTunes, SoundCloud, or your favorite podcasting app
on iOS or Android, and also you can watch the videos on YouTube, of course.
And if you're a loyal listener to the show, you can always leave us a review on iTunes
or anywhere else, really, that you can leave us reviews.
We greatly appreciate it.
And if you do so, just send us an email at show at epicenterbitcoin.com,
and we will send you a free Epicenter T-shirt.
That's right.
You just leave us a review.
It could be, you know, just whatever you want to say.
You know, just believe it for it's a review.
We'll send you a T-shirt.
And, of course, you can always send us a tip.
and the tipping address will be in the show description.
There is one more thing I want to add.
We're looking for developers.
So we're looking for a WordPress developer
to help us build a new website.
It's not a very big job,
but we still need someone to help us do it
because I personally don't have time anymore
to work on that kind of stuff.
So if you're good with WordPress
and building templates and things like that,
please reach out to us.
You can reach out at show at epicenterbitcoin.com as well.
Thanks so much,
next week.
