Digital Identity on the Web


In this episode Heather Flanagan educates me on verifiable credentials and Verifiable Credentials (trust me, there’s a difference), digital identity on the web and the kinds of socio-political issues that come up in implementing these kinds of technologies.

Show Notes

This episode is made possible thanks to my sponsors. Help me continue to make contributions to the web by sponsoring my work.

Socials

You can follow Heather on Bluesky or Mastodon.

You can follow Lola on Bluesky: lolaodelola.bsky.social and Mastodon: mastodon.social/@lolaodelola


Transcript

[00:00:00] Lola: Welcome to this month's, What the Spec?! First up, I want to say a big sorry for the delay in this episode. This was supposed to come out in July, however, I've had so much on my plate that it has just meant some things have had to be pushed to the back burner, but thank you for your patience. I also want to mention that this is going to be one of the last three episodes to be released.

[00:00:29] So there'll be two more episodes after this episode and that will mark the end of season one for What the Spec?! Thank you so much for coming along for the journey, and I hope you enjoy this episode and the two that will follow. This month I'm joined by Heather Flanagan and we are gonna be diving deep into verifiable credentials, digital identity, and more. Thank you to everybody who has been so supportive, whether that's through listening, leaving reviews, [00:01:00] or sharing or donating. If you would like to donate, please visit give.lolaslab.co. Thank you and I hope you enjoy the episode.

[00:01:13] Okay, welcome to What the Spec?! Today I am going to be talking to Heather Flanagan and we are gonna be covering all things verified credentials. Heather Flanagan has a CV longer than I can recall right now, so I'm not gonna go through every single thing she's done and contributed to the web, to privacy, to identity.

[00:01:39] Because she is a big time change maker in this space. I'm gonna let Heather introduce herself. Heather, how are you?

[00:01:48] Heather: I am well, thanks so much for having me on. I asked someone very fairly recently, a good friend of mine who I've known for a long time, I said, so what is it that you think I do for a living? [00:02:00] And he looked at me and he is like, oh, that's easy, you're an idea super spreader. But I'm like, okay, I see where you were going with that, but maybe too soon to call anybody a super spreader.

[00:02:12] Lola: Yeah,

[00:02:13] Few more years before we can start using that language

[00:02:16] Heather: Just a few. Just a few. But at least for the topic of this call I am and have been heavily involved in the open standards world since around 2011, 2012, and at least as of right now, I am co-chair for a lot of interesting groups, including two within the W3C, well, three technically within the W3C, the Federated Identity Working Group and the associated Community Group and also the new Exploration Interest Group, so something that's supposed to be helping vet and form some new things that might be coming into the W3C, but I'm also still heavily involved in the Internet Engineering Task Force, the IETF, where I'm a working group chair for Secure [00:03:00] Patterns for Internet Credentials, which starts to touch on some of the interesting identity problems in the non-human identity space. And also the chair for something called Hot RFC, which is a fun little lightning talk moment that happens at the start of every IETF meeting for come in and talk about, you know, you've got four minutes, what's your idea? So lots of different roles, lots of different opportunities. A lot of opportunities to see what are the smartest people in identity thinking about where the world should go, and that's a lot of fun.

[00:03:33] Lola: You mentioned a term there just now, non-human identity. What is that?

[00:03:39] Heather: So non-human identity is, I'm a really bad person because I keep thinking of them, they're like roaches because there's so many more of them than there are actually people in the world and you know, nothing is going to ever make them go away. Non-human identity touches on the space of your APIs, it touches on the space of the workloads that [00:04:00] happen if you're an old time SysAdmin, which, technically I sort of am. It's the cron jobs that spin off and then those jobs spin off something and then those jobs spin off something else. If you're however much more into the human space, you've probably thought of non-human identities as those entities in your HR system that aren't actually people because they're your test accounts or they're the, you need, you need a guest badge, but badges are maintained by your HR system, so you've got these in your HR system. Non-human identity actually encompasses all of that.

[00:04:35] Lola: When we think identity, we definitely think of humans. Identities are very kind of like sociological concepts where it's like about who you are, what you do, the cultures you come from, and you know the cultures you exist in and so it is interesting that in tech it's not really about that. Would you agree?

[00:04:57] Heather: It's only about that in as much [00:05:00] as that sets a certain level of expectation for what does your digital identity do?

[00:05:05] Lola: Mm.

[00:05:05] Heather: What does it hold? How is it used? That, I mean, a lot of that is influenced by, well, how do you think of your online experience? For example, let's say you're from an area of the world where you have absolute faith in your government.

[00:05:25] Lola: Mm-hmm.

[00:05:26] Heather: There are places like that where they actually have faith in their government. I don't live in such a place at the moment, but that's a whole nother story. But no it's the, okay, I trust the government, the idea that they're giving me, that they're looking out for my interest and so you may very well just default towards a government digital identity. However, you may be in a country where you don't trust your government, and there's different levels of what I mean by trust in this respect. And depending on that, you may want a lot more. You know, your digital identity, it sounds like it's a one thing, but maybe you have [00:06:00] one I only use this for government, but I have other ones that will do more to preserve my anonymity online that I feel like I can trust more. And so it diverges; it does come back to something of a societal, cultural expectation that then plays out in what and how you use the credentials that are presented to you.

[00:06:19] Lola: I think we're gonna get a bit more into the relationship between identity credentials and government a bit later on. But before we get into that, I'd like to really just have some definitions so that our audience isn't lost while we're having this conversation.

[00:06:37] Heather: Absolutely.

[00:06:38] Lola: What is a credential, specifically? What is a web credential?

[00:06:42] Heather: Oh well.

[00:06:45] Lola: I feel like I started with the biggest question.

[00:06:48] Heather: That's, that's like saying what is a digital identity? It sounds like a simple question to ask, doesn't it? And yet, you know, our field is still new enough that we don't always have clear [00:07:00] definitions for all our terms. You can actually get people to argue what, what is authentication?

[00:07:06] I never thought it was a hard question, but apparently it is. What is a credential? A credential is a collection of information about a subject they would then use to do any number of activities. Either authentication, which basically is saying, yes, I'm the same entity that showed up last time.

[00:07:28] Lola: Yeah.

[00:07:28] Heather: It might allow for identity verification. So it's not just I'm the same entity that showed up last time, but here's information that you can check about me to say that, in fact, I am, you

[00:07:41] Lola: Who I say I am.

[00:07:42] Heather: Who I say I am. It can include information that allows authorization decisions, not just I am who I was the last time I was here, and you can verify that information against me being a real person or a real entity, 'cause non-human identities count here too. And in fact, I'm allowed to [00:08:00] access the thing I'm trying to access.

[00:08:02] Lola: Right,

[00:08:02] Heather: So it's something that enables, can enable all of those things.

[00:08:06] Lola: And I guess in a real world scenario then an email can act as a credential, right? Like you could use an email to gain authorized authentication,

[00:08:20] Heather: Is more like an i, it's more like an identifier, it's like a label. An email is more like a label to something, whereas the credential, it has a little more, it has a little bit more power than that, I always thought.

[00:08:34] Lola: So when we talk about Verifiable Credentials, then... I came across this term at a TAG away day earlier this year, and we were trying to understand Verifiable Credentials because we wanna try and write a finding on this stuff. But as you mentioned, a lot of this stuff is still very new.

[00:08:56] And you know, you type in Verifiable Credentials into Google [00:09:00] and a whole bunch of stuff comes up that's not just the specification and it's kind of hard to pinpoint like what exactly we mean. And I'm not trying to get you to pinpoint what exactly we mean, but for the purpose of this discussion, when we talk about the W3C Verifiable Credentials, what is that?

[00:09:18] Heather: So one of the things I do for a living is I write a lot. I write for fun in my own blog. I write for others, I edit other people's material, and the term Verifiable Credential is one that I do tend to get on a soapbox about a little bit if it's written with capital letters as if it is a proper noun.

[00:09:36] Lola: Yeah.

[00:09:37] Heather: Then you're talking about the W3C Verifiable Credential specification, and specifically how it's defining digital credentials that can be cryptographically verified.

[00:09:48] Lola: Right,

[00:09:48] Heather: That's, that's what the W3C Verifiable Credential spec is all about. It's a digital credential that can be cryptographically verified in a very specific manner.

[00:09:57] Lola: Yeah.

[00:09:58] Heather: That said, not every [00:10:00] entity wants to use that term and it's also starting to move into a situation where it, it's like saying Kleenex when you mean tissue.

[00:10:08] Lola: Right,

[00:10:09] Heather: It is a, you know, Kleenex is a brand name, and if you use it with capital letters, then by goodness you should be talking about that

[00:10:13] Lola: about the brand.

[00:10:15] Heather: But if people are doing it with lowercase, verifiable credentials, then it's probably any kind of digital credential that can be cryptographically verified. It just takes too long to say,

[00:10:25] Lola: Yeah.

[00:10:26] Heather: if you go to something like the US National Institute for Standards and Technology, NIST, they don't use the term verifiable credentials, they use the term verified digital credential. Other groups just say digital credential when they actually mean something that is cryptographically verified and, you know, set in a contained pattern. If anyone gets curious that's one of the things I wrote about because I find this very frustrating -- how many people don't know what they mean when they use the term, and so one of my blog posts was about digital credential terminology.

[00:10:56] Lola: That was one of the things I read in preparation for this, and I would [00:11:00] encourage listeners to go on Heather's blog -- the link will be below in the show notes -- because Heather definitely writes very frequently. You're always gonna learn something from her blog, especially if you're interested in the identity space, there's always an interesting nugget of information.

[00:11:18] And so when we talk about the cryptographic element of this, we're talking about basically securing the credentials, which is then to say that these credentials are potentially sensitive, like it's personal identifying information potentially. I guess another way to frame this is who would be verifying the credential? Who is this for? Is this for governments to interact with citizens? Is this for companies, private companies to interact with customers? Who is this for?

[00:11:51] Heather: So when, when you're working in the model that would actually use and I'll go ahead and use the term verifiable credentials since, since that's where we started but I'm using it in [00:12:00] the lowercase term for what it's worth. If you're talking about that particular model, then you're probably talking about something that has the entity that issued it,

[00:12:09] Lola: Mm-hmm.

[00:12:10] Heather: the entity that's actually storing it and the entity that wants to verify it,

[00:12:17] Lola: Mm-hmm.

[00:12:18] Heather: these are called the issuer, the holder, the verifier,

[00:12:22] Lola: Right.

[00:12:23] Heather: The issuer is supposed to issue this credential to, and then the, the holder, a wallet, for example, holds it. When the issuer issues it, they sign it in a way to say, no, no, this, I actually, me, the government or me, Costco, or you know, Waitrose or whoever, my organization actually issued this thing and it has not been changed since I issued. It actually has nothing to do with what the content actually is. It may have no PII in there at all. It's just the, yes, I, I am asserting that I issued this thing and you can check to make sure it wasn't changed.

[00:12:58] And the fact that I am the issuer [00:13:00] great. At that point, it kind of, they're supposed to step back. They're not supposed to actually have further information about when a verifier comes in and says, excuse me, I, I'm looking for information about, I need, I need credential information about is this person a member of this club?

[00:13:22] Lola: Mm-hmm.

[00:13:23] Heather: Is this person a citizen? Is this person over 18? There's any number of use cases or it's, but is this person A, and the holder, the wallet gets that query and says, Hmm, I can answer that, I'm so proud, and it will share some or all -- and we can get into that in a little bit -- of that information along with that signature to say, okay, here's the information that I have.

[00:13:48] It is trustworthy because it has been signed, and the verifier can therefore accept what it is without actually having to go back to the issuer itself and say, Hey, I got this information [00:14:00] about Lola, is this accurate? Doesn't do that and that way the issuer doesn't get to track how you've used that credential or with who.

[00:14:11] Lola: That is really interesting. That's kind of thrown a spanner in the works for me because I didn't realize that's how it worked. I thought that the entity that wants to verify goes to the issuer and says to the issuer, did you issue this credential? And is this credential valid or whatever? And then the issuer goes back to the entity that wants to verify and says yes or no. So you are saying that we go to the holder?

[00:14:38] Heather: It's requesting that credential from the holder, from the wallet. Do a lot of the checks that way.

[00:14:46] Lola: So is it possible for the issuer and the holder to be the same entity?

[00:14:49] Heather: Maybe technically, but that's generally not how the architecture is set up. If you're talking about a person, then you have been issued the [00:15:00] thing.

[00:15:00] Lola: So for instance, the UK government

[00:15:04] Heather: Mm-hmm.

[00:15:06] Lola: let's say in some time in the future will be able to issue digital passports, for instance. Right? And so they are the issuer of the digital passport.

[00:15:16] Heather: Right,

[00:15:17] Lola: And I am just the entity that receives the digital passport. I want to, I don't know, use a service that requires my ID, and they ask for any number of IDs including a digital passport.

[00:15:34] And so I give them my digital passport and they go to the holder. Now, is it possible for them to, is it, lemme figure out the question.

[00:15:51] Heather: So basically the, if, if the government has issued the passport has issued additional [00:16:00] passport into a wallet, can the government then track how you've used that?

[00:16:04] Lola: Yeah.

[00:16:05] Heather: If they're, if they're going by actual agreed upon standards, then no, that's not how it's supposed to work. They're not supposed to be able to track that. Now, if they've issued their very own wallet and it's not actually complying with standards, I mean, if you're not complying with standards, I presumably can do sort of any number of things, but wow you're kind of in trouble with, with the rest of the world?

[00:16:33] Lola: So assuming the issuer who, whether it's government or private company or, or whoever is following the standards, they shouldn't be able to build a profile on you based on the activity of the credential that's been issued to you.

[00:16:46] Heather: The issuer should not be able to track how you used it,

[00:16:51] Lola: Mm.

[00:16:51] Heather: The verifier, technically could start building a database of [00:17:00] maybe if you go back and you keep answering with a different credential, could it do something with that? Yeah, probably. It probably could and that is, that is definitely one of the privacy concerns that gets talked about as we build our specification. Is it possible, for example, for sites to collude on information because you may have done this kind of verification through site A, but site A has a relationship with Site B and maybe they start sharing information between them about who's, who's authenticated with what information.

[00:17:31] It is possible, but it also can break some interesting privacy and data protection laws if they do that without permission.

[00:17:41] Lola: Cool. We'll get onto the privacy bit in a second. Before we do, I kind of wanted to delve a bit more into this relationship between policy and standards and like government and standards, right? So we've just mentioned that an issuer of a verified credential shouldn't be able to build [00:18:00] a profile on you in any way.

[00:18:01] But you said something very pertinent, which was that if a government decides not to follow the standards, then there's a any, they can do anything they want 'cause they're not following the standards, right. And so where does the responsibility lie for these kind of like more nuanced things? The standard has said it doesn't allow these things, but does there need to be legislation as well to back that up? Is it enough for the standard alone, you know?

[00:18:30] Heather: So it's a really interesting question about whether standard should set policy or should the policy define the standard? It's almost a chicken and egg problem, and it's one that I get to see play out regularly in, for example, some of the working group discussions. More to the point, the discussions about why aren't more organizations participating in the standards process at all.

[00:18:56] Lola: Mm.

[00:18:57] Heather: They're not, because when it [00:19:00] comes down to it, if you don't follow the standard what happens?

[00:19:08] Lola: Right.

[00:19:10] Heather: Nothing. I mean, there's no, there's no consequence. I mean, things might not work as well. You might get some bad press, but ultimately nothing's going to happen. Whereas if you don't follow the law, you're getting into really big trouble. And there are fines, there's jail terms, there's, I mean there's much more consequence of not following regulation. Now in most modern societies, they, the regulators do often refer back to, you need to be compliant with the standards because the standards have gone through some really interesting process to ensure privacy preservation or security models or things like that. But it's not always completely aligned, right?

[00:19:53] For the longest time, for the first 45 years of the thing that is now [00:20:00] the internet, right? Technology was far, far, far ahead and regulation didn't even know to talk about this stuff,

[00:20:08] Lola: Right.

[00:20:08] Heather: So what was technically possible was leading the way. What we're seeing now is an interesting change in that regulation is kind of catching up and is now starting to even in some cases, get ahead to say okay, it's not technically possible yet, but this is, this is what we're going to require. And feeding that into the standards process to say you have, you know, as you're working on this, you have to, you know, we maybe, we, maybe they won't say, you have to comply with this, but it's gonna tell all the companies participating, build whatever standard you want, it's gonna have to comply with this.

[00:20:45] Lola: Yeah. Yeah. What has the engagement been in terms of government activity when it comes to verifiable credentials? Because we're seeing things, for instance, although this isn't verifiable credentials, proper noun, this is just

[00:20:59] Heather: [00:21:00] in general

[00:21:00] Lola: lowercase. Yeah, in general. We're seeing things like, you know, digital driver's license come into practice. I know the EU wants to have their own kind of like EU digital identity type situation. And so from your observation, how have governments engaged with verifiable credentials, lowercase.

[00:21:22] Heather: Well, that's a, that's actually currently a fascinating topic of conversation and one that keeps me awake at night a little bit because in the US, states have made one of four choices. They've either chosen not to have mobile driver's licenses, or at least not yet, they've decided to write their own wallet to hold their mobile driver's license credentials.

[00:21:44] They're using Google or they're using Apple?

[00:21:46] Lola: Mm-hmm. Not very interoperable.

[00:21:51] Heather: Sometimes yes, sometimes no. I mean, the good thing about a mobile driver's license is a mobile driver's license is, I don't think there's any [00:22:00] scenario where it's not using an ISO specification.

[00:22:04] Lola: Mm-hmm.

[00:22:04] Heather: 180-13 I think is the number.

[00:22:07] Lola: Mm-hmm.

[00:22:08] Heather: Great. That actually makes life a little bit easier. Now let's look at the EU. The EU does have the regulation of we are going to have digital wallets for all, but how that's actually implemented from one member state to the next, all that's all that they're being required is that they have one.

[00:22:26] Lola: Right,

[00:22:27] Heather: But how they do it is their choice. And some of them are choosing to go down a route that says we are happy with using, you know, ISO specifications.

[00:22:38] Some are actually looking more towards the OpenID Foundation's specs that are, are in progress. And in, even in additional cases, we have an interesting challenge where there have been people who said, okay, well we see that the W3C is working on this too, is working on a component that would allow this ecosystem to function. [00:23:00]

[00:23:00] Lola: Mm.

[00:23:00] Heather: Except, you know, we don't really trust the W3C. In fact, we don't trust any of the open standards organizations because they're US-based and primarily resourced by those companies that have money to dedicate to standards, which would be big tech, are US-based. And no one wants to trust the US right now.

[00:23:20] So what do they do?

[00:23:22] Lola: Yeah.

[00:23:23] Heather: And literally that is a debate that's playing out this very second. Of, of some people saying we would rather a less good technical solution if it keeps us away from, from big tech and those things contaminated with them

[00:23:40] Lola: Yeah,

[00:23:41] That's, that is something that I've been thinking about, thinking about researching this episode. And just kind of like the situation in the US at the moment, which is, yes like most country, most citizens of most countries do not trust their government. But I think [00:24:00] there's a level of hostility that's happening in the US that is atypical, at least in the 21st century for western countries right. And so how does that then affect things like verifiable credentials where for the average person engaging with it, it is really about, you know your identity, you are engaging it with it through a driver's license for the most part so far. And that is a, you know, a serious identifier.

[00:24:29] Like if you lose your driver's license, it's a big deal. And if your driver's license gets stolen, also a big deal, right? And so in a, in a situation where the state is antagonistic to its citizens, does that impact how these things can be abused? At the moment, it seems like, no, because of how the standards is written, but if it means that there's less interoperability because companies and governments outside of the US [00:25:00] don't wanna engage because it's US-funded, I think that there's a potential there for things to be worse off for the average person, you know?

[00:25:09] Heather: It does become complicated and where you see the impact is in whether it is, like, whether it will be used or not. There's absolutely no reason that the average person should have any understanding as to how digital wallets work.

[00:25:26] Lola: Yeah,

[00:25:27] Heather: They shouldn't have to know, but if they do know that, well, my government issued this, I do not trust my government. I don't know how this works. I'm only going to use this when I absolutely have to.

[00:25:39] Lola: Mm

[00:25:41] Heather: And so the, the adoption becomes the challenge. You can deploy it as far as you want and you can even mandate its use, but people will find creative ways to not use it. I think is, is the big risk.

[00:25:58] Lola: Yeah.

[00:25:58] Heather: And it's unfortunate because [00:26:00] if you think about it, right, the reason digital identity, services exist as opposed to, you know, my old, I have a plastic driver's license,

[00:26:09] Lola: Same.

[00:26:09] Heather: The whole point of going the verifiable credential route is to have something better, something that you can actually say rather than handing it to the bouncer at your favorite club, who can then see your home address, can see what your signature looks, can see so much about you, you can just simply scan something and say, yep, I'm of age to be here.

[00:26:32] Lola: Yeah.

[00:26:33] Heather: It's so, it's so much more privacy preserving in its own way to be able to use it. But if you'd rather trust the bouncer at the club than your government, why, why would you even bother with your digital credential, you know?

[00:26:49] Lola: That brings up an interesting point though, because in terms of the privacy aspects of it, so does that mean [00:27:00] then that verifiable credentials, digital credentials are harder to have fakes of

[00:27:07] Heather: Yes,

[00:27:08] Lola: than like a physical credential?

[00:27:11] Heather: Absolutely.

[00:27:12] Lola: Right.

[00:27:14] Heather: If deployed and used properly and all the other ifs people have complied with the standards and everything, then suddenly things like -- we're gonna touch on payments for a minute -- the fraud risk of does this actually belong to the person? Are they actually, you know, who we want them to be? Does this card belong to them? Fraud risks go down a lot.

[00:27:35] Lola: And what other kind of privacy considerations are being talked about as these things are being developed?

[00:27:43] Heather: Well, you've got the collusion, right? How likely is it that organizations would be able to collect enough information to build a profile about you? Usually on the verifier side. There's the, you know, have we made sure that nothing gets back to the issuer that [00:28:00] shouldn't? They shouldn't be able to see who you're using this stuff with.

[00:28:04] Lola: With?

[00:28:04] Heather: Right. There's the question of, okay, well your, your digital ID is going to live somewhere. It might be your phone, it might be your computer, it might be your, you know, some device. It's gonna live in some device. Can you trust the operating system that that device is on? Can you trust the browser that it's going through? What about the app? You know, there's, there's any levels of existence that this thing has, that we have to think about. Is this okay?

[00:28:32] Lola: I've been reviewing a bunch of different privacy web stuff recently and trust, you know, does feature there too, but in a completely different way here with speaking about trusting so many different actors, not just the browser, you know, or not just the company who made the browser and, and their potential relationships.

[00:28:53] And so do you foresee there having to be [00:29:00] like science communication about this to not just the average person who doesn't need to know anything about verifiable credentials, but also to implementers as well in terms of, most people do not read the spec. If, if we're gonna be, you know, most people do not go and read the specification or the standard. And so do you foresee there having to be like a middle lane communication of like this pros and cons, do's and don'ts, this is how to use this thing, these are the laws you're breaking if you use this thing in the wrong way.

[00:29:35] Heather: So I'm, I'm gonna date myself a little bit further as if I hadn't done that already earlier on this chat. So my degree is in library science,

[00:29:43] Lola: Yeah.

[00:29:44] Heather: I was supposed to be a librarian when I grew up, and my master's paper was to look at FAQs specifically when used by Usenet news groups a long time ago.

[00:29:56] And my question was, if you have an FAQ, do [00:30:00] people's behaviors change in the news group? More flame, less flame, more spam, less spam. 30,000 news group postings later, the answer was no.

[00:30:11] Lola: Oh wow.

[00:30:12] Heather: Doesn't change at all. So fast forward to today, if we had that middle layer between the spec, because no one reads the spec, well, would they read this?

[00:30:22] Lola: Right,

[00:30:23] Heather: No, not, not your average user. Your developer will have developer documentation and that's absolutely critical to have, certainly, but something that would help people understand what's going on. Honestly, they don't wanna know.

[00:30:38] Lola: Mm.

[00:30:39] Heather: They just want the thing.

[00:30:40] They got enough to worry about from day to day.

[00:30:43] Lola: Yeah, I mean like the, I definitely don't expect the average user

[00:30:46] Heather: Mm-hmm.

[00:30:47] Lola: read anything. Like I think of, I think about myself sometimes when I think about the average user, even though I'm not the average user and I'm very much in the, in the standards world and stuff, but when I'm outside of my [00:31:00] jurisdiction, I, I'm not getting into the weeds about anything, right? Like I just want my things to work how they're supposed to work. And at most, I'll read the support documentation. At most, I'll read the instructions for putting the thing together or making the thing work, right? But I mean, in terms of developers, right?

[00:31:19] So when, even when we talk about developer documentation, a lot of web technologies that developers care about are front end, right? And so that's where documentation platforms like MDN come into play, where it's like not entirely front end, there are definitely web APIs documented on web, on MDN, but it really is like HTML, CSS, JavaScript. The documentation on, for example, WebRTC, which is a lot more behind the scenes, not, it's not the same as the documentation on like CSS. And so when we're talking about verifiable credentials, what does the [00:32:00] documentation for that even look like when explaining to a developer like that? I feel like the implications of doing something wrong in verifiable credentials is much higher than like have using the wrong HTML tag, you know?

[00:32:16] How do you communicate that to developers? How do you communicate that to people who will be implementing this stuff?

[00:32:21] Heather: Yeah, it's a, it's a perpetual challenge, especially since this place this space is churning so much right now.

[00:32:27]Lola: Yeah.

[00:32:28] Heather: As soon as you write documentation it, it may be out of date. It may not be quite accurate. It also doesn't help that some of the things that it might refer to like, okay, this needs to comply with the MDOC format. How do you get the MDOC format? Well, you pay ISO.

[00:32:44]Lola: pay.

[00:32:45] Heather: You have to pay ISO. Now, if you are a government entity, then you probably get it for free because that's, that's just how ISO works. If you are a regular developer for a commercial entity, then you probably have to pay.

[00:32:59]Lola: [00:33:00] Hmm.

[00:33:00] Heather: Your government may or may not make it freely available if it's mandated by law. Different countries vary on this one, but at the end of the day, it's not easy to get to, not like some of the open specifications and yet the open specifications that we care so much about, the W3C does have this now as a standard, but the OpenID for Verifiable Presentations, which fits at a slightly different layer and is, and is kind of important to how do you get the credential to and from where the issuer to the verifier, how do, how do you transport this thing around?

[00:33:35]Lola: Mm.

[00:33:35] Heather: It's not actually a standard yet it's still a draft. I mean, it's a draft that's pretty darn far along,

[00:33:41] Don't get me wrong, and they, and they wanna get it published actually formally as a standard this year.

[00:33:46]Lola: Yeah.

[00:33:47] Heather: But it's not there yet.

[00:33:48]Lola: Yeah.

[00:33:49] Heather: What do you, what do you even write?

[00:33:52]Lola: Mm

[00:33:52] Heather: Another interesting point and this is something that comes up when I'm, when I'm reviewing specifications you use the word [00:34:00] trust.

[00:34:00]Lola: mm

[00:34:02] Heather: Trust needs to have a descriptor. What kind of trust are you talking about? Are you talking about the trust that comes with a societal agreement? Are you talking about the trust that comes with a contract, a legal document?

[00:34:17] Are you talking about trust that can be technically verified, like a cryptographic trust? What kind of trust are, you know, and if you're talking about all of them, that's fine, but if you're talking about some of them, you actually need to specify what, what trust are you talking about? Because it may be cryptographically verifiable trust, super easy.

[00:34:39] That doesn't make it. That doesn't actually pass the bar for, well, yes, but to society then trust it.

[00:34:44]Lola: That's really fascinating because in the UK we're pretty much cashless, especially post COVID, most people use just their, either their bank cards or their phones to pay for stuff. My partner doesn't [00:35:00] walk around with his cards anymore he just walks around with his phone. I think it's, I think it's wild, I think living like that is too close to the edge. I still walk around with my cards but you know when that transition was starting to happen, I remember thinking like, this is a bit too much, this is a bit too far, I think we still need cash.

[00:35:19] And I say this now and I mean, I have a few points, like if someone came into my home right now, they wouldn't be able to steal any money. And so I think payments was definitely the gateway for the societal trust, at least in the UK for things to kind of shift to be more comfortable with using digital things to do things that you need to do.

[00:35:44] Heather: It is, it is definitely a shift to being more comfortable but, think about it for just a second so you've got a payment thing and you've got it in a wallet on your phone.

[00:35:53]Lola: Yeah.

[00:35:54] Heather: Click your phone twice, you scan it, you're done. It's very rare that someone actually flips through and goes I want to use a particular card, you're probably gonna use [00:36:00] the first default one that you have. When you put in identity related information there, though, suddenly you have choices to make and you know, that's, that's what scares me a little bit of, okay, you have choices to make. Do you know how to make those choices that will best protect you? Or are you just gonna go with the default? What's the first thing so I can scan and go?

[00:36:19]Lola: Speaking to the general public about privacy is really, really hard. Even when I speak to, like my mom about why she shouldn't post certain things on Facebook, I have to remind her that you know I work in tech, right? I'm not just, I'm not just parroting things I've heard on YouTube or whatever, this is informed. And even then it's like, well, if they know all this stuff about me, I'm not hiding anything, who cares? There's that kind of thing. But I think what's happening in the US right now actually is a big challenge to that, right? Like you don't have to have anything to hide for your information, your personal information to be used against you. And we're not even talking about [00:37:00] like personal information that should be private. We are just talking about like tweets or blog posts or, you know, saying things on a podcast and how that can be used against you.

[00:37:12] Heather: Yeah.

[00:37:13]Lola: And so I do wonder about trying to not make the public paranoid when it comes to this stuff, but at the same time informing and, you know, having a citizenship that is informed about technology. It's really, really difficult.

[00:37:30] Heather: It is. Many years ago, many years ago at this point, there was an RFC published out of the Internet Engineering Task Force, it was actually published in 2013.

[00:37:40] And the title was "Pervasive Monitoring Is an Attack" and the response to, okay, if everything is being monitored and it's not encrypted, then even though you aren't doing something scary or something, you, you don't care whether people see about other people.

[00:37:59] Maybe they [00:38:00] live under a government regime where they will get, you know, seriously in trouble if they post it. That kind of monitoring is an attack on just the whole concept of an open and trusted internet. And so the the recommendation coming outta that particular RFC was encrypt everything,

[00:38:18]Lola: Hmm.

[00:38:18] Heather: not because everything is worthy of being hidden. Because if you only encrypt what's worthy of being hidden, then you've highlighted those things that you should go after. Right? So, you know, that's, that's almost a way to, to make an argument to the general public is you may, you may feel that you don't have anything to protect, but your neighbors might.

[00:38:37]Lola: Yeah.

[00:38:37] Heather: And it might not be bad things, you know, it might be that they haven't outed themselves. Or you know, it in a way it doesn't even matter what.

[00:38:47]Lola: What it is, yeah, it's just something that they wanna protect still.

[00:38:52] Heather: Or they've, they've got a, they've got a stalker and they don't want that stalker to be able to follow them. Or they've got a, a helicopter parent [00:39:00] that just won't let them, won't let them go, or, you know, it could be any number of things and it's, it's up to those who don't care to help protect society as a whole.

[00:39:13]Lola: Those who may not be a target of anything like that to kind of do the work.

[00:39:20] Cool. So we are gonna take a break right there. Thank you so much, Heather. We'll be right back after this break.

[00:39:28] I hope you've been enjoying this episode so far. Just to let you know, you can leave a review for this episode on your favorite podcasting platform, and please don't forget to share and like across social networks and tell people. Tell a friend to tell a friend. Now back to the episode.

[00:39:47] We're back and we are back with our game, Patch Notes from the Future. Just to remind folks at home what this is, this is a game where I ask my guest three questions.

[00:39:59] The first [00:40:00] is one browser feature or web API that you'd bring back from the past. The second is one current feature that you wish never existed. Or that you would change. And the third is an invented feature, which can be real or absurd that you'd create if you could. So Heather, for you, one browser feature or web API that you bring back from the past.

[00:40:23] Heather: You know, this one really made me smile a lot because I just posted on LinkedIn last week a comment out of a workshop I attended at MIT where someone said there is no failed innovation. It's just not yet. Right.

[00:40:38]Lola: Right?

[00:40:39] Heather: It just might not be time for it. And, and the thing that I wish, could come back from the past or, you know, we're, we're finding other ways to do it now, but which was ahead of its time.

[00:40:49] We'll say it that way. It was probably the Mozilla personas,

[00:40:52]Lola: Okay.

[00:40:53] Heather: The ability for someone to establish the, okay in this browser session, this [00:41:00] is the, this is what I am and who I am and all this other stuff. And, you know, you were able to really differentiate the different personas that you would be using in any, in any given moment.

[00:41:12] It didn't really take off. People didn't really see the utility, and yet that's a lot of what we're working on today with some of the other standards in use, like the Federated Credential Management API and some of the wallet stuff, I think is gonna, it's gonna have a lot of flavors of those old personas.

[00:41:30]Lola: Yeah.

[00:41:30] Heather: I kind of wish, I kind of wish we had had those persona, we, we'd followed that path

[00:41:35]Lola: And they stuck around. Cool. What is one current feature that you wish never existed or that you would change?

[00:41:44] Heather: Okay. So this one, do you remember back in the day when you used to be able to say, I really want to not be tracked, and therefore I'll just shut my browser down. I'll just shut my browser down at [00:42:00] night that will clear out everything.

[00:42:02]Lola: yeah, yeah,

[00:42:03] Heather: Yeah, that doesn't work anymore. Not really. Not really. so

[00:42:06] many things.

[00:42:07]Lola: in and actually like manually clear out your cookies

[00:42:10] Heather: Exactly. Exactly. And you know the things where, when help desks have been debugging to say, oh, just you just close your browser and come back and that will reset your state in such a way. Now can you go into your browser settings and flip all the bits to try and make that work every time? Yes. And I do know some people who have done that, but for the mo, for most people, for

[00:42:32] most

[00:42:32] users,

[00:42:33]Lola: doing that.

[00:42:34] Heather: They're not doing that.

[00:42:34] They probably don't even know that they could. Because it's so, oh, it's so convenient. Look, they can just log right back in where they were. I'm like,

[00:42:41] you know,

[00:42:41]Lola: Yeah.

[00:42:42] Heather: I'd really like that not to be a thing.

[00:42:45]Lola: Yeah, I know that in so this is gonna age me in primary school

[00:42:52] Heather: Mm-hmm.

[00:42:52]Lola: is when e is when we got email. But I was in like year five and like email's a big thing. [00:43:00] It was like, email is so amazing. Like you can send messages that delivered instantly. Wow. And I think we had like a class email address and we were all very excited about it.

[00:43:10] Fast forward a few years to secondary school. I, so just for context after year five, I, I went to school in Nigeria for a few years and then I came back to the UK and finished my schooling in the UK. In Nigeria, not that we didn't use the web or, or the internet in Nigeria we did, but not to the extent that we did here in the UK. And so my school in Nigeria was a private school, but we didn't have like, a computer lab in the same way and so when I came to school here and we had like computers on computers on computers and the school, and the school I went to was very working class school as well.

[00:43:48] Like it was vastly different from the private school I went to in Nigeria. And so when you unleash the web, you learn tricks, right? You learn things. You learn how to hide from the teachers; you're [00:44:00] in ICT class, you're supposed to have a Microsoft Word open, but you've got the browser open and you know that if you close the browser, it's fine.

[00:44:10] 'cause even if you are on it, the teacher's not gonna know what you were doing on it because everything is flushed out, right? Everything is gone. I think at the time you could you could say you want your history and everything to remain.

[00:44:23] Heather: Mm-hmm.

[00:44:24]Lola: I do wish that was the case still, but I'm, I'm not gonna lie, like I do benefit from that not being the case.

[00:44:32] I do benefit when I like go to bed and I know I can come back and everything is as I left it and I don't have to try and like remember what I was doing or what was going on.

[00:44:44] Heather: Yep. Convenience, security.

[00:44:48]Lola: It's always a tossup, right? That's how you get buy-in from regular people. You know, you make their lives seemingly easier and it's gonna be really difficult to take it away. [00:45:00]

[00:45:00] Heather: Yeah. Yeah.

[00:45:02]Lola: Lovely. So the third question is an invented feature, real or absurd that you create if you could.

[00:45:11] Heather: You know, there's a, a document series that holds most of the critical standards that we use today on the internet and the web called the RFC Series.

[00:45:21]Lola: Hmm.

[00:45:21] Heather: On April 1st, April Fool's Day, they often but not always publish a joke, a joke RFC that isn't real, and it's things like the coffee pot protocol to actually have, you know, things that look like HTTP warnings and whatnot; a full coffee pot, empty, empty coffee pot, or the IP over carrier pigeon, that's a pretty famous one. My personal favorite is RFC 6919, which is, is the additions to requirements language. Everybody knows about MUST, and SHOULD and MAY, yes. But this is SHOULD, [00:46:00] BUT WE KNOW YOU WON'T, WOULD REALLY LIKE TO, IS KIND OF A GOOD IDEA, you know? Really snarky and it is my favorite. So when you ask me this one, I'm like, oh, so what you're saying is think of an April 1st, RFC. Hmm. So I'm thinking just to, to give people what they ask for and make them hate it, right? Is I think there should be something like a User Intent API, so that when the user is doing something, the browser would turn around and say, okay, wait, wait, are you trying to log in? Or are you trying to create an account. Are you just curious as to what's here? Or have you just given up on the web entirely? We'll change your user experience depending on, you know, what, what you're intending for this moment.

[00:46:43]Lola: Yeah. Cool. Yeah, that would get annoying.

[00:46:48] Heather: Oh, yes. And yet, think about it that's what people do, they go to a website and they're like, well, this is too hard to use. Why? Why hasn't it read my mind? It should be intuitive. Well [00:47:00] it, it's trying to solve for 7 billion people, how intuitive do you think it can be? So yeah, we'll make it intuitive, but first give it some hints.

[00:47:10]Lola: Yeah. Give a bit of direction. Yeah.

[00:47:13] Heather: Yeah. They would hate that so much.

[00:47:16]Lola: Yeah. Well, thank you so much, Heather, for joining me today. On What the Spec. Where can the people find you? How can the people support you?

[00:47:25] Heather: Oh, well, the easiest thing to do is probably just to follow me on LinkedIn 'cause that's where I post my thoughtful questions and whatnot. If you'd like a little bit more in the way of cat photos then following me on BlueSky 'cause that's where I tend to post those. And if you just want to keep up with my blog, 'cause I do try and post something new and interesting every week, the website, sphericalcowconsulting.com. And I hope, I hope people would find it interesting. Tomorrow's, tomorrow's blog post is about introspection and whether introspection is a bug or a feature.

[00:47:55]Lola: Nice. Just to let you know, this is going out probably in July, [00:48:00] so tomorrow is going to be a, it would've been a while ago.

[00:48:05] Heather: Back in the day, just start scrolling through it. You will find something that might interest you.

[00:48:12]Lola: Lovely. Thank you so much, Heather. All of that will be in the show notes below. As I mentioned please do go and read Heather's blog, Spherical Cow Consulting and if you need consulting in especially the digital identity space she is the person, like she really is the person, so you'd be lucky to, you know, grab some time with her.

[00:48:36] If you've got inquiries and whatnot. Thank you again, Heather.

💷 Please Consider Donating 💷

I need funding to continue my web platform and standards work, if you liked what you read or want to support me financially, please consider donating to my Open Collective.