Digital identity can be difficult for organizations to get right. Recently, Indicio hosted a Meetup with academic and digital identity expert Phil Windley, author of the recently published “Learning Digital Identity,” to talk about the basics of digital identity and some of the pitfalls companies and individuals can run into.

By Tim Spring

One of the leading thinkers in digital identity, Phil Windley brings a wealth of experience in industry and academia, and is the co-founder and organizer of the Internet Identity Workshop, one of the world’s most influential and long-lived identity conferences.

While his new book, “Learning Digital Identity,” is mostly geared toward a business and technical audience, it is replete with important insights for how we all should think about digital identity, namely:

1) Everything we currently experience with digital identity is so much worse than it has to be: it’s less convenient than it could be and it’s less secure — and often the security involved requires tedious repetition.

2) At the same time, creating better digital identity is a lot harder than it looks. As Windley notes, people are constantly popping up with the “answer” — usually a universal identifier tied to a biometric — which just ties a digital signature to a physical body. This is bad: “Universal identifiers are a 20th century tech that we have no business bringing into the 21st,” he says, “there are just too many privacy and other issues with them.”

3) We shouldn’t just “leave it to the experts.” There’s complexity and nuance in how digital identity is accomplished; if something is representing you, you should know on some level how it works.

When getting into the more technical topics, Windley breaks governance  — basically the rules that dictate how an identity system works — down further into two categories, confidence, and trust.

The difference between trust and confidence

Windley describes trust as a place where we are vulnerable, we’ve put ourselves at risk, we’re depending on the actions of someone else for the right outcome to occur. For example, looking at someone’s ID as they pass a checkpoint is to trust that the papers are genuine and contain correct information, and have been issued by the appropriate authorities using established identity assurance procedures.

Confidence on the other hand is knowing (or having a high degree of certainty) that something will happen. Within digital identity, cryptography should be understood as confidence. It

can tell us that a digital credential was issued to the person presenting it and has not been revoked or tampered with.

Cryptographic confidence can’t tell us whether or not the entity issuing the credential is  trustworthy or whether the attributes the credential  contains have anything to do with the individual presenting it. These factors require human governance to ensure trust.

In other words, effective digital identity depends on combining  trust and confidence and this requires appropriate governance. What constitutes appropriate governance? There cannot be a one-size fits all framework for digital identity given the multiplicity of use cases, jurisdictions, and competing needs from different governance authorities. The governance required for a grocery store loyalty program will require fewer rules than the governance necessary for large financial transactions.

Governance is an intense topic of community discussion and Indicio is currently contributing to the creation of a specification for Decentralized Ecosystem Governance (DEGov) at the Decentralized Identity Foundation. DEGov is a way to manage trusted issuers of digital identity credentials and complex information flows across differing ecosystems and jurisdictions through easy-to-implement machine-readable governance files.

If you want to hear more on this topic from Phil Windleywe highly recommend the recent Indicio Meetup Recording.

If you want to learn more about DEGov you can see how it works, and view a demo of the Indicio solution, the Governance Editor.

If you have specific questions about digital identity systems you can reach out to our team of experts here.