
Getting the Digital Trust Right

by Timo Hotti, Principal Technology Strategist, OP Financial Group


This is the first part in a trilogy of articles by OP Lab on Digital Trust, Digital Money and Digital Business Transactions. What is trust all about in the context of identity? What have been the different ways to establish trust in transactions? And, most importantly – how can we bring identity and trust to the digital era?

All interaction between persons, both natural and legal, requires some degree of trust. Because people are known to have interacted for thousands of years, it is very safe to assume that trust existed before computers. “Analog trust” has existed thousands of years longer than “digital trust”. Therefore, it is probably a good idea to spend some time trying to understand what trust in general is, how it is established and maintained, and where it is needed.

When a person is born (or a legal person established), the person starts with very little trust. Essentially, society gives the person a unique identifier that is associated with the name and some other means of identification of the person. This connects the new identity to its surrounding society.

For the person to interact with the surrounding society, something else is also needed. During the life of the person, trust accumulates on the person in the form of assets and properties that are created as the result of the trust-requiring interactions in which the person has been a participant. The person must be able to use the accumulated trust to participate in new interactions that further contribute to the trust.

How does this trust building mechanism actually work?

It seems that trust has three different functional components that need to be mutually compatible.

1. Identification – Who am I? How can I prove that I’m the person I claim to be?
2. Proof presentation – What facts about myself do I have in my possession? How can the recipient of a fact presented by me trust the authenticity of the fact?
3. Issuance verification – How did I get those facts? How can I prove that the facts in my possession have been produced by legitimate interactions?

Let’s see how those three components have been implemented in different “incarnations” of trust.


The age of Analog Trust

In the age of “analog trust”, i.e., the age before computers, the three components were implemented in the following manner.

For identification purposes, persons were issued an ID document by the society, typically represented by the state government. That ID document is requested in various interactions when the identity of the person needs to be known and the person is not otherwise known to the other parties of the interaction. These ID documents are still widely in use. They are practically the only means of “strong identification” of a person today.

When a person, legal or natural, participates in an interaction, he/she/it often needs to present a fact about him/her/itself to another party of the interaction. This is what proof presentation is about. In the analog world, the proofs are typically written documents that have been signed by a third party. Trust in these documents is strongly enforced by the legal system of the society by making the forgery of the documents and their signatures heavily punishable.

The written document that is signed by a third party is not sufficient alone for establishing trust. The issuance process of the document must be universally verifiable and hence trusted. For example, a credential signed by a bank stating that I’m a customer of the bank is not enough. The recipient of the proof must be able to trust that the bank, before issuing the credential to me, has performed all the steps that are required for me to become the bank’s customer. In some cases, this trust is established by regulation. Banks are closely monitored to ensure that they follow “Know your customer” processes when accepting new customers. In most cases, however, trust in issuance is established by following the interaction rules that are well known for the type of interaction. Trade transactions are typical such interactions with well-known rules. The buyer can keep the goods if the seller gets the money. The buyer is entitled to obtain a receipt signed by the seller. The receipt is a proof-of-purchase that is recognized by law. If there is ever doubt about what happened in the interaction, either party can take the case to a court of law, which decides what actually happened.

The “analog trust” system has been proven over centuries to be a reasonably well-functioning system. It is reliable, but it can also be somewhat heavy to maintain. Moving signed documents around introduces friction in the interactions. The friction costs money. In some cases, we are talking about lots of money. There’s a good incentive to make that friction go away. That is what computers should be good at. The results so far have not been as good as one might wish.

What is Digital Trust?

Finding a proper and concise definition for digital trust has been quite hard. Not anymore! The following definition has been generated by my new friend(?), the AI Bot (chat.openai.com):

“What is digital trust?
Digital trust is the confidence and belief that individuals and organizations have in the security, reliability, and integrity of digital systems, networks, and interactions. Digital trust is essential for enabling digital transactions and interactions and is based on factors such as the security and reliability of digital technologies, the trustworthiness of digital actors and institutions, and the transparency and accountability of digital processes.
Digital trust is increasingly important as more and more aspects of our lives and economy are digitized, and as we rely on digital technologies and networks for communication, commerce, and social interactions. Digital trust is also essential for enabling trust in the digital economy and is a key factor in enabling the growth and development of digital markets, platforms, and services.
Overall, digital trust is the foundation for enabling trust and confidence in the digital world and is essential for enabling the growth and success of the digital economy.”

This definition is the best one I’ve come across over the years. It is also quite consistent with my description of analog trust. Let’s stick with it!

I’m claiming that we have so far taken either insufficient or even misdirected steps towards removing the friction and establishing proper digital trust. Let’s look at what those three missteps are, hoping that we can learn something from them.

Timo Hotti pitching innovation opportunities of Digital Identity and Trust for a jury during Innovation Week 2022.

The three missteps of digital trust

Misstep 1: Silo-based trust

Most computer systems today establish and maintain trust inside the system. The users are authenticated into the system using some means of authentication that is deemed sufficient for the system. The most typical authentication method is userid/password combination that is specific to the system.

Once the user has been admitted into the system, the “proof presentation” and “issuance verification” parts of the trust model are very simple. All data inside the system is trusted because it is maintained by the owner of the system. All actions of the system are also trusted for the same reason.

Silo-based trust works quite well, but it is strictly confined inside the silo. What happens in the silo, stays in the silo. The real world does not function that way. It should be possible to use the trust gained in some interaction somewhere else. If I get a receipt as evidence of a completed trade transaction, I should be able to use that receipt somewhere else as trusted evidence of a properly executed trade transaction.

Misstep 2: Blockchain-based trust

About a decade ago, blockchains were invented and shortly thereafter marketed as the holy grail of digital trust. Let’s see how the three components of trust have been implemented in blockchains.

To identify him/herself in an interaction that occurs in the blockchain, the person presents his/her public key to a node of the blockchain network. This sounds good and straightforward, but there’s one major problem: if you lose your keys, you lose everything you had in the blockchain. Even worse, if someone else gains access to your keys, whatever was yours in the blockchain is now his/hers. This principle is fundamentally incompatible with the existing legal system. Having the keys to something does not necessarily convey legal ownership of that something to the person.

In blockchains, the key holders are able to obtain tokens that they can use when they interact with other key holders of the blockchain. A token may represent ownership of something within the realm of the blockchain, for instance. The tokens are issued to the blockchain by a piece of public program code called a “smart contract”. The tokens are the trusted proofs that act as the key holder’s inputs in an interaction. They are trusted because the logic of their issuance is public and verifiable. Everyone can check the logic of the smart contract. Everyone can also check the transaction management process that finalized the execution of the smart contract logic.

Clearly, we seem to have invented something that takes trust from private silos into a public network. All three components of trust – identification, proof presentation and issuance verification – seem to have been addressed. What’s not to like here? Why is this a misstep?

The main problem is that blockchains are not compatible with the legal system of the real world. The keys are not properly bound to real-world identities, the “smart contracts” are not contracts in the legal sense of the word, and the “transactions” of the blockchain network not only lack a clear point of finality but also often lack a counterparty that is liable for the validity of the transaction. Furthermore, public blockchains assume that everything is fundamentally public. The real world starts from the principle of privacy. All interactions between real-world persons are private, unless the participants of the interaction decide otherwise.

Misstep 3: Governance-based trust built on self-sovereign identities

Self-sovereign identities are an idea that started gaining ground in earnest about half a decade ago. The self-sovereign identity of a person manifests itself as a wallet (or more generally, an identity agent) that is under the sole control of the person him/her/itself. A well-known primer on self-sovereign identity thinking is available at https://www.trustoverip.org .

When a person creates an identity agent for him/her/itself, that agent is bound to the real-world identity of the person. To establish the link between the agent and the person, the agent may e.g. receive an “anchor claim” from a trusted source, such as a national population register, as part of the agent creation process. The anchor claim contains at least one unique identifier associated with the person.

Once established, the agent can request and receive facts from other agents of the network and manage those facts in its vault. These facts are called verifiable claims. The agent is also capable of assembling proofs from the facts and presenting such a proof to another node in the network. Whoever receives the proof from the person can verify it using a standard verification mechanism provided by the network. Identities of the self-sovereign identity network can therefore communicate with each other using verifiable facts. This is something new and apparently very useful.

We now seem to have a solution that has at least the identification and proof presentation components of digital trust properly addressed. The identification mechanism that maps the agent to the real person seems robust. We have working code to prove that. Also, the proof presentation mechanism between the nodes of the network seems rock-solid. Lots of working code exists to prove this as well. It’s the issuance verification part where the TrustOverIP community consensus seems to have chosen the wrong direction.

The community consensus has mistaken governance as the primary source of trust for issuance verification!

Trusted issuance verification means that anyone in the network can trust that the fact (“verifiable claim”) issued to a person’s agent is the result of a proper transaction known to produce such facts. For example, how can the recipient of a proof that’s assembled from a verifiable claim representing a digital receipt trust that the receipt is an outcome of a legitimate trade transaction?

The self-sovereign identity community seems to have cut corners to solve this problem. The community is proposing that all issuers of claims such as digital receipts must be recorded in a “trust registry” that is owned and operated by a governing entity. You need to convince a third party of your legitimacy as an issuer of a claim! If you’re not in the trust registry, you’re not trusted as the seller party of a digital trade transaction, for example! Now that sounds quite dystopian to me.

In the real world, there are very few trust registries. Therefore, trust registries should not be needed in the digital realm as a primary source of trust, either. The whole idea of self-sovereign identity was to steer clear of centrally managed trust systems that easily devolve into dystopian systems.

There are two major problems with the public trust registries.

First of all, they are probably not legal. The law is quite clear here. Any person who is not under guardianship must be able to participate in any legal transaction. For example, anyone should have the right to sell an item owned by him/her/itself, and hence be able to issue a receipt. This principle must also apply in the digital world! Regulated businesses such as banking are an exception to this rule.

Secondly, such a public registry would require the person to become a public identity, i.e., to have a public permanent identifier. For example, every seller in every trade transaction would need such a permanent public identity. That’s not acceptable, or probably even legal. Persons, both natural and legal, must be able to participate in transactions without giving up their privacy, also in the digital realm.

So… we have now solved two out of three challenges separating us from proper digital trust. What should we do to solve the challenge of verifiable issuance without resorting to solutions that have insurmountable legal and privacy issues?

It seems apparent that proper trust requires that past interactions that occurred in the network are verifiable. It also seems apparent that the privacy of the persons in the network of trust must be maintained. How do we achieve issuance verifiability without breaking privacy?

My hypothesis is that we need to re-think the topology of the network of trust. The network of trust cannot be a network of private persons only. It must also be a network of public places providing verifiable interactions that occur between the private persons.

Let’s dig in…

Fourth time’s a charm?

Let’s assume that we have now solved the first two components – Identification and Proof Presentation – properly. We have a network where the identities are represented by agents that are properly bound to the real-world entities. Those agents can present to each other verifiable proofs about the facts (verifiable claims) they possess. How did those facts end up in the possession of the identities in a manner that can be regarded as verifiable issuance? How can we be sure that the fact we see is a product of a legitimate interaction?

By now we know that governance-based trust is not the way to go, as it is not legal, and it may even lead to dystopia.

A receipt obtained from a trade transaction continues to be a good example here. This time we just make it properly electronic.

A receipt proves that the buyer of an item specified in the receipt has paid a specified amount of money to the seller. If VAT is payable in the transaction, the VAT amount is also documented in the receipt. The receipt is created in an interaction between the buyer and the seller. In the analog world, the interaction occurs in a place where the buyer and the seller meet each other to perform a trade transaction. Both the buyer and the seller know how the trade transaction should be conducted in that place. In the transaction, the seller gives the goods to the buyer, the buyer gives money to the seller and finally, the seller gives the buyer the receipt that records the essential content of the transaction. The seller keeps a copy of the receipt for bookkeeping purposes. In some cases, there may also be a clerk present in the place, overseeing the execution of the transaction. The clerk may record what exactly happened in the transaction and share copies of that record with the participants of the transaction. The receipt obtained in this transaction may be used as an input for another transaction.

There’s no reason why the network of trust of the digital world could not function in a similar manner. There actually are very good reasons why it should function exactly the same way, only with digital facts and in a frictionless manner. The most significant reason for sticking with this principle is that the existing legislation, including contract law, supports the way the analog world works. Re-inventing legislation and centuries-old ways of human interaction just to transform a manual process into a digital one is not a good or even a realistic idea.

We already have agents reliably bound to the buyer and the seller. We also already know how to create a presentable proof from a fact issued to a person. We know from the example of the analog world that facts are issued to persons in public spaces as the result of some interaction whose logic and rules are universally known. Those public spaces are an essential part of the analog network of trust. The digital network of trust needs them as well. Because the communication in the digital network of trust happens between agents, those public spaces need to be represented in the network by agents too.

These “transaction spaces” resemble quite closely the identities representing the legal persons in the network. Just like a legal person is an identity that is owned and represented by some other identities, the transaction space is a construct having its own identity that is owned by another identity, which is responsible for the actions of the transaction space.

The transaction space, however, needs some additional capabilities compared to person identities. It needs to be able to advertise in a trustworthy manner what transactions are available in the space. For example, the transaction space must be able to communicate to other nodes in the network that it can and will execute a trade transaction in a specific manner. The transaction space must also be able to execute the advertised transaction logic in a verifiable manner. Furthermore, the transaction space must be able to accept new persons into a started transaction. For example, a trade transaction space must be able to accept the buyer into a transaction started by the seller.

Advertising the business logic of the transaction space may happen, e.g., using a verifiable claim that is signed by the owner person of the transaction space. The “verifiable business logic advertisement” claim should have at least the following elements:

- roles of the required participants of the transaction; e.g. a trade transaction has at least three required participant roles: the buyer, the seller and the buyer’s bank who moves the money
- input credentials required from the participants; these are required by the space to establish trust in the participants and to receive verifiable input information for the transaction
- logic executed using the input credentials; this includes the verification of the input credentials of the transaction
- output credentials issued to the participants by the transaction space

For this purpose, some new presentation format may be needed.

When the advertised business logic is executed by the transaction space, the agent running the space must create a verifiable transaction execution log that records the same details about the transaction that have been previously advertised by the space. Once the transaction is successfully completed, the transaction space signs the execution log of the transaction and sends copies of it to the participants of the transaction. If there is ever any dispute about what was actually done in the transaction, the signed copy of the transaction execution log can be used as a piece of evidence, e.g., in the discovery process of court proceedings, by any of the participants of the transaction.

Verifiable issuance delivered? I believe so!

The following figure further illustrates the proposed solution. It is about a prototype that was done in 2018 to demonstrate the power of the combination of digital transaction management and digital identity management. The transaction demonstrated was stock trading of a non-listed company.

Illustration of Case Jupiter in 2018. The experiment was about creating a platform for trading non-listed company shares. The project was a joint effort of OP Financial Group, Asiakastieto, TietoEvry and Nordea.

A stock trade is in principle a fairly simple transaction, but without the proper network of digital trust, its digital implementation has been very challenging.

Now that we have the network of trust available, things are fairly simple also in practice. All parties of the trade gather in the Transaction Space that contains the business logic of the trade transaction.

To enter the space, each participant presents to the transaction space the credentials that are required by the transaction space. For example, the buyer and seller must present their official identifier, such as a social security number. Also, the company whose shares are being traded must prove that it is the right company for the transaction.

The business logic, which according to the proposed solution is advertised to the network as verifiable claims, is fairly simple. The transaction space requests proofs and other inputs from the participants. For example, the buyer presents a signed offer to the transaction. The seller and the company accept that offer, also using signed credentials. The other participants, such as the tax authority, the regulator and the buyer’s bank, also approve the transaction on their own behalf using signed credentials.

Once the inputs are in the transaction space, it validates the inputs according to the advertised business logic and creates outputs for the participants in a single database transaction. The outputs contain, e.g., new verifiable credentials that prove that the buyer is now the holder of the stocks, that the seller has received the money, and that the tax authority is authorised to invoice the value transfer tax from the buyer. The credentials also include signed instructions for the bank to execute the funds transfer from buyer to seller.

Once the transaction is completed, the Transaction Space signs the transaction log and sends copies of it to the participants. Any of the participants can verify the transaction log against the advertised business logic of the space. A participant may also compare his/her/its copy of the log with the log of another participant. They should match.
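The advertisement elements listed earlier (roles, input credentials, logic, output credentials) and the signed execution log, instantiated for the share-trade flow just described, as an added illustration. This is not code from the article or from the Case Jupiter project: the space name `share-trade-space`, the credential types, the placeholder identifiers and the simplified role set (buyer, seller, company, bank; the tax authority and regulator are omitted) are assumptions, and signatures are a stand-in built from HMAC-SHA256 with per-agent secrets, where a real network would use public-key signatures over the same canonical bytes.

```python
"""Toy transaction space for a share trade (added illustration, not code from
the article or OP Lab): advertise business logic as a signed claim, validate
signed inputs, issue outputs plus a signed execution log, and let participants
verify the log. Signatures are a stand-in (HMAC-SHA256 with per-agent secrets);
a real network would use public-key signatures over the same canonical bytes."""
import hashlib
import hmac
import json

# Constructed demo secrets, one per agent (stand-in for each agent's key pair).
KEYS = {"space_owner": b"k-space", "buyer": b"k-buyer", "seller": b"k-seller",
        "company": b"k-company", "bank": b"k-bank"}

def canonical(obj) -> bytes:
    """Canonical JSON so every party hashes and signs identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()

def sign(signer: str, claim: dict) -> dict:
    sig = hmac.new(KEYS[signer], canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "signer": signer, "sig": sig}

def verify(signed: dict) -> bool:
    key = KEYS.get(signed.get("signer"), b"")
    expected = hmac.new(key, canonical(signed["claim"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

# The "verifiable business logic advertisement" signed by the space's owner.
# Space name, credential types and logic text are hypothetical.
ADVERT = sign("space_owner", {
    "space": "share-trade-space",
    "roles": ["buyer", "seller", "company", "bank"],
    "inputs": {"buyer": ["official_id", "offer"], "seller": ["official_id", "acceptance"],
               "company": ["registration", "acceptance"], "bank": ["approval"]},
    "logic": "every acceptance must match the offer's share count and price",
    "outputs": {"buyer": "share_holding", "seller": "payment_due",
                "bank": "transfer_instruction"},
})

def execute(advert: dict, inputs: list) -> dict:
    """Run the advertised logic; an input counts only if its signature is valid
    and the signer is the agent holding the role the credential claims."""
    spec, reasons, by_role = advert["claim"], [], {}
    for cred in inputs:
        role = cred["claim"].get("role")
        if not verify(cred) or cred["signer"] != role:
            reasons.append(f"invalid credential from {cred.get('signer')}")
            continue
        by_role.setdefault(role, {})[cred["claim"]["type"]] = cred["claim"]
    for role, types in spec["inputs"].items():
        for t in types:
            if t not in by_role.get(role, {}):
                reasons.append(f"missing {t} from {role}")
    outputs = {}
    if not reasons:
        offer = by_role["buyer"]["offer"]
        for role in ("seller", "company"):
            acc = by_role[role]["acceptance"]
            if (acc["shares"], acc["price"]) != (offer["shares"], offer["price"]):
                reasons.append(f"{role} acceptance does not match offer")
    if not reasons:
        amount = offer["shares"] * offer["price"]
        outputs = {"buyer": {"type": "share_holding", "shares": offer["shares"]},
                   "seller": {"type": "payment_due", "amount": amount},
                   "bank": {"type": "transfer_instruction", "from": "buyer",
                            "to": "seller", "amount": amount}}
    log = {"advert": digest(advert),  # binds the log to the advertised logic
           "inputs": sorted(digest(c) for c in inputs),
           "outputs": outputs,
           "status": "completed" if not reasons else "rejected",
           "reasons": reasons}
    return sign("space_owner", log)

def verify_log(signed_log: dict, advert: dict) -> bool:
    """Participant's check: genuine space signature, bound to the advertisement
    the participant was shown, and outputs for every advertised output role."""
    if not (verify(signed_log) and verify(advert)):
        return False
    log, spec = signed_log["claim"], advert["claim"]
    if log["advert"] != digest(advert):
        return False
    return log["status"] != "completed" or set(log["outputs"]) == set(spec["outputs"])

def copies_match(log_a: dict, log_b: dict) -> bool:
    """Two participants compare their copies of the log; they should match."""
    return canonical(log_a) == canonical(log_b)

def demo_inputs(bank_approves: bool = True) -> list:
    """Constructed participant credentials; identifiers are placeholders."""
    offer = {"shares": 100, "price": 12}
    creds = [sign("buyer", {"role": "buyer", "type": "official_id", "id": "BUYER-ID-PLACEHOLDER"}),
             sign("buyer", {"role": "buyer", "type": "offer", **offer}),
             sign("seller", {"role": "seller", "type": "official_id", "id": "SELLER-ID-PLACEHOLDER"}),
             sign("seller", {"role": "seller", "type": "acceptance", **offer}),
             sign("company", {"role": "company", "type": "registration", "id": "REG-NO-PLACEHOLDER"}),
             sign("company", {"role": "company", "type": "acceptance", **offer})]
    if bank_approves:
        creds.append(sign("bank", {"role": "bank", "type": "approval"}))
    return creds

if __name__ == "__main__":
    signed_log = execute(ADVERT, demo_inputs())
    print(signed_log["claim"]["status"], verify_log(signed_log, ADVERT))
```

Two design points carry over to a real implementation: the log embeds a digest of the signed advertisement, so a participant can only accept a log for the logic they were actually shown, and an input credential is accepted only when the signer is the agent holding the role it claims, which is what stops one participant from supplying another's input. Because the log is deterministic over canonical bytes, two participants can compare copies byte for byte, as the article suggests.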

This is how value-transferring transactions should be digitalized – by creating digital identities to all participants of the transaction and to the space where the transaction is executed!

What Next?

As stated early in this article, to properly digitalize trust, we needed to do three things right in the digital realm:

1. Identification – We bind the digital identity to a physical one using a proper authenticator.
2. Proof presentation – We use the standard verifiable credential model for this.
3. Issuance verification – We are proposing a mechanism that allows the participants of a transaction to verify what has happened during the execution of the transaction. Also, outsiders can be confident that the participants of the transaction are in agreement with each other and hence that the transaction is a legitimate source of the credentials it has issued.

Now we can assume that we can build a privacy-preserving network of trust, whose participants are properly linked to the real world, who can present dependable proofs about themselves to other participants of the network in different transaction contexts, and where the proofs have their origins in facts issued from verifiable interactions.

How could we utilize this newly found digital trust to solve some valuable problem? Let’s jump to the deep end of the pool and see if we can swim! Let’s make decentralized commercial bank digital money flow in the network of trust! We envisioned this already last year in an article titled “Money – the thing in your wallet”. The steps that put that vision into action follow in the next article.
