Interview with Stephen Curran (Technical Architect and DevOps Specialist on the Verifiable Organizations Network)

The government of British Columbia, Canada, is using an open-source blockchain framework, Hyperledger Indy and Aries, to streamline their services and cut red tape. 

Canadian companies claim they waste more than 6 billion € every year on unnecessary bureaucracy. This governmental project – The Verifiable Organizations Network – believes decentralized identities and trusted credentials are the solution.

Each Canadian business owner has to use three different tax numbers and navigate three different levels of governmental bureaucracy: local, provincial and federal.

As the saying goes “on the Internet no one knows you’re a dog.” How can we trust who is on the other side of our screen? The main goal of the Verifiable Organizations Network is to help people and organizations “conduct business online in a trusted manner” (1). Aiming to prevent possible online imposters and cyberattacks that want to explore and misuse a user’s personal data.

The Verifiable Organizations Network aims “to create a trusted digital network of verifiable data about organizations, which is globally connected, interoperable, secure, and easy to join” (2) using blockchain-based self-sovereign identity.

Using this innovative technology, one trusted organisation within the value chain (such as the provincial government) can issue a digital verifiable credential to the business owner, and the other organisation (such as the federal government or a financial institution) can verify that credential and trust the attestation made by the first organisation.

We had the opportunity to chat with Stephen Curran, Technical Architect and DevOps Specialist on the Verifiable Organizations Network and a member of the Sovrin Foundation’s Technical Governance Board, about his work.

What are your responsibilities as Technical Architect and DevOps Specialist on the BC Government’s Open Source Verifiable Organizations Network?

I have a varied and always interesting role on the VON team. I’m a product owner for the various Trust over IP (ToIP) projects that we have undertaken, including production systems such as OrgBook BC and the tools we are building to enable services to use ToIP, such as the Aries Cloud Agent Python (ACA-Py) that BC Gov contributed to the Linux Foundation’s Hyperledger Aries Project. Beyond that, I try to do a lot of community building to ensure that BC Gov is both aligned with the community and, where appropriate, leading the discussion. For example, we really need interoperable components and so I took a lead on our team and helped in the community to define protocols so Indy (and later Aries) agents that could be built by independent teams and yet still interoperate. To enable the digital economy we’re envisioning, we need contributions, services, tools and understanding from across the economy. We need interop.

I’m also doing a lot outside of the VON project but in the same domain. I’ve recently worked with technical writer, Carol Howard, to complete an online edX course for the Linux Foundation on the identity projects in Hyperledger. The course is titled LSF172x: Introduction to Hyperledger Sovereign Identity Blockchain Solutions: Indy, Aries and Ursa and will go live on November 21st, 2019!

I’m serving on the Sovrin Foundation’s Technical Governance Board and I’m talking to lots of people about SSI, verifiable credentials and adding a trust layer to the Internet. It’s a ton of fun!

You currently have 1.2 million active legal entities in OrgBook BC. How are all the organisations involved reacting to it and how has the feedback been?

The reactions have been fascinating. People related to registered entities—the businesses— learn about OrgBook BC and immediately go online to find their company. We’ve had one company discover that their business was “inactive” and we dug in to find that they had unknowingly let their registration lapse, effectively dissolving their active company! One of our government issuers discovered that an organization to whom they were about to issue a permit had been sold, and two others were not even registered entities. What we learned in building OrgBook BC was that although our original goal was limited (to bootstrap a verifiable credentials-based economy), we’ve found there is long-lasting value in how OrgBook BC works that makes it self-sustaining. The class of product upon which OrgBook BC is built—a “credential registry”—is broadly applicable as a source of trust in many contexts. Now that we’ve built it and understand it, we see many applications. That’s why the underlying software is now “Indy Catalyst,” an open source credential registry that BC Gov will soon donate to the Hyperledger Foundation. Governments and authorizing entities worldwide can take advantage of (and contribute to!) the Indy Catalyst project.

What are the next steps for Verifiable Organizations Network?

Our vision remains the same: to enable the digital economy for the citizens in BC in a global context. As BC Gov’s John Jordan says, we are building locally, thinking globally. The specific work we are doing is in two areas: 

First, continue to drive uses for verifiable credentials that provide value for citizens. OrgBook BC is one example, but we’ve got others that, for example, use verifiable credentials that make authentication and authorization into systems much easier to manage. Those initiatives will get verifiable credentials “in the wild” and we will learn a lot about making it easy for people and businesses to understand and use credentials to convey trust.

Second, continue to work on and drive standards and interoperability in the broader SSI community. In July 2018, we initiated within the Hyperledger Indy community the first face-to-face meeting of agent developers so we could discuss “interoperability protocols.” Now we have a raft of Indy/Aries apps that work together. But we need to go further to enable interoperability across the SSI communities, solutions that work globally. We’re trying to do our bit to make that happen.

In the field of Digital Identity, what is the question that people should be asking more but aren’t?

I’m relatively new to the Digital Identity space and the biggest revelation for me as I’ve dug in has been how contextual identity is. What attributes about you that are important to prove are different in every transaction in which you participate. One-size fits all “identity” doesn’t exist.

What really matters for a verifier, a relying party, is getting specific attributes from a source that the verifier trusts. For the subject of the attributes, what matters is simplicity, control and reducing the distribution of their private data.

This leads to two questions that I think are important. The first is for verifiers to focus on what they actually need for identity versus what they collect in order to trust the data they need, to mitigate their risk. What if they could just collect the actual contextually required attributes and trust those attributes because they were issued by a trusted source?

That leads to the second question, specifically tied to getting started using the verifiable credentials model. Since identity can be so contextual, what constrained eco-systems do you participate in where you could get started using verifiable credentials today? Places where your partners are the authority for certain attributes such that they could issue credentials, you could trust them, and eliminate the hassle and risk of over-collecting and holding private data?

My favourite example these days is one we are working on for lawyers. A government service is being provided only to lawyers currently eligible to practice. How does the service determine who is currently eligible to use it? Traditional authentication mechanisms require over collection of data and complex integrations. With verifiable credentials, the authority that tracks practicing lawyers gives their members a “practicing lawyer” verifiable credential, and to access the service, they present that credential. The service trusts the authority, access is granted.

Apart from your work, what applications for digital identity/SSI really excite you?

I think that when you can ask the user for information and you can trust their response, you open up a lot of exciting opportunities. There are many services that find out who you are, and then call out to some service to get the information they really need because they don’t trust the user. When users can present trusted information directly, you eliminate a lot of painful integrations and a lot of unnecessary data sharing. I’ve heard of a great use case in the US where a health insurance policy is given to the user as a verifiable credential and trusted when presented at a hospital or clinic to determine coverage, on the spot. No need to integrate with others to understand their policy, what’s covered, what’s not, etc. The information is all there, from the person presenting their credential. That is really powerful, especially in the uber-complicated US healthcare space!

What are your hopes for the digital identity field in the future?

The big goal is to make it “safe” for citizens to use the Internet—to make wandering around online as safe for our citizens as walking down the street. It’s not like that today—people must be constantly vigilant about who is trying to rip them off. We can do better and trusted digital identity is a huge step forward in achieving that goal.

The next big goal is for your credentials to be accepted and understood wherever you are in Canada and even globally. Imagine identity credentials given to you in one jurisdiction (e.g.  a Canadian province) that are trusted when you enroll in services because you’ve moved to another country. That’s both a technical challenge and a governance issue, but it’s possible.

What are the specific roadblocks other people in this space should look out for?

The biggest challenge we’ve seen for newcomers is that “getting started” guides are usually focused on technology, not the business problems and solutions. As a result, people jump at the wrong layer and have to work way too hard to find where they need to be to use the capabilities. Decentralized identity uses blockchain, right? Way too often, newbies jump right in at the blockchain level and waste a lot of time and energy. What about at the core verifiable credentials implementations layer?  Again, that’s rarely the right place. You want to start at the highest layer upon which you can build your use cases. Over time you will learn more about the lower levels, but if you start too low, you are wasting your time and the knowledge and experience of those that have come before. Stand on the shoulders of giants…

What is the book (or books) you have recommended most to others?

You asked this of Kim Hamilton-Duffy recently and got a really great answer for the identity space.

I run a lot and so I’ve become more of a podcast person these days so I’m going to mention a podcast of which I’m a big fan. I really like IEEE’s Software Engineering Radio podcast, especially when Felienne is hosting. She’s a brilliant interviewer and adds so much to the discussion. Checkout a recent episode that Felienne hosted on gender, cognitive styles and usability bugs. I learned a lot from that discussion.

SE Radio recently interviewed Justin Richer about API Security with OAuth2. Justin is well known in the identity space (and has great taste in t-shirts). Well worth a listen!. Other recent episodes on Securing PKI and Distributed Consensus are also great, and really useful for those in the identity space.

We, at Tykn, would like to thank Stephen Curran for his time and for sharing his ideas and knowledge with us. Thank you, Stephen! Be sure to follow his Twitter.

Tykn is a digital identity company. We just launched Ana, a digital identity management platform that allows organisations to issue tamper-proof digital credentials which are verifiable anywhere, at any time. If you’re keen on reading more we suggest you check out our Blog. There are interviews with Daniel Hardman, Elizabeth M. Renieris, Kim Hamilton Duffy and many more. There’s also our Definitive Guide to Identity Management with Blockchain and the Ultimate Beginners Guide to Self-Sovereign Identity.