Zero Trust, Web5, and GLEIF’s vLEI

My business partner at Digital Trust Ventures, Dr. Samuel Smith, happens to be the smartest human I’ve met, and through my line of work I’ve been fortunate to meet some smart ones.

In an email exchange during the last 72 hours, Sam opined about the McKinsey Technology Trends Report for 2022 (the full report), which strongly touts both self-sovereign identity (SSI) — which I now believe should be considered as part of Web5 — and zero trust architecture (ZTA). As happens often, I found Sam’s private comments insightful, but this time so much so that I’m making them immediately public, with his permission.

I’ve not changed a word, other than adding [Web5] and emphasis where appropriate.

I think a useful insight with regards the McKinsey report is that the GLEIF vLEI is leveraging a zero trust architecture (ZTA) to provide digital identity. This means that the benefits of both trends are realized in the vLEI. Moreover, once an enterprise adopts a ZTA for digital identity, using ZTA for adjacent functions to digital identity becomes easier. Indeed, fully decentralized ZTAs fall short unless they include a zero trust digital identity system as the basis for verification (which verification is essential to the function of ZTA). The two go hand-in-glove.

All forms of zero trust require some form of access control which in turn requires some form of digital identity. But centralized digital identity has large trust surfaces (things that must be trusted and therefore can’t be verified). But truly fully end-verifiable zero trust is the gold standard for ZTA and end-verifiable is largely incompatible with anything but decentralized digital identity. Decentralized digital identity makes zero trust more secure because it both increases the surface of what can be verified and decreases the surface of what must be trusted without verification.

Autonomous control over data and relationships [Web5] is best enabled by end-verifiable mechanisms where the parties involved in any interaction are enabled to choose their trust surfaces and trust anchors. GLEIF is an end-verifiable trust anchor. GLEIF vLEI credentials enable a party to an interaction to present trustworthy end-verifiable artifacts (AKA vLEIs) to bootstrap trust in a decentralized way.

Decentralized means control is diffuse. Control structures are distributed amongst parties. Autonomous control means each party picks its control structure. If my identifiers are portable across platforms and I get to pick what trust anchors I trust then I have a high degree of autonomous control. Each side of an interaction/transaction gets to decide what they will trust and what they will not trust without verification. The transaction is not finalized until both sides are satisfied with the other side’s trustworthiness according to each’s own criteria for sufficient trustworthiness.

I guess what I am saying is that ZTAs all require digital identity but end-verifiable digital identity requires a ZTA. But not all forms of digital identity require ZTAs.

If you’re like most people, you might want (or need) to read what Sam writes at least twice, slowly. My opinion: Sam Smith is the TBL of “the authentic web”, and I believe his short missive above contains some critical insights about the surprisingly strong relationship between Web5, decentralization, and the globally recognized gold standard of cybersecurity, zero trust architecture.

Sam’s insights are worth paying close attention to. For those who don’t know, here’s a bit about Sam’s accomplishments in this space.

Sam is the originator of the blockchain-based issue-hold-verify model that the SSI/Web5 industry now embraces. Evernym hired Sam as a consultant in 2015, having discovered him from his early 2015 paper, Open Reputation. At the time he was the only one we could find who was talking (writing) smartly about how blockchain might be used for identity, and he happened to live 30 minutes away.

Sam and Jason Law, my co-founder at Evernym, soon figured out how to “give people their stuff” through the use of digital wallets, rather than “put it on the blockchain” as everyone else was doing at the time (some still do!). Sam authored Identity System Essentials along with Dmitry Khovratovich, a world-class cryptographer we’d engaged, and the issue-hold-verify model using blockchain was born, resulting in Sovrin, with Hyperledger Indy, Aries, and Ursa under the hood.

But that impressive innovation pales in comparison to what he’s invented since with KERI, ACDCs, CESR and more: making SSI possible (and better) without blockchain (KERI); solving decentralized (and centralized) key management by solving the key rotation dilemma (KERI); making verifiable credentials chain-able, highly secure, and ultra lightweight to implement (ACDCs); making event streaming ultra-compact and switchable between text and binary without sacrificing security (CESR); and more.

My advice: if you’re interested in digital trust, ZTA, digital identity, and all things Web5, when Sam writes or speaks: listen, learn, and act accordingly, and you’ll end up toward the front of this train rather than the caboose. His written and oral communication is often thick and technical, but hang in there and let us know what needs better ‘translation’ to simpler language, and we’ll do our best.

This short post is just a taste of what’s to come on these rich topics. We’ll be writing (and podcasting) much more about zero trust, the vLEI, and of course Web5 over the coming weeks and months, so stay tuned.