I was lucky enough to be able to attend the Internet Identity Workshop (IIW) in November after being away from it for a couple of years. IIW always holds a special place in my heart as it was my first opportunity to meet and really get to know many of my heroes in the identity space. IIW’s unique format guarantees you a more personal and conversational back-and-forth with experts in the field.
You arrive at the 3-day conference with no set agenda. This year, 300 attendees would gather each morning and many would pitch sessions that they wanted to present during the day in one of the five designated time slots. Within those time slots, presenters would choose one of 15 available rooms, so on any given day there could be up to 75 sessions available. Over the course of the conference, 171 sessions were presented.
When I said presenters choose their room, it may be more appropriate to say they fight for a room. When the pitches are over, the presenters all crowd around the main display board with their session information written on pieces of construction paper, waiting to grab sticky notes with the room and timeslot designations on them. When the signal to begin is given by the organizers, a mad rush commences as presenters try to get their choice locations. In this manner, the conference schedule for the day is manifested for participants to view (and snap pictures of for later reference).
In the recent past, IIW has seen a continuous uptick in the number of sessions concerning Self-Sovereign Identity (SSI) and its related technologies (blockchain, DIDs, distributed ledgers, etc.). This year, while those sessions were still prominent, more traditional identity topics made their way back into vogue, and a number of sessions discussed how to accomplish some of the goals of SSI.
Some topics I found of particular interest:
- Kristina Yasuda, with Torsten Lodderstedt, gave a presentation on OpenID for Verifiable Credentials (formerly named OpenID for SSI), covering all of the changes made since the last IIW in May, including the use of OAuth as the base protocol. Kristina later gave a presentation on Selective Disclosure for JWTs (SD-JWT), which allows the user, acting between the issuer and the verifier, to selectively disclose certain claims while hiding others.
- George Fletcher also wants to leverage the advantages of JSON to solve technical issues raised during his presentation, Enabling Native Mobile UX for OAuth/OpenID Connect Flows, where he proposed adding a new response_mode=json to OAuth. This mode returns a JSON-based description of what has to happen for the login and is meant exclusively for first-party apps. It would give the app a certain flexibility to improve UX while ensuring that login and confidentiality of the credentials are handled properly.
- Passkeys continue to be a popular topic as they showed up in a number of different presentations. Tim Cappalli presented his Passkeys 101 presentation from October’s Authenticate conference while Dean Saxe found some potential security concerns that still need to be mitigated during his Passkeys are Great, Until They’re Not discussion.
The biggest trend at the conference, however, seemed to be the rise of the wallet, with ten different sessions discussing different aspects of wallets and their potential uses. Many saw the wallet as a unique combination of verifiable credentials and SSI, as you maintain the wallet on your device and essentially load it with claims made by issuers related to you (tickets, credit cards, mobile driver’s licenses [mDL], etc.). In Heather Flanagan’s session on Digitized vs Digital Credentials, it was noted that a digital wallet was finally something both technical and non-technical people could relate to. Finally, there was a presentation on the new Open Wallet Foundation, which is looking at how to develop wallet consortiums outside the existing Apple/Android ecosystems.
And then, of course, there were many sessions on topics that normally wouldn’t arise at a traditional conference including: SSI Tech Stack for New Zealand Farming, End Surveillance Capitalism, Trans Identity, Your Greatest Standardization Regret, Roger & We: Collective Action for Collective Action, Can SBT (Soul Bound Token) be a practical tool for identification?, Show Me the MONEY Biz Models, People are LAZY So How Can We Make It Easier for Them to Do the Right Thing?, and many others.
IIW remains an incredibly valuable and entertaining conference. Its greatest characteristic is its openness and low barrier to entry as anyone can present. It’s also a great environment to begin conversations with those on the front lines of standards development and possibly an opportunity for you to begin your journey in that space.
If you would like to get a closer look at what goes on at the conference, you can check out the Book of Proceedings for not just the latest conference, but for the past 29 conferences at https://internetidentityworkshop.com/past-workshops/. These BoPs contain notes for almost every session that was presented in November.
Steve “Hutch” Hutchinson
Director of Security Architecture at MUFG
Steve “Hutch” Hutchinson is the Director of Security Architecture at MUFG. After cutting his teeth in C/C++ software development and network engineering, Hutch spent a decade as an enterprise architect in the healthcare sector focused on security and network technologies. Hutch is a founding member of IDPro and is honored to sit on the inaugural Board focused on community development which has always been one of his passions. If you’re ever in Richmond, VA on a Wednesday night, drop him a note for an invite to his biweekly backyard get-together.