ToIP pitches trust-spanning protocol for digital ID and data


The rules that determine how much and how a digital identity or piece of data is trusted are set by the authority of each digital ecosystem – often a national ecosystem operated by a government or a corporate ecosystem operated according to company policy. For trust to span ecosystems, however, protocols for translating and applying those rules must be established, and this is the project of the Trust Over IP Foundation. A panel on the final afternoon of KuppingerCole’s EIC 2024 shared ToIP’s progress and the potential its project could unlock.

Trust Over IP Foundation ED Judith Fleenor was joined by six members of ToIP’s steering committee for the presentation: Futurewei Technologies Senior Director of Technology Strategy Wenjing Chu; Accenture Managing Director and Digital Identity Lead Marie Wallace; Karla McKenna of GLEIF (Global Legal Entity Identifier Foundation) Americas; GLEIF Head of IT Development and Operations Christoph Schneider; Gen Digital Director of Trust Services Drummond Reed; and Esatus AG CIO Dr. Andre Kudra.

The overall goal is to find a minimum protocol that will enable maximum interoperability. The work is now in its third stage, and the implementers draft for ToIP’s trust-spanning protocol specification was published in April.

ToIP’s model includes a dual stack, spanning both technology and governance, which are both needed to achieve full internet-scale interoperability, Fleenor says.

The stack and the trust spanning protocol

The tech stack is organized into four layers, as described in the architecture specification released in 2022, to mirror the internet itself. The layers are “trust support,” which includes secure elements and registries; the trust-spanning protocol; trust tasks like credential exchange and digital signatures, which Fleenor points out is the level most EIC presentation topics are drawn from; and applications.

“Governance is not layer-specific,” however, Reed notes.

Digital trust ecosystems like eIDAS are where the protocol is instantiated, and ecosystems interacting with each other creates the interoperability ToIP seeks to support.

The third-generation ToIP model is a template in the form of Google Slides that “anyone can come, download those templates, and start to design, put together the trust model canvas for your ecosystem, and your partner’s ecosystems, and you can even start designing, it will start to look like a global network of interoperable digital trust ecosystems,” Reed says. “That’s what Trust Over IP was founded to help you achieve.”

Chu explained that the trust spanning protocol is intended to accommodate the many digital identities that can belong to an individual. A given person may have different identities, or “personas,” for different parts of life, from work to dating to commerce, for instance. Each of these domains may communicate in a different language, but they all need to be translatable to each other to interact.

For now, ToIP has a draft specification for the minimum standard needed for trust spanning, and a draft implementation for the Open Wallet Foundation, written in Rust.

Authenticity, confidentiality (which is optional) and metadata privacy are the three necessary characteristics for trust, ToIP has determined.

If these are in place, Chu says, then not only does any particular verifiable identifier work with the protocol, but also any kind of identifier, whether based on a centralized, federated or decentralized architecture.

The need for a trust registry protocol (layer 1) became obvious when identity stakeholders began considering how to coordinate “a worldwide network of covid credential issuers and verifiers.” This registry protocol allows parties to answer the question “Does entity X have authorization Y under governance framework Z?”

Trust in practice

The vLEI (verifiable legal entity identifier) ecosystem governance framework from GLEIF is made up of over 20 documents and based on the ToIP trust spanning protocol, Schneider explained.

McKenna reviewed the challenges that go into identifying people and their role within an organization. These begin with verifying that the organization is real as represented, even before the person and their role are identified and cryptographically bound together.

To carry this out, GLEIF combined its existing governance foundation, the ToIP protocol and the Authentic Chained Data Container (ACDC) specification.

Kudra began his talk on the practical implications of trust registries by pointing out that everyone’s daily smartphone use depends on them.

ToIP and the trust model canvas (based on the business model canvas) allow organizations to have clear discussions with clients about how to model their use case, he says. The model will have to match the trust registry of the jurisdiction the client is working in.

A global construction company worked with esatus to identify the identifiers they use and create a trust ecosystem that will work for their application. Kudra notes that the company can then use the model to show regulators or new partners how trust is created and maintained.

Wallace sees a trillion-dollar opportunity in decentralized identity and the decentralized data economy, due to “the ability to allow you to very, very flexibly grow the entities that interact with each other for a specific business process.” This opens up new business models, and ways to apply data to business problems, and will allow people and organizations to weather the transition to the new data economy, she says.
