Making Data Better

Building a Credential Management Platform: So Many Stakeholders, So Many Use Cases

January 10, 2024 Lockstep Consulting Pty Ltd Season 1 Episode 6

Credential sharing is complex and exciting. Take a listen to our guest, Dan Stemp from JNCTN, in this installment of Making Data Better. We discuss JNCTN's credential sharing platform and its major use cases. 

Discover how managing digital identities supports the work of critical industries, from power generation to healthcare. We unpack the intricate relationships between those who rely on credentials, the individuals who hold them, and the authorities who issue them. 

Dan tells us the story of his firm's evolution from card personalization bureau to today's digital credential management scheme. We discuss the firm's clients' transition from physical tokens to digital credential presentation. Of course, we discuss wallets because they are the natural containers to hold verifiable credentials, and we address JNCTN's proprietary approaches, the W3C, and big players like Apple and Google.

Implementation of systemic systems is never easy. JNCTN has multiple stakeholders to convince. We examine enterprise adoption and the leverage points that resonate with the relying parties, the risk owners, who deploy these systems. It's not just about risk mitigation and operational efficiency.

So, take a listen as Dan, Steve, and George share their enthusiasm for verifiable credential sharing and the breadth of applications ahead.

George Peabody:

Welcome to Making Data Better, a podcast about data quality and the impact it has on how we protect, manage and use the digital data critical to our lives. I'm George Peabody, partner at Lockstep Consulting, and thanks for joining us. With me is Lockstep founder, Steve Wilson. Hi, Steve.

Steve Wilson:

Hello George, happy new year. I hope it's off to a good start for you, and great to be talking with you again.

George Peabody:

After a great start, we're actually expecting, finally, our first snowfall in Boston over the weekend, so I'll be getting into the hot tub after I do all the snow shoveling. So, Steve, today we're going to take a look at the power of credential sharing, some examples of what's possible when we address safety and security concerns through the use of the right credentials, presented at the right time. And to do that, we're fortunate enough to be looking at a company that operates what we're calling a credential management service and system that has to work with all the stakeholders in its system. What is really intriguing about this model where you do everything, where you are a credential management service serving everybody? You've got to work with all the parties, all the stakeholders, in the identification process. So you've got to get the party that's taking the risk, what we call the relying party, on board, whether it's the physical or digital worlds. The provider has to make it easy to grant access to a service, speed the process, log each of those accesses, trust the validity of the credentials presented. In other words, the relying parties want the ability to control access, know what each credential presenter is, who each one is, subject, referred to as what they're certified to do, and again to log each of those interactions. Then the service provider has to get the capability into the hands of the subjects, the holders and presenters of the credentials, on board. So they've got to answer the question of what's in it for the subject: easier to get into a building, or is it easier to access an online service? Maybe it's putting a QR code in front of the guy at the gate instead of a booklet full of stamps that say that someone's been certified to do a job? And the third party, of course, is the issuer of the credentials. Think about a registry of motor vehicles or an educational institution or a training company that provides certification.
Those credentials have to be in the hands of the subject to be presented to the relying party in order to make a complete loop of the transaction. One of the beauties of the service provider that does all the work is that they've got great visibility into what users are doing on all hands, whether it's the relying party, the subjects themselves, the folks who are presenting the credential. And given that visibility, given the fact that they're seeing interactions everywhere, they can actually respond to new changes, new requirements pretty quickly and push that capability out. Steve, let's illustrate this in the context of identification and credential sharing through talking with, I'm happy to say, Junction, a New Zealand company that has assembled a solution that addresses the needs of each of those three parties: the relying party, the party taking the risk, the subject and the credential issuer itself. So to do that, let me welcome Dan Stemp, who is Junction's chief customer officer. Dan, welcome.

Dan Stemp:

Thank you. Hey, look, thanks for having me, guys. I'm really excited to talk today about the work that Junction's doing and look verifiable credentials as a whole. Look, it's such an exciting topic and we kind of refer to it as the you know and lots of other people do is the new gold rush. You know this idea of owning your own information and being able to use it whenever you need to use it, knowing who has access to it. This is important stuff and we're really excited to be in this space.

Steve Wilson:

We're so excited to have you on the show, Dan. We met on the other side of the planet, for you and me at least, as Antipodeans. We had a great time at Identiverse in Las Vegas with George last year. It's fantastic, isn't it? You go to the other side of the planet to meet people that are almost next door. Also, when we were chatting, we found that we three have been in adjacent areas of business now for decades, so I found the history of Junction really fascinating. Could you recap that for us right now?

Dan Stemp:

Yeah, yeah, look, I'd love to. And, George, I'm going to pinpoint a word that you just used in your intro there with visibility, and it's a key part of Junction's learning. And, again, the word I'm going to use quite often during this is journey. Through Junction's journey, we had a lot of learnings when we owned a large scale card production and personalization bureau. So we were in the business of delivering physical identity tokens to individuals to showcase who they were, whether they had a particular skill or qualification or work authority. So, having that visibility of the information that we were producing for individuals and having that visibility of those individuals themselves and what they did with those physical tokens (hold them in plastic card wallets, information in manila folders), we had this insight into how we could create better user interactions for these individuals by using emerging technology like verifiable credentials. And building software was not new for Junction as an organization. As part of our card bureau offering, we had an online ordering tool, so essentially an online portal for our customers to input data around the individuals who were receiving these physical tokens and the information that was going on these tokens. So think firearms license and what your authorities were under your firearms license, what classification of firearms you're allowed to hold on to. This is all information that we would print onto a physical token for an individual to put in their wallet. So we saw the opportunity to create these digital interactions, of those physical user interactions that people will be having out in the world. And specifically, we've taken a focus on our high hazard industries and really that's just out of need and necessity, because we have heard that there are problems and we've had people approach us within those industries that they have problems and they think we can solve them.
So yeah, coming from the card bureau industry has given us a massive amount of insight into the amount of credentials that people actually hold on to, and it's not just one to three.

Steve Wilson:

We see all those common areas which are really, conceptually, it's an analog to digital conversion, isn't it? You take information from sources of truth, you have some way of quality assuring that information and then you package it on behalf of subjects. They then hold it in a plastic card or a digital wallet, I guess. Can we dig into this sort of infrastructure and that common ground, what you've had to build and what you've had to leverage? And I guess we could also ground this conversation relative to COVID, because we love what you guys did relative to COVID, so maybe you can use that to illustrate and underscore how your infrastructure works.

Dan Stemp:

Sure, infrastructure. Firstly, we've got to build something that's scalable. If it's not scalable, if it's not secure, it's not something that we want to have as infrastructure behind us. Because this needs to be scalable, it needs to be secure. So at the core of all of this really is data. It's important to understand again the journey of what we've built. But kind of underneath it all, we have a set of tools for people to interact with us. We have a digital wallet for holders to hold verifiable credentials in. We have an issuing platform that allows issuers of credentials to create a credential catalog and issue those to individuals. We have an admin portal for enterprises to use to consume that data. So, whether I employ 200 people and I want an overview of the credentials that those 200 people have, we have an admin portal that allows you to access that information, all permissioned by the individual. So an enterprise can't always be looking for a request when they need to access information around an individual and their work authorities or skill sets, and I want to caveat this all the way, all the time: this is under permission from the individual. So let's take that MIQ-type scenario: managed isolation and quarantine, a piece of work we did for the government during COVID here in New Zealand and specifically around the border workforce, the individuals who are working in these highly regulated environments, compliance high environments where they needed to showcase that they were the right people with the right skill set to be working in the environment. So let's take a managed isolation and quarantine facility where you've got hotel staff, defense staff guarding the gates, a health staff coming in and out and performing health duties within these environments. You've got caterers, you've got repair people.
You've got this highly compliant environment where, under the New Zealand Health and Safety Act, the person who's controlling that business unit needs to make sure that they are taking the best duty of care possible to make sure the right people are undertaking the right jobs. So, essentially, people are qualified, people are skilled, people have the right credentials to be in that environment. We needed to provide a value to this government department for them to make sure that the right people were coming in and out. The right compliance ticks were being ticked and that was relating to particular credentials around that individual. It happened to be obviously identity individual credentials that needed to be health credentials. They needed to be health and safety training credentials, as well as work authorities, something as simple as a site induction. All of this information we were able to provide to the government, or the government to issue the credentials to individuals. They already had existing databases that held the truth around this information. So say, for instance, think the COVID immunization register: there was already a point of truth around COVID immunizations. We simply took that data and created a verified credential out of it, issued it to the individual, made the mechanism to hold it in a digital wallet and then, from a verification point of view, the same digital wallet tool has the capability to check or validate credentials. So the defense force at the gate was scanning QR codes of individuals when they were coming in. Rulesets were created in those environments that ABCD credentials needed to be showcased. Our tool allowed that to simply return a result of "you meet requirements" or "you don't meet requirements" based on the verified credentials that you had sitting within your wallet.

Steve Wilson:

Then got it. There's a lot of parties involved there. What matters to the most and we think I'd love to discuss this further with you, but we think that the relying party, or the party that's on the hook for most of the risk in these transactions and these interactions, is almost like the silent partner in a lot of discussions. But what matters to all of those stakeholders, especially the relying party, what are they telling you matters? Is it things like logging? Is it visibility? Is it performance? What is it?

Dan Stemp:

It's all those things. It's all the things that people are screaming out for: efficiency, productivity. Time is so important to individuals and what our tool and our solution allows people to do is essentially take a lot of that time controlled back, particularly in this environment that we just discussed about managed isolation and quarantine. What was important to them was time. These individuals, every time they turned up at the front gate, needed to showcase a set of credentials that took time to validate and make sure they were true before that individual came into that environment. So, A, I needed to know when that person came in. I needed to know, at the point in time that they turned up, that they had the right credentials to actually be in this environment. There's logging, there's validation that the right people are undertaking the right tasks. That audit trail is really important because if something goes wrong, I need to showcase, from an audit trail point of view, that I put everything in place to make sure that I was doing my job correctly as the essentially custodian of this environment. And that can be totally translatable to a construction site. If I'm the lead can a contractor on a construction site, it's my responsibility that people coming in that environment are kept safe when they were there. So what this tool allows people to do is give them peace of mind that the right people are turning up with the right skills and qualifications, and verified credentials is the perfect way to do this, because it's not just me trusting that a piece of paper, a plastic card, some sort of proof that I have to validate whether it's true or not, is really up to me.
So giving the technology and allowing the technology to make those decisions for people and give them that peace of mind is really important and gives them so much control, validation, but also, most importantly, it gives them time back because they can get back to actually doing what they should be doing, as opposed to spending time validating information. And for MIQ workers, what was taking minutes before we were able to come and give them the solution, we were literally able to reduce to seconds. So we're also able to reduce a whole bunch of admin staff behind the scenes, whose job it was to go and validate that this information was true and real.

Steve Wilson:

So you've got the ability for holders of these credentials to present themselves quickly and to get approved quickly, and you've got strong audit trails to show that the correct rules have been followed and that the correct data has been presented by the correct people at the right time. 100%. Now we've talked about wallets already and you're obviously using a wallet. Is that a proprietary Junction wallet? Is it part of your solution and how do you feel about the operating system wallets like Google and Apple, the built-in wallets?

Dan Stemp:

It is a proprietary piece of tech that we've created ourselves. We're kind of operating with two wallets at the moment. One is a progressive web application, so essentially it's a cloud wallet, but we also have a native wallet both on Android and Apple. Really important to kind of see why we have two. A web wallet or a progressive web application allows us to push updates, you know, instantaneously to that platform for our users. So when it comes to increasing functionality, it's not reliant on that individual having to go and update it on the app store. We're able to kind of push some of these updates straightaway to it. Obviously, it has some downfalls to what a native app would have and, for instance, offline capability. Our progressive web application relies on the internet, whereas the native app doesn't necessarily rely on connectivity to transfer credentials to individuals, so that validation can still be done in environments that are important to Junction. You know, like sectors, forestry, etc. They work in environments where there is no internet capability, so that validation of a credential still needs to happen. So our native app allows us to do that via Bluetooth. So there are some cool things in both and important. But when it comes to the operating system wallets, you know your Google wallets and your Apple wallets. We're big fans of those. We believe here at Junction in the ecosystem where the user should be able to choose where they store their credentials. If I want to store it in my Junction wallet, because I have all of this other cool functionality and great tools to utilize, then I should be able to do that. But if I want to store that credential in my Apple wallet or my Google wallet, I should be able to do it as well. And that's what our journey is with Junction is to help these issuers of credentials and give them a mechanism and a platform to be able to do that. So if you want to issue a credential to somebody, you can issue it to them.
They can hold it however they want to hold it. And if that's within Junction, then fantastic, because we've added value with the toolset that we've created within our solution. But if I want to hold it in my Apple wallet and keep it in my Apple wallet, I should be able to do that as well, and that's what we believe in and I suppose that comes back to well, how do you do that? And standards are a big part of this, and the W3C standards around verifiable credentials is a big part of this and we're big believers in that to drive adoption so that someone can turn up somewhere and claim a credential and hold it in a Junction wallet or in an Apple wallet, and we want that capability for people.

George Peabody:

And, to be clear at this point, the ability to put a credential into an Apple wallet is not present.

Dan Stemp:

Not true. We have done some experiments where we've proved this within Junction. Not in a valid market, though, so we haven't got it actively being used within a marketplace, but I suppose, just like any organization, there's a whole bunch of research and development going on to make sure the stuff is entirely possible. Another example is pushing into another quasi-wallet, which would be the Microsoft Authenticator app, proving that there are multiple ways to issue these credentials to people, and it doesn't have to be through proprietary wallets like a government wallet or a Mastercard wallet. These credentials should be following open standards where they can be consumed by any type of wallet, and I think that's really important for people moving forward that choice.

Steve Wilson:

We see the same pros and cons playing out in Australia. One of the world's preeminent state government credential wallets is the New South Wales Digital Drivers License a project here that's close to my heart and that's been extended for COVID credentials. But a whole lot of other trade qualifications and building permits and working with children's checks and so on. The ability to update that wallet quickly is something that makes it very difficult for New South Wales to move to Apple or Google, because there's a whole lot of momentum and inertia with those big projects. And, of course, the ability for finer-grained functionality in the app. When you've got a proprietary wallet integrated with the app, it's a lot easier to be sharing information, to be streamlining data sharing and so on. So I think it's a really nice design problem about the choice of wallet and I myself am prepared to think that we'll have a choice of wallets going forward for quite a long time.

Dan Stemp:

And I think a key thing here is all of this is good. The use of verified credentials is good, no matter how it's done, whether it's in a proprietary wallet. I think we will get there and again, there's a massive journey for people to take on. We've gone through a long history of showcasing who we are and validating the skill set that we have via paper and physical plastic tokens, and if I take the example of the work we're doing within the energy sector, for 40 years I've used a green passbook. It's called the Green Book and it literally is a green paper-sized passbook that holds onto information around. You talk to our Vistar who you are and what you're entitled to do. So when you turn up to the geothermal power station gate, you hand over that green book and inside is handwritten, rubber stamped signature information around site inductions or working at the heights, training or qualifications and skills. We've got a long way to get to our utopia because we've had this long history of this paper-based proof and there's a mindset that needs to change within industries and organizations as well, and I think that's a big part of it too is actually embracing this technology, and it's up to people like me and our organization to convince people of the value of this type of technology and why we should move to this. So, again, that goes back to the challenge of that closed-loop environment where you are literally selling this and educating people at all levels: at the issuer level, at the holder level and at the verifier level.

George Peabody:

Let's get to the business piece. So it's the relying party who's paying, it's the enterprise that's paying for this, it's the party that has the risk exposure, correct, correct. What do you find to be the leverage points in your argument for adoption?

Dan Stemp:

Look, there's a couple of important things here. Traditionally, how these guys, or how these organizations and enterprises, these relying parties, have dealt with this information is very manual. So if they haven't done a database, that's maybe in a spreadsheet somewhere, it's in some siloed database that has a piece of the puzzle. So being able to give them a toolset where we can access some of that siloed information and bring it into a platform where it's visible all at once is hugely important to them. We're talking about organizations, especially in the energy sector, who have a high-value asset. They have a highly hazardous environment in a power generation site where they need to make sure that the right people are undertaking the right task. So when that person turns up at the gate, they need to make the quickest decision possible to get that person on site to undertake their work that they are supposed to be there. So that's validation of their identity, validation of their skills and qualification and their work authorities. If that takes time, there's a trickle-on effect and for six weeks of the, every generation site is shut down for cleaning and maintenance. Time is crucial through a period like that. So they need to, ahead of time, make sure that the right people are turning up or going to be turning up. So that's where our platform comes into play, where, as an individual who contracts to you as a company, I can give you access to particular credentials for a particular period of time or to allow us to say stop. That allows you to make those forward-planning decisions. So in six months' time, if I'm still sharing with you, you can validate that I've got the right skill set to hire me to come and contract and do this work. Now, as soon as I untick the box and say I'm no longer sharing with you, you no longer have access to those verified credentials that I was once sharing with you.
Having that, from a privacy point of view, none of these organizations want to be holding on to information they shouldn't be holding on to. So it ticks so many boxes from efficiency, productivity, privacy and compliance that the sell isn't actually too hard when you show the value and you show the time saving. To the extent where these enterprises are so happy to pay for the people who are coming in and contract with them because it actually saves them so much more money than what it does at the cost of it all. I just want to expand on that particular example and use one particular use case that the industry, the energy industry, has highlighted to us here in New Zealand. Prior to us coming along, an individual's information wasn't managed that well. So if I work for a large generation company and jump ship and go and work for another large generation company, when I turn up, my new boss wants to know what I'm skilled and qualified in. If that is too hard, or if I don't bring everything with me because I can't remember everything, my previous organization has paid for my training. Maybe they feel like they own my training. It's mine, by the way. I did the training. I should be able to own that. But because there isn't this easy way now to give this credential to the individual, they turn up to a new environment, shrug their shoulders. A new boss says well, I need you to have this skill, so I'm going to send you on a training course tomorrow, at the cost of double training. That individual already had that skill set. They just didn't keep it with them, didn't have it. It wasn't easily accessible. That cost to the energy industry is around $10 million a year that double training costs. So for spending $50 million a year on training, $10 million of that, 20%, is wasted double training individuals because it's too hard to validate their skills or training qualification.
So automatically by implementing this across an industry and hats off to the New Zealand energy industry world leading in the fact that, as an entire industry, they've said hey look, there's no IP in health and safety, so we just want to make sure that people go home safe. So what we want to do is we want to give a solution for everybody to be able to validate that Now who they say they are and have the right qualification. We want them to be able to turn up to a training environment and receive a verifiable credential straight away. So we're working with all of these separate parties to create this efficiency and this productivity. And it's working for them because automatically show off the back, thus saving millions of dollars because all of a sudden, this information is visible and the information for the individual is transferable and they can take it with them. That's so empowering.

George Peabody:

So let me be clear about that at the end. If I'm working for Power Generation Company A and then I decide I want to go move to South Island and work for a company B, the Junction wallet that I have that's containing my credentials, can that just be valid as soon as I get to my new place of employment?

Dan Stemp:

Oh, 100%. Those are your credentials. If they've been issued to you by somebody, you still hold them. You can take them with you. The fact that you've been sharing with your employer while you've been working for them is just so that they can utilize those credentials. They need to utilize those credentials. You're their worker, you have a particular skill set. They need to know that that's valid when they're sending you on work. So having access to when those credentials expire is hugely important for them. Hugely important for you as an individual as well, especially when you do want to take them with you somewhere else and showcase them to somebody else. So, within the energy sector, I can do that. I can take all my credentials with me to a new employer and I can showcase them.

George Peabody:

How do you assure the new employer that the credentials are legitimate?

Dan Stemp:

Great question, George. And within the energy sector in New Zealand that's not an issue because what they've done is that this is a recognizable form of currency within the sector. So if someone is turning up with a Junction wallet and there are credentials in there, you can be rest assured that those credentials are true and valid. Now I'm going to caveat that with we give the ability for individuals to upload their own credentials to claim a credential. But what we've done with that is we've implemented a trust matrix, so essentially it's a red, amber, green traffic light system. We know that we're not going to get absolutely every issuing authority on board from day one, but it's important for these individuals to carry credentials with them that maybe haven't been digitized yet, so they haven't got to the verifiable credential status where they're issuing a digital driver's license. We don't do a digital driver's license here in New Zealand yet, so an individual working in the energy sector needs to showcase that they have a driver's license. We can give them a mechanism to showcase that as a verifiable credential. But it's caveated on this trust matrix, a red, amber, green traffic light system. If it's been issued from the licensing authority, it's a green verifiable credential. If I have self-claimed this credential, it's flagged as red. So anyone I'm showcasing it to can clearly see this trust matrix, clearly see the levels of the trust matrix. And what we've done there is again, I'll go back to this journey, is we're building so that when that licensing authority comes on board they have the ability to turn all of those red credentials. And we do have an amber status which has been endorsed by the organization you work for. So if I'm endorsed by a large generation company here in New Zealand and I'm showcasing that to somebody else, they can be rest assured that it has been validated by another authority.
And then again it's up to them, their own business decisions on how much they trust that. All of this comes down to trust. At the end of the day, trust is the underlying thing to everything. How much do you trust this that I'm showing you? And all we've done is give them a mechanism to be able to validate that trust, but also for the issuing authority to be able to come in and say actually I want to turn all of those credentials that people are claiming of mine green, because we're now on board with this movement of verifiable credentials and we want people to be showcasing our credentials out in the marketplace. We want people to have peace of mind that that is a true and valid credential, because you look across, you know, in New Zealand we've got the city councils who have just been through a bit of a scandal where an engineer signed off on a thousand pieces of work using another person's credential. So those authorities want people in the marketplace showcasing verifiable credentials to prove that it is them who has that authority, because the trickle-on effect is massive if someone's impersonating or stealing somebody else's credentials. So yeah, this is good for everyone. The same story in healthcare, I guess.

Steve Wilson:

Professional licensing, maintenance, aircraft, aviation. Generally speaking, what's next? What are the most important use cases for this sort of technology going forward?

Dan Stemp:

Look, what's next? It's a big question, Steve. There's so many opportunities here. As a commercial organization, our focus is, look, it's a laser focus. It's a laser focus on proving in the environments that we're already in, that it works and that there's value, because the use cases are so great. This could go absolutely everywhere, but we need to prove it somewhere first, and it just so happens that we found the industry that was screaming out for a solution because they want to send their people home safe and, you know, the high hazard industry, that environments where people need to have skills and qualifications in order for other people to stay alive, in order for people to go home safe. That's a great place to start with this because there is an immediate impact and it's not just a top-down approach either. I think this is something that's really important to understand and I see just briefly before empowerment. You know, like individuals holding on to their information and being able to take that with them. It's hugely powerful, and we have a use case within the United States, where we have a particular sector of workers who are trying to push from the ground up with this technology. They care about their data, they care about their information, they care about their identity. They don't want people to steal their identity. They don't want people to be showcasing their particular skills and impersonating them. So they want to use this technology in the environments that they work in so that the organization they're working for is held accountable for that data and is not at the risk of being hacked, not at risk of leaking that data. So it really is a ground-up approach, for where we've found success and drive has been from industries that have a requirement, mainly around health and safety. But, Steve, yeah, the possibilities are endless. You know, George, you mentioned in your intro access to solutions, access to systems.
You know, a verified credential could be a key for you to access a particular solution. Or, you know, have access to some digital tools. Yeah, it might mean that a lineman, because of his particular credential set, gives him access to some maps that allow him to see where, you know, a power grid is mapped out. This is really important stuff and I think, with what we're doing, we're just kind of scratching the surface with this use case of individuals showcasing their credentials for their work environments. There's so many opportunities with verifiable credentials. It really is the new internet. It's, um, yeah, it's a very exciting space.

George Peabody:

Well, Dan, thank you very much. We're gonna have to leave it there. Wish you all the luck in this new year, and you're speaking our language. We really appreciate your time. Hey, look, thank you so much, guys.

Dan Stemp:

It's, um, yeah, it's been a pleasure, and I look forward to talking to you again if I have the opportunity, and thanks to all your listeners as well.

Steve Wilson:

Let's do it. Keep up the good work, Dan. Cheers guys.
