Self-sovereign identity, decentralised identity, web5… collectively “ID Tech” has become a much more mainstream topic in recent years, and we are seeing an increasing number of products being built using these new technologies. However, with all the hand-wringing about adoption that we hear in the industry, it can sometimes feel like a hammer looking for nails. Which specific and tangible benefits can ID Tech bring to its users, and what special considerations should a product manager have in mind when working in this space? James Monaghan has been a product leader for two decades and has worked on ID Tech projects in financial services, travel, healthcare, education and more. In this talk he will share his views on how to tell whether a customer problem might call for an ID Tech solution, and how to approach some of the product decisions which arise when applying these tools.
5. https://creativecommons.org/licenses/by-sa/4.0/ SSIMeetup.org
@james_monaghan
About me
James Monaghan (@james_monaghan)
Entrepreneurial product leader
● 3x technology startups (MXTelecom, TeleSign, Evernym)
● Currently advising companies and incubating new ventures
Digital identity practitioner
● Over a decade in digital identity
● More than half of that in SSI
Why give this talk
I want to see:
● More products built using SSI
● Those products be more successful
Not enough SSI awareness in wider industry
● DIDs & VCs have amazing superpowers
● Which only the SSI community knows about
● And are mostly only using for ID related use cases
Not enough PM practice in SSI community
● Need to get out of the lab and into the market
● Strong focus on the technology, less on business
● Care a lot about users, but don’t talk to them very much
What is SSI?
Wikipedia definition:
● Self-sovereign identity is an approach to digital identity that gives individuals control over the information they use to prove who they are
Many related terms:
● Decentralised identity
● Portable identity
● Web3 / Web5
● ID tech
For our purposes:
● A system for portable, high-fidelity data which enables a more decentralised and user-centric approach to solving business problems
An exciting new tool in the tool box!
SSI building blocks
Decentralised identifiers (DIDs)
● Unique identifiers which users create and control without relying on a central authority
Verifiable credentials (VCs)
● Digital documents which can be verified without requiring access to the underlying data
Trust task protocols
● Frameworks for interacting with and about claims and credentials
Authenticity
Proofs are cryptographically verifiable
● Source (who made the claim)
● Integrity (claim hasn’t been tampered with)
● Validity (claim hasn’t been revoked)
● Ownership (proof is presented by the legitimate owner)
For businesses:
● If you trust the issuer, you can trust the data (no matter how you got it)
For users:
● Easier to prove what is needed without repetition or over-sharing
Source: ToIP Foundation
Composability
Proofs can combine claims from multiple credentials
For businesses:
● Access to wider universe of data and use cases than any single ecosystem
● Issuers only have to be experts in their own domain (don’t have to design the whole system)
For users:
● More natural and flexible approach to proving things
● Maximum leverage for every credential
Diagram: three credentials and a Job Application proof that combines claims from them
● Passport: First Name, Last Name, Date of Birth, Gender, Citizenship, Date of Issuance, Date of Expiration, Endorsements
● Rental Agreement: Full Name, Address, Start Date, End Date, Monthly Rent
● University Degree: First Name, Last Name, Issuing University, Subject, Level, Grade, Date of Graduation
● Job Application: First Name, Last Name, Date of Birth, Address, Issuing University, Subject, Level, Grade
Privacy
Prove only what is required
● Selective disclosure of claims
● Non-correlation between presentations
● Zero-knowledge proofs
For businesses:
● Only collect (and be responsible for) data that is strictly necessary
For users:
● Prevent unwanted surveillance
Diagram: Government issues a Passport to the User; the User presents a Proof of Age to the Retailer
● Passport: First Name, Last Name, Date of Birth, Gender, Citizenship, Date of Issuance, Date of Expiration, Endorsements
● Proof of Age: Age is Over 18
Immature standards and technology
DIDs
● W3C recommendation since 2022
● Over 330 registered methods, with different properties
● Examples: did:web, did:key, did:ion, did:sov
VCs
● W3C recommendation since 2019
● Multiple serialisation and signature schemes, with different properties
● Examples: JSON vs JSON-LD, RSA vs Ed25519 vs CL vs BBS+
Trust task protocols
● Different approaches from different communities
● Examples: CHAPI vs DIDComm + Hyperledger Aries vs OpenID4VC
Not all benefits are available in all implementations
Blockchain taint
Nothing about SSI requires the use of blockchain, but…
● Several (by no means all) DID methods do use a blockchain or DLT
● Say “self-sovereign” or “decentralised”, people think “blockchain”
● Web3 is explicitly blockchain-centric
Many businesses can’t or won’t touch anything associated with blockchain, due to:
● Regulatory concerns (securities laws, privacy laws)
● Unfavourable associations (environmental damage, pump-and-dump scams)
● Complexity of the technology
Exercise caution when positioning SSI solutions for your audience
New risks and harms
SSI represents a major yet poorly understood change in how we view, manage and interact with human identity
It may introduce a range of potential harms:
● Political
● Economic
● Social
● Technological
● Environmental
● Legal
Explored in more detail by Hickman et al, Sheldrake and others
Identify the user problem
Clearly articulate the problem you are trying to solve
● All good product management starts here
● Especially relevant when thinking about user-centric solutions
Look for signs that SSI might apply:
● Inherently fragmented or decentralised environment
● Entities have mutual trust but no means to exchange data
Example: health worker staff passport
Problem:
● Doctors in the UK waste 100,000 clinical days per year waiting for approval to practice at a new location
● Identity, qualifications, training, work history must all be verified manually before every placement
Signs that SSI might apply:
✓ Inherently fragmented or decentralised environment
○ Over 1 million staff working in over 200 NHS trusts
○ High degree of mobility (clinical training rotation, locum shifts, etc)
✓ Entities have mutual trust but no means to exchange data
○ Same standards apply across the NHS
○ No central HR system exists
Example: health worker staff passport
Proposed solution:
● Workers get a digital wallet with credentials for identity, qualifications, training, work history
● NHS trusts (and later, other relevant bodies) can issue and verify these credentials
Relevant benefits:
✓ Portability the main benefit, allowing trusts to rely on each other’s records
✓ Authenticity absolutely critical given the trust placed in health workers
− Composability highly beneficial but not essential
✗ Privacy always preferable, but not essential for a workplace application
− Control beneficial, allowing the shift of admin workflows to the user
✗ Security not meaningfully improved in this case
✓ Interoperability important, as a choice of vendors drives competitive pricing
Questions to answer
Issuers
● Who issues credentials?
● How do they verify users?
Verifiers
● Who requires proof?
● How can they get it?
● Who do they trust?
Holders
● Who is the user?
● How do they receive credentials?
● How do they present proofs?
Conveners
● Who do the actors trust?
● How are incentives aligned?
● What regulations apply?
Credentials
● What credentials are available?
Presentations
● What proof is required?
Example: health worker staff passport
Diagram, step 3: In future, IDV Provider, University and Training Provider can be issuers
● Diagram roles: Issuers, Verifiers, Holders, Conveners, Credentials, Presentations
● Actors shown: Health Worker, IDV Provider, University, Training Provider, Hospital HR, NHS, GMC
● Credentials: Identity, Qualifications, Training
● Presentations: Right to Work
Example: health worker staff passport
Diagram, step 4: Adding the Right to Login to Hospital IT systems
● Diagram roles: Issuers, Verifiers, Holders, Conveners, Credentials, Presentations
● Actors shown: Health Worker, Hospital IT, IDV Provider, University, Training Provider, Hospital HR, NHS, GMC
● Credentials: Identity, Qualifications, Training, IT Access
● Presentations: Right to Work, Right to Login
Example: health worker staff passport
Diagram, step 5: Add the attribute-level detail of credentials and presentations
● Diagram roles: Issuers, Verifiers, Holders, Conveners, Credentials, Presentations
● Actors shown: Health Worker, Hospital IT, IDV Provider, University, Training Provider, Hospital HR, NHS, GMC
Credentials
● Identity: Name, Date of Birth, Photograph
● Qualifications: Date, Subject, Level, Grade
● Training: Date, Type of Training, Valid Until
● IT Access: System, Type of Access, Valid Until
Presentations
● Right to Work: Name, Photograph, Has Medical Qualification?, Has Required Training?
● Right to Login: Has Access to System?, Within Validity Period?
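Added example (not from the talk or any staff passport implementation): a verifier-side check of a Right to Work presentation that composes Qualifications and Training credentials and tests the four authenticity properties listed earlier (source, integrity, validity, ownership). Assumptions: Ed25519 signatures over sorted-key JSON, flat credential objects, `did:example` placeholder issuers, an in-memory revocation set, and full credentials shown to the verifier (no selective disclosure or zero-knowledge proof).

```javascript
const crypto = require("node:crypto");

// Helpers: Ed25519 keys, sorted-key canonical JSON (flat objects only), sign, verify.
const newKey = () => crypto.generateKeyPairSync("ed25519");
const pub = (k) => k.publicKey.export({ type: "spki", format: "der" }).toString("base64");
const canon = (o) => Buffer.from(JSON.stringify(o, Object.keys(o).sort()));
const sign = (o, k) => crypto.sign(null, canon(o), k.privateKey).toString("base64");
const check = (o, sig, pubB64) => crypto.verify(null, canon(o),
  crypto.createPublicKey({ key: Buffer.from(pubB64, "base64"), format: "der", type: "spki" }),
  Buffer.from(sig, "base64"));

// Constructed actors; the did:example identifiers are placeholders.
const university = newKey(), trainer = newKey(), worker = newKey();
const trustedIssuers = new Map([
  ["did:example:university", pub(university)],
  ["did:example:trainer", pub(trainer)],
]);

// Issuer side: bind the claims to the holder's public key and sign them.
function issue(issuer, issuerKey, holderKey, fields) {
  const cred = { issuer, holder: pub(holderKey), ...fields };
  return { cred, sig: sign(cred, issuerKey) };
}

// Holder side: combine credentials and sign the verifier's nonce.
function present(creds, holderKey, nonce) {
  return { creds, nonce, holderSig: sign({ nonce }, holderKey) };
}

// Verifier side: hands the relying application predicates, not raw claims.
function verifyRightToWork(p, nonce, revoked, today) {
  const fail = (reason) => ({ ok: false, reason });
  const holders = new Set(p.creds.map((c) => c.cred.holder));
  if (p.nonce !== nonce || holders.size !== 1) return fail("ownership");
  if (!check({ nonce }, p.holderSig, [...holders][0])) return fail("ownership");
  for (const { cred, sig } of p.creds) {
    const issuerKey = trustedIssuers.get(cred.issuer);
    if (!issuerKey) return fail("source");
    if (!check(cred, sig, issuerKey)) return fail("integrity");
    if (revoked.has(cred.id) || (cred.validUntil && cred.validUntil < today)) {
      return fail("validity");
    }
  }
  const c = p.creds.map((x) => x.cred);
  return {
    ok: true,
    hasMedicalQualification: c.some((x) => x.type === "Qualifications" && x.subject === "Medicine"),
    hasRequiredTraining: c.some((x) => x.type === "Training"),
  };
}
```

Each failure reason maps to one authenticity property, so a rejected presentation tells the verifier which trust assumption broke.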
Pick your poison
Technology family
● Choices driven by desired benefits
Build vs buy
● How much control do you need
● How much expertise do you have
Approach to custody
● How self-sovereign should the solution be
● How much responsibility is it reasonable to give the user
Trust network
● Join one or create your own
The role of the PM
Your #1 job is to advocate for the user
You also have to:
● Write great requirements
● Craft a compelling roadmap
● Manage engineering priorities
● Develop a credible go-to-market plan
● Champion a learning culture
And if SSI-enabled solutions help solve user problems, then great