Building SSI Products: A Guide for Product Managers

https://creativecommons.org/licenses/by-sa/4.0/ SSIMeetup.org
@james_monaghan
Building SSI Products
A Guide for Product Managers
James Monaghan
@james_monaghan

@james_monaghan
1. Empower global SSI
communities
2. Open to everyone interested in
SSI
3. All content is shared with CC
BY SA
Alex Preukschat @SSIMeetup
@AlexPreukschat
Coordinating Node SSIMeetup.org
SSIMeetup objectives

@james_monaghan
Agenda
● Introduction
○ About me
○ Why give this talk
● SSI for Product Managers
○ Definition
○ Benefits
○ Challenges
○ Tactics
● Product Management for SSI Practitioners
○ A few reminders
● Conclusion

@james_monaghan
Introduction

@james_monaghan
About me
James Monaghan (@james_monaghan)
Entrepreneurial product leader
● 3x technology startups (MXTelecom, TeleSign, Evernym)
● Currently advising companies and incubating new ventures
Digital identity practitioner
● Over a decade in digital identity
● More than half of that in SSI
SSIMeetup.org

@james_monaghan
Why give this talk
I want to see:
● More products built using SSI
● Those products be more successful
Not enough SSI awareness in wider industry
● DIDs & VCs have amazing superpowers
● Which only the SSI community knows about
● And are mostly only using for ID related use cases
Not enough PM practice in SSI community
● Need to get out of the lab and into the market
● Strong focus on the technology, less on business
● Care a lot about users, but don’t talk to them very much

@james_monaghan
SSI for Product Managers

@james_monaghan
What is SSI?
Wikipedia definition:
● Self-sovereign identity is an approach to digital identity that gives individuals control over the
information they use to prove who they are
Many related terms:
● Decentralised identity
● Portable identity
● Web3 / Web5
● ID tech
For our purposes:
● A system for portable, high-fidelity data which enables a more decentralised and user-centric approach
to solving business problems
An exciting new tool in the tool box!

@james_monaghan
SSI building blocks
Decentralised identifiers (DIDs)
● Unique identifiers which users create and control without relying on a central
authority
Verifiable credentials (VCs)
● Digital documents which can be verified without requiring access to the
underlying data
Trust task protocols
● Frameworks for interacting with and about claims and credentials

@james_monaghan
SSI superpower
Fundamentally different (more natural?)
way to think about interactions between
systems and people:
Recipients can instantly and
independently verify the source,
integrity, validity and ownership of a
proof about a claim they receive
directly from the subject
Source: ToIP Foundation

@james_monaghan
Benefits

@james_monaghan
Benefits
What is enabled, who benefits, and how:
● Portability
● Authenticity
● Composability
● Privacy
● Control
● Security
● Interoperability
Not all benefits matter in all cases
These are not the same as Cameron’s 7 Laws or Allen’s 10 Principles

@james_monaghan
Portability
Move data between contexts via the
user
For businesses:
● Avoid the complexity of a mesh of API
integrations
● No need for a costly and limiting hub
architecture
For users:
● More natural and flexible approach to
proving things
● Maximum leverage for every
credential
Context A Context B
User

@james_monaghan
Authenticity
Proofs are cryptographically verifiable
● Source (who made the claim)
● Integrity (claim hasn’t been tampered with)
● Validity (claim hasn’t been revoked)
● Ownership (proof is presented by the
legitimate owner)
For businesses:
● If you trust the issuer, you can trust the data
(no matter how you got it)
For users:
● Easier to prove what is needed without
repetition or over-sharing
Source: ToIP Foundation

@james_monaghan
Composability
Proofs can combine claims from multiple
credentials
For businesses:
● Access to wider universe of data and use
cases than any single ecosystem
● Issuers only have to be experts in their
own domain (don’t have to design the
whole system)
For users:
● More natural and flexible approach to
proving things
● Maximum leverage for every credential
Passport
First Name
Last Name
Date of Birth
Gender
Citizenship
Date of Issuance
Date of Expiration
Endorsements
Rental
Agreement
Full Name
Address
Start Date
End Date
Monthly Rent
University
Degree
First Name
Last Name
Issuing University
Subject
Level
Grade
Date of Graduation
Job
Application
First Name
Last Name
Date of Birth
Address
Issuing University
Subject
Level
Grade

@james_monaghan
Privacy
Prove only what is required
● Selective disclosure of claims
● Non-correlation between presentations
● Zero-knowledge proofs
For businesses:
● Only collect (and be responsible for)
data that is strictly necessary
For users:
● Prevent unwanted surveillance
Passport
First Name
Last Name
Date of Birth
Gender
Citizenship
Date of Issuance
Date of Expiration
Endorsements
Proof of Age
Age is Over 18
User
Government Retailer
issues presents

@james_monaghan
Control
Users can choose what to share with
whom
For businesses:
● Enables more user-centric
information architecture
● Greater confidence relating to
consent
For users:
● Ability to give truly informed
consent (or withhold it)
✓ /
✗

@james_monaghan
Security
Data doesn’t have to live with the
issuer (and can reside with the user)
● Radically different attack surface
For businesses:
● Potentially reduced exposure to
liability from data breaches
For users:
● Potentially reduced exposure to
fraud from data breaches
Issuer
User User
User

@james_monaghan
Interoperability
Connect disparate systems using
standards
For businesses:
● Choice of vendors
● Access to wider universe of data and
use cases than any single ecosystem
For users:
● Choice of vendors
● Maximum leverage for every
credential

@james_monaghan
Challenges

@james_monaghan
Challenges
Important considerations when working with SSI:
● Immature standards and technology
● Fragile interoperability
● Blockchain taint
● New risks and harms

@james_monaghan
Immature standards and technology
DIDs
● W3C recommendation since 2022
● Over 330 registered methods, with different properties
● Examples: did:web, did:key, did:ion, did:sov
VCs
● W3C recommendation since 2019
● Multiple serialisation and signature schemes, with different properties
● Examples: JSON vs JSON-LD, RSA vs Ed25519 vs CL vs BBS+
Trust task protocols
● Different approaches from different communities
● Examples: CHAPI vs DIDComm + Hyperledger Aries vs OpenID4VC
Not all benefits are available in all implementations

@james_monaghan
Fragile interoperability
A dynamic and growing ecosystem of:
● New standards
● Multiple implementations
● Explosion of new vendors
Means that for now there is:
● Somewhat limited technical interoperability
● Severely limited practical interoperability
Expecting full interoperability at this stage is premature
FRAGILE

@james_monaghan
Blockchain taint
Nothing about SSI requires the use of blockchain, but…
● Several (by no means all) DID methods do use a blockchain or DLT
● Say “self-sovereign” or “decentralised”, people think “blockchain”
● Web3 is explicitly blockchain-centric
Many businesses can’t or won’t touch anything associated with blockchain, due to:
● Regulatory concerns (securities laws, privacy laws)
● Unfavourable associations (environmental damage, pump-and-dump scams)
● Complexity of the technology
Exercise caution when positioning SSI solutions for your audience

@james_monaghan
New risks and harms
SSI represents a major yet poorly understood change in how we view, manage
and interact with human identity
It may introduce a range of potential harms:
● Political
● Economic
● Social
● Technological
● Environmental
● Legal
Explored in more detail by Hickman et al, Sheldrake and others

@james_monaghan
Tactics

@james_monaghan
Tactics
Practical tips for the SSI PM:
● Identify the user problem
● Prioritise the most relevant benefits
● Map the ecosystem
● Pick your poison
● Test, iterate and evolve
Illustrated with a simplified real-world example (health worker staff passport)

@james_monaghan
Identify the user problem
Clearly articulate the problem you are trying to solve
● All good product management starts here
● Especially relevant when thinking about user-centric solutions
Look for signs that SSI might apply:
● Inherently fragmented or decentralised environment
● Entities have mutual trust but no means to exchange data

@james_monaghan
Example: health worker staff passport
Problem:
● Doctors in the UK waste 100,000 clinical days per year waiting for approval to
practice at a new location
● Identity, qualifications, training, work history must all be verified manually before
every placement
Signs that SSI might apply:
✓ Inherently fragmented or decentralised environment
○ Over 1 million staff working in over 200 NHS trusts
○ High degree of mobility (clinical training rotation, locum shifts, etc)
✓ Entities have mutual trust but no means to exchange data
○ Same standards apply across the NHS
○ No central HR system exists

@james_monaghan
Prioritise the most relevant benefits
Propose a solution
Evaluate which potential benefits are relevant
Focus on the benefits which are most central to the value proposition
Be willing to discard SSI if the benefits are questionable

@james_monaghan
Proposed solution:
● Workers get a digital wallet with credentials for identity, qualifications, training, work history
● NHS trusts (and later, other relevant bodies) can issue and verify these credentials
Relevant benefits:
✓ Portability the main benefit, allowing trusts to rely on each other’s records
✓ Authenticity absolutely critical given the trust placed in health workers
− Composability highly beneficial but not essential
✗ Privacy always preferable, but not essential for a workplace application
− Control beneficial, allowing the shift of admin workflows to the user
✗ Security not meaningfully improved in this case
✓ Interoperability important, as a choice of vendors drives competitive pricing

@james_monaghan
Map the ecosystem
A visual framework for working through key questions:
● What are the actors and credential flows
● What data is needed
● Where data can be obtained from
● How do users interact with the system
● How is trust established

@james_monaghan
Ecosystem map template
Issuers Verifiers
Holders
Conveners
Credentials Presentations

@james_monaghan
Information and trust flows
Issuers Verifiers
Holders
Conveners
issue to
to present
trust trust

@james_monaghan
Order of completion
Issuers Verifiers
Holders
Conveners
4 2
3
5
1
6

@james_monaghan
Questions to answer
Issuers
Who issues credentials?
How do they verify
users?
Verifiers
Who requires proof?
How can they get it?
Who do they trust?
Holders
Who is the user?
How do they receive
credentials?
How do they present
proofs?
Conveners
Who do the actors trust?
How are incentives
aligned?
What regulations apply?
Credentials
What credentials are
available?
Presentations
What proof is required?

@james_monaghan
Issuers Verifiers
Holders
Conveners
Health Worker
Hospital HR
Right to Work
1. Hospital HR needs to
verify Right to Work
from a Health Worker

@james_monaghan
Issuers Verifiers
Holders
Conveners
Identity
Qualifications
Training
Health Worker
Hospital HR Hospital HR
Right to Work
NHS
2. Hospital HR can issue
Identity, Qualifications,
and Training credentials

@james_monaghan
Issuers Verifiers
Holders
Conveners
Identity
Qualifications
Training
Health Worker
IDV Provider
University
Training Provider
Hospital HR
Right to Work
NHS
GMC
3. In future, IDV Provider,
University and Training
Provider can be issuers

@james_monaghan
Issuers Verifiers
Holders
Conveners
Identity
Qualifications
Training
IT Access
Health Worker
Hospital IT
IDV Provider
University
Training Provider
Hospital HR
Right to Work
NHS
Hospital IT
Right to Login
GMC
4. Adding the Right to
Login to Hospital IT
systems

@james_monaghan
Issuers Verifiers
Holders
Conveners
Identity
Name
Date of Birth
Photograph
Qualifications
Date
Subject
Level
Grade
Training
Date
Type of Training
Valid Until
IT Access
System
Type of Access
Valid Until
Health Worker
Hospital IT
IDV Provider
University
Training Provider
Hospital HR
Right to Work
Name
Photograph
Has Medical Qualification?
Has Required Training?
NHS
Hospital IT
Right to Login
Has Access to System?
Within Validity Period?
GMC
5. Add the attribute-level
detail of credentials and
presentations

@james_monaghan
Follow-up questions
After mapping, it is easier to contemplate:
● What integration points exist
● What standards are required
● Who needs to trust each other
● What blockers exist (gatekeepers, regulations)

@james_monaghan
Pick your poison
Technology family
● Choices driven by desired benefits
Build vs buy
● How much control do you need
● How much expertise do you have
Approach to custody
● How self-sovereign should the solution be
● How much responsibility is it reasonable to give the user
Trust network
● Join one or create your own

@james_monaghan
Test, iterate, evolve
Start with minimum viable ecosystem
● Small number of actors
● Adaptive governance
Consider progressive decentralisation
Learn from real user behaviour

@james_monaghan
Product Management for SSI Practitioners

@james_monaghan
The role of the PM
Your #1 job is to advocate for the user
You also have to:
● Write great requirements
● Craft a compelling roadmap
● Manage engineering priorities
● Develop a credible go-to-market plan
● Champion a learning culture
And if SSI-enabled solutions help solve user problems, then great

@james_monaghan
Nobody wants SSI
Some hard truths:
● SSI is not a “thing” you can give to a user
● Most stakeholders are unaware of SSI
● SSI is not an end unto itself
● If you’re teaching, you’re losing
The benefits should stand on their own merits

@james_monaghan
Prioritisation is everything
Start with the user problem
Then the solution and value proposition
Then the relevant benefits of SSI
Plan for evolution rather than a “big bang”
The “chicken and egg” problem is a myth

@james_monaghan
Don’t reinvent the wheel
Source: xkcd

@james_monaghan
Don’t forget the business model
Consider who receives the value
Useability and privacy tradeoffs
Beware adverse incentives

@james_monaghan
Conclusion

@james_monaghan
Conclusion
Portable, high-fidelity data is a powerful new tool in the toolbox
Hopefully these tips will help more PMs apply SSI with confidence

@james_monaghan
Thank You
James Monaghan
@james_monaghan

Copyright @AlexPreukschat
www.IdentityBook.info
@IdentityBookHQ
www.SSIMeetup.org
@SSIMeetup
@AlexPreukschat

Building SSI Products: A Guide for Product Managers

More Related Content

Similar to Building SSI Products: A Guide for Product Managers

More from SSIMeetup

Recently uploaded

Building SSI Products: A Guide for Product Managers