One of my favourite client projects (Verifiable Organization Network) was demonstrated at last month’s Rebooting the Web of Trust conference in Santa Barbara. John Jordan runs an incredible project out of the Office of the CIO for British Columbia. I play a minor role providing executive leadership and advising. John nailed the presentation.

Some key timeline points:

  • ~20:30 John demonstrates creating a new corporation.
    • A Verifiable Credential is created for the Corporation
    • that credential is then shared to a different service – to get a Clearance Letter from WorksafeBC, whi
    • ZKP that Worksafe Clearance Letter – if it didn’t exist
  • ~22:00 John explains that a Sales Tax registration applicaiton is made by sharing the corporate registration AND a zero-knowledge proof that a current Clearance Letter exists. Neither of these systems need to be directly integrated, which is normally high cost. They just need to support the JSON-based verifiable credential format (which is still being hammered out at W3C but it is gelling nicely).
    • the idea of a multi-service workflow is incredibly powerful and really needs to be tried out to fully understood. Instead of massive integration efforts (API work, getting permission to connect, dealing with inevitable changes in endpoints, etc.) you focus on supporting the JSON that will be either received or generated (or both).
    • You can reach out to verify each and every piece of data received, and that verification follows the same pattern.

Here are a couple of key things to consider:

First, the Verifiable Credentials here are real, though we’re using it in a demonstration stage – and they change how integration can happen. Instead of each system – 13 Province + Territory registries, 1 Federal registry, and the Verified Supplier list at the Federal level – requiring to directly attach to each other via systems integration – they just share a bit of data. The JSON that John mentions is pretty simple really.

Second, connecting systems is HARD and you will NOT do this kind of integration unless you absolutely MUST.

  • If you need to reach deeply into another system – you need to understand their API, how they represent data and the events that change those data, and their unique security approaches. Even the largest organizations will only integrate tightly with their most crucial partners. It is simply too expensive and gets exponentially harder as you add more players as each is slightly different.

BUT – if all you need to do is know what format data will be received in and how to verify it came from the right authority, you have repeatable and simple integration. You focus on different things:

  • What schemas (types of Verifiable Credentials) will you support reading from and writing to?
  • Where do you get the list of authoritative sources – that you then verify the credentials against when you use them.

That is far, far simpler and scales sub-linearly – a massive shift.