I’m working with a few Canadian leaders on a large report that is aimed at describing the current state of Digital Wallets, particularly wallets that are more about digital identity and credentials – as opposed to crypto wallets.  One concept that is clear is that we need to consider how Digital Wallet apps are created and validated as “safe for use”. That’s where Bubba’s Wallet comes in.



We pretty much agree that a Digital Wallet is going to be in our future.

Capabilities will range wildly and we will likely have a combination of different agents that do things for us.

But who will make that wallet? How do we know that we can trust it?

What about Bubba’s Wallet?

Imagine that Bubba’s Wallet is ranked #1 in the app store. Can you trust it?

The short answer is maybe.

We need to figure out how to digitally sign an app (Bubba’s Wallet) – so we know that when we run it, we aren’t running a hacked version.

Digital signatures of an app are fine for general use. But a Digital Wallet is going to need a lot more behind it than “I, the developer of this beast, used my app store key to submit it.” That developer could very easily be monitoring inputs and outputs for nefarious reasons. We need assurance that the application hasn’t been tampered with and doesn’t do bad things with our information.

Certifying Bubba’s Wallet

But how do we do that? That’s where things potentially get ugly. We need to get into some pretty hard-core certification and accreditation. Some trusted third party needs to run through the application and make sure, to some high level, that it isn’t doing nefarious (or stupid) things. That’s going to cost money – a fair bit.

Is that fair though? Is it fair to ask Bubba, the masterful developer of Bubba’s Wallet, to pay a third party $5,000 to certify his application? What if the amount is $50,000? $250,000? Higher?

Regardless of the cost, there will be some kind of certification regime – a “certified by ____” logo that needs to go beyond the cosmetics. It will need to provide real-time “not tampered with” certification. There are many areas that require thinking:

  • Is there a way to tie Bubba’s Wallet into a smartphone’s trusted execution environment to generate this “not tampered with” certification?
  • Who are the players that can help get this kind of real-time certification done? It’s likely the operating system, hardware manufacturers, and telcos.
  • When does the cost of certification get high enough that we stifle the innovation that we need in the Digital Wallet community?
  • What organizations should be doing the certification? Do they need government approval? aaggghhh – government approval in a decentralized world? I am aghast that I wrote that! 😀

Definitely some things to think about here.

 


Also published on Medium.