I’m working with a few Canadian leaders on an extensive report describing the current state of Digital Wallets, particularly digital wallets that are more about identity and credentials – as opposed to crypto wallets. One clear concept is that we must consider how Digital Wallet apps are created and validated as “safe for use.” That’s where Bubba’s Wallet comes in.
We pretty much agree that a Digital Wallet is going to be in our future. Capabilities will range wildly, and we will likely have a combination of different agents that do things for us. But who will make that wallet? How do we know that we can trust it?
What about Bubba’s Wallet?
The short answer is maybe…
We need to figure out how to sign an app (Bubba’s Wallet) digitally – so we know that when we run it, we aren’t running a hacked version.
Digital signatures of an app are acceptable for general use. But a Digital Wallet will need a lot more behind it than “I, the developer of this beast, used my app store key to submit it.” That developer could very easily be monitoring inputs and outputs for nefarious reasons. We need assurance that the application hasn’t been tampered with and doesn’t do bad things with our information.
Certifying Bubba’s Wallet
But how do we do that? That’s where things potentially get ugly. We need to get into some pretty hard-core certification and accreditation. Some trusted third party needs to run through the application and make sure, to some high level, that it isn’t doing nefarious (or stupid) things. That’s going to cost money – a fair bit.
Is that fair, though? Is it fair to ask Bubba, the masterful developer of Bubba’s Wallet, to pay a third party $5,000 to certify his application? What if the amount is $50,000? $250,000? Higher?
Regardless of the cost, there will be some kind of certification regime – a “certified by ____” logo that needs to go beyond the cosmetics. It will need to provide real-time “not tampered with” certification. Many areas need more thought:
- Is there a way to tie Bubba’s Wallet into a smartphone’s trusted execution environment to generate this “not tampered with” certification?
- Who are the players that can help get this kind of real-time certification done? It’s likely the operating system, hardware manufacturers, and telcos.
- When does the cost of certification get high enough to stifle the innovation we need in the Digital Wallet community?
- What organizations should be doing the certification? Do they need government approval? aaggghhh – government approval in a decentralized world?
I am shocked that I wrote that! 😀
Definitely some things to think about here.
Also published on Medium.