This is identity at the center. If it has anything to do with IAM, this is the go to podcast now your hosts Jim McDonald and Jeff Stedman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Good. I feel like my my voice is a little hoarse. I just got done presenting a executive read out of IGA road Map. And yeah, jump right over to do the podcast because the show must go on.
You talked for almost an hour straight. I think I clocked at 1.15 minutes without like a break at all, so yeah. Yeah. But there was, there were points where I was like, does anybody have any questions? And of course nobody had any questions. I was like, OK, I'll talk for another 10 minutes straight. Yeah. So when that happens, I just say, yeah, I'm picturing roaring applause in my mind, and I just kind of go with that and just assume that everybody's loving what I'm saying.
Yeah, I know. Like this podcast? Yeah, exactly. Like you throw the podcast out there and the only way you know if people are listening is if they go and give you a five star rating or go and subscribe to YouTube channel. Are these subliminal hints working do you think? I hope so. I mean, those are cool. Or come up to us in conferences and things like that. That was Identiverse in New York
City last week. I think that was, I forget where I am this week, but I had somebody come up and ask me about that, which was kind of cool. It seems like for whatever reason, you're like the approachable one. Everyone comes up to you. And I don't know, maybe I just have like, you know, resting B face or something like that where nobody wants to come up. Why is where my I was wearing my fancy suit jacket, So I think people Los Angeles come up and say, whoa, that's a cool jacket.
Yeah, Hugh Hefner died and left you all his jackets, I feel like. Yeah, exactly. So we're starting some new things coming up here and before we get to our episode, we're actually going to get into blockchain identity and stuff like that. But before that, something that's coming up later this week that we're pretty excited to to share is we're starting a new series of kind of podcast episodes calling them Sponsor
Spotlight for now. Basically they're fully sponsored episodes that we've collaborated with different folks on and the idea is to have a less vendor neutral conversation. This podcast is generally we try to be as better neutral as possible, right? But sometimes we really want to get into like maybe a specific product or service or something like that. And this kind of I feel like gives us an opportunity. So it's extra content doesn't replace our existing content.
Does that make sense, Jim? Yeah, yeah, it makes sense to me. I mean, you know, honestly, I was thinking during that entire episode, like this feels like a normal episode. So I have a feeling the sponsor spotlights aren't going to feel that much different. I think our, you know, our listeners are the ones who benefit because it's just extra content.
There was a little bit more of like you know, we we always tried to stay very vendor neutral and we had, we had more leeway on the sponsored episodes. But actually I think that can be beneficial because if we're talking to talking to somebody from a sponsoring company and they can say like hey, this is how we solved that problem that just, you know, I don't know, I don't get offended by that. I think that's actually pretty interesting.
Yeah, I think it just, you know, like so we, we try to stay away from questions that would be like too salesy or too like too much of A commercial for folks. But these new episodes are not that. So I feel like like I kind of mentioned it in the one that we've already recorded like the shackles are off. It's like, hey, let's ask specific questions about this because that's the things that I
want to know. I think that's kind of the intent is like, OK, how does this actually work, you know, what does it take to do this sort of thing and get a little more detail around that versus just trying to be maybe abstract about it? I I kind of feel like the the folks who want to do the The Spotlight series, they want to be on the Identity at the Center podcast, right? They like the formula of what we do, which is education and
entertaining. And so I think folks, you know, our listeners, if you just go out there and listen to a Spotlight episode and give us your feedback, like, do you like it? What else would you like to see that'll help us, right? We, I mean just like this podcast in general. We started it and depended on the feedback because that tells what we're doing right and what was not so right. Yeah, we are constantly building this car while we're driving down the street.
And yeah, I think it'd be cool to get some feedback. So yeah, folks can check it out later this week. Probably going to drop these on Wednesday, Wednesdays or Thursdays, kind of kind of, you know, kind of off cycle from things, but curious to see what people think, you know, get us feedback, use LinkedIn. We've got the contact form on our website. We've got a new voicemail button that I've put on our website, idacpodcast.com.
So if you go to our contact page now, there's a little thing that you can do to send us like a 92nd audio clip. And then from that we'll use that on our show theoretically, depending on how we get. But I'm curious if you know people want to send something to us. We can test it out and see how that works, but that'd be a good way to maybe send some feedback. Now are you concerned at all? Because I know we've always had to contact us link where somebody could type something in.
And it feels like in the past month or two since we really went crazy with getting all of our content up to YouTube, I'm getting a bunch of contact information from people who want to market our YouTube site and get us as many more subscribers. And it's like it's not about the number, it's about getting the
information out there. So we have like 500 subscribers, but it's people who really are loyal to the podcast wanting, you know, there's the practitioners of the world as we like to say, I don't care like, so there's marketing things are, you know, 0 value to me, but I kind of look at them like spam. Well, you're getting them because you didn't used to get them before. They would all come to me and I'd be like, Nope, Nope, Nope, Nope. So I was acting as a filter, but no longer.
Now we both came at the same time. Oh, thank you very much then, Yeah. It's me. e-mail infrastructure changes behind the scenes so that I wouldn't be a bottleneck so much. But yeah, you're seeing a lot more of the the stuff that I would normally just filter out and be like, yeah, I don't need to help building our YouTube channel. Like that's not what this is about. You know what else has been cool?
I've seen a couple of posts where people are taking these Spotify videos that have been put out. So Ian Sing, you know, he's a, he's been a loyal listener to the podcast for a long time. Apparently we're his number one podcast. I mean, that's I I. Love Ian. Thank you. Thank you so much, Ian, But that is so sad. Can anyone pick an identity podcast as their number one podcast? Oh yeah. Flattered. That's very cool. I saw the same push you're talking about.
Is this the the Spotify unwrapped basically for like podcasts? So that's. Yeah, that's right. Yeah. And I actually got a link sent to me from Spotify that, you know, there are a lot of people where we're either their top podcast or their top three podcast. So I feel really good about that because again, we kind of started this as like we were calling it pirate radio, where it's like we get 25 downloads and know who those 25 were.
That was over four years ago, 4 1/2 years ago, something like that. Now we're at episode. 200 and. 50X Is it 250 on the button? 250 on the dot. Yep. We should have done something special. Well, we did do something special. We did do something special. We're getting into a content that you and I, I think have had interest in. I am a skeptic on this, so we're going to get into it in a second.
The other thing that you mentioned about Spotify was I started adding like polls and like questions to it. So this is just something Spotify allows us to do. Can't really do it on any other platforms. So if you're not a Spotify user or listener of podcasts and it's really kind of, you'll have to check it out there. But people have started to answer questions, leave comments
and stuff like that. And Sean O posted a comment on episode 245, which I think was, I think that was Dave Middleton, where we're talking with him and he really loved to show you. So it was awesome. Can't wait to check out more, which is very cool, 'cause it's like, hey, we're, you know, still reaching new people. Yeah, absolutely. Yeah. And you know what I also think is like, people who listen to podcasts or people who have been our guests, like, wind up becoming our friends too.
Like, you see these folks in person, maybe for the first time. You're just like, awesome. You really can connect. You just mentioned Dave Middleton. He was texting with me over the weekend because all the College Football Playoff games are happening and I'm a Georgia Bulldogs fan and it our weekend didn't go so great, so. I I have no idea what happened because I don't care. Oh, he sent his condolences to me, so I thought that was cool. Well, he's a nice.
Guy, fortunately. Fortunately for him. Singing voice too. And he does. He does have a good singing voice. Should we get into our main topic today? I think it's time. He's been making Face at a Faces at Us the whole time here on our recording studio. We said we were going to do something. Especially he's like, what I'm here. Why don't we get into it? Because we really kind of. I'm thinking about the title here. It'll be kind of demystifying blockchain and identity.
Definitely not cryptocurrency. That's not where this is going to go. But let me introduce you to the show, Jay Shulman. He's a principal and lead for the blockchain and digital assets practice at RSM US1 of our colleagues. Welcome to the show, Jay. I couldn't be more privileged of being Guest 250, so thank you for for picking me for this for this occasion. Yeah, high praise for sure. We appreciate you coming on
here. And I kind of let off the fact that I feel like I'm a little bit of a skeptic. Not a little bit. I am a skeptic of blockchain and identity. We're going to talk about that. But first time on the show we always like to find out about background. We were kind of talking before we hit the record button and say, OK, well, you know, how did you get into the space of blockchain or identity or security or what are you like, what? What space are you like? How do you feel?
I'm old. I feel very, very old as I think about that introduction. So 20 something years ago I started focusing on information security. I think like Dave Middleton said before it was even a thing my parents asked me when I took my first infosec job is that that's a full time job, which is amazing when you think about it. Today, 10 years later, around 2010, I got into Identity and I, before we hit the record button, you know what we were talking
about how that that happened. And I've always and the theme I think you'll hear throughout this is I've always tried to go where other people aren't. And it's really fascinating when you think about where Identity was in 2010, 'cause you'd say, well, Jay, that's that. It was a thing back then and it was, it was amazing to hear about you. You guys just presenting an IGAI, don't I don't we definitely call it governance at that point, but I'm not sure IGA
had been a moniker yet. I think about sale point was was just governance, Vexa was out there Tim and Tam you want to think about what UCTA looked like in 2010 versus what it
looks like today. It is it's amazing to me while I have have left the identity space momentarily probably it's it's been amazing to watch what 10 years of innovation have done in the space and and I'm certainly proud of what I did back in 2010, 2011, 20/12/2013 but it it's it's just it's so cool to look back on that and so so I went back.
I actually focused on another area of security application security spent a ton of time there and I did a project back in early 2017 at an incredibly old financial services company that was implementing blockchain. And I'll, I'll be honest, I was skeptical then too. I was I I was not born and bred for this and we'll go into the details of it. So I don't want to preface that part. But I looked at the tech and we'll talk about what the tech is and why I think it's
legitimate. But I I didn't think this was going to become of anything. And doing that project at the Super old financial services company really showed me that there's value and that this was going to be a thing. And you know, we all, we all work together. Somebody at the company called me up and said, you know, is it, is this really a thing? Is this what you want to do? Think so. And they're like, all right,
you're in charge. And and here I am today and I, I, I love it. But I also think that 10 years from now will kind of laugh that there was a blockchain guy, 'cause I think you think back to 2000 and there's probably a person in charge of the Internet, you know, oh, I run our Internet practice. I just, you know, that doesn't exist today. And I don't, I don't think blockchain will be a thing in 10 years either.
But I'm super excited to kind of get into it because I bet you're not the only skeptical person or people out there. And so hopefully you can represent all the skeptics as we go through it today. I'm. Going to do my best and you say in charge of the Internet. I immediately go to the IT crowd and Moss and Roy pulling out the little black box for Jen like this. Jen is the Internet and they're and she's carrying it around with such reverence and things like that.
You know, I see, you know, maybe that's blockchain in the future. I don't know, you know, for the, for the, for the real geeks. So when I say I'm a skeptic, I feel like it's not because a technology skeptic more of a, it seems like a really good solution in search of a problem. And I've been hearing and seeing about this for at least five years now. I remember seeing you at a conference several years ago. I was like, oh, that's interesting.
Yeah, OK. You know, five years later, one of the questions that I had recently in our Spotify poll was, have you set up a decentralized identity yet? Nobody has. So I think it's maybe still in that, you know, early adopter maybe stage of things, but maybe we can get into that. But I don't want to lose people right away. So let's talk a little bit about blockchain itself. What is it? Can you kind of help me understand the identity components, especially of the blockchain?
Absolutely. And I'm for anybody who is actually super deep in blockchain, listening to this, this discussion is going to be hogwash to you. I'm actually going to try to think about this from an
identity perspective. So somebody who is somewhere in their identity career and how they might think about blockchain and and it's kind of how I went and looked at it maybe in 20/15/2016 and said I I thought this was some dude in his basement who wrote all kinds of homegrown encryption code and it was going to be, you know, a hot mess. What I found was something really similar to way the Internet works. It is really based on asymmetric encryption, public and private key pairs.
And so when we think about the blockchain it really represents well first it's immutable. I didn't in 2017 I I completely asked. I'm not sure I knew what the word immutable meant, so I looked it up. ChatGPT didn't exist so I couldn't quickly ask that. And it's a right ones technology and I think that is actually the use case. How much time do we spend as security professionals, as identity professionals, as investigators, making sure that the data that we have hasn't
been changed? And so we have this technology that you can only write once. How do you do that instead of having a single repository? And I'll tell you, this is the absolute worst database in the entire world, hands down. It is slow. It is written to text files like it's not even, it's not even a real database. It is everything that you would hate about database technology
is how block chains work. But because it's slow is what gives IT security and immutability and that's the way it is built as a feature, not a bug. And so we have this, this copy that's spread all around the world. Bitcoin is the biggest block chain. Again, we're not talking about cryptocurrency here today, but just quick example is there's 11,000 nodes, 11,000 copies, full copies of the Bitcoin blockchain spread all around the world.
So as we think about data and data integrity, we're not talking about hot and cold backups and things like that. We're talking about this idea that 10,000 people are keeping copies of the same data that I have and we're comparing them to each other and that is really valuable. And so when we're talking about how the functions work, I, as the user of the blockchain hold a private key.
There is a public key representation that sits on the blockchain and kind of what's different and and we can go into some analogies to other security things. But I think what's different is it's not just recording that my public key, it can actually record other other things about me and certainly cryptocurrency that I hold. Bitcoin as an example, could be one of those things.
But more importantly, any kind of metadata that you want, you can go record to a blockchain, whether that's a log, whether that's what my name is or that some event happened, I went and climbed to Mount Everest and I reached the top and we're going to, we're going to memorialize that on a blockchain. There's a lot of really interesting use cases that I think we'll dive into, but that's a pretty simple example of it. It it is exactly if you've ever worked in client side certificates.
I hold the client side certificate on my side of the blockchain and the biggest difference here and I throughout my career, public key infrastructure was always something that clients inquired on is it doesn't it?
It's a pain to make PKI work at scale, and I think the user interface in blockchain is horrible today, but there's so many people developing really high quality user interfaces in this perspective that I really think that will get to the point where blockchain might be described as public key infrastructure at scale. Does that make sense?
Yeah, that's pretty interesting. So you brought up this immutable Ledger and to me that it's something I always hear about the blockchain with the identity management conversation. And you said there's a lot of good use cases and probably there's some use cases that aren't so good. But I I guess like I hear about this immutable Ledger as an I am practitioner, like what does that mean to me? Where where can I see that becoming A use case that actually can wrap my arms around?
I think a lot of people, I mean some of the early examples I had where they unplugged their database and plugged the blockchain and then they're like Jay, it doesn't work. I was like, no, that would be horrible to do. And I've also heard the example of, well, gosh, I could take all my log files and I could go write them to a blockchain. Wouldn't that make sense? And I don't, I don't think so. Again, let's think about it for a second.
This is incredibly slow. The sole purpose is immutability when we think about all the data in the world. I mean, I think the problem we have from a data perspective today is so much of it is throwaway. Where I think the use case is, let's narrow down to two things, really important data. So I think about it from a financial transaction perspective. Do you care about all of the, you know, one and two dollar transactions that you have in your bank account?
Not really. But do I care that I paid my mortgage or that my pay my car payment or some of these really important payments? Absolutely. So take that to a corporate perspective and you can see where they may have a million transactions, but they're only writing like hundreds of the blockchain. And I think that's my mindset. So we're thinking about identity. We're not writing every login and logout. We're not writing all these things. Are we writing a password change? Maybe.
Are we writing a privileged access, successful login? That's that feels right to me. And there's some of these markers that I think that do make sense in this space and and that's that's how I think of it. I think one of the reasons that we see a lot of failed projects and I I think we saw these in identity too, is you're trying to do too much. If we just got these things smaller and simpler, we find a
lot more success. Just wondering if, you know, we've had folks on the show talk about decentralized identity and self sovereign identity. And I think one of the biggest actors in that where that use case makes sense is government agencies where they can issue a credential. And not just government agencies, but anywhere that you're not kind of your typical corporate IDP environment where you change passwords and things like that. But let's take the digital driver's license for example.
Seems to me like the blockchain could play a valuable role in that. What are your thoughts there? I think there's a lot of interesting use cases like that, but I also think that there's a role. While governments is a great example, I think there's a role for a corporation as well. So we we all, at least personally, I I want to be done with Social Security numbers. I actually want to be done with passwords too, if we're going to go argue about that. But how do I, how do I actually
know who I am? Isn't a bank a great entity to go validate who I am? They've already done a ton of know Your customer elements. They know everything. They would know far too much about me. Can't they attest on the blockchain to who I am? That allows, yes, governments to rely upon that too. But wouldn't it be nice to have a whole suite of corporations to rely on it? I think the different, yeah, you could do this today. You know the question.
I'm sure the skeptics would say I could do that in a database. Like, that's nothing new here. I think it's the transparency that a blockchain gives that allows you to see a whole lot of what's going on. That gives you the comfort that when your bank goes and attest to these things that it's something that I can rely upon and that that I think you have trouble doing that with the database. So when you say the blockchain, is that a lowercase the OR an
uppercase the? Because this is one of the areas where I'm not sure how this is supposed to work, because you mentioned that, you know, banks had it. What about population of people who are unbanked? You know, we say, well, the government blockchain, OK, well, at least in the US, 50% of the population immediately is going to not want to use that regardless of whoever's in charge, right? That kind of thing. So the blockchain means, who's blockchain? Is it? Multiple blockchains?
Is it really one blockchain to kind of rule them all? How do you see this working? I think there are multiple block chains. I think there are going to be multiple public block chains. So block chains that you don't need permissions to access. You can everybody can just go in and use them at will and they'll be multiple private block chains. So a group of companies get together to collaborate around some particular idea and the only way that you can write to that block chain is with
specific access permissions. So it's definitely a lower case. T and I you know it, I think I compare this to the Internet a lot because I think we see the same type of disruptive technology coming to fruition. And if we go back to when I started my career way, way back, I didn't you, you can't see that I don't have any hair, but if you look me up, I don't have any hair. I didn't have any hair back then
either. A lot of of websites failed, right, that they got billion dollar valuations and they crashed and burned. So are there going to be block chains that grow huge and crash and burn? Absolutely. Are there going to be ideas that start off looking really successful and fail?
Absolutely. But there's also going to be ideas that kind of chug along for a while and then you realize that they work really well and they will become the next, you know, whatever brand name Internet company we want to quote right now. So what happens when a block chain fails? If I've been using that as my decentralized identity source or my, you know, way to verify some sort of credential or something like that, right? If it fails, well, now what? The data's gone with it?
How do I can I save it? Do I have to start over on a different blockchain? So you probably need to start over on a different blockchain. That I mean and this is super complicated technical question, but that is one of the big considerations of building on top of these platforms is what what's the long term probability. And so you do see some centralization around a number of very big platforms because of that exact purpose.
But I I think that's a short term, a short term thing that over time we will see that becoming less of a concern because we can just we know which ones are going to be successful and which ones are not. I'd argue it's the exact same thing when you go pick an identity tool or a governance tool or or any of these tools is well what happens if they go out of business. I got to go rip it out and put something new in. And so I I don't think that the issue is that much different.
It's probably a lot more impactful though to your end user, whereas you have a a tough weekend of transitioning from one platform to another is a little different than ripping out, you know, your your decentralized identity. I guess the closest thing that I can probably liken this to would be like switching password managers, except without maybe the benefit of being able to export and then import, right? Trying to go to each website and then figure out whatever
credential I had, I don't know. I mean, I think I'm speculating here what happens, I guess. Is this something where organizations should be creating their own blockchain? Like if I want to start one, how would I do that? Or maybe this isn't something like a normal organization should be. Maybe it's like you said, something's either finance related or maybe civic or government or maybe education. Like do you see, like any company, just name one starting their own blockchain for their
own. Purposes. A lot of companies have started their own blockchain for their own purposes I think, and I can answer the question a little bit differently, whether we're talking about companies or whether we're talking about individuals, I think everybody should be experimenting and understanding how this technology works. I don't think you should run out and go implement this and and be a decentralized identity guru tomorrow. I think that would be a a
horrible mistake. But I do think that it's really important to understand how a blockchain works, how it might be applicable in the identity space and and play with it. And you can play with it in a public way and I can give some examples of how to do that. Or you can spin one up in a private way too. And all the major cloud providers have a pretty easy template to go spin up a
blockchain. Not to say that that's inexpensive for a personal person to do it, but there's a lot of ways to easily play with this stuff and I think that that is the most important thing. That's what's going to prevent you from making the big long term mistakes and you just become educated on it and you'll start to see the use cases yourself. I'm pretty confident in that. So what? How do I get started with this? I guess what are the building blocks here associated with if I
do want to experiment? You mentioned templates, but can you talk a little bit about like what's what does it mean to set up a blockchain? So I think the the 1st place I would go to really quickly understand how this works, Ethereum is what is the second largest blockchain to to Bitcoin and Ethereum is much more like a decentralized cloud computing platform than anything else. And so you can run little programs on there and it's quite powerful.
They have something called login with Ethereum and that is the answer to password less logins or decentralized identity. There's probably a bunch of different ways that we could describe it and none of them would do it justice. The idea there is again, if we go back to that basic definition I started off with, I hold the private key, the public key key is on the blockchain. I can go log into a website, present my private key and public key pair.
Obviously I'm not giving my private key away. Just for those who think I misspoke and and go log into a website, there is a full documentation suite. It's obviously all open source code. You can really look at not only how to do it yourself, but how a bunch of companies are using that technology and then you're
off to the races. You can go implement that not, you know, full production corporate world, but you can go implement that in a dev environment pretty easily yourself on a private blockchain. You can go experiment with your own website and having people log in that way on your own website.
There's a whole lot of different things and I think that's the best place to get started and thinking about it and that I I think that's it's really well documented and there's a great community behind it if you have technical questions and things like that, to go try to figure this stuff out. All right, I've got a couple questions here. The 1st is, I guess you mentioned Etherium is and then
you've got blockchain. And I know there's a whole bunch of other things out there and I don't want to equivocate this with like cryptocurrency, right? But there's like Dogecoin and a whole bunch of other things. Is there a benefit or drawback to some of these blockchain styles?
I guess I don't know if that's the right word or not for identity, like is yeah, if you're going to do something identity like a theory miss the one to use, or if you're going to do identity, you know whatever other template or style is the one that's probably the best fit. Or are there different styles of blockchains that that maybe lend itself better to different types of identity use cases?
I'm going to try not to get too complicated or technical here with the answer, but Ethereum has been copied a ton of times. And so that mini decentralized computer is actually called the Ethereum Virtual Machine or it's abbreviated a lot EVM. And so a lot of block chains are built on top of EVM Etherium virtual machine, which means they're actually all completely
compatible with each other. So if you build login with Etherium, you can actually reuse a lot of that technology to log into or to use that to use a different blockchain because they are EVM compatible. There's probably a lot I could go into and get more detail there, but wait, let's let's leave it at that. So by building on top of that style blockchain, it really allows you to extend the possibilities. Absolutely, each block chain is
going to be different. And I think over time, what we're going to find is block chains will have maybe not a singular purpose, but a really small number of purposes. And so, do I think there's going to be an identity block chain in the future? Absolutely. Do I know which one it's going to be today? So that you guys could all run out and figure that out.
They don't. And I anybody who says that they do, I mean there's some theories on which one's going to be the the media or video and music and things like that are stored. I'm not sure which one is going to be for that either. So it's it's again, I think you're yeah, you put it correctly. We're still in the early adopter phase and we have to kind of figure this stuff out. Who benefits from controlling the blockchain?
So if I am setting up AI, don't know if I'm one of these companies, maybe that specializes in blockchain and I decide, hey I'm going to create this thing that does X, what benefit is to me to own? I don't think you can really own the blockchain, but maybe there is some component of it. But who benefits from being the owner of a blockchain? The end user, and I think that is the hard part for a lot of different stakeholders to, to get their head around.
So today we have a lot of centralized data and we have a lot of security breaches and we have, you know, a whole bunch of issues all around that. And the whole idea of implementing A blockchain is, is changing the paradigm away from the centralized data store and pushing it out to where each individual owner owns their data.
As I say this, for those of you who have spent time in PKI, you're going to say that's great Jay, but but the end user is going to go lose their private key and then all their data is lost to. And I think that that is in fact where we need to get to. That's the gap of where we sit today. And what the feature looks like is not only the user interface and the tooling to make it work, but it's the IT. It's kind of understanding that process and making sure that the user is bought into it.
I'm there's absolutely an argument that most users don't want to own their own data. I think it. I'm not sure that that I fully believe that. I think given the choice, a lot of users would own that data if they had the right tools to hold on to it. And I, you know, I think about my less than technical mom. No offense, Mom. If you're listening to the podcast today, you know you have to you have to include them in the the, the use case here. And I think that's that's where
it gets hard, right? Mom needs to be able to to own their own data too. The end user's the benefit, I get that part of it, But what's in it for me as a entrepreneur in the space? How do I make money off this? Running a blockchain? Or is this a loss leader of some sort? Or is that really not a viable, I guess, strategy to build a business of creating blockchains and rely more on public funding or or something like that? I don't want to get too deep there.
There's a whole lot of different theories on the economics of it. I think most importantly, you need to have sound economics behind it. But there's a lot. You know that there's the old expression, If you're not paying for the product, you are the product. And that that's the paradigm that blockchain changes, which means it also changes the monetization model. And there's a lot of different companies trying a lot of different monetization models here.
Again, early adoption phase, I don't know exactly how this is going to work. The one that strikes me that's really interesting from that identity and the identity proofing model is if my bank is going to proof me and write that to a blockchain then I'm probably going to pay my bank to do that. And there are.
Then you can start to see where there's a whole lot of new services that pop up. Today when I go to on board with with a company they're paying the fee to proof me versus me paying the bank to proof me and then being able to use that all all over the place. That's the paradigm changing that I'm talking about and and yeah, that's that's I'm used to getting something for free that I now have to pay for. So I could see where that end user's like, wait, why, why do I
want to pay for this? But I also think that they'll see a ton less friction if I only have to do that once and I can reuse that proofing all over the place versus having to go reproof every single time. If potentially your next question is, well, why would a company want to do that? Less less expenses of having to do proofing. And from what I've seen for the past 1520 years, friction is still a huge factor in onboarding a new user. We got to keep that friction down.
And if I can rely on somebody else's proofing to to to reduce my friction, that's going to get more customers on my platform where I can then interact with them and and solve them or whatever the platform does. Yeah. I've mostly been listening here and learning a lot.
And it's interesting when I think Jeff was talking about, well, how would I get started, I was expecting you to maybe say hey go out and check out some of these services that Microsoft is starting to create like around the web 3 point O around Microsoft intra verified IDJ. I'm totally talking way out of
my element here. Can you even, you know, based on what I just said there, can you give us kind of a high level explanation of what those pieces are and whether or not that's something that people could get into to start, you know, using blockchain to build applications, maybe those are identity applications. I think that it's this is, this is that paradigm change is. I'm not going to go to the big cloud providers and go sign up for a service.
I absolutely can go spin up a blockchain over there. But if I'm going to go build, I'm probably going to build on something that already exists and almost everything in the space is open source. And and I want to remind you, if we go back to 1997 or 2000, a lot of the Internet was open source too. And that's that's where I find these similarities. And So what would I have
recommended in 1997? Go learn HTML, go set up a website and go play with this and try to see what you're going to do and you're going to build on top of open source. That's kind of the same thing I'd recommend somebody today. Logging log in with Ethereum is a great example of an open source construct that there's many possibilities that you'll
see when you get in there. And that's actually a a great place to start, even if your goal isn't identity because you'll see all the interconnections and you'll be able to find whatever it is that you ultimately want to build. But it this is bringing us back to our open source roots and I think that's hard to believe sometimes when you see a lot of commercial enterprises deep in this space. But the reality is, is that that it it's open source at it's at
its core. Jay, you mentioned you were old. Thanks, thanks for reminding me. Reminding you of that, no. But I've heard you speak several times, and when you talk about blockchain identity, you bring up PGP, which is like a thing of the past, right? Why is that even relevant to this subject? And what is PGP? Pretty good privacy Back in in 2000, when I wanted to go send an encrypted e-mail to somebody, I would encrypt the e-mail with PGP and send it, you know, with my private key.
And they'd use my public key to decrypt it, much like we do in blockchain. If that sounds familiar, Amongst many other things for that matter. And it was clunky and painful. It worked, man. It worked really well. But part of the problem was always, how do I know it's really J on the other side of this message? And so there was the PGP key server. And it's amazing to me that that 2324 years ago that was still housed at MIT and it is still
housed today. And I bet you can find, you know, my, my 2324 year old public key sitting on that server. But there's also something part of that that was the web of trust and that was the idea that three of us are on a podcast together. And I'm like, guys, this is really my public key. And you vouch for me and say, Yep, I've met Jay in person. This is really Jay's public key. I'm going to to to cosign the key so that you can see that that it's real.
And obviously the more people that validate that you're real, the higher up your trust level goes. And and I look at that and I mean brilliant in its time and kind of left behind as a lot of the capabilities around encryption and SSL and and a whole bunch of other things, you know, SAML and all these things come to fruition that allow us to do that process a lot easier. But honestly, you know what's
old is new. Again, I feel like there are people building on top of that philosophy using a blockchain. And I think that it's important to think about some of these failed experiments from the late 90s and early 2000s and revisit them in light of new technology and that, you know, that's going to be true of AI and a whole bunch of other new things that are coming out as well. But it goes to show you back to the the first comment you had Jeff is this a solution looking
for a problem? It it takes time for these to develop and I'm confident that when we look back over time, blockchain's one of those things that holds up. And it'll be interesting to see what very dated old balding technology actually reappears now in the age of blockchain and AI and a bunch of other new technologies.
I kind of feel like what we generally do with new technology and identity is try to map it to a real world use case where we we don't have technology, we have driver's licenses and we go to the liquor store and that person just wants to see that we're of age to buy their product etcetera. So you have like this issuer and relying party and so we tie that concept back to this. Now thinking about that I'm the OR the Internet practice manager, you know I I run the
Internet consulting practice. And I think if you're in that role you would have said and by the way the Internet does not have a construct for identity for how you identify yourself. And that's kind of one of the core problems that we've been trying to to solve forever. And I don't know that there is a parallel, you know, real world use case that maps to how you do it on the Internet. So you're talking about this web of trust in the PGP world where other people wind up attesting
to you. I think the parallel is that's the block chains that attest to you. I think that's a pretty fascinating concept. That's probably why it's hard for people to wrap their brain around this kind of approach, do you think? I not only do I think, I think your example really resonates with me because we we added passwords and we said, gosh, that's the end game, right? Passwords work. We've secured everything. And then it turned out passwords
aren't that great. And we said, OK, two factor. And we've tried a whole bunch of different kinds of two factor, right. UB keys again, really, really secure but pretty clunky. Text messaging, really easy but not necessarily that secure. And again, at each one of those steps we kind of say, hey, we solved the problem and we we kind of stay that way until something else better comes
along. And I think that that is in fact the best analogy where a lot of these things we think are solved when in fact something better is being built and developed that will at some point realize, you know this is better than a password. You know, this is better than than two factor and we kind of move on.
I mean I I think about 2005 doing Access reviews and man like I have there are definitely some companies out there that thought they had nailed Access reviews and they had the fanciest Excel spreadsheets and man they were on top of their game and then the sale points and of Access come around and it's like whoa this this we could do this a whole lot
better. And then you look at where we are today and there's a lot more automation underneath it to make these things work better and it and and I think that's that's the piece we don't know it's coming or we don't think it'll work because of our pre-existing thought process. But when it actually comes time to to use it it's better and that that's hard. And I don't think that's unique
to blockchain. It's certainly not unique to identity, and I honestly think not to make, you know, go on an AI rant, but I think I think we're going to have a really hard time with AI for that exact reason. Oh, you're going to tell me that AI can do an access review? No way. And somebody's going to implement AI on top of a governance platform in a really unique way and they're going to kill it, man. And I think that's hard to see as it's coming.
But once it gets here, you you kind of see the whole perspective. So, given all that, PGP Pretty Good Privacy Pretty Good kind of hints at the idea that it's not perfect. Jay is PGP pretty good. That's pretty good. That's the big moment with the podcast for today. There's our teaser, the shortest teaser ever. Jay, I want to ask you about some of the applications of blockchain in the identity management space. Is there I guess, Is there a
blockchain tool for identity? Is there a tool built on it already today? Are there other features maybe like ldapse or graph databases or things like that where there are parallels that exist? So all the the graphs and and other repositories are going to be built on top of blockchain. Again, horribly, horribly slow on purpose.
And so that is one of the, gosh, why am I doing it this way if I'm so I'm going to go pull all the data off the blockchain and go put it into a graph to go access it better. But again the immutability is, is the reason that you're doing it. So login with theorem is is probably the the, the beginning stages of a full identity suite. But again, I don't look at this as let's go log into a website. I don't I don't think that's the use case here.
I think and and let's weave in AI because I'm usually the guy that can drop 100 type buzzwords in a a 45 minute podcast. How do I know that. And I was my daughter and I had a fun time listening to AI generated music. And is this is this the real artist or is this the AI artist? And it it was a good time. We had a a good time doing it. But there's a lesson here in not do I want to know whether this
is real or not. But creating AI music is in fact a skill set that I want to get credit for that. So how do we identify the AI artist, whether that's music or video or a picture? And so we're going to be entering an area where identity is going to look a little bit different and it isn't going to be the common username and password, e-mail address and things like that.
Where blockchain identity may not actually replace LDAP, it may not replace all of the O auth and all the different types of of identity we do today. It may actually fill a new niche of being able to identify some of these non traditional types
of users or or entities right? Authenticating a bot in a a unique and definitive way so that there's again kind of a new world of the Internet that we're going to face and I think that the blockchain identity is in fact concentric circles versus replacing some of the existing technology that's out there. Sounds to me like time is a flat circle for all your True
Detective fans out there. So one of the things that I think vendors in, well, really any space but the identity space like to attach their products to whatever Wave is cool at the moment, right? We saw a whole bunch of zero trust marketing over the last few years. When vendors come along and say, oh, we're a blocked, we have a blockchain product, what do you think they're really trying to
get to? And I know this is probably a little more speculative, but I feel like there's a lot of marketing speak out there to say, oh, you know, we have the best zero trust XYZ, we have the best blockchain XYZ. Like what do you think vendors are thinking about in the technology space around this? I mean I I This is why, why it is so important for for people to go play with the talk and understand it in a controlled research, research oriented
mindset. Because when the vendor shows up in the room and says now with blockchain inside, you know, with a little stick around the box, you want to be able to ask the the really thoughtful questions that get to how are you using it, why are you using it, what are you actually doing? And so I I can't speculate and I'm sure there's going to be 100 different answers to those questions across the the vendor
ecosystem. But if you're not armed with that first layer, I've touched it, I kind of understand enough to ask the good questions. You are kind of left in the dark with with marketing speak and I think we saw in 20/17/2018 a ton of the built with blockchain I think that's gone away a little bit and we're we're seeing a lot more thoughtful inclusion of
blockchain and vendor products. And so I I don't, I don't want to say that everything's perfect, but we're getting to a better place where it's a lot more thoughtful than it has been in the past. And I think that's just part of any. I'm sure we saw the same thing with zero trust, right. Everybody puts it on the the cover and now we're probably to a better place where it's used
more judiciously. Yeah, it was at RSAI, don't know, a couple years ago and I I came back, my report was you know to the to the podcast crowd, good news, zero trust has been solved. Every product now has a part of their you know, solution setter features. So everything's good now. You mentioned, I thought it was kind of interesting what you're you're talking about I guess with your daughter trying to figure out AI music versus regular music, right. What was the kind of the artist?
It's it's clear obviously generative AI is kind of taking over. It's having a moment right now. And I think there's a lot of people who talk about ownership and rights and things like that and being able to verify that, you know this is authentic. Certainly I can see the benefits of having something like an immutable Ledger out there that kind of tracks this. But then I also hear things like NFTS, which get a bad rap as well, right?
I'm, I'm selling a picture of, I don't know, board a parade or whatever that whatever those are right for 10s of thousands of dollars or even millions of dollars. And I guess how do we balance the two to make sure that we're really not getting too crazy with how we're trying to leverage this? Yeah. And I'm, I'm going to come at it from the other side because I think if we assume everything is fake, then I want to know what
is real. And that leads me to how do I know that that what I'm looking at came behind the lens of the camera. And yes, I think we need to authenticate all the AI generated content. Me personally, I'm not terribly excited about reading a book that was completely generated by a computer. I think there's some value in in human being having written a
book. And so I think at some point you're actually going to authenticate that this is a human generated what percentage of this book was generated by the author, human being. But but let's take that picture for a second and there's if this were a video, this, this will encourage you guys to do more video podcasts. There is a picture of Jared Leto at the mat dressed up in this. I think it was a Bunny costume. And when you look at the picture, it actually looks AI generated, it looks fake.
It it turns out it's real. It's a real photo. And so having that authentication that this came off of a Canon or a Nikon or a like a camera is going to be hugely beneficial. There's actually a standard that a lot of the camera manufacturers and others have created, C2 PA if you want to go Google for that. That is a really interesting standard. That by the way, anchors itself to a blockchain. I've been, I found it fascinating to look at kind of how how that standard gets implemented.
And there's a camera from Sony, a camera from like, I think there's a a camera coming out from Panasonic. And like if we compare the styled app, everybody's implemented the standard. It's a little bit differently. So it will be interesting to see, you know, what this looks
like in a few years. But again you can see the identity of the the camera person, the identity of the camera, the identity that that they were standing in this place and actually hit the the shutter button and took that picture is going to be valuable. And I think the genesis is that that photographer will likely get a higher fee for that piece of artwork because it was it was real versus completely AI generated. I pay a buck for an AI generated sunset. I yeah, I'm just throwing out
fun fun numbers. I paid $10.00 for a real sunset taken by a photographer. Interesting conversation, but I also think that over time, the nature of art is going to change. I mean, I look at things people create in Photoshop or, you know, it's some of the computer generated video. I'm just blown away. That's real art. There was some human behind the scenes, but of course there's a lot of technology brought to
bear as well. I can see, you know, potentially in the future people don't just deal with paint brushes and canvas, but actually they use some kind of like virtual painting and you know, it probably feathers out the paint and things like that. That doesn't mean that it wasn't human created art, just that. Not that doesn't counter anything that you just said, but it just it got me thinking that I think the nature of what we consider human generated will
change over time. Let me add on something to that. Where is a good example of that paradigm shift I was talking about what if Photoshop was free and the art that you created with it, they got a cut of that art. That's really hard to do today. There's no way to do it right Try. It's it's just trust like that that you're going to give them 10% of of whatever art you
create. If we anchor these pictures to a blockchain and Photoshop has an identity and I have an identity and when I sell that photo that that there's some automation behind it that gives Photoshop their 10% cut and I get 90% cut. Now, now that's a that's a completely different dynamic and I think that's what is exciting to me about blockchain technology is that's really hard to implement today.
For Adobe would never enter that market where they're giving away this product in the hopes of getting some artistic return. But if we can, if we can actually put some some contracts on a blockchain that enables that, that's really interesting and that's really exciting. And that Jeff going back to what are the economics that make it work. That's why it's hard to predict you know what the right economics of running a blockchain is.
But you could see that that's a good example of an interesting model that some upstart AI image company might choose. We'll just take a cut. I feel like my head is spinning a little bit because we went into this with trying to demystify this. I think we've done a good job with that. But I think there's still so many questions that it's just kind of like, how's this going to work, right? Where is this thing going?
If you had to put on your prognosticator cap on what do you think blockchain looks like as like a market and sort of like an industry and two years from now? So first I think I need to come back on episode 300 to to do a follow up to. The time zone just. Throw that, just throw that out there. Right now I I think we actually talk less and less about blockchain. I think it becomes this boring thing at the bottom of the tech stack that enables some stuff that we kind of just forget about.
I I actually think the blockchain will be most successful when we don't think about it. How often do we have really deep conversations about L DAP? We don't. It's just there. It kind of works and we take it for granted. And is that going to be in two years time? I think we'll start to be on the road. I definitely think that the retail user probably doesn't think about blockchain very much, even when whatever product they're using actually uses a blockchain.
Now, does that mean IT people and identity people? Yeah, well, obviously still be in the middle of all of it, but I would hope that that this is not a front and center thing. I do not think the sticker on top of the box that says now with blockchain inside is actually going to be that exciting. It's really the ultimate use case of being able to get a product for free and they just take a cut of whatever I developed with it, that's that is going to be the front and center value.
That you may ask, hey, how how did they do this thing? But the reality is, is we're just not, we're not going to spend a lot of time talking about it. Well, we're hitting here an hour, and I want to wrap up the conversation with a little bit of a lighter note. You mentioned one experiment that you were running with your daughter around the AI music. We were talking before we hit record about another one that you were working on regarding eggs and coffee. You want to care to explain
yourself, Jay? So I got I got three daughters just in case anybody's confused at home as to what's going on here. My oldest daughter and I share a lot of music and so we're we're listening to that. The middle daughter is working on a an interesting science experiment. I hadn't thought about this before. We are taking eggs and dying them with coffee. I I will pause for a second and say, gosh, why did she pick coffee? She has this strange feeling that she's going to get to drink
coffee during this experiment. So that that's how how she picked coffee and we're testing a cold cup of coffee, a room temperature cup of coffee and a hot cup of coffee to see which one is going to die the darkest. And that is what's yeah, everybody asks me so what's on tap this weekend? That is what is on tap this weekend.
So that's coming up. We're going to have to look for an update to see, do you have any theories or posits that you want to put out there and say we think that this might hold true?
I mean, I I'll be honest. I asked ChatGPT what what the AI bought to the world thought and I learned all about the pores of an eggshell and when eggs are or sorry, when the temperature of the liquid is hot it opens up the pores and allows more dye to come in. I'm I'm actually I so I I'm pretty sure the cold coffee is not it's it's probably going to be pretty light. I'm really curious where lukewarm falls in the spectrum so I'm I'm still going to be
surprised here. But it it I'm really curious why no egg dying company at Easter recommends warm or or dare I say hot die for their eggs and that it it may be that there's some real world applications of our little science experiment and I can report back exactly how we should be dying eggs in the springtime. OK, So what I'm going to do is what we typically do is put out like a little teaser.
And so when I tag you on LinkedIn on Monday when this comes out, I'll be looking for an update to say, so which one was it? Was it hot coffee that got the pores open, which, hey, logical makes sense, right? That's how humans work, I guess. What is the temperature that allows the pores to open enough, right? Maybe there is a big difference in cold and lukewarm, maybe not so much difference between lukewarm and hot. I don't know. I'm not an an agologist or
whatever. I will put my risk management hat on for a second. And for those of you who are at home who might have a young child who's going to stick their hands in boiling hot water, probably not the best idea. And so I highly recommend you check the temperature of your your dyes before choosing to die an egg. That's that's my disclaimer of the day. That's Identity Center for you. Safety first at all times.
Jim, have you ever done anything like that with your kids with like any sort of like scientific experiments or anything like that? I don't have kids, so it'll be difficult for me to do that. I'm sure I have, but I, you know, it's been a long day and I actually don't remember what they were. But you know, I spend a lot of time with my kids, like trying to fix things. And you know, I'm not the most handy person in the world.
My, my father was like, he'd get out under the car and replace the brakes and do all these like, crazy things. And then I became an adult, got into computers. And now I I can't even, I can't change brakes on a car. But my son is now 19 and he got a motorcycle. He's like taking it apart and fixing. And I'm like, I guess that Gene kind of skipped me, 'cause he seems to have it. I don't know where that came from, but not a lot of science experiments.
OK. Well, other than this podcast, this we'll call that this is our experiment. See how this? Goes what are you doing on the side, Jeff? Are you doing science experiments? I'm always tinkering. I wouldn't say I would say computer science experiments. How about that? You know what's a better way to use, you know, this tool or that tool? How do we make the podcast better or things like that? I'm always. I'm always tweaking stuff behind
the scenes. Yeah, no. And you do a, you do a great job with that. Well, thanks for that. I think that's a good spot. I always like hearing compliments and that's how we'll close the show out today. So Jay, thank you so much for taking the time with us. I know you're a busy guy, but we definitely want to have you come back on and be looking for an update on the the egg experiments on on Monday when this goes live. And hopefully we'll see you
there. We'll have a link in our show notes for people to connect with you if they have questions about this or if they want to tell you you're wrong or you're right or what maybe people are seeing in the market, etcetera. Obviously, please be respectful that we'll go ahead and leave it for this week. We're on the web, idacpodcast.com. Try our new voicemail feature you might get on the show if it's something we think we can use. For that.
We're on Twitter at IDAC Podcast, Mastodon, Hey Decentralized, at IDAC Podcast, at Infosec, dot Exchange. And of course, Jim and I are always looking for feedback on LinkedIn, especially for these new sponsor Spotlight episodes that were going to come out later this week. So let us know what you think, what works, what doesn't work.
We want to hear it all because the goal here is to put out something that we think is worth our time and your time to listen to it. So with that, thanks everybody for listening and we'll talk with everyone in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and
review and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
