#254 - Exploring Digital Identity with Phil Windley

Jan 15, 2024 | 1 hr 9 min | Ep. 254

Episode description

The Identity at the Center podcast is back for 2024! Jim McDonald and Jeff Steadman are joined by guest Phil Windley, Senior Software Development Manager at AWS Identity and co-founder/organizer of the Internet Identity Workshop, to share his insights on digital identity. Join us as we dive into topics such as Phil's journey into the field of identity, his involvement in the Internet Identity Workshop, and his book "Learning Digital Identity." We also discuss the book writing process, key takeaways, and the future of identity innovation. Don't miss this engaging conversation with one of the leading experts in the field!

Phil’s website: http://phil.windley.org/

Learning Digital Identity by Phil Windley: https://www.amazon.com/Learning-Digital-Identity-Design-Architectures/dp/1098117697

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Transcript

This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Good, man. We've been podcasting fools lately. I feel like every day we're on this platform recording or meeting with folks. And I mean, I love it, don't get

me wrong. But yeah, spending a lot of time with you lately, Jeff. Oh, the keyword there is fool. That's for sure. A couple of fools doing this. No, I mean, I think this is, you know, this is how we start the year. We end the year. It's like this mad rush to kind of get stuff in place before you and I disappear for a couple of weeks of, you know, well earned time off and then trying to hit the ground running and then, you know, all that stuff. But I'll highlight the word again. Fools.

That's what we are. Yeah, well, you know, one of the things that I always like to do is watch your background. So we're an audio only podcast, but Jeff has the coolest background at home with his, I guess, office or studio. You've got like a TV set up and you've got, I think it's like screen savers running on it, but

always very cool. Today you're at a hotel, your background is the hotel door and they've got the fire escape placard and usually on that placard is what the nightly rate is. If you don't have a, you know, a discount code or something like that, it's like Comfort Inn, 450 bucks a night. Yeah, today's show coming to you live from a Residence Inn in Plymouth, MN, up in the frozen tundra. And I believe the rate, kind of far for me to see from here, is like $349 a night, which actually

isn't too bad. I've seen absolutely ridiculous hotel rates in the cities and things like that where you're into 4 digits for sure. Yeah, I'll bet it's cold there now. It's only going to get colder though. Yeah, not so bad, 27°. Those are rookie numbers. We don't really pump those up, right. You want those lower, I guess, in this case, but not too cold yet. I'm going to go out and hit some Topgolf tonight. Yes, in freezing weather.

I'm curious to see how it's going to work. I believe we have heat, you know, fans that should be running. So hopefully that would be a good time. We're actually going to, I'm actually going out to meet our friend Tom Sheffield, who's been on this show, tonight, so that'd be good times. Yeah, from Target. That would explain the Minnesota piece. Yes it does. Yeah, no, he's a good guy, man. I'd hope to have him back on the show. Yes, maybe.

Maybe we'll make a wager on golf tonight or something. If whoever wins, give me a son to come back on. If he loses, he has to come back on the show. What does that tell you about the show, Jeff? It doesn't tell me anything. How about that? Actually, he and I were talking at Authenticate last year and he's working on his new sort of presentation for this year.

So I think last time I talked I was like, hey, you know, once you come on the show and kind of work it out, once you've got sort of the framework in place and, you know, go from there. So Tom, if you're listening, looking forward to getting you back on here and looking forward to seeing you tonight. Yeah. Well, I'm excited about today's episode. This is a long time coming and I'm really honored to have this guest on our show. You want to go ahead and do your

normal introduction? Yeah, let's get Phil Windley on the line here. He's a Senior Software Development Manager at AWS Identity. He's also a co-founder and organizer of the Internet Identity Workshop. Welcome to the show, Phil. Hey, thanks. It's great to be here. I've listened to a number of episodes and I'm excited to be a guest. Yeah. Well, thanks for taking the time here and joining us.

I know you're a very busy guy. You got a lot of different, I guess, identity frying pans on the stove that you're probably cooking with. One of the things that we like to figure out though, is how people get into this world of identity. How did you get into the identity and access management space? Is it something that you chose or did it choose you? In the early 2000s, 2001, 2002, I was the CIO for the state of Utah under Governor Mike Leavitt.

And when I was done doing that and was doing some consulting, a friend of mine, Doug Kaye, had written a book on web services. And I thought that was kind of cool. So I was just talking to him about, hey, how'd you write a book, what'd you do? And he said, well, you should write a book on digital identity. The world needs one. And I said, Doug, I don't know

anything about digital identity. And he said, no, you do, just think about everything you did as CIO, and it's probably digital identity. And, you know, as I thought about it, sure enough, he was right. I ended up writing a book that was published in 2005 called Digital Identity from O'Reilly. And if you know anything about 2005, it was a little bit of a watershed year in identity. It's when, well, first of all, Web 2.0 was a big thing.

People were worried about how do we get access to APIs for, you know, everybody's stuff. Before that the world had primarily been kind of centralized identity systems. I built them, right. Organizations ran, you know, directories or whatever in order to manage their identities, so the book is primarily about that. It's primarily about this kind of centralized, directory-based identity. You know, how do you do that?

But the world changed in 2005 and people started talking about identity in different ways. And because I was writing a book, I got included in lots of interesting conversations. On January 31st, I mean December 31st, New Year's Eve, 2004, Steve Gillmor, who is, you know, something of a legend in podcasting circles, was doing the Gillmor Gang, and he's still doing Gillmor

Gang 20 years later. He did this thing that people came to call the Identity Gang. So he had like 30 people on, you know, on his podcast. You can probably imagine the sheer, just, you know, cacophony it brings. Terror to my ears. Just thinking about 30. Yes, on a single podcast, right?

But anyway, it was all about identity and after that was over, Doc Searls, who was also on it, and I were talking and we were saying, you know, the world needs a conference to talk about this kind of new user-centric identity vibe. You know, what people are doing. I don't think we said vibe in 2004, but that was, you know, that was the idea. And so we decided that we would, we wanted to do a conference, and so we set out to do something called Internet Identity Workshop.

We failed. We went to have the first one in the spring of 2005. Just couldn't get it together. Just wasn't working. But we were still interested. Still trying to figure it out. Doc ran into a woman named Kaliya Young at a Giants game. They were both there as part of some conference. I don't know what conference it was. And they started talking and Doc was mentioning that, oh, we ought to do this. We want to do this workshop. And she said, oh, I could help

you with that. And that was kind of the, you know, the little bit of extra magic sauce that it took to actually get it off the ground. So we had the first Internet Identity Workshop in the fall of 2005 at the Hillside Club in Berkeley, CA, about 70 people there. And what we did was we pulled together people who were doing what were called URI-based identifiers.

And there were four of them. There was Dick Hardt, who was doing something called Sxip. Johannes Ernst was doing something called LID. Drummond Reed had something called XRI, and the folks at LiveJournal, David Recordon and Brad Fitzpatrick, were doing something called OpenID. And we thought, hey, this will solve the identity problem. Let's get all these folks together.

We'll figure out how to create a single protocol for URI-based identifiers and then we can all go off and do the other things we want to do that are not identity. And of course, as you guys know, we just held the 37th Internet Identity Workshop kind of last October. So we didn't go off and do other things. We just kept doing identity over and over and over again. And so I've been doing that, you know, since then. Digital identity's kind of been my thing.

You know, just wrote another book for O'Reilly called Learning Digital Identity. And so that's how I got into and kind of have been growing through digital identity over the years. And Jim's probably been showing that book off on the camera here whenever he possibly gets the chance. I gotta ask, so I think you said 37 different IIWs so far and this was in 2005. The numbers don't add up unless you're doing more than one. Twice a year? Yeah.

OK, that's twice a year. Once in the spring, once in the fall. Gotcha. So I've never been to an IIW. Who's this conference for? I guess, what do people get out of it? Is it a bunch of big brain identity people? Can I go as a noob in the identity world? Like, what's the show? Any given IIW, I think it's probably about 60% people who've been there before and about 40% who are new, coming for the first time. Yeah. And so, no, you don't.

You don't have to necessarily be, you know, part of the identity, as people sometimes call it. But who is the conference for? It's for whatever you want to do, because IIW uses what we call open space technology. Basically, it's an unconference, so you can come and talk about literally anything you want. If you want to have a session on the best guitar chords for singing Christmas songs, you're welcome to come to IIW and talk

about that. And whoever's interested in the best guitar chords for Christmas songs will come in to your session. But what do the sessions primarily focus on? They primarily have focused on things like protocols, solving new identity problems, product, and how do we get adoption for these new protocols, how do we make things work. So I mentioned that we brought the first group together to kind of do these URI/URL-based identifiers and they all became OpenID, right.

So OpenID as we know it is not the original LiveJournal OpenID. They lent the name and some of their ideas. Sxip, XRI, LID all lent ideas to the whole thing. Other people lent ideas and the first version, V1, of the OpenID specification was kind of what came out of that.

That happened at IIW. OAuth is an outgrowth of IIW, OpenID V2, OpenID Connect. Now, IIW is not the only place people have worked on these, but that's what people do, right? They come to IIW and have sessions on solving this particular problem, right. You'll have sessions on SCIM and, yeah, IGA, I mean, you name an identity topic or protocol and people will be hosting sessions on that. And if they aren't, you can call one. You don't even have to be the expert.

You can just say, hey, I am really interested in knowing how we can use OpenID Connect in the Internet of Things and I don't know anything about it. Please come and teach me. People will come and run your session for you. So that's how IIW works, and that's the kind of sessions that get held. We had Kaliya Young on the show a few episodes back, #248, for those interested. And she kind of described this. She used the same word, the unconference, right?

And I think I've seen pictures on the Internet, of course, of, you know, people writing a topic and they just stick it up on a board and then people either attach themselves to it or they say, you know, it's like go to this room if you're interested in this thing. Is it really like that where people just? It really is kind of exactly like that. So we have, so every day we have a grid,

right? And the grid is vertical columns, different session rooms, rows or different time slots. And you literally write your title and who you are on a big 8 1/2 by 11 piece of construction paper. Stand up an opening circle, say hey, I'm Phil Windley and I want to host a session on the best guitar chords for Christmas songs.

And then after opening circle is done, you go up to the wall and say I want to be in this time slot and in this room. You put a sticker on there that says what room you're going to be in. And then you go to that room at that time and have your session. So yeah, it's exactly like that. I wonder if we can put like a card up there, Jim. It's like, hey, Identity at the Center, we want to record a podcast, come into the room and get interviewed by us.

If you guys come, I will find a room that you could use to set up and host a podcast and, you know, grab as many guests as you want. So. OK, well, now we're cooking. I think now you're speaking Jim's language. OK, yeah, let's talk about that. Because I've never been to one and I've always been, I'll be honest, intimidated to show up to something like that because I feel like there's just these

geniuses, right? You mentioned so many different specs and protocols and frameworks that have come out of this. Maybe they weren't created there, but I mean you've basically named every single thing that's used in identity today as having some sort of touch point with IIW. That's got to be really gratifying. Yeah, it is. I mean, if I were to point to one thing I've done in my life that I think has had a huge impact, it'd probably be IIW.

And, you know, I mean, frankly, I can't take tons of credit for it, 'cause I don't do much. I mean, you know, I make sure, you know, I charge people for their ticket prices, make sure the food vendors get paid, you know, rent the venue. But the content, right, really comes from all the people. We don't even do a program, right? We don't even have a program committee who decides what the topics are. That's all from the attendees. So it's really the attendees who make IIW what it is.

Isn't that true? I think that's true for every conference, right? The more, I don't know, amenable attendees are to having those conversations, and this is one thing I've really enjoyed about the identity space, is everybody's just so gosh darn friendly. I mean. And in fact, that's exactly why we do IIW the way we do, is because we think the best conversations at most conferences are the hallway conversations.

And so we're trying to do a workshop where every session is a hallway conversation. That's brilliant. That should be like part of the marketing or logo or something like that, Because you're absolutely right. I mean, I've had some amazing hallway conversations that were, no offense to the conference, way better than the conference content, right? It's this, this dynamic

conversation that takes place. I always point back to the example of Roger Grimes spending an hour with me at a table at Authenticate in, it would have been, Seattle, talking about quantum computing. I mean, ridiculous conversation. And I'm like, OK, this is awesome. See, at IIW you just call a session on that or sit at a table. We have lots of tables set out and lots of, I mean, I suspect that there are probably, you know, 10 times the number of interesting conversations that

happen as there are sessions. The last IIW there were 162 sessions, about 320 participants. So, you know, two participants per session. Obviously it's spread out over time. So, you know, it's not really just two people in each session. But yeah, a lot of sessions happen. Some of them are small, some of them are big. I mean, we have rooms that'll hold, you know, 60 people. We have rooms that'll hold 5. So you also have a day

job. It sounds like you're also working with AWS Identity. What's your role over at AWS? I guess, what do you work on there? What's your day-to-day like? Yeah, so I am in AWS Identity and I manage a team of developers working in the identity space. The most recent thing my team launched was, I don't know if you're familiar with Amazon Verified

Permissions. It's a fine-grained access control system based on the Cedar policy language that launched in gated preview last June and then was generally available, I'm sorry, gated preview last November at re:Invent. It was generally available last year. My team launched a companion service to that that allowed people who are also using AWS Cognito to use Cognito tokens as part of the authorization context for their authorization. So that's the kind of stuff we do.

I'm very interested in authorization at this point. Somebody at IIW this last time in closing circle said that, you know, they thought that the, I'm paraphrasing, authentication is mostly a solved problem, right. FIDO and a few other things. I mean we might mess around with FIDO at the edges, but pretty much it's unphishable. It's, you know, challenge response. It works great. Yes. We probably aren't going to get a lot better than

that, right. So what's the new thing? What's really interesting, what should people be focusing on? Authorization, right. I mean, when you think about it, authentication is really the simple thing. In the book, which I know we're going to talk about in a bit, but in the book I give a definition of identity, which is Joe Andrieu's definition, right. And he says that identity is how we recognize, remember, and respond to other people, places,

things, whatever. So if you think about authentication, it's just about that first part recognizing, right? So with authentication, we recognize people, but you still have to remember who this is. What are their attributes? What do I, what do I care about? You still have to respond to them, which often means saying what they can access, what they can't access.

So, you know, the big part of identity is really, I think, in the authorization piece and that's where I'm focusing a lot of my time right now, is on authorization. And that's a really tough problem. I feel like a lot of organizations struggle with authorization issues. I remember Sarah Cecchetti had announced the Cedar kind of thing out there a while back. And this is not a topic that we've actually been able to touch on, for people who aren't familiar with Cedar.

And we should probably do a whole episode on this separately. You should, yeah. What is, I guess, what's Cedar in a nutshell? Yeah, so Cedar is a policy language, right? That allows you to write policies. It is principal, action, resource, condition based. Like a lot of policy languages, it doesn't have loops, doesn't have recursion. So it's not Turing complete,

right? You can't write programs in it, but you can say things like permit, you know, users who are part of the resource owner group to make updates to any resource in the photo album, right? And so that's the kind of thing. But you also could add conditions to that. You could say if the time is between 8:00 AM in the morning and 5:00 PM at night, or, you know, those kinds of things, so you get this principal, action, resource triple.

And then you also have conditions so that you can do attribute-based access control as well. And Cedar comes with an evaluation engine that is open source on GitHub. There's a great tutorial at cedarpolicy.com that people can go and play with. Amazon Verified Permissions, which I mentioned a minute ago, is a hosted service that essentially runs Cedar for you, you know, makes it easy so you don't have to manage your own policy store and, you know, all of the things that

services do, right. I mean, certain services are great at those kinds of things. So yeah, that's what Cedar is and AVP. So, Phil, you wrote a book called Learning Digital Identity under O'Reilly Publishing. O'Reilly Publishing, whenever I think of those books, I think of the animals on the cover. Yeah, there's an animal on your cover and I'm wondering, what is that animal and how did it get there? Yeah, so it's a Nankeen Night Heron and it's from Australia.

And one of the things that is true about O'Reilly books is authors don't get consulted about which animals go on the cover. So you don't get to pick. Right. So it's not like the Nankeen Night Heron is my spirit animal or anything. However, you know, there's a colophon in the back of the book that talks about it.

And one of the things I think is really interesting is it says that the night raven in ancient Greek, which is what the Greek name for the bird is, was used to describe birds of ill omen. So I'm not sure why a bird of ill omen is on the front of my book, but yeah, there it is. There it is. So is this the first book you wrote? You mentioned that you wrote a book in, what was it, '05 or '06? 2005? So in 2005, under O'Reilly, was it the same bird, the night

heron? No, at that point they had a different series and so Digital Identity was classified in their security series. And so they were doing old, I guess, woodcuts or something from like the medieval time period. And so I've got some woman on the front of the book. I don't know. I don't remember what the significance of that was. And then I wrote another book in 2012 on event processing. So not digital identity. And did that have an animal?

No, it was not for O'Reilly. It was a Cengage book. Gotcha. Yeah, I did get to design that cover. Actually, I had a friend of mine design it, but yeah. So I found the, I forget how I got turned on to the book, but I was like, OK, I'm going to order this, and I was expecting it to be Digital Identity for Dummies. It's definitely not Digital Identity for Dummies. It's thick. It's meaty. The text is not huge. There's a lot in there. Who's the book for?

So our podcast, I tell you, is for the IAM practitioner. People who are taking all these great ideas and putting them into work in the real world. And, you know, I think that describes a lot of us, right? You do that in your day job. Who is the book for? Yeah, so I think that matches, right? I wrote the book for IAM practitioners. My hope was, you know, not to be an introductory book, although I certainly think people do read it as an

introductory book. But to be a complete kind of almost umbrella over the field of digital identity, 'cause I think too often IAM practitioners, I mean, there's a lot of books, fine books, right? For the purpose that they are trying to solve for, the problems they're trying to solve, that are kind of aimed at, oh, here's how you use OpenID Connect to authenticate users on your application.

Right. And I mean there'll be a great big book about lots of, you know, very meaty, lots of code examples, that sort of thing. This book does not have specific code examples, right. This book is not going to tell you how to use OpenID Connect in your, you know, Java application to, you know, do whatever. It's trying to teach you about what the field of digital identity is from a holistic standpoint.

So, you know, it starts off, you know, like we just talked about, with a definition of digital identity. It talks about why digital identity is hard. It introduces Kim Cameron's Laws of Digital Identity, which if you're an identity professional and you don't know Kim's laws, then you really ought to learn Kim's laws, because they tell you why identity systems so often fall short. That doesn't mean they're bad,

right? Because often identity systems are built for a specific purpose. They might not fall short in the terms of the specific purpose, but what happens then is somebody says, you know, product manager somewhere says, oh, we should, you know, let our users, you know, add, you know, yellow buttons to this part or whatever. And identity people go, oh, no, we can't do that. I mean that that isn't going to work. We can't support that or that'll take six months of work before we can.

And that's because, you know, the identity system was built for a specific purpose. And like I said, that's fine. I mean, that's how that's how things work. But yeah, the laws of identity try to get you to. Yeah. To to think about identity more holistically. And then, you know, the book kind of goes into some general topics, things like trust,

privacy, those kinds of things. And then we get into some specific things like how does authentication work, you know, and I do talk about OpenID Connect and I do talk about FIDO and some specific technologies. But like I said, not in a way that, you know, is here's how you use FIDO in your application. More about why would you think about using FIDO instead of OpenID Connect, or why would OpenID Connect be a good thing to use

in certain circumstances? And I try to go back as often as possible to the laws, right, And talk about why this specific technology, which laws is it trying to meet and which laws does it not meet? Is that OK for your application? Talk about authorization. Talk about Federated ID. Yeah. And how Federated identity works. And then probably the last third of the book or so I get into what I think is the next frontier of identity, which is I use the term self sovereign

identity. Some people say decentralized identity. I I am very opinionated about this. I I like the term self sovereign identity because I can imagine decentralized identity systems which don't give the user control over their data and identifiers. Self Sovereign very clearly puts a stake in the ground and says the user has to have control

over this and that's that. So that's why I like it, and so the last part of the book really talks about the technologies and protocols for doing self sovereign or decentralized identity, things like DIDComm, verifiable credentials, that sort of thing. I have to follow up on, we're talking about the laws of identity. So Kim's laws. I remember I was at Digital ID World in '05, right? And it was like when these things were brand new and I was as green as green can be to the

the industry. Are they, are they still relevant? I mean, this is 18 years ago. That's that's I think what is so interesting about them and and why I think they deserve the word laws. But they're not laws in the sense of legal laws. They're not laws in the sense of you know, the laws of physics, right. But they are laws in the sense of they they describe big enough concepts in general enough terms to to still be specific enough to be useful but to not go out

of date. And and I think that's one of the things that makes them laws and I I believe they're still extremely useful. You know, there's things like user control and consent, and Kim makes a stand on what are what. How digital identity system should enable user control and consent. So you can ask yourself a question, does the identity system I'm using enable user control and consent or to what? What extent does it enable user control and consent and is that OK? Minimal disclosure for

constrained use is another one. I mean that's kind of timeless, right? I mean that's the kind of thing. I mean identity systems which haven't respected minimal disclosure for constrained use is what's gotten us into the whole privacy debacle that we're in now, right, with people worried about AI. I mean, you know, how does digital identity relate to artificial intelligence?

I think artificial intelligence without a good self sovereign identity system is just a disaster waiting to happen. All right. So Kim's laws, I think, are still very, very relevant. I think, you know, as you were saying that, I'm like, one of the things that attracted me to the identity space was going to those early conferences and seeing this isn't just technology, ones and zeros and how to plug this in to make it work with that. There's a philosophical layer that. There is.

It's always just beneath the surface of everything. And maybe AI is like the next industry where that can happen, because it seems like every other kind of industry within IT kind of gets boring and just gets commoditized. Like I originally entered the space coming from the network engineering side of the house and it's like everything that I used to do got commoditized in terms of like data centers all just got outsourced. Like nobody physically runs servers anymore.

I mean, I'm sure some people do, but it's certainly shrunken down in terms of the overall population of IT professionals. But Oh yeah, yeah. Yeah, back to the book. One of the things that that blew me away, like again, I was like kind of expecting digital IT, Digital ID for Dummies. Not saying that in any kind of insulting way. I think those books are fantastic, you know. But what I also saw was like this is like an encyclopedia and I'm wondering like how does one person know all this?

So did you write the whole thing yourself or did you have like sub authors or how does that work? I wrote the whole thing myself. I mean, that doesn't mean that all of the ideas are mine. I mean, you know, I've gone to, you know, 37 IIWs. Yeah. One of the things, I write a blog at windley.com, my name. And one of the reasons I write is, you know, I tell people I write for me. I write so that I can understand ideas and get them in my head.

You know, if they happen to be useful to other people, that's great. But, you know, I like to write them down, 'cause it's how I process information and how I come to understand things. So, you know, some of the things in the book actually came from my blog. Obviously, you know, modified, edited, expanded, that sort of thing. But yeah, just I just kind of collect this stuff. And, you know, I I originally, like, like we discussed, I wrote a book in 2005.

My original idea was to write a second edition and I've been meaning to write a second edition of Digital Identity for probably 12 years now, since 2010 or so. And you know I've held several sessions at IIW saying hey, you know, if I go to redo this, what should I put in it. You know, people always gave me ideas and then, you know, the whole self sovereign identity thing happened. And I knew I wanted to do a

book that included that. But I also wanted to not just do a book a self sovereign identity, I wanted to do a book that was, you know, covered the digital identity from, you know, start to finish and kind of had like you mentioned, of kind of a philosophical base to it. You know, one of the things I I like to say is that digital identity isn't about identity, it's about relationships. People build identity systems to manage relationships, not to manage identities.

The identities are just the things they need to put in them in order to create the relationship. And so I wanted to include all of that in the book. And so I started putting together a table of contents, which, if you ever write a book, that's like the first thing you do, right? You write a book proposal that includes a detailed table of contents. And you know, when I sent it to O'Reilly, they said, wow, this is great, but this is way too different to be a second edition.

So it's going to be a new book. I said, OK, so it's a new book. How do you suggest someone read the book? Like, do you attack it from cover to cover, or... maybe I could say here's what I did. I decided to attack it from page one. I probably read the first three or four chapters, but then I got excited about different areas. I was like, I can't wait to get to this chapter. So I jumped ahead and read the

chapters that I wanted. Yeah. Well, I mean, I think that a lot of the chapters are standalone. So, for example, you know, like I said, I lead a team in AWS Identity. Not all of them are identity experts, right? They're developers who came from different areas. You know, I'll just point them at chapter, you know, 11 and say, hey, you know, you need to go read about authentication and how OpenID works. You can just go read Chapter 11 and kind of

understand authentication. Now it's going to refer back to things. It's going to say, oh, you know, here's the definition of identity, and authentication is about recognizing people. It's going to do those things. It's going to refer back to the laws of identity. So you can probably pick out almost any chapter and just read it by itself without having read

anything. That said, I think what you did is probably how I'd recommend people read the book, because you certainly read probably the first five chapters. They're probably the chapters that lay out kind of my overall philosophy of how I approach identity and how I think about it. But then after that, you know, if you're interested in, you know, how does privacy work, Chapter 8 works great. You know, Chapter 9 is kind of a general developer's intro to cryptography, right?

I mean, it's not going to teach you to be a cryptographer. It's more, if you're doing identity, cryptography is everywhere, so what do you have to know about cryptography in order to do it? So, you know, you might go into the authentication chapter and get into some section, and it says, oh, we use digital signatures to validate the token. And you're going to say, what's a digital signature? Well, then go back to Chapter 9 and read about digital

signatures. I think that's a perfectly valid way to read the book. Yeah, and like I said, I'm giving my endorsement. Great book. How can people get their hands on the book, and is there an audio version? There is not an audio version, but, you know, you should suggest that to O'Reilly on their website. You know, go in and suggest, oh, we need an audio version of this. Yeah. So I mean, obviously Amazon is a good way to do it. It's available on

O'Reilly's site. You know, if you're a member of O'Reilly's, what they call a Learning Center, you have access to the book. Ping Identity actually bought rights to the book to publish on their website, and you can go get chapters of the book. I think they're serializing it, and I don't know what they're up to now, but Ping Identity has it on their website. So any of those are great ways to do it.

Yeah. Go to my blog and click on the link and that'll take you to Amazon. So. We'll put links in the show notes so anybody can, you know, grab a link and find the exact, you know, place to go and purchase a book if that's what they're interested in. You know, I kind of wonder, like, if you were not the person reading the audiobook, who would you choose to read it? Well, I pick you, Jim. Oh God, it would make it twice as long.

What else can I say? Yeah, that's a good question. Morgan Freeman is who came to my mind. Yeah, I think I'd pick Doc Searls. He has a great radio voice. He used to be in radio way back in the day. So yeah, I think he'd do great, and I'd pick Doc. All right. Plus one for Doc. OK. So now I wanted to talk more about what it was like to write the book. And so I kind of broke this into a couple of questions. What was the hardest chapter for you to write?

Probably the intro and the last chapter. So the intro: I always wait till the end. So when I started writing, I pretty much wrote it in order. I started with chapter 2 and went on through, but I didn't write chapter one, partly because I think introductions are hard to write, especially before you've written the book. You know, 'cause you really want the intro to be an intro, right? You want it to talk about what the book's gonna say. And so, you know, I wait till

I'm done, and then I write that. And so chapter one is probably one of the hardest chapters. You know, all of them involve a little bit of research. I mean, you know, even now, you know, somebody will talk about SAML and I'll pick up my book and go look at the SAML section, 'cause I don't remember all that stuff out of my head, obviously, you know. So there's a little bit of

research in all of it, though. The last chapter, though, I think was also not difficult, but it was challenging, because I wanted to talk about my goal, right? I think digital identity is foundational to how we live our digital lives. In fact, I say that several times in the book, that without digital identity systems that respect individuals and their rights, we cannot expect to live effective online lives and have any degree of privacy.

They'll always... I mean, don't get me wrong, I think the current world of the Internet is actually amazing. But it's like living in Disneyland in the sense that it's all curated, right? It's all these experiences that Google put together for you, or Apple put together for you, or whatever, and you really aren't having an authentic human experience where you connect with people. You know, I like to use the example of going to a

convenience store, right? If we put a convenience store online, you would have to actually have relationships with, like, the coffee maker and the people in line with you. And, you know, you'd have to, like, exchange identifiers, or, you know, maybe the convenience store would have a login system. You'd have to log in so that you could even talk to the other people in line. I mean, that's what it would be like. That's not authentic.

That's not how humans live. So, I'm ranting, as you can tell, but if we want to live effective digital lives, we have to have identity systems that respect human rights, human privacy, give people control over their identifiers, over the data that those identifiers are linked to. And so I wanted to end the book in a way that helped digital identity practitioners understand that they were building the future, and the future was what they decided it

was going to be, right? The future is not preordained. It is based on what we build as practitioners. And, you know, we can say, oh, but Google, Apple, blah, blah, blah, but we all build it, right? We go to work for them. We decide what kind of systems we're going to build. We decide what kind of systems

we're going to advocate for. And if we advocate for systems that help people live good digital online lives, then we've built something great, and we have built a future that is worth living in. You know, I think I close with a quote by Shoshana Zuboff, who wrote the book on surveillance capitalism. You know, and I can't remember her exact question, but it's something like, is the digital future one we want to live in?

And you know, my answer is a hearty yes, so long as digital identity practitioners build the future they want to live in, not the future they want to avoid. So anyway, that's my spiel. And so I wanted to write the last chapter in a way that led people to that and helped them feel a sense of purpose and responsibility for the digital future. And whether it succeeded or not, I don't know, but that's what I wanted to do. So it was a challenging chapter

to write. Yeah, I know. I think the whole introduction thing made a lot of sense to me, because writing it at the end probably makes the most sense. But I also like that you brought up Surveillance Capitalism, another great book, right? All of our listeners, if you're looking for that reading list for 2024, that's a good one

to put on the list. I'm wondering, Phil, so again, with how much is in here, and I'm sure when you sent the outline over to the O'Reilly people, they're probably not only like, this is a separate book, but this is like an epic, especially if you did your day job while you were writing the book. So did you take a hiatus in order to write the book, or just do it at night? I didn't. I wrote it mostly at night and on weekends, you know.

Thanks to my wife Lynn for putting up with all of that. But yeah, I wrote it in about a year, and, you know, you have an editor, and I try to be nice to my editors and give them their chapters when I've promised them, and they do give you a schedule, right? They say, OK, we want half of the chapters turned in by this date. We want, you know, another quarter turned in by this date, and so on. So yeah, I tried to make their schedule and got it done.

So, as you're going, did much of what you're working on end up on the cutting room floor? I mean, it seems like, you know, when you look at something that's written, it's not just the 20 pages that made it. It's all of the editing and everything. Yeah, yeah. Well, I mentioned I had an editor, and I actually love working with editors. You know, some people don't. They don't like having their

work criticized. Whatever. I love that someone is going to spend their time making me look smart. And that's what editors do, right? They make your writing look good. They tell you when things don't make sense and, you know, when you need to clarify something. So I don't know how much ended up on the cutting room floor, but I will tell you that lots of stuff changed as we went into the editing process and moved things around.

You know, she'd ask questions. I'd add a new section. I'd move a section. I'd, you know, completely redo a description, and that kind of thing. So yeah, the editing definitely changed the book, and for the better. Oh, that's really cool. So what is it about the book, or about the experience of writing the book, or whatever, that you're most proud of? Well, I mean, I feel like I accomplished the goal that I set out to, which we just discussed, right?

Getting people to the end of the book with a call to action, with a feeling that they understood the world of digital identity. That they knew how important it was, that they knew the concepts and the underlying technologies, and could then go out and say, OK, I know that we should be doing it this way, or we need to work on minimizing, you know, the information we ask users for. You know, whatever that is, that's what I hope they do.

And I think the book gets there. Whether people agree with me or not on that, I don't know. But that's, you know, I think that's where the book got to, and I hope that's, you know, what people get out of it. Yeah. And I think, yeah, it was definitely the opportunity to get that and probably introduce a lot of people to some of these concepts who haven't been in the industry as

long as you have. Last question about this is, you talked about the second edition of the first book. Will there be a second edition of this one? And if you were to write a second edition, what would be different? Yeah. So if I were to write a second edition right now, obviously it's only, you know, less than a year old. So I probably wouldn't change the structure too much.

But I mean, if you look at my blog, you'll see all of the stuff I've written about since the book came out is stuff that likely I would think about adding, you know. So, you know, I've got, you know, even just, you know, the most recent things, I mean things like permissionless and one-to-one computing at the edge, you know, those are all topics that I think... zero data, I mean zero data, zero trust. I mean, I don't even mention the words zero trust in the book.

And yet that's, you know, I think a huge topic that people care about. You know, as I've gotten more into authorization, that's clearly one of the use cases for authorization, is zero trust. So, you know, those are things that, you know, now I go, my word, why didn't I think about zero trust and put that in the book? But, you know, at the time it wasn't on my radar. So yeah, there are plenty of things I would add. I don't know that I'd cut much,

not yet anyway. But, you know, some of the chapters, you know, if you look at the first book I wrote, Digital Identity, and look at the chapters, you'll see there are chapters that have essentially the same title. And, you know, some of the sections sound similar, but, you know, they're largely rewritten. You know, like in the chapter on authorization, I do talk about mandatory access control and discretionary access control.

Those are things I just lifted from the first book and rewrote. But yeah, so I don't know that I'd drop much. But, you know, if you ask me in five years, yeah, there's probably stuff that I'd say, nobody cares about that anymore. I feel like this is the space of identity, right? There's always something coming and going. Like I mentioned earlier, right? I mean, we started IIW literally with the idea, we all had things we wanted to work on.

Doc was interested in, you know, personal data. I was interested in reputation systems. And we thought, oh, we'll solve this identity problem, then we'll go off and work on the things that we care about. And now, you know, in April, we're going to hold the 38th edition of IIW. And it's always fresh. It's always got new topics. Yeah, it's like identity is this evergreen topic, because we're constantly learning new things about it and, you know, expanding what we

think is important. Is there a new topic or topic du jour that you've seen really kind of take hold in, let's say, the last six months, maybe the last two or three IIWs? Is there something that's like, wow, this is starting to catch fire? Well, I mentioned one: authorization. I think authorization is a big topic that people are starting to pay much more attention to than they have in the past.

The other one that has clearly been a topic of conversation at IIW for probably the last four years has been self-sovereign identity, decentralized identity, you know, protocols like DIDComm, systems like verifiable credentials. How do we make those work? What's user uptake? How do we get adoption for those? So yeah, that's been a huge topic. I mean, IIW has in some ways been Ground Zero for that topic over the last few years.

So yeah, those are big. I want to pick your brain on sort of identity itself, and from an innovation standpoint, what do you think is the most, I don't know, important identity thing that's come into play recently, like, let's say, within the last maybe year or two? I would probably pick decentralized identifiers and verifiable credentials. I mean, decentralized identifiers, especially the peer DID method, change how identifiers work in

some fundamental ways. And the most important way is that decentralized identifiers, like I said, especially peer DIDs, are meant to be controlled by people in wallets. And that is, if you think about, you know, what I was saying earlier about what's it going to take for us to lead effective online lives? That idea, right? I think the biggest thing standing in the way, and this is going to go to Jim's philosophical bent, is we are not

digitally embodied. And, you know, 'cause we've got video, I can see you kind of squinting a little bit: what does Phil mean by that? Well, what I mean is, if you think about it, obviously anybody could stand up a website. I mean, there's nothing stopping my mom from standing up a website, but she's not going to, right? So who are the things online, or what are the things online, that we think about as

being the places we go? Well, they're all things run by companies, and most of them are run with what I term intervening administrative authorities, meaning that the identity administrator is sitting between you and whatever you want to do, right? They're intervening in this interaction. We don't have any place to stand in the online world. The browser isn't it, right? The browser is client-server. It's a client. The server is making all the

decisions. The client is just echoing whatever the server tells it to. What is it going to take for us to be embodied, to have something where we are online, where you and I can exchange messages without any intervening system? Well, what I think it takes is what people are calling digital wallets. And so, you know, what do I think is the most exciting, interesting digital identity thing right now?

Digital wallets, and how digital wallets allow us to create peer identifiers, exchange those peer identifiers, exchange trust information with each other, you know, verifiable credentials, and essentially be the masters of our own system, right? And, you know, phones, the things that we carry around in our pocket, give us platforms that we can use those digital wallets in. And I think that that is the most important and exciting thing that is coming along right now. All right.

Last question before we start to wrap things up with a lighter note. Where do you see AI taking identity in the next five years? Yeah, yeah. So I think, as I said earlier, AI without a good self-sovereign identity basis is pretty scary. What's fake? What's not? Who created what? Who didn't? Are you really you, or are you a fake you? How do I know that you're really you? How do I know that you're human? How do I guarantee that you're human?

Well, I mean, think about just that question. How do I guarantee you're human? How do I know that you're human? And now think about how we do that. This is 2023. You go to open up a new bank account. How do they do it? They do, like, a Zoom call with you and have you hold up your driver's license in the call with them. I mean, my word. I mean, this is like Stone Age technology compared to... Neanderthals, yeah. Yeah, compared to what we could do, right?

And so in order for AI, in order for us to coexist with AI, I think we have to be able to prove online that we're human. We have to have clear ways of knowing when we're interacting with an AI and when we're not. That is all going to be based on self-sovereign identity systems. Or, I mean, I don't know that it's actually going to be DIDComm and the verifiable credential spec, but it's going to be something like them.

But it's going to be something where I have identifiers that I control in my wallet and can prove that I'm human without having to hold up my driver's license on a Zoom call to you. So that's where I think AI takes identity. I think it drives this need for self-sovereign identity even further than it has been. I know we're running long, but I just have to ask two more questions here.

We talk about self-sovereign identity, and I put a poll out recently on one of our episodes, 'cause we had a conversation around blockchain on the identity side of things. And basically the poll question was, who would you trust to run your decentralized identity platform? And I think that's going to be a problem for adoption: who does run, you know, this decentralized platform? Is it the government? Is it education?

Is it healthcare? I mean, given where we're at today politically in the US, if the government does it, 50% of the population is immediately out. Yeah, like, who do we trust? First of all, I would say it doesn't need to be a blockchain. And there are lots of ways to decentralize identity and create self-sovereign identity systems that don't necessarily require somebody to run

something. So, for example, with peer DIDs we can all create whatever DIDs we want. You and I can exchange them, we can all, you know, vouch for each other. We could create reputation systems. None of that requires any kind of platform at all. Now, that doesn't mean I don't believe we'll get benefit out of a platform.

So, for example, if I want my driver's license as a credential that I hold in my wallet, there needs to be something that can tell me that that driver's license really came from the state of Virginia and not, you know, that I just made it myself. How's that going to work? Right. So there's kind of a new term that people are floating around called

acceptance networks. We could probably do a whole show on just acceptance networks, but that's essentially, I think, what it's going to take. It's not going to be a company, right? It can't be a company. It has to be a protocol, a governance model. It has to have lots of people who have bought off on it, and, you know, there can be more than one acceptance network. There doesn't have to be one.

When I say acceptance network, the best example we have of acceptance networks are Visa and MasterCard and American Express. They're all acceptance networks. They have governance, they have technology, they have protocols, they have processes. And all of those things make it so that I can walk into a merchant in London, slap down a little piece of plastic, and that merchant is almost guaranteed that they're going to get paid. But that's magic. Why does it work?

Well, it works because governance, process, protocol, technology all come together and solve that problem. That's what we need. We need that sort of thing. It shouldn't be run by the government, shouldn't be run by a single company. But we're going to have something like that, maybe multiple somethings like that, and, you know, we'll decide which ones we want to use based on where we want to do business. So. All right.

Final question. Go back to AI, because I just have to. How do you see that impacting your book writing process in the future? Well, you know, it's interesting. So I have tried to incorporate generative AI in multiple places in my life. So I use AI like a virtual assistant, but I don't like to just ask it to write sections, 'cause I think it produces text which, at least at this point, you can still kind of tell it wasn't written by me, at least because I have a certain writing

style. And even if you say, oh, use the style of the Technometria blog to do this, it still doesn't write like it. So what I do is I like asking questions. So, I don't know, I mean, one of my favorite books, and there's a whole back story to this. One of my favorite books is a book called Snow Crash. And in Snow Crash, the protagonist, who is named Hiro Protagonist, uses this AI called the Librarian. And Neal Stephenson wrote this book, like, in 2004. Something like that.

No, no, sorry. So 1994. I mean, long ago, right? And if you go read the dialogue that Hiro has with the Librarian, that's what you should be doing with ChatGPT, right? So I'll ask ChatGPT something like, tell me how this particular company enables zero trust, or what their product does to... And then I'll say, OK, but what about this, do they... And so

I'll ask it for information. Now, you have to kind of take it with a grain of salt, because, as Joanna Stern says, these are large language models, not large fact models. So, you have to know enough about the subject to be a good interrogator. That's how I use it.

I interrogate it all the time. In fact, I am giving all of my kids, all five, a $250 gift certificate and an instruction sheet on how, and I'm expecting them to use the $250 to subscribe to ChatGPT for one year. It's because you do get some benefits from subscribing, and to incorporate it into their lives. So that's how important I think it is. I want all of my kids to know about it, and that's my Christmas gift to them. I think that's cool.

I'm a ChatGPT subscriber, and I've built, I think, let's see, three or four different specific models for different types of use cases, and yeah. That's one of the things you can do as a subscriber that you can't as a non-subscriber, and I agree with you, that's really important. And I think it's a good way to learn it. But it's also really interesting to see how the technology is evolving literally right before your eyes. And you know, it's the ultimate

low-code experience, right? Tell me this, do this, and you see it take shape. It literally feels like the web in 1994. But with better graphics. Yeah, with better graphics. All right, let's end on a lighter note. This is definitely one of our longer episodes, but I've really enjoyed this conversation. Before we started talking, we were talking about hobbies, and you mentioned that you're into bicycles, and I said, OK, well, what kind of bicycles?

And then you started rattling off a bunch of bicycles. Road, gravel. I've got a Specialized road bike, which is a road bike. I've got a Cannondale Quick CR1, which is kind of a gravel bike. I've turned it into a gravel bike. I've got a Trek Super Commuter Plus 8 that I use for commuting, but it's an electric bike. I also use it for longer rides, like on bike trails and stuff.

And then I've got an electric mountain bike, which is a Specialized. Oh, now I'm going to forget the name of it. Anyway, yeah, all great bikes. I love all of them. I can't part with any of my babies. Why do you need four bicycles? Well, it kind of depends on the mood you're in, right? I mean, sometimes I want to go out on a trail, and so I take the mountain bike. Sometimes I'll take the gravel

bike, if I'm, you know, feeling especially spry. I'm more prone to take the electric bikes nowadays, I have to admit. You know, I find that it is true that the electric bike is less work. My running theory is, and I have some data to back this up, that on a mile-per-mile basis you're doing 65 to 70% of the effort on the electric bike.

Of course, it depends on how high you have it dialed up, but you're doing 60 to 70% of the effort on the electric bike that you do on a non-electric bike. But on an hour-by-hour basis

it's exactly the same, right? So on an hour-by-hour basis I'm burning essentially the same amount of calories, according to my calorie tracker, and, you know, feel the same kind of tiredness. And so what that means is the electric bike allows you to do more in an hour than you could have with a non-electric bike, which means you get to have more fun, right? You can go further, you can see more places. So I do find myself tending more towards the electric bike these days.

All right, bonus lighter note. Jim picked up, when reading the book, that you might be a Jackson Browne fan. And so, Jim, you want to ask the Jackson Browne question? Yes, I would. Tell us your favorite Jackson Browne song. But bonus to that, question 1A is, why are you a big Jackson Browne fan? Yeah. So I'll answer the last question first. So I'm a Jackson Browne fan because I kind of came to him through the Eagles.

So I'm also a huge Eagles fan, and Jackson Browne and the Eagles kind of intersect with each other. Jackson Browne and Glenn Frey were roommates when, and he wrote, oh, now I can't remember. It's tough getting old. Anyway, he wrote one of the Eagles', you know, hits, and so I kind of came to him through that, right? Started listening to his music, and, you know, I like it because he's very philosophical.

So I'm going to pick a couple of probably less well-known songs as my favorites, even though I like them all, but I like Fountain of Sorrow. It's not as well known, but it's about how, you know, friends and lovers kind of navigate through, you know, where they're at in their relationships, and, you know, it's called Fountain of Sorrow because this fountain of sorrow springs from your life like a fountain in a pool. You know.

That's the lyrics, right? And I just find his lyrics so interesting. Yeah. The other bonus, which almost no one has heard of, is Lawyers in Love, so go listen to it. Jackson Browne, Lawyers in Love. It's about the Soviet Union being turned into vocational land for lawyers in love. I don't know that there's deep philosophy there, but it's definitely entertaining. It's an interesting premise, I

guess. Yeah, I always go back to Somebody's Baby, which was a song in Fast Times at Ridgemont High, which, yeah, has got to rank within my top five movies of all time. Yeah, yeah. Well, and the song's great. I mean, it's very lighthearted. It's not as philosophical as many others of his songs, but yeah. All right, we'll go ahead and wrap it up for this week.

I know we've spent some extra time here with you, Phil, but really appreciate it. I'm gonna have links in our show notes. So phil.windley.org is your website. The book is called Learning Digital Identity. We'll have a link to that for Amazon for people to check that out. I guess try and find the Jackson Browne Easter eggs throughout it. Yeah. And then, yeah, we'll wrap it up for this week.

You can find Jim and I on the web at idacpodcast.com, or on Twitter at IDACPodcast, or on Mastodon, speaking of self-sovereign slash decentralized, at @IDACPodcast@infosec.exchange. And of course you can connect with Jim and I on LinkedIn. And yeah, let us know, you know, what you think of the episode, and subscribe, like, you know, all that jazz. And Jim, anything you want to close with?

Yeah, I wanted to close with, we got a mention from Lindsay Dunn, who is somebody that I met at Oktane this year. She's an identity consultant out of Germany, and she just mentioned, thank you Jim McDonald and Jeff Steadman, your podcast is the best. She was writing about the episode that we did with Jason Rebholz of Corvus Insurance and just how much she had taken away. I mean, it was quite a write-up, so I know you got tagged,

you'll see it as well. But she just mentioned that our podcast is the best, so we'll just leave it at that. I'm not gonna argue with that. I mean, that's an opinion, and we'll take it as fact. How about that? So, yeah, thanks for that. Stuff like that is cool when we see it out in the world. And yeah, keeps us going. So, all right, good mention. We'll go ahead and wrap it up for this week. Thanks everyone for listening, and we'll talk with y'all in the

next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at IDACPodcast. See you next time on Identity at the Center.
