Episode 155 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Applying Governance to Digital Trust
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Scott Perry, Founder/CEO Digital Governance Institute
Description
Learn how a risk-based trust model is shaping how technology ecosystems are governed. Hear how the C2PA and GLEIF have used the Trust Over IP Governance Metamodel to provide a transparent and accountable framework to prove their integrity to users and relying parties.
Homework
- a. https://trustoverip.org/our-work/deliverables/
- b. https://github.com/c2pa-org/conformance-public
- c. https://www.gleif.org/en/organizational-identity/introducing-the-verifiable-lei-vlei/introducing-the-vlei-ecosystem-governance-framework
Takeaways
- ⚡ C2PA uses nested JWTs, where "each step adds another signed assertion, forming a chain of provenance." This could be a model for conveying trust over distributed transactions. Nicola Gallo has a similar idea for delegated authorization. But what's interesting about C2PA is that it shows it can work--C2PA already has adoption.
- ⚡ Don't confuse asset provenance with the digital rights to use it. This needs another data structure; see the "Creator Assertions Working Group" at DIF. I wonder what the overlap is with ODRL (see episode 114 with Josh Cornejo).
- ⚡ It seems like the goal of the "Governance Model" at TOIP is to build organizational trust to foster adoption of wallet-based credentials. Scott pointed out that one of the frequently underestimated risks when designing governance for emerging digital trust ecosystems is protecting private keys.
- ⚡ LEIs have strong adoption--the world needed an alternative to US-based DUNS numbers for a correlatable organization identifier. The goal of vLEI credentials was to enable an individual to assert a role at an organization, for example, who is the president or secretary of the corporation? This use case clearly shows the need for governance, without which such claims can't be trusted.