The Linux Foundation is hosting a new open source project, one that’s gunning to improve how we use digital credentials to prove online identity.
The Trust Over IP Project (ToIP, for short) is the latest initiative to win the favor of The Linux Foundation, the non-profit organization committed to free and open source software development. By hosting ToIP, the Linux Foundation will feature the project on its website, but ToIP will have to provide its own funding.
ToIP’s mission is simple, even if the problem it’s solving isn’t: it wants to create a standardized framework that will alter and optimize how we verify identity online. At scale, such a system, complete with a tech stack and guidelines for best practice, would theoretically improve security and privacy for everything on the web that requires you to verify your identity—from booking travel to logging on to social media and everything in between.
Given the project’s scope, it’s little wonder it has attracted interest from across both the public and private sectors. Its membership includes Mastercard, the University of Arkansas, IBM Security, the government of British Columbia and 25 other entities.
“Cover The Whole Spectrum”
The core issue ToIP wants to solve is the problem of establishing trust between two entities online. For example, when you log on to Facebook (if you still do, that is), you can’t currently prove to Facebook that you are you simply by visiting the site from your IP address. Instead, Facebook has to store credentials for you in the form of a username and password; this establishes your identity and credentials for this site.
The problem is, it also introduces a level of trust: you’re entrusting Facebook (and companies like it) with your data. And so with this model, online identity and its contingent data are gatekept by a handful of mega-corps.
What if, instead, this process were standardized to be more private and more secure, or even disintermediated so that users hold the keys to their own data?
Blockchains have been pitched as the technological breakthrough that will make this possible. If public chains like Bitcoin and Ethereum are used, the argument goes, they cannot be easily altered and are not typically controlled by a single entity. With this base layer you can create an immutable reference for a digital identity (DID); anyone who has a DID could prove ownership by referencing the record on the blockchain, and data that keeps track of which DID corresponds to which reference is stored either locally on each user’s device or in a third-party database.
But it can only improve the situation so much. You can never remove all trust and human error entirely. This is why ToIP is also focusing on developing standards and a best practice framework, because they believe that technology is only one half of the solution; the other is in governance.
“When identity met blockchain 2 or 3 years ago, everyone thought this problem was solved, but blockchain is one end of the spectrum,” Drummond Reed, one of the founding members of the project, said over a Zoom call.
His colleague and fellow founder John Jordan agreed, adding that at the other end of the spectrum lies “the human element.”
“So many approaches to DID and trust infrastructure are all about tech. You can have the best tech in the world and fail because you don’t have the best practices to establish trust between the humans behind the technology.”
So the final goal is not only to provide technical solutions but also “rules that can be adopted by the entire [data] industry … and general guidelines for establishing digital trust and templates to discover what governance works best.”
ToIP’s protocol is dual-facing in the sense that the governance framework reinforces the technical framework. From here, you can have a tech stack like blockchain, but in truth it could be any distributed database that can create cryptographic proof. Once you have this proof, then you need an additional layer to link the proof with DID ownership.
Under ToIP’s envisioned model, the data stored in this layer could be local (like in a user’s wallet or a key store file) or in an encrypted data store with a trusted third party. Either option would create a much more private experience where users would retain more control over their data than they do under the current FAANG infrastructure.
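The model described above (an append-only record for a DID, plus a key held in the user’s wallet that proves ownership of it) can be sketched as follows. This is an added example, not ToIP code: the hash-chained list stands in for the ledger, a Lamport one-time signature stands in for the wallet key so the sketch needs only the standard library, and the `did:example:` identifier and all function names are constructed for illustration.

```python
import hashlib, json, secrets

def H(data):
    return hashlib.sha256(data).digest()

# Lamport one-time signature: stand-in for the wallet key (one message per key).
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(256)] for _ in range(2)]
    pk = [[H(x) for x in row] for row in sk]
    return sk, pk

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[b][i] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    b = _bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[b[i]][i] for i in range(256))

def pk_digest(pk):
    return H(b"".join(x for row in pk for x in row)).hex()

# Append-only ledger: every entry commits to the hash of the previous one.
def entry_hash(did, key, prev):
    return H(json.dumps([did, key, prev]).encode()).hex()

def append(ledger, did, pk):
    prev = ledger[-1]["hash"] if ledger else "0" * 64
    key = pk_digest(pk)
    ledger.append({"did": did, "key": key, "prev": prev, "hash": entry_hash(did, key, prev)})

def ledger_intact(ledger):
    prev = "0" * 64
    for e in ledger:
        if e["prev"] != prev or e["hash"] != entry_hash(e["did"], e["key"], e["prev"]):
            return False
        prev = e["hash"]
    return True

def proves_ownership(ledger, did, pk, challenge, sig):
    record = next((e for e in ledger if e["did"] == did), None)  # first registration wins
    return (ledger_intact(ledger) and record is not None
            and record["key"] == pk_digest(pk) and verify(pk, challenge, sig))

def demo():
    ledger = []
    alice_sk, alice_pk = keygen()      # private half never leaves Alice's wallet
    m_sk, m_pk = keygen()              # a different party's key
    append(ledger, "did:example:alice", alice_pk)
    challenge = secrets.token_bytes(16)  # fresh nonce chosen by the verifier
    ok = proves_ownership(ledger, "did:example:alice", alice_pk, challenge, sign(alice_sk, challenge))
    other = proves_ownership(ledger, "did:example:alice", m_pk, challenge, sign(m_sk, challenge))
    ledger[0]["key"] = pk_digest(m_pk)   # rewriting the record breaks the chain
    return ok, other, ledger_intact(ledger)
```

The verifier stores no password or other secret: it needs only the public ledger record and a fresh challenge, which is the property that separates this model from the username-and-password arrangement described earlier.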
From here, the challenge, of course, is figuring out what the secret recipe is for providing this solution. Ensuring that developers build systems that store client data securely isn’t exactly a novel problem, but figuring out which blockchain or distributed database will provide the technical layer for this project is the largest unknown.
So first things first, ToIP will be “a place of learning,” John said, to explore which available solutions (and there are several) will work best in tandem with governance models to find the right fit for the internet’s missing identity layer.
Perhaps in the future you will be able to store your ID locally on a digital wallet. At the very least, ToIP believes, you should have the right to choose how it is stored, where it is stored, and who has access to it.