Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hey, everyone.
My talk today is called No Wallet, No Problem: How JSON Web Tokens Define the Future of Mobile Driver's License.
Let's get into that.
First off, I want you to envision this.
You might be familiar with this if you're a technologist or software engineer.
You just finished this really big feature, the type of feature that you promised the sales team and product managers and customers would be done in two weeks, but you found yourself working on it for two months, and it went on forever and ever.
And now you're finally done.
And so you're like, I want to just unwind, maybe a movie and some wine.
I know we're not able to talk back and forth since we're not in person,
but just from your perspective, if you were going to go about this path, would
you decide you want to order the wine online or pick it up from the store?
Feel free to think about that for yourself or maybe write
your answer in the comments.
So in this situation, let's say you chose to order the wine online.
And so when you did that, the app where you ordered the wine said, Hey, don't forget, you need to make sure you show two items in exchange for the wine.
So give me some of your answers.
What items do you think the app told you not to forget?
What two things do you think you would need in order to get that wine?
So I'll give you all the answer, since I can't hear you back.
You would need money, of course, to be able to pay. Maybe you already paid online, or you will be paying in person with a credit card or debit card when the delivery driver comes to you.
And then you will also need your ID, and of course you forgot your ID, which is super annoying.
The delivery driver is like, man, I don't have time for this. I can only spend a certain amount of time at each house.
So you need to hurry up. So you run up the stairs.
You're like, let me go get my ID before he leaves me.
And he can leave, but he's like, whatever, I'll risk getting fired and I'll stay.
I'm being a nice person.
So I'm curious, from you all, or just reflect on your own: have you ever ordered any alcohol online?
And what was your experience like?
I'll dive in deeper to me and who I am.
My name is Rizèl Scarlett.
I am a staff developer advocate at a company called TBD.
Yes, that is the real name.
It's a company owned by Block.
So Block owns Square, Cash App, Tidal, Afterpay, a couple of other companies, including TBD.
I don't necessarily drink alcohol, but I know some tips on purchasing booze with a JSON Web Token, and it'll tie into mobile driver's licenses.
You'll see.
If you want to connect with me, my handle is @blackgirlbytes on most social media platforms.
So we're going to talk about JSON Web Tokens. We'll talk about a specific kind of JSON Web Token, how it works, how they're being used, and the various challenges.
We'll build that special type of JSON Web Token together, and because we're online, we won't be able to do the interactive fun and the swag, but that is okay.
You'll still come away with learning something.
In terms of JSON Web Tokens, the acronym that people normally use is JWT.
I'm not sure if you, from the audience, know what JWTs are, but I'll go into them a little bit so you can understand.
And also, I wanted to let you know, sometimes you might hear someone say "J-W-T" or "jot".
It just depends on how they prefer.
I will say JWT.
A JWT, or JSON Web Token, is a secure way to share information between two parties online.
So it will often look like this alphanumeric string.
But you may notice it has two full stops separating different parts of it.
So the first part is the header, the second part is the payload, and the third part is the signature.
So as you can see, the header will tell us what type of token this is; I'll go to the next slide here.
In this case, it's a JSON Web Token using a specific algorithm.
And then the payload, which is the second part, will basically be the data that we're sending over.
So in this case, we're sending over that the name is John Doe, and whatever iat and sub are, we're sending over this string of numbers as well.
And then the last part is also important.
This part is the signature, and the signature is verifying that the data wasn't changed along the way.
Now you might be familiar with a JSON Web Token if you've done any authorization or authentication.
When you're building web applications, you might have seen a bearer token, and that's oftentimes a JSON Web Token.
Not all the time, but sometimes.
Now, people often get confused with this, so I just want to give people a quick tidbit.
People sometimes get confused about whether a JSON Web Token is tamper proof or tamper evident.
So let's figure it out together, right?
Tamper proof means that something is designed to completely prevent unauthorized access or changes.
So that means you can't make any changes if you don't have the authority to.
However, tamper evident says, all right, you can make some changes, but it shows clear signs that unauthorized access or changes have occurred.
So you can make changes, but it will tell on you if you made those changes.
So we're going to go ahead and try this out and see how this works.
I'm going to copy this JSON Web Token and we're going to go to jwt.io.
This is a website that I like. It basically shows us the encoded and decoded version of a JSON Web Token.
Let me zoom out just a bit so we can see it better.
This is a website that Auth0 crafted, and I really like it.
If we paste this JSON Web Token in, we can see here on the left side the encoded version, and then it gets decoded on the right side.
Oh, cool. It's a JSON Web Token using this specific algorithm, which is cool, right? EdDSA.
And then it has some information in it, right?
It tells us the name, or the data we're sending over: the name's Alice Smith.
The completion date is June 18, 2024, expertise level beginner.
So that's some of the data we're sending over, and then it shows us the signature to verify that it hasn't changed along the way.
But let's say I'm like, let me see if I could try to change the data.
I don't know what some of these letters are, but I'm going to be hacking my way in.
And maybe I don't want it to say Alice Smith. Maybe I want it to say Rizèl.
So I'm going to try to delete some letters and type Rizèl.
Oh, wow.
We see that the data, the payload that was being sent over, is now looking a little weird.
We have different characters in different languages and question marks.
It's giving Wingdings from Microsoft Word.
So looking back at that experience and how things changed, do we think that JSON Web Tokens are tamper evident or tamper proof?
And the answer here is that they're tamper evident.
And the reason I say this is because I was able to change and edit it, but it showed clear signs that changes had occurred.
Okay, so now I want to talk to you very quickly about the W3C.
If you aren't familiar, that stands for the World Wide Web Consortium.
The creator of the World Wide Web, Sir Tim Berners-Lee, also helped to form the W3C.
And this is a group of groups, a group of working groups, that are deciding different standards for the web.
So they're setting standards for how we're going to write CSS on the web, how we're going to approach accessibility, and so on and so forth.
That way, we're all on the same page.
There's also a working group for folks focused on digital identity.
As we're moving to a more digital state, and as things are getting more and more advanced in terms of digital, we're also having this option, or this reality, where we don't just prove our identity in physical format.
We'll have to also do it in digital format.
So there are people coming together to think about that.
So they've come up with a specific standard called verifiable credentials.
And I will describe this for folks as a special JSON Web Token.
So verifiable credentials, officially, are digital proofs used to confirm specific facts about individuals, organizations, or entities.
And I like to expand on this a little bit more just for people to understand: they are basically digital representations of paper documents.
So like a digital version of your ID, degree, driver's license, health insurance card.
And so here's an example, right?
Auth0. They do a lot with verifiable credentials, as well as TBD, or they are expanding and experimenting a lot with it.
And here's a little prototype they made.
So this could be a verifiable credential, for an educational one, for a diploma, right?
Proving that Hannah Hurwitz got her diploma in electrical engineering.
She graduated with honors on June 15th, 2019; this will expire on March 1st, 2025.
And she got this in the United States, and it came from Socrates University.
So that's just a little example, right?
And the way it will work is it'll be a verifiable credential that gets stored in your phone's wallet.
Kind of like where you store your debit card, or your gym membership, or a ticket to a basketball game in your Apple Pay wallet or your Google Pay wallet; your verifiable credential could live there as well.
And at the end of the day, many verifiable credentials, not all, but many of them, are just cryptographically signed JSON Web Tokens.
Some of them are using CBOR, which stands for Concise Binary Object Representation.
It really depends on the company and the purpose of that verifiable credential.
But we'll talk in terms of JSON Web Tokens, because that's the focus today.
So I wanted to let you all know.
Remember that example where I was talking about ordering alcohol online?
Angie Jones actually did this.
I don't drink alcohol, but my boss, Angie Jones, actually told me about this, and my mind was blown.
She actually paid for and got alcohol online by showing her mobile driver's license on her phone.
So she didn't have her physical ID, she showed it on her phone, and behind the scenes, the technology behind a mobile driver's license is a verifiable credential.
So I'm curious, for anyone in the audience.
I wish I could see your response, but I'm curious who has a mobile driver's license and who doesn't.
And we can take a look at the states in the U.S. right now, and Canada, that are working on mobile driver's licenses or implementing them.
The ones in purple are the ones that are like, we have mobile driver's licenses, we like it, or they're experimenting with it and stuff like that.
The ones in green are more in this attempt to execute legislative study or activities.
So they're like, maybe this will be something that can work for us; we're going to look into it legally, with our governments.
And then the ones in gray, like my state here, womp, they're not even thinking about it, which sucks, or there's no information available.
But I just like to look at this to see the progress that's happening in North America for adoption of mobile driver's licenses.
So we see that mobile driver's licenses, or at least I hope we've seen that mobile driver's licenses, are convenient in some way.
In addition to, oh, they're just in your phone's wallet and you can pay for and buy some alcohol with it, we saw that educational diploma as well.
And I think another benefit there in terms of convenience is, let's say your school shut down, maybe due to a natural disaster, or they just didn't have enough money to go on.
These are all realistic situations that do happen.
And your job wants to call and ask for proof that you really went there, but there's no one to call.
There's no one to ask for proof.
So you have this verifiable credential that can withstand the test of time, withstand that natural disaster or whatever; it's in your phone.
Easy to prove.
Makes your background check process go easier.
So that's that convenience layer.
But there's also the option, or the idea, that there's selective disclosure.
This feature of selective disclosure with verifiable credentials, you may not know what it is, but I'll explain it to you.
So I don't know how many people here have watched You on Netflix, but it's centered around this guy named Joe, who's essentially a stalker.
He's a very in-depth stalker.
And I can just imagine if Joe was a bouncer at a club, or just checking your ID for a bar, he would easily just memorize your address on your ID and everything.
And so we end up going to bars and clubs and giving away more information than we need to.
We don't know how many Joes are out there that are just consuming information about us and potentially breaching our privacy, but they really don't need that information.
They don't need our address.
They don't need even our full name.
They just need to know that we are truly over the age of 21.
So there's this feature called selective disclosure where you only disclose the necessary information that the verifier is looking for.
So here's an example.
This is from a different company that uses verifiable credentials, but this is a verifiable credential passport, right? Or a passport in the format of a verifiable credential.
And what this person is revealing is their name, Preet Patel, their date of birth, June 20th, 1989, and their gender, male, but they're not revealing their birth country, how long they've been a resident, their identifier, or how long this is valid until, because that information, in whatever situation they're in, is not required.
So it says only the required information from the credential is shared.
So that's one feature that's really cool about verifiable credentials, where you could say, I don't want to share anything that they actually don't need to know.
We're on a need-to-know basis.
All right.
So the flow of a verifiable credential looks like this.
First off, you need to know the three roles that get played in the flow.
So you have an issuer; that's the legal organization or entity that created, issued, and signed the VC.
So not just anyone is making VCs, or verifiable credentials, up about you.
It's usually someone that is trusted, an organization that is trusted.
And then you might have, let's say, the Department of Motor Vehicles, a passport office, a college, stuff like that is what's trusted.
Then you'll have the holder, or the subject, which is who the verifiable credential is about.
And then you have the verifier.
That's the person or the organization that's requesting proof.
Maybe it's your job requesting proof that you did get that educational degree, or maybe it's the bartender or the delivery app driver that's saying, Hey, we want to make sure you're over 21, so we're not actually giving you alcohol when it's not legally okay.
So here's how it would go.
Let's say you go to the DMV.
This is your trusted issuer that would be able to prove that yes, you're over the age of 21.
Then you would ask the DMV, hey, or the DMV would create a verifiable credential for you stating you're over the age of 21.
The DMV will digitally sign the verifiable credential, which will convert the verifiable credential into a JSON Web Token.
This way it's tamper evident.
People can't tamper with it. No one can go in and edit it and say, Oh, I'm changing it, because it'll have proof that it was changed.
And then you store that JSON Web Token in your phone.
Then you show the verifiable credential to the bartender.
The bartender scans the VC and programmatic checks then occur, so the bartender would be the verifier, and they have some checks in the background checking: Is this verifiable credential expired?
Does this come from an issuer we trust?
Does this have the information that we're looking for?
Is this person actually over the age of 21?
Things like that.
So there's those programmatic checks in the background, and maybe the bartender sees it as a Boolean true or false check mark, depending on how the system is set up.
Now, I did talk about alcohol as a use case for this, but there are so many additional use cases that I found interesting.
So I'll just share a couple with you.
One is the pharmaceutical supply chain.
Now, if there are any pharmacists listening in, I am dumbing this down. I'm simplifying this.
I'm not in the pharmaceutical industry, but from what I've learned, to stay stocked, pharmacies exchange medicine with each other.
So let's say Walgreens says, Oh man, we ran out of Xanax, and they hit up CVS, and CVS is like, yeah, we can send that to you.
But there's a whole process involved of, okay, first we need to make sure the medicine they're sending over is legit, we need to make sure the pharmacist is legit, and we need to make sure the pharmacy is legit, right?
So this process is pretty long, tedious, annoying.
And I recently talked to the CEO of a company that's focused on verifiable credentials called Spherity.
And what they've done is they've enabled pharmacists to use verifiable credentials to prove that medicine is real, to prove that the pharmacist is real and the pharmacy is real, speeding up and streamlining the process, which I thought was cool.
There's also the Content Authenticity Initiative, and this is a really cool thing as well.
Right now we know that in the world a lot of things are AI generated.
It's really hard to prove: is this image or video real? Is this content real? I don't know.
So with content credentials, you're able to add this little watermark, this little icon, on your images; hover over it and you'll be able to get information about the image.
So you'll be able to see, Oh! This was produced by Jane Smith, and this exists and lives on her accounts, and some other information maybe.
And if it wasn't produced by her, it'll give information that, Oh, this is actually an AI generated image, just bringing more transparency to what we see online.
And the Content Authenticity Initiative is so cool.
A couple of companies are working on this together, like Adobe, as we've seen, Nikon, Sony, Microsoft, even some news stations like Fox and all that.
So I'm really excited to see how that continues to progress.
I also recently talked to a native tribe that's basically using verifiable credentials to help people within that tribe establish their identity and their businesses, just proving that, Oh yeah, this is who I am, this is my business.
And they're doing this for what is called special economic zones.
And then, I think this is the last but not least. Yeah.
Last but not least is the European Digital Identity Wallet.
Europe is going all in on embracing verifiable credentials.
And what they're doing is they're coming out with a digital identity wallet so that all citizens, residents, and businesses have the opportunity, optional, not required, but they have the ability to store any documents that they have digitally in their phone.
So this is really cool: from their diplomas to insurance to any travel documents, just making their lives a little bit more convenient and securing their privacy.
So I want you to think of any ideas of what you might use a verifiable credential for, and while you do, I'm going to go ahead and try to build a verifiable credential with you.
If I can exit this.
All right.
What I'm going to do is move over my, here we go.
So right now I'm going to use, and I'll zoom in just a little bit more, the Web5 SDK.
TBD made a couple of SDKs. This one's called Web5 Credentials.
And what we're going to do is build a verifiable credential of our own.
There's other SDKs you can use, but this one is cool as well.
So first I'm going to go ahead and run this.
And what this does is it's setting up something called a decentralized identifier.
This is our unique identifier that proves who we are.
The URI is simply just a string, but there's other cryptographic methods that are going on behind the scenes here that I'm not going to take too much time to explain, but just know that it's basically saying, hey, this decentralized identifier is connected to resolve.
Okay.
Next thing we want to do is we want to actually create our verifiable credential, so we can say something like const vc = await VerifiableCredential.create.
And then we're going to put in the type, and we can say this is a workshop attendee credential.
We're going to say who issued it.
So this is a little weird and unorthodox.
Probably not a lot of people would do this, or there's not a lot of use cases for this, but we're going to create a self-signed verifiable credential.
So I'm going to be the issuer and the subject of the verifiable credential, meaning I'm going to create the verifiable credential, issue it, and give it to myself.
Again, so the subject, so this is my identifier for the issuer, and the subject is me, and this is just for demonstration purposes.
Then we'll put an expiration date as well.
And maybe we want to add in some data about who this is about.
Oops, if I could type.
So we're gonna say, let's say maybe name, and my name is Rizèl Scarlett.
We can say the location: I am in Massachusetts.
We can say conference: Conf42 JavaScript. Aha, nope, Conf42 JavaScript 2024.
And then event date: today is actually October 25th. And issuer name is Rizèl.
So I received it and I sent it.
Okay, so when we see what gets printed out, it's simply just going to be JSON.
So let's go ahead and console.log this: console.log(vc).
So here we see the verifiable credential result.
All of this is just some JSON.
But what we want to do here is the magic here: we want to sign the verifiable credential with our unique identifier, and that's going to change this into a JSON Web Token.
So we're going to go ahead and run it.
There we go. We have our signed verifiable credential. That's a JSON Web Token.
We can go and evaluate this, just so you know I'm not lying to you.
Let's make this a little smaller, and I'm going to paste this in and see if the data that I wrote is in here.
Let's make this... There we go. Here we go.
We have my name, Rizèl Scarlett, Massachusetts, the conference that we're at.
Oops, I messed this up.
The conference that we're at, the event date, etc.
Alright, we got to see that this is a real JSON Web Token.
Let's go back to our code, and we can present this.
So let's say we present it to a verifier and we want to save it in our phone.
So I'm going to go ahead and drag this over, and this is like a demonstration.
So we'll paste this in.
We'll say present our credential, and we can check the console.
Whoa, super huge. I made this big so you all will be able to see it.
Cool.
All right, and what we got back, I'll zoom in a little bit more on this side, is our verifiable credential that I'm storing in my phone, where I'm like, okay, this is Rizèl, Conf42, event date.
I think I put the 24th of October when I meant the 25th or whatever.
That's cool.
And then I can present this verifiable credential to prove that, yeah, I attended a workshop and I want to get swag back for it, or whatever the case is.
This is the idea around verifiable credentials, how they work, how JSON Web Tokens are the technology behind the scenes.
None of this is something new, or it's not using new technology, but it's creating a new experience for everyone.
So I would encourage you, if you would like to dig deeper into stuff like this, to go to developer.tbd.website, and you can learn more about how verifiable credentials work: what are they?
We have this awesome video on it, how to issue verifiable credentials, and more.
It's really good documentation, good reading to understand and learn how this works.
I want to thank Conf42 for giving me the platform to speak, and I want to thank you as well for listening.