
Mister Beacon Episode #129

Digital Identity with Ramesh Kesanupalli

September 28, 2021

Today we’re talking with Ramesh Kesanupalli, who is the Co-Founder of the Accountable Digital Identity Association (ADIA), about the benefits of a single digital identity for accessing all accounts over the internet. Not only is this a much easier way to access all your accounts, it is also far more secure, preventing fraud and bringing accountability to the real world.

Listen along as we discuss various aspects of cybersecurity, current authentication technologies like FIDO, and much more.

Transcript

  • Steve Statler 00:00

    Having strong digital identity is becoming increasingly important. It's the Root of Trust and the foundation for the Internet of Things. The digital world, even the physical world where identity fraud, and bad behavior result from this lack of an accountable digital identity. In this episode of Mr. Beacon, we're talking to Ramesh Kesanupalli, who is one of the co-founders of the Accountable Digital Identity Association. He's also CEO of Digital Trust Networks, one of the companies that is implementing this standard that's being adopted by some very large players in the healthcare industry and elsewhere. He's also the founder of the FIDO Alliance. So very knowledgeable, right at the center of it, and we get some time with him to bring us up to speed on something that is going to become increasingly important to anyone that is designing digital services in any form. Hope you enjoy it.

    The Mr. Beacon podcast is sponsored by Wiliot, intelligence for everyday things powered by IoT pixels. Ramesh, thanks so much for joining us on the Mr. Beacon podcast. We're here today to talk about accountable digital identity and the ADI Association that you are a co-founder of. Thanks very much for joining us on the show.

    Ramesh Kesanupalli 01:44

    Sure. Thank you so much for inviting me.

    Steve Statler 01:47

    Well, let's start off. We can talk about why this is important in a little bit. I mean, and let me, let me summarize to say, a number of us in the IoT community are creating services, which will mean that more and more of what we do is online, we're connecting everything to the internet. And that implies more accounts that people are signing up for. And we all know that that process is somewhat painful and risky, there's a huge amount of identity theft going on. So how do we overcome that problem? I believe that there's fundamental changes needed to make to streamline it to make it more secure. And so I was excited to hear about accountable digital identity as a potential solution, some of these friction points, you know, how many accounts can we reasonably have? If each one is separated? Is it 50, 100, 1000, 2000? There are limits. So ADI, I think, is important. I think it's a really interesting topic, it takes a bit of thinking, let's maybe start off with you talking a bit about what ADI is, at a high level, we'll probably revisit it, then we can talk about why it's needed, and then how it works. But what is ADI?

    Ramesh Kesanupalli 03:17

    So actually, that is a good context that you set initially about IoT and identity. ADIA is about bringing accountability to the digital world, not just digital world, what we are doing here can also be used in the real world. A simple example could be when you walk into Wells Fargo Bank, if you want to open an account, they asked you to give you three pieces of two pieces of photo identities. Those photo identities can be anything actually, our and they also probably last few. If you are, say you're applying for a loan, they will ask you what's your employment and give me your employment letter. It is not difficult to type an employment letter that I'm working for, you know, XYZ company tomorrow. It's not I can just download their logo from the web and put an employment letter that I worked there and I asked my Steam friend Steve to sign up for it. And use Steve's number that if you have questions, please call Steve. You know, from the from the bank standpoint, the responsibility from regulation standpoint is I just need the copies of this and file it and open the account. They're not they don't have means today to efficiently and quickly check if the documents that are provided are accurate or not. A driver's license can be faked today, I can get a driver's license that is fake. I can create a photo identity with my name and your picture on that, you know, anything and everything that we're saying there has to be a way to for us to quickly check. You know, it's not like, we are going to have these relationships and then go to open a Wells Fargo Bank account, you won't go there for four to six months, try to understand teller and then make friendship that way, they will know you and then open an account, it's a one time transaction, you go and open account get out. In that 115 minutes, you're there, they must understand every information that you're providing is accurate. And it is verifiable. Yes. It's just not there today.
    And similarly, when somebody tells you they went to me recently, you've seen the Yahoo CEO educational qualifications, scandal that happened and he was dead gone. When people say that I went to Stanford to finish a college degree or something, how do you know he actually went is LinkedIn the right way to go check it, I can write on LinkedIn, whatever I want. So there needs to be a way for us to be so what ADIA is trying to do is actually provide a framework for a strong digital identity, where when somebody says something, you can check it, if there is a fraud, you will be able to, you know, we'll find out who that person is. And then you can hold him accountable for. So we are trying to bring accountability to the digital world. And what we are doing there can also be used in the real world to increase the trust and efficiency and accountability.

    Steve Statler 06:29

    So success in what you're doing means there's gonna be less fraud, less identity theft, and presumably, the process of using this strong digital identity becomes easier. So if I have 100, 1000 different accounts, if I have a digital relationship going forward with the company that I buy herbs and spices from, as well as who I get my electricity and gas from that I need. The whole thing needs to be streamlined. And part of that is making sure it's secure. Was there kind of a what was the catalyst that persuaded you that the status quo was not acceptable?

    Ramesh Kesanupalli 07:14

    So as you probably know, or you may not know that I founded FIDO Alliance before this. FIDO Alliance was all about how do you make sure online authentic authentication done more securely, more easily? FIDO Alliance today is an international standard FIDO protocol. And it's there in all operating systems now. All the browsers. So what we tried to do, there was hope to fix the authentication online, like you just mentioned. Yeah, on average, people have 150,000 accounts, and then 50 100 250 accounts, online accounts. And we probably use two to three passwords for and recycle all of them. They're like you're mentioning, you are buying herbs from somebody and you're also buying, you know, on lining online. Now accessing Wells Fargo account, it's those two passwords happened to be the same. And Wells Fargo has a different risk profile than herbs. And your password is compromised on herbs, you are compromised on Wells Fargo. The root problem here is the password. So that's the approach that we took when trying to fix the authentication problem. If you take out the password, then you have nothing to you know hack into that for us.

    Steve Statler 08:37

    So that's pretty well established standards. You can you name some of the entities that are part of Fido that are actually implementing it just to give people a sense so that Apple,


    Ramesh Kesanupalli 08:47

    Microsoft, Google, Mastercard, Visa, Discover, American Express, Wells Fargo, Bank of America, RSA, IDEMIA, fighters are close to about 260 companies somewhere in the Alliance, there is plenty that is branded is not part of FIDO Alliance today.

    Steve Statler 09:07

    And part of FIDO is kind of eliminating the password as a way of authenticating with a single service provider. So ADI is about kind of identity across multiple service providers. But the FIDO thing which is kind of that settle that's done that's dusted this huge momentum around it. But just to finish off, so that people can move past FIDO having a feeling that they understand it. How can I log in if I don't have a password?

    Ramesh Kesanupalli 09:41

    That's really good. That's exactly the same question. First time when I talked about FIDO to people, eight, nine years ago, how do you log into the system if you don't have password? So what we do is we actually establish a cryptographic relationship between the device that you're using the service that you're meaning to access to, and then you are establishing your identity and account credentials through your phone that are bound to your biometric credentials, your like your facial recognition, and your biometrics without actually sending any of your biometric data to the server. So what you do is, you tell your device by a graph made biometrically, who you are, and that phone already knows you. Now, you will tell your phone, hey, here is the service that I use. And here is my account there. But earlier I was using password. Now put me on FIDO, when I say put me on FIDO, your device actually creates a relationship with the backend server or service that you're using. And then it will say it will share a cryptographic key, it happens on public key private key infrastructure, it creates a specific key cryptographic key for that particular service. And that such key is what gets sent to the service and the corresponding private key actually stored on the device. And your biometrics are bound to that. That key only gets released when you authenticate yourself biometrically on your local device. Once you do that, there is a something called challenge response that happens between the server and your device, where they use those keys that you share to exchange the cryptographic challenge and response. That is how you prove yourself to the server. I am Steve, I am Ramesh. So what you do is you prove to your device that I am Ramesh and device that will prove to the service, yeah, I am coming from such rubbish that is done completely cryptographically there are no shared secrets, there are no passwords after that anymore.
    And each time the challenge response goes back and forth. Each time it is different. So if anybody listening in between each time they will listen something else. So there is no way they can actually keep track. And you know do some kind of dictionary attacks or replay attacks on that.

    Steve Statler 12:18

    So ADI builds on FIDO. Do you have to be using FIDO to use ADI?

    Ramesh Kesanupalli 12:27

    To make it bulletproof stronger, we encourage that FIDO to be used because FIDO is what brings the human binding into the account. Then obviously, you can use other methods of authentication, but none of them have human binding to it. The currently the authentication processes happen. There is some implicit authentication there is explicit authentication. Implicit authentication is primarily trying to understand which network you're coming from, which device you have coming from, what is your behavior patterns? What are your movement patterns? What is your GPS location? Those things I'm trying to get you without actually knowing who you are. But when you use user ID password, I know who you are. But most of the websites without even actually providing your user ID password. They already know who you are. Yes, because of the other signals that they see. So so let's but none of them have human binding. The same things behavioral thing at home, if you and your son, if your son is using your phone back-end service won't know that it is not you it is your son, he don't know. So this is where FIDO comes in and brings that brings in that additional human binding that is conventionally stay for last 40, 45 years. The internet infrastructure and online infrastructure has evolved as a contouring tool infrastructure. It's credential oriented infrastructure. There is no tie in back with human. So if I take your account credentials and login, I become you Miko, we never cared about actually binding that account with the user. That's what FIDO does.

    Steve Statler 14:16

    Right? So FIDO gives us this multi factor authentication. It's kind of a stronger way of authenticating yourself with a single service provider. Yep. So job well done. You've got eBay, you've got Amazon, you got Apple adopting that standard. What was the problem that kind of spurred you on to go beyond FIDO to ADIA?

    Ramesh Kesanupalli 14:44

    In 2019, when there were a lot of attacks that happened on Equifax and a few other attacks online and World Bank was trying to deal with the identity problem and there are many institutions who will have I've been trying to fix this identity problem. And they approached FIDO Alliance to see, you know, we can actually, FIDO can actually define an identity framework. But FIDO is laser focused on fixing authentication. They are not about identity, although we are looking into KYC process etc now, and we also have, by the way, FIDO for IoT, that's, that's another thing that that's happening there. But we will not necessarily focusing on identity. So now at the time, when looking at the dynamics of what's happening, I thought, This slidingly is a very interesting thing that needs to be fixed. Like I was always mentioning, FIDO fixes the integration of an account, but it doesn't attach an account with, you know, bring a human factor into that, with respect to human identity, that's not there. So that's when I thought, you know, it's, it's a very interesting problem. And more and more, our lives are becoming digital, we don't have real world, like the way that we know real world. In the rearview mirror, when you and I were looking for jobs, there is no way that you can get a job without actually going physically and doing an interview. Here now you are hiring people whom you never probably would never meet. But the world has changed. The world has changed. And, and the digital world somehow, we evolved that as a separate kind of a world not having a parallel to the digital in the real world. In the real world. You know, if you need to do something, only you can do it, you can't send somebody else on your behalf and do it. In the digital world, somebody can steal your account credentials, and they can become you. That's what is happening with all these hacking and all that stuff that's happening today.
    So now, we have evolved the we have come to four which is good for us where that's why, you know, the information connectivity, I've improved quite a bit. But it's now time for us to go back and see what is causing all the problems that we're having today with respect to identity fraud, more than identity fraud, the nice new thing, that new phenomena that has happened, which is actually disturbing, the human dynamics, that's why I was mentioning earlier, we still have good people more in this country than the bad people who start stealing general word, but we are getting there. I said by that what I mean is disinformation, misinformation, getting people you know, against each other, putting bad information, wrong information. People are doing that because there is no accountability. Yes, in the,

    Steve Statler 17:55

    if you're anonymous, then you can say whatever you like. But if your identity is associated with this, then you have accountability, you start telling lies, then you can be held for liable. So I mean, I don't want to flog a dead horse. But tell me is that really what is the difference between identity and authentification? authentication? What is identity from your perspective,

    Ramesh Kesanupalli 18:19

    identity is about actually establishing who you are. And that is bound to a person, not as a credential, not as a person. A online account, if you share the credentials with somebody else, then that somebody can be you.

    Steve Statler 18:38

    What's the what are the attributes of identity, then

    Ramesh Kesanupalli 18:41

    identity is about having a representation like it's almost like identity in the real world is birth certificate for you. And we don't have anything like that in the digital world today. Right? When you were born, your identity was created for you by somebody else, it's not something that you created.

    Steve Statler 19:05

    Right? That's the what is identity? What does my identity look like in this ADI world? Can you simplify it from that perspective?

    Ramesh Kesanupalli 19:14

    so on obviously, on the digital world, if we want to be secure, and if we want to be real, that is identity oriented? in the digital world, everything is ones and zeros, as you know. So how do you create a cryptographic representation of you using some of the attributes that are unique to you. So it's like your first name, last name, middle name, your date of birth, maybe your social security number, there are enough attributes of you that only you own them, that that represent you. Nobody doesn't represent anybody else. So making sure there is a cryptographic representation of you created out of those unique attributes which can only be claimed by you. That is created only for you. And that can only be delivered to you, which we call digital address.

    Steve Statler 20:20

    Okay, and what does that digital address look like? Is it like an email address or something is

    Ramesh Kesanupalli 20:25

    a like an email address without dot something, it is like john doe, at a service, which is offering this digital address service is the format of john doe. For instance, my company's called Digital trust networks, our product is called gt x. So it will be like if you get a thing, you can name whatever you want, we don't want you to use x. for privacy purposes, we don't want you to use the name Steve, you something else. San Diego, great, San Diego, great. Riverside weekend or whatever, but you want to give that user friendly name that you want. But it will be at the rate dy dx dt, x happens to be the platform.

    Steve Statler 21:12

    So I have this name, separated by some some dots, a GTX. Yeah. And that lives with me and I use it for everything right? Do I have multiple?

    Ramesh Kesanupalli 21:26

    Yes, that is the, it's like in the real world. It's only one you. When you talk to Wells Fargo Bank, you have a different context. When you go to Stanford facility, medical facility, you have a different context. But it is saying you can all go to Stanford and say give me money, you don't go to Wells Fargo and tell me Give me a vaccine.

    Steve Statler 21:47

    Right. And so this identifier is something that how does that relate to my social security number, my driver's license number, things like that.

    Ramesh Kesanupalli 21:59

    So when we try to create your digital, the cryptographic representation of you initially, we use that information and do a single one way hash, we don't keep any of your personal, we don't want to know you, we want to actually create a cryptographic representation of you. And that cryptographic representation of you can be created by the trusted sources that you already know who you are, you are a company that you are working for you but you are working for knows who you are. Otherwise, they won't put you on the payroll. Yes, then you student, if you are a student, the university that you are going to regularly, they know who you are. Otherwise, they won't enroll you. So they have enough information about you. Your bank has inappropriate information about you, your medical facilities and your physician. All these people know who exactly you are. Your driver's name, DMV knows who you are, the sources where they know who you are, any one of them will be able to bootstrap and create that digital representation of you. That is created from your attributes that only can be active created for you, that can't be created for me. Once that is created, it gets delivered to you once get delivered to you, you bind it with your FIDO to the back end service. That way there will be human binding, it is not only created by rights that are people rights it away, it is delivered to you in rights away through a trusted channel, then you enroll yourself with that key. This is my birth. It's almost like when you were born, you had the birth certificate, you go to elementary school and show that birth certificate and say create an element of school identity. For me. It's exactly the same, your cryptographic representation is created. You bind it and you become part of this ADIA citizenship.
    Once you become part of ADIA ecosystem, use the cryptographic representation and say, This is my this is me, give me my employer credential, give me my student credential, give me my student diploma, give me my bank account. Give me my you know, everything that belongs to you driver's license, passport, now can be delivered to that particular cryptographic representation.

    Steve Statler 24:20

    So we've got sort of in our data model, we've got users that have identified citizens that have identities. And then we have these trusted providers of identity the DMV, the passport authorities, your employer, what what how would you describe them in your data model? What's the buzzword that you use to describe?

    Ramesh Kesanupalli 24:43

    We call them trusted issuers,

    Steve Statler 24:47

    Trusted issuers, okay.

    Ramesh Kesanupalli 24:49

    And you want to verify them we call service providers, and in some cases, your issuer may also be a service provider.

    Steve Statler 24:58

    Yes. So this Service Provider might be an online store or someone that wants to know who you are presuming Yes.

    Ramesh Kesanupalli 25:05

    It's like, let's say you are going to, you just moved into this country, you want to create an account with Amazon. Yes, today you can put any name and create anything that you want. If Amazon wants to be good, they want to know about you as a vendor who is selling stuff on Amazon. They can say prove that you are actually Steve. Yeah. When you say them, they say prove that you are actually Steve, then you can say, here's my driver's license, go check it.

    Steve Statler 25:35

    Yes. So how does this world look different? Fast forward, and you've got as far with ADI, as you have with FIDO. What does that process look like? Where someone say someone is trying to steal my identity on Amazon, I have this digital identity, and they're trying to impersonate me and buy a whole bunch of stuff, using my identity or to apply for a credit card or something, use my identity, how do you stop that bad stuff happening in this new paradigm?

    Ramesh Kesanupalli 26:11

    So there is always say, other side of the story who are actually providing the service, let's say I'm trying to create an account for you of using your names in this ecosystem, when I go to Amazon, or when I go to Chase Bank to apply for a credit card, issuing the Dell embrace SDI, if I put Steve says type in your name, and then your social security number, somehow I was able to catch all of that, when they put it the Register button or apply button before that, they will be one more button which is called prove you're Steve. When you say prove you're Steve, you have to talk to and say here's my credential, whatever. Anytime. And every time something somebody claims that comes to your interchange are your cryptographic key, there gets a notification for you, hey, somebody is trying to access this information. Do you approve that? So as long as that key they're using, the notification comes to you, if Ramesh is trying to steal your stuff, you get a notification on your phone. You're applying for a Chase Bank account, would you like to approve it? Then you say, I'm not doing this. I never applied, you hit the no button, the thing will be

    Steve Statler 27:39

    okay.

    Ramesh Kesanupalli 27:42

    Any time any time in anybody who uses anything in this ecosystem? You always get a notification saying somebody is trying to do this, would you approve it?

    Steve Statler 27:54

    That makes sense. So I get a way of being notified every time someone claims that they are me. And so that way I can defeat identity theft. What are the you know, what are the options? What does this look like from a service provider's perspective, I mean, they you have people like Amazon and Facebook and they probably want to be the source of identity that we all use is that they essentially the competition for what you're doing.

    Ramesh Kesanupalli 28:29

    Actually, every one of them wanted to be a want to be identity provider. But the problem is you have to create an ecosystem where the consumer was the identity not these entities and big corporations. The end they have to have pride right kind of security and privacy models and that your consumer is comfortable with you know, I wouldn't be comfortable using login with Facebook for my field. But Wells Fargo will never be such a man sorry for using specific names. a financial institution will never be comfortable using a social networks. Login with social network not going to happen.

    Steve Statler 29:14

    Right? And I'm probably me as a user, I may have a few concerns about giving Facebook or even more information about what i what i do so I can see why I would want a disinterested party that is this the the way of proving my identity that makes sense. Yeah, the

    Ramesh Kesanupalli 29:35

    thing is for if you want to really do identity correctly, there needs to be interoperability. It cannot be owned by one entity, one network, one company, it has to be a neutral place. It has to be like today, a simple chat sessions. A Skype ID cannot talk to a you know a Google Chat ID a Google Chat. It cannot talk to you First time I did, every one of them is silo. You know, and if you if you are on AT&T and if I am on Verizon, if to need to talk to you, I don't have to be also on AT&T, I can be on Verizon, I'm able to talk to you.

    Steve Statler 30:18

    So what is the difference between what we're describing here and single sign on, there's a lot of players that are competing to be the single sign on providers,

    Ramesh Kesanupalli 30:30

    We're not necessarily in the single sign up kind of business. This will actually add value to all those Single Sign On mechanisms where, again, like I was mentioning earlier, those were all account oriented infrastructure. If you are first, that's where FIDO adds a lot of value. If your first mile is compromised, everything else is compromised. See, if the single sign on if I am able to log into one of my services in an enterprise, if everything else is single sign on it first mile is broken, I have access to every 25 other services that are out there. And that single sign on came into picture we got and samples came into picture because the enterprise don't want to ask us each time to put user ID password that's convenience and friction, convenience and friction etc. That's what pushed the Federation's in the samples in elastic. This is where FIDO comes into picture. Each time when you want to go to single sign on access or more services, you don't have to ask the user to put user ID password again anywhere even is just FIDO a single gesture will reduce the friction and increase the security that's where FIDO is extremely effective. If you're using an SSO, or if you're using a federation can our model just don't allow the first guy me the guy who already crossed the first mile let him not go into your locker and your kitchen and yours you know all the other places when he's going there. Again, if you have a security guard asking something in complicated stuff, that's user friction, people walk away easily just saying a gesture high kind of a thing, then there won't be any problem. See, historically, we have added more and more layers to make things more security at the expense of user behavior. FIDO is the first protocol which came back and said I'm going to increase your security and guess what I'm going to make it extremely easy

    Steve Statler 32:32

    right as opposed to the opposite normally more security means incredibly long passwords the change constantly and all that stuff which means that you end up

    Ramesh Kesanupalli 32:43

    Yeah, yeah, no, what we're trying to do is not that we are actually ADIA is about your identity and your personal data. It's not about services it's your personal data at your identity. And you when you go to Paris they lost your passport you type a passport copy there then vanish you fly to London check into a hotel he will give you a copy of passport again there. Do you know where they're storing if they are storing properly are they storing safely are these days sharing? How do you know whether they're being careful or not? We are spreading our personal information everywhere. Yesterday I went to a COVID test because I'm flying to Korea tomorrow on Saturday there are three different sites where they had to give my personal information one is Santa Clara County where they asked me to book an appointment after they drove me to a a testing site where there is a testing facility a testing lab again they have to give them all the personal information and after the test is done it went to a different state database and I had to put my name again there to get my report so just between yesterday and today I gave my first name last name middle name, phone number and date of birth for different places

    Steve Statler 34:03

    yeah so I so that's a very important point so in this new approach then I'm not having to hand out my social security number to so many institutions I'm really

    Ramesh Kesanupalli 34:19

    letters just to give them the digital address I'll tell you one more example recently there was a two weeks ago there was not kill one of them is on vendors actually didn't like the review that a consumer wrote and he actually went and beat beat up. This happened actually two weeks ago There are only five people Steve who five to six people who need to know your physical address, FedEx, UPS, USPS, DHL, name one more. These are the people who need to know your physical address every nobody else needs to know because they are the people who are physically coming and delivering stuff to you. If you're not Adding some stuff to somebody from a vague guy that you don't know on eBay? Why do you have to give you a physical address home address?

    Steve Statler 35:09

    Just put it so how would that? How would that work? So I'm going on to eBay, I no longer give my address, how do I get the secondhand pair of stereo headphones that I bought from someone and

    Ramesh Kesanupalli 35:21

    let's assume that, let's assume that you registered on a digital interface, you have a digital address and you are going to go only place, you're going to put your physical address these five locations I told you, okay. And as I'm

    Steve Statler 35:36

    saying, basically, I buy the headphones, and then I say, this is my digital identity, I want you to use FedEx, tell them what my identity is, and they'll get it. You don't need to know.

    Ramesh Kesanupalli 35:52

    Even for all those five people, you don't have to go and actually give them they see that those are the only people you should disclose your information to when they say, Hey, Steve, I'm delivering some stuff to you tomorrow. Give it till that point, you can just give your PIN code and the city that's all you need to give. Yes, when they're ready to come, you say here's my full data come and give it to me.

    Steve Statler 36:14

    Nicely. So back into the alphabet soup. How does this relate to OAuth, another one of these related standards?

    Ramesh Kesanupalli 36:26

    Um, OAuth is about, again, authorization, and OpenID Connect is about, you know, SSO kind of attribute transport protocol. Transportation, we could use OpenID Connect. In our back end right now we're using something called Deep Comm. And clearly, we can actually integrate on the back end with OAuth and OpenID Connect, okay, to be able to go to different data sources that are out there. You see, right now, what we do in our architecture is you go and create your digital address and connect to that service that is offering your digital address. And everything else is links to your personal data, wherever that is: your university diploma, your medical record, your financial account. It is just a link going back to those sources. The way we actually go get the data from the sources is using something called, we call it come, there we can use OpenID. Okay, well, we are not necessarily compliment, you know, competitive or anything. I mean, you can implement some of the stuff that we're doing using them also, but we can actually embrace them also in our stuff.

    Steve Statler 37:43

    Okay. And are you using distributed ledger technology and

    Ramesh Kesanupalli 37:51

    Distributed ledger, right now we are using Hyperledger. And we have, we have our own ledger also called only one. Yes, we are using. This is all based on blockchain.

    Steve Statler 38:04

    And what do you Why do you need blockchain? What does that bring to this that you wouldn't have otherwise?

    Ramesh Kesanupalli 38:10

    So blockchain provides naturally the immutability. And this is a multi source of multi, it's a place of multi sourced truth, multi point truth. You know, when you're doing business where wedding parties are coming together, you don't want to just depend on what one person says. It's a consensus based algorithm that, you know, gets written into the DLTs. And if you're trying to do something, you can actually, like, for instance, if you are a supply chain application, same data now resides, same identity data and personal data remains in 10 different places. Let's consider a simple thing called your your URL. Travel ticket, once it is booked, it gets emailed to you, it's in another database too, in addition to the database where it is. You know, there are multiple places that actually have to come together and synchronize. In the DLT model, you'll need to do all that stuff with one plus one plus publisher, all the nodes get same time. It's a multi people sharing the same source of truth. It's not like, okay, Rama, managed to have this in this database. There's something else in this database. You don't have those kind of problems with this. And most importantly, when you're actually doing this identity correctly, identity has to operate across the networks. Then you're operating across the networks, you have to have value settlements. You want to do value settlement at micro level. A crypto based economy and a DLT based economy is always better. And also, when you try to do it internationally, it is better to have a token, tokenized kind of economy based on these ledgers than if we had currents

    Steve Statler 40:06

    So what about the entity at the center of that? So you're, as well as leading this new standard, you're CEO of Digital Trust Networks? And then one of, potentially, will this be the only company at the center of this? What's the role of your company in this?

    Ramesh Kesanupalli 40:29

    Just like what I did earlier with FIDO and Nok Nok Labs. FIDO is a standards development body organization, Nok Nok Labs was the first implementer, and FIDO now has lots of implementers. Similarly, ADIA is a standardization body, they are advancing the specification. We just published a specification, announced it during HIMSS last week, where we announced the specification availability for review, pilots from CBS and commercial availability of the product from Digital Trust Networks. And we certainly see there will be competition from for what we are trying to do when we want the competition. Now, we won't be able to address every market. Do you have healthcare market, your finance market? We have, you have educational market, your government segment. Do you know, many, many segments are there in these networks, your startup company, we won't be able to actually, I mean, that is a misnomer. Like when we talk about, you know, some big company wants to be the identity provider, there is never going to be one identity provider. There will be multiple. I wish there is only one at in different country. It's not

    Steve Statler 41:48

    You know, but to be clear, DTN is what, what's the name of that entity in this schema? You're not a, you're an identity provider or something else? It's a Brian.

    Ramesh Kesanupalli 42:03

    We call it, the ADIA nomenclature, we call interchange, ADIA interchange cells.

    Steve Statler 42:09

    Okay, so will I be able to switch from one service to another i mean is it is it gonna be like banks where, you know, it's it's easier to get divorced from your wife or your husband than it is to switch banks. People do it more often in America, they divorce more often than they know it's really banks is that going to be the same with my relationship with

    Ramesh Kesanupalli 42:31

    there is a party process, you can say, I'm going to move from this interchange to a different jail, there is a process that you submit to the new interchange and the old interchange, they handshake and your data gets your pointers gets transmitted, you're ready to go.

    Steve Statler 42:47

    So it's a bit like porting my phone number from AT&T to, to.

    Ramesh Kesanupalli 42:54

    Exactly. Okay. And there's this thing that we define, actually at the international level. So once you have the digital address, you can actually if you're trying to recruit somebody in the Philippines tomorrow, and if they come back and say, when I did my PhD from University of Philippines, all you need to do is give me the digital address. And you can actually ping the university directly and check if he really went there or not. That's the power of what we're trying to do. And in the process, by the way, I forgot to mention, University of Philips actually am University of Philippines actually get paid for that service.

    Steve Statler 43:34

    Interesting. Okay, so yeah, what does all this cost? That's a good question before we

    Ramesh Kesanupalli 43:40

    let this provider repay the person who is verifying like for instance, if you got a COVID credential if Levi's Stadium, you are going in a football match, when they want to verify if you got the vaccine or not, they actually pay for that service. How much do they pay? It could be a few cents. Okay, so not a lot. But I mean, depends on making up on volume on the value and it depends on how much you can tax the end of the day consumer pays he doesn't know is the base. Yes, he wants to offer three, but he doesn't know them all what happens when you want the app free. But when he walks into Levi's Stadium, he did not know that usual $30 ticket is not that you want dollars.

    Steve Statler 44:26

    And, you know, I also why would they pay why would the stadium pay that money versus use another method?

    Ramesh Kesanupalli 44:35

    Because right now let's say one of the problems that we're having with respect of giving a specific example of COVID credential for instance, you need to make sure first thing that certificate or credential that is shown is real. You need to understand the past that the entity that issued is real and is trustworthy. You need to make sure that certificate It is issued the right person. It's not like they use my blood test and put your name on that. Or I took the vaccine and we put they put your name. And you need to make sure that certificate is delivered to the right person. fifth thing, you need to make sure the person who's presenting it actually is the person who wants that. If you need to make sure all by all of these, if you're really serious about making sure people with without vaccine will get into a large crowd, you have to make sure you are doing the genuine check. Yeah. And like I was mentioning the Wells Fargo example I gave you if the idea is to just to file those things and then put it Yeah, you can open an account. Who knows if I went to Wells Fargo Bank, if I provided your credentials and get my picture and then open the account there. That's the identity fraud you're mentioning about.

    Steve Statler 46:02

    So I think, to me, this seems like an excellent idea: less fraud, streamlined processes. There's benefits to all of the players in the ecosystem that you outlined. But I think the challenge for any of these things, and I'm sure you saw it with FIDO, is, you know, getting this thing going. You know, what gives you confidence that this will take off, that the people should invest their time into this, is the moment

    Ramesh Kesanupalli 46:33

    Like, for instance, FIDO was started around 2012 in the real manner. I started evangelizing in 2010. There is always time and the timing and the detail when that happens. It is the last six months, the amount of money that was pumped into passwordless authentication, the amount of money the people who are in the FIDO got funded is, it's not funny. It's like tremendous amount of money. In the identity space, it is happening now. People are realizing it, they are realizing it because we have lost the touch with real world, because there is no real world anymore. I haven't gone in a month and I've entered last year my daughter didn't go to school at all, it's all online. So we are getting, we got to a place where our digital world is a real world. When you use a telehealth, doctor should know that he's treating the right patient, otherwise I can sit there and get the medication for you. And I should know the doctor has the right credential. Then you have to do that without breaching the privacy, without disclosing too much information. So there is, we have taken considerations into the privacy, security, trust and accountability all together. You and I won't go stand on Montague Expressway, start shouting obscenities, because first guy might ignore, second guy might ignore, third guy will definitely call cops and you will be held accountable. That's why we don't do it. Digital world, we don't have that. And last thing when I want to mention in the same tone is even the IoT that you guys, that the plugin that you set the context. My Tesla car is an IoT device, as you know. It's not about the car belongs to me, there is a identity behind that. I don't want somebody else stealing my car and driving away. If the IoT do IoT device is not an orphan, there is an ownership to it. Even if it's a shared device, that if a doctor treats multiple patients, doctor is the owner of the device.

    Steve Statler 48:52

    So what is the kind of the tipping point where you see the kind of the viral effects you start off with any of these things and you're evangelizing you're finding some of the big players, you've got CBS engaged investing in this. So but how do you think this plays out? You kind of have to work hard in the first few years to get this established? When does it become easy? What's that tipping point that you're looking forward to?


    Ramesh Kesanupalli 49:22

    Well, this has to start like big players in a closed ecosystem first. You know, and then we need to identify like healthcare is one of the things that we know is needed for this kind of a system. Like for instance, healthcare is in one place healthcare is one place where there is a multi sources of truth. insurance company pays to your diagnostics lab, your blood test lab, your medical facility, your physician, your radial, he's the one who pays to all of them. And he's the one who has to access to have all the information physician has to have information to your insurance data is your blood test is up, everybody needs to have access to everybody else. And that has to be happening in a clear, definitive way. You know how many, you know people get either, you know, wrongly diagnosed and given down medication because of the identity issue.


    Steve Statler 50:28

    I hate to think I hate to think I wasn't worried about that before. Now I am serious significant.

    Ramesh Kesanupalli 50:34

    Yes. The thing is that there was there was a case where there were two people wanting to build our new bar in New York, they have the same last name first name. One is older lady one is named Kate one had cancer, the other one has some other thing. The Things got switched and an actual elderly woman passed away. Did the patient identity is a huge problem in healthcare, Medicare, Medicaid is a huge problem. You know, so this has to start in closed ecosystems where there is a multi party dependency and source of truth that is required shared source of truth I must tell you shared source of truth. Let's consider Wells Fargo Bank Wells Fargo Bank has probably 15 different services for consumers they will give you a bank loan they will do equity loans they will give you open an account they'll do this there are 20 there is a investment equity arm that they will want to deal with you when you call somebody what is the right hand is doing what left hand does not know it mean if you happen to have 10 million investments somewhere the console bank I probably won't give a shit about you because he doesn't know you're 10 million in the bank. In the equity side you know this provides a multi party and they have to maintain your identity in 10 different places unfortunately. So this brings those things together. It provides a common source of truth shared source of truth a supply chain functionality. Intel probably deals with an a motherboard power will deal with 90 different chipset broadwell chipsets and each one of them will have 10 different vendors. So they probably are importing a motherboard they probably will have to deal with 900 companies and you need to a odium needs to bring these things together. And if this guy loads the stock there and if it has to come to the other side and it takes you know two days for databases to synchronize nightmare

    Steve Statler 52:50

    now so you can see you can see how this would evolve it's a little bit like Geoffrey Moore Crossing the Chasm, the bowling pin you can see this maybe one of those bowling pins is healthcare and integrating identity for multiple providers and then that starts to build the momentum and then maybe some adjacent services decide that they so maybe it starts off with hospitals and then with pharmacies and then from pharmacies you can imagine it going to other retail and then eventually the ball starts rolling and then it you can see expanding very very quickly

    Ramesh Kesanupalli 53:28

    just the opioid crisis alone you will go to Florida and then say your pain level is nine they give you medication next you walked Alabama and say your pain medical your pain is nine they will give you a ride again that's what we had we dealt with opiate crisis was billions of dollars loss and people's death you know in this scenario

    Steve Statler 53:51

    It is a great example great example.

    Ramesh Kesanupalli 53:55

    So in this scenario, you know a simple ad few say that anybody who wants some controlled substance they must use digital address. So I go to a doctor and do my digital address we'll give him medication. I go to Alabama I give you I give him my digital address boom that will show him and I just took the medications in Florida a 60 of them will say I know I can't do this now I can't give you medication now that's what album Okay, we'll say

    Steve Statler 54:27

    what stops me having multiple digital identities then, in that case,

    Ramesh Kesanupalli 54:33

    you the way that you be will be brought on to the ecosystem. Now we will allow you intensely if you have to choose a dual citizenships, you will be able to create one digital address in in London one here. Yes, it's up to you but you will still be held accountable on both sides because whether use that digital address this digital address, we know who bootstrapped you to bring you on board.


    Steve Statler 55:00

    See? Okay, let's get to know as I do have an American passport and a British passport. So I don't I don't get to escape this one source of truth. So Ramesh, we have this strange tradition here on the show, we ask our guests about the music that is meaningful to them three songs. Did you have a chance to think about that? Do you have three songs? That means Yeah,

    Ramesh Kesanupalli 55:25

    unfortunately, all my songs are local language, Indian language.

    Steve Statler 55:30

    Well, that's good. We need to change from Queen and Simon and Garfunkel so love to hear a bit about what what has meaning to you.

    Ramesh Kesanupalli 55:39

    So one of that was is a slightly devotional kind of thing, it is actually not a song, but it is a it is Sanskrit hymns with translation, which is supposed to be the message that Lord Krishna gave to Arjuna when Arjuna was getting nervous and cold feet about the fight. So that brings you back to the earth you know, tells you what's important in your life you know, it's I would say, it is like Bible there's not it's not different than what Bible says some good stuff, but, you know, this brings a different perspective Usually, it's a very powerful message that's there in that in the in those hymns that Krishna says GEORGE You know, and that's that those are the things that I usually listen to quite a bit

    Steve Statler 56:48

    when do you When would you listen to something like that.


    Ramesh Kesanupalli 56:52

    So, there is actually a different context to it, which is this, this was sung by one of our fab, you know, famous singers called Ghantasala. And this actually was apparently is the last one that he recorded before he died. And the song, the hymns and the recording talks about the meaning of life and life and death. That's it right Sidra. Unfortunately, in our culture, people in our language, they play that thing when somebody dies. And, but I always feel that, that is something you can listen to any time. That actually is not the thing that you should put only during that somebody died and that kind of stuff. That's a very motivational thing if you, if you can try to understand the inner meanings of life. You know, like, like, I know, this is a this, this would be a story, but people say when Alexander the Great died, and he wanted his both arms to be outside his coffin. I know it's your story. But people say, and people, you know, the message that he was trying to give was, I conquered the world. But when I die, I'm dead. I'm going with empty hands. That was the message that Alexander was supposed to be giving, you know, that, I know that that wasn't practically possible. But people say that story whenever, you know. So the Bhagavad Gita has some such deep meaning to life. So I myself went through a tragedy, my wife passed away in 2010. Before that, I used to be very, very, very religious. I used to pray to God, I used to donate money to, you know, the temples and stuff. But when my wife passed away, I lost belief in God. So then I completely stopped going to temples and I'm just not religious anymore. After that, after my wife passed away. However, this is something that I listen to not as, it is something that is related to God, Lord Krishna or anything, but at a human level, that's a good message. So that's why I always believe it is not about good or bad. It's about you being good. Nobody needs to tell what is good, what is bad and is reasonable. You know, behavior, you should be able to know what is good, what is bad. In the world, fortunately, there are more good people than bad people. That's where there is still some sanity in the world. Otherwise, these things would go crazy. So from my standpoint, I listen to that quite a bit, particularly after my wife passed away, while I stopped going to temples and don't believe that at all. But I do listen to this not as something that I feel like there is a God who gives something. But part of the reason I lost faith in God and believe in God was I saw actually my wife, completely a potato around 2000, around June of 20, June of 19. After that, for about eight days, they artificially pumped everything into her body, or BP or the temperature of if they're maintaining clinically for nine more days. Then I felt, if a body can be kept alive clinically, that I can explain, that they are explaining me how they are doing it. Now, where is God in this whole picture?


    Steve Statler 1:00:56

    Very good question.

    Ramesh Kesanupalli 1:00:57

    Yeah. So that that actually, I was a heavy believer in God. I pray God every single morning, I used to go to temples when died from the childhood. God was everything for me. That nine days when I saw that, and one thing my wife was also very, very sorry for dwelling on apostles have so much but and my wife was even more religious than me. When the way test for cancer in ICU, the amount of sufferance that I saw, when I was such a pure person with so much devotion to God, if he is going through that much, and then now I see nine days, he's artificially pumped from outside to be alive. Where is God? There is no God. It is just you know. So that's changed my perspective on life. And then when I then after that, I often listen to this one man, I'm alone.

    Steve Statler 1:01:57

    That's fascinating. And thank you for sharing that. I feel privileged to, to hear that. And as your obviously the passing of your your wife of many years is a thing of great sorrow. Do you feel like, but you've also lost this kind of spiritual force? How has the loss of that impacted you on a day to day basis, the relationship with God and talking about?

    Ramesh Kesanupalli 1:02:33

    I don't believe in God, I think, you know, I also mean, culturally in India, we also believe that there is afterlife and means that there is this Heaven, Hell, I don't believe any of those. Being in India, I should be believing all those things, you know, and I truly believe that humans have this brain that they can actually think, and then rationally, justify something. We are not animals where, you know, the survival of the fittest, although we are getting there, unfortunately. You know, and otherwise, this would have been gender life, too. That's why I was mentioning earlier. There are fortunately there are more good people in the world.

    Steve Statler 1:03:17

    That's great. I'm glad that you still think that that's some comfort. So what what about your second song?

    Ramesh Kesanupalli 1:03:26

    second song, again, was related to my wife, actually, this this was actually a romantic song that No, but I shouldn't say romantic, a melodious song with a lot of love in it. That song was released when, you know, I was married. So that that used to touch me quite a bit whenever I guess it is taking the song. So it was from a movie called full our counter. It's about low live marriage and stuff. That actually, you know, whenever I hear that song, even today, I remember my wife.

    Steve Statler 1:04:07

    Well, unfortunately, because of some intellectual property rights legislation in Europe, we can no longer have the music playing in the background as we have this conversation. But if you could do us the favor of sending some YouTube pointers to these, then we'll include them in the notes of this podcast, I'd love to listen to both of these and, and so your third song.

    Ramesh Kesanupalli 1:04:28

    Third song also is again, a family song that actually deeply talks about you know, husband, wife, you know, singing and I give more importance to two things. One is it should be melodious and it should be meaningful. You know, this is another song where I felt there is a lot of meaning to the relationship between husband and wife. So these are the good songs that I like. And unfortunately, a couple of more songs were that are related to some some unpleasant things in life.

    Steve Statler 1:05:11

    Oh really

    Ramesh Kesanupalli 1:05:11

    use during those unpleasant things like I saw my father actually study struggling about something and in tears in my mind, that was the only time I saw my father in tears. So when I saw tears in his face, there was a song playing in the background.

    Steve Statler 1:05:29

    Oh, really? What was that song? What was that sound cool.

    Ramesh Kesanupalli 1:05:33

    It's a really good song. And it has actually no meaning or connection to that scene. It's just that I saw him and that's the song that was being played. So whenever I hear that song, you know, I actually he's a good abs, I can still see his face in tears in his, in his eyes. And that's the only time I saw him actually India. And that song, devotional song, my song, but that brings out of sorrow to me.

    Steve Statler 1:06:08

    He was a stoic character, he didn't portray a lot of emotion. Normally, it sounds like he actually.

    Ramesh Kesanupalli 1:06:14

    weakness is a very, very I saw him angling. I saw him happy. I saw him COVID, sad, Woody, but never a tear in his eye.

    Steve Statler 1:06:30

    That's amazing. Very good. Thank you for sharing that with us. I really, it means a lot to me to hear about these songs and will, if you'll send us the pointers to them online, then we'll share it in the notes of the podcast. Sure,

    Ramesh Kesanupalli 1:06:44

    definitely. And like, like I mentioned, these songs are related to me personally, they are not just some nice songs of the day, like these. Are these the things have stories behind those songs?

    Steve Statler 1:06:56

    Absolutely. Very good. Well, I think it's hard to argue against truth. It's hard to argue against the many problems that you've outlined here. Ramesh, I really appreciate your spending time with us and helping us think this through. I think what you're doing is very important. I wish you success, because I think with that success, we get rid of a lot of fraud, a lot of inconvenience. Hopefully we become a little bit more truthful ourselves in this environment. And so I think what you're doing is good work and I appreciate you spending some time with us. I want to thank our hammock for his work on production. Jessie Hazelrigg, our producer, I want to thank you for listening. Please do like us, tell your friends about us. And please join us. For the next time. We meet up