I gave a speech at the 2018 RSA Conference on the overhyped progress of applying blockchain to digital identity.


While blockchain and its descendants are being applied to countless use cases beyond cryptocurrency, one of the last fields to be seriously affected (contrary to the hype) is identity.

Uniquely, the original blockchain took People and Process out of the conventional security triad. It supports a very specialised use case without trust, but that cannot be automatically extended to use cases spanning the physical and virtual domains. Conventional security layers and off-chain processes are required for non crypto-currency apps. Contrary to popular belief, blockchain does not manufacture trust.

To put someone (or something about them) “on” the blockchain is a metaphorical way of saying that a symbolic “token” will be added to a blockchain transaction, classically as metadata. That’s how all digital systems work, of course; every datum in every computer stands for something else. But the special thing about the original blockchain is it works with no mapping from physical to digital. They only thing that matters in the Bitcoin blockchain is Bitcoin. Not even ownership matters, and so blockchain may be the only serious cryptosystem with no need for key management. That is, we don’t care that the right key goes with the right user and device, or that it stays there.

It’s a little magical. But when you make a blockchain token stand for anything in the real world, like a person or their attributes, you break the spell. Important attributes are always defined by third parties and authorities (self-asserted attributes are worth little). Remember Nakamoto dispelled all third parties and agents who normally map real world things into digital codes; the foundational Bitcoin whitepaper makes it clear that “main benefits [of blockchain] are lost if a third party is still required”.

In applications where parties do need to know something about each other, the processes needed to establish those things can trump the blockchain consensus algorithm. Wherever there is an off-chain process to tell us a user is authorized or permissioned, on-chain consensus can become academic. There is an easier way to work out the state of the ledger than crowd-sourcing consensus process.

Only a few identity management innovators have understood this subtlety to date. We present a roadmap for identity management using distributed ledger technologies and review the very rare identity success stories so far.

My handouts.