Rizel Scarlett
===

Paul: [00:00:00] Hi there, and welcome to PodRocket, a web development podcast brought to you by LogRocket. LogRocket provides AI-first session replay and analytics which surface UX, UI, and technical issues impacting your users. Start understanding where your users are struggling and try it for free at LogRocket.com today. My name is Paul, and joined with us is Rizel Scarlett. She's a staff developer advocate over at TBD and Block. And we're going to be talking about how she bought booze with the JSON web token. That's a killer intro because I have to wonder like, was the booze supposed to be bought? How did the booze get purchased? And it's all under disguise of JSON web token. So really excited to dig into the story result. for coming on the podcast.

Rizel: Yeah. I'm excited to be here as well. Thanks for having me.

Paul: So jumping right into what the title is hailing, you bought booze with a JSON web token. Really quick, what's a JWT?

Rizel: JWT is basically, I would say think of it as a string and it's basically like a secure way to like [00:01:00] share data. So it's usually made up of three different things, like a header, a payload and like a signature. So the header is going to tell you what type of token and the payload is going to tell you what data you're sending. And the signature basically like verifies that it was sent. But it's basically like you send data across two different areas and it will be tamper-evident. So if someone tried to change it or something like that, it'd be obvious that it was changed. Okay, so I need to clarify about the buying. Like the booze. Okay, this is based. Y'all reached out to me because I did a joint talk with my manager. So she bought the booze.
I didn't. I live in Massachusetts and we were not allowed to do that yet. But basically how she did it is, if you order alcohol for delivery, right? They come to you, but they need two different things. They need like some money, like some way of payment. And then they also need your ID, to prove that you are who you say you are. But [00:02:00] for her case, she didn't need to show a physical ID. She was able to show like her mobile driver's license. And mobile driver's license use a technology called a verifiable credential. And that's a W3C standard. And oftentimes, verifiable credentials are represented in like JSON web token format or another format called CBOR. I think that stands for concise binary object representation. So that's really how she was able to, she didn't have to pull out her ID or anything, she just showed her phone, they scanned it and it was like, good to go. Easy does it. So that's like the idea behind the talk and how she was able to, she lives in Louisiana and I think they were the first state in the US to say, oh, we're giving out mobile driver's license. But Massachusetts, where I live, they're still behind on that. I don't even see that they're like exploring or experimenting or even wanting to put out mobile driver's license, but yeah, that's it.

Paul: So the mobile driver's license is probably, [00:03:00] likely, because you said it could be CBOR, but it's probably a JWT itself that holds the validity. How does that work? Is that in the last piece of the JWT that you mentioned, the verifiable credential?

Rizel: You need three different parties in this, right? You need like an issuer, you need a subject and you need a verifier.
So the issuer would probably be like her department of motor vehicles or something like that, and they would create a more, a verifiable credential for her, and it would say, let's say for me, right? It will say, oh, this person's name is Rizel Scarlett. They're over the age of 21. Like for sure, they live in Massachusetts, whatever information is needed. And then, the issuer would sign it to say, yeah, this is actually me that is saying this information. Like I'm actually the department of motor vehicles and I confirmed that this information is true about Rizel Scarlett. So it's not like someone could pretend, Paul, you can't just give me a verifiable credential and pretend that you're the Department of Motor Vehicles and you're verifying this information for me, [00:04:00] right? And so once it's signed, it gets converted into, like whether it's CBOR or it depends on like, since it's a newer technology, I think some organizations are doing it one way and some organizations are doing it another way, but it depends on however the issuer has decided to do it. It'll get converted into JSON Web Token format. That way, no one will be able to go in and change it and say, Oh, her name's not Rizel Scarlett, it's this, or no, Rizel's under 21 or anything like that. And then I wouldn't really see it in JSON Web Token format. It would look like a card, like how you have like your debit card in your Google Wallet or your Apple Pay, that type of thing. And then I would show it to a bartender or the delivery driver that was dropping off the alcohol and they will scan it and they will get all the information.

Paul: So instead of the person dropping it off and verifying it, you have that like third step because of the verifiable identity.
Got [00:05:00] it. Okay.

Rizel: Yeah.

Paul: So how secure do you feel like this is under the guise of a mobile identifier, like at the driver's license?

Rizel: Yeah. I think it's pretty secure, especially since it's tamper-evident. So if someone did try to edit something it'll show. Like, I normally like show people or demonstrate this on like this website called jwt.io. So if you have a JSON web token, it's just like a bunch of random letters. You really don't know what maps to what. But if you try to edit any part of it, it would just turn into, I don't know. It looks like Wingdings to me. Do you remember Microsoft Word? Yeah. It was showed someone tried to edit it. And you were able to hold onto it for yourself. And then the other part that I think is cool about verifiable credentials is, there's this feature called selective disclosure, right? So normally your ID, you show it at the club or something, the bouncer can see your name, age, address, all extra information when they really only need to know you're allowed to go into this [00:06:00] place or get alcohol or whatever. So with selective disclosure, you could basically say, I only want to disclose the necessary information in this situation. So I don't necessarily want to give my name or my address or anything like that. Just that my age. And then it'll just show that, it'll just be like a Boolean true or false and you get in. So I think it's secure in the way that no one can edit it. You have control over the access to it.
And then you also have that selective disclosure where you can say, this is the information I want to disclose.

Paul: Now, whenever the Department of Motor Vehicles Registry, RMV, DMV, wherever you are, when they give the verification, they sign the payload saying, yeah, this person with these claims, I don't know what the right word

Rizel: That's exactly it.

Paul: So they're claiming this, claiming that we're going to sign it. And then we're going to give you this thing that you can then go give to somebody else and they'll know how to verify. It's all good. When they do that handshake with you, the DMV or RMV, does this [00:07:00] last a long time? Is it like it lasts for a minute? It lasts for 30 days? Is there like an extra tax in the system because you have to keep calling out to them and being like, Hey, you're around, right? You're around. Okay. Give me the signature. Is that a potential fault in the system?

Rizel: Let me see if I understand you. When they issue it to you, they sign it and that's the, they don't need to keep signing it over and over again. The verifier just has to check like, Oh, was this signed by them that one time? I guess like you have the ability or the issuer has the ability to make it like revocable. If the mobile driver's license was expired or you like, you lost your license because you're a bad driver or whatever, but it will be the same experience as having a physical driver's license where it's like, Oh, okay. I don't need to keep checking with the issuer, where, you know, when you look at a physical ID card, you're like, Oh, this is obviously from like the RMV. This is [00:08:00] not fake or whatever.
Paul: So it's like the initial sign will last as long as they want it to last, which is like analogous to the expiration on a driver's license. Okay. And then when people want to look at it and verify it, they can always call back to the registry and say, Hey, this is legitimate, but I need to check if the license was revoked or something like there was an update pushed.

Rizel: You shouldn't have to keep going back out to the issuer. The verifiable credential will come back and say this is actually expired. You know how I told you like the true false Boolean, they scan it and it will be like false. This is an invalid verifiable credential or it's expired, but you don't need to like, keep calling back out to the issuer.

Paul: So if the license did get expired, that's like an update that is separate from like a predetermined license expiration date. That's like something happened

Rizel: Yeah.

Paul: wasn't expected to happen. So that new state of information, how is that [00:09:00] relayed to the verifier? Not the issuer, but the verifier side of the party when they want to check, even if something was signed successfully, like maybe prior in the year.

Rizel: Let me see if I could explain more on like how the verifier is checking. Okay, on the verifier side they have something called the presentation definition. So that has like criteria of what they're looking for. So you have different fields inside of the verifiable credential: name, blah, blah, blah. And then you have expiration date. So their presentation definition would just be like, Oh, is the expiration date still current?
If not, then it's a false verifiable credential, but it's not like a new state keeps getting added to the verifiable credential. Once it's issued and signed, like you can't add, edit or add any more to it. For the revocable though, you're right. There will be an additional, like you might update it, but you would basically just have that presentation definition checking for those different like [00:10:00] criteria.

Paul: So if you go to the bartender and you have this like JWT that proves you're 21.
It was given to you. And you have like it is allowed to buy alcohol Boolean. That's the ability. Okay, and it says true. So you bring it. It's signed. It's good for a year. You go there for like week one, then you come back week two, but on week two, the bartender needs to know that the night prior you actually got arrested and the police said, this person can't buy alcohol anymore. Like no way. But you still have this JWT that had that Boolean set to true when it was initially signed that you were allowed.

Rizel: Yeah.

Paul: Yeah, you're going to go back to the bartender. You're going to bring them this old JWT. And even though the expiration is still valid,

Rizel: Okay. Yeah. But it has other fields, not just has it been expired? It has a field that's, has it been revoked and stuff like that. So there's like a couple of methods that get run by the verifier. Like it checks, does this satisfy the presentation definition? It checks, has this been revoked? So once you scan it a second time, like [00:11:00] it'll say, Oh, has this been revoked? Yes or no? And it'll just come back to them as that, but they don't need to call the issuer or anything, cause, and like, is this true or not? It just has the field and it'll get updated once the issuer says, yeah, this has actually been revoked now.

Paul: So the second week, when they come back, is there going to be a new JWT payload that will have that successfully flipped Boolean?

Rizel: I guess if the issuer is like on top of stuff, which the department of motor vehicles should be, then it would have that updated, like, field in their list.
Paul: So you would need to be issued a new JWT in between the event of the revocability being

Rizel: When you say it reissue, I guess I'm imagining like you're saying, like they go back to them, but virtually they'll update it to say, Hey, this has been revoked or not revoked.

Paul: Okay. And during the update process, there has to be like a new signature, right? Okay.

Rizel: A new signature created. Yeah.

Paul: And if the registry motor vehicles is like on top of their stuff, [00:12:00] then we can assume if you have this like digital driver's license, this mobile driver's license, they're sending updates if need be, like if something happens in there, like, Hey, people downstream need to know that this is, for example, revoked in the background, whether it be on your Apple wallet or whatever, they will issue a new JWT that is newly signed with the new fields that represent a very important state that they're responsible for communicating.

Rizel: Yeah, I think you could think of it like, you know when your debit card expires and then you order a new one and then they just issue, like at least for me, like sometimes they just give me a new debit card with a new number or a temporary one and it's just in my phone. Like I'm not really, as the subject or the holder, I'm not thinking about the updates and the verifier is not necessarily thinking about it either.

Paul: Yeah. It just all happens in the background.
I was just super curious about who's responsible for pushing an updated state if something legally binding changed that didn't work. Could affect the way of life for somebody.

Rizel: Gotcha. The issuer.

Paul: Yeah, the issuer. [00:13:00] Cause we were talking about security. So I'm thinking like, okay, could somebody like break into some part of the flow here and stop an update? Maybe they can't sign it, but they can stop an update. Is there one point of control for that update for like revocability? And I know you said in general, this is a pretty secure practice, like states are rolling it out. And so that then makes me think, all right, pretty secure. It's JWT. That's pretty accepted there. There's like plenty of articles out there too, on how JWTs maybe aren't the best off solution to reach for, but they're used everywhere. And they have to be pretty damn good if they're used so much.

Rizel: To just follow up on what you were saying then, but I think part of how someone wouldn't be able to is they have something called like a decentralized identifier that like identifies who exactly this person is.
So there's no way for you to retrieve somebody else's decentralized identifiers because like behind the scenes there's all these like cryptographic keys and stuff like that and if, it just [00:14:00] wouldn't match up. If you tried to pretend you were me and grab my decentralized identifiers, it would just fail and you wouldn't be able to sign it. So that's how somebody else wouldn't be able to jump in through that process.

Paul: So the decentralized piece, is that like another entity that's separate from the issuer and the verifier?

Rizel: The decentralized identifiers represent each person or entity on the web. So the decentralized identifier would represent the issuer and then I would have my own decentralized identifier and then the verifier would have their own decentralized identifier.

Paul: And those basically go into the signing algorithms and establish the parties. Got it. Okay. Yeah. Let's move on to like how this could be a good thing notably and B how you think this could start to trickle down into affecting like how I fly out from Logan or something like that.

Rizel: It allows people to be able to control a little bit more of what data gets shared and when
with different people, because you know right now on the web we just put out our data anywhere, but now you can be like, okay, I only want to show them [00:15:00] 21, or even in person as well. It's also a little bit more convenient, of course. And in terms of traveling they do have something called digital travel credentials. It's like different states are trying out different things or different countries as well. So sometimes they'll do like different trials and they'll be like, okay, we want to try out like you being able to just go to the airport and instead of showing your ticket and everything like that. I haven't tried this. I really wish my airport would be able to, but they scan their digital travel credential. It has the information about their flight, their ID and all of that. So it just makes it a much smoother experience for people. I know at one point Aruba was trialing this as well.

Paul: So people could use the verifiable credential to link your itinerary and other like supplemental information instantly via the airline's API. I'm not really sure how that would happen in the background. But the point is, it'll streamline it. And be able to look up information instantly. And [00:16:00] that's something that's not done with IDs right now. I guess they don't really like scan my ID all the time. No, they do. When I

Rizel: I do. Yeah, they put it in something. I always want to see what's going on in the computer. What you doing over there? But yeah,

Paul: Because that has an ID, right? You could always map an ID to like,

Rizel: Yeah, they have some kind of chip. I talked to this guy from Accenture and he works on digital travel credentials and he said like passports and stuff like that.
They have this electronic thing, but it's just not as advanced as how a verifiable credential would have those certain claims about you, about your itinerary or whatever, this is the flight you're going on, this is your whatever information you needed to get on the plane, and then you would just scan it.

Paul: So a verifiable credential in like the context of an airport, because before we were just talking about it's verify a driver's license is legit, so you could buy alcohol. For the airport they want to verify more things than just is your driver's license legit and the right age, they want to verify like the things you just mentioned. [00:17:00] Is there a new back and forth handshake or JWT issued?

Rizel: That happens

Paul: To present all those extra claims to the airport or TSA or whoever.

Rizel: Yeah, I think it would be a different one. Like it depends on how each airline is deciding what we're accepting. Some of them I think have only been accepting mobile driver's license and some of them have been like, we want this digital travel credential with all these extra information. You could really make a verifiable credential of anything. Like I can make a verifiable credential that said that my favorite color is purple and I could sign it myself and be like, yeah, I confirmed this. So whatever information that the issuer and the verifier would need, that's what's inside of that verifiable credential.

Paul: Do you feel like we are moving towards a more standardized layout so that if we had this podcast in five years and we talked about airports and the way they're using verifiable credentials, it's settled in some average, hey, yeah, we use the verifiable credential from the driver's license [00:18:00] of your home state.
We use a verifiable credential from the airline. We've taken all these different pieces of information, sum them up and then we can make an executive decision. Are we moving towards a standard? Is there any standard out there right now that any states or countries adhere to?

Rizel: Okay, good question. So for folks who are curious, verifiable credentials themselves are W3C standard, but, like you're saying, the information inside of them, not always standard. I think we're slowly moving towards that. Right now, like the company I work at, TBD slash Block, they're working with a whole bunch of other companies, including NIST. I always get mixed up. Is it National Institute of Technology? But basically they're working with them to standardize different things like mobile driver's license, how they're being used. There's other like companies coming out. A lot of times like government agencies are just reaching out to companies who do some of this stuff and they're like, Oh, can you implement this for us? I think there's a lot of work needed, [00:19:00] like personally for me, just my personal opinion, to standardize everything because I think right now a lot of companies are like, oh, we want to like use it for so many different things. You can use it for like educational requirements, like let's say, to prove that you have a degree. It's great if let's say your school decides to shut down suddenly or even like your job or like natural disaster happens. You still have that proof that you actually attended that school or you actually worked at that company, but at the same time, everybody's trying to do it their own way. Everybody's trying to have their own different wallet. So I think right now we like just entered an era of organizations being like, let's just come together and standardize all this.
And even Google recently came out, probably last week, with this Digital Credentials API trial. I don't know that much information about it yet. So don't ask me too much, but we can see some of these larger companies starting to get invested in it. And I think that's probably going to help push it forward as well to [00:20:00] streamline and standardize everything.

Paul: Yeah, that was going to be a follow up question, Rizel, actually, which is like upcoming actual announcements or devs. So the Google one is neat to hear about. But are there any other like companies you could slap a name on that have brought this into the ball court?

Rizel: Google is the only one that's really coming to mind, but I think in Europe, like these are going to be companies that people don't really know, but in Europe, they're really big on verifiable credentials. They're coming out with what they're calling a UD wallet or whatever, but EUDI wallet, basically like a European wallet. Anyone in Europe can basically hold all these different verifiable credentials inside of their phone. And there's all these different companies that we don't really know their name, like German companies and stuff like that, that I'm assuming people in America don't really know, but they're all trying to decide how are we going to set this wallet up? How's the verifiable credential going to look like, stuff like that. So Europe, I think is going to like do like the leading charge on all of that.
Paul: Do you feel like there's any [00:21:00] potential use cases for verifiable credentials that stray beyond like our initial regular person interpretation of how it's gonna make my life better? Like if I'm in like somewhere that it's really challenging my patience, like Chicago or O'Hare, and I just need to like, get on the damn plane. Like I could definitely see this speeding up my journey there. But what else besides that?

Rizel: I think it got a lot. I don't want to say too many because basically I ran like a live stream where I talked to different companies. I'm like, how are you using verifiable credentials or other things within this space? I started that just to help me even understand this space that I work in now. There's one company that, they use it for pharmaceuticals, right? So like the whole process apparently for pharmacies is like they have this entire supply chain and they exchange medicines back and forth if they run out. Like maybe if a pharmacist listens to this they're like, yo, you simplified it too much. But like I'm imagining it like this: Walgreens pharmacy is like, yo CVS, we need some more. But [00:22:00] you can't just exchange with them. You need to make sure this is real medicine. The person you're exchanging with is a real pharmacist, like all this different stuff that like, this is a real pharmacy. And it's apparently a really long process.
So they're like leveraging verifiable credentials to streamline the process and make it a bit easier. What are some other, there's like crazy examples that I've talked to people, but I thought the pharmaceutical one was like, interesting for me because I was like, Oh, I never, that never crossed my mind.

Paul: Super interesting. Do you feel, like in taking the pharmacy example, if it sounds like the biggest complexity is integrating the top of funnel of using these JWTs in a verifiable credential, such as, Hey, this pharmacist, yeah, we verified them. They are a pharmacist. They have this driver's license. We scanned it. They did like the facial point cloud. It's like getting the end user on either side of the verifier and the issuer signed and saying [00:23:00] they're legit. Once you arrive there, the actual underlying technologies is just a JWT. Like most, I'd say 95% of people listening to this podcast, like definitely know what a JWT is, 'cause it's, this is a web dev centric podcast. So it's, that's not like new technology, but it's like how this is being used in the legal context is super fascinating, because the law has stepped into this new realm, I guess this new acceptance where it's saying, yeah, this is good enough for verifying in court that like due diligence was done to ensure these two parties are legitimate. And back to my original statement, it sounds like a lot of this due diligence, a lot of the friction is the due diligence to say this pharmacist is this person. And now we're going to sign JWTs on their behalf because the pharmacist is not implementing the JWT. They're just using it. So somebody's responsible for making that top of funnel of integrating them into this handshaking process between CVS.
~Um, ~I can imagine that is difficult to roll out because every domain is going to have a different way to verify the initial human [00:24:00] being that is then in the JWT dance. Rizel: Yeah. ~I think, ~I think that's the part of the standardization that ~like, ~I see the industry struggling with a bit.~ Yeah, yeah, but, ~but yeah, like you said, it's ~like ~very familiar JSON web token. You know what it is? There's nothing crazy or new, even though the name verifiable credential sounds like this super technical thing, ~it's, ~it is familiar ~and yeah, you just, That, ~that part of ~like, ~there's so many different systems or applications being made for ~like, ~oh, here's how we're gonna,~ um, ~verify it this way and that way,~ like, ~I do think that standardization is needed. I did think of ~like ~two more examples that I think Paul: Oh, would love to hear them. ~Yeah,~ Rizel: Cool. There's also the Content Authenticity Initiative. ~Um, ~so that's like Adobe and a whole bunch of other companies and basically what they do is, ~you know, ~like how AI, you get like these AI generated images and stuff like that. So basically they have ~like ~content what they're calling content credentials. It's like a little, what's that thing called? I don't know, ~you know, ~you got the little eye at the top of the picture. I forget, the name's not coming to me right now. [00:25:00] Like you can hover over it ~Um, ~it's ~like ~a, let me see, like a little info section ~but you can hover over it. Let me see if I i'm gonna i'm gonna google what that thing's~ Paul: ~Yeah, yeah,~ Rizel: ~you know what i'm~ Paul: ~seconds, see if you can find it.~ Rizel: ~Yeah, ~but basically you will hover over ~like ~some little like info section and it'll tell you like ~yo Um, ~this image was taken by Paul on October 22nd in this place and it's posted on his Instagram or something like that. Or they will say ~like, ~this is an AI generated image.
~Um, ~that way it'll have like more information and people are ~like ~not as,~ um, ~misled ~by, by~ Paul: Oh, ~is that the um, ~Is that the ~CT~ C2PA standard that Adobe rolling out with? ~Yeah.~ Rizel: Yes, that's it. They're using verifiable credentials for that. Oh, I'm not finding what that thing is called. It's something simple and I'm like ~It's ~it's it's not coming to mind ~Uh, ~I don't know, but it's basically something that you're like, learn more about this image and then it tells you, yeah. Paul: Cool. Okay. I didn't know that. So ~CTC. Oh my gosh. It's not CT. It's C2. ~C2PA is using verifiable credentials. ~And what was the last one that you had top of mind?~ Rizel: ~the last one that I had top of mind. Um, um, um, um, um, dang it. No, I went away again, but yeah, those, that, those are the two that I can think~ Paul: ~Well, those, ~those are three good domains that we ~kind of ~covered. So driver's licenses, which is plain and simple. Everybody understands. Yeah. That's an ID's identity. ~Um, ~Could be [00:26:00] airlines building on that a little bit just to add some information and pull in some trip info. We have the pharmacist example and then all the way up to ~like ~Adobe tagging content in this AI revolution landscape that we're in. So really a land sweeping technology. I can totally see why bringing this top of funnel, actually integrating it is so challenging because like none of those things are the same, they all require different, like lawyers in the initial business to say ~like, ~yeah, this is what you need to get, please get it. ~Um, ~so yeah, it's super fascinating to see how this is going to grow. ~Uh, ~Rizel, we are running up on time. ~So. ~I wanted to ask if the audience wants to hear more about this credentials how they're using because this is a very like business level conversation we had about how technology is being used. So people might be curious to. ~No, ~keep up to date.
~Uh, ~we have a lot of listeners that ~they ~build side projects. ~They, ~they build startups. So they want to ~like, ~learn about how this technology is being rolled out and leveraged. So do you write about it? If not, where can people find more about ~the, ~the verifiable credentials and where can people find more about your postings on socials, [00:27:00] even if they're not related to verifiable credentials, if they like the conversation. Rizel: Yeah, good question. ~Um, ~so I would say if you even want to get started with building,~ um,~ verifiable credentials, you can go to developer.tbd.website that has a whole bunch of documentation that me and the rest of my team ~update or ~keep up to date. I tend to write on blackgirlbytes.dev. It'll have multiple things, maybe stuff about verifiable credentials, stuff about AI. I like to write a lot. And then,~ um,~ I will also say tune in to,~ uh,~ the livestream that I do ~So, um, ~if you go on YouTube and you go to,~ like,~ at tbd.videos in the livestream section, I basically,~ like,~ post every Friday, talk to somebody who's doing something interesting in ~that ~that verifiable credential space. Paul: Awesome. All right. And we can definitely link those in the show notes below. So they're easy for people to find. So we don't need to spell them out here with our voice. ~Um, ~Rizel, it was great having you on. I definitely learned something about verifiable credentials and how they're going to be [00:28:00] used in the world. I didn't know they were coming so fast. 'Cause yeah, I also live in Massachusetts and haven't heard of this. Rizel: Yeah, Massachusetts needs to step it up. Paul: Yeah. But thank you so much for your time. It was a pleasure having you. Rizel: Thanks for having me, it was great.