I’ve spent several years focusing on decentralized Web3 patterns and protocols. The diversity of protocols and communities can be staggering, but the problems and issues are remarkably consistent.
I’ve been most attracted to discovering common patterns that can solve broad decentralization problems, and can in turn be applied and implemented by distinct protocols for better interoperability.
Most single-sign-on experiences today are siloed to a given organization or service. Ideally we could “sign-in once” across all applications and services that we engage with, and do so without having to rely on a centralized service like Google or Facebook (e.g. Login with Google, Login with Facebook).
The combination of decentralized identifiers like DIDs, and/or private material in a digital wallet, with compatible authentication protocols make this possible, but this area is emerging and in flux.
I’ve contributed to the Solid-OIDC Protocol, which extends the widely adopted OAuth2 and OpenID Connect standards for decentralized use cases, plugging well-known security issues (e.g. token replay) that are commonplace in decentralized scenarios via Demonstration of Proof of Possession (DPoP). I developed a Solid-OIDC Java Library for client authentication, and have contributed to efforts to add decentralized authentication (DPoP, DID, etc.) to Keycloak.
New extensions like SIOP2 and protocols like SIWE are exciting.
Decentralized data storage is an essential complement to distributed ledgers and the decentralized ecosystem as a whole. Much of my time has been devoted to the evolution of open-standards for decentralized data.
I’m a contributing author of the Solid Protocol, invented by Sir Tim Berners-Lee at MIT, which uses the existing infrastructure of the Web as a medium for decentralized data. I’ve spent considerable time applying application and data interoperability patterns across data protocols like Solid and IPFS.
In a robust, decentralized ecosystem, disparate applications should be able to interoperate over the same data. Specifically:
I co-authored the Shape Trees Specification, which provides self-identifying data structures that disparate machines can interpret, validate, read, and write without breaking compatibility with other applications. They pack resources into “little virtual trees” that provide machine to machine interoperability. These packages of data are easy for humans to understand, because they can be composed into familiar objects like medical records, notes, notebooks, calendars, and financial records.
I developed the shapetrees-java library which allows servers or clients to parse and apply shape tree validation against collections of resources.
Applications need to be able to express what type of data they want access to, and controllers must be able to securely decide whether they want to give them access to that data. This has to work for all kinds of data, and it needs to be easy to understand.
I co-authored the Application Interoperability Specification which details how data controllers can authorize disparate applications and services to access subsets of their data in decentralized personal data stores.
I developed the sai-java library which allows for the rapid creation of fully-interoperable, consent-aware, decentralized applications in the Solid ecosystem.
Working in close collaboration with RSA Labs, we’ve applied Verifiable Credentials to solve real-world problems in the decentralized ecosystem, and helped to establish RSA Mercury under RSA Labs, a suite of cloud-hosted services to enable companies to easily use verifiable credentials.