"Is 'acceptably non-dystopian' self-sovereign identity even possible?"

An essay about self-sovereign identity, decentralized identity, verifiable credentials, soulbound tokens, and all those other terms that have been flying around lately.

blog.mollywhite.net/is-accepta

@molly0xfff

How can centralization help implement privacy-preserving Sybil resistance? (Not rhetorical, I'm sometimes out of the loop with protocols such as escrow.)

If there's privacy, it's hard to know who people are even if you're centralized; Wikipedia for example (where the problem is called "sock puppets").

Sybil resistance sounds good to me, I'm getting sick of waking up in strange rooms in weird clothes trying to find my wallet and not recognizing the name on any of the ID cards.

@Sandra @molly0xfff I've been toying with the idea of verifiable credentials myself, for a good decade and a half, actually, and I genuinely think there is potential there. There are a couple of things the blockchain world gets very wrong, though, the first of which is that it needs to involve any kind of blockchain/record.

But the far more worrying thing is that they all seem to want to enforce things computationally about people. That's the dystopian bit.


@Sandra @molly0xfff Privacy and centralization is really more of a question of which data you reveal to whom. Let's say you do want to receive money to your bank account. As Swiss numbered bank accounts show, you really just need to provide an opaque identifier of sorts to achieve that.

You want to verify that it's at a particular bank? Have that bank sign it. You want to verify that it's owned by some person? Have the bank sign a hash over the person's id...

@jens

That part is super easy, barely an inconvenience but that doesn't address Sybil at all.


@molly0xfff

@Sandra It prevents such attacks if the person ID is issued via a similar system, sure. Have an opaque identifier signed by the state. The centralization of that signing provides the Sybil resistance. @molly0xfff

@Sandra It's also privacy preserving because each use case may require a different ID only. Back to the banking example, I may provide a person ID that the bank issued for me. Nobody needs to know my state issued person ID for a bank transfer. @molly0xfff

@Sandra @molly0xfff ... and the opaque identifier. You don't need the bank to provide the person ID, because the person will do so.

The problem I see in most approaches is that they're inflexible; they try to prove some global truth, and in order to capture enough use cases, they include and leak more data than is necessary for each individual use case.

Implementors should focus a lot more on how the offline world already operates.

As another example, in...

@jens

"You don't need the bank to provide the person ID, because the person will do so."

And that's not a solution, it's kicking the can down the road🤷🏻‍♀️

@Sandra Yes, actually, because it's about minimizing data. What else is privacy but that?

@jens

The problem was proving identity. "The bank has seen a proof of identity" isn't a solution to creating such proofs of identity in the first place.

@Sandra Of course it is. That's the whole point.

You don't need to prove identity in the vast majority of use cases, you just need to prove that such proof exists. You need to be able to trust that proof-of-proof, which means you need to trust someone else to issue trustworthy proof-of-proofs.

In the banking case, the obvious issuer is the bank; they have a vested interest in it after all. In other use cases, less centralisation may be better.

@Sandra The bank may wish to be a root of proof, or request a proof from the state. In either case, since the whole thing eventually ties back to the real world, it'll involve some real world ritual. Once per root. And only that root needs to know anything at all about you, the person.

This isn't even centralization in a lot of senses, because proofs can be issued such that the root doesn't have to be consulted, or any intermediary. It centralizes identity proving, yes.

@Sandra But equally, it's perfectly fine to have non-overlapping proof roots. It's the use case that needs to determine which root or roots are acceptable.

Voting may need a state operated root. You show your ID at the voting booth, after all.

Shopping does not, as a rule. I don't tend to show my ID at the checkout.

The big issue I see with most proposals is that they treat all identification issues as the same, and as the initial root proof.

@jens

"It centralizes identity proving, yes."

And how to implement that was what I was asking in the first place!

@Sandra OK, but... that's different in every legislation and has nothing at all to do with verifiable credentials. That's entirely in meat space.

Hereabouts it goes back to birth certificates. Your community registers each birth, and issues birth certificates from the data it registers. If you want an ID, birth certificate is the proof that you should get one.

You could bootstrap the digital ID by presenting one and a public key, and receive a signature over the pubkey.

@jens So be born in state-approved hospital. But that's still an issue for refugees and others. Kids born in taxis.

Also I'm getting sidetracked into how difficult and unsolved this is even in meatland when my original question was very specific to Molly's triangle diagram.

Usually with triangle diagrams the point is that you can have any two but not all three. And it's easy to see how you can have decentralized private identities that are Sybil vulnerable. But it's not easy (for me who is still struggling with understanding these protocols and issues) to understand how you can have Sybil resistance even without privacy or without decentralization. Sybil vulnerability seems like a difficult problem in any set of circumstances.

@Sandra OK, so meatspace identities have problems, true. Why should we expect digital identities to be *less* problematic? If they're bootstrapped off meatspace identities, they're "good enough" pretty much by definition. Yes that does kick the can down the road to meatspace, but doing anything else seems to ask too much, so I'm content with that.

The trilemma Molly presents relates to self-sovereign identities. In order *not* to bootstrap off meatspace, you have to...

@Sandra ... include enough data in an identifier to be verifiable as belonging to an individual by anyone, which means it's essentially public information (even if you do not share it with the world on a blockchain). And that is how centralization preserves privacy by bootstrapping (doesn't have to be meatspace).

@jens

This is a kinda difficult thing to do, is the problem.
@jens including enough data in an identifier to be verifiable as belonging to an individual

@Sandra Well, that's where the proposals to include retinal scans, etc come into play.

Honestly, I find the whole self-sovereign identity thing dumb.

What got me to rant is that they all seem to take a *single* identity for granted. I find it much more reasonable to make the system in such a way that anyone can be a root, but it's the use case that determines which roots to trust.

That way, you don't need self-sovereignty. If you introduce me to someone you know as Bob,...

@Sandra ... they'll be "Sandra knows them as Bob" to me. This pet names system also works for identity proofs for a lot of use cases.

There is no need for self-sovereignty here, IMHO.

@jens "What got me to rant is that they all seem to take a *single* identity for granted."

But all your ranting was on stuff I already agreed with and understood and that's coming from someone who's still having trouble figuring out how to solve this.

The situation in Sweden is a horror show. We're in the ID-pocalypse here. Doing taxes, getting doctor's referrals, paying phone bills, proving I own this apartment…

This is a heavy subject for me 💔

@Sandra Yeah, I understand. Well, I never really did, because the system in Germany works reasonably well.

It has obvious weaknesses, sure, but if the world can move on without addressing them, it's good enough.

If the situation in Sweden is worse, I can believe it. UK is a shitshow because they resist registries and IDs, but then they invite CCTV everywhere.

I think all nations are crazy in how they approach this, tbh.

@jens

That's not the point at all!

Like, here I am wondering how to make a painting and then all I hear is advice for how to hang picture frames over the mantel! And then when I'm like "How do I make paint" and you're like "How to hang the frame is of course the whole point."

@Sandra I'd be happy to phrase it differently, but I'm not sure what you're asking, then. Because the original proving of identity, the root I am referring to, is a solved problem. We've been doing variations of it long before the digital realm got involved.

@jens


"Because the original proving of identity, the root I am referring to, is a solved problem."

And I caveated as much in my original question; that I was not asking "whether" but "how".

Here in Sweden it's a huge issue.

ID is based on providing your last ID within five years of its issuing. If it lapses you're SOL, and they ask for employers, registered roommates, utility bills etc.

Digitally it's based on having a specific app from Play or Apple. It's Not Good.

And, if The State can't even figure it out, how can something like Wikipedia?

@Sandra @molly0xfff ... order to gain entrance to an adult-only event, maybe an identifier needs to include something the person can show as proof they're the subject, and a birth date. Actually, you don't need a birth date, you just need a boolean flag and a signing date. If the flag was true at the date of signing, it'll be true later.

The system really needs to be focused on providing just the bare minimum for a use case is my point.
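
The minimal credential described in the thread (a root's signature over the holder's public key, a boolean flag plus a signing date instead of a birth date, and roots chosen per use case), as an added sketch that is not part of the thread or any participant's code. Ed25519, the field layout, the "state" label and the nonce challenge are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// Credential holds no name and no birth date: a flag, the signing date, a key hash.
type Credential struct {
	Issuer   string   // label of the signing root (labels here are hypothetical)
	KeyHash  [32]byte // SHA-256 of the holder's public key
	Adult    bool     // true if the holder was an adult on SignedAt
	SignedAt time.Time
	Sig      []byte
}

func (c Credential) payload() []byte { return []byte(fmt.Sprintf("%s|%x|%t|%d", c.Issuer, c.KeyHash, c.Adult, c.SignedAt.Unix())) }
// Issue is done once by a root, after its real-world check of the holder.
func Issue(issuer string, key ed25519.PrivateKey, holder ed25519.PublicKey, adult bool) Credential {
	c := Credential{Issuer: issuer, KeyHash: sha256.Sum256(holder), Adult: adult, SignedAt: time.Now()}
	c.Sig = ed25519.Sign(key, c.payload())
	return c
}

// Verify runs offline; roots lists only the issuers this use case accepts.
func Verify(c Credential, roots map[string]ed25519.PublicKey, holder ed25519.PublicKey, nonce, proof []byte) error {
	root, ok := roots[c.Issuer]
	switch {
	case !ok || !ed25519.Verify(root, c.payload(), c.Sig):
		return fmt.Errorf("not signed by a root this use case accepts")
	case len(holder) != ed25519.PublicKeySize || sha256.Sum256(holder) != c.KeyHash || !ed25519.Verify(holder, nonce, proof):
		return fmt.Errorf("presenter did not prove control of the subject key")
	case !c.Adult:
		return fmt.Errorf("adult flag was not set at signing")
	}
	return nil
}
// Demo: the real holder, a self-signed credential, a proof replayed against a new nonce.
func Demo() (holder, selfSigned, replayed error) {
	statePub, statePriv, _ := ed25519.GenerateKey(nil) // nil uses crypto/rand
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil)
	roots, nonce := map[string]ed25519.PublicKey{"state": statePub}, []byte("constructed nonce 1")
	cred, proof := Issue("state", statePriv, alicePub, true), ed25519.Sign(alicePriv, nonce)
	return Verify(cred, roots, alicePub, nonce, proof),
		Verify(Issue("state", alicePriv, alicePub, true), roots, alicePub, nonce, proof),
		Verify(cred, roots, alicePub, []byte("constructed nonce 2"), proof)
}
func main() { fmt.Println(Demo()) }
```

The verifier learns only the flag, the signing date and a key hash, and never contacts the root; swapping the `roots` map is how a different use case accepts different issuers.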

Finkhäuser Social

A private instance for the Finkhäuser family.