"Is 'acceptably non-dystopian' self-sovereign identity even possible?"

An essay about self-sovereign identity, decentralized identity, verifiable credentials, soulbound tokens, and all those other terms that have been flying around lately.

blog.mollywhite.net/is-accepta

@molly0xfff

How can centralization help implement privacy-preserving Sybil resistance? (Not rhetorical, I'm sometimes out of the loop with protocols such as escrow.)

If there's privacy, it's hard to know who people are even if you're centralized; Wikipedia for example (where the problem is called "sock puppets").

Sybil resistance sounds good to me, I'm getting sick of waking up in strange rooms in weird clothes trying to find my wallet and not recognizing the name on any of the ID cards.

@Sandra @molly0xfff I've been toying with the idea of verifiable credentials myself, for a good decade and a half, actually, and I genuinely think there is potential there. There are a couple of things the blockchain world gets very wrong, though, the first of which is that it needs to involve any kind of blockchain/record.

But the far more worrying thing is that they all seem to want to enforce things computationally about people. That's the dystopian bit.

@Sandra @molly0xfff Privacy and centralization is really more of a question of which data you reveal to whom. Let's say you do want to receive money to your bank account. As Swiss numbered bank accounts show, you really just need to provide an opaque identifier of sorts to achieve that.

You want to verify that it's at a particular bank? Have that bank sign it. You want to verify that it's owned by some person? Have the bank sign a hash over the person's id...

@Sandra @molly0xfff ... and the opaque identifier. You don't need the bank to provide the person ID, because the person will do so.

The problem I see in most approaches is that they're inflexible; they try to prove some global truth, and in order to capture enough use cases, they include and leak more data than is necessary for each individual use case.

Implementors should focus a lot more on how the offline world already operates.

As another example, in...

@jens

"You don't need the bank to provide the person ID, because the person will do so."

And that's not a solution, it's kicking the can down the road🤷🏻‍♀️

@Sandra Yes, actually, because it's about minimizing data. What else is privacy but that?

@jens

The problem was proving identity. "The bank has seen a proof of identity" isn't a solution to creating such proofs of identity in the first place.

@Sandra Of course it is. That's the whole point.

You don't need to prove identity in the vast majority of use cases, you just need to prove that such proof exists. You need to be able to trust that proof-of-proof, which means you need to trust someone else to issue trustworthy proof-of-proofs.

In the banking case, the obvious issuer is the bank; they have a vested interest in it after all. In other use cases, less centralisation may be better.

@Sandra The bank may wish to be a root of proof, or request a proof from the state. In either case, since the whole thing eventually ties back to the real world, it'll involve some real world ritual. Once per root. And only that root needs to know anything at all about you, the person.

This isn't even centralization in a lot of senses, because proofs can be issued such that the root doesn't have to be consulted, or any intermediary. It centralizes identity proving, yes.
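Added example (not part of the thread, and not jens's or any project's code): the bank attestation described above, a signature over the opaque account identifier plus a hash binding it to the person's ID, verified without consulting the bank. The per-attestation salt, the Lamport one-time signature (a standard-library stand-in for the bank's real signing key), and all names and sample values are assumptions.

```python
import hashlib, hmac, secrets

def H(*parts: bytes) -> bytes:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") hash differently.
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

# Lamport one-time signature: stdlib-only stand-in (assumption) for the bank's
# real signing key. A key pair must sign ONE message only.
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def _bits(msg: bytes):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hmac.compare_digest(hashlib.sha256(s).digest(), pk[i][b])
        for (i, b), s in zip(enumerate(_bits(msg)), sig))

def bank_attest(sk, person_id: bytes, account: bytes):
    # The bank saw person_id once, in person; the attestation carries only a hash.
    # The salt (assumption, not in the thread) stops guessing of low-entropy IDs.
    salt = secrets.token_bytes(16)
    binding = H(salt, person_id, account)
    att = {"account": account, "binding": binding,
           "sig": sign(sk, H(account, binding))}
    return att, salt  # salt goes to the account holder only

def verify_account(pk, att) -> bool:
    # Payer's check: "this identifier is at this bank". No identity revealed.
    return verify(pk, H(att["account"], att["binding"]), att["sig"])

def verify_owner(pk, att, person_id: bytes, salt: bytes) -> bool:
    # The person supplies their own ID and salt; the bank is never contacted.
    return verify_account(pk, att) and hmac.compare_digest(
        H(salt, person_id, att["account"]), att["binding"])

if __name__ == "__main__":
    sk, pk = keygen()
    att, salt = bank_attest(sk, b"ID-CONSTRUCTED-0001", b"acct-constructed-7f3a")
    print(verify_account(pk, att), verify_owner(pk, att, b"ID-CONSTRUCTED-0001", salt))
```

Only the bank ever handles the person's ID; everyone else sees the account identifier, a salted hash and a signature, and learns the ID only if the holder chooses to present it.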

@jens

"It centralizes identity proving, yes."

And how to implement that was what I was asking in the first place!

@Sandra OK, but... that's different in every legislation and has nothing at all to do with verifiable credentials. That's entirely in meat space.

Hereabouts it goes back to birth certificates. Your community registers each birth, and issues birth certificates from the data it registers. If you want an ID, birth certificate is the proof that you should get one.

You could bootstrap the digital ID by presenting one and a public key, and receive a signature over the pubkey.

@jens So be born in state-approved hospital. But that's still an issue for refugees and others. Kids born in taxis.

Also I'm getting sidetracked into how difficult and unsolved this is even in meatland when my original question was very specific to Molly's triangle diagram.

Usually with triangle diagrams the point is that you can have any two but not all three. And it's easy to see how you can have decentralized private identities that are Sybil vulnerable. But it's not easy (for me who is still struggling with understanding these protocols and issues) to understand how you can have Sybil resistance even without privacy or without decentralization. Sybil vulnerability seems like a difficult problem in any set of circumstances.

@Sandra OK, so meatspace identities have problems, true. Why should we expect digital identities to be *less* problematic? If they're bootstrapped off meatspace identities, they're "good enough" pretty much by definition. Yes that does kick the can down the road to meatspace, but doing anything else seems to ask too much, so I'm content with that.

The trilemma Molly presents relates to self-sovereign identities. In order *not* to bootstrap off meatspace, you have to...

@Sandra ... include enough data in an identifier to be verifiable as belonging to an individual by anyone, which means it's essentially public information (even if you do not share it with the world on a blockchain). And that is how centralization preserves privacy by bootstrapping (doesn't have to be meatspace).

@jens

This is a kinda difficult thing to do, is the problem.

@jens including enough data in an identifier to be verifiable as belonging to an individual

@Sandra Well, that's where the proposals to include retinal scans, etc come into play.

Honestly, I find the whole self-sovereign identity thing dumb.

What got me to rant is that they all seem to take a *single* identity for granted. I find it much more reasonable to make the system in such a way that anyone can be a root, but it's the use case that determines which roots to trust.

That way, you don't need self-sovereignty. If you introduce me to someone you know as Bob,...

@Sandra ... they'll be "Sandra knows them as Bob" to me. This pet names system also works for identity proofs for a lot of use cases.

There is no need for self-sovereignty here, IMHO.

@jens

The entire question was "wait, is this really a complete 'choose any two' triangle or is it just that Sybil is a 🐝?"

And the example I gave was Wikipedia, where Sybils can prop up and support a user who is doing uncool things.

@Sandra And I'll get back to the same answer, in a different form. If your use case needs to address Sybil, you need to solve it. Sure.

We've explored two options. Choose what's appropriate to the use case, IMHO.

But e.g. file sharing does not. Why would I care if I share the file only with Carol, even though I share it with three IDs?

@jens but that file sharing question is unrelated to my question and to the example I chose.

I already said that having privacy plus decentralization (and giving up Sybil resistance) was easy. The Carol files is just another example of that.

That doesn't mean that the other two corners of the triangle work.

For example, I can't present a gravity-defiance, cake, soda triangle and go. "Choose any two. If we can live with gravity, we can have cake and soda. QED. Choose any two." That doesn't mean we can walk on the ceiling like Fred Astaire just for giving up soda.

And it seems to me that the Sybil problem is like gravity. Now, @molly0xfff wrote resistance, not immunity, and it's true that it's a question of degree.

@Sandra I described above how centralization can preserve privacy; this should be sufficient to show that decentralization and privacy are opposed in this situation.

Both approaches provide Sybil resistance. You can give that up as in my file sharing example (that's why it's relevant) and have privacy and decentralization.

Your comparison to gravity is asking to provide a negative example where the trilemma doesn't exist. That's the holy grail.

@molly0xfff

@jens

"You can give that up as in my file sharing example (that's why it's relevant) and have privacy and decentralization."

But I already know that, it's as basic to me as having cake and soda. I've been working with that stuff (Carol and her files) for decades and I already know it works fine and great. And you should know that I know that.

"Your comparison to gravity is asking to provide a negative example where the trilemma doesn't exist. That's the holy grail."

Sybil-resistance + privacy is difficult with or without centralization, is my hunch here, so I wanted to ask Molly what the solution was to that.

Just as eating cake while defying gravity is difficult with or without soda. Unlike the old fast/good/cheap triangle, where all three of the edges do make sense.

@Sandra Yes, but I showed you how to do Sybil resistance with privacy. What part is where we miss each other?

@jens

Thank you, for that good, clear, and de-escalating question. ♥

I feel you're glossing over the difficult parts, and, much worse, over-explaining the easy parts. As I was trying to explain with the paint/frame analogy, I want paint and you're not obligated to give me paint but I get frustrated with the page up and page down of frame stuff, which also comes across as disparaging, as if I didn't know my frame stuff.

@Sandra I hope you know that I consider you knowledgeable if not wise on a variety of topics, but I also have no problem stating that clearly in public! Disparaging is definitely not the intent.

On the other hand, this conversation is public, plus I'm generally prone to over-explaining, so consider that part for other people? (I've had terrible experiences with under-explaining, TL;DR)

What I know I'm glossing over are things which seem to not have a universally ...

@Sandra ... applicable solution. How to bootstrap identity in meatspace, for example. There is so much legal history, it's impossible for me to present a solution that would apply everywhere.

(Furthermore, I don't think such a solution is desirable, which may be too long an aside.)

If there's something I'm glossing over that I'm not aware of, I would like to know. I can always improve how I speak about such things!

@jens

Like, the comment was that I'm not aware of how Wikipedia, which is centralized, could curb Sybils. And from that 49 pages of stuff that didn't really address that.

@Sandra OK.

Wikipedia's problem is, essentially, scale. They want a low threshold for participation, and high quality for the outcome (the articles)? The Sybil problem here is being overwhelmed with low quality/malicious content from a seemingly wide variety of sources.

Would you consider this a correct problem statement?

@jens Low thresh is an important parameter but to be specific about this problem, it's when there's conflict resolution and one person is a fuck but being backed up by twenty people who are all saying "this guy is a real mensch, I concur completely". Your basic sock-puppetry🤷🏻‍♀️

@jens But, again, the difficult part being glossed over was fine, the Carol 101 stuff was the more frustrating part.

"I wanna know how to make a soufflé" and you're like "here is easy how to chop an onion for kids"🤷🏻‍♀️

@Sandra Yeah, exactly.

This isn't really about digital identity and privacy, but of course it crosses over. Mainly it's about processes and in particular dispute management.

The solutions are always the same, but in various flavours. You have tiers and stages.

Stages refers to how something gets accepted. Your two basic mechanisms are either that it's accepted until disputed, or that it needs explicit approval. You may have to go through several stages to reach the...

@Sandra ... desired stage.

Wikipedia has an accepted until disputed approach by default, which addresses scale. So does the legal system. The scientific method is trying an explicit approval approach. In reality, these systems mix and can change from one stage to the next.

The general approach there is to incur a cost for moving to stages that are not strictly necessary. To dispute something, you have to give a good reason, or the dispute is dismissed. That kind of stuff.

@Sandra Tiers matter when the mechanisms in one tier no longer work, the issue gets bumped up a tier. In legal systems, that's the next higher court. In science, it's meta studies and systematic reviews.

So the identity problem is important when deciding what powers exist at which tier.

In Wikipedia, contributing should have the lowest requirements. Dispute resolution should have higher, and so forth.

That's where you need to introduce increasing trust in identity.

No?

@jens Yes, and since disputes are so costly, socks can be really disruptive 💔

@jens @Sandra I read the thread, and I'm not sure I see how you propose to solve it. You did state that it doesn't matter in most cases, which is probably true, but is there actually a solution? As best as I can tell, you can't have sybil resistance and privacy at the same time, since by definition you're going to have to rely on a mutual third party.

@loke @Sandra My view is that this depends on how you define privacy.

If your definition is absolute anonymity, then you can't have it. You're right.

If your definition is fine with some sort of pseudonymity, you can. The third party that produces a statement of "I believe this person is who they say they are" must be privy to identifying information or be untrustworthy.

But the crucial part that makes it private is that nobody else needs this info.

Finkhäuser Social

A private instance for the Finkhäuser family.