[HN Gopher] The Future of Online Identity Is Decentralized
___________________________________________________________________
The Future of Online Identity Is Decentralized

Author : Yolta
Score  : 210 points
Date   : 2020-07-12 14:30 UTC (8 hours ago)

(HTM) web link (yarmo.eu)
(TXT) w3m dump (yarmo.eu)

| robbrown451 wrote:
| "As tempting as the alternative is, making these changes will
| improve your life"
|
| I know most people on HN believe this, or want to believe this,
| or especially want everyone else to believe this, but I still
| think the statement needs support. Or at least a qualifier like
| "in my opinion."
| rasengan wrote:
| I have always felt identity, including online such as domain
| names, should be decentralized -- it's too much power for a
| central authority to dictate who gets (and doesn't get) a name.
| Further, it's too easy for people to impersonate others online.
| It even happened at reddit where the CEO masqueraded as users by
| modifying their comments [1].
|
| Handshake [2] is a great project that helps decentralize online
| identity. Not only is naming distribution in the hands of the
| people with Handshake which ends the deplatforming/censorship
| debacle the world has been facing recently, but also, anything a
| name does can be verified with signatures verifiable against the
| blockchain.
|
| [1] https://www.theverge.com/2016/11/23/13739026/reddit-ceo-stev...
|
| [2] https://handshake.org
| tdons wrote:
| We have this in The Netherlands but it hasn't picked up yet. It's
| promising though:
| https://privacybydesign.foundation/irma-explanation/
|
| The system is attribute based and requires an 'authority' to give
| you the attribute. After that the attribute lives on your phone
| and you can give it out to organisations or businesses asking
| for....:
|   - your name
|   - whether you are >= 18
|   - your address
|   - etc.
|
| What's great about it is:
|   - you can give out minimal information
|   - no 3rd party/intermediary required after you've received an
|     attribute
| rat323 wrote:
| It's a failure because everyone in Netherlands is stoned and
| nothing gets done.
|
| Source: I'm Icelandic but have a cousin in NL.
| charlieroth wrote:
| https://urbit.org/
| jeroenhd wrote:
| I see that they've updated their website since I last looked at
| it. They still use some abstract art and meaningless pictures
| of nature to explain their concepts, but at least the
| description makes sense now.
|
| Sadly the system cannot be used easily for any applications
| storing personal information since your identity is tied to a
| blockchain and the GDPR requires companies to make information
| deletable.
|
| The reliance on abstract art for trying to make their points
| come across is still too vague for me to give the project a
| try, but who knows, maybe in another year or two the project
| and its concepts will actually be understandable enough for me
| to give it a shot.
| nanomonkey wrote:
| Urbit does seem to have an overabundance of weird jargon and
| glyphs that reinvent existing technologies, it just reeks of
| techno-alchemy.
|
| As to your second point, I'm curious if any decentralized
| system will ever allow for full deletion of information once
| it has been replicated by another client. Any gossip
| protocol, or decentralized CRDT document system has to take
| into account that a client will go offline and retain
| information once it has been released into the wild. Whether
| or not a request to "delete" or hide that information is
| followed through with is almost impossible to regulate. It's
| perhaps more important to realize that what we publish, may
| always exist out there.
|
| That being said, clients could randomly ask for "tombstoned"
| information to verify that other clients comply to a delete
| request, but it will likely always exist somewhere.
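
An added example, not part of the thread or of any project named in it, modelling the deletion problem nanomonkey describes above: a delete is a tombstone gossiped between replicas, and an auditor probes peers for tombstoned items. The class names, `audit()` and the sample post are hypothetical, constructed for illustration.

```python
"""Toy model of tombstone deletion across replicas (constructed example).

Replica, CarelessReplica, HoardingReplica and audit() are hypothetical
names for this sketch, not the API of any real gossip or CRDT library.
"""
import hashlib
from dataclasses import dataclass, field

SAMPLE_POST = b"constructed sample post: my old address"


def item_id(payload: bytes) -> str:
    """Content address, so a tombstone can name an item without carrying it."""
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Replica:
    """A compliant peer: purges the payload when it learns of a tombstone."""
    name: str
    items: dict = field(default_factory=dict)     # id -> payload
    tombstones: set = field(default_factory=set)  # ids requested deleted

    def put(self, payload: bytes) -> str:
        iid = item_id(payload)
        if iid not in self.tombstones:            # tombstone blocks re-insertion
            self.items[iid] = payload
        return iid

    def delete(self, iid: str) -> None:
        self.tombstones.add(iid)
        self.items.pop(iid, None)

    def merge(self, other: "Replica") -> None:
        """Anti-entropy round: tombstones only grow, and they win over items."""
        for iid in list(other.tombstones):
            self.delete(iid)
        for iid, payload in list(other.items.items()):
            if iid not in self.tombstones:
                self.items[iid] = payload

    def fetch(self, iid: str):
        """What the peer answers when another client asks for an item."""
        return self.items.get(iid)

    def holds(self, iid: str) -> bool:
        """Ground truth (invisible to other peers): is the payload still stored?"""
        return iid in self.items


class CarelessReplica(Replica):
    """Records the tombstone but never purges, and keeps serving the item."""
    def delete(self, iid: str) -> None:
        self.tombstones.add(iid)


@dataclass
class HoardingReplica(Replica):
    """Moves the payload to a private archive and answers probes as if compliant."""
    archive: dict = field(default_factory=dict)

    def delete(self, iid: str) -> None:
        if iid in self.items:
            self.archive[iid] = self.items[iid]
        super().delete(iid)

    def holds(self, iid: str) -> bool:
        return iid in self.items or iid in self.archive


def audit(peers, tombstoned_ids):
    """Probe every peer for tombstoned ids; return {peer: ids it still serves}."""
    return {p.name: [i for i in tombstoned_ids if p.fetch(i) is not None]
            for p in peers}


def run_demo():
    author = Replica("author")
    peers = [Replica("honest"), CarelessReplica("careless"),
             HoardingReplica("hoarder"), Replica("offline")]
    iid = author.put(SAMPLE_POST)
    for p in peers:                 # the post replicates everywhere
        p.merge(author)
    author.delete(iid)
    for p in peers[:-1]:            # "offline" misses the delete gossip
        p.merge(author)
    report = audit(peers, [iid])
    truth = {p.name: p.holds(iid) for p in peers}
    return report, truth


if __name__ == "__main__":
    report, truth = run_demo()
    for name in report:
        print(f"{name:9} served_on_probe={bool(report[name])} still_holds={truth[name]}")
```

The probe flags the careless and offline replicas but reports the hoarding one as compliant, which is the limit of tombstone audits that the comment points at.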
| mirimir wrote:
| > Built for individuals, I recently launched Keyoxide which uses
| cryptographic keypairs to accomplish decentralized identity
| verification. While it doesn't (and shouldn't!) link an account
| to a person in the physical realm, it links accounts across
| platforms.
|
| I'm glad to see this! Although it seems to be hugged to death
| right now :( I had been using KeyBase for this, but after the
| recent sale to Zoom, I've backed away.
| fanf2 wrote:
| It is tragic that Mozilla killed Persona just when it was
| starting to take off. Sadly I didn't save the link to a
| retrospective written by the project lead, in which it was
| explained that they gave up because it was taking too long. But
| internet standards aren't like a Megabar that you can foist on
| everyone within 6 months, they take years.
| weinzierl wrote:
| _"Built for individuals, I recently launched Keyoxide which uses
| cryptographic keypairs to accomplish decentralized identity
| verification."_
|
| So this is about the introduction of a new identity service. From
| what I get looking into Keyoxide it basically strives to be what
| Keybase originally intended to be.
|
| From their Keybase migration guide [1]:
|
| _"Keyoxide as a partial replacement for Keybase
|
| It's important to moderate expectations and state that Keyoxide
| only replaces the subset of Keybase features that are considered
| the "core" features: message encryption, signature verification
| and identity proofs.
|
| Message decryption and signing are not supported features: they
| would require you to upload your secret key to a website which is
| a big no-no.
|
| Encrypted chat and cloud storage are not supported features:
| there are plenty of dedicated alternative services.
|
| If you need any of these Keybase-specific supports, Keyoxide may
| not be a full Keybase replacement for you but you could still
| generate a profile and take advantage of distributed identity
| proofs."_
|
| [1] https://keyoxide.org/guides/migrating-from-keybase
| ocdtrekkie wrote:
| The key difference is that instead of the Keybase server
| storing verifications, it looks like they tell you to add the
| link to the proof directly to your key as a notation.
|
| This means the proof isn't dependent on a central server, which
| seems like a significant improvement.
| mirimir wrote:
| Yes, I noticed that too. So yes, I believe that this improves
| on Keybase. Even without the Zoom fail.
| vmception wrote:
| in before everyone shills their unnecessarily tokenized identity
| cryptocurrency that nobody ever used and never ever will
| smt88 wrote:
| I 100% agree with you, but generally I find "in before..."
| comments to be unhelpful at best and harmful to the discussion
| at worst. In the latter case, it's typically because it's not
| only attacking a straw man, it's actually announcing, "Hey,
| I'm creating a straw man!" at the beginning of the comment.
|
| If you do want to head off the crypto founders before they show
| up, perhaps you could write a comment along the lines of, "In
| case anyone is wondering, here are the reasons
| cryptocurrency/identity makes no sense when solving this
| problem..."
| vmception wrote:
| or
|
| "I predict from prior experience that a bunch of
| cryptocurrency identity bagholders from 2017 will show up to
| shill their useless project not realizing it will never catch
| on and that product's adoption will never buoy their bags
| even if it did catch on"
| upofadown wrote:
| Your identity is going to come down to knowledge of the private key
| from some sort of public key system. Why not just standardize
| that?
|
| An excellent example of something perversely non-standardized for
| identities can be found in messaging.
| Signal, Matrix, Whatsapp
| and OMEMO are even supposedly based on the same protocol. In
| terms of identity they are all complete silos. All the things you
| establish about an identity on one system are completely unusable
| on another.
|
| Creating systems to kludge this mess together seems to be a way
| of avoiding the root problem here...
| supertrope wrote:
| What happens when the private key is lost? We can either have
| certificate authorities issue you a new one, or you would need
| to approach your peers and have e.g. three of them confirm that
| you've changed keys.
| nanomonkey wrote:
| One could also use Shamir's Secret Sharing algorithm to have
| a number of your peers hold your secret key without them
| being able to access it. When you've lost the key, you have a
| subset of the peers reproduce it for you, by sharing their
| portion of the secret. Cryptography is pretty great.
| mirimir wrote:
| Yeah, that is a huge problem. Most people just don't do well
| at managing keys and credentials. As much as I hate Signal's
| phone number requirement, I appreciate the reason for it.
| upofadown wrote:
| Then you have lost that particular identity and would have to
| start over with a new one for that particular aspect of your
| online life. If you lose it and can get it back somehow then
| it wasn't really yours in the first place.
|
| You can have as many passphrase protected backups of your
| identity in as many places as you like so in practice the
| more likely issue would be where someone else gets access to
| your private key. So that means some sort of revocation
| contingency.
| johnmarcus wrote:
| Keybase kludges it together, and yet still, no one seems to
| care or use it.
| ThePhysicist wrote:
| There's the "European" ID4Me project (https://id4me.org/), which
| tries to add federation on top of OpenID Connect / OAuth2. The
| idea is to give users globally valid IDs that contain a domain
| name.
| Using a TXT record on that domain you then specify which
| OpenID auth provider a service should use to authenticate the
| user. If you have your own domain this enables you to switch ID
| providers without having to update your accounts.
|
| In general I like the idea but since it's an EU-style project I
| don't expect it to go anywhere to be honest. And personally I
| don't think the benefit over e-mail based authentication is
| marginal. That said there are some extensions in OpenID Connect
| that can achieve something similar, and that (IMHO) are more
| likely to actually get widely adopted.
| rendaw wrote:
| What does federation bring here? Aren't OpenID identities
| already collision free?
|
| I'd love to have SSO under my own control, and while it was
| theoretically possible with OpenID 2 things have gone backwards
| with OIDC with everyone supporting it but restricting login to
| just the big names (Google, Facebook, Apple).
|
| I put together a simple stateless OID2/OIDC identity provider:
| https://gitlab.com/rendaw/oidle but I have yet to find a
| website I can actually use it on. I still have hope though.
| djsumdog wrote:
| I had a classic OpenID server and every website I used to
| authenticate against using it has gotten rid of OpenID
| support. Stackoverflow was the big one. I haven't tried
| OpenID Connect yet.
|
| https://battlepenguin.com/tech/the-decline-of-openid/
| rendaw wrote:
| By the way I wanted to say I read that blog post a bunch of
| times while trying to put together that software!
| OpenStreetMap and GnuSocial may really be everything on the
| internet now.
|
| I'd almost sign up for a website at this point just to get
| a chance to use my OID provider...
| djsumdog wrote:
| New Zealand had a program called Real Me. It's based on a
| completely and totally broken SAML2 implementation, that only
| gives you back a single token, and then you have to query
| another web service to get more information.
| Oh and years ago when we had to implement a product using it,
| their Identity
| Providers would give us different responses randomly ... and it
| once went down for two weeks straight.
| mirimir wrote:
| > On today's internet, the best we can do is make fully separated
| accounts, link them using technologies like decentralized online
| identity proofs and create our own online personas, with our own
| open tools that ensure we maintain ownership over them.
|
| That's for sure how I see it :) It gives everyone the choice of
| what mix of real names and ~anonymous personas to use, and how to
| link them.
| cs02rm0 wrote:
| Feels like you'd have to lean significantly away from
| anonymisation to want to leave public proofs of cross account
| identities lying around. Maybe that's a more common use case for
| businesses and high profile people though than wanting to link,
| say, a pseudo-anonymous forum account with a payment account.
| mirimir wrote:
| I've been advocating online ~anonymity for many years, and
| exploring relevant methods. But I also can't ignore the
| downsides, particularly the role of authentication.
|
| I'll have more to say here. But for now, I'll just invite any who
| are interested in further discussion to a Podaero group:
| https://podaero.com/dashboard with invite code "44e5576d".
| Kapura wrote:
| I think one of the great parts of the internet is that it
| promotes this identity decentralisation (or, as I have always
| thought about it, identity fragmentation). You are allowed to
| isolate online identity from the rest of your life, or from
| separate online accounts/personae.
|
| Which is why I am confused as to why the author spent so much
| time worrying about verifying identity. To me, that feels like
| it's completely missing the point of fragmenting your online
| experience. Is the author simply concerned with the amount of
| power associated with their Google login?
| Steven-Clarke wrote:
| https://www.hyperledger.org/use/hyperledger-indy
| jeroenhd wrote:
| Reading the comments, I learned that OpenID is not centralised
| but rather provides federation support. I wish I'd known about
| this sooner before it died, because it would've been fun to try
| and use.
|
| I'm sure decentralized authentication won't come on commercial
| platforms though. Maybe some developer-centric services will add
| support once the Next Big Thing in authentication and
| authorization comes along, but companies want to keep as much of
| their account system under their control as possible. It might be
| because of data mining, it might be because of bot prevention, it
| might be because of fear of trusting external providers, but I
| just don't see any reason why companies would accept such an
| authentication system.
|
| The closest thing I can see happening is a federated
| authentication platform like the EU is implementing with EIDAS.
| Authentication with your home government for EU-wide services,
| tied to your ID card. I don't think something like that will be
| implemented for much more than government institutions and
| banking, despite the idea having been proven to work.
|
| Simply put, as long as it doesn't make business sense to trust
| another provider, businesses won't offer any decentralized
| authentication methods.
| Fiahil wrote:
| A post on decentralized identity without talking about the
| Decentralized Identity Foundation (https://identity.foundation/),
| right there on the first page when you type "decentralized" and
| "identity" in Google?
| mirimir wrote:
| Huh. Do they do more than establish standards?
| kory wrote:
| If anything, my bet is the future of identity is more
| centralized.
|
| Decentralized solutions, as I've read about them in their current
| form, require a significant amount of technical knowledge to
| understand.
| That is, to understand both what they are and, more
| importantly, their benefits ("why does this specific solution
| matter to me?"). Past that, the user experience is extremely poor
| in comparison to clicking "log in with Google", and I'm not
| convinced it can ever fully get there.
|
| It is for those reasons that I think centralized identity is here
| to stay long term. Most people aren't going to spend the time to
| learn about this because they just want the easiest solution and
| don't care about their data being sold. I know several people in
| tech that fully understand the extent of how their data is used
| by internet corps, and don't mind it because they prefer
| convenience for free. And I think that's OK--it's their informed
| choice.
|
| Personally, I try to login with email most of the time, and
| that's the limit of my drive to care about the security of my
| personal data. But my email is gmail, so I doubt it really makes
| a difference from login with Google.
| djhaskin987 wrote:
| In the US, everyone uses credit cards (centralized identity) to
| pay for stuff.
|
| In Mexico, credit cards are stolen and reamed for all they're
| worth by criminals. As a result, everyone uses cash
| (decentralized, anonymous, difficult to use). Everyone could
| move to decentralized in the face of significant pressure, even
| if centralized identity is more convenient.
| [deleted]
| kory wrote:
| All central authorities are built on trust, fear, or
| complacency. Americans are complacent with the credit card
| system and trust it for the most part. The Experian breach
| has shown that breaches of trust are easily overlooked in
| favor of complacency, at least to a point.
|
| Considering how Americans view other Americans (I hear
| "stupid" thrown around a lot), I strongly doubt that a
| decentralized authority would ever gain enough trust in the
| US to take hold today without a strong historical precedent.
|
| For what it's worth, cash is still centralized.
| It's made "legitimate" by the power of the central government,
| and is
| managed & controlled by that authority. Given, it is somewhat
| "decentralized" because the value of fiat money comes from
| the people's agreement that the currency has value. On the
| other hand, the US dollar's global hegemony exists in large
| part because of global US Military presence, which is
| absolutely a "central authority".
| maccard wrote:
| > The Experian breach has shown that breaches of trust are
| easily overlooked in favor of complacency, at least to a
| point.
|
| I disagree that it matters for trust in CC's. It may have
| damaged Experian's reputation, but people still trust
| amex/MasterCard/visa and their banks, despite Experian
| being useless. The fact that Experian is required to access
| those systems is unfortunate, but most people don't deal
| with Experian directly.
|
| I think people's day-to-day trust in banks is well placed,
| for what it's worth. I banked with a large bank that fell
| in 2008, and had less than 10,000 in my bank. My money
| wasn't affected, I just had to find a new provider.
|
| I've had multiple incidents of fraudulent transactions on
| debit and credit cards over the last 15 years, and in
| _every_ instance, my card provider has sided with me and
| refunded me the money immediately (even in the one case I
| was actually wrong and it was a billing mistake). Those
| amounts were almost always in the few hundreds.
| asciident wrote:
| Considering that the data breach was actually at a
| completely different company than the one this thread
| named leads me to believe that the reputation damage is
| not as significant as you suggest.
| twitch-chat wrote:
| It's unfair to say we still use credit because we are
| complacent. If you stop caring about building a credit
| score, you will end up paying more money in things like
| mortgages or car loans.
| There is a financial incentive to
| use credit cards (if you don't miss payments) despite the
| breach of trust.
| kory wrote:
| I didn't say it's just complacency that keeps the credit
| system going. Low friction purchasing (complacency)
| absolutely plays a strong role. Trust is important, too
| (but is less strong than complacency) because the system
| wouldn't be used at all without it, and, to your point,
| fear absolutely plays a role as well.
| mirimir wrote:
| In the US, liability for fraudulent credit card use is
| limited to $50. No matter how much was charged.
| theamk wrote:
| Bad example. In Australia, everyone was using credit cards..
| but they have PIN code + chip.
|
| If a centralized system is not inept, it can do all the same
| things decentralized things do and better.
| djhaskin987 wrote:
| PIN codes and chips are used in the US as well, but I doubt
| a PIN and better encryption would help you[1].
|
| 1: https://xkcd.com/538/
| ohmaigad wrote:
| Then with cash it is even easier as it doesn't leave any
| digital trace.
| johnmarcus wrote:
| Yes, I suppose if we moved to becoming a lawless society
| fuelled by drug lords....then yes, I can see how the hoops
| could be worth it.
| fwip wrote:
| Beaker Browser is getting close to solving it.
|
| When you visit a website that works with it, to login, you just
| grant the webpage access to one of your profiles. (I just use
| one profile for everything, but you may wish to keep some
| things separate). Then any activity you do can be associated
| with that profile. No passwords or keys or even email addresses
| to remember.
| hunter-gatherer wrote:
| As much as I'd like to see a decentralized solution, I agree
| with you. I just spent 30 minutes helping my mom (age 60) and
| brother (36) set up a Microsoft family account so they can
| dictate and monitor my nephews' computer usage because [nephews]
| are addicts.
|
| I didn't even know Microsoft family was a thing, but setting it
| up and configuring it (from my perspective), was intuitive and
| simple. My mother and brother however struggled to follow
| along, and are stressed that they won't be able to manage it.
|
| Most users (even my spouse who is in her late 20's) readily
| fall into this category. My point is that if configuration
| requires any troubleshooting it won't reach mass adoption
| unless it addresses a perceived necessity without an
| alternative approach.
| edoceo wrote:
| Couldn't the UX just be improved and deliver the benefit while
| hiding the complexity?
| api wrote:
| Yes, but that requires an economic model. UX is often well
| over 90% of the work for a product and usually includes a ton
| of work that is not much fun and people have to be paid to
| do.
|
| Centralized has subscriptions, advertising, and "surveillance
| capitalism." Decentralized has nothing. I had some hope that
| cryptocurrency would provide some kind of mechanism, but
| cryptocurrency was taken over and destroyed by scammers and
| bad money drives out good.
|
| The lack of an economic model is IMHO why decentralized
| solutions have not succeeded, not technical challenges.
|
| One possibility would be to abandon the free as in beer part
| of open source ideology and go back to just charging for
| software, but licensing and payment add friction and it's
| very hard to compete with "free" options funded
| surreptitiously via surveillance.
|
| BTW the fact that cryptocurrency was destroyed by scammers
| and criminals highlights a second huge issue: it seems to
| take the efficiency, executive ability, coordination, and
| direct human guidance of a centralized system to resist bad
| actors. This is why even the most democratic countries have
| mechanisms to phase shift into dictatorships during emergency
| or war. I have yet to see a decentralized system that became
| popular and was not instantly destroyed by black hats.
| EGreg wrote:
| _The lack of an economic model is IMHO why decentralized
| solutions have not succeeded, not technical challenges._
|
| You're right. This lack needs to be addressed for us to
| progress.
|
| How about this model? Would like feedback:
| https://qbix.com/token
| kory wrote:
| The UX isn't the most looming problem, but it's one that
| needs to be solved. My question is: How in the world would
| you convince people to use keys to verify their accounts to
| one unique, anonymous, identity, as the OP suggests? I just
| don't see it being something people would spend the time to
| do. Not to mention, getting to a "Login with Google" level of
| UX, available as universally as "Login with Google", would be
| extremely hard without a centralized authority.
|
| The bigger problem is convincing people that it's worth
| switching. Apple is the closest to doing this with "sign in
| with Apple". "Sign in with Apple" hides your identity from
| the client site, the value prop is clear for the user, and
| the process is as close to frictionless as possible. But the
| solution is still "centralized". Apple stores all of the
| information to make the system as frictionless as it is.
| summerlight wrote:
| It's more about a fundamental design trade-off rather than
| removing accidental complexity coming from UX. Currently,
| most of us delegate the responsibility of identity management
| (other than memorizing id and password) to one of big-techs,
| presumably much better at this area than 99% of us. In the
| fully decentralized world, the burden of proof is now up to
| users. And they usually don't really care about the best
| practice for security, privacy and reliability. Technology
| may improve over time so the equation will get better, but I
| don't expect this dynamic to change that much.
| christophclarke wrote:
| On the other hand, however, the outcomes of a breach are
| vastly different.
| An individual who fails to secure their
| information is liable for only their information. If a
| "big-tech" is compromised, they are liable for everyone's
| information.
|
| If users are still unwilling to run their own infra, then
| that seems like a great opportunity for Identity as a
| Service. I'd feel much more comfortable handing identity to
| a firm whose entire business model revolves around securing
| my information and protecting my privacy rather than a
| big-tech.
| tudorconstantin wrote:
| "I'd feel much more comfortable handing identity to a
| firm whose entire business model revolves around securing
| my information and protecting my privacy rather than a
| big-tech." - in order for that company to be rock solid,
| trusted by most of the world and with a proven track
| record of top notch security, would mean that the said
| company is a big-tech.
|
| I would call okta, auth0 and iWelcome big-tech already,
| even if they're not FAANG-level big tech yet.
| kory wrote:
| This is a great point that I hadn't thought of. Well said.
|
| I'd rather, as a company, risk managing all of my users'
| identities (vulnerability to a data breach, mitigated by a
| well-trained security team) than trust my users to manage
| their own security well and inevitably deal with a mass
| amount of compromised accounts.
|
| As a user, especially if I'm not technical, I'd have a
| strong bias towards handing my identity to a team that's
| spent years studying computer security. Managing my own
| identity would involve learning a lot about computer
| security. That would take a lot of time and I'd _really_
| have to care about it to do it "right". Regardless, I'd
| likely get a lot of things wrong, leading to my identity
| being more insecure than if I had just stored it with
| someone like Apple.
| sascha_sl wrote:
| All people still somewhat understand is federated identity, and
| that's becoming less prevalent.
|
| Through a weird set of coincidences I often get support tickets
| about people using or enrolling in TOTP escalated to me. These
| people have never used an authenticator, except for the
| company-mandated Microsoft authenticator. Not only do they
| simplify the concept thinking there's just one code for
| everything (e.g. Microsoft tokens are used for AWS, don't worry
| these people only have access to some S3 stuff) they also
| extrapolate that because Microsoft sends them push
| notifications, AWS must too, and they didn't get one, so it's
| obviously broken.
|
| Email is slowly losing this awareness too. The only remaining
| analogy that's probably not going away is getting your credit
| card from a bank while they still work on the same network.
| ryukafalz wrote:
| I dunno, I think the UX for decentralized identity could be
| made pretty good. The GNUnet project has one that runs locally
| but exposes itself with an OIDC interface:
| https://reclaim.gnunet.org/
|
| It's still pretty early, but imagine a more polished version of
| that with a user-friendly installer. If you had the software
| installed and running, it'd behave pretty similarly to e.g.
| Google's OIDC provider. Linux distros could even preinstall it.
| (I have no hope that MS/Apple/Google would do the same since
| they all have their own centralized providers.)
| kory wrote:
| That's so so many steps and requires knowledge of so many
| things. It has the big two fundamental problems, and a major
| third one:
|
| * Its value prop is poorly explained. As an engineer with a
| CS degree, I still barely understand what it's talking about
| (what's an "identity attribute"??) without some digging.
|
| * Even if the value prop was well-explained, it's still very
| high friction compared to "Sign in with <Service I Already
| Use>". Why would a user download an installer and deal with
| managing all of their accounts?
| There's a secure, anonymous,
| easy, centralized option that does it all for you (Sign in
| with Apple). That service does it so well that you only have
| to click a button to log in or sign up. Nothing else
| required. That isn't achievable without a central authority
| managing everything for you.
|
| * (this is the big one) Your local machine is a major point
| of failure. If you lose your local machine and haven't backed
| up your accounts, you just lose access, right? The only
| solution is either set up a server with periodic backup (too
| much friction for regular users) or a centralized authority
| that stores them for you, which defeats the purpose of all of
| this.
|
| This project, to me, falls into the "cool technical stuff
| category". It's obviously built for "geeks" (lack of a better
| term) and not for people. That's why centralized tech co's
| will probably always do this better than open source. They
| are customer focused just as much as technology focused.
|
| Unmonetized open source projects tend to focus more on
| technology than user experience. That's why you see regular
| people using monetized software and developers using open
| source to build monetized software.
| ryukafalz wrote:
| >As an engineer with a CS degree, I still barely understand
| what it's talking about (what's an "identity attribute"??)
| without some digging.
|
| It's not really ready to be used widely at this point.
| Given that, the fact that the documentation is currently
| more oriented towards developers working on identity
| software is fine, I think.
|
| >Even if the value prop was well-explained, it's still very
| high friction compared to "Sign in with <Service I Already
| Use>". Why would a user download an installer and deal with
| managing all of their accounts? There's a secure,
| anonymous, easy, centralized option that does it all for
| you (Sign in with Apple). That service does it so well that
| you only have to click a button to log in or sign up.
| Nothing else required. That isn't achievable without a
| central authority managing everything for you.
|
| Sure, installing software is higher-friction than using a
| centralized service, but it's not _that_ much higher
| friction. It's not like people don't install software all
| the time. (And again, this is something that could easily
| be preinstalled by your OS vendor of choice, which would
| make the experience very similar to the centralized
| providers'.)
|
| >Your local machine is a major point of failure. If you
| lose your local machine and haven't backed up your
| accounts, you just lose access, right? The only solution is
| either set up a server with periodic backup (too much
| friction for regular users) or a centralized authority that
| stores them for you, which defeats the purpose of all of
| this.
|
| Yes, this is a big one. No, I don't think those are the
| only two options. You could sync them between devices if
| you have more than one (phone/laptop?), you could store
| them on a user-specified data storage location (think MIT's
| Solid), etc. I acknowledge that it's a problem, but I think
| it's a tractable one.
|
| >This project, to me, falls into the "cool technical stuff
| category". It's obviously built for "geeks" (lack of a
| better term) and not for people.
|
| I think you're looking at the project as it is, and not as
| it could be.
| EGreg wrote:
| So since you have one identifier, companies can track you
| across all domains.
|
| They can find out if you are a user of sex.com or
| dangerouspoliticalopinions.com
|
| They can do this by trying to register an account with your
| email address, and being told it was already registered.
|
| Here is a tool that allows anyone to do it:
|
| https://www.quora.com/Is-there-a-way-to-know-which-all-sites...
|
| https://brandyourself.com/blog/privacy/find-all-accounts-lin...
| kortilla wrote:
| Everyone?
Unless the sites publish a list of logins for | everyone to read the only one with that knowledge would be | the identity provider. | EGreg wrote: | Not at all. See above. | mirimir wrote: | Yes, exactly. Attempts to register with an email that's | already used will fail, and so adversaries check whatever | sites interest them. | | However, I believe that would fail for those using Google or | Facebook authentication. But I can't test that, given that I | don't have an account with either. | brentis wrote: | Agree. It is decentralized. You need to be able to maintain your | identity as a currency whereby you get compensated for access to | it vs. others who get to monetize your persona. Google, LinkedIn, | FB all do this. If you grant specific rights you maintain your | identity and get compensated directly for a business to gain | access to market, contact, or interact with you. | vasilakisfil wrote: | The future of online identity is indeed decentralized and not | distributed, meaning that users will always have some super nodes | to handle their identity on behalf of them. In my opinion | Facebook/Twitter/etc are not identity providers, they are silos. | Sure they are very successful ones and can even be used as identity | providers at some places, but as long as they don't open up they | can easily die anytime. | | The author suggests that services built on top of these Silos | that provide proofs of connection between all the identities. I | welcome such initiatives but I doubt they will lead anywhere, | cause they are built on top of silos. And a silo, as soon as it | figures out it loses money, it will cut down that connection. | | What won't die is decentralized published standards and protocols | that handle the Identity management through the internet. | Starting from plain DNS, we can get AoR for SMTP, SIP, XMPP and | on top of that we have frameworks that facilitate the identity | management like OAuth2, OpenID etc. All open and standardized. 
We | are getting there, we just need some more time I guess. | | That's why I always thought that, Google, who owns emails has | much more value than Facebook, that asks for your email. If | facebook dies, you lose one aspect of your digital social part. | If you lose your email though, you almost lose your online | identity. I really can't get how Zuckerberg has missed that. | sksksk wrote: | They did offer @facebook emails once, and it would integrate | with your messages app. | | It didn't really take off though, and I guess was quietly | withdrawn. | | https://techcrunch.com/2010/11/15/facebook-messaging/ | vasilakisfil wrote: | yeah I remember that but it was never really pushed forward | properly | mikedilger wrote: | Identifier systems will always be distributed in that even in a | world where it is entirely centralized, someone can create | another one. Now it's distributed. The power is in your hands. | ChrisMarshallNY wrote: | I hardly ever use any OAuth logins. I use my GH login in a couple | of places, but I usually create an email/site-specific ID. | 1Password is a nice tool. | | That said, the last couple of years, I have gone to great lengths | to create a "digital personal brand," which is deliberately | designed to help people find me, and tie all of my digital | artifacts together. | | I think that OAuth logins actually work against that. I want to | leave "pointers" all over the place, that point to each other in | a public manner. OAuth logins "bury" these pointers, so only | "gatekeepers" can see the information. | | It definitely means that I have to be a lot more careful, these | days, than I used to be, in choosing what I write or expose | online, but I don't feel it's too difficult. I like to think that | I live a lifestyle that has very little to hide. | | I was reading about that Fox writer that just committed career | _seppuku_. 
I think that is a visceral example, showing that we | can't trust the old cloak of anonymity to hide our trail, so it | might not be a bad idea to, as Twain said, "live that when we | come to die, even the undertaker will be sorry." | | It's part of a strategy that seems to be working. | | Works for me. YMMV | EGreg wrote: | Working on something like this: | | https://github.com/Qbix/auth | | The DID spec has been the one big success so far, but | implementations matter. Our implementation has been open sourced, | and is compatible with oAuth and other specs like DID: | | https://github.com/Qbix/Platform | uniqueid wrote: | In my ideal world, we have a framework for brick-and-mortar | businesses to act as internet notary service providers. | | If you want a general-purpose open-id style account, you visit a | notary, and provide them with a fee and proof of your identity. | You tell the notary how much information they can share (in | particular, whether they can release your name to the internet, | or just the "we verified this account is held by a real person" | boolean). | | The protocol would cover much more than passport info though. You | could have a notary vouch that you're a licensed driver, or have | a college degree, visited a certain country, etc. | | That might cut through some flavors of online nonsense. It would | also allow people to stay pseudonymous, and yet enable law | enforcement to subpoena their identity, if they go on a killing | spree, or hack a few million dollars worth of bitcoin. | horizin wrote: | It's possible to enable this setup using verifiable credentials | - an emerging W3C standard for creating and sharing | "attestations" about a person. | | https://www.w3.org/TR/vc-data-model/ | uniqueid wrote: | Holy mackerel! Thank you :) I've been thinking about this | issue for weeks. This standard looks very relevant! 
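The notary scheme uniqueid describes above, with only the "real person" boolean shared, can be sketched as follows; this is an added example, not code from the thread and not the wire format of the W3C verifiable-credentials data model horizin links. It assumes a salted-hash selective-disclosure layout, Ed25519 keys, and hypothetical function and attribute names (`issueCredential`, `present`, `verifyPresentation`, `real_person`, `forum.example`).

```javascript
const crypto = require("crypto");

// Salted digest of one attribute. The salt stops a site from guessing
// low-entropy values (true/false, a birth year) from the digest alone.
function digestClaim(salt, name, value) {
  return crypto.createHash("sha256")
    .update(JSON.stringify([salt, name, value]))
    .digest("hex");
}

const exportKey = (publicKey) =>
  publicKey.export({ type: "spki", format: "der" }).toString("base64");
const importKey = (b64) =>
  crypto.createPublicKey({ key: Buffer.from(b64, "base64"), format: "der", type: "spki" });

// Notary: after the in-person document check, sign the holder's public key
// (the pseudonym) together with the sorted salted digests, and nothing else.
function issueCredential(notaryPrivateKey, holderPublicKey, attributes) {
  const disclosures = {};
  const digests = [];
  for (const [name, value] of Object.entries(attributes)) {
    const salt = crypto.randomBytes(16).toString("hex");
    disclosures[name] = { salt, value };
    digests.push(digestClaim(salt, name, value));
  }
  digests.sort(); // sorted so position does not reveal which attribute is which
  const payload = JSON.stringify({ holder: exportKey(holderPublicKey), digests });
  const signature = crypto.sign(null, Buffer.from(payload), notaryPrivateKey).toString("base64");
  return { payload, signature, disclosures }; // disclosures stay with the holder
}

// Holder: reveal only the requested attributes and sign the site's nonce, so a
// captured presentation cannot be replayed at another site or by someone else.
function present(credential, holderPrivateKey, requestedNames, audience, nonce) {
  const revealed = {};
  for (const name of requestedNames) {
    if (!Object.prototype.hasOwnProperty.call(credential.disclosures, name)) {
      throw new Error(`credential has no attribute "${name}"`);
    }
    revealed[name] = credential.disclosures[name];
  }
  const binding = JSON.stringify({ audience, nonce, credential: credential.signature });
  const proof = crypto.sign(null, Buffer.from(binding), holderPrivateKey).toString("base64");
  return { payload: credential.payload, signature: credential.signature, revealed, proof };
}

// Relying site: check the notary signature, the holder's proof over this
// site's own nonce, and that every revealed value matches a signed digest.
function verifyPresentation(notaryPublicKey, presentation, audience, nonce) {
  const { payload, signature, revealed, proof } = presentation;
  const fail = (reason) => ({ valid: false, reason });
  if (!crypto.verify(null, Buffer.from(payload), notaryPublicKey, Buffer.from(signature, "base64"))) {
    return fail("notary signature does not verify");
  }
  const { holder, digests } = JSON.parse(payload); // parsed only after the signature check
  const binding = JSON.stringify({ audience, nonce, credential: signature });
  if (!crypto.verify(null, Buffer.from(binding), importKey(holder), Buffer.from(proof, "base64"))) {
    return fail("holder proof does not match this site and nonce");
  }
  const claims = {};
  for (const [name, { salt, value }] of Object.entries(revealed)) {
    if (!digests.includes(digestClaim(salt, name, value))) {
      return fail(`attribute "${name}" was not attested by the notary`);
    }
    claims[name] = value;
  }
  return { valid: true, pseudonym: holder, claims };
}

// Constructed demo data: keys are generated on the spot, attributes are invented.
function demo() {
  const notary = crypto.generateKeyPairSync("ed25519");
  const holder = crypto.generateKeyPairSync("ed25519");
  const credential = issueCredential(notary.privateKey, holder.publicKey, {
    real_person: true,
    legal_name: "Example Person",
    licensed_driver: true,
  });
  const nonce = crypto.randomBytes(16).toString("hex");
  const shown = present(credential, holder.privateKey, ["real_person"], "forum.example", nonce);
  const accepted = verifyPresentation(notary.publicKey, shown, "forum.example", nonce);
  // Same presentation offered to a different site: the holder proof no longer matches.
  const replayed = verifyPresentation(notary.publicKey, shown, "other.example", nonce);
  // Holder adds an attribute the notary never attested.
  const forged = JSON.parse(JSON.stringify(shown));
  forged.revealed.college_degree = { salt: "00", value: true };
  const rejected = verifyPresentation(notary.publicKey, forged, "forum.example", nonce);
  return { shown, accepted, replayed, rejected };
}

console.log(JSON.stringify(demo().accepted.claims));
```

The site learns a stable pseudonym (the holder's public key) and the one attribute it asked for; the legal name stays with the holder and the notary, which is the party a subpoena would go to.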
| orf wrote: | > You could have a notary vouch that you're a licensed driver, | or have a college degree, visited a certain country, etc. | | Humans, generally, are very bad at catching document fraud. It | wouldn't be a vouch for a licensed driver but instead it would | be a vouch for "a bit of plastic that looked like a driving | license to me". | | There is lots of sophisticated fraud and often automated | solutions have a much higher rate of detection than your | average person, even with some training against common attacks. | packet_nerd wrote: | Maybe have the DMV be the notary for driver's licenses? | supertrope wrote: | Certificate authorities with brick and mortar locations would | be an improvement over the current USA situation of SSN+DOB | as master password to all IRL accounts. Checking a driver's | license IRL is better than looking at an uploaded scan or | photo. They could use those box scanners casinos use. | | The main issue is minimizing cost. Dot com companies and | banks don't want to pay for this so they peg online | identities and account security to SMS effectively pushing | off the problem to cellular companies. Cellular companies | lack the competence to handle IAM. Opening a branch in every | city is very expensive and companies don't want to even pay | ~$10 for an offshore script reader to check a SMS code and | verify "public information" off a credit report. | | Credit card companies that are already liable for fraud | usually settle for SSN+DOB, ID scans and aforementioned | Equifax data verification because fraud losses are cheaper | than in person due diligence. | uniqueid wrote: | Absolutely! It would be far from perfect, and, but for the | worst-case scenario that the internet currently embodies, not | worth pursuing. But there's _so_ much room for improvement | today. Just placing a barrier against sock puppet accounts | would already be a huge win. 
| yunruse wrote: | It would create a small financial (and convenience) pressure to | use one identity. Careful design would be needed to ensure that | multiple identities are encouraged and accepted. | supertrope wrote: | There is enormous pressure to converge on one identity. IAM | has huge network effects. On-boarding customers is an expense | so businesses and governments rely heavily on existing rails | like email, SSN+DOB, Facebook, SMS, etc. If you don't want to | surrender SSN or your whole Facebook profile your only option | is to reject the service entirely. | mirimir wrote: | Facebook accounts are available for $1-$10, payable in | cryptocurrencies. | rendaw wrote: | It could also make things like online voting (like, for winners | in a contest or features in software) possible which would | otherwise be impossible due to multiple accounts. | aaron-santos wrote: | Who notarizes the notaries? | blotter_paper wrote: | Reputation? | supertrope wrote: | The people who consume the notarized documents. If too much | crap comes through they can reject the issuer. Kind of like | how Symantec CA got dropped by browser makers. | | Public notaries are licensed by US state governments. There | is generally a background check, brief training course, and | application fee. In at least some states they have strict | liability for theft of their stamp. | aaron-santos wrote: | What does it mean to reject the issuer when there are | around 4.4 million notaries in the US? What systems are in | place now or would need to be created in order to aggregate | trust and what are the pros and cons associated with those | systems? | supertrope wrote: | For individual notaries file a complaint about | incompetence or report them for fraud. Signatures, seals, | and watermarks aren't as good as public crypto but that's | okay because phone calls, clearinghouses, and the legal | system backstops them (especially for reversible | transactions). 
| | Rejecting issuers would be more applicable to repeated | transactions from a corporate certificate authority. | weinzierl wrote: | CAcert has a system in place that is close to what you | described[1]. Basically already verified users check the | identity documents of new users and vouch for their | authenticity. Their _"Assurer Handbook"_[2] is an interesting | read. When I became an assurer a few years ago the person that | trained me also took their task very seriously and I learned a | ton about how to check identity documents for forgeries. That | alone made it worth it. | | Since we have _Let's Encrypt_ I'm not entirely sure what | CAcert's place and purpose is, but I think with an existing | network of trusted people they are in an ideal position to | pivot into a decentralized online identity system. | | Mark Shuttleworth's Web of Trust similarly had so called | _Thawte Notaries_ but I think it was discontinued a few years | ago. | | [1] http://wiki.cacert.org/FAQ/AssuringPeople | | [2] http://wiki.cacert.org/AssuranceHandbook2 | nsl73 wrote: | Why would I ever trust a notary? | | As a person being notarized it sounds like I have to give that | business more personal information about myself than I usually | have to do to get an online identity, as suggested by your | subpoena statement. | | As a service trying to verify accounts I now have to trust a | third party. Maybe the notary has a business that sells fake | IDs in the back that are then used in the notarizing process. | Maybe my competition set up a burner notary node in order to | flood my service with malicious accounts. It sounds like an | attack vector. | uniqueid wrote: | You've never provided any business with ID? How do you get | into nightclubs? | | The internet is important. When something is important | enough, it is worth the risk. That's why people share secrets | with their bank, lawyer, doctor, psychologist, etc. 
| | We are squandering most of the potential of social media, | because its design limits worthwhile conversation to | hypotheticals. Since there's no reason to trust the honesty | or motivations of anyone online, discussing actual data or | life-experience is pointless. | elric wrote: | > How do you get into nightclubs? | | Clubs don't care about identity. In some parts of the world | they care about age and outward signs of affluence and/or | attractiveness. | uniqueid wrote: | I was thinking of North America, where "carding" is still | standard practice. | supertrope wrote: | >Age | risyachka wrote: | In my ideal world I never have to deal with notaries and there | are no physical documents at all. | alex_young wrote: | TL;DR advice is to use email as your account ID method on various | sites, and author's new service to 'verify' the accounts in a | central place so people will know they are the same user between | sites. | | This isn't really decentralization is it?, it's a new kind of | account linking which requires one to trust the central | verification authority. | | Maybe I'm missing something. | Yolta wrote: | You wouldn't need to use your email as account id. The account | id could even be completely random, as long as you manage to | link back from that account to your key (in case of twitter, a | tweet with the key fingerprint), anything works! Just add a | link to that account to your key. | | With regards to decentralization: keyoxide doesn't hold the | proofs. Your key does. You can take your key to any | verification system, whether it is keyoxide website or some CLI | tool or an app, and have that verify the proofs. Yes, you do | need to trust the service. But that's where the open source and | hopefully one day, network effect comes into play. If enough | knowledgeable people trust it and talk about it, then less- | techy people might one day too. | | In the end, what is important to note is this: keyoxide is just | an implementation detail. 
If soon a different service becomes | much more popular and used, the "decentralized identity proofs" | ecosystem still wins! I would love to see apps get developed | where anyone can at the press of a button verify online | identities. That will be the next big milestone. | Trumpi wrote: | We literally had this with OpenID. If I remember correctly, it | pre-dated Facebook and the flurry of "Login with XXX" type | authentications. But the corporations like their walled gardens | too much and OpenID fell out of favor. | user5994461 wrote: | OpenID was replaced by OpenID Connect and SAML. | | They mostly operate in federations, which is neither | centralized nor decentralized. | mikedilger wrote: | Identity as a noun is problematic and IMHO usually reflects | miscomprehension. Identity is a relationship. The identity | function maps something onto itself. Authentication checks if the | current entity is an entity you remember. | mitchtbaum wrote: | Meh | djsumdog wrote: | I agree with a lot of this post. A lot of the left-leaning | intellectuals that are now criticizing the harder-left stances in | academia; people like Bret Weinstein, Jonathan Haidt, Sam | Harris, et al. ... I've heard all of them say they want less | anonymity and more accounts tied to real identities. | | Whenever I hear this I think, "What? No! That's the opposite | direction we should be going." Identities that are hard locked to | real people makes it so easy to harass, mob, cancel and abuse | people. At least in the US, most employers are at-will, allowing | for Viewpoint Discrimination. | | Anonymity does have its issues. It also does allow people to | harass with more impunity. But in many ways, it also exposes more | of the deep self and the controversial ideas people have that | they are less and less likely to discuss outside of anonymity. 
| | Even semi-anonymous platforms like Reddit are going back on | previous commitments to free expression of ideas; and the effect | is that Reddit is becoming more one-sided/one-direction, just | like the platforms everyone is fleeing into. | | Always use your e-mail to sign up for things. I rarely ever allow | applications to connect via social media/OAuth. There was a time | on the Internet where we thought all identity providers could be | interchangeable. I ran an OpenID IDP for years, but fewer and | fewer sites allow OpenID logins: | | https://battlepenguin.com/tech/the-decline-of-openid/ | jessaustin wrote: | _...left-leaning intellectuals..._ | | Didn't you get the memo? We're supposed to like government | surveillance now. After all, now FBI/CIA/NSA are on our side | and we can totally trust them forever. | clairity wrote: | how about we have a whole range of options so that we can | express our full selves via the various venues made available? | | sometimes you want (pseudo-)anonymity and sometimes you don't. | being able to pick and choose seems to offer the greatest | freedom, rather than pigeon-holing everyone into one option. | jimkleiber wrote: | This! While sometimes I want to use a pseudonym, there are | many times I want to say "I am the human who I say I am," and | currently, that means hoping a platform will magically verify | me (if they even verify anyone) or, I suppose, posting a copy | of my ID to the internet, and even that doesn't work so well. | | While there are many routes to be semi-anonymous, there are | very few to being verified (or maybe I just don't know about | them) | julianeon wrote: | On the contrary, I advise everyone to use real-name identities | wherever they can. I understand that pseudonymous and real name | accounts have fundamentally different approaches, but I think, | for the majority of people, pseudonymous accounts are a | mistake. | | The reason is simple. In 2020, everybody is a brand. 
Things | have become competitive to the point that the inevitable | happened: business has occupied free time. We could lament | that, or we could accept it, because it's the reality today, | and I don't think we're ever going back. | | Personally I think pseudonyms are a legacy of a time when the | Internet was not taken seriously and whatsupdoggg69 was a | perfectly valid username in a place where nothing mattered and | Internet work had no monetary value. | | That's changed, a lot. That viewpoint - which, to be honest, | was probably questionable, even then - seems definitely wrong | now. It seems more and more like the wrong path, and you don't | have to go down it. | | You need to start posting under your real name, and then keep | doing that, so people know they can go to your advice, | expertise, friendship, a place to pay attention, etc. That has | a _lot_ of monetary value. | | My philosophy here is: unless you intentionally chose to leave | money on the table, you should never leave money on the table. | | So if you're working in 2020 at a prestigious or a first-mover | startup (which covers a lot of startups), don't go on reddit | and post memes under some name that will always be worth $0. | | Instead, go on Twitter, post under your real name, and start | becoming known as the go-to person for your niche of the | industry. | | If you are working at a startup, and building a name launched | out of a startup (no lawyer is going to attempt to claim your | real name social media handle), you can launch a consultancy, | just off that. | | Assuming your consultancy brings in 100k a year and businesses | often sell for 10x revenue (a pretty reasonable assumption), | then doing that over 10 years can build you a $1,000,000 | consultancy. 
| | Given those numbers, I think it's positively stupid to turn | down $1,000,000 for the sake of a few forgettable jokes and | political opinions that, let's face it, in the case of the | average person, are not changing anything. | | Instead, do the smart thing, claim that $1,000,000, and get | used to using real names & real name content for everything. | mirimir wrote: | Why not do both? | | As you say, using your real name builds your brand. However, | you must then be very careful to avoid saying stuff that | damages your brand. And as you basically say, you must | therefore censor yourself online. | | So why not do other stuff using pseudonyms? That's exactly | why I started using them. I'm retired now, so there's really | nothing about my meatspace identity to protect. But when | there was, having the freedom to express myself honestly | online was important to me. In particular, because I had to | police my meatspace behavior so carefully. | danso wrote: | How would people who want to be the next Haidt or Harris build | up authority (i.e. a reputation/brand) if identity becomes | decentralized and ephemeral? | bookmarkable wrote: | Correctly identified problem. | | Far too technical and obscure a solution for 99% of the world. | | I think Apple, while not a complete solution, shows a path | forward with Sign In with Apple allowing you to generate a relay | email. | | As always, whoever nails the user experience will win. | kevsim wrote: | Fully agree. I've had the opportunity to work on identity at 2 | former employers. We tried to push things in this direction as | part of exploration work including discussions with Mozilla | around Persona and much more. Unfortunately every time, we met | a fairly insurmountable problem - most users just don't get it, | and even if they get it, they don't care. 
| | I agree this is where things need to move, but we need to make | it so simple that users who don't care can still use it and | those who do can get the most out of it. | atlgator wrote: | Isn't identity already centralized? Just about every website with | a login system has self-asserted ID. | Animats wrote: | The future of online identity is centralized. | | China is already there. At age 16, you get your picture and | fingerprints taken. If you get a phone, its ID is tied to your | personal ID. Your WeChat account is tied to that ID. If you ride | the subway or bus in a major city, or a train, your ID is | recorded when you pay. A combination of phone tracking and facial | recognition records where you go in some cities. It's even used | to shame jaywalkers.[1] | | The US is getting there with Real ID. It's been postponed a year | due to the epidemic, but soon you will need a Real ID, checked | against your birth registration, to board even a domestic flight. | | [1] https://youtu.be/ectdRsyj-zI | closeparen wrote: | Real ID is a contract between the federal government and the | states about the security of their existing ID issuing | processes. It covers things like, don't leave ID printers and | card stock in podunk branch offices where $12/hour staff can | let in their friends at night. Use printing processes that are | sufficiently hard to replicate. If your freedom relied on stuff | like this, you were already an outlaw, the only implication of | Real ID is that now you will need stronger technical skills to | produce your next convincing fake. It has nothing to do with | where and whether IDs are required. Airport and courthouse | security have been requiring IDs for many years now. | jadbox wrote: | As the article mentions, centralized trust has proven that it | reaches a certain maximum before being plagued by political, | legal, and corruption. 
I don't know much about the China's | state ID system, but based on other systems they've rolled out, | I'm sure with enough money and the right contacts you can wipe, | fabricate, or change your ID (which is also true for the US). | Centralized systems have to also undertake the same problems as | decentralized ones, like ensuring records are kept updated, | which is no trivial task when providing identity for millions | of people(1) | | (1) https://www.washingtonpost.com/us-policy/2020/06/25/irs- | stim... | markus_zhang wrote: | Yes, it might be de-centralized, but in a different way. It will | simply be distributed to different | bureaucracies/aristocracies/warlords/agencies/etc. with each | jealously holds their part and tries to grab the rest from other | players. | motohagiography wrote: | Have worked in the identity space for a long time. Authentication | isn't a hard problem, but identity is. It will be decentralized | because if it is not fragmented, it is literally just oppression. | Trusting authentication is not trusting identity, and the origin | of identity is the Ur-problem because it comes down to questions | of recourse, collateral, risk, authority, and legitimacy - which | are all political economy questions and not technical ones. | | The technology can change the economics of identity, but identity | itself reduces to how you organize to provide recourse to people | within your scope. Sure, we can use escrow systems and smart | contracts, but these still require a means to organize and | provide adjudication. | | All the use cases for digital identity are about enforcement and | liability, and there are almost none that anyone would volunteer | for. In this sense, identity is necessarily imposed, so all | products in the space are necessarily aimed at a customer who is | imposing identity on a group. 
It's why I tell identity companies | who ask to find some other problem to solve because holding out | for some government to adopt your product as their source of | sovereignty is a waste of time. There is one other use case for | identity, and yes, it is decentralized and bottom-up, because it | is about dividing into secure, self-sovereign affinity groups, | and the reasons for doing that are on a very short list of uses. | Super fun, but basically a weapon. | coldtea wrote: | > _It will be decentralized because if it is not fragmented, it | is literally just oppression._ | | The conclusion ("It will be decentralized") doesn't follow from | the argument though ("because if it is not fragmented, it is | literally just oppression"). | | It could very well be "just oppression" and keep being that... | mirimir wrote: | Yeah, that's one of my top worries. It's already that way in | much of the world. And the "liberal democracy" sector is | teetering on the edge. Once we get seriously into the chaos | of global climate change, pandemics, mass migrations, war and | so on (aka Gibson's "Jackpot"), who knows? | Barrin92 wrote: | >All the use cases for digital identity are about enforcement | and liability, and there are almost none that anyone would | volunteer for. | | Everything from a LinkedIn or Facebook account to your personal | artist homepage with your CV on it establishes identity. People | obviously disclose identity voluntarily, because identity is | the primary means by which strangers establish trust. | | If your identity is not transparent to me, I won't enter a | relationship with you that requires me to know who you are, | which in practice is almost every one. I don't see how non- | fragmented identity is oppression. It can be for sure, but the | primary reason why identity is important in our interactions is | because it establishes trust and reputation. 
I've always | considered "non-imposed" identity a sort of oxymoron for that | reason, because if full control of identity is left to the | individual, identity essentially loses its primary purpose. | mirimir wrote: | It's not that simple. My meatspace identity is entirely | transparent. But online, I'm mostly Mirimir and other | pseudonyms. Even so, I've been Mirimir for long enough, and | have written enough about freedom, privacy and anonymity that | I have a substantial reputation. | | That is, one can have a range of identities, from entirely | transparent to stably pseudonymous to fleetingly anonymous. | user5994461 wrote: | Linkedin/Facebook/Email login establish that it is the same | "person" coming back. They don't guarantee the identity of | the person as in official name or address or date of birth. | Barrin92 wrote: | is this a distinction without a difference? Networks like | LinkedIn exist for the purpose of building real social | capital and that's how they're used by 99% of their users. | I don't see the incentive for someone to use a fake persona | (other than scamming). | | All those private firms are in many ways identity providers | just as real and official as governmental ones. | user5994461 wrote: | It's a massive difference. Consider linkedin vs national | UK login. | | The latter one guarantees the identity: full name, date of | birth, address, verified phone number, last taxable | income, etc... | | It allows to request government benefits or open a bank | account online, because the identity is guaranteed. There | is a real verified person behind the account. (corollary: | you will be in trouble if somebody gets credit cards | under your UK identity). | | On the other hand, it's not great if that identity is | required to apply to a job. The company can see your | passport after they hire you. There is no need for every | job board and recruiter and company to systematically get | all your personal information in advance. 
| AlexandrB wrote: | > Networks like LinkedIn exist for the purpose of | building real social capital | | ??? | | No they don't. They exist for the purpose of selling | advertising. Any other purpose is either marketing copy | to get you to use it or an emergent property based on | people believing the marketing. Consider that LinkedIn | would continue to exist if it provided no social capital | whatsoever as long as it could still get ads in front of | eyeballs. | | Another observation: whether any specific social network | "builds social capital" depends on the demographics of | the audience and general "trendiness". People in high | school don't care about LinkedIn, professionals in their | 30s don't care about TikTok. Does this mean that TikTok | should be an "identity provider" to people under 20? | narag wrote: | _It will be decentralized because if it is not fragmented, it | is literally just oppression._ | | I've never understood that way of viewing things. For me | identity is a right. The government must provide me with the | means to prove who I am and my associated data like birth | certificates, academic titles, health (vaccination), real | estate and indirectly verifying identity for private contracts | that use my national id card number. | | In an oppressive state identity surely could be oppression, | just like everything else, but in a democratic country? Come | on. In the USA government and even private entities are | collecting massive databases of everybody's data. But there's | this panic about a centralized service providing identity. It | makes no sense. | pmoriarty wrote: | _" In an oppressive state identity surely could be | oppression, just like everything else, but in a democratic | country?"_ | | What makes you think a democracy can't be oppressive? | | Even in perfect democracies there is something called the | tyranny of the majority, where the majority can oppress the | minority. 
| | If we're talking about the US in particular, we have to | recognize first that it's not even a perfect democracy, and | there are many anti-democratic things about it such as the | electoral college, and plenty more things that hinder | democracy even where it exists (such as poor civic education, | money's outsize influence in elections, extremely biased | media, branches of government which shirk their balancing and | oversight roles, etc). | | Then, to get specifically to the oppressive aspects of the | US, they range from slavery and lack of women's rights from | its foundation, to segregation that existed in law up to the | middle of the 20th Century (and arguably still exists in fact | to some extent and in some places in the US even now), to the | imprisonment in concentration camps of Americans of Japanese | descent, to discrimination against people who weren't | heterosexual, to the War on Drugs and police brutality which | primarily impact minorities, to abuse, killing, and | imprisonment of people who come to the US from other | countries. | | All this oppression and more has happened in what is | ostensibly a democracy, and often likes to style itself as | the world's greatest democracy. | | And all of this oppression has had to do with identity, which | required identifying people's race, gender, sexual | preferences, or country of origin. | | Such identification is amplified and made all that much | easier in the age of computers, the internet, and gigantic | databases on everyone. It's a data trove just begging for | abuse. | chrisco255 wrote: | It's not meant to be purely democratic. The founders were | students of history and recognized the inherent instability | of pure democracies. There were no human rights recognized | anywhere in the world in 1776. 
The imperial era was still a | thing and Kings and queens still had vast influence over | European politics, with various other centralized power | structures in virtually all parts of the world. I get that | it's easy to point out the hypocrisy of the phrase "all men | are created equal" when slavery was still a thing in half | the states, but it was a very tenuous situation to go | against the crown of England in 1776. It was far from | guaranteed. A lot of people see the human rights we have | today as some sort of inevitable outcome of progress, but | China is case in point that progress and time do not | necessarily yield more rights for more people. China is | 4000 years old and they still don't even have basic freedom | of speech there. | | All of human history is filled with bloodshed, tyranny, | endless wars, conquering, slavery, piracy, vandalism, | raiding parties, human sacrifice, religious battles and | authoritarianism, with just a few punctuating moments of | anything resembling democracy and recognition of human | rights. That goes for every race, country, tribe, continent | and creed. No heritage is innocent of that. That's the | truth. 1776 didn't have to succeed. It very much could have | ended with being squelched by the Crown and then where | would we be today? Perhaps the Nazis would have won. Perhaps | the Soviets would have developed imperial ambition in the | absence of a strong US to keep them in check. Maybe the | world would be a darker place. I suspect that without the | U.S. that it would be, since that's the rule of history and | not the exception. | | Interning the Japanese Americans was of course wrong, but | when you're fighting a world war and tens of millions are | dying at the hands of Japanese (they slaughtered Chinese by | the tens of millions)...it's very touchy isn't it? The | lesser of two evils in that particular war was certainly | the U.S. 
| | Again, prior to world war 2 the world was still filled with | imperial forces itching to conquer and enslave other people | by the tens of millions. This is just 80 years ago...not | that long ago. There was nowhere else in the world living | up to the high ideals we seek to achieve today back then. | The U.S. was that place for so many people to escape to. | The Jews being one group. The Cubans being another. The | Vietnamese being another. The Koreans being another. If | you're going to paint the picture, paint it in the context | of the world at the time and the subsequent actions in the | wake of those problems. I think individuals deserve | forgiveness after some time, and the same goes with | nations, given that their behavior is corrected. There's | nothing wrong with the movement towards more civil rights. | But expecting things to go from millennia of imperialism to | utopian democracy overnight, especially one saddled with so | much legacy from that era, is naive. Again, it didn't have | to go so well. It could have very gone south and ended up | worse off for everyone. | pmoriarty wrote: | _" It's not meant to be purely democratic. The founders | were students of history and recognized the inherent | instability of pure democracies."_ | | Many of the founders were also elitists who didn't want | anyone but landowning white men to run the country. They | were wary of "mob rule" (ie. direct democracy), and | preferred to have the elites rule. The jury's still out | on whether they were right or whether direct democracy is | actually better. Considering how much power and wealth is | being concentrated in the hands of a tiny minority in the | US, I'm siding with having more direct democracy, not | less. 
| | _" I get that it's easy to point out the hypocrisy of | the phrase "all men are created equal" when slavery was | still a thing in half the states, but it was a very | tenuous situation to go against the crown of England in | 1776."_ | | The existence of slavery in the US wasn't just about | 1776.. it lasted until 1865. The US was one of the last | countries to end slavery. | | _" All of human history is filled with bloodshed, | tyranny, endless wars, conquering, slavery, piracy, | vandalism, raiding parties, human sacrifice, religious | battles and authoritarianism..."_ | | _" Interning the Japanese Americans was of course wrong, | but when you're fighting a world war and tens of millions | are dying at the hands of Japanese (they slaughtered | Chinese by the tens of millions)...it's very touchy isn't | it? The lesser of two evils in that particular war was | certainly the U.S."_ | | The point of my post wasn't to say there weren't reasons | (some might say excuses) for the US to behave the way it | did (extreme, widespread racism against minorities is one | such reason and excuse), nor to deny that some countries | were just as bad or even worse, but to recognize that | massive, serious oppression did in fact happen in the US, | despite it being some sort of a democracy. | | Oppression in the US is still happening, is likely to | continue, and will probably be greatly enabled by the | easy availability of identifying information on the | people within and without its borders. | arminiusreturns wrote: | I want to express a frustration with this type of | response I have. | | Inevitably, when this topic of discussion comes up, I | almost always see a response of this type, calling into | question the entire foundation of the USA on the basis of | the founding brothers being white slave owners, and it | really bugs me, but I'm having a hard time trying to | articulate it well... 
| | I think it mostly centers around a very superficial | understanding of the evolution of the enlightenment and | the renaissance into the culmination of those that was | the US. I would probably respond better if, when these | arguments get thrown about, I heard discussion of the | philosophical underpinnings the founders, in particular | Madison, based their proposals on. Discussion or | reference to individual liberty, natural law and natural | rights, and such, as learned from study of Socrates, | Plato, Aristotle, Thomas Aquinas, Locke, Hobbes and | Spinoza, Montesquieu, etc. | | I almost never see these referenced in these responses | though, and to me it seems very dangerously close to | "throwing the baby out with the bathwater", and I fear | that the sentiment is growing so rapidly, as shallow as | it may be, that the lack of understanding why America | truly is a revolutionary country and is exceptional in | history will portend some very turbulent times in the | future. | | Yes, the system was imperfect from the start, and has | been even more imperfect in implementation, but to say | then that the whole system (not saying you said this, but | it seems thinly veiled to that effect often) must be | thrown out is foolhardy at best. The shining light of | America is that it has, in its founding documents, a | system designed to self-improve over time. I see our main | problem as being the lack of memory of why each piece of | that system is so important, and have allowed it to | become corrupted. The path forward then is in seeking to | enforce the core foundational principles the founders | thought very hard about (such as Montesquieu's checks and | balances system), and not to discard them just because | they came from people that were imperfect. | coldtea wrote: | > _I've never understood that way of viewing things. 
For me | identity is a right._ | | Historically "identity" wasn't a right, but something imposed | on people, for better tracking and controlling them by | authorities... | | > _In an oppressive state identity surely could be | oppression, just like everything else, but in a democratic | country?_ | | Oppression is not about democratic vs totalitarian state. | McCarthy and Hoover, to mention just two examples, reigned | over others in the good ole democratic US of A. | | Not to mention very few (if any) countries have actual direct | democracy, or give the people say in how they want to be | governed, from the constitution and downwards. | mirimir wrote: | > Historically "identity" wasn't a right, but something | imposed on people, for better tracking and controlling them | by authorities... | | I used to own a wonderful book about the history of data | science. As I recall, starting in maybe the 1600s, experts | in France and Germany were tasked with tracking | populations, birth and death rates, economic activity, and | so on. And the primary goal was to aid in military | planning. Unfortunately, I've lost the book and forgotten | the title and author. And the search terms are so topical | as to be useless. | closeparen wrote: | Identity can't be "imposed," come on. Personhood is | continuous across time and space. All a system can | influence is your ability to lie about this. Ability to | deceive the state can protect your freedom but inability to | trust others also has a cost, there has to be a balance. | TehCorwiz wrote: | I can reasonably change my hardware, software, and habits to | avoid being matched with some corporate agglomerated profile | of "me". | | However, I cannot change my government provided identity. | | Right now I can have multiple identities: one for work, one | for my WoW guild, one for security research. | | With a single centralized identity provider I couldn't do | that. 
They wouldn't just be able, they would by default | associate my personal and professional associations. | | I feel that the risk of a single central (and especially | government run) identity provider is that it can chill | freedom of association by disallowing you to anonymously, or | if not anonymously then disconnectedly associate with people | or groups. | WealthVsSurvive wrote: | The problem is not that the data is centralized; the problem | is that centralization engenders a position of advantage, | which incentivizes perversion. This is why the problem | becomes political. The amount of privacy one should have is | relative to the ethics of humanity, society, to material | necessity and fact, etc. This is an unsolved problem. One | would need a series of blind oracles to solve it, unfettered | by the influence of living things. | Nextgrid wrote: | The problem with making government-issued ID easy to verify | online is that every website will start requiring it and | pseudonymity or anonymity would become a thing of the past, | even though it's necessary in some cases. | Spearchucker wrote: | Identity federation seemed to promise solutions to some of | these problems, but never quite took off. The part I liked most | was the ability to verify someone as being over 18 without | divulging their age or any other meta data. That was 10 years | ago though, and I have no idea what the citizen/consumer | identity space looks like now. | | Did the industry ever get around the sub-par SAML protocol | which had no support for the active requestor profile, and the | superior WS-Federation protocol which had to use the | technically superior SAML token? 
| jadbox wrote: | I'm surprised that BrightID or 3BOX aren't mentioned for | decentralized solutions: | | https://www.brightid.org/ | | https://3box.io/hub | identitywoman wrote: | The future is Decentralized - you have very large actors working | to deploy systems based on the Verifiable Credentials (VC) Data | Model (W3C Standard) and the Decentralized Identifiers (soon to | be W3C Standard) extensive work is being done on how the data is | exchanged (Credential Handler API, OpenID Connect Self Issued | Identity Provider (OIDC_SOIP) <- so any installed openID can | accept VCs and DID Communications (spec under development at the | Decentralized Identity Foundation). Actors supporting this work | include western liberal governments, MSFT, IBM and many many | others many cool small startups. We gather twice a year at the | Internet Identity Workshop. Our archives for the last 10 years | are online. | foobar_ wrote: | Is it possible to add proofs for phone, credit card ? | magnusmagnusson wrote: | Urbit already done it. | nanomonkey wrote: | Can someone point me to a resource that cuts through all of the | jargon that Urbit uses and describe what it does that is new? | I've browsed through their website and Hoon, the programming | language, and can't find anything intriguing besides a bunch of | new names and glyphs for existing terminology. | | Is it just new age cabala of decentralized tech to generate | hype and intrigue? I've seen a lot of projects fall into this | techno-wizardry naming trap, and enjoyed it myself, but I'm | starting to get tired of the overhead of such abstractions. | riffic wrote: | ah, the TempleOS of decentralization. | mawise wrote: | Sounds a lot like IndieAuth, but with keys and math instead of | "centralized" DNS. | | https://en.m.wikipedia.org/wiki/IndieAuth | mirimir wrote: | > Removing the possibility for anonymity could solve the problem | of online toxicity. | | Except that it's not possible. 
And worse, it's just hard enough | to evade that only those with malicious goals will manage it. | | > Large internet corporations like Google and Facebook allow all | to create an account on condition that some personally | identifiable information is revealed, usually a phone number. | | Also Signal, sadly enough :( | | > The benefit is that it deters most from repeatably creating new | accounts when older accounts have been flagged or banned due to | improper behavior. These companies gain the function of "identity | provider": they manage your online identity that can be used to | login in different locations of the internet. We all know many | websites that offer a "Google login" or "Facebook login". | | Yes, it "deters most". And mainly it deters vulnerable people, | who need ~anonymity to protect themselves from adversaries. It | doesn't deter spammers, trolls, scammers, bot operators, and | such. There are just so many ways to use multiple phone numbers. | Ranging from free websites to SIM banks. And actually, it's | easier just to buy accounts, either fresh or old (which probably | means stolen). | | So even without getting into concerns about corporate | gatekeepers, it's clear that this is a misguided approach. | dmitshur wrote: | I'm happy to support IndieAuth (a decentralized identity protocol | built on top of OAuth 2.0) on my site and give people the option | to use their personal site, if they have one, as a way of | identifying themselves and performing authentication. | | I described the motivation in more detail at | https://github.com/shurcooL/home/issues/34. | Temasik wrote: | so when ico | synctext wrote: | "A Truly Self-Sovereign Identity System", our academic work with | Tor-like privacy[1]. | | This goes beyond owning your identity. Has government | sponsorship. The EU is currently taking the lead in this area, | search terms: "ESSIF: The European self-sovereign identity | framework". 
| | [1] https://arxiv.org/abs/2007.00415 | cirno wrote: | I feel like a domain is a nice way to link identities, with a | small nominal fee being a nice deterrent to botting. Not the most | user-friendly for those not tech savvy, but third-party services | could help with setting up such sites. | | Make a page on your domain with rel=me links to your social media | profiles, have the social media sites link back to your site with | a verified symbol next to the link when it scans and validates | the rel=me link. | | This puts you in control of your verification instead of | federating it to a service like Keybase or Keyoxide. | IbyvzOneoneh wrote: | This makes tracking slightly more difficult, but does it really | make significant difference when you consider all the tools at | tracking companies' disposal? | | How does it prevent linking those identities with real identities | by using tools like browser fingerprinting, tracking preferences | and stylometry? | | I don't really see a way to keep my commenting (and even browsing | to some extent) user friendly and disconnected from my real | persona, so I act accordingly. | | However, I'd like to be proved wrong. | vjeux wrote: | Maybe I'm missing something but the author mentioned using email | instead of Facebook/Google login. Why come up with a complex | crypto protocol instead of using email as the identity key? ___________________________________________________________________ (page generated 2020-07-12 23:00 UTC)
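Added example (not part of the thread, and not code from any commenter or project named in it): the two-way rel=me check cirno describes above, run over constructed pages so it works offline. The domains, page contents and status names are assumptions made for illustration; a profile counts as verified only when the home page and the profile both point at each other with a rel=me token.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit


def normalize(url):
    """Lower-case scheme/host, drop trailing slash and fragment, keep the query."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                       p.path.rstrip("/") or "/", p.query, ""))


class RelMeParser(HTMLParser):
    """Collect targets of <a>/<link> elements whose rel tokens include "me"."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        tokens = (attr.get("rel") or "").lower().split()  # rel is a token list
        if "me" in tokens and attr.get("href"):
            self.links.add(normalize(urljoin(self.base_url, attr["href"])))


def rel_me_links(url, html):
    parser = RelMeParser(url)
    parser.feed(html)
    return parser.links


def verify_profiles(home_url, pages):
    """pages maps URL -> already-fetched HTML. Returns {profile: status}."""
    home = normalize(home_url)
    fetched = {normalize(u): body for u, body in pages.items()}
    results = {}
    for profile in sorted(rel_me_links(home, fetched[home])):
        # A profile that was not fetched has no back-link and stays unverified.
        back = rel_me_links(profile, fetched.get(profile, ""))
        results[profile] = "verified" if home in back else "claimed-only"
    return results


# Constructed sample pages (hypothetical domains), so the check runs offline.
HOME = "https://alice.example/"
PAGES = {
    HOME: '<a rel="me" href="https://social.example/@alice">social</a>'
          '<a rel="ME noopener" href="https://code.example/alice/">code</a>'
          '<a rel="me" href="https://video.example/celebrity">video</a>',
    "https://social.example/@alice": '<link rel="me" href="https://ALICE.example">',
    # Back-link exists but lacks rel=me, e.g. pasted into a comment field.
    "https://code.example/alice": '<a rel="nofollow ugc" href="https://alice.example/">x</a>',
    # Someone else's profile: it points at its real owner, not at alice.example.
    "https://video.example/celebrity": '<a rel="me" href="https://celebrity.example/">me</a>',
}

if __name__ == "__main__":
    print(verify_profiles(HOME, PAGES))
```

The one-way claim on video.example and the untagged back-link on code.example both come out as claimed-only, which is the case a site showing a "verified" mark has to reject.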