[HN Gopher] The Future of Online Identity Is Decentralized
       ___________________________________________________________________
        
       The Future of Online Identity Is Decentralized
        
       Author : Yolta
       Score  : 210 points
       Date   : 2020-07-12 14:30 UTC (8 hours ago)
        
 (HTM) web link (yarmo.eu)
 (TXT) w3m dump (yarmo.eu)
        
       | robbrown451 wrote:
       | "As tempting as the alternative is, making these changes will
       | improve your life"
       | 
       | I know most people on HN believe this, or want to believe this,
       | or especially want everyone else to believe this, but I still
       | think the statement needs support. Or at least a qualifier like
       | "in my opinion."
        
       | rasengan wrote:
       | I have always felt identity, including online such as domain
       | names, should be decentralized -- it's too much power for a
       | central authority to dictate who gets (and doesn't get) a name.
       | Further, it's too easy for people to impersonate others online.
       | It even happened at reddit where the CEO masqueraded as users by
       | modifying their comments [1].
       | 
       | Handshake [2] is a great project that helps decentralize online
       | identity. Not only is naming distribution in the hands of the
       | people with Handshake which ends the deplatforming/censorship
       | debacle the world has been facing recently, but also, anything a
       | name does can be verified with signatures verifiable against the
       | blockchain.
       | 
       | [1] https://www.theverge.com/2016/11/23/13739026/reddit-ceo-
       | stev...
       | 
       | [2] https://handshake.org
        
       | tdons wrote:
       | We have this in The Netherlands but it hasn't picked up yet. It's
       | promising though: https://privacybydesign.foundation/irma-
       | explanation/
       | 
       | The system is attribute based and requires an 'authority' to give
       | you the attribute. After that the attribute lives on your phone
       | and you can give it out to organisations or businesses asking
        | for...:
        | 
        |   - your name
        |   - whether you are >= 18
        |   - your address
        |   - etc.
       | 
        | What's great about it is:
        | 
        |   - you can give out minimal information
        |   - no 3rd party/intermediary required after you've received an
        |     attribute
        
         | rat323 wrote:
          | It's a failure because everyone in the Netherlands is stoned
          | and nothing gets done.
         | 
         | Source: I'm Icelandic but have a cousin in NL.
        
       | charlieroth wrote:
       | https://urbit.org/
        
         | jeroenhd wrote:
         | I see that they've updated their website since I last looked at
         | it. They still use some abstract art and meaningless pictures
         | of nature to explain their concepts, but at least the
         | description makes sense now.
         | 
         | Sadly the system cannot be used easily for any applications
         | storing personal information since your identity is tied to a
         | blockchain and the GDPR requires companies to make information
         | deletable.
         | 
          | The reliance on abstract art for trying to make their points
          | come across is still too vague for me to give the project a
          | try, but who knows, maybe in another year or two the project
          | and its concepts will actually be understandable enough for me
          | to give it a shot.
        
           | nanomonkey wrote:
           | Urbit does seem to have an over abundance of weird jargon and
           | glyphs that reinvent existing technologies, it just reeks of
           | techno-alchemy.
           | 
           | As to your second point, I'm curious if any decentralized
           | system will ever allow for full deletion of information once
           | it has been replicated by another client. Any gossip
           | protocol, or decentralized CRDT document system has to take
           | into account that a client will go offline and retain
           | information once it has been released into the wild. Whether
           | or not a request to "delete" or hide that information is
           | followed through with is almost impossible to regulate. It's
           | perhaps more important to realize that what we publish, may
           | always exist out there.
           | 
            | That being said, clients could randomly ask for "tombstoned"
            | information to verify that other clients comply with a delete
            | request, but it will likely always exist somewhere.
        
       | mirimir wrote:
       | > Built for individuals, I recently launched Keyoxide which uses
       | cryptographic keypairs to accomplish decentralized identity
       | verification. While it doesn't (and shouldn't!) link an account
       | to a person in the physical realm, it links accounts across
       | platforms.
       | 
       | I'm glad to see this! Although it seems to be hugged to death
       | right now :( I had been using KeyBase for this, but after the
       | recent sale to Zoom, I've backed away.
        
       | fanf2 wrote:
       | It is tragic that Mozilla killed Persona just when it was
       | starting to take off. Sadly I didn't save the link to a
       | retrospective written by the project lead, in which it was
       | explained that they gave up because it was taking too long. But
       | internet standards aren't like a Megabar that you can foist on
       | everyone within 6 months, they take years.
        
       | weinzierl wrote:
        | _"Built for individuals, I recently launched Keyoxide which uses
       | cryptographic keypairs to accomplish decentralized identity
       | verification."_
       | 
       | So this is about the introduction of a new identity service. From
       | what I get looking into Keyoxide it basically strives to be what
       | Keybase originally intended to be.
       | 
       | From their Keybase migration guide [1]:
       | 
        |  _"Keyoxide as a partial replacement for Keybase
       | 
       | It's important to moderate expectations and state that Keyoxide
       | only replaces the subset of Keybase features that are considered
       | the "core" features: message encryption, signature verification
       | and identity proofs.
       | 
       | Message decryption and signing are not supported features: they
       | would require you to upload your secret key to a website which is
       | a big no-no.
       | 
       | Encrypted chat and cloud storage are not supported features:
       | there are plenty of dedicated alternative services.
       | 
       | If you need any of these Keybase-specific supports, Keyoxide may
       | not be a full Keybase replacement for you but you could still
       | generate a profile and take advantage of distributed identity
       | proofs."_
       | 
       | [1] https://keyoxide.org/guides/migrating-from-keybase
        
         | ocdtrekkie wrote:
         | The key difference is that instead of the Keybase server
         | storing verifications, it looks like they tell you to add the
         | link to the proof directly to your key as a notation.
         | 
         | This means the proof isn't dependent on a central server, which
         | seems like a significant improvement.
        
           | mirimir wrote:
           | Yes, I noticed that too. So yes, I believe that this improves
           | on Keybase. Even without the Zoom fail.
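The check ocdtrekkie describes, written out as an added example (this is my illustration, not Keyoxide's code or anything posted in the thread): the key carries a notation naming the profile, and the profile must name the key's full fingerprint back, so a verifier needs nothing but the key and the page. The notation name `proof@metacode.biz` and the `openpgp4fpr:<fingerprint>` marker are the conventions I recall Keyoxide using; treat them as assumptions. Fetching is injected and the pages, keys and URLs are constructed so it runs offline.

```python
"""Added example (not Keyoxide's code): check a decentralized identity proof
in both directions.  The OpenPGP key carries a notation naming the profile
URL; the profile must name the key's full fingerprint back.  The notation
name "proof@metacode.biz" and the "openpgp4fpr:<fingerprint>" marker are
the conventions used by Keyoxide as I recall them; treat them as assumptions.
Fetching is injected so the example runs offline on constructed pages."""
import re

PROOF_NOTATION = "proof@metacode.biz"           # assumed notation name
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")  # OpenPGP v4 fingerprint, 160 bits
# The marker followed by exactly 40 hex digits and a word boundary, so a
# page containing a longer hex string is not accepted as a prefix match.
CLAIM_RE = re.compile(r"openpgp4fpr:([0-9a-fA-F]{40})\b")


def proof_urls_from_notations(notations):
    """Extract proof URLs from 'name=value' notation strings read off a key."""
    urls = []
    for item in notations:
        name, sep, value = item.partition("=")
        if sep and name.strip() == PROOF_NOTATION:
            urls.append(value.strip())
    return urls


def page_claims_fingerprint(page: str, fingerprint: str) -> bool:
    """True if the page names this exact key, case-insensitively."""
    fpr = fingerprint.replace(" ", "").upper()
    if not FINGERPRINT_RE.match(fpr):
        raise ValueError("fingerprint must be 40 hex digits")
    return any(m.group(1).upper() == fpr for m in CLAIM_RE.finditer(page))


def verify_proofs(fingerprint: str, notations, fetch):
    """Map each proof URL to a verdict.  fetch(url) -> page text or None."""
    verdicts = {}
    for url in proof_urls_from_notations(notations):
        if not url.startswith("https://"):
            verdicts[url] = "rejected: proof must be served over https"
            continue
        page = fetch(url)
        if page is None:
            verdicts[url] = "unreachable"
        elif page_claims_fingerprint(page, fingerprint):
            verdicts[url] = "verified"
        else:
            verdicts[url] = "no matching claim on page"
    return verdicts


# Constructed sample data (not real keys, profiles or pages).
ALICE_FPR = "ABCD" * 10
OTHER_FPR = "0123" * 10
PAGES = {
    "https://social.example/@alice": "bio: openpgp4fpr:" + ALICE_FPR.lower(),
    "https://social.example/@mallory": "openpgp4fpr:" + OTHER_FPR,  # someone else's key
    "https://code.example/alice": "no proof here",
}
ALICE_NOTATIONS = [
    "proof@metacode.biz=https://social.example/@alice",
    "proof@metacode.biz=https://social.example/@mallory",
    "proof@metacode.biz=https://code.example/alice",
    "proof@metacode.biz=http://plain.example/alice",
    "proof@metacode.biz=https://gone.example/alice",
    "other@example.org=ignored",
]


def demo():
    """Run the verifier over the constructed key notations and pages."""
    return verify_proofs(ALICE_FPR, ALICE_NOTATIONS, PAGES.get)


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:40s} {url}")
```

The mallory case is the one that matters: Alice's key claiming a profile proves nothing on its own, because anyone can write a notation pointing at anyone's page; only the page naming the full fingerprint back closes the loop, and a prefix or truncated match must not count.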
        
       | vmception wrote:
       | in before everyone shills their unnecessarily tokenized identity
       | cryptocurrency that nobody ever used and never ever will
        
         | smt88 wrote:
         | I 100% agree with you, but generally I find "in before..."
         | comments to be unhelpful at best and harmful to the discussion
         | at worst. In the latter case, it's typically because it's not
         | only attacking on a straw man, it's actually announcing, "Hey,
         | I'm creating a straw man!" at the beginning of the comment.
         | 
         | If you do want to head off the crypto founders before they show
         | up, perhaps you could write a comment along the lines of, "In
         | case anyone is wondering, here are the reasons
         | cryptocurrency/identity makes no sense when solving this
         | problem..."
        
           | vmception wrote:
           | or
           | 
           | "I predict from prior experience that a bunch of
           | cryptocurrency identity bagholders from 2017 will show up to
           | shill their useless project not realizing it will never catch
           | on and that product's adoption will never buoy their bags
           | even if it did catch on"
        
       | upofadown wrote:
        | Your identity is going to come down to knowledge of the private
        | key from some sort of public key system. Why not just standardize
        | that?
       | 
       | An excellent example of something perversely non-standardized for
       | identities can be found in messaging. Signal, Matrix, Whatsapp
       | and OMEMO are even supposedly based on the same protocol. In
        | terms of identity they are all complete silos. All the things you
        | establish about an identity on one system are completely unusable
        | on another.
       | 
       | Creating systems to kludge this mess together seems to be a way
       | of avoiding the root problem here...
        
         | supertrope wrote:
         | What happens when the private key is lost? We can either have
         | certificate authorities issue you a new one, or you would need
         | to approach your peers and have e.g. three of them confirm that
         | you've changed keys.
        
           | nanomonkey wrote:
           | One could also use Shamir's Secret Sharing algorithm to have
           | a number of your peers hold your secret key without them
           | being able to access it. When you've lost the key, you have a
           | subset of the peers reproduce it for you, by sharing their
           | portion of the secret. Cryptography is pretty great.
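The scheme nanomonkey describes, as an added example that is not part of the thread or of any project mentioned in it: Shamir secret sharing over a prime field, standard library only. The secret is the constant term of a random polynomial, each peer gets one point on it, and any threshold-sized subset interpolates the constant back; fewer points leave every candidate secret equally likely. The 32-byte key, the 3-of-5 parameters and the prime are my choices.

```python
"""Added example (not from the thread or any project): Shamir secret sharing
over GF(p), as a way to let peers hold pieces of an identity private key
without any one of them learning it.  Standard library only."""
import secrets

# Field prime: the Mersenne prime 2^521 - 1.  Any secret shorter than
# 65 bytes (e.g. a 32-byte Ed25519 seed) encodes as an integer below it.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x^k mod p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret: bytes, threshold: int, shares: int, p=PRIME):
    """Split `secret` into `shares` points; any `threshold` of them recover it.

    Returns a list of (x, y) pairs.  The constant term of a random degree
    threshold-1 polynomial is the secret; fewer than `threshold` points leave
    every candidate secret equally likely.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= p:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, shares + 1)]


def recover_secret(shares, secret_len: int, p=PRIME) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given points.

    The math cannot tell a wrong or insufficient share set from a right
    one, so the result should be checked (e.g. derive the public key and
    compare it to the one the identity is known by) before it is used.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p          # product of (0 - x_j)
                den = den * (xi - xj) % p      # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, p)) % p
    if total >> (8 * secret_len):
        # A polynomial through the wrong point set almost always lands on
        # a huge field element; treat that as a failed recovery.
        raise ValueError("recovered value does not fit: wrong or too few shares")
    return total.to_bytes(secret_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # stand-in for an identity private key
    pieces = split_secret(key, threshold=3, shares=5)
    assert recover_secret(pieces[1:4], 32) == key
    print("3 of 5 peers recovered the key")
```

Two caveats a practitioner would add to the comment: the shares are bare field elements with no integrity, so a peer who hands back a wrong share makes recovery fail (or, if the value happens to fit, return a wrong key) without any signal from the math itself; always confirm the recovered key against the known public key. And "without them being able to access it" holds only below the threshold: any threshold-sized group of peers can reconstruct the key together, which is exactly upofadown's point above about an identity that someone else can get back for you.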
        
           | mirimir wrote:
           | Yeah, that is a huge problem. Most people just don't do well
           | at managing keys and credentials. As much as I hate Signal's
           | phone number requirement, I appreciate the reason for it.
        
           | upofadown wrote:
           | Then you have lost that particular identity and would have to
           | start over with a new one for that particular aspect of your
           | online life. If you lose it and can get it back somehow then
           | it wasn't really yours in the first place.
           | 
           | You can have as many passphrase protected backups of your
           | identity in as many places as you like so in practice the
           | more likely issue would be where someone else gets access to
           | your private key. So that means some sort of revocation
           | contingency.
        
         | johnmarcus wrote:
          | Keybase kludges it together, and yet still, no one seems to
          | care or use it.
        
       | ThePhysicist wrote:
       | There's the "European" ID4Me project (https://id4me.org/), which
       | tries to add federation on top of OpenID Connect / OAuth2. The
       | idea is to give users globally valid IDs that contain a domain
       | name. Using a TXT record on that domain you then specify which
       | OpenID auth provider a service should use to authenticate the
       | user. If you have your own domain this enables you to switch ID
       | providers without having to update your accounts.
       | 
       | In general I like the idea but since it's a EU-style project I
       | don't expect it to go anywhere to be honest. And personally I
       | don't think the benefit over e-mail based authentication is
       | marginal. That said there are some extensions in OpenID Connect
       | that can achieve something similar, and that (IMHO) are more
       | likely to actually get widely adopted.
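The discovery step ThePhysicist describes (a TXT record under the user's domain naming the OpenID provider), as an added example in Python that is my illustration and not ID4me project code. The record syntax `v=OID1;iss=<authority host>;clp=<agent host>` is how I recall the ID4me specification; treat it as an assumption. The DNS lookup is injected and the zone data is constructed, so it runs offline; the security-relevant part is what the relying party refuses to accept.

```python
"""Added example (not ID4me project code): resolve an ID4me-style identifier
to its OpenID Provider from a TXT record at _openid.<identifier>.
The record syntax "v=OID1;iss=<authority host>;clp=<agent host>" is how I
recall the ID4me spec; treat it as an assumption.  DNS lookup is injected
so this runs offline against constructed zone data."""
import re

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_hostname(host: str) -> bool:
    """Bare DNS hostname: labels only, no scheme, port, path or trailing dot."""
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.match(label) for label in host.split("."))


def parse_id4me_record(txt: str) -> dict:
    """Parse one TXT string; reject anything that is not a clean OID1 record."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not sep or key in fields:
            raise ValueError(f"malformed or duplicate field: {part!r}")
        fields[key] = value.strip()
    if fields.get("v") != "OID1":
        raise ValueError("missing or unsupported version")
    for key in ("iss", "clp"):
        if not is_hostname(fields.get(key, "").lower()):
            raise ValueError(f"{key} must be a bare hostname, got {fields.get(key)!r}")
    return {"iss": fields["iss"].lower(), "clp": fields["clp"].lower()}


def discover_provider(identifier: str, resolve_txt) -> str:
    """Return the OIDC discovery URL of the authority the domain owner named.

    resolve_txt(name) -> list of TXT strings.  Exactly one OID1 record is
    accepted: with several (a stale record left behind after switching
    providers, or one an attacker managed to add) the relying party would
    otherwise be choosing the issuer by luck.
    """
    name = "_openid." + identifier.lower().rstrip(".")
    records = [r for r in resolve_txt(name) if r.lower().startswith("v=oid1")]
    if len(records) != 1:
        raise ValueError(f"expected one ID4me record at {name}, found {len(records)}")
    authority = parse_id4me_record(records[0])["iss"]
    # Only https: the relying party must not learn the provider's endpoints
    # from a document an on-path attacker can rewrite.
    return f"https://{authority}/.well-known/openid-configuration"


# Constructed zone data, not real domains.
ZONE = {
    "_openid.alice.example.net": ["v=OID1;iss=id.authority-a.example;clp=agent.example",
                                  "unrelated txt record"],
    "_openid.bob.example.net": ["v=OID1;iss=https://evil.example/x;clp=agent.example"],
    "_openid.carol.example.net": ["v=OID1;iss=id.authority-a.example;clp=agent.example",
                                  "v=OID1;iss=id.authority-b.example;clp=agent.example"],
}


def lookup(name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(name, [])


if __name__ == "__main__":
    print(discover_provider("alice.example.net", lookup))
```

Switching providers is then a DNS edit on the user's side, which is the benefit the comment points at; the flip side is that whoever controls that record (registrar account, DNS host, or an attacker with a spoofed answer on a zone without DNSSEC) controls who may assert the user's identity, so the relying party should resolve with DNSSEC validation where it can and must never accept an issuer that is anything other than a bare hostname it will contact over https.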
        
         | rendaw wrote:
         | What does federation bring here? Aren't OpenID identities
         | already collision free?
         | 
         | I'd love to have SSO under my own control, and while it was
         | theoretically possible with OpenID 2 things have gone backwards
         | with OIDC with everyone supporting it but restricting login to
         | just the big names (Google, Facebook, Apple).
         | 
         | I put together a simple stateless OID2/OIDC identity provider:
         | https://gitlab.com/rendaw/oidle but I have yet to find a
         | website I can actually use it on. I still have hope though.
        
           | djsumdog wrote:
            | I had a classic OpenID server and every website I used to
            | authenticate against using it has gotten rid of OpenID
            | support. Stackoverflow was the big one. I haven't tried
            | OpenID Connect yet.
           | 
           | https://battlepenguin.com/tech/the-decline-of-openid/
        
             | rendaw wrote:
             | By the way I wanted to say I read that blog post a bunch of
             | times while trying to put together that software!
             | OpenStreetMap and GnuSocial may really be everything on the
             | internet now.
             | 
             | I'd almost sign up for a website at this point just to get
             | a chance to use my OID provider...
        
         | djsumdog wrote:
         | New Zealand had a program called Real Me. It's based on a
         | completely and totally broken SAML2 implementation, that only
         | gives you back a single token, and then you have to query
         | another web service to get more information. Oh and years ago
         | when we had to implement a product using it, their Identity
         | Providers would give us different responses randomly ... and it
         | once went down for two weeks straight.
        
       | mirimir wrote:
       | > On today's internet, the best we can do is make fully separated
       | accounts, link them using technologies like decentralized online
       | identity proofs and create our own online personas, with our own
       | open tools that ensure we maintain ownership over them.
       | 
       | That's for sure how I see it :) It gives everyone the choice of
       | what mix of real names and ~anonymous personas to use, and how to
       | link them.
        
       | cs02rm0 wrote:
       | Feels like you'd have to lean significantly away from
       | anonymisation to want to leave public proofs of cross account
       | identities lying around. Maybe that's a more common use case for
       | businesses and high profile people though than wanting to link,
       | say, a pseudo-anonymous forum account with a payment account.
        
       | mirimir wrote:
       | I've been advocating online ~anonymity for many years, and
       | exploring relevant methods. But I also can't ignore the
       | downsides, particularly the role of authentication.
       | 
       | I'll have more to say here. But for now, I'll just invite any who
       | are interested in further discussion to a Podaero group:
       | https://podaero.com/dashboard with invite code "44e5576d".
        
       | Kapura wrote:
       | I think one of the great parts of the internet is that it
       | promotes this identity decentralisation (or, as i have always
       | thought about it, identity fragmentation). You are allowed to
       | isolate online identity from the rest of your life, or from
       | separate online accounts/personae.
       | 
       | Which is why I am confused as to why the author spent so much
       | time worrying about verifying identity. To me, that feels like
       | it's completely missing the point of fragmenting your online
       | experience. Is the author simply concerned with the amount of
       | power associated with their google login?
        
       | Steven-Clarke wrote:
       | https://www.hyperledger.org/use/hyperledger-indy
        
       | jeroenhd wrote:
       | Reading the comments, I learned that OpenID is not centralised
       | but rather provides federation support. I wish I'd known about
       | this sooner before it died, because it would've been fun to try
       | and use.
       | 
       | I'm sure decentralized authentication won't come on commercial
       | platforms though. Maybe some developer-centric services will add
       | support once the Next Big Thing in authentication and
       | authorization comes along, but companies want to keep as much of
       | their account system under their control as possible. It might be
       | because of data mining, it might be because of bot prevention, it
       | might be because of fear of trusting external providers, but I
       | just don't see any reason why companies would accept such an
       | authentication system.
       | 
       | The closest thing I can see happening is a federated
       | authentication platform like the EU is implementing with EIDAS.
       | Authentication with your home government for EU-wide services,
       | tied to your ID card. I don't think something like that will be
       | implemented for much more than government institutions and
       | banking, despite the idea having been proven to work.
       | 
       | Simply put, as long as it doesn't make business sense to trust
       | another provider, businesses won't offer any decentralized
       | authentication methods.
        
       | Fiahil wrote:
       | A post on decentralized identity without talking about the
       | Decentralized Identity Foundation (https://identity.foundation/),
       | right there on the first page when you type "decentralized" and
       | "identity" in Google?
        
         | mirimir wrote:
         | Huh. Do they do more than establish standards?
        
       | kory wrote:
       | If anything, my bet is the future of identity is more
       | centralized.
       | 
       | Decentralized solutions, as I've read about them in their current
       | form, require a significant amount of technical knowledge to
       | understand. That is, to understand both what they are and, more
       | importantly, their benefits ("why does this specific solution
       | matter to me?"). Past that, the user experience is extremely poor
       | in comparison to clicking "log in with Google", and I'm not
       | convinced it can ever fully get there.
       | 
       | It is for those reasons that I think centralized identity is here
       | to stay long term. Most people aren't going to spend the time to
       | learn about this because they just want the easiest solution and
       | don't care about their data being sold. I know several people in
       | tech that fully understand the extent of how their data is used
       | by internet corps, and don't mind it because they prefer
       | convenience for free. And I think that's OK--it's their informed
       | choice.
       | 
       | Personally, I try to login with email most of the time, and
       | that's the limit of my drive to care about the security of my
       | personal data. But my email is gmail, so I doubt it really makes
       | a difference from login with Google.
        
         | djhaskin987 wrote:
         | In the US, everyone uses credit cards (centralized identity) to
         | pay for stuff.
         | 
         | In Mexico, credit cards are stolen and reamed for all they're
         | worth by criminals. As a result, everyone uses cash
         | (decentralized, anonymous, difficult to use). Everyone could
         | move to decentralized in the face of significant pressure, even
         | if centralized identity is more convenient.
        
           | [deleted]
        
           | kory wrote:
           | All central authorities are built on trust, fear, or
           | complacency. Americans are complacent with the credit card
           | system and trust it for the most part. The Experian breach
           | has shown that breaches of trust are easily overlooked in
           | favor of complacency, at least to a point.
           | 
           | Considering how Americans view other Americans (I hear
           | "stupid" thrown around a lot), I strongly doubt that a
           | decentralized authority would ever gain enough trust in the
           | US to take hold today without a strong historical precedent.
           | 
           | For what it's worth, cash is still centralized. It's made
           | "legitimate" by the power of the central government, and is
           | managed & controlled by that authority. Given, it is somewhat
           | "decentralized" because the value of fiat money comes from
           | the people's agreement that the currency has value. On the
           | other hand, the US dollar's global hegemony exists in large
           | part because of global US Military presence, which is
           | absolutely a "central authority".
        
             | maccard wrote:
             | > The Experian breach has shown that breaches of trust are
             | easily overlooked in favor of complacency, at least to a
             | point.
             | 
             | I disagree that it matters for trust in CC's. It may have
             | damaged experians reputation, but people still trust
             | amex/MasterCard/visa and their banks, despite Experian
             | being useless. The fact that Experian is required to access
             | those systems is unfortunate, but most people don't deal
             | with Experian directly.
             | 
             | I think people's day-to-day trust in banks is well placed,
             | for what it's worth. I banked with a large bank that fell
             | in 2008, and had less than 10,000 in my bank. My money
             | wasn't affected, I just had to find a new provider.
             | 
                | I've had multiple incidents of fraudulent transactions on
                | debit and credit cards over the last 15 years, and in
                | _every_ instance, my card provider has sided with me and
                | refunded me the money immediately (even in the one case I
                | was actually wrong and it was a billing mistake). Those
                | amounts were almost always in the few hundreds.
        
               | asciident wrote:
               | Considering that the data breach was actually at a
               | completely different company than the one this thread
               | named leads me to believe that the reputation damage is
               | not as significant as you suggest.
        
             | twitch-chat wrote:
             | It's unfair to say we still use credit because we are
             | complacent. If you stop caring about building a credit
             | score, you will end up paying more money in things like
             | mortgages or car loans. There is a financial incentive to
             | use credit cards (if you don't miss payments) despite the
             | breach of trust.
        
               | kory wrote:
               | I didn't say it's just complacency that keeps the credit
               | system going. Low friction purchasing (complacency)
               | absolutely plays a strong role. Trust is important, too
               | (but is less strong than complacency) because the system
               | wouldn't be used at all without it, and, to your point,
               | fear absolutely plays a role as well.
        
           | mirimir wrote:
           | In the US, liability for fraudulent credit card use is
           | limited to $50. No matter how much was charged.
        
           | theamk wrote:
           | Bad example. In Australia, everyone was using credit cards..
           | but they have PIN code + chip.
           | 
           | If a centralized system is not inept, it can do all the same
           | things decentralized things do and better.
        
             | djhaskin987 wrote:
             | PIN codes and chips are used in the US as well, but I doubt
             | a PIN and better encryption would help you[1].
             | 
             | 1: https://xkcd.com/538/
        
               | ohmaigad wrote:
               | Then with cash it is even easier as it doesn't leave any
               | digital trace.
        
           | johnmarcus wrote:
           | Yes, I suppose if we moved to becoming a lawless society
           | fuelled by drug lords....then yes, I can see how the hoops
           | could be worth it.
        
         | fwip wrote:
         | Beaker Browser is getting close to solving it.
         | 
         | When you visit a website that works with it, to login, you just
         | grant the webpage access to one of your profiles. (I just use
         | one profile for everything, but you may wish to keep some
         | things separate). Then any activity you do can be associated
         | with that profile. No passwords or keys or even email addresses
         | to remember.
        
         | hunter-gatherer wrote:
         | As much as I'd like to see a decentralized solution, I agree
         | with you. I just spent 30 minutes helping my mom (age 60) and
         | brother (36) set up a microsoft family account so they can
         | dictate and monitor my nephews computer usage because [nephews]
         | are addicts.
         | 
         | I didn't even know Microsoft family was a thing, but setting it
         | up and configuring it (from my perspective), was intuitive and
          | simple. My mother and brother however struggled to follow
          | along, and are stressed that they won't be able to manage it.
         | 
         | Most users (even my spouse who is in her late 20's) readily
         | fall into this category. My point is that if configuration
         | requires any troubleshooting it won't reach mass adoption
         | unless it addresses a perceived necessity without an
         | alternative approach.
        
         | edoceo wrote:
         | Couldn't the UX just be improved and deliver the benefit while
         | hiding the complexity?
        
           | api wrote:
           | Yes, but that requires an economic model. UX is often well
           | over 90% of the work for a product and usually includes a ton
           | of work that is not much fun and people have to be paid to
           | do.
           | 
           | Centralized has subscriptions, advertising, and "surveillance
           | capitalism." Decentralized has nothing. I had some hope that
           | cryptocurrency would provide some kind of mechanism, but
           | cryptocurrency was taken over and destroyed by scammers and
           | bad money drives out good.
           | 
           | The lack of an economic model is IMHO why decentralized
           | solutions have not succeeded, not technical challenges.
           | 
           | One possibility would be to abandon the free as in beer part
           | of open source ideology and go back to just charging for
           | software, but licensing and payment add friction and it's
           | very hard to compete with "free" options funded
           | surreptitiously via surveillance.
           | 
           | BTW the fact that cryptocurrency was destroyed by scammers
           | and criminals highlights a second huge issue: it seems to
           | take the efficiency, executive ability, coordination, and
           | direct human guidance of a centralized system to resist bad
           | actors. This is why even the most democratic countries have
           | mechanisms to phase shift into dictatorships during emergency
           | or war. I have yet to see a decentralized system that became
           | popular and was not instantly destroyed by black hats.
        
             | EGreg wrote:
             | _The lack of an economic model is IMHO why decentralized
             | solutions have not succeeded, not technical challenges._
             | 
             | You're right. This lack needs to be addressed for us to
             | progress.
             | 
             | How about this model? Would like feedback:
             | https://qbix.com/token
        
           | kory wrote:
           | The UX isn't the most looming problem, but it's one that
           | needs to be solved. My question is: How in the world would
           | you convince people to use keys to verify their accounts to
           | one unique, anonymous, identity, as the OP suggests? I just
           | don't see it being something people would spend the time to
           | do. Not to mention, getting to a "Login with Google" level of
           | UX, available as universally as "Login with Google", would be
           | extremely hard without a centralized authority.
           | 
           | The bigger problem is convincing people that it's worth
           | switching. Apple is the closest to doing this with "sign in
           | with Apple". "Sign in with Apple" hides your identity from
           | the client site, the value prop is clear for the user, and
           | the process as close to frictionless as possible. But the
           | solution is still "centralized". Apple stores all of the
           | information to make the system as frictionless as it is.
        
           | summerlight wrote:
           | It's more about a fundamental design trade-off rather than
           | removing accidental complexity coming from UX. Currently,
           | most of us delegate the responsibility of identity management
           | (other than memorizing id and password) to one of big-techs,
           | presumably much better at this area than 99% of us. In the
           | fully decentralized world, the burden of proof is now up to
           | users. And they usually don't really care about the best
           | practice for security, privacy and reliability. Technology
           | may improve over time so the equation will get better, but I
           | don't expect this dynamic to change that much.
        
             | christophclarke wrote:
             | On the other hand, however, the outcomes of a breach are
             | vastly different. An individual who fails to secure their
             | information is liable for only their information. If a
             | "big-tech" is compromised, they are liable for everyone's
             | information.
             | 
             | If users are still unwilling to run their own infra, then
             | that seems like a great opportunity for Identity as a
             | Service. I'd feel much more comfortable handing identity to
             | a firm whose entire business model revolves around securing
             | my information and protecting my privacy rather than a big-
             | tech.
        
               | tudorconstantin wrote:
               | "I'd feel much more comfortable handing identity to a
               | firm whose entire business model revolves around securing
               | my information and protecting my privacy rather than a
               | big-tech." - in order for that company to be rock solid,
               | trusted by most of the world and with a proven track
               | record of top notch security, would mean that the said
               | company is a big-tech.
               | 
                | I would call Okta, Auth0 and iWelcome big-tech already,
                | even if they're not FAANG-level big tech yet.
        
             | kory wrote:
             | This is a great point that I hadn't thought of. Well said.
             | 
             | I'd rather, as a company, risk managing all of my users'
             | identities (vulnerability to a data breach, mitigated by a
             | well-trained security team) than trust my users to manage
             | their own security well and inevitably deal with a mass
             | amount of compromised accounts.
             | 
             | As a user, especially if I'm not technical, I'd have a
             | strong bias towards handing my identity to a team that's
             | spent years studying computer security. Managing my own
             | identity would involve learning a lot about computer
              | security. That would take a lot of time and I'd _really_
              | have to care about it to do it "right". Regardless, I'd
             | likely get a lot of things wrong, leading to my identity
             | being more insecure than if I had just stored it with
             | someone like Apple.
        
         | sascha_sl wrote:
         | All people still somewhat understand is federated identity, and
         | that's becoming less prevalent.
         | 
          | Through a weird set of coincidences I often get support tickets
          | about people using or enrolling in TOTP escalated to me. These
          | people have never used an authenticator, except for the
          | company-mandated Microsoft authenticator. Not only do they
          | simplify the concept, thinking there's just one code for
          | everything (e.g. Microsoft tokens are used for AWS; don't worry,
          | these people only have access to some S3 stuff), they also
          | extrapolate that because Microsoft sends them a push
          | notification, AWS must too, and they didn't get one, so it's
         | obviously broken.
         | 
         | Email is slowly losing this awareness too. The only remaining
         | analogy that's probably not going away is getting your credit
         | card from a bank while they still work on the same network.
        
         | ryukafalz wrote:
         | I dunno, I think the UX for decentralized identity could be
         | made pretty good. The GNUnet project has one that runs locally
         | but exposes itself with an OIDC interface:
         | https://reclaim.gnunet.org/
         | 
         | It's still pretty early, but imagine a more polished version of
         | that with a user-friendly installer. If you had the software
         | installed and running, it'd behave pretty similarly to e.g.
         | Google's OIDC provider. Linux distros could even preinstall it.
         | (I have no hope that MS/Apple/Google would do the same since
         | they all have their own centralized providers.)
        
           | kory wrote:
           | That's so so many steps and requires knowledge of so many
           | things. It has the big two fundamental problems, and a major
           | third one:
           | 
           | * Its value prop is poorly explained. As an engineer with a
           | CS degree, I still barely understand what it's talking about
           | (what's an "identity attribute"??) without some digging.
           | 
           | * Even if the value prop was well-explained, it's still very
           | high friction compared to "Sign in with <Service I Already
           | Use>". Why would a user download an installer and deal with
           | managing all of their accounts? There's a secure, anonymous,
           | easy, centralized option that does it all for you (Sign in
           | with Apple). That service does it so well that you only have
           | to click a button to log in or sign up. Nothing else
           | required. That isn't achievable without a central authority
           | managing everything for you.
           | 
           | * (this is the big one) Your local machine is a major point
           | of failure. If you lose your local machine and haven't backed
           | up your accounts, you just lose access, right? The only
           | solution is either set up a server with periodic backup (too
           | much friction for regular users) or a centralized authority
           | that stores them for you, which defeats the purpose of all of
           | this.
           | 
           | This project, to me, falls into the "cool technical stuff
           | category". It's obviously built for "geeks" (lack of a better
           | term) and not for people. That's why centralized tech co's
           | will probably always do this better than open source. They
           | are customer focused just as much as technology focused.
           | 
           | Unmonetized open source projects tend to focus more on
           | technology than user experience. That's why you see regular
           | people using monetized software and developers using open
           | source to build monetized software.
        
             | ryukafalz wrote:
             | >As an engineer with a CS degree, I still barely understand
             | what it's talking about (what's an "identity attribute"??)
             | without some digging.
             | 
             | It's not really ready to be used widely at this point.
             | Given that, the fact that the documentation is currently
             | more oriented towards developers working on identity
             | software is fine, I think.
             | 
             | >Even if the value prop was well-explained, it's still very
             | high friction compared to "Sign in with <Service I Already
             | Use>". Why would a user download an installer and deal with
             | managing all of their accounts? There's a secure,
             | anonymous, easy, centralized option that does it all for
             | you (Sign in with Apple). That service does it so well that
             | you only have to click a button to log in or sign up.
             | Nothing else required. That isn't achievable without a
             | central authority managing everything for you.
             | 
             | Sure, installing software is higher-friction than using a
             | centralized service, but it's not _that_ much higher
              | friction. It's not like people don't install software all
             | the time. (And again, this is something that could easily
             | be preinstalled by your OS vendor of choice, which would
             | make the experience very similar to the centralized
             | providers'.)
             | 
             | >Your local machine is a major point of failure. If you
             | lose your local machine and haven't backed up your
             | accounts, you just lose access, right? The only solution is
             | either set up a server with periodic backup (too much
             | friction for regular users) or a centralized authority that
             | stores them for you, which defeats the purpose of all of
             | this.
             | 
             | Yes, this is a big one. No, I don't think those are the
             | only two options. You could sync them between devices if
             | you have more than one (phone/laptop?), you could store
             | them on a user-specified data storage location (think MIT's
             | Solid), etc. I acknowledge that it's a problem, but I think
             | it's a tractable one.
             | 
             | >This project, to me, falls into the "cool technical stuff
             | category". It's obviously built for "geeks" (lack of a
             | better term) and not for people.
             | 
             | I think you're looking at the project as it is, and not as
             | it could be.
        
         | EGreg wrote:
         | So since you have one identifier, companies can track you
         | across all domains.
         | 
         | They can find out if you are a user of sex.com or
         | dangerouspoliticalopinions.com
         | 
         | They can do this by trying to register an account with your
         | email address, and being told it was already registered.
         | 
         | Here is a tool that allows anyone to do it:
         | 
         | https://www.quora.com/Is-there-a-way-to-know-which-all-sites...
         | 
         | https://brandyourself.com/blog/privacy/find-all-accounts-lin...
        
           | kortilla wrote:
           | Everyone? Unless the sites publish a list of logins for
           | everyone to read the only one with that knowledge would be
           | the identity provider.
        
             | EGreg wrote:
             | Not at all. See above.
        
           | mirimir wrote:
           | Yes, exactly. Attempts to register with an email that's
           | already used will fail, and so adversaries check whatever
           | sites interest them.
           | 
           | However, I believe that would fail for those using Google or
           | Facebook authentication. But I can't test that, given that I
           | don't have an account with either.
        
       | brentis wrote:
        | Agree. It is decentralized. You need to be able to maintain your
        | identity as a currency whereby you get compensated for access to
        | it vs. others who get to monetize your persona. Google, LinkedIn,
       | FB all do this. If you grant specific rights you maintain your
       | identity and get compensated directly for a business to gain
       | access to market, contact, or interact with you.
        
       | vasilakisfil wrote:
       | The future of online identity is indeed decentralized and not
       | distributed, meaning that users will always have some super nodes
       | to handle their identity on behalf of them. In my opinion
       | Facebook/Twitter/etc are not identity providers, they are silos.
        | Sure they are very successful ones and can even be used as identity
       | providers at some places, but as long as they don't open up they
       | can easily die anytime.
       | 
        | The author suggests services built on top of these silos that
        | provide proofs of connection between all the identities. I
        | welcome such initiatives, but I doubt they will lead anywhere,
       | cause they are built on top of silos. And a silo, as soon as it
       | figures out it loses money, it will cut down that connection.
       | 
       | What won't die is decentralized published standards and protocols
       | that handle the Identity management through the internet.
       | Starting from plain DNS, we can get AoR for SMTP, SIP, XMPP and
       | on top of that we have frameworks that facilitate the identity
        | management like OAuth2, OpenID etc. All open and standardized. We
       | are getting there, we just need some more time I guess.
       | 
        | That's why I always thought that Google, who owns email, has
        | much more value than Facebook, which asks for your email. If
       | facebook dies, you lose one aspect of your digital social part.
       | If you lose your email though, you almost lose your online
       | identity. I really can't get how Zuckerberg has missed that.
        
         | sksksk wrote:
          | They did offer @facebook emails once, and it would integrate
         | with your messages app.
         | 
         | It didn't really take off though, and I guess was quietly
         | withdrawn.
         | 
         | https://techcrunch.com/2010/11/15/facebook-messaging/
        
           | vasilakisfil wrote:
           | yeah I remember that but it was never really pushed forward
           | properly
        
       | mikedilger wrote:
        | Identifier systems will always be distributed in that even in a
       | world where it is entirely centralized, someone can create
       | another one. Now it's distributed. The power is in your hands.
        
       | ChrisMarshallNY wrote:
       | I hardly ever use any OAuth logins. I use my GH login in a couple
       | of places, but I usually create an email/site-specific ID.
       | 1Password is a nice tool.
       | 
       | That said, the last couple of years, I have gone to great lengths
       | to create a "digital personal brand," which is deliberately
       | designed to help people find me, and tie all of my digital
       | artifacts together.
       | 
       | I think that OAuth logins actually work against that. I want to
       | leave "pointers" all over the place, that point to each other in
       | a public manner. OAuth logins "bury" these pointers, so only
       | "gatekeepers" can see the information.
       | 
       | It definitely means that I have to be a lot more careful, these
       | days, than I used to be, in choosing what I write or expose
       | online, but I don't feel it's too difficult. I like to think that
       | I live a lifestyle that has very little to hide.
       | 
       | I was reading about that Fox writer that just committed career
       | _seppuku_. I think that is a visceral example, showing that we
        | can't trust the old cloak of anonymity to hide our trail, so it
       | might not be a bad idea to, as Twain said, "live that when we
       | come to die, even the undertaker will be sorry."
       | 
       | It's part of a strategy that seems to be working.
       | 
       | Works for me. YMMV
        
       | EGreg wrote:
       | Working on something like this:
       | 
       | https://github.com/Qbix/auth
       | 
       | The DID spec has been the one big success so far, but
       | implementations matter. Our implementation has been open sourced,
        | and is compatible with OAuth and other specs like DID:
       | 
       | https://github.com/Qbix/Platform
        
       | uniqueid wrote:
       | In my ideal world, we have a framework for brick-and-mortar
       | businesses to act as internet notary service providers.
       | 
       | If you want a general-purpose open-id style account, you visit a
       | notary, and provide them with a fee and proof of your identity.
       | You tell the notary how much information they can share (in
       | particular, whether they can release your name to the internet,
       | or just the "we verified this account is held by a real person"
       | boolean).
       | 
       | The protocol would cover much more than passport info though. You
       | could have a notary vouch that you're a licensed driver, or have
       | a college degree, visited a certain country, etc.
       | 
       | That might cut through some flavors of online nonsense. It would
       | also allow people to stay pseudonymous, and yet enable law
       | enforcement to subpoena their identity, if they go on a killing
       | spree, or hack a few million dollars worth of bitcoin.
        
         | horizin wrote:
         | It's possible to enable this setup using verifiable credentials
         | - an emerging W3C standard for creating and sharing
         | "attestations" about a person.
         | 
         | https://www.w3.org/TR/vc-data-model/
        
           | uniqueid wrote:
           | Holy mackerel! Thank you :) I've been thinking about this
           | issue for weeks. This standard looks very relevant!
        
         | orf wrote:
         | > You could have a notary vouch that you're a licensed driver,
         | or have a college degree, visited a certain country, etc.
         | 
          | Humans, generally, are very bad at catching document fraud. It
         | wouldn't be a vouch for a licensed driver but instead it would
         | be a vouch for "a bit of plastic that looked like a driving
         | license to me".
         | 
         | There is lots of sophisticated fraud and often automated
         | solutions have a much higher rate of detection than your
         | average person, even with some training against common attacks.
        
           | packet_nerd wrote:
           | Maybe have the DMV be the notary for driver's licenses?
        
           | supertrope wrote:
           | Certificate authorities with brick and mortar locations would
           | be an improvement over the current USA situation of SSN+DOB
            | as master password to all IRL accounts. Checking a driver's
           | license IRL is better than looking at an uploaded scan or
           | photo. They could use those box scanners casinos use.
           | 
           | The main issue is minimizing cost. Dot com companies and
           | banks don't want to pay for this so they peg online
           | identities and account security to SMS effectively pushing
           | off the problem to cellular companies. Cellular companies
           | lack the competence to handle IAM. Opening a branch in every
           | city is very expensive and companies don't want to even pay
           | ~$10 for an offshore script reader to check a SMS code and
           | verify "public information" off a credit report.
           | 
           | Credit card companies that are already liable for fraud
           | usually settle for SSN+DOB, ID scans and aforementioned
           | Equifax data verification because fraud losses are cheaper
           | than in person due diligence.
        
           | uniqueid wrote:
           | Absolutely! It would be far from perfect, and, but for the
           | worst-case scenario that the internet currently embodies, not
           | worth pursuing. But there's _so_ much room for improvement
           | today. Just placing a barrier against sock puppet accounts
           | would already be a huge win.
        
         | yunruse wrote:
         | It would create a small financial (and convenience) pressure to
         | use one identity. Careful design would be needed to ensure that
         | multiple identities are encouraged and accepted.
        
           | supertrope wrote:
           | There is enormous pressure to converge on one identity. IAM
           | has huge network effects. On-boarding customers is an expense
           | so businesses and governments rely heavily on existing rails
           | like email, SSN+DOB, Facebook, SMS, etc. If you don't want to
           | surrender SSN or your whole Facebook profile your only option
           | is to reject the service entirely.
        
             | mirimir wrote:
             | Facebook accounts are available for $1-$10, payable in
             | cryptocurrencies.
        
         | rendaw wrote:
         | It could also make things like online voting (like, for winners
         | in a contest or features in software) possible which would
         | otherwise be impossible due to multiple accounts.
        
         | aaron-santos wrote:
         | Who notarizes the notaries?
        
           | blotter_paper wrote:
           | Reputation?
        
           | supertrope wrote:
           | The people who consume the notarized documents. If too much
           | crap comes through they can reject the issuer. Kind of like
           | how Symantec CA got dropped by browser makers.
           | 
           | Public notaries are licensed by US state governments. There
           | is generally a background check, brief training course, and
           | application fee. In at least some states they have strict
           | liability for theft of their stamp.
        
             | aaron-santos wrote:
             | What does it mean to reject the issuer when there are
             | around 4.4 million notaries in the US? What systems are in
             | place now or would need to be created in order to aggregate
             | trust and what are the pros and cons associated with those
             | systems?
        
               | supertrope wrote:
                | For individual notaries, file a complaint about
               | incompetence or report them for fraud. Signatures, seals,
               | and watermarks aren't as good as public crypto but that's
               | okay because phone calls, clearinghouses, and the legal
                | system backstop them (especially for reversible
               | transactions).
               | 
               | Rejecting issuers would be more applicable to repeated
               | transactions from a corporate certificate authority.
        
         | weinzierl wrote:
         | CAcert has a system in place that is close to what you
         | described[1]. Basically already verified users check the
         | identity documents of new users and vouch for their
          | authenticity. Their _"Assurer Handbook"_[2] is an interesting
         | read. When I became an assurer a few years ago the person that
         | trained me also took their task very seriously and I learned a
         | ton about how to check identity documents for forgeries. That
         | alone made it worth it.
         | 
          | Since we have _Let's Encrypt_ I'm not entirely sure what
         | CAcert's place and purpose is, but I think with an existing
         | network of trusted people they are in an ideal position to
         | pivot into a decentralized online identity system.
         | 
         | Mark Shuttleworth's Web of Trust similarly had so called
         | _Thawte Notaries_ but I think it was discontinued a few years
         | ago.
         | 
         | [1] http://wiki.cacert.org/FAQ/AssuringPeople
         | 
         | [2] http://wiki.cacert.org/AssuranceHandbook2
        
         | nsl73 wrote:
         | Why would I ever trust a notary?
         | 
         | As a person being notarized it sounds like I have to give that
         | business more personal information about myself than I usually
         | have to do to get an online identity, as suggested by your
         | subpoena statement.
         | 
         | As a service trying to verify accounts I now have to trust a
         | third party. Maybe the notary has a business that sells fake
         | IDs in the back that are then used in the notarizing process.
         | Maybe my competition set up a burner notary node in order to
         | flood my service with malicious accounts. It sounds like an
         | attack vector.
        
           | uniqueid wrote:
           | You've never provided any business with ID? How do you get
           | into nightclubs?
           | 
           | The internet is important. When something is important
           | enough, it is worth the risk. That's why people share secrets
           | with their bank, lawyer, doctor, psychologist, etc.
           | 
           | We are squandering most of the potential of social media,
           | because its design limits worthwhile conversation to
           | hypotheticals. Since there's no reason to trust the honesty
           | or motivations of anyone online, discussing actual data or
           | life-experience is pointless.
        
             | elric wrote:
             | > How do you get into nightclubs?
             | 
             | Clubs don't care about identity. In some parts of the world
             | they care about age and outward signs of affluence and/or
             | attractiveness.
        
               | uniqueid wrote:
               | I was thinking of North America, where "carding" is still
               | standard practice.
        
               | supertrope wrote:
               | >Age
        
         | risyachka wrote:
         | In my ideal world I never have to deal with notaries and there
         | are no physical documents at all.
        
       | alex_young wrote:
       | TL;DR advice is to use email as your account ID method on various
       | sites, and author's new service to 'verify' the accounts in a
       | central place so people will know they are the same user between
       | sites.
       | 
        | This isn't really decentralization, is it? It's a new kind of
       | account linking which requires one to trust the central
       | verification authority.
       | 
       | Maybe I'm missing something.
        
         | Yolta wrote:
         | You wouldn't need to use your email as account id. The account
         | id could even be completely random, as long as you manage to
          | link back from that account to your key (in the case of Twitter, a
         | tweet with the key fingerprint), anything works! Just add a
         | link to that account to your key.
         | 
          | With regards to decentralization: Keyoxide doesn't hold the
          | proofs. Your key does. You can take your key to any
          | verification system, whether it is the Keyoxide website or some CLI
         | tool or an app, and have that verify the proofs. Yes, you do
         | need to trust the service. But that's where the open source and
         | hopefully one day, network effect comes into play. If enough
         | knowledgeable people trust it and talk about it, then less-
         | techy people might one day too.
         | 
          | In the end, what is important to note is this: Keyoxide is just
         | an implementation detail. If soon a different service becomes
         | much more popular and used, the "decentralized identity proofs"
         | ecosystem still wins! I would love to see apps get developed
         | where anyone can at the press of a button verify online
         | identities. That will be the next big milestone.
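An added example (not code from the original post or from Keyoxide) of the two-way check Yolta describes: the key lists the account URLs, and the content at each of those URLs must carry the key's full fingerprint before the account counts as verified. It assumes proof claims are stored as `proof@metacode.biz=<url>` key notations, the convention Keyoxide uses, and that fetched account content is supplied as plain text; the key, URLs and pages are constructed inline.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Notation name under which Keyoxide-style proof URLs live in a key (assumption).
PROOF_NOTATION = "proof@metacode.biz"
FULL_FPR_LEN = 40  # a v4 OpenPGP fingerprint is 40 hex digits


@dataclass(frozen=True)
class ProofResult:
    url: str
    verified: bool
    reason: str


def normalize_fingerprint(fpr: str) -> str:
    """Drop whitespace and a 0x prefix and upper-case, so spaced and compact forms compare equal."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    return fpr[2:] if fpr.startswith("0X") else fpr


def extract_proof_urls(notations: Iterable[str]) -> List[str]:
    """Forward direction: the account URLs the key itself claims.

    Each notation is 'name=value'. Only the proof notation counts, and only
    https URLs are kept, since a plain-http page could be rewritten in transit.
    """
    urls = []
    for notation in notations:
        name, sep, value = notation.partition("=")
        value = value.strip()
        if sep and name.strip() == PROOF_NOTATION and value.startswith("https://"):
            urls.append(value)
    return urls


def verify_proof(fingerprint: str, url: str,
                 fetch: Callable[[str], Optional[str]]) -> ProofResult:
    """Reverse direction: the content at `url` must contain the key's full fingerprint."""
    fpr = normalize_fingerprint(fingerprint)
    if len(fpr) != FULL_FPR_LEN or not re.fullmatch(r"[0-9A-F]+", fpr):
        return ProofResult(url, False, "need a full 40-hex-digit fingerprint, not a short key ID")
    body = fetch(url)
    if body is None:
        return ProofResult(url, False, "proof location could not be fetched")
    # Whitespace inside the posted fingerprint is irrelevant; so is letter case.
    haystack = re.sub(r"\s+", "", body).upper()
    if fpr in haystack:
        return ProofResult(url, True, "account content links back to the key")
    return ProofResult(url, False, "account content does not mention the fingerprint")


def verify_all(fingerprint: str, notations: Iterable[str],
               fetch: Callable[[str], Optional[str]]) -> List[ProofResult]:
    """Only URLs the key lists are checked: a page claiming a key that does not list it proves nothing."""
    return [verify_proof(fingerprint, url, fetch) for url in extract_proof_urls(notations)]


# Constructed sample data: not a real key, account or page.
SAMPLE_FINGERPRINT = "ABCD 1234 ABCD 1234 ABCD 1234 ABCD 1234 ABCD 1234"
SAMPLE_NOTATIONS = [
    "proof@metacode.biz=https://twitter.com/example_user/status/1",
    "proof@metacode.biz=https://example.org/.well-known/proof.txt",
    "proof@metacode.biz=http://insecure.example/proof",          # dropped: not https
    "proof@metacode.biz=https://twitter.com/impostor/status/2",  # listed, but page never links back
    "preferred-email-encoding@pgp.com=pgpmime",                  # unrelated notation, ignored
]
SAMPLE_PAGES = {
    "https://twitter.com/example_user/status/1":
        "Verifying my OpenPGP key: openpgp4fpr:abcd1234abcd1234abcd1234abcd1234abcd1234",
    "https://example.org/.well-known/proof.txt":
        "[Verifying my OpenPGP key: openpgp4fpr:ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234]",
    "https://twitter.com/impostor/status/2":
        "I own this key, trust me.",
}


def sample_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTPS fetch; returns None for anything outside the constructed set."""
    return SAMPLE_PAGES.get(url)


if __name__ == "__main__":
    for result in verify_all(SAMPLE_FINGERPRINT, SAMPLE_NOTATIONS, sample_fetch):
        print("OK  " if result.verified else "FAIL", result.url, "-", result.reason)
```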
        
       | Trumpi wrote:
       | We literally had this with OpenID. If I remember correctly, it
       | pre-dated Facebook and the flurry of "Login with XXX" type
       | authentications. But the corporations like their walled gardens
       | too much and OpenID fell out of favor.
        
         | user5994461 wrote:
         | OpenID was replaced by OpenID Connect and SAML.
         | 
         | They mostly operate in federations, which is neither
         | centralized nor decentralized.
        
       | mikedilger wrote:
       | Identity as a noun is problematic and IMHO usually reflects
       | miscomprehension. Identity is a relationship. The identity
       | function maps something onto itself. Authentication checks if the
       | current entity is an entity you remember.
        
       | mitchtbaum wrote:
       | Meh
        
       | djsumdog wrote:
       | I agree with a lot of this post. A lot of the left-leaning
       | intellectuals that are now criticizing the harder-left stances in
        | academia; people like Bret Weinstein, Jonathan Haidt, Sam
        | Harris, et al. ... I've heard all of them say they want less
       | anonymity and more accounts tied to real identities.
       | 
       | Whenever I hear this I think, "What? No! That's the opposite
       | direction we should be going." Identities that are hard locked to
        | real people make it so easy to harass, mob, cancel and abuse
       | people. At least in the US, most employers are at-will, allowing
       | for Viewpoint Discrimination.
       | 
       | Anonymity does have its issues. It also does allow people to
       | harass with more impunity. But in many ways, it also exposes more
       | of the deep self and the controversial ideas people have that
       | they are less and less likely to discuss outside of anonymity.
       | 
       | Even semi-anonymous platforms like Reddit are going back on
       | previous commitments to free expression of ideas; and the effect
       | is that Reddit is becoming more one-sided/one-direction, just
       | like the platforms everyone is fleeing into.
       | 
       | Always use your e-mail to sign up for things. I rarely ever allow
       | applications to connect via social media/OAuth. There was a time
       | on the Internet where we thought all identity providers could be
       | interchangeable. I ran an OpenID IDP for years, but fewer and
       | fewer sites allow OpenID logins:
       | 
       | https://battlepenguin.com/tech/the-decline-of-openid/
        
         | jessaustin wrote:
         | _...left-leaning intellectuals..._
         | 
         | Didn't you get the memo? We're supposed to like government
         | surveillance now. After all, now FBI/CIA/NSA are on our side
         | and we can totally trust them forever.
        
         | clairity wrote:
         | how about we have a whole range of options so that we can
         | express our full selves via the various venues made available?
         | 
         | sometimes you want (pseudo-)anonymity and sometimes you don't.
         | being able to pick and choose seems to offer the greatest
         | freedom, rather than pigeon-holing everyone into one option.
        
           | jimkleiber wrote:
           | This! While sometimes I want to use a pseudonym, there are
           | many times I want to say "I am the human who I say I am," and
           | currently, that means hoping a platform will magically verify
           | me (if they even verify anyone) or, I suppose, posting a copy
           | of my ID to the internet, and even that doesn't work so well.
           | 
           | While there are many routes to be semi-anonymous, there are
           | very few to being verified (or maybe I just don't know about
           | them)
        
         | julianeon wrote:
         | On the contrary, I advise everyone to use real-name identities
         | wherever they can. I understand that pseudonymous and real name
         | accounts have fundamentally different approaches, but I think,
         | for the majority of people, pseudonymous accounts are a
         | mistake.
         | 
         | The reason is simple. In 2020, everybody is a brand. Things
         | have become competitive to the point that the inevitable
         | happened: business has occupied free time. We could lament
         | that, or we could accept it, because it's the reality today,
         | and I don't think we're ever going back.
         | 
         | Personally I think pseudonyms are a legacy of a time when the
         | Internet was not taken seriously and whatsupdoggg69 was a
         | perfectly valid username in a place where nothing mattered and
         | Internet work had no monetary value.
         | 
         | That's changed, a lot. That viewpoint - which, to be honest,
         | was probably questionable, even then - seems definitely wrong
         | now. It seems more and more like the wrong path, and you don't
         | have to go down it.
         | 
         | You need to start posting under your real name, and then keep
         | doing that, so people know they can go to your advice,
         | expertise, friendship, a place to pay attention, etc. That has
         | a _lot_ of monetary value.
         | 
          | My philosophy here is: unless you intentionally choose to leave
         | money on the table, you should never leave money on the table.
         | 
         | So if you're working in 2020 at a prestigious or a first-mover
         | startup (which covers a lot of startups), don't go on reddit
         | and post memes under some name that will always be worth $0.
         | 
         | Instead, go on Twitter, post under your real name, and start
         | becoming known as the go-to person for your niche of the
         | industry.
         | 
         | If you are working at a startup, and building a name launched
         | out of a startup (no lawyer is going to attempt to claim your
         | real name social media handle), you can launch a consultancy,
         | just off that.
         | 
         | Assuming your consultancy brings in 100k a year and businesses
          | often sell for 10x revenue (a pretty reasonable assumption),
         | then doing that over 10 years can build you a $1,000,000
         | consultancy.
         | 
         | Given those numbers, I think it's positively stupid to turn
         | down $1,000,000 for the sake of a few forgettable jokes and
         | political opinions that, let's face it, in the case of the
         | average person, are not changing anything.
         | 
         | Instead, do the smart thing, claim that $1,000,000, and get
         | used to using real names & real name content for everything.
        
           | mirimir wrote:
           | Why not do both?
           | 
           | As you say, using your real name builds your brand. However,
           | you must then be very careful to avoid saying stuff that
           | damages your brand. And as you basically say, you must
           | therefore censor yourself online.
           | 
           | So why not do other stuff using pseudonyms? That's exactly
           | why I started using them. I'm retired now, so there's really
           | nothing about my meatspace identity to protect. But when
           | there was, having the freedom to express myself honestly
           | online was important to me. In particular, because I had to
           | police my meatspace behavior so carefully.
        
         | danso wrote:
         | How would people who want to be the next Haidt or Harris build
         | up authority (i.e. a reputation/brand) if identity becomes
         | decentralized and ephemeral?
        
       | bookmarkable wrote:
       | Correctly identified problem.
       | 
       | Far too technical and obscure a solution for 99% of the world.
       | 
       | I think Apple, while not a complete solution, shows a path
       | forward with Sign In with Apple allowing you to generate a relay
       | email.
       | 
       | As always, whoever nails the user experience will win.
        
         | kevsim wrote:
         | Fully agree. I've had the opportunity to work on identity at 2
         | former employers. We tried to push things in this direction as
         | part of exploration work including discussions with Mozilla
         | around Persona and much more. Unfortunately every time, we met
         | a fairly insurmountable problem - most users just don't get it,
         | and even if they get it, they don't care.
         | 
         | I agree this is where things need to move, but we need to make
         | it so simple that users who don't care can still use it and
         | those who do can get the most out of it.
        
       | atlgator wrote:
       | Isn't identity already centralized? Just about every website with
       | a login system has self-asserted ID.
        
       | Animats wrote:
       | The future of online identity is centralized.
       | 
       | China is already there. At age 16, you get your picture and
       | fingerprints taken. If you get a phone, its ID is tied to your
       | personal ID. Your WeChat account is tied to that ID. If you ride
       | the subway or bus in a major city, or a train, your ID is
       | recorded when you pay. A combination of phone tracking and facial
       | recognition records where you go in some cities. It's even used
       | to shame jaywalkers.[1]
       | 
       | The US is getting there with Real ID. It's been postponed a year
       | due to the epidemic, but soon you will need a Real ID, checked
       | against your birth registration, to board even a domestic flight.
       | 
       | [1] https://youtu.be/ectdRsyj-zI
        
         | closeparen wrote:
         | Real ID is a contract between the federal government and the
         | states about the security of their existing ID issuing
         | processes. It covers things like, don't leave ID printers and
         | card stock in podunk branch offices where $12/hour staff can
         | let in their friends at night. Use printing processes that are
         | sufficiently hard to replicate. If your freedom relied on stuff
         | like this, you were already an outlaw, the only implication of
         | Real ID is that now you will need stronger technical skills to
         | produce your next convincing fake. It has nothing to do with
         | where and whether IDs are required. Airport and courthouse
         | security have been requiring IDs for many years now.
        
         | jadbox wrote:
         | As the article mentions, centralized trust has proven that it
         | reaches a certain maximum before being plagued by political,
         | legal, and corruption. I don't know much about China's
         | state ID system, but based on other systems they've rolled out,
         | I'm sure with enough money and the right contacts you can wipe,
         | fabricate, or change your ID (which is also true for the US).
         | Centralized systems have to also undertake the same problems as
         | decentralized ones, like ensuring records are kept updated,
         | which is no trivial task when providing identity for millions
         | of people (1).
         | 
         | (1) https://www.washingtonpost.com/us-policy/2020/06/25/irs-
         | stim...
        
       | markus_zhang wrote:
       | Yes, it might be de-centralized, but in a different way. It will
       | simply be distributed to different
       | bureaucracies/aristocracies/warlords/agencies/etc. with each
       | jealously holding their part and trying to grab the rest from other
       | players.
        
       | motohagiography wrote:
       | Have worked in the identity space for a long time. Authentication
       | isn't a hard problem, but identity is. It will be decentralized
       | because if it is not fragmented, it is literally just oppression.
       | Trusting authentication is not trusting identity, and the origin
       | of identity is the Ur-problem because it comes down to questions
       | of recourse, collateral, risk, authority, and legitimacy - which
       | are all political economy questions and not technical ones.
       | 
       | The technology can change the economics of identity, but identity
       | itself reduces to how you organize to provide recourse to people
       | within your scope. Sure, we can use escrow systems and smart
       | contracts, but these still require a means to organize and
       | provide adjudication.
       | 
       | All the use cases for digital identity are about enforcement and
       | liability, and there are almost none that anyone would volunteer
       | for. In this sense, identity is necessarily imposed, so all
       | products in the space are necessarily aimed at a customer who is
       | imposing identity on a group. It's why I tell identity companies
       | who ask to find some other problem to solve because holding out
       | for some government to adopt your product as their source of
       | sovereignty is a waste of time. There is one other use case for
       | identity, and yes, it is decentralized and bottom-up, because it
       | is about dividing into secure, self-sovereign affinity groups,
       | and the reasons for doing that are on a very short list of uses.
       | Super fun, but basically a weapon.
        
         | coldtea wrote:
         | > _It will be decentralized because if it is not fragmented, it
         | is literally just oppression._
         | 
         | The conclusion ("It will be decentralized") doesn't follow from
         | the argument though ("because if it is not fragmented, it is
         | literally just oppression").
         | 
         | It could very well be "just oppression" and keep being that...
        
           | mirimir wrote:
           | Yeah, that's one of my top worries. It's already that way in
           | much of the world. And the "liberal democracy" sector is
           | teetering on the edge. Once we get seriously into the chaos
           | of global climate change, pandemics, mass migrations, war and
           | so on (aka Gibson's "Jackpot"), who knows?
        
         | Barrin92 wrote:
         | >All the use cases for digital identity are about enforcement
         | and liability, and there are almost none that anyone would
         | volunteer for.
         | 
         | Everything from a LinkedIn or Facebook account to your personal
         | artist homepage with your CV on it establishes identity. People
         | obviously disclose identity voluntarily, because identity is
         | the primary means by which strangers establish trust.
         | 
         | If your identity is not transparent to me, I won't enter a
         | relationship with you that requires me to know who you are,
         | which in practice is almost every one. I don't see how non-
         | fragmented identity is oppression. It can be for sure, but the
         | primary reason why identity is important in our interactions is
         | because it establishes trust and reputation. I've always
         | considered "non-imposed" identity a sort of oxymoron for that
         | reason, because if full control of identity is left to the
         | individual, identity essentially loses its primary purpose.
        
           | mirimir wrote:
           | It's not that simple. My meatspace identity is entirely
           | transparent. But online, I'm mostly Mirimir and other
           | pseudonyms. Even so, I've been Mirimir for long enough, and
           | have written enough about freedom, privacy and anonymity that
           | I have a substantial reputation.
           | 
           | That is, one can have a range of identities, from entirely
           | transparent to stably pseudonymous to fleetingly anonymous.
        
           | user5994461 wrote:
           | Linkedin/Facebook/Email login establish that it is the same
           | "person" coming back. They don't guarantee the identity of
           | the person as in official name or address or date of birth.
        
             | Barrin92 wrote:
             | Is this a distinction without a difference? Networks like
             | LinkedIn exist for the purpose of building real social
             | capital and that's how they're used by 99% of their users.
             | I don't see the incentive for someone to use a fake persona
             | (other than scamming).
             | 
             | All those private firms are in many ways identity providers
             | just as real and official as governmental ones.
        
               | user5994461 wrote:
               | It's a massive difference. Consider linkedin vs national
               | UK login.
               | 
               | The latter one guarantees the identity: full name, date of
               | birth, address, verified phone number, last taxable
               | income, etc...
               | 
               | It allows one to request government benefits or open a bank
               | account online, because the identity is guaranteed. There
               | is a real verified person behind the account. (corollary:
               | you will be in trouble if somebody gets credit cards
               | under your UK identity).
               | 
               | On the other hand, it's not great if that identity is
               | required to apply to a job. The company can see your
               | passport after they hire you. There is no need for every
               | job board and recruiter and company to systematically get
               | all your personal information in advance.
        
               | AlexandrB wrote:
               | > Networks like LinkedIn exist for the purpose of
               | building real social capital
               | 
               | ???
               | 
               | No they don't. They exist for the purpose of selling
               | advertising. Any other purpose is either marketing copy
               | to get you to use it or an emergent property based on
               | people believing the marketing. Consider that LinkedIn
               | would continue to exist if it provided no social capital
               | whatsoever as long as it could still get ads in front of
               | eyeballs.
               | 
               | Another observation: whether any specific social network
               | "builds social capital" depends on the demographics of
               | the audience and general "trendiness". People in high
               | school don't care about LinkedIn, professionals in their
               | 30s don't care about TikTok. Does this mean that TikTok
               | should be an "identity provider" to people under 20?
        
         | narag wrote:
         | _It will be decentralized because if it is not fragmented, it
         | is literally just oppression._
         | 
         | I've never understood that way of viewing things. For me
         | identity is a right. The government must provide me with the
         | means to prove who I am and my associated data like birth
         | certificates, academic titles, health (vaccination), real
         | estate and indirectly verifying identity for private contracts
         | that use my national id card number.
         | 
         | In an oppressive state identity surely could be oppression,
         | just like everything else, but in a democratic country? Come
         | on. In the USA government and even private entities are
         | collecting massive databases of everybody's data. But there's
         | this panic about a centralized service providing identity. It
         | makes no sense.
        
           | pmoriarty wrote:
           | _"In an oppressive state identity surely could be
           | oppression, just like everything else, but in a democratic
           | country?"_
           | 
           | What makes you think a democracy can't be oppressive?
           | 
           | Even in perfect democracies there is something called the
           | tyranny of the majority, where the majority can oppress the
           | minority.
           | 
           | If we're talking about the US in particular, we have to
           | recognize first that it's not even a perfect democracy, and
           | there are many anti-democratic things about it such as the
           | electoral college, and plenty more things that hinder
           | democracy even where it exists (such as poor civic education,
           | money's outsize influence in elections, extremely biased
           | media, branches of government which shirk their balancing and
           | oversight roles, etc).
           | 
           | Then, to get specifically to the oppressive aspects of the
           | US, they range from slavery and lack of women's rights from
           | its foundation, to segregation that existed in law up to the
           | middle of the 20th Century (and arguably still exists in fact
           | to some extent and in some places in the US even now), to the
           | imprisonment in concentration camps of Americans of Japanese
           | descent, to discrimination against people who weren't
           | heterosexual, to the War on Drugs and police brutality which
           | primarily impact minorities, to abuse, killing, and
           | imprisonment of people who come to the US from other
           | countries.
           | 
           | All this oppression and more has happened in what is
           | ostensibly a democracy, and often likes to style itself as
           | the world's greatest democracy.
           | 
           | And all of this oppression has had to do with identity, which
           | required identifying people's race, gender, sexual
           | preferences, or country of origin.
           | 
           | Such identification is amplified and made all that much
           | easier in the age of computers, the internet, and gigantic
           | databases on everyone. It's a data trove just begging for
           | abuse.
        
             | chrisco255 wrote:
             | It's not meant to be purely democratic. The founders were
             | students of history and recognized the inherent instability
             | of pure democracies. There were no human rights recognized
             | anywhere in the world in 1776. The imperial era was still a
             | thing and Kings and queens still had vast influence over
             | European politics, with various other centralized power
             | structures in virtually all parts of the world. I get that
             | it's easy to point out the hypocrisy of the phrase "all men
             | are created equal" when slavery was still a thing in half
             | the states, but it was a very tenuous situation to go
             | against the crown of England in 1776. It was far from
             | guaranteed. A lot of people see the human rights we have
             | today as some sort of inevitable outcome of progress, but
             | China is case in point that progress and time do not
             | necessarily yield more rights for more people. China is
             | 4000 years old and they still don't even have basic freedom
             | of speech there.
             | 
             | All of human history is filled with bloodshed, tyranny,
             | endless wars, conquering, slavery, piracy, vandalism,
             | raiding parties, human sacrifice, religious battles and
             | authoritarianism, with just a few punctuating moments of
             | anything resembling democracy and recognition of human
             | rights. That goes for every race, country, tribe, continent
             | and creed. No heritage is innocent of that. That's the
             | truth. 1776 didn't have to succeed. It very much could have
             | ended with being squelched by the Crown and then where
             | would we be today? Perhaps the Nazis would have won. Perhaps
             | the Soviets would have developed imperial ambition in the
             | absence of a strong US to keep them in check. Maybe the
             | world would be a darker place. I suspect that without the
             | U.S. that it would be, since that's the rule of history and
             | not the exception.
             | 
             | Interning the Japanese Americans was of course wrong, but
             | when you're fighting a world war and tens of millions are
             | dying at the hands of Japanese (they slaughtered Chinese by
             | the tens of millions)...it's very touchy isn't it? The
             | lesser of two evils in that particular war was certainly
             | the U.S.
             | 
             | Again, prior to world war 2 the world was still filled with
             | imperial forces itching to conquer and enslave other people
             | by the tens of millions. This is just 80 years ago...not
             | that long ago. There was nowhere else in the world living
             | up to the high ideals we seek to achieve today back then.
             | The U.S. was that place for so many people to escape to.
             | The Jews being one group. The Cubans being another. The
             | Vietnamese being another. The Koreans being another. If
             | you're going to paint the picture, paint it in the context
             | of the world at the time and the subsequent actions in the
             | wake of those problems. I think individuals deserve
             | forgiveness after some time, and the same goes with
             | nations, given that their behavior is corrected. There's
             | nothing wrong with the movement towards more civil rights.
             | But expecting things to go from millennia of imperialism to
             | utopian democracy overnight, especially one saddled with so
             | much legacy from that era, is naive. Again, it didn't have
             | to go so well. It could have very easily gone south and ended up
             | worse off for everyone.
        
               | pmoriarty wrote:
               | _"It's not meant to be purely democratic. The founders
               | were students of history and recognized the inherent
               | instability of pure democracies."_
               | 
               | Many of the founders were also elitists who didn't want
               | anyone but landowning white men to run the country. They
               | were wary of "mob rule" (i.e. direct democracy), and
               | preferred to have the elites rule. The jury's still out
               | on whether they were right or whether direct democracy is
               | actually better. Considering how much power and wealth is
               | being concentrated in the hands of a tiny minority in the
               | US, I'm siding with having more direct democracy, not
               | less.
               | 
               | _"I get that it's easy to point out the hypocrisy of
               | the phrase "all men are created equal" when slavery was
               | still a thing in half the states, but it was a very
               | tenuous situation to go against the crown of England in
               | 1776."_
               | 
               | The existence of slavery in the US wasn't just about
               | 1776... it lasted until 1865. The US was one of the last
               | countries to end slavery.
               | 
               | _"All of human history is filled with bloodshed,
               | tyranny, endless wars, conquering, slavery, piracy,
               | vandalism, raiding parties, human sacrifice, religious
               | battles and authoritarianism..."_
               | 
               | _"Interning the Japanese Americans was of course wrong,
               | but when you're fighting a world war and tens of millions
               | are dying at the hands of Japanese (they slaughtered
               | Chinese by the tens of millions)...it's very touchy isn't
               | it? The lesser of two evils in that particular war was
               | certainly the U.S."_
               | 
               | The point of my post wasn't to say there weren't reasons
               | (some might say excuses) for the US to behave the way it
               | did (extreme, widespread racism against minorities is one
               | such reason and excuse), nor to deny that some countries
               | were just as bad or even worse, but to recognize that
               | massive, serious oppression did in fact happen in the US,
               | despite it being some sort of a democracy.
               | 
               | Oppression in the US is still happening, is likely to
               | continue, and will probably be greatly enabled by the
               | easy availability of identifying information on the
               | people within and without its borders.
        
               | arminiusreturns wrote:
               | I want to express a frustration with this type of
               | response I have.
               | 
               | Inevitably, when this topic of discussion comes up, I
               | almost always see a response of this type, calling into
               | question the entire foundation of the USA on the basis of
               | the founding brothers being white slave owners, and it
               | really bugs me, but I'm having a hard time trying to
               | articulate it well...
               | 
               | I think it mostly centers around a very superficial
               | understanding of the evolution of the enlightenment and
               | the renaissance into the culmination of those that was
               | the US. I would probably respond better if, when these
               | arguments get thrown about, I heard discussion of the
               | philosophical underpinnings the founders, in particular
               | Madison, based their proposals on. Discussion or
               | reference to individual liberty, natural law and natural
               | rights, and such, as learned from study of Socrates,
               | Plato, Aristotle, Thomas Aquinas, Locke, Hobbes and
               | Spinoza, Montesquieu, etc.
               | 
               | I almost never see these referenced in these responses
               | though, and to me it seems very dangerously close to
               | "throwing the baby out with the bathwater", and I fear
               | that the sentiment is growing so rapidly, as shallow as
               | it may be, that the lack of understanding why America
               | truly is a revolutionary country and is exceptional in
               | history will portend some very turbulent times in the
               | future.
               | 
               | Yes, the system was imperfect from the start, and has
               | been even more imperfect in implementation, but to say
               | then that the whole system (not saying you said this, but
               | it seems thinly veiled to that effect often) must be
               | thrown out is foolhardy at best. The shining light of
               | America is that it has, in its founding documents, a
               | system designed to self-improve over time. I see our main
               | problem as being the lack of memory of why each piece of
               | that system is so important, and have allowed it to
               | become corrupted. The path forward then is in seeking to
               | enforce the core foundational principles the founders
               | thought very hard about (such as Montesquieu's checks and
               | balances system), and not to discard them just because
               | they came from people that were imperfect.
        
           | coldtea wrote:
           | > _I've never understood that way of viewing things. For me
           | identity is a right._
           | 
           | Historically "identity" wasn't a right, but something imposed
           | on people, for better tracking and controlling them by
           | authorities...
           | 
           | > _In an oppressive state identity surely could be
           | oppression, just like everything else, but in a democratic
           | country?_
           | 
           | Oppression is not about democratic vs totalitarian state.
           | McCarthy and Hoover, to mention just two examples, reigned
           | over others in the good ole democratic US of A.
           | 
           | Not to mention very few (if any) countries have actual direct
           | democracy, or give the people say in how they want to be
           | governed, from the constitution and downwards.
        
             | mirimir wrote:
             | > Historically "identity" wasn't a right, but something
             | imposed on people, for better tracking and controlling them
             | by authorities...
             | 
             | I used to own a wonderful book about the history of data
             | science. As I recall, starting in maybe the 1600s, experts
             | in France and Germany were tasked with tracking
             | populations, birth and death rates, economic activity, and
             | so on. And the primary goal was to aid in military
             | planning. Unfortunately, I've lost the book and forgotten
             | the title and author. And the search terms are so topical
             | as to be useless.
        
             | closeparen wrote:
             | Identity can't be "imposed," come on. Personhood is
             | continuous across time and space. All a system can
             | influence is your ability to lie about this. Ability to
             | deceive the state can protect your freedom but inability to
             | trust others also has a cost, there has to be a balance.
        
           | TehCorwiz wrote:
           | I can reasonably change my hardware, software, and habits to
           | avoid being matched with some corporate agglomerated profile
           | of "me".
           | 
           | However, I cannot change my government provided identity.
           | 
           | Right now I can have multiple identities: one for work, one
           | for my WoW guild, one for security research.
           | 
           | With a single centralized identity provider I couldn't do
           | that. They wouldn't just be able, they would by default
           | associate my personal and professional associations.
           | 
           | I feel that the risk of a single central (and especially
           | government run) identity provider is that it can chill
           | freedom of association by disallowing you to anonymously, or
           | if not anonymously then disconnectedly associate with people
           | or groups.
        
           | WealthVsSurvive wrote:
           | The problem is not that the data is centralized; the problem
           | is that centralization engenders a position of advantage,
           | which incentivizes perversion. This is why the problem
           | becomes political. The amount of privacy one should have is
           | relative to the ethics of humanity, society, to material
           | necessity and fact, etc. This is an unsolved problem. One
           | would need a series of blind oracles to solve it, unfettered
           | by the influence of living things.
        
           | Nextgrid wrote:
           | The problem with making government-issued ID easy to verify
           | online is that every website will start requiring it and
           | pseudonymity or anonymity would become a thing of the past,
           | even though it's necessary in some cases.
        
         | Spearchucker wrote:
         | Identity federation seemed to promise solutions to some of
         | these problems, but never quite took off. The part I liked most
         | was the ability to verify someone as being over 18 without
         | divulging their age or any other meta data. That was 10 years
         | ago though, and I have no idea what the citizen/consumer
         | identity space looks like now.
         | 
         | Did the industry ever get around the sub-par SAML protocol
         | which had no support for the active requestor profile, and the
         | superior WS-Federation protocol which had to use the
         | technically superior SAML token?
        
       | jadbox wrote:
       | I'm surprised that BrightID or 3BOX aren't mentioned for
       | decentralized solutions:
       | 
       | https://www.brightid.org/
       | 
       | https://3box.io/hub
        
       | identitywoman wrote:
       | The future is Decentralized - you have very large actors working
       | to deploy systems based on the Verifiable Credentials (VC) Data
       | Model (W3C Standard) and the Decentralized Identifiers (soon to
       | be W3C Standard) extensive work is being done on how the data is
       | exchanged (Credential Handler API, OpenID Connect Self Issued
       | Identity Provider (OIDC_SOIP) <- so any installed openID can
       | accept VCs and DID Communications (spec under development at the
       | Decentralized Identity Foundation). Actors supporting this work
       | include western liberal governments, MSFT, IBM and many many
       | others, including many cool small startups. We gather twice a year at the
       | Internet Identity Workshop. Our archives for the last 10 years
       | are online.
        
       | foobar_ wrote:
       | Is it possible to add proofs for phone, credit card?
        
       | magnusmagnusson wrote:
       | Urbit already done it.
        
         | nanomonkey wrote:
         | Can someone point me to a resource that cuts through all of the
         | jargon that Urbit uses and describe what it does that is new?
         | I've browsed through their website and Hoon, the programming
         | language, and can't find anything intriguing besides a bunch of
         | new names and glyphs for existing terminology.
         | 
         | Is it just new age cabala of decentralized tech to generate
         | hype and intrigue? I've seen a lot of projects fall into this
         | techno-wizardry naming trap, and enjoyed it myself, but I'm
         | starting to get tired of the overhead of such abstractions.
        
         | riffic wrote:
         | ah, the TempleOS of decentralization.
        
       | mawise wrote:
       | Sounds a lot like IndieAuth, but with keys and math instead of
       | "centralized" DNS.
       | 
       | https://en.m.wikipedia.org/wiki/IndieAuth
        
       | mirimir wrote:
       | > Removing the possibility for anonymity could solve the problem
       | of online toxicity.
       | 
       | Except that it's not possible. And worse, it's just hard enough
       | to evade that only those with malicious goals will manage it.
       | 
       | > Large internet corporations like Google and Facebook allow all
       | to create an account on condition that some personally
       | identifiable information is revealed, usually a phone number.
       | 
       | Also Signal, sadly enough :(
       | 
       | > The benefit is that it deters most from repeatedly creating new
       | accounts when older accounts have been flagged or banned due to
       | improper behavior. These companies gain the function of "identity
       | provider": they manage your online identity that can be used to
       | login in different locations of the internet. We all know many
       | websites that offer a "Google login" or "Facebook login".
       | 
       | Yes, it "deters most". And mainly it deters vulnerable people,
       | who need ~anonymity to protect themselves from adversaries. It
       | doesn't deter spammers, trolls, scammers, bot operators, and
       | such. There are just so many ways to use multiple phone numbers.
       | Ranging from free websites to SIM banks. And actually, it's
       | easier just to buy accounts, either fresh or old (which probably
       | means stolen).
       | 
       | So even without getting into concerns about corporate
       | gatekeepers, it's clear that this is a misguided approach.
        
       | dmitshur wrote:
       | I'm happy to support IndieAuth (a decentralized identity protocol
       | built on top of OAuth 2.0) on my site and give people the option
       | to use their personal site, if they have one, as a way of
       | identifying themselves and performing authentication.
       | 
       | I described the motivation in more detail at
       | https://github.com/shurcooL/home/issues/34.
        
       | Temasik wrote:
       | so when ico
        
       | synctext wrote:
       | "A Truly Self-Sovereign Identity System", our academic work with
       | Tor-like privacy[1].
       | 
       | This goes beyond owning your identity. Has government
       | sponsorship. The EU is currently taking the lead in this area,
       | search terms: "ESSIF: The European self-sovereign identity
       | framework".
       | 
       | [1] https://arxiv.org/abs/2007.00415
        
       | cirno wrote:
       | I feel like a domain is a nice way to link identities, with a
       | small nominal fee being a nice deterrent to botting. Not the most
       | user-friendly for those not tech savvy, but third-party services
       | could help with setting up such sites.
       | 
       | Make a page on your domain with rel=me links to your social media
       | profiles, have the social media sites link back to your site with
       | a verified symbol next to the link when it scans and validates
       | the rel=me link.
       | 
       | This puts you in control of your verification instead of
       | federating it to a service like Keybase or Keyoxide.
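       A minimal reciprocal rel=me checker for the scheme described in this
       comment (and the rel=me step that dmitshur's IndieAuth setup above also
       relies on), added here as an illustration; it is not code from the
       thread, from IndieAuth, or from Keyoxide, and the domains and HTML
       pages are constructed samples. It shows why a scanner must require
       the link in both directions: a profile that merely points at your site
       is not verified unless your site also claims that profile.

```python
"""Reciprocal rel="me" verification between a personal site and a profile page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class RelMeParser(HTMLParser):
    """Collects href targets of <a>/<link> elements whose rel token list contains 'me'."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").split()  # rel is a space-separated token list
        if "me" in rel and a.get("href"):
            self.links.append(a["href"])


def normalize(url):
    """Canonical form for comparison: lowercase scheme/host, no fragment, no trailing slash."""
    p = urlsplit(url.strip())
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))


def rel_me_links(html):
    parser = RelMeParser()
    parser.feed(html)
    return {normalize(h) for h in parser.links}


def verify_rel_me(site_url, site_html, profile_url, profile_html):
    """True only when the site claims the profile AND the profile links back to the site."""
    site_claims = normalize(profile_url) in rel_me_links(site_html)
    profile_confirms = normalize(site_url) in rel_me_links(profile_html)
    return site_claims and profile_confirms


# Constructed sample pages (hypothetical domains): the site links out, the profile links back.
SITE_HTML = '<html><body><a rel="me nofollow" href="https://social.example/@alice">Me</a></body></html>'
PROFILE_HTML = '<html><head><link rel="me" href="https://alice.example/"><title>Alice</title></head></html>'
# An impostor profile that links to the site without the site claiming it in return.
IMPOSTOR_HTML = '<html><body><a rel="me" href="https://alice.example/">Alice</a></body></html>'

if __name__ == "__main__":
    print(verify_rel_me("https://alice.example", SITE_HTML, "https://social.example/@alice", PROFILE_HTML))  # True
    print(verify_rel_me("https://alice.example", SITE_HTML, "https://social.example/@eve", IMPOSTOR_HTML))  # False
```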
        
       | IbyvzOneoneh wrote:
       | This makes tracking slightly more difficult, but does it really
       | make significant difference when you consider all the tools at
       | tracking companies' disposal?
       | 
       | How does it prevent linking those identities with real identities
       | by using tools like browser fingerprinting, tracking preferences
       | and stylometry?
       | 
       | I don't really see a way to keep my commenting (and even browsing
       | to some extent) user friendly and disconnected from my real
       | persona, so I act accordingly.
       | 
       | However, I'd like to be proved wrong.
        
       | vjeux wrote:
       | Maybe I'm missing something but the author mentioned using email
       | instead of Facebook/Google login. Why come up with a complex
       | crypto protocol instead of using email as the identity key?
        
       ___________________________________________________________________
       (page generated 2020-07-12 23:00 UTC)