[DG-BSC] Notes from BSC telecon Tuesday, October 25

Eve Maler eve.maler at forgerock.com
Tue Oct 25 11:02:48 CDT 2016


http://kantarainitiative.org/confluence/display/BSC/2016-10+%28October+2016%29+Meetings#id-2016-10(October2016)Meetings-Tuesday,October25

Agenda:

   - Report writing
   <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group>:
   Sovrin Foundation questionnaire answers discussion

Attending: Eve, Thomas, Matisse, Kathleen, SteveO, Thorsten

*Meeting logistics:* Just a reminder: No meeting this Thursday. Also, when
we take up meeting again next week, UK and Europe clocks will have changed,
but US clocks won't have, and US Pacific is our normative time zone (see
timeanddate.com <http://www.timeanddate.com/time/dst/2016.html> for
"summertime skew" details...). Please keep an eye on and/or subscribe to
our calendar <http://kantarainitiative.org/confluence/display/BSC/Calendar>!

*New book:* Don't miss Thomas's new book, called Trust::Data: A New
Framework for Identity and Data sharing
<https://www.amazon.com/Trust-Data-Framework-Identity-sharing/dp/153911421X/ref=sr_1_1?ie=UTF8&qid=1477408182&sr=8-1&keywords=hardjono>!
Wow. Congratulations!

*Sovrin answers:* You can find them in your inbox or in the email archive
<http://kantarainitiative.org/pipermail/dg-bsc/2016-October/000289.html>.
See also the paper
<https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2016/blob/master/topics-and-advance-readings/Sovrin--digital-identities-in-the-blockchain-era.pdf>
Thorsten mentioned in email.

Overall, Eve's question for each use case, differentially, is: How much
does limiting the risk of a "pure public blockchain technology" approach
impact the goals of the use case, and particularly in our case where the
use case goals are for empowerment? E.g., for some fintech use case where
you want to speed up business and protect against legal risk, maybe
limiting the "distributedness" of the blockchain to your enterprise – that
is, inside your firewall – could be fine. But for other use cases, that
could seriously harm your goal. So for today, given that Sovrin has a goal
of self-sovereign identity, have they been able to successfully mitigate
risk while enjoying/providing the benefits of blockchain ("walked the line
correctly")?

"Self-sovereign identity" sounds like an extension of the previous notion
of "user-centric identity".

Thomas's CoreID paper caused some people to accuse him of being a
communist for proposing a blockchain identity system that enables
anonymous credentials. Eve's question is: What ecosystem that involves both
individuals and services could function without at least some (probably the
lion's share of) use cases of *identified* sharing?

There are some "anonymous authorization" (Shibboleth) and "claims-based
access control" (UMA) use cases, indeed. (And notice that these use cases
didn't require blockchain to be solved.) But quite often, (empowered)
service operators do need to know who they're dealing with among (currently
disempowered) individuals. See Latanya Sweeney's research
<http://latanyasweeney.org/work/identifiability.html> on the ability to
re-correlate individuals from a few attributes; hence Eve's skepticism
about ZKP approaches (which Sovrin criticizes as well). Users also have
real incentives to share data with services in many cases because otherwise
the services can't function.

Are there any services accepting Sovrin credentials yet? These are
apparently called "stewards".

We looked at the Technical Foundations
<https://www.sovrin.org/The%20Technical%20Foundations%20of%20Sovrin.pdf>
paper. The observer/validator/governance paradigm seems well thought out.
Thomas noted that the widening circles of nodes looks like what Ripple has.
The governance model could perhaps be a model/template for other use cases
as well.

Not depending on IdPs sounds like a big benefit. People have become
persona non grata on various services that function as IdPs (such as being
shadowbanned or outright banned on Twitter), or have been monitored by
government IdPs. However, the reality of many service providers is that
they rely heavily on these 30 social IdPs
<https://rpxnow.com/docs/providers#microsoftaccount> for a lot of what they
do, both the user population and the information provided by these service
sources. ("Social login" is when they rely totally on the incoming IdP for
information, and "social registration" is when they explicitly collect
additional information and do separate login thereafter.) What is the value
proposition for these RPs?

Also, how would legacy "federated SSO" work (a la SAML or OIDC) in this new
world?

*AI:* Everyone please continue to review the questionnaire answers (two
sections left to go) and provide thoughts in email. We can send our
questions to the Sovrin folks after our review is complete.


*Eve Maler* | ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
*The ForgeRock Identity Summit* <http://summits.forgerock.com/> is coming to
*Paris in November!*
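Added illustration (not part of Eve's notes, and not Sovrin's or ForgeRock's code) of the re-identification point raised above: a linkage attack that joins a "de-identified" record set to a public roll on the ZIP/date-of-birth/sex triple Sweeney studied, plus the k-anonymity check that exposes the risk and the generalization step that removes it. All records, names and column names below are constructed for the example.

```python
"""Linkage (re-identification) attack over a few quasi-identifiers,
and the k-anonymity check that detects the exposure.

Constructed data only; this is an added example, not from the meeting
notes, from Sovrin, or from Sweeney's papers.
"""
from collections import defaultdict

# Quasi-identifiers: attributes that are not names but, combined, tend to
# be unique per person (the ZIP / DOB / sex triple from Sweeney's work).
QID = ("zip", "dob", "sex")

# Constructed "de-identified" medical extract: names stripped, QIDs kept.
MEDICAL = [
    {"zip": "02138", "dob": "1965-07-21", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1965-11-03", "sex": "F", "diagnosis": "flu"},
    {"zip": "02138", "dob": "1971-03-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "dob": "1971-08-15", "sex": "M", "diagnosis": "hypertension"},
]

# Constructed public roll (think voter list) carrying names plus the same QIDs.
PUBLIC = [
    {"name": "Alice", "zip": "02138", "dob": "1965-07-21", "sex": "F"},
    {"name": "Beth",  "zip": "02139", "dob": "1965-11-03", "sex": "F"},
    {"name": "Chris", "zip": "02138", "dob": "1971-03-02", "sex": "M"},
    {"name": "Dan",   "zip": "02141", "dob": "1971-08-15", "sex": "M"},
]


def qid_key(rec, qid=QID):
    """The tuple of quasi-identifier values that a record can be joined on."""
    return tuple(rec[a] for a in qid)


def equivalence_classes(records, qid=QID):
    """Group records that are indistinguishable on their quasi-identifiers."""
    classes = defaultdict(list)
    for r in records:
        classes[qid_key(r, qid)].append(r)
    return classes


def k_anonymity(records, qid=QID):
    """Smallest equivalence class; k == 1 means some record is unique on its QIDs."""
    return min(len(v) for v in equivalence_classes(records, qid).values())


def link(anon_records, public_records, qid=QID):
    """Join the anonymized table to the public one on QIDs.

    Returns {index in anon_records: [candidate names]}; a single candidate
    means the row (and its sensitive column) is re-identified.
    """
    public_by_key = equivalence_classes(public_records, qid)
    return {i: [p["name"] for p in public_by_key.get(qid_key(r, qid), [])]
            for i, r in enumerate(anon_records)}


def generalize(rec, zip_digits=3, dob_fields=1):
    """Coarsen QIDs before release: keep the first zip_digits of the ZIP and
    the first dob_fields of YYYY-MM-DD. Defaults give 021** and the birth year."""
    g = dict(rec)
    g["zip"] = rec["zip"][:zip_digits] + "*" * (len(rec["zip"]) - zip_digits)
    g["dob"] = "-".join(rec["dob"].split("-")[:dob_fields])
    return g


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(MEDICAL))           # 1
    for i, names in link(MEDICAL, PUBLIC).items():
        print("  row", i, MEDICAL[i]["diagnosis"], "->", names)  # one name each
    gen_med = [generalize(r) for r in MEDICAL]
    gen_pub = [generalize(r) for r in PUBLIC]
    print("generalized release: k =", k_anonymity(gen_med))   # 2
    for i, names in link(gen_med, gen_pub).items():
        print("  row", i, gen_med[i]["diagnosis"], "->", names)  # two candidates each
```

The raw extract is 1-anonymous, so every diagnosis joins to exactly one name; after truncating ZIP to three digits and DOB to the year it is 2-anonymous, and the join can only narrow each row to a pair. Whether k = 2 is enough is a policy question, and the check only covers the attributes you chose as quasi-identifiers: any extra column the adversary can also obtain elsewhere reopens the join.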