[DG-BSC] blockchain for identity

Eve Maler eve.maler at forgerock.com
Tue Jan 31 15:35:39 CST 2017

Thanks for the thoughts, Jeff (and thanks for the response, Thomas). By the
way, if you read our draft report thus far, I believe you won't see any
evidence of unvarnished excitement in it.

I had a conversation with a old friend last week while in SF for Data
Privacy Day. He was beyond frustrated over the overblown claims made for
blockchain technology, even though he's a fan. In his formulation, which I
thought was excellent, *all it is* is a system for verifying uniqueness of
digital objects.

Thus the affinity for "cash-simulating" use cases (no double-spending),
provenance-tracking use cases (if binding to physical objects is secure),
etc. Pretty much all the parts that identity professionals think of as
"identity and access management" (credential issuance, authentication,
authorization, etc.) and "federated identity" (the ability to have one
entity do an authentication or attribute issuance job and have an entity in
a different domain trust the result) pretty much still need to be done in
an analogous way.

A question we've discussed in this group many a time is whether
decentralization vs. (centralized servers in an architecture) *materially*
empowers individuals by its very existence. (You see this argument made all
over <https://blog.openbazaar.org/what-is-openbazaar/>.) When I gave my
example on one telecon of using an ATM in Barcelona with no network
markings and trusting to the magnetic-stripe gods to get cash with CC
liability protections, I think I showed that this isn't necessarily so...

*Eve Maler*ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

On Tue, Jan 31, 2017 at 10:00 AM, Thomas Hardjono <hardjono at mit.edu> wrote:

> Hi Jeff,
> You are not missing anything here :-)
> I think there are a lot of confusion about the meaning of (a) "identity"
> (as in unique human person) versus  (b) "identifier" (as in email-address,
> public-key, SSN, etc).
> >>> The notion of a user-controlled, distributed identity
> >>> mechanism strikes me as the holy grail in identity.
> Identity allocation is a social process based on a "social contract". A
> baby born in a village has his/her name allocated by his/her parents, and
> the parents declare it to the rest of the village.  The rest of the village
> (as relying parties) accepts the baby's name henceforth.
> The relying party (counterparty) in a 2-party transaction must asses both
> (b) and (a).  The pivot in the decision will be (a) and the
> source/provenance of the data/metadata supporting (a).
> So an individual may control the online-usage of his/her
> digital-identifier (as in (b)) but that individual has no control over the
> authoritative mapping between (b) and (a) above.
> >>> If I have a bad credit rating using one self-managed identity,
> >>> why don't I just create a new identity and seek credit for it?
> >>> As a newbie, I might not have a high rating, but it would likely
> >>> be better than a bad rating.
> This won't work because although you can self-manage your digital
> identifier (a), you have no control over the mapping between a new
> identifier and your person identity (a).
> Organizations such as Banks and Governments have tremendous leeway in the
> authoritative mapping between (b) and (a) above. This is because they are a
> source of business-trust and legal-trust.
> /thomas/
> ________________________________________
> From: dg-bsc-bounces at kantarainitiative.org [dg-bsc-bounces@
> kantarainitiative.org] on behalf of j stollman [stollman.j at gmail.com]
> Sent: Tuesday, January 31, 2017 12:36 PM
> To: dg-bsc at kantarainitiative.org
> Subject: [DG-BSC] blockchain for identity
> I am seeking some insight from this group on the viability of blockchain
> for identity.
> The notion of a user-controlled, distributed identity mechanism strikes me
> as the holy grail in identity.  But, like the holy grail, I am finding it
> difficult to believe that it is real.
> In particular, I don't see what the blockchain can add to identity.
> Yes, I recognize that blockchain does offer distributed consensus.  And I
> while I am not persuaded that proof-of-work and/or proof-of-stake are as
> bulletproof as most people accept, I am not focused on these concerns.
> My concerns stem from what value add the blockchain provides to the
> inscrutable problem of identity.  We can use blockchain to confirm that a
> particular transaction too place at a particular point in time.  For
> example, we can use it to confirm that Alice paid Bob the $1000 he owed her
> within the terms of their agreement.  This verification may be valuable in
> a subsequent credit transaction.  And we can use blockchain to confirm that
> someone claiming to be Alice passed a background check by Bob at a fixed
> point in time where the background check attests to aspects of her health,
> home address, financial stability, national loyalty, trustworthiness with
> confidential data, or some combination of these.  But even this information
> is only useful to someone who believes that Bob is trustworthy and thorough
> in his checking.  And since Bob can never be absolutely certain that the
> Alice who sat in front of his desk is the Alice she claims to be, Bob's
> assessment -- no matter how trustworthy and thorough he is -- is always
> subject to some doubt.  And how are we certain that it was really Bob who
> is asserting the claim on behalf of Alice and not an impostor Bob?  Do we
> believe that merely possessing his private key is sufficient proof to an
> organized attempt to create a false Alice?  I don't see anything about the
> blockchain that addresses these concerns which are - and always have been -
> at the root of identity and trust.
> So many people seem excited because blockchain offers a distributed
> governance model that uses economic incentives to encourage good behavior
> of vetting parties (e.g., miners).  But tracking a single crypto-currency
> is a much more simple task that vetting identifies and the vast array of
> attributes of interest to relying parties - depending on their business.
> And unlike measuring crypto currency transactions which either do or do not
> take place, identify attributes are not 0/1 transactions.  They are a
> collection of probabilities.  And using blockchain does not change this.
> If I have a bad credit rating using one self-managed identity, why don't I
> just create a new identity and seek credit for it?  As a newbie, I might
> not have a high rating, but it would likely be better than a bad rating.
> What am I missing here?
> Thank you.
> Jeff
> ---------------------------------
> Jeff Stollman
> stollman.j at gmail.com<mailto:stollman.j at gmail.com>
> +1 202.683.8699
> <mailto:stollman.j at gmail.com>
> Truth never triumphs — its opponents just die out.
> Science advances one funeral at a time.
>                                     Max Planck
> _______________________________________________
> DG-BSC mailing list
> DG-BSC at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/dg-bsc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/dg-bsc/attachments/20170131/73165bea/attachment.html>

More information about the DG-BSC mailing list