[DG-BSC] blockchain for identity
hardjono at mit.edu
Tue Jan 31 16:31:06 CST 2017
>>> It is a reputation mechanism of the first order.
This is the one I don't quite get.
Consider the following:
(a) If Alice keep all her data (claims, attributes, etc. etc) in her private storage, and
(b) Alice only places the hashes of these data-items on a blockchain,
then how can Bob learn about the reputation of Alice?
All that Bob can see is these transactions (on past blocks) containing random-looking hash values.
From: dg-bsc-bounces at kantarainitiative.org [dg-bsc-bounces at kantarainitiative.org] on behalf of Adrian Gropper [agropper at healthurl.com]
Sent: Tuesday, January 31, 2017 5:13 PM
To: Eve Maler; j stollman
Cc: dg-bsc at kantarainitiative.org
Subject: Re: [DG-BSC] blockchain for identity
How can you consider a new animal like blockchain timestamps "just a system for verifying uniqueness of digital objects"? In the example above, note how blockchain timestamps encourage the participants in a transaction to maintain their own personal data store. This amplifies the incentive for individuals to own technology and redecentralize the internet. (My personal data store today and my personal authorization server tomorrow.)
A distributed public ledger is much more than a uniqueness verification mechanism. It is a reputation mechanism of the first order. Distributed identity is an emergent property as reputations are linked through blockchain transactions.
The linkage of attributes to distributed identity is not directly a blockchain benefit but the efficiency of managing attributes is improved by distributed identity as multiple verifiers can easily reference the same distributed public ledger for free. Blockchains, for example, can serve as a universal revocation mechanism.
Widespread adoption of blockchain math will clearly reduce the need for federations and will empower the individual that is willing to invest in technology that they own. The only question is how much and how fast.
On Tue, Jan 31, 2017 at 4:36 PM Eve Maler <eve.maler at forgerock.com<mailto:eve.maler at forgerock.com>> wrote:
Thanks for the thoughts, Jeff (and thanks for the response, Thomas). By the way, if you read our draft report thus far, I believe you won't see any evidence of unvarnished excitement in it.
I had a conversation with a old friend last week while in SF for Data Privacy Day. He was beyond frustrated over the overblown claims made for blockchain technology, even though he's a fan. In his formulation, which I thought was excellent, all it is is a system for verifying uniqueness of digital objects.
Thus the affinity for "cash-simulating" use cases (no double-spending), provenance-tracking use cases (if binding to physical objects is secure), etc. Pretty much all the parts that identity professionals think of as "identity and access management" (credential issuance, authentication, authorization, etc.) and "federated identity" (the ability to have one entity do an authentication or attribute issuance job and have an entity in a different domain trust the result) pretty much still need to be done in an analogous way.
A question we've discussed in this group many a time is whether decentralization vs. (centralized servers in an architecture) materially empowers individuals by its very existence. (You see this argument made all over<https://blog.openbazaar.org/what-is-openbazaar/>.) When I gave my example on one telecon of using an ATM in Barcelona with no network markings and trusting to the magnetic-stripe gods to get cash with CC liability protections, I think I showed that this isn't necessarily so...
ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
On Tue, Jan 31, 2017 at 10:00 AM, Thomas Hardjono <hardjono at mit.edu<mailto:hardjono at mit.edu>> wrote:
You are not missing anything here :-)
I think there are a lot of confusion about the meaning of (a) "identity" (as in unique human person) versus (b) "identifier" (as in email-address, public-key, SSN, etc).
>>> The notion of a user-controlled, distributed identity
>>> mechanism strikes me as the holy grail in identity.
Identity allocation is a social process based on a "social contract". A baby born in a village has his/her name allocated by his/her parents, and the parents declare it to the rest of the village. The rest of the village (as relying parties) accepts the baby's name henceforth.
The relying party (counterparty) in a 2-party transaction must asses both (b) and (a). The pivot in the decision will be (a) and the source/provenance of the data/metadata supporting (a).
So an individual may control the online-usage of his/her digital-identifier (as in (b)) but that individual has no control over the authoritative mapping between (b) and (a) above.
>>> If I have a bad credit rating using one self-managed identity,
>>> why don't I just create a new identity and seek credit for it?
>>> As a newbie, I might not have a high rating, but it would likely
>>> be better than a bad rating.
This won't work because although you can self-manage your digital identifier (a), you have no control over the mapping between a new identifier and your person identity (a).
Organizations such as Banks and Governments have tremendous leeway in the authoritative mapping between (b) and (a) above. This is because they are a source of business-trust and legal-trust.
From: dg-bsc-bounces at kantarainitiative.org<mailto:dg-bsc-bounces at kantarainitiative.org> [dg-bsc-bounces at kantarainitiative.org<mailto:dg-bsc-bounces at kantarainitiative.org>] on behalf of j stollman [stollman.j at gmail.com<mailto:stollman.j at gmail.com>]
Sent: Tuesday, January 31, 2017 12:36 PM
To: dg-bsc at kantarainitiative.org<mailto:dg-bsc at kantarainitiative.org>
Subject: [DG-BSC] blockchain for identity
I am seeking some insight from this group on the viability of blockchain for identity.
The notion of a user-controlled, distributed identity mechanism strikes me as the holy grail in identity. But, like the holy grail, I am finding it difficult to believe that it is real.
In particular, I don't see what the blockchain can add to identity.
Yes, I recognize that blockchain does offer distributed consensus. And I while I am not persuaded that proof-of-work and/or proof-of-stake are as bulletproof as most people accept, I am not focused on these concerns.
My concerns stem from what value add the blockchain provides to the inscrutable problem of identity. We can use blockchain to confirm that a particular transaction too place at a particular point in time. For example, we can use it to confirm that Alice paid Bob the $1000 he owed her within the terms of their agreement. This verification may be valuable in a subsequent credit transaction. And we can use blockchain to confirm that someone claiming to be Alice passed a background check by Bob at a fixed point in time where the background check attests to aspects of her health, home address, financial stability, national loyalty, trustworthiness with confidential data, or some combination of these. But even this information is only useful to someone who believes that Bob is trustworthy and thorough in his checking. And since Bob can never be absolutely certain that the Alice who sat in front of his desk is the Alice she claims to be, Bob's assessment -- no matter how trustworthy and thorough he is -- is always subject to some doubt. And how are we certain that it was really Bob who is asserting the claim on behalf of Alice and not an impostor Bob? Do we believe that merely possessing his private key is sufficient proof to an organized attempt to create a false Alice? I don't see anything about the blockchain that addresses these concerns which are - and always have been - at the root of identity and trust.
So many people seem excited because blockchain offers a distributed governance model that uses economic incentives to encourage good behavior of vetting parties (e.g., miners). But tracking a single crypto-currency is a much more simple task that vetting identifies and the vast array of attributes of interest to relying parties - depending on their business. And unlike measuring crypto currency transactions which either do or do not take place, identify attributes are not 0/1 transactions. They are a collection of probabilities. And using blockchain does not change this.
If I have a bad credit rating using one self-managed identity, why don't I just create a new identity and seek credit for it? As a newbie, I might not have a high rating, but it would likely be better than a bad rating.
What am I missing here?
stollman.j at gmail.com<mailto:stollman.j at gmail.com><mailto:stollman.j at gmail.com<mailto:stollman.j at gmail.com>>
<mailto:stollman.j at gmail.com<mailto:stollman.j at gmail.com>>
Truth never triumphs — its opponents just die out.
Science advances one funeral at a time.
DG-BSC mailing list
DG-BSC at kantarainitiative.org<mailto:DG-BSC at kantarainitiative.org>
DG-BSC mailing list
DG-BSC at kantarainitiative.org<mailto:DG-BSC at kantarainitiative.org>
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
More information about the DG-BSC