Getting started with decentralized identity
nathangould.comAs I said 48 days ago when this last came up on YC, the classic "Why your idea for stopping spam sucks" list applies.[1] Go re-read that and you'll see the same identity problems and proposed solutions.
If people can create and abandon identities cheaply. they will use those identities for annoyance or fraud. Hence spam, robocalls, etc. This is also why the "federated" social networks are not too useful.
On the other hand, publicly visible identities that are very strongly tied to a person or physical place lead to strong tracking and the abuses associated with that.
So, explain how "Web5" avoids those problems.
Bullshit on at least a couple fronts.
First, even when people strongly have their real identity tied to their digital or other activities, it amazingly often does nearly nothing at all to stop them from all kinds of spammy abuse, fraud, lying, trolling and all sorts of bad behavior. This happens across the board, world-wide in any non-personal social or digital setting.
Secondly, I'd argue that the ability to "decentralize" ID and anonymize oneself is more than worth having as at least a moderate bulwark against the pervasive parasitic, predatory modern corporate/government surveillance world that we increasingly live in. It's nice to talk about keeping people "respectful" with a strongly tied down identity but how ideal is this when these people live in a world of giant institutions that respect next to nothing whenever it's convenient for their interests?
Yeah, in no small part that "identity" is transferable. It can be stolen, resold to other parties for a profit, or rented out.
Decentralization is about decentralizing services, not identity. You have one identity, decentralization allows you to control how it’s used.
Is that based on any particular example? Off the top of my head, I can think of several mechanisms by which tying a pseudonym to a real identity could deter or address malicious behavior: law suit, jail time, loss of collateral, permanent ban of a human being from a service, etc.even when people strongly have their real identity tied to their digital or other activities, it amazingly often does nearly nothing [...]
Well, the downside is unstoppable crime, harassment, dis/misinformation... but let's entirely ignore all that, and just daydream about the valiant freedom fighters it will save from oppressive government /sthe ability to "decentralize" ID and anonymize oneself is more than worth [...]Connecting your digital identity opens you up to stalking, data mining, identity fraud and a host of other things not government related.
Sure, but a pseudonymous digital identity can provide decent protection for those problems. If government wants the user's personal details, that's different, since, even if the information were never stored on computer, one could obtain it via court order – but the ability to do that is partly the point.
Personally, I think the state being able to deanonymize users is an antifeature. A bug that needs fixing.
>>but let's entirely ignore all that, and just daydream about the valiant freedom fighters it will save from oppressive government /s
The threat from governments and other entities that obtain a monopoly on violence is one that is not naturally self limiting. There is no right governments cannot deprive people of, making most of the methods people use to defend themselves from a threat (e.g. being discriminating when choosing who to associate with, hiring private security, etc) ineffective when dealing with threats posed by governments. Therefore, I think mitigating the dangers posed by the state should be the highest priority.
One way we know that achieves this is eliminating, via disintermediation of centralized platforms, the bottlenecks that magnify the power of the state, and reduce the political cost for those who control the state to enforce mass-surveillance or censorship edicts.
I can think of many (admittedly anecdotal but I think valid enough) examples. Just off the top of my head, Facebook is full of people who plainly use their real name and operate their account within the context of their real, in-person or professional circles of friends. Despite this, many of these people regularly place comments or posts that are blatantly rude, racist, spammy, fraudulent and so forth. It's a very common phenomenon and with little repercussions in most contexts. Social media and many other digital media forums are also loaded with people who regularly defraud others in ambiguous ways with little to no legal consequences. Imagine, if you go to a typical city police station in, say, nearly any North American city and report a non-violent property crime, the police will often straight up tell you that aside from filing a report, they'll do next to nothing else. Now imagine how much less they usually care in the case of legally grey cases of digital fraud below a certain genuinely large or frequently repeated amount. Even if you have a person's completely real name to point to, many criminal investigators just won't care, it won't be worth their time unless it's part of a massive pattern, involves lots of money, or affected someone with major political or social clout. A lack of anonymity means nothing in these contexts. At the same time, a lack of anonymity does indeed expose many other people to all kinds of unfair abuse that they have little recourse against.
As for your second point: The topic of dis/misinformation is a whole separate can of worms that I won't go into in detail right now, aside from saying that it's loaded with assumptions and shifty, politically charged definitions of what really is disinformation. This aside from the fact that I sincerely believe people have a right to share even stupidly mistaken opinions of X or Y, regardless of what certain self-proclaimed intellectual betters think should be allowed. With regard to your other points about crime and harassment, I refer you to my point above: firmly verified IDs barely dent these things. However they definitively do open people up to surveillance, censorship and the illegal leaking of vast troves of sensitive personal data from hacks of "secure" ID verification systems run by governments and corporations. To me, the trade-off is clearly in favor of giving people a basic right to hiding their real identity in all but absolutely necessary situations..
> The process of binding a DID to something in the physical world, such as a person or an organization — for example, by using verifiable credentials with the same subject as that DID — is contemplated by this specification and further defined in the Verifiable Credentials Data Model [VC-DATA-MODEL].
https://www.w3.org/TR/did-core/#proving-control-and-binding
Here is the diagram:
https://www.w3.org/TR/vc-data-model/#lifecycle-details
The idea there is that identity providers and other authorities (governments, credit agencies, etc) issue credentials after the person authenticates with them.
This isn't much different than how it works today with, for example, a cookie on the Experian website, but the idea is that I can now take this cookie, show it to a third party and the third party can verify the credential's validity.
Wow now it sounds awful for other reasons.
Still pie-in-the-sky, but I still think we've been low ambition & not had good decentralized-identity-preconditions to begin exploring web-of-trust models. Past behavior is a huge indicator, one we can judge, & which many others will have judged. Trying to filter those other judges, decide what trust anchors we have & what biases to give, is a place where humanity would have a lot of freedom to tweak & explore, if we had these modest adequate technical underpinnings to begin to explore from.
But we just lost a decade to blockchain mania & consensus computing, rather than exploring anything actually genuinely distributed & decentralized & non-consensus. Also worth admitting AI just got good enough to convincingly fake being an online person fairly well, which can potentially massively outperform any attempt at moderation & seeking truth/genuineness that humans might ever make; said explicitly, bad/business-motivated actor's ability to fuck up anything but an ultra-conservative/paranoid web-of-trust has gone up orders of magnitudes in the past couple years.
> web-of-trust models
Been there, done that, seen it abused for SEO.
Hi John. Where has it been done distributedly ever and at any decent size of adoption?
To me, the premise that we start with some self soverign moderation opens to the door to endless creatives refinements & betterments we can collaboratively explore? Afaik Earth has never had that privilege, has never really tried this at any degree. We've had some keysigning parties but actual reputation & moderation... no.
Im not sure what evidence we have to stick a fork in this one & call it done. Doesnt feel to me like we hardly ever began.
Google's original backlink-based rating system was a web of trust model. A whole industry developed around gaming it.
> but the idea is that I can now take this cookie, show it to a third party and the third party can verify the credential's validity.
Or you know, like oauth.
Or if you want to really play up the credential angle, how tls client certificates work, if anyone would ever use them.
Perhaps TLS client certificates are unpopular because pretty much everyone uses some sort of anti-ddos or caching server in front of their services (cloud load balancers, fastly, akamai, cloudflare) so any TLS client certificate authentication and validation has to be baked into the service[0] (another possibility could be the service encoding the client's information and shipping it to the origin server via headers).
Another options for companies is only signing request bodies and validating a request signature in the header like discord does[1].
0: https://developers.cloudflare.com/api-shield/security/mtls/c...
1: https://discord.com/developers/docs/interactions/receiving-a...
TLS client certs were unpopular way before external TLS termination became popular.
Besides, it would be fairly easy to implement at a cdn layer. Just give it a list of valid CAs, and have it set some header.
The real reason is that UI challenges for client certs are really hard. You can see it in the fact that people actual do use client certs in server to server communication (e.g. like between cache and backend)
Having worked with TLS client certificates before, I like them, but I wouldn't inflict them on anyone else.
Would having all data produced by a DID being verifiable mean that I could stop any nugget of information coming out of that producer from reaching me just by a simple computation?
Urbit solves it by making the ID scarce with a cheap, but non-zero cost that makes spam prohibitively expensive.
It also makes blocking and moderation easy and the pseudonyms accrue reputation.
Yeah...wonder why it wasn't mentioned...
The digital identity infrastructure space is already crowded, with players like Apple, Google and Microsoft working with governments and institutions, because they own the devices we use, and the entire point is that people will be able to use their phones to identify themselves everywhere. Apple ID is already like 90% there, despite having to trust Apple with your personal data, which nobody has a problem with. The Web3 approach of having to trust nobody is not really practical to begin with. Blockchains are slow and expensive. Worst yet it's still up to you to verify the client and whether it's connected to the authoritative version of the blockchain, since blockchains can be replaced by a fork. At that point you might as well trust Apple.
In the long term I hope Apple does not win. The idea that we should just submit the world’s private data to Apple for the next century is… terrible.
Zero knowledge proofs are one of the more promising things starting to emerge from crypto and decentralized blockchain space. If desired, you can still trust Apple for the ZK proof generation and verification without having to store any private details on their servers.
Practical ZK is coming from cryptography, like this decentralized gun registry by the Brown University.
https://eprint.iacr.org/2021/107.pdf
People in the crypto space are coming from a different angle, they are franctically trying to find a legitimate use for cryptocurrencies, so far unsuccessfully, by constantly rebranding blockchain technologies without being able to address the challenges. It's not that we desire to trust Apple, it's that they get things done. They have actual solutions that work, not just empty promises aimed at greater fools. People in the crypto space never deliver.
I don’t see any reference to zero knowledge proof in there.
Look into modern research around succinct and generalized ZK proofs. SNARKs, STARKs, PLONK, zkVMs, MPC and secure setup ceremonies. All of this is coming from blockchain and crypto space and will transform some ways we manage privacy in the future. It does not need to be used with a blockchain but pairs well as the choices of arithmetic are often optimized to EVM.
“Apple is faster at delivering than a decentralized group of developers and researchers creating novel cryptographic protocols and open source software” - well, no shit.
> The Web3 approach of having to trust nobody is not really practical to begin with. Blockchains are slow and expensive.
I generally agree, for almost all uses blockchains are pretty bad.
But it has, so far, been an eventually consistent global write-only data store where reads have 100% uptime. I don't want a service layer on blockchain, don't want to be using the blockchain to transact, but if there's some small modicum of write-once globally-read-many datum (such as oh say, a cryptographic token I can use to sign things to prove my identity) where blockchain actually seems like a good match. The slow and expensive isn't a problem, if all I'm doing is proving an identity I made a long time ago.
I'm not super worried about people verifying me using a bad blockchain. These systems should be self-verifying & diverging for too long should trip systems.
Definitely possible that Apple will win the identity wars. That said, I don't agree with the characterization of web3/web5 as "having to trust nobody". If anything, all the efforts around identity are meant to allow for bringing IRL notions of trust onto the internet. In other words, the whole pseudonymity thing is not a result of using blockchain, but just the fact that nobody's bothered to add identity verification to a lot of stuff happening in web3. That's changing though.
Sheesh, "web5"? I guess we blew right past web4.
Normally i try to avoid low quality complaint comments like the one i am making, but blockchain naming is frustrating.
It's a little bit tongue and cheek. (Read the post.)
Maybe, but honestly in the article it seems less tounge in cheek, and more "its just a joke bro" to deflect criticism.
> Blockchains are slow and expensive.
Yeah. In every other situation, people try to improve the speed and efficiency of software.
In this case, it’s like people prefer to do bubble sort even if there is quick sort available. And then sell it as the best thing ever invented.
Blockchain. It's always blockchain. Can we just not?
How about we go back to web 1.0. TLS mutual cert auth with an ID card as a smart card, either from the government or from your favourite third party.
Or maybe we go back to web 2.0 with OpenID. Users pick their own identity providers and websites can pick which ones to trust and which ones not to trust. Actually, we already have that, and it's "sign in with Google/Facebook/Apple".
If you're a fan of stuffing Javascript everywhere you can, just use FIDO2/WebAuthn before or after validating the user through OAuth.
Solutions exist. Nobody wants to implement them, it seems. Inventing new ways to do what has been done before doesn't solve the problem, it just creates more dead protocols.
Well, one of the few plausibly-valuable additions to the world offered by blockchains are globally-distributed databases not owned/controlled/bound to any single organization. Why not make use of them for something other than scams, pump & dumps, etc.?
Blockchains are expensive in terms of money and energy consumption.
I'm not paying $10-$30 to store data on the ethereum blockchain every time I need to add some kind of datum (assuming the ethereum blockchain). That price will only go up once such a system actually becomes used by many parties, making the system even more expensive.
I'm already overpaying for getting the government to do stuff for me. I don't want to overpay some random servers all over the world instead of my government, that's just moving (and duplicating) the problem.
Because the times where a globally distributed non-controllable database is actually useful to solve problems is fairly limited.
Blockchain people are the epitome of the "when all you have is a hammer everything looks like a nail" proverb.
Blockchain has value here, essentially acting as a distributed collection of digital signatures.
If I need to prove my date of birth, why not present a credential, signed by the vital records agency of where I was born to prove it without any data broker in the middle?
Signatures exist outside of the blockchain. You can just send your signed data point, that's the point.
The only thing the blockchain protects against in these circumstances would be that the government is denying ever signing your date of birth and you losing your signed token. I don't think that's a problem in practice in most countries where an alternative trust system would even work.
Sure; vaccination credentials took this approach by establishing a registry of known signers.
That approach doesn’t scale.
It’s easy to shit on blockchain, but this particular area is one worth understanding.
I don't understand it though. What trust can you derive from the blockchain? If a user visits my site and says "I'm jeroenhd, Spooky23 verified it" then that means absolutely nothing to me. The blockchain may be unalterable (without hard forks, at least) but there's no reason why I'd trust the blockchain more than a piece of paper that says "I'm 18 you can sell me booze".
> That approach doesn’t scale.
Why not? Traditional PKI has generally met the scalability test, so this is a pretty bold claim.
> It’s easy to shit on blockchain, but this particular area is one worth understanding.
Sometimes i wonder if blockchain is really an edgy teenager in trenchcoat. Criticism is always met with "~ThEY jUSt donT UnderStAnD Meeee!!!~~~"
In case you didn't know, Git is effectively blockchain. It's just that 'breaking' the chain/rewriting history is as simple as `git push --force` and other clients can accept the rewritten history with `git reset origin/<branch> --hard`. Blockchain is (more) useful when artificial scarcity isn't involved.
Blockchain means there is also a consensus mechanism. That’s the whole point: resolving conflicts.
Git is basically a Merkel Tree, but not a blockchain.
Are blockchain people physically incapable of speaking plainly?
Its hard to cut theough the buzzword bullshit, but this sounds like they reinvented PKI and added 10 billion layers of indirection.
Is there more to it than that? Or is this really just taking the latest technogies of the 1990s, and explaining it badly so people think they have invented something new?
> Are blockchain people physically incapable of speaking plainly?
While I agree that blockchain technologies can quickly fall in bullshit buzzwords, there is still food for thoughts here, but you have to be somewhat familiar with the subject to understand it.
Let me try to explain it from software engineer to software engineer.
The core of web 5 is "self sovereign identity" . That means you (the user) gets to be in control of authentication, identification, and user data access and lifecycle.
Take a typical web 2.0 worflow:
- You sign up on a website / app by providing mail, password, and some other user data like address, phone, etc.
- The website / app stores your information + their own metadata (admin flag, purchase history, whatever) in their database somehow.
- When you log in, you are given a JWT which basically is just a subset of the data you provided + the website metadata, along with a signature to ensure you're not forging all that.
- The website / app have you perform API calls providing the JWT.
The whole idea of self sovereign identity is that you don't need the website / app to own any of your data and metadata in the first place.
If your data is stored in a place _you_ control, and where _you_ can delegate read access to them, as well as the capability for them to enhance it with their metadata that they can sign, then you can pretty much get rid of them storing anything at all about you.
This place where you store your data is a blockchain dedicated for that purpose. You can have all your information stored there, encrypted, and just encrypt for their public key what you are willing to share with them. If you don't want them to know you anymore, just remove the version of your data encrypted for them.
If they need to store additional metadata on you (say an "is_admin" flag), have them store it in your wallet and sign it.
You can pretty much see it as a blockchain of persistent JWT claims that you control. These claims would be accessed through a browser plug-in a-la-metamask.
The overall idea is that by switching to this model, websites / apps will become 99% front-end only, APIs will switch to smart contracts, and you will have total control of your data.
Hope that clarifies a bit the jargon of the article.
> then you can pretty much get rid of them storing anything at all about you.
But why would they want to?
If i understand, the premise of this idea is basically that we don't trust service providers with our data/to have our best interests at heart.
So we make a complex system where service providers (for the sake of argument, i dont know if i buy this) must respect our wishes.
Which raises the question, why would they?
Either a) service providers are good, and this system is pointless.
Or b) service providers are evil and they wouldn't use it and/or would subvert the intention.
> If you don't want them to know you anymore, just remove the version of your data encrypted for them.
Assuming they dont store it. Can't unring a bell.
> The overall idea is that by switching to this model, websites / apps will become 99% front-end only, APIs will switch to smart contracts, and you will have total control of your data.
Idk what y'all are smoking over there, but its clearly the good stuff.
>> then you can pretty much get rid of them storing anything at all about you.
> But why would they want to
Well the overall premise is that if they don't need to, it will become harder to justify to your users. The second premise is that legislation can be put in place to forbid the ad hoc storage of PIIs.
Europe already has in place legislation to allow users to have read and removal access to their PIIs stored by third parties, it does not seem inconceivable that a logical next step would be to actually enforce that users have real ownership of their PIIs by forbidding providers to store them at all.
> Either a) service providers are good, and this system is pointless.
Not really. The issue with personal data is not just good/bad. There is a spectrum in between.
You can be the best intentioned provider and still get hacked. When you think about it, it actually makes no sense to trust any service provider with your data considering 99% of them are not going to be able to properly store and secure them. Why not have a system that is secure by default.
And then there's the whole gray zone of what happens if the company sells your data, exploits it internally, gets bought by another company, changes EULA, shares with her parent company, etc.
> Idk what y'all are smoking over there, but its clearly the good stuff.
Try to be more open about it and don't get dragged on by the anti crypto trend blindly.
Sure there are a bunch of ridiculous things out there, but there's also actually good ideas.
> Well the overall premise is that if they don't need to, it will become harder to justify to your users. The second premise is that legislation can be put in place to forbid the ad hoc storage of PIIs.
If your system requires a government enforced monopoly, or some sort of class uprising, to succeed, its probably a bad system.
Literally any system, regardless of how good an idea it is, would succeed under those conditions.
Why not just store it on your own computer? Why even put it on the blockchain at all?
I like the idea that at least in web5, the term "wallet" might actually make sense, because the credentials or whatever actually "live" on your own device/node.
Web3 should really use "signet" rather than "wallet." Web3 is all about signing, attestation, and authentication through digital signatures. That's what signets are for, not wallets.
Coinkite recently switched to the term "signing device," but 1) that's lame, and 2) "signet" already exists and means the same thing.
At least with web5, the wallet analogy works.
Bingo! =)
For the "Learning resources" section, I would also recommend checking ION¹. I have tested a few DID Methods including Sovrin, Veres One, and ION, and the latter is the most spec-adherent and well-implemented, apart from receiving funding from companies like Microsoft and TBD (which is proposing web5 in the first place). And yes, it is the only DID Method to receive support from big tech (was incubated within Microsoft, then donated to the Decentralized Identity Foundation), and it also happens to be a technically better solution.
Why I think it is better: (1) don't need a new blockchain (re-uses Bitcoin's); and (2) implements DIDs / DID Documents with all needed features (e.g. last time I tried, Sovrin's implementation did not support serviceEndpoints!)
¹ https://identity.foundation/ion/
² https://www.coindesk.com/markets/2021/03/25/microsofts-ion-d...
ION makes bad choices that are disastrous for user privacy. They don't even acknowledge these problems, let alone propose a solution for them. See: https://news.ycombinator.com/item?id=32283529
DIDs recently became a web2 standard [1] that's also embraced in web3 e.g. by Cardano / Atala Prism [2].
Two weeks ago I was part of a small group that met at IPFS Thing in Iceland. One very promising specification missing from this article is UCAN (from Fission) which provides a set of custom claims that can be added to a JWT to allow delegation of privileges in a decentralized environment. Definitely worth a look!
Thanks, I hate it.
Web2 is not perfect but all the complexity brought by web>2 is just not worth the bits it’s written in.
Make something simple and easy to use and understand, dammit. I don’t want my mum to call me because her identity provider for Instagram is down.
What happened to web4
I hear it's part of Winamp 4 for Windows 9.
Obvious gap in the market for a promising startup to own
Follows the Winamp naming of web2 + web3 = web5.
The article completely misses the mark in creating some weird narrative about 'web3 turning into web5', all seemingly based on a wordplay announcement by Dorsey, thereby giving that project a lot of undue credibility.
In reality, many of the good projects and people referenced at the end of the article have been working for years without any notion that their projects are sprung out of some hyped but underspecified 'web3' technology.
Dorsey's 'web5' clamor is mostly about (barely [1]) implementing some existing technology and then writing a bit of slideware around it [2], which proposes to magically "allow individuals, organizations, and companies to publish credentials anyone can discover and independently verify" while not spending any thought on how such a PKI would be ("independently") governed without centralizing everything back again – an all too common failure mode of 'web3' [3].
Meanwhile, both Dorsey's slideware [4] and the actual specifications referenced [5][6] make bad technological choices with regard to privacy where users have stable identifiers (their public keys) which must be published, allowing them to be easily tracked across transactions.
While this can be used as a building block, no material on the 'web5' website or the TBD54566975 Github repository (I guess it's some other wordplay) indicates that they even recognize this as a problem, let alone that they propose how to solve it.
This is no new problem however: Sovrin – which many people referenced in the OP have worked on or with – has published a commentary on this back in 2018 [7]. There's also a great talk by Christopher Allen if you need to refresh your memory about what you need to consider when designing identity systems [8].
Otherwise the OP can be a great introduction to identity, but please don't feed the magical hypetrain.
[1] https://github.com/TBD54566975/ssi-service#whats-supported
[2] https://developer.tbd.website/docs/Decentralized%20Web%20Pla...
[3] https://moxie.org/2022/01/07/web3-first-impressions.html
[4] See the diagram on page 9 of [2]
[5] https://identity.foundation/decentralized-web-node/spec/
[6] https://identity.foundation/ion/
[7] https://sovrin.org/wp-content/uploads/2018/10/What-Goes-On-T...
OP here. Did not mean to imply that web5 sprung out of web3 in any sense. Really I just found web3 to be a useful reference point for explaining SSI. Lots of people understand how web3 works at this point, but there's way less mindshare around the idea of a digital wallet that actually holds credentials and not just private keys.
To that end, I'm generally happy to support the hype, and hope this stuff gets more attention from the web3 lot.
> Did not mean to imply that web5 sprung out of web3 in any sense.
It's really hard for anyone unfamiliar to the area to not read that in your article. To take three quotes out of the whole narrative: "But web5 takes it to the next level", "it's possible to keep the good parts of web3 while improving on its privacy properties (...) thats what web5 is all about", "In web5 (...) This is a radical departure from both web2 and web3".
I get that you wanted some nice story for your blogpost, but it's just not grounded in reality, and you're supporting the wrong actors here if you really want to claim that 'web5' is about privacy.
> I'm generally happy to support the hype
Happy to support privacy destroying technology by adopting their buzzwords while plenty of people – which you even reference at the end – do keep ethics in mind. Alrighty then.