Agreed 100% that this is someone looking for a problem to fit their solution. All you need for decentralized identity is a (collection of) public key(s) that can be referenced and cryptographic enforcement of authenticity+integrity. Although I might be a bit biased, because I'm working on a project that does this.[1] Such an identity system is simple enough that you can layer any naming mechanism on top of it without appreciable extra cost compared to a unified approach, at the advantage of not restricting yourself to a specific naming architecture. By all accounts, a blockchain is a tremendously inappropriate amount of bloat for the purpose of identity authentication.
> Identity does not require consensus, naming does.
Decentralized identity revocation requires a blockchain. It's easy enough to give people statements that you control a given public key. It's hard for them to know whether they should still trust that key. Blockchains are the only systems that are censorship-resistant enough for us to rely on for this purpose.
To add to this, the author brought up another interesting point: the organization you belong to should not own the identity. This will allow the identity to be associated with 0..* organizations, and the data associated with your identity can travel, be shared, etc. This can be supported with a good authentication / authorization data model without decentralizing the identity.
Satoshi Nakamoto is a case study in how confused everyone is about the concept of identity. Many of the engineers I talk to are at the point where they refuse to even use the term "digital identity" at all. (I think this is mostly what you are saying.)
>Because it can present a proof it controls the identity
I think BlockchainID is a step in the right direction but is it even alive still? The only specification I know of is a draft that's now 9 months old and leaves the question of security up to users having a strong password. Beyond that I thought it was just proof of concepts.
So, the linked BlockchainID publicly stores all secrets in an encrypted format. Why would that be good, and even necessary, for a decentralized identity?
Such a system has existed for years and is called OpenID. You can use your own OpenID provider, or choose from an established provider, which is precisely what you do every time you log in to a site with Google or GitHub, for example.
OpenID has some fundamental problems that Mozilla tried to address somewhat with its Persona API, and was marginally successful until they decided to stop working on it, sadly. The fact that it doesn't use Bitcoin has almost nothing to do with OpenID's flaws, though.
The biggest thing I see standing in the way of this vision of the future is that it seems to actively go against IT best practices that medium/big orgs have in place.
Medium and large organizations should just run their own services that parse the blockchain and turn the data embedded in Bitcoin transactions into the state of names and owners. This service would read from the public network but could itself be only accessible on the corporate network/VPN.
Most companies will, understandably, shy away from letting you take your Salesforce info with you. Closed systems are beneficial to employers. Telling companies to throw away some of their competitive advantages (e.g. distribution lists, best customers, etc...) in the name of open-source, decentralized identity is, I believe, an impossible sell.
"Most companies will, understandably, shy away from letting you take your Salesforce info with you. Closed systems are beneficial to employers."
While this is specifically referring to statistics in the OP:
Agree. But what if the concept is too important to be allowed to be owned by a company? What if TCP/IP were AOL/IP? Would we even be here now? I doubt it.
murbard2 | 10 years ago
If you want to have a decentralized DNS, a blockchain might make sense. However, a global consensus on who controls what name isn't as relevant as one would think. As more and more interactions are initiated online, the SSH model of accepting the key on the first connection becomes better suited.
How do I know I am connecting to my bank's website and not some phishing website? Because it presents me with a proof that it controls the identity of the website where I initially opened my account.
My point is that decentralized identity does not require a blockchain. This is the result of people thinking: "hey, what can I do with a blockchain?" rather than "How do I build a decentralized identity system".
The supreme irony is that Satoshi Nakamoto is the perfect proof that a secure online identity need not depend on a central authority, or a blockchain.
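The SSH-style check described in the comment above, as an added example (not code from the thread or from any project it mentions): the peer signs a fresh nonce to prove it holds the key, and the verifier pins that key on first contact and rejects a different one afterwards. The names `PinStore`, `Authenticate` and `Scenario`, the label "bank", and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrBadProof = errors.New("signature over the nonce does not verify")
var ErrKeyChanged = errors.New("key differs from the one pinned on first contact")

// PinStore maps a locally chosen name to the SHA-256 of the key pinned for it.
type PinStore map[string][32]byte

// Authenticate checks proof of possession, then applies trust on first use.
// pinnedNow is true only when this call recorded the key for the first time.
func (s PinStore) Authenticate(name string, pub ed25519.PublicKey, nonce, sig []byte) (pinnedNow bool, err error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, nonce, sig) {
		return false, ErrBadProof
	}
	fp := sha256.Sum256(pub)
	pinned, seen := s[name]
	if seen && pinned != fp {
		return false, ErrKeyChanged
	}
	s[name] = fp // first contact pins the key; a returning key rewrites the same value
	return !seen, nil
}

// Scenario runs four contacts with constructed keys and returns each outcome.
func Scenario() (first bool, returning, swapped, forged error) {
	bankPub, bankKey, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	evilPub, evilKey, _ := ed25519.GenerateKey(nil)
	store := PinStore{}
	try := func(pub ed25519.PublicKey, key ed25519.PrivateKey) (bool, error) {
		nonce := make([]byte, 32) // fresh per attempt so proofs cannot be replayed
		if _, err := rand.Read(nonce); err != nil {
			panic(err)
		}
		return store.Authenticate("bank", pub, nonce, ed25519.Sign(key, nonce))
	}
	first, _ = try(bankPub, bankKey)
	_, returning = try(bankPub, bankKey)
	_, swapped = try(evilPub, evilKey) // valid proof, but not the pinned key
	_, forged = try(bankPub, evilKey)  // pinned key claimed, proof made with another
	return
}

func main() { fmt.Println(Scenario()) }
```

Pinning gives key continuity only: a pinned key that has since been stolen still passes this check, which is the revocation question raised elsewhere in the thread.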
nbadg | 10 years ago
I wouldn't say that naming requires consensus though. Naming requires a degree of trust in the entity declaring the name. Consensus is only one way to arrive at that trust. And different organizations will have different requirements for trust: for example your bank is going to have very different requirements to "name" your account than, say, Facebook. Informally I've called this the difference between identity authentication vs identity verification, but I know that's not ideal terminology -- does anyone have a better suggestion?
[1] https://github.com/Muterra/doc-muse
muneeb | 10 years ago
It's not just about global consensus on naming, but also global consensus on data associated with that name (which includes proofs/verifications/signed-statements etc). In other words, the system described in that post is not just "DNS for people", it is "DNS + PKI for people".
> Satoshi Nakamoto is the perfect proof that a secure online identity
The Satoshi Nakamoto secure identity you're describing is missing the human-readable part of Zooko's triangle. Not having human-readable names is a major limiting factor for practical adoption.
natrius | 10 years ago
Sure, lots of people have done lots of thought experiments about what to use blockchains for, some of which weren't the best. However, if you haven't gone through that period yourself, your blockchain use cases are probably too narrow.
omgitstom | 10 years ago
To bring this back around, the identity does not require consensus, the naming does, and the claims about the identity do.
dvanduzer | 10 years ago
I still trot this link out as a primer whenever the subject comes up: http://stpeter.im/journal/1035.html
jsprogrammer | 10 years ago
Which proof are you referring to?
As far as I know, there is no way to prove that someone else doesn't have the same number as you (they may have even pilfered the number from you without your knowledge).
shea256 | 10 years ago
For example, how would you imagine a system could implement key revocation and signed statement revocation?
rabbyte | 10 years ago
As someone building an identity system on Ethereum, I'd like to remain interoperable, but I don't know where I would find info unless I dig through blog posts.
exo762 | 10 years ago
AFAIR they have moved from Namecoin to Bitcoin blockchain some time ago.
[0] http://blog.onename.com/
muneeb | 10 years ago
Check out https://github.com/blockstack for implementation of different software components and protocol documentation!
ludbb | 10 years ago
It is trying to solve key storage and public identity at the same time. How could it possibly be a good idea to store secrets publicly?
andmarios | 10 years ago
Alas it doesn't use bitcoin...
nickbauman | 10 years ago
dcosson | 10 years ago
For instance, the github example in the article is cool but it seems like every company over ~100 employees switches to github enterprise or a similar self-hosted tool where every employee has an isolated account and it's only accessible on the corporate network/VPN.
I've looked around out of curiosity and I haven't really found any good information about building a secure IT organization while taking advantage of modern SAAS products (e.g. github, slack, circleci, docker hub, whatever else). It's basically taken as a given that if you want to be secure you'll have a corporate network in your physical office and all your important internal tools will be on that network (or an even more tightly locked down subnet). I'd love to read any resources to the contrary.
williamcotton | 10 years ago
This applies to all sorts of Bitcoin metadata protocols beyond just Blockchain ID, such as Open Assets, Blockcast, and Open Publish.
All of these systems use the public key infrastructure of native Bitcoin wallets for identification and authorization so it's in the ballpark of SSH, a proven approach in corporate settings.
rubidium | 10 years ago
Animats | 10 years ago
This is an old issue in sales. When a sales rep leaves, do they take their customers with them? It varies with the industry, and it's something that top sales people negotiate when they take a job. Since they will be bringing in customers, they insist on taking them when they leave.
thwarted | 10 years ago
This new setup makes it possible to take something with me. Github doesn’t exploit this yet (as far as I know), but for instance, it could allow me to keep some statistics, such as how many commits did I make to code of an organization. Or in the case of Salesforce, how much did I generate in leads or revenues.
it doesn't mention taking distribution lists or best customers, although nothing is really stopping you from taking those things even without distributed identity.
However, distributed identity is more valuable from the standpoint of authenticating someone. It is still up to the company/organization to manage the authorization aspects of their resources, binding specific capabilities and authorizations to their employees'/users' authentications.
nickbauman | 10 years ago
josteink | 10 years ago
To gain traction, you need to explain it to people, and not just techies.
And most people (even most techies) either don't get 1. why it matters or 2. what the heck it means.
It's usually also offered with a less coherent and more confusing user experience than the centralized options.
I'd love for more decentralized systems to take hold, but I'm not optimistic enough to believe in it yet.
jdshutt | 10 years ago
http://www.fastcompany.com/3051088/elasticity/relateiq-sales...