Have worked in the identity space for a long time. Authentication isn't a hard problem, but identity is. It will be decentralized because if it is not fragmented, it is literally just oppression. Trusting authentication is not trusting identity, and the origin of identity is the Ur-problem because it comes down to questions of recourse, collateral, risk, authority, and legitimacy - which are all political economy questions and not technical ones.
The technology can change the economics of identity, but identity itself reduces to how you organize to provide recourse to people within your scope. Sure, we can use escrow systems and smart contracts, but these still require a means to organize and provide adjudication.
All the use cases for digital identity are about enforcement and liability, and there are almost none that anyone would volunteer for. In this sense, identity is necessarily imposed, so all products in the space are necessarily aimed at a customer who is imposing identity on a group. It's why I tell identity companies who ask to find some other problem to solve because holding out for some government to adopt your product as their source of sovereignty is a waste of time. There is one other use case for identity, and yes, it is decentralized and bottom-up, because it is about dividing into secure, self-sovereign affinity groups, and the reasons for doing that are on a very short list of uses. Super fun, but basically a weapon.
>It will be decentralized because if it is not fragmented, it is literally just oppression.
The conclusion ("It will be decentralized") doesn't follow from the argument though ("because if it is not fragmented, it is literally just oppression").
It could very well be "just oppression" and keep being that...
>All the use cases for digital identity are about enforcement and liability, and there are almost none that anyone would volunteer for.
Everything from a LinkedIn or Facebook account to your personal artist homepage with your CV on it establishes identity. People obviously disclose identity voluntarily, because identity is the primary means by which strangers establish trust.
If your identity is not transparent to me, I won't enter a relationship with you that requires me to know who you are, which in practice is almost every one. I don't see how non-fragmented identity is oppression. It can be for sure, but the primary reason why identity is important in our interactions is because it establishes trust and reputation. I've always considered "non-imposed" identity a sort of oxymoron for that reason, because if full control of identity is left to the individual, identity essentially loses its primary purpose.
It will be decentralized because if it is not fragmented, it is literally just oppression.
I've never understood that way of viewing things. For me identity is a right. The government must provide me with the means to prove who I am and my associated data like birth certificates, academic titles, health (vaccination), real estate and indirectly verifying identity for private contracts that use my national id card number.
In an oppressive state identity surely could be oppression, just like everything else, but in a democratic country? Come on. In the USA government and even private entities are collecting massive databases of everybody's data. But there's this panic about a centralized service providing identity. It makes no sense.
Identity federation seemed to promise solutions to some of these problems, but never quite took off. The part I liked most was the ability to verify someone as being over 18 without divulging their age or any other meta data. That was 10 years ago though, and I have no idea what the citizen/consumer identity space looks like now.
Did the industry ever get around the sub-par SAML protocol which had no support for the active requestor profile, and the superior WS-Federation protocol which had to use the technically superior SAML token?
> There is one other use case for identity, and yes, it is decentralized and bottom-up, because it is about dividing into secure, self-sovereign affinity groups, and the reasons for doing that are on a very short list of uses. Super fun, but basically a weapon.
A weapon against who? A self sovereign affinity group could just be a community trying to self organize without relying on non-owned infrastructure. Aka prepper stuff.
If anything, my bet is the future of identity is more centralized.
Decentralized solutions, as I've read about them in their current form, require a significant amount of technical knowledge to understand. That is, to understand both what they are and, more importantly, their benefits ("why does this specific solution matter to me?"). Past that, the user experience is extremely poor in comparison to clicking "log in with Google", and I'm not convinced it can ever fully get there.
It is for those reasons that I think centralized identity is here to stay long term. Most people aren't going to spend the time to learn about this because they just want the easiest solution and don't care about their data being sold. I know several people in tech that fully understand the extent of how their data is used by internet corps, and don't mind it because they prefer convenience for free. And I think that's OK--it's their informed choice.
Personally, I try to login with email most of the time, and that's the limit of my drive to care about the security of my personal data. But my email is gmail, so I doubt it really makes a difference from login with Google.
In the US, everyone uses credit cards (centralized identity) to pay for stuff.
In Mexico, credit cards are stolen and reamed for all they're worth by criminals. As a result, everyone uses cash (decentralized, anonymous, difficult to use). Everyone could move to decentralized in the face of significant pressure, even if centralized identity is more convenient.
As much as I'd like to see a decentralized solution, I agree with you. I just spent 30 minutes helping my mom (age 60) and brother (36) set up a Microsoft family account so they can dictate and monitor my nephews' computer usage because [nephews] are addicts.
I didn't even know Microsoft family was a thing, but setting it up and configuring it (from my perspective) was intuitive and simple. My mother and brother however struggled to follow along, and are stressed that they won't be able to manage it.
Most users (even my spouse who is in her late 20's) readily fall into this category. My point is that if configuration requires any troubleshooting it won't reach mass adoption unless it addresses a perceived necessity without an alternative approach.
When you visit a website that works with it, to login, you just grant the webpage access to one of your profiles. (I just use one profile for everything, but you may wish to keep some things separate). Then any activity you do can be associated with that profile. No passwords or keys or even email addresses to remember.
I dunno, I think the UX for decentralized identity could be made pretty good. The GNUnet project has one that runs locally but exposes itself with an OIDC interface: https://reclaim.gnunet.org/
It's still pretty early, but imagine a more polished version of that with a user-friendly installer. If you had the software installed and running, it'd behave pretty similarly to e.g. Google's OIDC provider. Linux distros could even preinstall it. (I have no hope that MS/Apple/Google would do the same since they all have their own centralized providers.)
All people still somewhat understand is federated identity, and that's becoming less prevalent.
Through a weird set of coincidences I often get support tickets about people using or enrolling in TOTP escalated to me. These people have never used an authenticator, except for the company-mandated Microsoft authenticator. Not only do they simplify the concept, thinking there's just one code for everything (e.g. Microsoft tokens are used for AWS; don't worry, these people only have access to some S3 stuff), they also extrapolate that because Microsoft sends them push notifications, AWS must too, and they didn't get one, so it's obviously broken.
Email is slowly losing this awareness too. The only remaining analogy that's probably not going away is getting your credit card from a bank while they still work on the same network.
In my ideal world, we have a framework for brick-and-mortar businesses to act as internet notary service providers.
If you want a general-purpose open-id style account, you visit a notary, and provide them with a fee and proof of your identity. You tell the notary how much information they can share (in particular, whether they can release your name to the internet, or just the "we verified this account is held by a real person" boolean).
The protocol would cover much more than passport info though. You could have a notary vouch that you're a licensed driver, or have a college degree, visited a certain country, etc.
That might cut through some flavors of online nonsense. It would also allow people to stay pseudonymous, and yet enable law enforcement to subpoena their identity, if they go on a killing spree, or hack a few million dollars worth of bitcoin.
CAcert has a system in place that is close to what you described[1]. Basically already verified users check the identity documents of new users and vouch for their authenticity. Their "Assurer Handbook"[2] is an interesting read. When I became an assurer a few years ago the person that trained me also took their task very seriously and I learned a ton about how to check identity documents for forgeries. That alone made it worth it.
Since we have Let's Encrypt I'm not entirely sure what CAcert's place and purpose is, but I think with an existing network of trusted people they are in an ideal position to pivot into a decentralized online identity system.
Mark Shuttleworth's Web of Trust similarly had so called Thawte Notaries but I think it was discontinued a few years ago.
> You could have a notary vouch that you're a licensed driver, or have a college degree, visited a certain country, etc.
Humans, generally, are very bad at catching document fraud. It wouldn't be a vouch for a licensed driver but instead it would be a vouch for "a bit of plastic that looked like a driving license to me".
There is lots of sophisticated fraud and often automated solutions have a much higher rate of detection than your average person, even with some training against common attacks.
As a person being notarized it sounds like I have to give that business more personal information about myself than I usually have to do to get an online identity, as suggested by your subpoena statement.
As a service trying to verify accounts I now have to trust a third party. Maybe the notary has a business that sells fake IDs in the back that are then used in the notarizing process. Maybe my competition set up a burner notary node in order to flood my service with malicious accounts. It sounds like an attack vector.
> If you want a general-purpose open-id style account, you visit a notary, and provide them with a fee and proof of your identity.
This is never going to happen. I will never visit a physical location in order to create an online account. I strongly suspect I'm not alone in this regard.
It would create a small financial (and convenience) pressure to use one identity. Careful design would be needed to ensure that multiple identities are encouraged and accepted.
It could also make things like online voting (like, for winners in a contest or features in software) possible which would otherwise be impossible due to multiple accounts.
The system is attribute based and requires an 'authority' to give you the attribute. After that the attribute lives on your phone and you can give it out to organisations or businesses asking for:
- your name
- whether you are >= 18
- your address
- etc.
What's great about it is:
- you can give out minimal information
- no 3rd party/intermediary required after you've received an attribute
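The attribute-on-your-phone model described above, and the earlier wish to prove someone is over 18 without divulging their age, can be shown with a minimal salted-hash selective-disclosure credential. This is an added example, not code from any project named in the thread; the attribute names and values are constructed, the hash list and signature layout are my own design, and Ed25519 and SHA-256 come from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Attribute is one claim an authority vouches for (sample values below are constructed).
type Attribute struct{ Name, Value string }

// Credential: a salted hash per attribute plus one Ed25519 signature over the sorted
// hash list. The salts stay with the holder; the authority is not contacted again.
type Credential struct {
	Digests   []string
	Salts     map[string]string
	Signature []byte
}

// Presentation: the signed digest list plus only the attributes the holder reveals.
type Presentation struct {
	Digests   []string
	Signature []byte
	Disclosed []Attribute
	Salts     map[string]string
}

// digest binds name, value and salt; the salt stops a verifier from brute-forcing
// undisclosed values (e.g. trying "over_18=false") against the hash list.
func digest(a Attribute, saltHex string) string {
	sum := sha256.Sum256([]byte(a.Name + "=" + a.Value + "|" + saltHex))
	return hex.EncodeToString(sum[:])
}

// signedMessage canonicalises the digest list so issuer and verifier use the same bytes.
func signedMessage(digests []string) []byte {
	s := append([]string(nil), digests...)
	sort.Strings(s)
	return []byte(strings.Join(s, "\n"))
}

// Issue is run once by the authority; after this it is no longer in the loop.
func Issue(priv ed25519.PrivateKey, attrs []Attribute) (Credential, error) {
	c := Credential{Salts: map[string]string{}}
	for _, a := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, err
		}
		c.Salts[a.Name] = hex.EncodeToString(salt)
		c.Digests = append(c.Digests, digest(a, c.Salts[a.Name]))
	}
	sort.Strings(c.Digests) // sorted, so list position leaks nothing about attribute order
	c.Signature = ed25519.Sign(priv, signedMessage(c.Digests))
	return c, nil
}

// Present lets the holder reveal only the named attributes (minimal disclosure).
func Present(c Credential, attrs []Attribute, reveal ...string) Presentation {
	p := Presentation{Digests: c.Digests, Signature: c.Signature, Salts: map[string]string{}}
	want := map[string]bool{}
	for _, r := range reveal {
		want[r] = true
	}
	for _, a := range attrs {
		if want[a.Name] {
			p.Disclosed = append(p.Disclosed, a)
			p.Salts[a.Name] = c.Salts[a.Name]
		}
	}
	return p
}

// Verify needs only the authority's public key: check the signature, then check that
// every disclosed attribute re-hashes to an entry of the signed list.
func Verify(pub ed25519.PublicKey, p Presentation) (map[string]string, error) {
	if !ed25519.Verify(pub, signedMessage(p.Digests), p.Signature) {
		return nil, fmt.Errorf("issuer signature does not verify")
	}
	signed := map[string]bool{}
	for _, d := range p.Digests {
		signed[d] = true
	}
	out := map[string]string{}
	for _, a := range p.Disclosed {
		if !signed[digest(a, p.Salts[a.Name])] {
			return nil, fmt.Errorf("attribute %q was not issued with this credential", a.Name)
		}
		out[a.Name] = a.Value
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	attrs := []Attribute{{"name", "Alice Example"}, {"over_18", "true"}, {"address", "1 Sample St"}}
	cred, _ := Issue(priv, attrs)
	fmt.Println(Verify(pub, Present(cred, attrs, "over_18"))) // map[over_18:true] <nil>
}
```

The verifier learns only the disclosed attribute; the other hashes are unlinkable to values without their salts, and any edit to a disclosed value or to the hash list breaks the check.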
China is already there. At age 16, you get your picture and fingerprints taken. If you get a phone, its ID is tied to your personal ID. Your WeChat account is tied to that ID. If you ride the subway or bus in a major city, or a train, your ID is recorded when you pay. A combination of phone tracking and facial recognition records where you go in some cities. It's even used to shame jaywalkers.[1]
The US is getting there with Real ID. It's been postponed a year due to the epidemic, but soon you will need a Real ID, checked against your birth registration, to board even a domestic flight.
As the article mentions, centralized trust has proven that it reaches a certain maximum before being plagued by political, legal, and corruption issues. I don't know much about China's state ID system, but based on other systems they've rolled out, I'm sure with enough money and the right contacts you can wipe, fabricate, or change your ID (which is also true for the US). Centralized systems have to also undertake the same problems as decentralized ones, like ensuring records are kept updated, which is no trivial task when providing identity for millions of people (1).
Real ID is a contract between the federal government and the states about the security of their existing ID issuing processes. It covers things like, don’t leave ID printers and card stock in podunk branch offices where $12/hour staff can let in their friends at night. Use printing processes that are sufficiently hard to replicate. If your freedom relied on stuff like this, you were already an outlaw, the only implication of Real ID is that now you will need stronger technical skills to produce your next convincing fake. It has nothing to do with where and whether IDs are required. Airport and courthouse security have been requiring IDs for many years now.
I think one of the great parts of the internet is that it promotes this identity decentralisation (or, as I have always thought about it, identity fragmentation). You are allowed to isolate online identity from the rest of your life, or from separate online accounts/personae.
Which is why I am confused as to why the author spent so much time worrying about verifying identity. To me, that feels like it's completely missing the point of fragmenting your online experience. Is the author simply concerned with the amount of power associated with their google login?
There's the "European" ID4Me project (https://id4me.org/), which tries to add federation on top of OpenID Connect / OAuth2. The idea is to give users globally valid IDs that contain a domain name. Using a TXT record on that domain you then specify which OpenID auth provider a service should use to authenticate the user. If you have your own domain this enables you to switch ID providers without having to update your accounts.
In general I like the idea but since it's an EU-style project I don't expect it to go anywhere to be honest. And personally I don't think the benefit over e-mail based authentication is marginal. That said there are some extensions in OpenID Connect that can achieve something similar, and that (IMHO) are more likely to actually get widely adopted.
New Zealand had a program called Real Me. It's based on a completely and totally broken SAML2 implementation, that only gives you back a single token, and then you have to query another web service to get more information. Oh and years ago when we had to implement a product using it, their Identity Providers would give us different responses randomly ... and it once went down for two weeks straight.
> Removing the possibility for anonymity could solve the problem of online toxicity.
Except that it's not possible. And worse, it's just hard enough to evade that only those with malicious goals will manage it.
> Large internet corporations like Google and Facebook allow all to create an account on condition that some personally identifiable information is revealed, usually a phone number.
Also Signal, sadly enough :(
> The benefit is that it deters most from repeatably creating new accounts when older accounts have been flagged or banned due to improper behavior. These companies gain the function of "identity provider": they manage your online identity that can be used to login in different locations of the internet. We all know many websites that offer a "Google login" or "Facebook login".
Yes, it "deters most". And mainly it deters vulnerable people, who need ~anonymity to protect themselves from adversaries. It doesn't deter spammers, trolls, scammers, bot operators, and such. There are just so many ways to use multiple phone numbers. Ranging from free websites to SIM banks. And actually, it's easier just to buy accounts, either fresh or old (which probably means stolen).
So even without getting into concerns about corporate gatekeepers, it's clear that this is a misguided approach.
"Built for individuals, I recently launched Keyoxide which uses cryptographic keypairs to accomplish decentralized identity verification."
So this is about the introduction of a new identity service. From what I get looking into Keyoxide it basically strives to be what Keybase originally intended to be.
From their Keybase migration guide [1]:
"Keyoxide as a partial replacement for Keybase
It's important to moderate expectations and state that Keyoxide only replaces the subset of Keybase features that are considered the "core" features: message encryption, signature verification and identity proofs.
Message decryption and signing are not supported features: they would require you to upload your secret key to a website which is a big no-no.
Encrypted chat and cloud storage are not supported features: there are plenty of dedicated alternative services.
If you need any of these Keybase-specific supports, Keyoxide may not be a full Keybase replacement for you but you could still generate a profile and take advantage of distributed identity proofs."
The key difference is that instead of the Keybase server storing verifications, it looks like they tell you to add the link to the proof directly to your key as a notation.
This means the proof isn't dependent on a central server, which seems like a significant improvement.
I have always felt identity, including online such as domain names, should be decentralized — it’s too much power for a central authority to dictate who gets (and doesn’t get) a name. Further, it’s too easy for people to impersonate others online. It even happened at reddit where the CEO masqueraded as users by modifying their comments [1].
Handshake [2] is a great project that helps decentralize online identity. Not only is naming distribution in the hands of the people with Handshake which ends the deplatforming/censorship debacle the world has been facing recently, but also, anything a name does can be verified with signatures verifiable against the blockchain.
The future is Decentralized - you have very large actors working to deploy systems based on the Verifiable Credentials (VC) Data Model (W3C Standard) and the Decentralized Identifiers (soon to be W3C Standard). Extensive work is being done on how the data is exchanged (Credential Handler API, OpenID Connect Self Issued Identity Provider (OIDC_SOIP) <- so any installed OpenID can accept VCs, and DID Communications (spec under development at the Decentralized Identity Foundation)). Actors supporting this work include western liberal governments, MSFT, IBM and many, many others, plus many cool small startups. We gather twice a year at the Internet Identity Workshop. Our archives for the last 10 years are online.
The DID and VC specs are the most advanced tools we have now to implement decentralized identity, plus there are many startups applying these in real world, solving problems and generating open source implementations.
I hardly ever use any OAuth logins. I use my GH login in a couple of places, but I usually create an email/site-specific ID. 1Password is a nice tool.
That said, the last couple of years, I have gone to great lengths to create a "digital personal brand," which is deliberately designed to help people find me, and tie all of my digital artifacts together.
I think that OAuth logins actually work against that. I want to leave "pointers" all over the place, that point to each other in a public manner. OAuth logins "bury" these pointers, so only "gatekeepers" can see the information.
It definitely means that I have to be a lot more careful, these days, than I used to be, in choosing what I write or expose online, but I don't feel it's too difficult. I like to think that I live a lifestyle that has very little to hide.
I was reading about that Fox writer that just committed career seppuku. I think that is a visceral example, showing that we can't trust the old cloak of anonymity to hide our trail, so it might not be a bad idea to, as Twain said, "live that when we come to die, even the undertaker will be sorry."
Your identity is going to come down knowledge of the private key from some sort of public key system. Why not just standardize that?
An excellent example of something perversely non-standardized for identities can be found in messaging. Signal, Matrix, Whatsapp and OMEMO are even supposedly based on the same protocol. In terms of identity they are all complete silos. All the things you establish about an identity on one system is completely unusable on another.
Creating systems to kludge this mess together seems to be a way of avoiding the root problem here...
I feel like a domain is a nice way to link identities, with a small nominal fee being a nice deterrent to botting. Not the most user-friendly for those not tech savvy, but third-party services could help with setting up such sites.
Make a page on your domain with rel=me links to your social media profiles, have the social media sites link back to your site with a verified symbol next to the link when it scans and validates the rel=me link.
This puts you in control of your verification instead of federating it to a service like Keybase or Keyoxide.
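A minimal check of the mutual rel=me linking described above, as an added example that is not code from Keybase, Keyoxide or any site mentioned in the thread. The domain names and page contents are constructed, and fetching is stubbed with a map so the example runs offline; the point it shows is that only a link confirmed in both directions counts, so a profile that merely claims your domain is not verified.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample pages standing in for fetched HTML. alice.example lists one
// profile with rel="me"; @alice links back; @mallory claims alice.example but is
// not listed there, so that claim must not verify.
var samplePages = map[string]string{
	"https://alice.example/": `<html><body>
	  <a rel="me" href="https://social.example/@alice">Mastodon</a>
	  <a href="https://photos.example/alice">photos (no rel=me)</a>
	</body></html>`,
	"https://social.example/@alice":   `<a href="https://alice.example" rel="me nofollow">Website</a>`,
	"https://social.example/@mallory": `<a rel="me" href="https://alice.example/">Website</a>`,
}

var (
	anchorRe = regexp.MustCompile(`(?is)<a\b[^>]*>`)
	attrRe   = regexp.MustCompile(`(?is)\b(rel|href)\s*=\s*"([^"]*)"`)
)

// normalize makes two spellings of the same URL compare equal (case of scheme and
// host, missing trailing slash, fragment); without this, back-links are missed.
func normalize(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Scheme == "" || u.Host == "" {
		return raw
	}
	u.Scheme, u.Host, u.Fragment = strings.ToLower(u.Scheme), strings.ToLower(u.Host), ""
	if u.Path == "" {
		u.Path = "/"
	}
	return u.String()
}

// RelMeLinks extracts the targets of <a> tags whose rel attribute contains the
// token "me". A regexp suffices for this demo; a real crawler would use an HTML parser.
func RelMeLinks(html string) []string {
	var out []string
	for _, tag := range anchorRe.FindAllString(html, -1) {
		href, isMe := "", false
		for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
			switch strings.ToLower(m[1]) {
			case "href":
				href = m[2]
			case "rel":
				for _, tok := range strings.Fields(strings.ToLower(m[2])) {
					isMe = isMe || tok == "me"
				}
			}
		}
		if isMe && href != "" {
			out = append(out, normalize(href))
		}
	}
	return out
}

// VerifiedProfiles returns the rel=me targets of site that link back to site with
// rel=me. Only a mutual link counts: a one-way claim from a profile is ignored.
func VerifiedProfiles(site string, fetch func(string) (string, bool)) []string {
	site = normalize(site)
	body, ok := fetch(site)
	if !ok {
		return nil
	}
	var verified []string
	for _, profile := range RelMeLinks(body) {
		profileBody, ok := fetch(profile)
		if !ok {
			continue
		}
		for _, back := range RelMeLinks(profileBody) {
			if back == site {
				verified = append(verified, profile)
				break
			}
		}
	}
	return verified
}

// fetchSample serves the constructed pages in place of HTTP.
func fetchSample(u string) (string, bool) {
	body, ok := samplePages[normalize(u)]
	return body, ok
}

func main() {
	fmt.Println(VerifiedProfiles("https://alice.example", fetchSample))           // [https://social.example/@alice]
	fmt.Println(VerifiedProfiles("https://social.example/@mallory", fetchSample)) // []
}
```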
The future of online identity is indeed decentralized and not distributed, meaning that users will always have some super nodes to handle their identity on behalf of them. In my opinion Facebook/Twitter/etc are not identity providers, they are silos. Sure they are very successful ones and can even be used as identity providers at some places, but as long as they don't open up they can easily die anytime.
The author suggests services built on top of these silos that provide proofs of connection between all the identities. I welcome such initiatives but I doubt they will lead anywhere, because they are built on top of silos. And a silo, as soon as it figures out it loses money, will cut down that connection.
What won't die is decentralized published standards and protocols that handle the Identity management through the internet. Starting from plain DNS, we can get AoR for SMTP, SIP, XMPP and on top of that we have frameworks that facilitate the identity management like Oauth2, OpenID etc. All open and standardized. We are getting there, we just need some more time I guess.
That's why I always thought that, Google, who owns emails has much more value than Facebook, that asks for your email. If facebook dies, you lose one aspect of your digital social part. If you lose your email though, you almost lose your online identity. I really can't get how Zuckerberg has missed that.
I believe that in this day and age we probably all need at least two identities: the birth/official transparent, trusted one for official/professional use and an anonymous one for unofficial/online things.
But this is because I think nobody should be fired, de-platformed, banned or "canceled" for opinions/thoughts outside of those contexts.
Sure you could be fired from your work if you started shouting your opinions on your workplace. No you shouldn't be fired from your work for anything that happened outside that work.
Anonymity is needed for the sake of free thinking as a shield to any current/future mob that could ruin your life/career for just any reason at all.
In 10 years you might find yourself ostracized because someone found some 20-year-old snippet of code you wrote with "banned words" in it.
I used to think it was an acquired thing that you could have free opinions with your official identity (political or anything) and not risk your livelihood for opinions but the thought enforcing mobs are now everywhere and most companies will bend the knee to their bidding.
And obviously this identity needs to be decentralized to also protect that identity itself from being ruined by the various de-platforming attempts.
These days, I'm genuinely more concerned about the current mob rule mentality than government oppression.
Reading the comments, I learned that OpenID is not centralised but rather provides federation support. I wish I'd known about this sooner before it died, because it would've been fun to try and use.
I'm sure decentralized authentication won't come on commercial platforms though. Maybe some developer-centric services will add support once the Next Big Thing in authentication and authorization comes along, but companies want to keep as much of their account system under their control as possible. It might be because of data mining, it might be because of bot prevention, it might be because of fear of trusting external providers, but I just don't see any reason why companies would accept such an authentication system.
The closest thing I can see happening is a federated authentication platform like the EU is implementing with EIDAS. Authentication with your home government for EU-wide services, tied to your ID card. I don't think something like that will be implemented for much more than government institutions and banking, despite the idea having been proven to work.
Simply put, as long as it doesn't make business sense to trust another provider, businesses won't offer any decentralized authentication methods.
I’m happy to support IndieAuth (a decentralized identity protocol built on top of OAuth 2.0) on my site and give people the option to use their personal site, if they have one, as a way of identifying themselves and performing authentication.
"A Truly Self-Sovereign Identity System", our academic work with Tor-like privacy[1].
This goes beyond owning your identity. Has government sponsorship. The EU is currently taking the lead in this area, search terms: "ESSIF: The European self-sovereign identity framework".
Agree. It is decentralized. You need to be able to maintain your identity as a currency whereby you get compensated for access to it vs. others who get to monetize your persona. Google, LinkedIn, FB all do this. If you grant specific rights you maintain your identity and get compensated directly for a business to gain access to market, contact, or interact with you.
[+] [-] motohagiography|5 years ago|reply
The technology can change the economics of identity, but identity itself reduces to how you organize to provide recourse to people within your scope. Sure, we can use escrow systems and smart contracts, but these still require a means to organize and provide adjudication.
All the use cases for digital identity are about enforcement and liability, and there are almost none that anyone would volunteer for. In this sense, identity is necessarily imposed, so all products in the space are necessarily aimed at a customer who is imposing identity on a group. It's why I tell identity companies who ask to find some other problem to solve because holding out for some government to adopt your product as their source of sovereignty is a waste of time. There is one other use case for identity, and yes, it is decentralized and bottom-up, because it is about dividing into secure, self-sovereign affinity groups, and the reasons for doing that are on a very short list of uses. Super fun, but basically a weapon.
[+] [-] coldtea|5 years ago|reply
The conclusion ("It will be decentralized") doesn't follow from the argument though ("because if it is not fragmented, it is literally just oppression").
It could very well be "just oppression" and keep being that...
[+] [-] Barrin92|5 years ago|reply
Everything from a LinkedIn or Facebook account to your personal artist homepage with your CV on it establishes identity. People obviously disclose identity voluntarily, because identity is the primary means by which strangers establish trust.
If your identity is not transparent to me, I won't enter a relationship with you that requries me to know who you are, which in practice is almost every one. I don't see how non-fragmented identity is oppression. It can be for sure, but the primary reason why identity is important in our interactions is because it establishes trust and reputation. I've always considered "non-imposed" identity a sort of oxymoron for that reason, because if full control of identity is left to the individual, identity essentially loses its primary purpose.
[+] [-] narag|5 years ago|reply
I've never understood that way of viewing things. For me identity is a right. The government must provide me with the means to prove who I am and my associated data like birth certificates, academic titles, health (vaccination), real estate and indirectly verifying identity for private contracts that use my national id card number.
In an oppressive state identity surely could be oppression, just like everything else, but in a democratic country? Come on. In the USA goverment and even private entities are collecting massive databases of everybody's data. But there's this panic about a centralized service providing identity. It makes no sense.
[+] [-] Spearchucker|5 years ago|reply
Did the industry ever get around the sub-par SAML protocol which had no support for the active requestor profile, and the superior WS-Federation protocol which had to use the technically superior SAML token?
[+] [-] reidjs|5 years ago|reply
[+] [-] git_rancher|5 years ago|reply
A weapon against who? A self sovereign affinity group could just be a community trying to self organize without relying on non-owned infrastructure. Aka prepper stuff.
[+] [-] kory|5 years ago|reply
Decentralized solutions, as I've read about them in their current form, require a significant amount of technical knowledge to understand. That is, to understand both what they are and, more importantly, their benefits ("why does this specific solution matter to me?"). Past that, the user experience is extremely poor in comparison to clicking "log in with Google", and I'm not convinced it can ever fully get there.
It is for those reasons that I think centralized identity is here to stay long term. Most people aren't going to spend the time to learn about this because they just want the easiest solution and don't care about their data being sold. I know several people in tech that fully understand the extent of how their data is used by internet corps, and don't mind it because they prefer convenience for free. And I think that's OK--it's their informed choice.
Personally, I try to login with email most of the time, and that's the limit of my drive to care about the security of my personal data. But my email is gmail, so I doubt it really makes a difference from login with Google.
[+] [-] djhaskin987|5 years ago|reply
In Mexico, credit cards are stolen and reamed for all they're worth by criminals. As a result, everyone uses cash (decentralized, anonymous, difficult to use). Everyone could move to decentralized in the face of significant pressure, even if centralized identity is more convenient.
[+] [-] hunter-gatherer|5 years ago|reply
I didn't even know Microsoft family was a thing, but setting it up and configuring it was (from my perspective) intuitive and simple. My mother and brother, however, struggled to follow along, and are stressed that they won't be able to manage it.
Most users (even my spouse, who is in her late 20s) readily fall into this category. My point is that if configuration requires any troubleshooting it won't reach mass adoption unless it addresses a perceived necessity without an alternative approach.
[+] [-] fwip|5 years ago|reply
When you visit a website that works with it, to login, you just grant the webpage access to one of your profiles. (I just use one profile for everything, but you may wish to keep some things separate). Then any activity you do can be associated with that profile. No passwords or keys or even email addresses to remember.
[+] [-] ryukafalz|5 years ago|reply
It's still pretty early, but imagine a more polished version of that with a user-friendly installer. If you had the software installed and running, it'd behave pretty similarly to e.g. Google's OIDC provider. Linux distros could even preinstall it. (I have no hope that MS/Apple/Google would do the same since they all have their own centralized providers.)
[+] [-] sascha_sl|5 years ago|reply
Through a weird set of coincidences I often get support tickets about people using or enrolling in TOTP escalated to me. These people have never used an authenticator, except for the company-mandated Microsoft authenticator. Not only do they simplify the concept, thinking there's just one code for everything (e.g. Microsoft tokens are used for AWS; don't worry, these people only have access to some S3 stuff), they also extrapolate that because Microsoft sends them a push notification, AWS must too, and they didn't get one, so it's obviously broken.
Email is slowly losing this awareness too. The only remaining analogy that's probably not going away is getting your credit card from a bank while they still work on the same network.
[+] [-] edoceo|5 years ago|reply
[+] [-] EGreg|5 years ago|reply
They can find out if you are a user of sex.com or dangerouspoliticalopinions.com
They can do this by trying to register an account with your email address, and being told it was already registered.
Here is a tool that allows anyone to do it:
https://www.quora.com/Is-there-a-way-to-know-which-all-sites...
https://brandyourself.com/blog/privacy/find-all-accounts-lin...
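A defender-side illustration of the account-existence leak described in the comment above, added here as an example (it is not code from the comment or from any named site): the enumerable registration reply next to a uniform one, with a check that the two replies cannot be told apart. The user store and the outbox are constructed stand-ins for a database and a mail sender.

```python
"""Account-existence leak via registration, next to a uniform-response handler.

Constructed example: an in-memory user store stands in for the real database,
and "sending" an email means appending to an outbox list.
"""

# Constructed sample data; not real accounts.
EXISTING_USERS = {"alice@example.com"}


def register_enumerable(email, outbox):
    """The pattern the comment describes: the reply itself reveals whether the
    address already has an account, so anyone can probe a list of addresses."""
    if email in EXISTING_USERS:
        return "That email address is already registered."
    outbox.append((email, "Confirm your new account"))
    return "Check your inbox to confirm your account."


def register_uniform(email, outbox):
    """Hardened variant: the reply is identical for known and unknown
    addresses; the distinction is moved into the email, which only the
    mailbox owner can read. Both branches do comparable work (one lookup,
    one queued email) so response time does not become the side channel."""
    if email in EXISTING_USERS:
        outbox.append((email, "Someone tried to sign up with your address; "
                              "you already have an account. Use password reset."))
    else:
        outbox.append((email, "Confirm your new account"))
    return "If this address can be registered, we have emailed it instructions."


def responses_indistinguishable(handler, known="alice@example.com",
                                unknown="nobody@example.com"):
    """Regression check for a handler: the reply for a known address must
    equal the reply for an unknown one."""
    return handler(known, []) == handler(unknown, [])
```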
[+] [-] uniqueid|5 years ago|reply
If you want a general-purpose open-id style account, you visit a notary, and provide them with a fee and proof of your identity. You tell the notary how much information they can share (in particular, whether they can release your name to the internet, or just the "we verified this account is held by a real person" boolean).
The protocol would cover much more than passport info though. You could have a notary vouch that you're a licensed driver, or have a college degree, visited a certain country, etc.
That might cut through some flavors of online nonsense. It would also allow people to stay pseudonymous, and yet enable law enforcement to subpoena their identity, if they go on a killing spree, or hack a few million dollars worth of bitcoin.
[+] [-] weinzierl|5 years ago|reply
Since we have Let's Encrypt I'm not entirely sure what CAcert's place and purpose is, but I think with an existing network of trusted people they are in an ideal position to pivot into a decentralized online identity system.
Mark Shuttleworth's Web of Trust similarly had so called Thawte Notaries but I think it was discontinued a few years ago.
[1] http://wiki.cacert.org/FAQ/AssuringPeople
[2] http://wiki.cacert.org/AssuranceHandbook2
[+] [-] horizin|5 years ago|reply
https://www.w3.org/TR/vc-data-model/
[+] [-] orf|5 years ago|reply
Humans, generally, are very bad at catching document fraud. It wouldn't be a vouch for a licensed driver but instead it would be a vouch for "a bit of plastic that looked like a driving license to me".
There is lots of sophisticated fraud and often automated solutions have a much higher rate of detection than your average person, even with some training against common attacks.
[+] [-] risyachka|5 years ago|reply
[+] [-] aaron-santos|5 years ago|reply
[+] [-] nsl73|5 years ago|reply
As a person being notarized it sounds like I have to give that business more personal information about myself than I usually have to do to get an online identity, as suggested by your subpoena statement.
As a service trying to verify accounts I now have to trust a third party. Maybe the notary has a business that sells fake IDs in the back that are then used in the notarizing process. Maybe my competition set up a burner notary node in order to flood my service with malicious accounts. It sounds like an attack vector.
[+] [-] perryizgr8|5 years ago|reply
This is never going to happen. I will never visit a physical location in order to create an online account. I strongly suspect I'm not alone in this regard.
[+] [-] yunruse|5 years ago|reply
[+] [-] rendaw|5 years ago|reply
[+] [-] tdons|5 years ago|reply
The system is attribute based and requires an 'authority' to give you the attribute. After that the attribute lives on your phone and you can give it out to organisations or businesses asking for....:
What's great about it is:
[+] [-] rat323|5 years ago|reply
[deleted]
[+] [-] Animats|5 years ago|reply
China is already there. At age 16, you get your picture and fingerprints taken. If you get a phone, its ID is tied to your personal ID. Your WeChat account is tied to that ID. If you ride the subway or bus in a major city, or a train, your ID is recorded when you pay. A combination of phone tracking and facial recognition records where you go in some cities. It's even used to shame jaywalkers.[1]
The US is getting there with Real ID. It's been postponed a year due to the epidemic, but soon you will need a Real ID, checked against your birth registration, to board even a domestic flight.
[1] https://youtu.be/ectdRsyj-zI
[+] [-] jadbox|5 years ago|reply
(1) https://www.washingtonpost.com/us-policy/2020/06/25/irs-stim...
[+] [-] closeparen|5 years ago|reply
[+] [-] Kapura|5 years ago|reply
Which is why I am confused as to why the author spent so much time worrying about verifying identity. To me, that feels like it's completely missing the point of fragmenting your online experience. Is the author simply concerned with the amount of power associated with their google login?
[+] [-] ThePhysicist|5 years ago|reply
In general I like the idea, but since it's an EU-style project I don't expect it to go anywhere, to be honest. And personally I don't think the benefit over e-mail based authentication is marginal. That said, there are some extensions in OpenID Connect that can achieve something similar, and that (IMHO) are more likely to actually get widely adopted.
[+] [-] djsumdog|5 years ago|reply
[+] [-] mirimir|5 years ago|reply
Except that it's not possible. And worse, it's just hard enough to evade that only those with malicious goals will manage it.
> Large internet corporations like Google and Facebook allow all to create an account on condition that some personally identifiable information is revealed, usually a phone number.
Also Signal, sadly enough :(
> The benefit is that it deters most from repeatably creating new accounts when older accounts have been flagged or banned due to improper behavior. These companies gain the function of "identity provider": they manage your online identity that can be used to login in different locations of the internet. We all know many websites that offer a "Google login" or "Facebook login".
Yes, it "deters most". And mainly it deters vulnerable people, who need ~anonymity to protect themselves from adversaries. It doesn't deter spammers, trolls, scammers, bot operators, and such. There are just so many ways to use multiple phone numbers. Ranging from free websites to SIM banks. And actually, it's easier just to buy accounts, either fresh or old (which probably means stolen).
So even without getting into concerns about corporate gatekeepers, it's clear that this is a misguided approach.
[+] [-] weinzierl|5 years ago|reply
So this is about the introduction of a new identity service. From what I get looking into Keyoxide it basically strives to be what Keybase originally intended to be.
From their Keybase migration guide [1]:
"Keyoxide as a partial replacement for Keybase
It's important to moderate expectations and state that Keyoxide only replaces the subset of Keybase features that are considered the "core" features: message encryption, signature verification and identity proofs.
Message decryption and signing are not supported features: they would require you to upload your secret key to a website which is a big no-no.
Encrypted chat and cloud storage are not supported features: there are plenty of dedicated alternative services.
If you need any of these Keybase-specific supports, Keyoxide may not be a full Keybase replacement for you but you could still generate a profile and take advantage of distributed identity proofs."
[1] https://keyoxide.org/guides/migrating-from-keybase
[+] [-] ocdtrekkie|5 years ago|reply
This means the proof isn't dependent on a central server, which seems like a significant improvement.
[+] [-] rasengan|5 years ago|reply
Handshake [2] is a great project that helps decentralize online identity. Not only is naming distribution in the hands of the people with Handshake which ends the deplatforming/censorship debacle the world has been facing recently, but also, anything a name does can be verified with signatures verifiable against the blockchain.
[1] https://www.theverge.com/2016/11/23/13739026/reddit-ceo-stev...
[2] https://handshake.org
[+] [-] identitywoman|5 years ago|reply
[+] [-] geonnave|5 years ago|reply
The DID and VC specs are the most advanced tools we have now to implement decentralized identity, plus there are many startups applying these in real world, solving problems and generating open source implementations.
Btw, I joined the Internet Identity Workshop last spring and it was an incredible experience. (https://internetidentityworkshop.com/)
[+] [-] ChrisMarshallNY|5 years ago|reply
That said, the last couple of years, I have gone to great lengths to create a "digital personal brand," which is deliberately designed to help people find me, and tie all of my digital artifacts together.
I think that OAuth logins actually work against that. I want to leave "pointers" all over the place, that point to each other in a public manner. OAuth logins "bury" these pointers, so only "gatekeepers" can see the information.
It definitely means that I have to be a lot more careful, these days, than I used to be, in choosing what I write or expose online, but I don't feel it's too difficult. I like to think that I live a lifestyle that has very little to hide.
I was reading about that Fox writer that just committed career seppuku. I think that is a visceral example, showing that we can't trust the old cloak of anonymity to hide our trail, so it might not be a bad idea to, as Twain said, "live that when we come to die, even the undertaker will be sorry."
It's part of a strategy that seems to be working.
Works for me. YMMV
[+] [-] upofadown|5 years ago|reply
An excellent example of something perversely non-standardized for identities can be found in messaging. Signal, Matrix, Whatsapp and OMEMO are even supposedly based on the same protocol. In terms of identity they are all complete silos. All the things you establish about an identity on one system are completely unusable on another.
Creating systems to kludge this mess together seems to be a way of avoiding the root problem here...
[+] [-] cirno|5 years ago|reply
Make a page on your domain with rel=me links to your social media profiles, have the social media sites link back to your site with a verified symbol next to the link when it scans and validates the rel=me link.
This puts you in control of your verification instead of federating it to a service like Keybase or Keyoxide.
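The bidirectional rel=me check described in the comment above, as an added example that is not part of the original post and not any social site's actual verifier: it parses rel="me" links out of two pages and accepts the claim only when each page points at the other. The two page URLs and their HTML are constructed, and a URL is normalised before comparison so a trailing slash or different letter case does not break the match.

```python
"""Checking bidirectional rel="me" links (IndieWeb-style identity verification)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit


def normalize(url):
    """Canonicalise a URL so https://Example.com/ and https://example.com compare equal."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


class RelMeParser(HTMLParser):
    """Collect hrefs of <a>/<link> elements whose rel attribute contains the token 'me'."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attrs = dict(attrs)
        rel_tokens = (attrs.get("rel") or "").split()  # rel is a space-separated token list
        href = attrs.get("href")
        if "me" in rel_tokens and href:
            self.links.add(normalize(urljoin(self.base_url, href)))


def rel_me_links(page_url, html):
    """Return the set of normalised rel=me targets declared by one page."""
    parser = RelMeParser(page_url)
    parser.feed(html)
    return parser.links


def verify_mutual(site_url, site_html, profile_url, profile_html):
    """True only if the site claims the profile AND the profile points back at the site.

    A one-way link proves nothing: anyone can put rel=me to a stranger's profile
    on their own page, so the verifier must see the claim from both ends."""
    site_claims = rel_me_links(site_url, site_html)
    profile_claims = rel_me_links(profile_url, profile_html)
    return (normalize(profile_url) in site_claims
            and normalize(site_url) in profile_claims)


# Constructed sample pages; these are not real sites.
SITE_URL = "https://alice.example/"
SITE_HTML = '<a rel="me" href="https://social.example/@alice">me on social</a>'
PROFILE_URL = "https://social.example/@alice"
PROFILE_HTML = '<a rel="me nofollow" href="https://alice.example">alice.example</a>'
# A profile that links to the site without rel=me: a plain link, not a verified claim.
UNVERIFIED_PROFILE_HTML = '<a href="https://alice.example">my site</a>'
```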
[+] [-] tatersolid|5 years ago|reply
$10/year * 4 Gigapeople online.
Mandate that much free revenue to the likes of godaddy? No thanks.
[+] [-] vasilakisfil|5 years ago|reply
The author suggests services built on top of these silos that provide proofs of connection between all the identities. I welcome such initiatives, but I doubt they will lead anywhere, because they are built on top of silos. And a silo, as soon as it figures out it loses money, will cut down that connection.
What won't die is decentralized published standards and protocols that handle identity management through the internet. Starting from plain DNS, we can get AoR for SMTP, SIP, XMPP, and on top of that we have frameworks that facilitate identity management like OAuth2, OpenID etc. All open and standardized. We are getting there, we just need some more time I guess.
That's why I always thought that Google, who owns email, has much more value than Facebook, which asks for your email. If Facebook dies, you lose one aspect of your digital social part. If you lose your email though, you almost lose your online identity. I really can't get how Zuckerberg has missed that.
[+] [-] sksksk|5 years ago|reply
It didn’t really take off though, and I guess was quietly withdrawn.
https://techcrunch.com/2010/11/15/facebook-messaging/
[+] [-] Cantbekhan|5 years ago|reply
But this is because I think nobody should be fired, de-platformed, banned or "canceled" for opinions/thoughts outside of those contexts.
Sure you could be fired from your work if you started shouting your opinions on your workplace. No you shouldn't be fired from your work for anything that happened outside that work.
Anonymity is needed for the sake of free thinking as a shield to any current/future mob that could ruin your life/career for just any reason at all.
In 10 years you might find yourself ostracized because someone found some 20-year-old snippet of code you wrote with "banned words" in it.
I used to think it was an acquired thing that you could have free opinions with your official identity (political or anything) and not risk your livelihood for opinions but the thought enforcing mobs are now everywhere and most companies will bend the knee to their bidding.
And obviously this identity needs to be decentralized to also protect that identity itself from being ruined by the various de-platforming attempts.
These days, I'm genuinely more concerned about the current mob rule mentality than government oppression.
[+] [-] jeroenhd|5 years ago|reply
I'm sure decentralized authentication won't come on commercial platforms though. Maybe some developer-centric services will add support once the Next Big Thing in authentication and authorization comes along, but companies want to keep as much of their account system under their control as possible. It might be because of data mining, it might be because of bot prevention, it might be because of fear of trusting external providers, but I just don't see any reason why companies would accept such an authentication system.
The closest thing I can see happening is a federated authentication platform like the EU is implementing with eIDAS: authentication with your home government for EU-wide services, tied to your ID card. I don't think something like that will be implemented for much more than government institutions and banking, despite the idea having been proven to work.
Simply put, as long as it doesn't make business sense to trust another provider, businesses won't offer any decentralized authentication methods.
[+] [-] dmitshur|5 years ago|reply
I described the motivation in more detail at https://github.com/shurcooL/home/issues/34.
[+] [-] synctext|5 years ago|reply
This goes beyond owning your identity. Has government sponsorship. The EU is currently taking the lead in this area, search terms: "ESSIF: The European self-sovereign identity framework".
[1] https://arxiv.org/abs/2007.00415
[+] [-] brentis|5 years ago|reply