WingNews logo WingNews
top | item 27595575

(no title)

jeremie | 4 years ago

This should be v0.1 based on the actual utility of the spec, just because it's been incubated for so long doesn't magically make it useful.

DIDs are fundamentally antithetical to privacy and will only enable a deeper and more obscure level of tracking to all applications that use them. They were originally inspired for mapping public blockchain use-cases, but IMO personal identity and related keys should _never_ be put on a public chain, who thinks this could ever be a good idea or architecture?

All of the suggested "workarounds" to layer on privacy to DIDs are just lip service in the spec, there's zero technical requirements for an implementation.

I worry that DIDs based on this spec will be deeply harmful if widely deployed with the multiple layers of abstraction, required dependencies on massively complex things like JSON-LD, and abundance of implementation-time choices. It's such an easy "spec" to embrace and extend by big tech, it has no teeth to prevent tracking abuse and it should develop those as hard normative implementation MUSTs before v1.0 versus the non-normative "Privacy _Considerations_" it has now.

Identity is too important to have it done wrong.

discuss

order

naravara|4 years ago

> DIDs are fundamentally antithetical to privacy and will only enable a deeper and more obscure level of tracking to all applications that use them. They were originally inspired for mapping public blockchain use-cases, but IMO personal identity and related keys should _never_ be put on a public chain, who thinks this could ever be a good idea or architecture?

Functionally, how different would this be from the status quo? Between the FAANGs basically already having near-universal identifiers for all of us and everyone's information being leaked in a variety of breaches to where it's essentially public knowledge to any black hats or state actors I'm not sure how down the downsides are?

infominer|4 years ago

DIDs make use of public key encryption, which does not require storing private data on a public chain to be useful. All that's needed is a public key directory for public entities, everything else can be verified based on said pubkey of those entities who issue credentials

a new identifier (pubkey) can be created for each organization you engage with

OPs argument seems based on imagination has nothing to do with how DIDs are meant to work

ghoshbishakh|4 years ago

Well DID spec doesn't tell us to put identity or related keys in public. DIDs coupled with the VC model (https://www.w3.org/TR/vc-data-model/) allows identity credentials issued by any "trusted" issuer to be validated. Here trusted means whoever the user trusts, be it government or big tech or anything else.

dwaite|4 years ago

The issue is not other identity information in the DID, it is the identifier mandate itself is antithetical to privacy.

Having a global identifier as you go about the internet means that parties can correlate and share information about you.

Trying to solve that by isolation (using a DID per party you want to interact with) negative affects their usability and privacy properties with verifiable credentials.

witweb|4 years ago

But what would be the solution? I've already played around with DIDs and Verifiable Credentials in the SSI-context and I like it from a tech perspective. I am also not sure if the spec should be held accountable to potential privacy misuses – the user should be. Additionally, you don't have to use the big tech solutions. The tech is inherently open, just look at the many DID methods.

But what I am concerned of are consortium (identity) networks like Sovrin which are run by a hand full of companies. At least in Germany, the government is starting to like what they are doing which is horrible imo. The identity layer of a state should not be governed by a consortium of private companies, no matter what fancy governance model they have.

rad_gruchalski|4 years ago

> The identity layer of a state should not be governed by a consortium of private companies, no matter what fancy governance model they have.

It’s the same with gaia-x.

lalchandran|4 years ago

The assumption that DID has to be in a public chain is flawed. You should really look at DID use as a mechanism to decentralised the use of certificates. In my mind its definitely not not very different from PKI based certificates or any token based solution like OAuth. The difference is its potential to be decentralised.

tty7|4 years ago

DIDs do not specify keys should be written to a public chain, another commented mentioned the VC spec.

Another thing to look at is the did:peer method, it allows you to have a direct connection with a party for secure communication. Either party could root their did against a public key (eg a public organisation) but that is not required.