It’s hard to say how many times in my life in this role (as Identity Woman) folks have walked up to me and suggested that they have “the answer” to digital identity.
If you are saying this, it means you don’t understand the problem, because it isn’t “solvable” with “the answer”, because it can’t be – the problem isn’t that simple. I also know that, because it is such an incredibly hard problem to solve, we need lots of really smart folks who have thought about it to collaborate together to find solutions to different aspects of the problem/challenge. I always take time to listen to understand how they see the problem and explain their solution. I usually share who else I know working on that aspect of the problem and suggest they connect/join the part of the community working on it.
COVID means that this now happens in virtual ways with tweets. I got one today and it was a link to a long Medium post suggesting a new group was going to solve the problem and inviting everyone to join… (yes, I’ve heard that before). We already have a network, depending on how you count it, of about 13 .orgs working in the field and well over 100 companies and several thousand people. They are in an interesting mesh/network that is hard to see from the outside, but it is quite real and a humming hive of activity with real cross-pollination. The open standards are finally emerging and going into real-world deployments; it’s quite exciting.
On the other hand, it’s hard to see what these solutions are and where things are figured out, because there is so much activity and not a lot of high-level sense-making going on to help those from the outside see clearly.
So here is my response to the question I was asked about what I thought about this new effort focused on creating Universal Identity.
“Up and coming blockchain-based identity platforms such as Sovrin and overlaying applications such as uPort on Ethereum, promise to be a universal, permissionless and decentralized solution to the identity problem, however due to their blockchain-based design, they especially fail to provide the adequate privacy required by the consumer and early adopter markets.”
– the internet’s missing identity layer
This quote means we haven’t communicated something really, really important about where the puck moved. It used to be that projects were talking about putting Decentralized Identifiers for people “on ledger” and that this on-ledger identifier would be used across applications/services/websites. This is not true any more. All the SSI projects are basically moving in the direction of NOT putting any decentralized identifiers for people on ledger, ever.
What does happen now is that consumers create a new pairwise DID per interaction with any site/service/application that they want to access, and use DID-Auth to authenticate using their private keys. All between their wallet and the site.
There has also been an evolution in how Verifiable Credentials are issued and presented that preserves privacy and means that if they are issued to DIDs, those are not on ledger. So before writing on the current technology that has some tiny sprinkles of blockchains, it is important to understand that most of it isn’t about them but rather about the crypto and exchanges between people and sites/organizations, with usable PKI and wallets that help them manage all that in a usable way.
Just reading things like “A truly universal identity system” makes me wonder if they have read Kim Cameron’s Laws of Identity, where he talks about the qualities of an identity metasystem. If not, then how do we figure out how folks encountering our space find this germinal work?
So… SSI changes how “account creation” and “login” happen rather dramatically. This shift, away from usernames and passwords (and additional second factors) to presentation of pairwise credentials per site/service that leverage DIDAuth to just authenticate using DIDs/keys generated by the user in their wallet, will be a big deal (it’s super private, by the way). Even framing it in the context of how Facebook login works means that how things will work isn’t fully understood yet. We will no longer have “login with”; we just don’t need it any more (this was an artifact of OpenID Connect/OAuth and was the best we could do at the time for identity portability).
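A minimal sketch of the pairwise-identifier login described above, added here as an illustration and not taken from this post or from any SSI project's code. The `Wallet` class, `verifyLogin`, the `did:example` identifiers built from a hex-encoded Ed25519 key, and the JSON challenge payload are all assumptions made for the example, not a DID-Auth specification.

```javascript
// Added illustration: Wallet, verifyLogin and the did:example encoding are
// hypothetical names for this sketch, not a DID-Auth specification.
const nodeCrypto = require('node:crypto');

// DER header that precedes the 32 raw bytes of an Ed25519 public key (SPKI).
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
const signedBytes = (origin, challenge) =>
  Buffer.from(JSON.stringify({ origin, challenge }));

class Wallet {
  constructor() { this.pairs = new Map(); } // origin -> { did, privateKey }
  // One fresh key pair, and so one unrelated identifier, per site.
  didFor(origin) {
    if (!this.pairs.has(origin)) {
      const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
      const raw = publicKey.export({ format: 'der', type: 'spki' }).subarray(-32);
      this.pairs.set(origin, { did: 'did:example:' + raw.toString('hex'), privateKey });
    }
    return this.pairs.get(origin).did;
  }
  // Sign the site's challenge together with its origin; nothing goes on a ledger.
  respond(origin, challenge) {
    const did = this.didFor(origin);
    const { privateKey } = this.pairs.get(origin);
    return { did, signature: nodeCrypto.sign(null, signedBytes(origin, challenge), privateKey) };
  }
}

// Site side: rebuild the key from the identifier and check the signature.
function verifyLogin(origin, challenge, response) {
  const raw = Buffer.from(response.did.replace(/^did:example:/, ''), 'hex');
  if (raw.length !== 32) return false;
  const key = Buffer.concat([SPKI_PREFIX, raw]);
  const publicKey = nodeCrypto.createPublicKey({ key, format: 'der', type: 'spki' });
  return nodeCrypto.verify(null, signedBytes(origin, challenge), publicKey, response.signature);
}

function demo() {
  const wallet = new Wallet();
  const shop = 'https://shop.example', forum = 'https://forum.example'; // constructed
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  const response = wallet.respond(shop, challenge);
  return {
    unlinkable: wallet.didFor(shop) !== wallet.didFor(forum),
    shopAccepts: verifyLogin(shop, challenge, response),
    forumAccepts: verifyLogin(forum, challenge, response),
    oldChallengeAccepts: verifyLogin(shop, 'previous-challenge', response),
  };
}
```

The two sites hold identifiers with nothing in common to correlate, and a response signed for one origin and challenge is rejected for any other.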
“The internet’s identity layer should allow users to manage and utilize the master list of their mutual personal and commercial connections.”
Check out JLINC and what they have working at JLINC Labs. It’s all about this type of tracking and being able to see what you share with who. Also check out the pairwise connection enabled with DIDComm and the possibility of having a unique secure channel with all commercial and organizational entities you interact with via your Agent (see the Aries Agent code base).
“One of the biggest barriers to reducing migration friction for users who want to move between competing web service providers is the lack of a standard personal data store solution.”
I couldn’t agree more. There is a reason that over a decade ago I founded a group of 50 companies who at the time were working on this, the Personal Data Ecosystem Consortium, and liaised with the World Economic Forum’s Rethinking Personal Data Project on their behalf. There are still many companies working on this; the MyData Operators Group just wrote a paper identifying 48 companies who have some sort of service in this realm. I co-chair the secure data store working group, where we are working on standardizing Encrypted Data Vaults and “identity hubs” (new names coming this week… btw).
Before joining yet another organization claiming it will “solve” all the problems, I really hope the folks working on this actually work hard to understand the work that has already been done and join work in progress that will make the vision real.
See you at IIW next week.