Distributed ID

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

A means to distribute the sources of Identifiers and Attributes while giving more choice to Users.

Context

Every one knows the problem with identities on the internet. They are not under the control of users, who are extremely interested in their own Identity and want their own Privacy.

The following evaluation is based on the goals as listed in the spec.

# Goal Description in draft of 2020-01-22 Status
1 Decentralization Eliminate the requirement for centralized authorities or single point failure in identifier management, including the registration of globally unique identifiers, public verification keys, service endpoints, and other metadata. Spec does not achieve this
2 Control Give entities, both human and non-human, the power to directly control their digital identifiers without the need to rely on external authorities. Some authority needs to validate user agent code. There appears to be not reason to allow untrusted connections on the web, that is HTTPS which depends on identifier of the web site.
3 Privacy Enable entities to control the privacy of their information, including minimal, selective, and progressive disclosure of attributes or other data. Originally not even compliant with GDPR See update in problems below.
4 Security Enable sufficient security for relying parties to depend on DID documents for their required level of assurance. No provision for assurance
5 Proof-based Enable DID subjects to provide cryptographic proof when interacting with other entities. all they can do is sign assertions, no other proof in this spec
6 Discoverability Make it possible for entities to discover DIDs for other entities to learn more about or interact with those entities. Only if universal resolver is deployed. Even then the did method may not convey the information needed to know if the did can be supported, eg did:web and did:indy.
7 Interoperability Use interoperable standards so DID infrastructure can make use of existing tools and software libraries designed for interoperability. where existing only means libraries written specifically to support DID only
8 Portability Be system and network-independent and enable entities to use their digital identifiers with any system that supports DIDs and DID methods. Only at sites that support their chosen method and it looks like there will be several hundred methods which this is deployed.
9 Simplicity Favor a reduced set of simple features to make the technology easier to understand, implement, and deploy. Not even close
10 Extensibility Where possible, enable extensibility provided it does not greatly hinder interoperability, portability, or simplicity. Possibly true, needs validated

Problems

  • The big problem is Trust where there are no standards or examples of any trust without a history of trusted behavior.
  • Proof of Persistent Identity must be provided. This can be little more than the inclusion of a public key in a block chain, but that cannot provide any Assurance of protection of the Credential.
  • DID are designed to be tied to a did method (e.g. Sovrin) which means that a life-long ID requires life-long methods with no means to migrate, even when the method dies out or is proven defective.
  • Assurance is mentioned only one time in the DID core spec; as a goal. It is not further defined.
  • Privacy Considerations have eliminated all information about the DID except the public key. That means that it is not possible to determine if the subject is a natural person. "The group is attempting to minimize the information in a DID Document to avoid privacy laws kicking in to protect an individual. The group has achieved consensus on the above." quote Manu Sporny in the comments to the document mark-up. (2020-12-08)
  • Original comment that "DIDs are designed to come with all sorts of attributes and service points of that particular user. It is highly unlikely that this can be accomplished without leaking the real identity of the subject of the DID" was reduced to just service endpoint by 2020-12. The upshot of the change is that the did cannot even say that the subject is coved by privacy regulations since no indication that the user is a natural person is permitted.

Solutions

References

  1. Decentralized Digital Identities and Blockchain perspective from Microsoft
  2. Decentralized Identifiers (DIDs) v1.0 Core Data Model and Syntaxes
    Decentralized identifiers (DIDs) are a new type of identifier to provide verifiable, decentralized digital identity. These new identifiers are designed to enable the controller of a DID to prove control over it and to be implemented independently of any centralized registry, identity provider, or certificate authority. DIDs are URLs that relate a DID subject to a DID document allowing trustable interactions with that subject. DID documents are simple documents describing how to use that specific DID. Each DID document can express cryptographic material, verification methods, or service endpoints, which provide a set of mechanisms enabling a DID controller to prove control of the DID. Service endpoints enable trusted interactions with the DID subject.