
Why Decentralized Identity Matters - taylorwc
http://continuations.com/post/131622514215/why-decentralized-identity-matters-githubs
======
murbard2
Identity does not require consensus, naming does.

If you want to have a decentralized DNS, a blockchain might make sense.
However, a global consensus on who controls what name isn't as relevant as one
would think. As more and more interactions are initiated online, the SSH model
of accepting the key on the first connection becomes better suited.

How do I know I am connecting to my bank's website and not some phishing
website? Because it presents me with a proof that it controls the identity of
the website where I initially opened my account.

My point is that decentralized identity does not require a blockchain. This is
the result of people thinking: "hey, what can I do with a blockchain?" rather
than "How do I build a decentralized identity system".

The supreme irony is that Satoshi Nakamoto is the perfect proof that a secure
online identity need not depend on a central authority, or a blockchain.
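
Added example, not part of the thread or any commenter's code: a minimal trust-on-first-use pin store in the style of SSH's `known_hosts`, illustrating the model described in the comment above. `PinStore`, its methods and the sample key bytes are hypothetical and constructed; proof that the peer holds the matching private key is assumed to be checked by the transport, as SSH does. A mismatch alone cannot distinguish a rotated key from an impostor, so re-pinning requires explicit out-of-band confirmation.

```python
import hashlib
import hmac


class PinStore:
    """Trust-on-first-use store: identity name -> SHA-256 fingerprint of its public key."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        return hashlib.sha256(public_key).hexdigest()

    def check(self, name: str, public_key: bytes) -> str:
        """Return 'first-use', 'match' or 'mismatch' for the key presented by `name`."""
        seen = self.fingerprint(public_key)
        pinned = self._pins.get(name)
        if pinned is None:
            self._pins[name] = seen  # the one unauthenticated leap of faith
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        return "mismatch"  # the stored pin is never overwritten silently

    def repin(self, name: str, public_key: bytes, confirmed_out_of_band: bool) -> None:
        """Replace a pin only after the change was verified over another channel."""
        if not confirmed_out_of_band:
            raise PermissionError("key change for %r not confirmed" % name)
        self._pins[name] = self.fingerprint(public_key)


def demo():
    store = PinStore()
    key_a = b"constructed-sample-public-key-A"  # constructed sample, not a real key
    key_b = b"constructed-sample-public-key-B"  # constructed sample, not a real key
    results = [
        store.check("bank.example", key_a),  # account opening: key is pinned
        store.check("bank.example", key_a),  # later visit: same key
        store.check("bank.example", key_b),  # impostor or rotated key: flagged
    ]
    store.repin("bank.example", key_b, confirmed_out_of_band=True)
    results.append(store.check("bank.example", key_b))
    return results


if __name__ == "__main__":
    print(demo())
```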

~~~
natrius
Decentralized identity _revocation_ requires a blockchain. It's easy enough to
give people statements that you control a given public key. It's hard for them
to know whether they should still trust that key. Blockchains are the only
systems that are censorship-resistant enough for us to rely on for this
purpose.

Sure, lots of people have done lots of thought experiments about what to use
blockchains for, some of which weren't the best. However, if you haven't gone
through that period yourself, your blockchain use cases are probably too
narrow.

~~~
murbard2
Anyone can get Edward Snowden's public key on the Internet, so no, blockchains
clearly aren't the only system which is censorship resistant enough to achieve
this goal.

I've been thinking about blockchain use cases pretty extensively for the past
two years and written extensively both personally and pseudonymously on the
topic. That doesn't mean I have to be right, but if I'm wrong, it's not for a
lack of reflection on the matter.

~~~
natrius
I said things about key revocation. You said nothing about key revocation. How
is that a retort?

------
rabbyte
I think BlockchainID is a step in the right direction but is it even alive
still? The only specification I know of is a draft that's now 9 months old and
leaves the question of security up to users having a strong password. Beyond
that I thought it was just proof of concepts.

As someone building an identity system on Ethereum, I'd like to remain
interoperable, but I don't know where I would find info unless I dig through
blog posts.

~~~
muneeb
Very much alive :-)

Check out: [https://github.com/blockstack](https://github.com/blockstack)

for implementation of different software components and protocol
documentation!

~~~
rabbyte
Thanks. I did not notice the repo with the wiki, though I'm still not sure if
this constitutes a spec or a user manual.

------
ludbb
So, the linked BlockchainID publicly stores all secrets in an encrypted
format. Why would that be good, and even necessary for a decentralized
identity?

It is trying to solve key storage and public identity at the same time. How
could it possibly be a good idea to store secrets publicly?

------
andmarios
Such a system has existed for years and is called OpenID. You can use your own
OpenID provider, or choose from an established provider, which is precisely
what you do every time you log in to a site with Google or GitHub, for example.

Alas it doesn't use bitcoin...

~~~
nickbauman
OpenID has some fundamental problems that Mozilla tried to address somewhat
with its Persona API, and was marginally successful until they decided to stop
working on it, sadly. The fact that it doesn't use Bitcoin has almost nothing
to do with OpenID's flaws, though.

~~~
artlogic
I've heard vague mentions of OpenID's fundamental problems, but is there a
breakdown somewhere? I've had a hard time finding a detailed technical
description of why OpenID failed.

I do understand that it confused the hell out of users that they had to log
in with a URL, but that seems like branding and education more than a
technical flaw.

~~~
Navarr
I have always thought that OpenID would be wildly more successful if:

1. User puts in their email address

2. Website does a lookup on DNS for the email to find an OpenID endpoint (via
SRV or TXT or whatever else)

3. If OpenID connector is found, user gets redirected to authenticate

4. If not, generic create account method.

~~~
icebraining
I think that's essentially Persona, except they do some extra work to avoid
informing the Authentication endpoint about the sites you're logging in to.

------
dcosson
The biggest thing I see standing in the way of this vision of the future is
that it seems to actively go against IT best practices that medium/big orgs
have in place.

For instance, the github example in the article is cool but it seems like
every company over ~100 employees switches to github enterprise or a similar
self-hosted tool where every employee has an isolated account and it's only
accessible on the corporate network/VPN.

I've looked around out of curiosity and I haven't really found any good
information about building a secure IT organization while taking advantage of
modern SAAS products (e.g. github, slack, circleci, docker hub, whatever
else). It's basically taken as a given that if you want to be secure you'll
have a corporate network in your physical office and all your important
internal tools will be on that network (or an even more tightly locked down
subnet). I'd love to read any resources to the contrary.

~~~
williamcotton
Medium and large organizations should just run their own services that parse
the blockchain and turn the data embedded into Bitcoin transactions into the
state of names and owners. This service would read from the public network
but could itself be only accessible on the corporate network/VPN.

This applies to all sorts of Bitcoin metadata protocols beyond just Blockchain
ID, such as Open Assets, Blockcast, and Open Publish.

All of these systems use the public key infrastructure of native Bitcoin
wallets for identification and authorization so it's in the ballpark of SSH, a
proven approach in corporate settings.

~~~
ludbb
There's a big gap in parsing the bitcoin blockchain vs parsing a local
database.

The blockchain is a public ledger so any (encrypted or not) information you
store there can be retrieved by anyone. Downloading it is very slow, and
parsing it in a reliable way, i.e. using bitcoind's rpc, is even slower. So
you'll want to build an index from it, which you'll happen to store in a local
database. So after all that you end up with a local database and public
information that anyone can access.

How is that useful for this purpose?

------
rubidium
Most companies will, understandably, shy away from letting you take your
Salesforce info with you. Closed systems are beneficial to employers. Telling
companies to throw away some of their competitive advantages (e.g.
distribution lists, best customers, etc...) in the name of open-source,
decentralized identity is, I believe, an impossible sell.

~~~
nickbauman
Agree. But what if the concept is too important to be allowed to be owned by a
company? What if TCP/IP were AOL/IP? Would we even be here now? I doubt it.

~~~
jsprogrammer
See PUP [0].

[0]
[https://en.wikipedia.org/wiki/PARC_Universal_Packet](https://en.wikipedia.org/wiki/PARC_Universal_Packet)

------
josteink
The problem with decentralized _anything_ is gaining traction.

To gain traction, you need to explain it to people, and not just techies.

And most people (even most techies) either don't get 1. why it matters or 2.
what the heck it means.

It's usually also offered with a less coherent and more confusing user
experience than the centralized options.

I'd love for more decentralized systems taking hold, but I'm not optimistic
enough to believe in it yet.

------
jdshutt
Salesforce actually does use a multi-organization identity model for
SalesforceIQ (formerly RelateIQ).

[http://www.fastcompany.com/3051088/elasticity/relateiq-sales...](http://www.fastcompany.com/3051088/elasticity/relateiq-salesforces-390-million-siri-for-business-grows-up)

