
The Asymmetry of Internet Identity - cxr
https://crawshaw.io/blog/identity-stack
======
carapace
There's a book, "Mystery of Capital", wherein the author points out that in
order for identity and contracts to work there has to be "something to lose"
for the parties involved.

E.g. the power company can't supply power to slums not because of technical
limits, but rather economic limits: because the residents don't have titles or
leases or bank accounts there's no way to shut off the power to a household
for non-payment. There's no leverage without paperwork.

It's relatively established how to do this IRL with deeds and titles and
contracts and such. On the Internet it's not even clear that identity is
_possible_ to establish. Our computer systems leak like sieves and people get
hacked all the time.

I was imagining just yesterday starting an MLM system based on reselling
yubikeys and establishing a hardware-backed web-of-trust. I wouldn't even try
to make it a pyramid: just resell the keys to your "downline" at wholesale
plus the upline uh payment (I don't know the terminology.) Any infrastructure
is provisioned by open bid and paid for by simple equal division among all
current members. I would imagine it would amount to about a dollar or two per
month per person at the very most, flat rate, not part of the MLM.

The whole point is to self-fund a hardware-backed p2p-IRL identity
authentication network.

~~~
gotodengo
This has interesting ramifications in areas which do have the ability to
support power supply, but haven't implemented our style of loans tied to
collateral (Edit: Or rather haven't implemented automated billing, pre or post
paid, tied to an identity.).

I saw this in play in Mozambique. Few people had bank accounts, even fewer had
mailing addresses, but many still had power.

Once a month or so you went down to the market and bought a little scratch off
ticket worth X amount of power, I assume with the same one time use keys used
on gift cards. When a house wanted hooked up to the grid they'd be supplied
with a power meter which had a keypad. Type the numbers from your scratch off
into the box, and it'd update its counter with how much electric you had
left.

A lot of things worked on this scratch off system, and it's one of the things
I really liked. It enabled the power company to trust in their hardware
instead of having to place trust in an individual. So the individual didn't
have to provide any collateral. There was no credit check to get a new phone
plan, because you either bought a scratch off that month or you didn't. No one
came around to check your power meter unless there was something wrong with
it, and the company didn't much care what it was supplying power to. I
watched my neighbor build a new house and transfer his live box (quite
dangerously) from his old to the new. The power company trusted the hardware,
not a person or house it was tied to, so it didn't matter and there was never
any record of what he was powering with it in the first place.

------
zokier
Personally I think good identity system should have these properties:

* Identity provider should not see which services users authenticate to. Afaik this is now a major issue with current "Log in with X" systems

* Services should not be able to discover which other services user has authenticated to, i.e. the identity presented to service A should not be linkable to identity presented to service B

* Identities should be relatively stable. The identity presented to certain service at certain point in time should be the same identity presented to the same service in some other point of time.

* The system probably needs to be able to allow users to reveal additional information about their identity. This is problematic requirement because in wider use it is ripe for abuse by service providers

* Optionally it'd be nice if the system would have some facilities for offline usage, where neither user nor service needs to talk to identity provider.

This is fairly hairy problem, with many more concerns in the details and other
people probably having different requirements. From a quick search,
Credentica's (now MS) U-Prove system comes closest, but I haven't delved really
into it to see if it actually matches my thoughts.
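
The second and third properties in the list above (identifiers unlinkable across services, yet stable for each service) can be illustrated with a per-service identifier derived on the user's side; this is an added example, not part of the comment and not how U-Prove works. It assumes a user-held master secret and an HMAC-SHA256 derivation, and the names `normalize_origin`, `pairwise_id` and `shared_identifiers` are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(service_url: str) -> str:
    """Reduce a service URL to a canonical scheme://host:port origin.

    Without this step the identifier would change with letter case, a
    trailing dot, an explicit default port or a different path.
    """
    parts = urlsplit(service_url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"not an http(s) service URL: {service_url!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return f"{parts.scheme}://{host}:{port}"


def pairwise_id(master_secret: bytes, service_url: str) -> str:
    """Derive the identifier this user presents to one service."""
    if len(master_secret) < 32:
        raise ValueError("master secret must be at least 32 bytes")
    origin = normalize_origin(service_url)
    # Domain-separation label so the secret can also serve other derivations.
    msg = b"pairwise-id-v1\x00" + origin.encode("utf-8")
    return hmac.new(master_secret, msg, hashlib.sha256).hexdigest()


def shared_identifiers(db_a: set, db_b: set) -> set:
    """What two colluding services learn by joining their user tables."""
    return db_a & db_b


# Constructed sample users; real secrets would be random and stay on the
# user's device (assumption of this example).
ALICE = bytes(range(32))
BOB = bytes(range(32, 64))

if __name__ == "__main__":
    shop = {pairwise_id(s, "https://shop.example/login") for s in (ALICE, BOB)}
    forum = {pairwise_id(s, "https://forum.example/") for s in (ALICE, BOB)}
    print("stable:", pairwise_id(ALICE, "HTTPS://Shop.Example:443/") in shop)
    print("linkable across services:", shared_identifiers(shop, forum))
```

Because the derivation needs no identity provider, no third party sees which service is being visited; the first, fourth and fifth properties (selective disclosure in particular) are outside what this sketch covers.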

------
gnode
This article seems to present the state of the Internet as a kind of
feudalism, where one must swear fealty to an established "brand", and carving
out a life as a freeman is practically unattainable. I'd say the reality is
that it's easy to join the Internet land-owning class (buy a domain; get a
cert; run services), yet most people prefer to rent because they are not so
inclined.

Email is widely used, HTTPS is widely used, and they don't require you use a
gatekeeper brand. Many instant messaging platforms, while run by brands, allow
you to bring your own email address as an identity.

I don't think authentication of identities is a feature that ties people to
brands. A phone number is pseudonymous, and acts as an identity for many
mobile messaging applications. Authentication in many cases is performed
socially: you got the number from them, from a mutual friend, or they told you
who they are and you were convinced.

~~~
danShumway
> _Email is widely used_

Setting up your own email server is notoriously difficult, and requires
coordination with major brands. Importantly, people who use brands like GMail
can't choose to whitelist you. There's no setting in GMail saying, "I trust
everything coming from Bob's domain, don't bounce them." Emails get rejected
on the protocol level.

Effectively, if your friend is using Gmail, then they're using a brand, and
you won't be able to talk to them unless you also use a brand that Google
respects.

> _HTTPS is widely used_

The DNS system is probably one of the things I'm _least_ worried about online,
but it doesn't make sense to describe it as anything except as a brand.
Domains aren't permanent -- you have to continue leasing them. That makes
sense for a brand because you don't want companies to take over an entire
space, but it makes no sense for an identity, because you should be able to
permanently own an identity. Additionally, DNS is optimized for brand
recognition, not for identity verification. It makes a ton of security
compromises (think ally vs a11y) that make identity verification harder, but
brand recognition easier.

I would also disagree that phone numbers are good identity systems. Most
people keep their phone number permanently, and it's trivial to tie a number
to a real world identity. I would hesitate to call it pseudonymous. There's a
real conflict between phone numbers being treated like a permanently owned
identity and phone numbers being a thing you need to maintain and carry with
you. In general, I try very, very hard not to allow any business to tie my
identity to a number, because I think it's blatantly insecure.

I do think the first point you're getting at is correct, in a sense:

> _I'd say the reality is that it's easy to join the Internet land-owning
> class (buy a domain; get a cert; run services), yet most people prefer to
> rent because they are not so inclined._

I agree. However, it's not that identity management online is good. What
you're describing is that it's relatively easy to build a _brand_. It's
relatively easy for me to set up a domain, grab my username on new services as
they come up, and make sure that when someone searches me on Google I show up
near the top. That's not identity, that's brand management.

The reality is that the current Internet is adapted to brands, but because
it's not a massive problem for technical people to invest into making their
own brand, we just kind of tolerate it. And non-technical people prefer to
rent space on other people's brands instead of building their own. But in both
cases, we haven't really built personal identities that are disassociated from
advertising or word-of-mouth.

~~~
JohnFen
It really sounds like you're using the word "brand" to mean "service" here.

~~~
zbentley
They are, because the article in the topic (re)defines it that way.

------
human20190310
> There is no good way for a person to identify another person without first
> mutually agreeing on Brand identities.

How is this absence not a _good_ thing? If someone wants to be identified,
they have to go through the trouble of creating an identity. In fact, it would
be preferable to also not have a permanent or consistent personal identity
with respect to brands either.

------
JohnFen
I think I get what the article is trying to say, but I have to admit that
bringing in the concept of "brand" seriously derails it for me.

My identity is not a "brand", the identifiers I use online are not a "brand",
and I don't interact with "brands". I interact with people.

What I'm not sure about is whether I'm just having a reaction to the use of
the concept of "brand" that is obscuring a meaningful and accurate point for
me.

Now that I've written all of this, though, I'm not sure that I understood what
the article was trying to say at all.

EDIT: now that I've read it a couple of times, I'm pretty sure that I don't
understand what it's really saying. Can someone explain like I'm five?

~~~
TeMPOraL
Your on-line identity consists of one or more brands and associated brand-
specific identifiers. For instance, to me right now, you're HN!JohnFen. HN, or
news.ycombinator.com, is the brand. Right now I'm speaking to you also using
HN brand, as HN!TeMPOraL. HN is the brand through which the communication
happens. I can't use my Twitter!TeMPOraL_PL account to talk to you, because
there's no transport between Twitter and HN. And even if it was, now _two_
brands would be involved in communication.

If you think about it, you'll notice that there's no way you and me can ever
talk with one another without a brand intermediary, unless we accidentally
meet somewhere physically, or unless some direct connection details could be
exchanged through a chain of our physical acquaintances (essentially
performing an IP routing over meatspace social network).

~~~
JohnFen
I think I see what I was missing here -- he's talking about _identity
services_, not actual identities. I see a large difference there.

In any case, thank you for helping to clear that up.

> If you think about it, you'll notice that there's no way you and me can ever
> talk with one another without a brand intermediary

I think that this is a matter of worldview or perspective. I don't see it that
way at all, but I understand how others might.

The use of the term "brand" here is very confusing to me, as a brand is a
constructed and projected image, not a solid thing. As another commenter here
said, "institution" may be better. "Company" might be even better than that.

~~~
TeMPOraL
I think "brand" is used here because it's a bit more accurate than "company"
or "institution". Consider an Instagram account and a Facebook account. Both
are owned by the same company - though they weren't in the past - and yet they
create their separate communication networks. What the author calls "a brand"
can change its owner, and multiple distinct "brands" can be owned by the same
organization. The example with Alice and Bob tells you that an individual can
also establish such a "brand".

I don't know of a better term to use here.

~~~
JohnFen
Well, in the sense that you've explained, the article is talking about
identity and communications channels as if they are related, so perhaps
"communications channel" would be the most accurate term?

~~~
TeMPOraL
Not sure. Take the two e-mail addresses I still use; one is on GMail, the
other under my domain. There are two "brands" (GMail and my domain), but one
communication channel (e-mail).

(From my point of view, there are perhaps _three_ "brands" - I own the
domain, but the address under my domain is handled by Fastmail.)

Let me turn the question around: what about the author's use of the word
"brand" seems to conflict with the usual use of that word? Especially when you
include the extended meaning that gives rise to terms like "personal brand"?

The way the author uses that word intuitively clicks with me, but then again,
I could be wrong about what the word "brand" means in general.

~~~
JohnFen
> Take the two e-mail addresses I still use; one is on GMail, the other under
> my domain. There are two "brands"

Hmm, I don't see email as an example of a "branded" communications at all. If
we're exchanging emails, it doesn't matter to either of us who our email
provider is. The identity is our email address, which is not necessarily
linked to what email provider we're using.

> what about the author's use of the word "brand" seems to conflict with the
> usual use of that word? Especially when you include the extended meaning
> that gives rise to terms like "personal brand"?

A "brand" is a marketing thing -- it's the sum total of the iconography, art,
marketing, and so forth of a product or company. It is distinct from the
actual product or company.

I don't have a "personal brand" at all, because I don't market myself in a way
that would require one.

This is clearly not what the author means, though, which is why I find its use
to be confusing -- I don't really know exactly what he means by the term.

~~~
basch
The author means brand to mean authoritative identity holder. It means an
institution that 1) doesn't allow two people to use the same name and 2) at a
very basic level will reactively correct fraud

It is being used similar to the way we think of banks, as a provider of trust,
and a custodian. Now that I think about it, custodian is a much better word
than institution or brand.

------
synctext
Really good read. Provides a new abstraction model that we've not seen before.
It shows the depth of the problem and why we have never solved it since the
days of PGP, 1991. It does not mention the idea of owning your own
identity[1], a possible solution.
[1] https://wiki.p2pfoundation.net/Self-Sovereign_Identity

------
Mathnerd314
The discussion leaves out account/identity recovery, which in practice is the
most important part. You can use a PGP keypair as your identity, but if you
lose access to it then you're screwed. So from an identity perspective the
"brands" he mentions are a set of account recovery services of varying
effectiveness, consisting of email, SMS, phone, and more
complicated/unreliable methods like begging technical support.

At the end he mentions a statistical analysis in Mathematica and a text
adventure in PHP. The second seems easy enough to share by just giving out an
IP or using a dynamic DNS service. Mathematica is less clear, because it's
proprietary, but it comes with a cloud subscription so presumably one would
just upload it to the cloud. It's pointless to complain about a "brand" when
the software itself is the brand.

And the last part where he talks about identifying people is also really
simple. Everyone has a phone, so just using GPS narrows down the space to a
few hundred, wherein one can use other methods like scrolling through the
list. The hard part is doing it in a way that doesn't allow user tracking, but
that's a privacy rather than an identity issue.

------
raxxorrax
I don't necessarily want to rely on brands to use the jargon of the article to
facilitate informational exchange.

As a user I certainly am interested to exclude the brand wherever I can,
because it is a security flaw and allows for countless attack vectors.

I know about the current ambitions of identity providers and I make use of
them because I am lazy too and don't know enough about security to match their
services. But it is still a concession.

I think keeping the logistical perspective of key exchange can work for new
ideas, while this perspective obfuscates ambitions the brand could want to see
realized.

Quote from the link in the text:

> User-centric designs turned centralized identities into interoperable
> federated identities with centralized control, while also respecting some
> level of user consent about how to share an identity (and with whom).

... "while also respecting ~some~ level of user consent" is the issue where
legislation for informational self determination is needed.

Again, if this problem is transparently presented, I would have less issue
with this new perspective.

You can already upload everything to Amazon beanstalk and use Amazon cognito
as an identity provider. Hacked together but very usable. I already sold my
soul countless times but there is still one problem: Amazon.

~~~
basch
Institution may have been a better word than Brand.

~~~
TeMPOraL
It's not. Consider e.g. Instagram and Facebook, both currently owned by the
same company, yet being distinct Brands both in the regular meaning of the
word, and in the meaning used by the article.

------
metalliqaz
I like this article. It is concise and really lays out the issue in an
organized way that explains a lot. I've understood this as a problem for so
long, but I've not had the perspective to think about it clearly.

------
dusted
This is lovely. I've always considered myself an internet person, I own a few
domain names, I have a few servers, actual, physical pieces of hardware,
connected to the Internet through my private internet connection. Sure, it
took a bit of effort to get it up the first time, to figure out how to
configure routers, to configure postfix and set up mail accounts, figuring out
how to do DKIM in and DNS, but, now the bar for entry is extremely low..

If I write a PHP adventure in an hour, it won't take more than 5 minutes to
put it online for the world to see, and those who know me, know my
domain/brand, and I can easily link it to them.

If alice wants to talk to bob, she can just send those IP packets to his
computer! If alice and bob are good friends, they probably exchanged
certificates at some point.

In retrospect, I used to be rather arrogant about this, not proud, just
annoyed why everyone didn't just do that. But I've realized that I probably
didn't find any of it easy, I just happened to find it fun and interesting.
It'd have been torture if it was not fun for me to do.

So yeah, we should maybe think hard about how to get to that point, where
everyone who is online can have that amount of freedom, without having to
rely on third parties, and without dedicating days to learning _that_much_
technical stuff. We don't need a new service trying to do this for us on the
old Internet, we need some fundamental change, maybe it is not even to the
network itself, maybe it is to the way we use or think about it.. Maybe it is
just concepts we are missing? Maybe it is tools. Maybe it is really a
fundamental change to the network itself. All must be free and equal on the
capital I-Internet.

------
VintageVibes
I was surprised this post didn't even mention the existence or development
around decentralized P2P technologies for identity management. We have the
tech, it's mostly a problem of marketing and network effect. Large centralized
brands like Google or Facebook are convenient active hubs of interconnected
identities, but these centralized apps have the major downside of eventually
leaking personal data that we don't want them to. Not to mention at some
point it just gets so tiresome to create yet another account, for yet another
brand. We need secure means to manage our own online identity in a way that
can interoperate with all the brands out there with minimal risk.

------
basch
Layer 5 belongs before Layer 4, it's more like a half layer similar to IP vs
MAC. OAuth is a way to communicate someone's registered personhood securely.

The last layer should be "Persona" and be about how people present their
personality and behavior, having potentially multiple identities, characters,
depending on the service, context, how much anonymity exists, etc and it would
be akin to Layer 7 Applications, running on top of our wetware. Stephen Colbert
vs Stephen T Colbert.

~~~
pwinnski
I can be name@mydomain.com without using "Inter-brand Identity protocols," so
the layers seem to be in the right order to me.

~~~
basch
name@mydomain.com would be layer 3 correct? using the oauth services of
mydomain.com to authenticate yourself as name@mydomain.com should be layer
3.5, not layer 5. To me that comes before the "person" layer 4.

------
jart
DNSSEC. It's the solution to walled garden brands. The problem is that it
needs the support of the big brands to be successful, and the big brands don't
want competition.

~~~
tptacek
The solution to walled garden brands is to have registrars and world
governments take over identity? If DNSSEC had been widely deployed a few years
ago, Muammar Gaddafi would have owned BIT.LY's CA. If a CA misbehaves, Google
and Mozilla can nuke them from orbit --- as they just did with several of the
industry's largest CAs. If .COM misbehaves --- a thing that has happened
repeatedly in the last 10 years, because the DoJ owns it --- Google does,
what? Move to .IO? Oh, wait, that's a Five Eyes TLD as well!

You've got one thing right, though: virtually no major Internet tech
companies, save Cloudflare (which sells DNSSEC services) and PayPal (but not
their subsidiaries like Braintree or Venmo) use DNSSEC. Not Microsoft, Google,
or Apple; not Mozilla, Stripe, or Square; not Facebook, not Cisco, not Oracle;
not Salesforce, not Twitter; not Netflix. If there's a conspiracy against
DNSSEC, it is _deep_.

Firefox, Chromium, and Apple piloted DNSSEC years ago, and then _withdrew_
support. It's been 25 years with DNSSEC. He's dead, Jim. Let him go.

~~~
jart
No conspiracy theories please. DNSSEC is operated by a non-profit called ICANN
which manages its key-signing-keys in publicly recorded ceremonies comprised
of community representatives from each continent. If you believe Google and
Mozilla have legitimacy to govern cryptography affairs in the third-world,
then by all means continue supporting the status quo. Also anyone registering
novelty names should be aware of the risks.

~~~
tptacek
I don't know what DNSSEC you could possibly be referring to, because it's not
the one that exists in reality. The reality-based DNSSEC does in fact have a
silly security-theater ritual managed by ICANN to set the keys for the root,
but --- and, this gets a little arcane and involves knowing some intricate
details of DNS --- hanging off the root are the TLDs, like "com" and "uk", and
there is no publicly recorded key signing ceremony for the TLDs. Nor could
there be, because the owners of the most popular TLDs publicly assert their
right to control the contents of those zones for public policy; see, for
instance, every DOJ domain takedown ever.

I do however enjoy pointing out that, all this aside, you could post the root
keys, the product of these elaborate key signing rituals, on Pastebin tomorrow
and no real-world security engineers would have to come in on the weekend;
they could pick the Jira ticket up to "figure out whether we care that all
security in DNSSEC has been revoked" sometime during the next work week and be
perfectly OK. Because, of course, nothing in the reality-based reality
actually depends on DNSSEC.

