Re: "Identity" from Joe Andrieu on 2017-06-01 (public-credentials@w3.org from June 2017)

From: Joe Andrieu <joe@joeandrieu.com>
Date: Wed, 31 May 2017 23:28:04 -0700
To: public-credentials@w3.org
Message-Id: <1496298484.951990.995012816.317AB97A@webmail.messagingengine.com>
[edited for brevity]

On Wed, May 31, 2017, at 06:01 PM, Manu Sporny wrote:
> I don't think anyone is meaning to imply that "Identity" is off-topic
> for the conversation. What was mentioned on the VCWG call today was
> specifically about aligning terminology that was used in the spec
> because it was schizophrenic about whether it was talking about an
> "identity" or an "entity".

Actually, I like the PR with the switch to entity for most terms. I was 
reacting to your quoting of "Identity" in the presentation you asked for 
feedback about and the term "tar pit of identity" and similar dismissive 
comments.

> Many of us know that Verifiable Claims are going to be used for some
> aspects of what we call "identity" (and I'm using the term in a very
> broad and vague sense here).
> 
> Let's fast forward to a point where this community has properly defined
> "identity" in a coherent way. Here are the problems that we will still
> face:
> 
> 1. Some other community has defined it in some other way that makes
> sense to them and they are unwilling to change the definition... and
> we're back to not having a unified definition.
> 
> 2. Those that do not want this work to succeed due to self interest will
> twist the mere fact that we are "working on identity" to demonize the
> work.
> 
> It's #2 above that concerns me the most because it was exactly that
> mechanism that was used to delay the work for a year.

This I understand. The motivation is sound but I think the key isn't to
avoid
identity, but rather to figure out how to be rigorous in how we discuss
it. If 
we can be clear and cogent in how VC do and do not impact identity,
it will be harder for opponents to label VC as "working on identity"
while
also easing the privacy concerns of those who understand that claims
can compromise identity in unexpected ways if not dealt with properly.

> We don't need to define or make "identity" prominent to build a
> technology that will be useful for meeting many "identity use cases".

At first this rankled me. But then I realized you may be right if you
mean in 
our glossary. We may be able to avoid defining the term in the glossary,
but
 it will likely serve our conversations if we have a cogent way to 
discuss what identity is and isn't so we can preempt impassioned rants 
that distract rather than advance the technical work. 

I certainly agree with most of the edits suggested in your PR reframing 
"identity profile" as "entity profile". That, to me, is *exactly* what
being rigorous about identity would lead us to do. The majority of
"identity 
professionals" in the standards/conference/workshop conversations tend 
to get lazy about using "identity" as a shorthand for vaguely referring
to
stuff that may relate to identity. I think we did that in our previous
usage.

> > I don't see wholesale exorcism as the right way to move the 
> > conversation forward either.
> 
> Agreed.
> 
> > So, my request is to please work with me to find a way to avoid the 
> > rathole without demonizing the term itself, for example, by putting 
> > it in "quotes" and adding caveats every time it is used.
> 
> Good proposal... now propose some solid spec text where you see the
> problem unfolding. That's the best way to get this concept into the spec.

I have proposed text in a comment on your PR. The trigger here was how 
the conversation was being managed prior to that, which I felt did a 
disservice to my own work in the area. I didn't take it personally, but 
wanted to call it out and find our common ground.

> > My current focus is on framing the conversation it terms of how 
> > identity functions rather than what it means culturally, 
> > psychologically, politically, or metaphysically. I also distinguish 
> > "Identity" and "Digital Identity", the latter being a tool to 
> > facilitate the former. That may or may not work for the groups in 
> > this conversation, but I believe it is a promising direction.
> 
> -1 to "Digital Identity" as it feels too similar to "Identity".

I'm not sure what distinction you're making. People currently use
the term "identity" when they clearly mean "digital identity". 
So does ISO. This is a huge mistake that I've repeatedly seen confuse
laypeople. So, if you are referring to digital identity, say that. Don't
call it "identity".

> I like your "functions" approach and don't mind phrases like:
> 
> "...to establish that the individual is above the age of 18..."
> 
> "...to authenticate the employment status of a person..."
> 
> "...to verify the shipping address of a customer..."
> 
> Those are all specific statements that are a part of what many would
> consider an identity. The benefit in the statements above is that
> they're not vague and so there is little room for re-interpretation in a
> negative way.

You are correct about what many would consider an identity. Because 
most treat identity as a collection of attributes. Which aligns easily
with 
digital identity but is not at all a good representation of identity
beyond 
the digital realm.  I call this the compositional notion of identity,
that is, 
 identity as the collection of attributes related to subject. In
 contrast, 
functional identity is based on the subjective notion of identity, that
our 
identity resides in the subjective recognition of everyone who knows us. 
In that perspective, you can never represent the aggregate identity in 
terms of attributes. All you can ever do is approximate a subset of what
can be represented in attributes.

When we accept the attributes are insufficient to capture our true
identity,
it triggers a natural hue and cry from engineers: that may be true, but
how 
do we possibly engineer an identity system if not based on attributes?!?
This,
in fact, was Phil Windley's response when I shared my work on
"correlation"
as the foundation of identity rather than attributes.

The answer is that we focus on how identity works and how we use it: on 
the function of identity. From there we can build tools that enhance
that 
functionality without ever being blindsided by the limitations of 
compositional identity, such as imagining that regulations around a
subset
of information called PII would be sufficient to address privacy issues.

> My primary concern with these "identity" discussions are:
> 
> 1. Unless they help us produce specs and code, they belong in a more
>    academic forum. At best they are a distraction and at worst, they
>    prevent the technical discussions we need to have from happening.
>    We do need to talk about enough of it so that the specs stick
>    together in a coherent way.

Respectfully, this is is the problem. The multi-decade "tar pit of
identity", 
not just at IIW, but also apparently at the W3C, is based on engineers
failing
to find a rigorous way to talk about identity that holds up under actual 
implementation and collaboration.  It isn't an academic problem, it is
an 
engineers' problem. If we can't figure out how to be rigorous in our use
of 
the term, the systems we build will miss the mark and either trigger 
legitimate attacks for technical shortcomings or political attacks
because 
we ignored the inevitable hot buttons rather than calmly placing them 
in their proper place.

> 2. If we /do/ define "identity" and make it a central topic of the
>    group, then it opens us up to a wide range of political attacks that
>    /will/ slow things down (as they have over the past year). I'm
>    personally not fond of having to deal with the fallout from that
>    stuff because it 1) happens behind closed doors and 2) saps energy
>    from those trying to build this stuff.

I don't think it should be a central topic of the group. Identity is a
thing.
It exists. Its part of human society. We aren't going to "fix it". Heck,
we've
done a great job of sidestepping even the delusion that we are going 
"fix" online identity. That's a strong point of how we've come this far.

My point is that if we attempt to slide identity under the rug without
being rigorous about how and when we use the term, we are setting
ourselves up for conflict later.

> So, +1 to not making the discussion around "identity" verboten, but
> within reason. I'm sure we'll find the right balance in time, but until
> we do, let's try to leave the controversial bits out of the spec.

+1 to leaving the controversial bits out of the spec. I didn't 
mean to imply that.  Just that it would be nice if instead of treating 
identity as a "tar pit" and putting it in quotes to highlight its
ambiguity,
we learn to be rigorous, and use it sparingly but accurately.

On the whole, I think we're mostly on the same page when it comes to 
the focus of the group and what goes into the specifications. I just
think 
there are definitely discussions where we're going to need to talk about
"identity" and for that, it will serve us to avoid demonizing the term
and 
instead find a way to use it with rigor.

-j

-- 
Joe Andrieu, PMP
joe@joeandrieu.com
+1(805)705-8651
http://blog.joeandrieu.com
Received on Thursday, 1 June 2017 06:28:33 UTC