W3C home > Mailing lists > Public > public-credentials@w3.org > June 2017

Re: "Identity"

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Thu, 01 Jun 2017 06:49:14 +0000
Message-ID: <CAM1Sok0jVcx_zqH37hH1nTYkj6fGTcf9VAsqq998QAMs7S6X1Q@mail.gmail.com>
To: Joe Andrieu <joe@joeandrieu.com>, public-credentials@w3.org
Ok.

So we don't "fix identity" (poorly worded, but anyhow).

Does that mean the group is focusing on DRM human applied ACL to be stored
by existing (incorporated) entities and/or their systems.

Which I know to be an ethical nonsense.

Tim.h.

On Thu., 1 Jun. 2017, 4:29 pm Joe Andrieu, <joe@joeandrieu.com> wrote:

> [edited for brevity]
>
> On Wed, May 31, 2017, at 06:01 PM, Manu Sporny wrote:
> > I don't think anyone is meaning to imply that "Identity" is off-topic
> > for the conversation. What was mentioned on the VCWG call today was
> > specifically about aligning terminology that was used in the spec
> > because it was schizophrenic about whether it was talking about an
> > "identity" or an "entity".
>
> Actually, I like the PR with the switch to entity for most terms. I was
> reacting to your quoting of "Identity" in the presentation you asked for
> feedback about and the term "tar pit of identity" and similar dismissive
> comments.
>
> > Many of us know that Verifiable Claims are going to be used for some
> > aspects of what we call "identity" (and I'm using the term in a very
> > broad and vague sense here).
> >
> > Let's fast forward to a point where this community has properly defined
> > "identity" in a coherent way. Here are the problems that we will still
> > face:
> >
> > 1. Some other community has defined it in some other way that makes
> > sense to them and they are unwilling to change the definition... and
> > we're back to not having a unified definition.
> >
> > 2. Those that do not want this work to succeed due to self interest will
> > twist the mere fact that we are "working on identity" to demonize the
> > work.
> >
> > It's #2 above that concerns me the most because it was exactly that
> > mechanism that was used to delay the work for a year.
>
> This I understand. The motivation is sound but I think the key isn't to
> avoid
> identity, but rather to figure out how to be rigorous in how we discuss
> it. If
> we can be clear and cogent in how VC do and do not impact identity,
> it will be harder for opponents to label VC as "working on identity"
> while
> also easing the privacy concerns of those who understand that claims
> can compromise identity in unexpected ways if not dealt with properly.
>
> > We don't need to define or make "identity" prominent to build a
> > technology that will be useful for meeting many "identity use cases".
>
> At first this rankled me. But then I realized you may be right if you
> mean in
> our glossary. We may be able to avoid defining the term in the glossary,
> but
>  it will likely serve our conversations if we have a cogent way to
> discuss what identity is and isn't so we can preempt impassioned rants
> that distract rather than advance the technical work.
>
> I certainly agree with most of the edits suggested in your PR reframing
> "identity profile" as "entity profile". That, to me, is *exactly* what
> being rigorous about identity would lead us to do. The majority of
> "identity
> professionals" in the standards/conference/workshop conversations tend
> to get lazy about using "identity" as a shorthand for vaguely referring
> to
> stuff that may relate to identity. I think we did that in our previous
> usage.
>
> > > I don't see wholesale exorcism as the right way to move the
> > > conversation forward either.
> >
> > Agreed.
> >
> > > So, my request is to please work with me to find a way to avoid the
> > > rathole without demonizing the term itself, for example, by putting
> > > it in "quotes" and adding caveats every time it is used.
> >
> > Good proposal... now propose some solid spec text where you see the
> > problem unfolding. That's the best way to get this concept into the spec.
>
> I have proposed text in a comment on your PR. The trigger here was how
> the conversation was being managed prior to that, which I felt did a
> disservice to my own work in the area. I didn't take it personally, but
> wanted to call it out and find our common ground.
>
> > > My current focus is on framing the conversation it terms of how
> > > identity functions rather than what it means culturally,
> > > psychologically, politically, or metaphysically. I also distinguish
> > > "Identity" and "Digital Identity", the latter being a tool to
> > > facilitate the former. That may or may not work for the groups in
> > > this conversation, but I believe it is a promising direction.
> >
> > -1 to "Digital Identity" as it feels too similar to "Identity".
>
> I'm not sure what distinction you're making. People currently use
> the term "identity" when they clearly mean "digital identity".
> So does ISO. This is a huge mistake that I've repeatedly seen confuse
> laypeople. So, if you are referring to digital identity, say that. Don't
> call it "identity".
>
> > I like your "functions" approach and don't mind phrases like:
> >
> > "...to establish that the individual is above the age of 18..."
> >
> > "...to authenticate the employment status of a person..."
> >
> > "...to verify the shipping address of a customer..."
> >
> > Those are all specific statements that are a part of what many would
> > consider an identity. The benefit in the statements above is that
> > they're not vague and so there is little room for re-interpretation in a
> > negative way.
>
> You are correct about what many would consider an identity. Because
> most treat identity as a collection of attributes. Which aligns easily
> with
> digital identity but is not at all a good representation of identity
> beyond
> the digital realm.  I call this the compositional notion of identity,
> that is,
>  identity as the collection of attributes related to subject. In
>  contrast,
> functional identity is based on the subjective notion of identity, that
> our
> identity resides in the subjective recognition of everyone who knows us.
> In that perspective, you can never represent the aggregate identity in
> terms of attributes. All you can ever do is approximate a subset of what
> can be represented in attributes.
>
> When we accept the attributes are insufficient to capture our true
> identity,
> it triggers a natural hue and cry from engineers: that may be true, but
> how
> do we possibly engineer an identity system if not based on attributes?!?
> This,
> in fact, was Phil Windley's response when I shared my work on
> "correlation"
> as the foundation of identity rather than attributes.
>
> The answer is that we focus on how identity works and how we use it: on
> the function of identity. From there we can build tools that enhance
> that
> functionality without ever being blindsided by the limitations of
> compositional identity, such as imagining that regulations around a
> subset
> of information called PII would be sufficient to address privacy issues.
>
> > My primary concern with these "identity" discussions are:
> >
> > 1. Unless they help us produce specs and code, they belong in a more
> >    academic forum. At best they are a distraction and at worst, they
> >    prevent the technical discussions we need to have from happening.
> >    We do need to talk about enough of it so that the specs stick
> >    together in a coherent way.
>
> Respectfully, this is is the problem. The multi-decade "tar pit of
> identity",
> not just at IIW, but also apparently at the W3C, is based on engineers
> failing
> to find a rigorous way to talk about identity that holds up under actual
> implementation and collaboration.  It isn't an academic problem, it is
> an
> engineers' problem. If we can't figure out how to be rigorous in our use
> of
> the term, the systems we build will miss the mark and either trigger
> legitimate attacks for technical shortcomings or political attacks
> because
> we ignored the inevitable hot buttons rather than calmly placing them
> in their proper place.
>
> > 2. If we /do/ define "identity" and make it a central topic of the
> >    group, then it opens us up to a wide range of political attacks that
> >    /will/ slow things down (as they have over the past year). I'm
> >    personally not fond of having to deal with the fallout from that
> >    stuff because it 1) happens behind closed doors and 2) saps energy
> >    from those trying to build this stuff.
>
> I don't think it should be a central topic of the group. Identity is a
> thing.
> It exists. Its part of human society. We aren't going to "fix it". Heck,
> we've
> done a great job of sidestepping even the delusion that we are going
> "fix" online identity. That's a strong point of how we've come this far.
>
> My point is that if we attempt to slide identity under the rug without
> being rigorous about how and when we use the term, we are setting
> ourselves up for conflict later.
>
> > So, +1 to not making the discussion around "identity" verboten, but
> > within reason. I'm sure we'll find the right balance in time, but until
> > we do, let's try to leave the controversial bits out of the spec.
>
> +1 to leaving the controversial bits out of the spec. I didn't
> mean to imply that.  Just that it would be nice if instead of treating
> identity as a "tar pit" and putting it in quotes to highlight its
> ambiguity,
> we learn to be rigorous, and use it sparingly but accurately.
>
> On the whole, I think we're mostly on the same page when it comes to
> the focus of the group and what goes into the specifications. I just
> think
> there are definitely discussions where we're going to need to talk about
> "identity" and for that, it will serve us to avoid demonizing the term
> and
> instead find a way to use it with rigor.
>
> -j
>
> --
> Joe Andrieu, PMP
> joe@joeandrieu.com
> +1(805)705-8651
> http://blog.joeandrieu.com
>
>
Received on Thursday, 1 June 2017 06:50:03 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:38 UTC