W3C home > Mailing lists > Public > public-credentials@w3.org > June 2017

Re: "Identity"

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Thu, 01 Jun 2017 06:49:14 +0000
Message-ID: <CAM1Sok0jVcx_zqH37hH1nTYkj6fGTcf9VAsqq998QAMs7S6X1Q@mail.gmail.com>
To: Joe Andrieu <joe@joeandrieu.com>, public-credentials@w3.org

So we don't "fix identity" (poorly worded, but anyhow).

Does that mean the group is focusing on DRM human applied ACL to be stored
by existing (incorporated) entities and/or their systems.

Which I know to be an ethical nonsense.


On Thu., 1 Jun. 2017, 4:29 pm Joe Andrieu, <joe@joeandrieu.com> wrote:

> [edited for brevity]
> On Wed, May 31, 2017, at 06:01 PM, Manu Sporny wrote:
> > I don't think anyone is meaning to imply that "Identity" is off-topic
> > for the conversation. What was mentioned on the VCWG call today was
> > specifically about aligning terminology that was used in the spec
> > because it was schizophrenic about whether it was talking about an
> > "identity" or an "entity".
> Actually, I like the PR with the switch to entity for most terms. I was
> reacting to your quoting of "Identity" in the presentation you asked for
> feedback about and the term "tar pit of identity" and similar dismissive
> comments.
> > Many of us know that Verifiable Claims are going to be used for some
> > aspects of what we call "identity" (and I'm using the term in a very
> > broad and vague sense here).
> >
> > Let's fast forward to a point where this community has properly defined
> > "identity" in a coherent way. Here are the problems that we will still
> > face:
> >
> > 1. Some other community has defined it in some other way that makes
> > sense to them and they are unwilling to change the definition... and
> > we're back to not having a unified definition.
> >
> > 2. Those that do not want this work to succeed due to self interest will
> > twist the mere fact that we are "working on identity" to demonize the
> > work.
> >
> > It's #2 above that concerns me the most because it was exactly that
> > mechanism that was used to delay the work for a year.
> This I understand. The motivation is sound but I think the key isn't to
> avoid
> identity, but rather to figure out how to be rigorous in how we discuss
> it. If
> we can be clear and cogent in how VC do and do not impact identity,
> it will be harder for opponents to label VC as "working on identity"
> while
> also easing the privacy concerns of those who understand that claims
> can compromise identity in unexpected ways if not dealt with properly.
> > We don't need to define or make "identity" prominent to build a
> > technology that will be useful for meeting many "identity use cases".
> At first this rankled me. But then I realized you may be right if you
> mean in
> our glossary. We may be able to avoid defining the term in the glossary,
> but
>  it will likely serve our conversations if we have a cogent way to
> discuss what identity is and isn't so we can preempt impassioned rants
> that distract rather than advance the technical work.
> I certainly agree with most of the edits suggested in your PR reframing
> "identity profile" as "entity profile". That, to me, is *exactly* what
> being rigorous about identity would lead us to do. The majority of
> "identity
> professionals" in the standards/conference/workshop conversations tend
> to get lazy about using "identity" as a shorthand for vaguely referring
> to
> stuff that may relate to identity. I think we did that in our previous
> usage.
> > > I don't see wholesale exorcism as the right way to move the
> > > conversation forward either.
> >
> > Agreed.
> >
> > > So, my request is to please work with me to find a way to avoid the
> > > rathole without demonizing the term itself, for example, by putting
> > > it in "quotes" and adding caveats every time it is used.
> >
> > Good proposal... now propose some solid spec text where you see the
> > problem unfolding. That's the best way to get this concept into the spec.
> I have proposed text in a comment on your PR. The trigger here was how
> the conversation was being managed prior to that, which I felt did a
> disservice to my own work in the area. I didn't take it personally, but
> wanted to call it out and find our common ground.
> > > My current focus is on framing the conversation it terms of how
> > > identity functions rather than what it means culturally,
> > > psychologically, politically, or metaphysically. I also distinguish
> > > "Identity" and "Digital Identity", the latter being a tool to
> > > facilitate the former. That may or may not work for the groups in
> > > this conversation, but I believe it is a promising direction.
> >
> > -1 to "Digital Identity" as it feels too similar to "Identity".
> I'm not sure what distinction you're making. People currently use
> the term "identity" when they clearly mean "digital identity".
> So does ISO. This is a huge mistake that I've repeatedly seen confuse
> laypeople. So, if you are referring to digital identity, say that. Don't
> call it "identity".
> > I like your "functions" approach and don't mind phrases like:
> >
> > "...to establish that the individual is above the age of 18..."
> >
> > "...to authenticate the employment status of a person..."
> >
> > "...to verify the shipping address of a customer..."
> >
> > Those are all specific statements that are a part of what many would
> > consider an identity. The benefit in the statements above is that
> > they're not vague and so there is little room for re-interpretation in a
> > negative way.
> You are correct about what many would consider an identity. Because
> most treat identity as a collection of attributes. Which aligns easily
> with
> digital identity but is not at all a good representation of identity
> beyond
> the digital realm.  I call this the compositional notion of identity,
> that is,
>  identity as the collection of attributes related to subject. In
>  contrast,
> functional identity is based on the subjective notion of identity, that
> our
> identity resides in the subjective recognition of everyone who knows us.
> In that perspective, you can never represent the aggregate identity in
> terms of attributes. All you can ever do is approximate a subset of what
> can be represented in attributes.
> When we accept the attributes are insufficient to capture our true
> identity,
> it triggers a natural hue and cry from engineers: that may be true, but
> how
> do we possibly engineer an identity system if not based on attributes?!?
> This,
> in fact, was Phil Windley's response when I shared my work on
> "correlation"
> as the foundation of identity rather than attributes.
> The answer is that we focus on how identity works and how we use it: on
> the function of identity. From there we can build tools that enhance
> that
> functionality without ever being blindsided by the limitations of
> compositional identity, such as imagining that regulations around a
> subset
> of information called PII would be sufficient to address privacy issues.
> > My primary concern with these "identity" discussions are:
> >
> > 1. Unless they help us produce specs and code, they belong in a more
> >    academic forum. At best they are a distraction and at worst, they
> >    prevent the technical discussions we need to have from happening.
> >    We do need to talk about enough of it so that the specs stick
> >    together in a coherent way.
> Respectfully, this is is the problem. The multi-decade "tar pit of
> identity",
> not just at IIW, but also apparently at the W3C, is based on engineers
> failing
> to find a rigorous way to talk about identity that holds up under actual
> implementation and collaboration.  It isn't an academic problem, it is
> an
> engineers' problem. If we can't figure out how to be rigorous in our use
> of
> the term, the systems we build will miss the mark and either trigger
> legitimate attacks for technical shortcomings or political attacks
> because
> we ignored the inevitable hot buttons rather than calmly placing them
> in their proper place.
> > 2. If we /do/ define "identity" and make it a central topic of the
> >    group, then it opens us up to a wide range of political attacks that
> >    /will/ slow things down (as they have over the past year). I'm
> >    personally not fond of having to deal with the fallout from that
> >    stuff because it 1) happens behind closed doors and 2) saps energy
> >    from those trying to build this stuff.
> I don't think it should be a central topic of the group. Identity is a
> thing.
> It exists. Its part of human society. We aren't going to "fix it". Heck,
> we've
> done a great job of sidestepping even the delusion that we are going
> "fix" online identity. That's a strong point of how we've come this far.
> My point is that if we attempt to slide identity under the rug without
> being rigorous about how and when we use the term, we are setting
> ourselves up for conflict later.
> > So, +1 to not making the discussion around "identity" verboten, but
> > within reason. I'm sure we'll find the right balance in time, but until
> > we do, let's try to leave the controversial bits out of the spec.
> +1 to leaving the controversial bits out of the spec. I didn't
> mean to imply that.  Just that it would be nice if instead of treating
> identity as a "tar pit" and putting it in quotes to highlight its
> ambiguity,
> we learn to be rigorous, and use it sparingly but accurately.
> On the whole, I think we're mostly on the same page when it comes to
> the focus of the group and what goes into the specifications. I just
> think
> there are definitely discussions where we're going to need to talk about
> "identity" and for that, it will serve us to avoid demonizing the term
> and
> instead find a way to use it with rigor.
> -j
> --
> Joe Andrieu, PMP
> joe@joeandrieu.com
> +1(805)705-8651
> http://blog.joeandrieu.com
Received on Thursday, 1 June 2017 06:50:03 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:38 UTC