- From: Joe Andrieu <joe@joeandrieu.com>
- Date: Thu, 01 Jun 2017 09:06:18 -0700
- To: public-credentials@w3.org
On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
> On 01/06/2017 07:48, Joe Andrieu wrote:
> > On Wed, May 31, 2017, at 11:20 PM, David Chadwick wrote:
> >> On 01/06/2017 02:01, Manu Sporny wrote:
>
> > Sadly, as I discussed in my other longer email, the ISO definition of
> > identity [1] is
> > "set of attributes related to an entity."
> >
> > This is *at best* a valid definition of a digital identity as
> > represented in an ICT, a limitation that the standard at least states
> > clearly: "An identity is the information used to represent an entity in
> > an ICT system." [ICT: Information and Communication Technology]
>
> I have to disagree with you. The ISO definition is very generic
> (purposefully), since an attribute can be anything that describes the
> entity. Consequently this very generic definition applies to any and
> every ICT system. Why are we doing VCs? Because we want to move from
> paper based systems to ICT systems.
>
> So we need a definition that is applicable to ICT, which is surely the
> purpose of the VC work.
>
> >
> > The problem is that our identities are much larger than what is stored
> > in any given ICT.
>
> But why is that of interest to the VC group that is working on DIGITAL
> identities?

If we mean "digital identity", then say it. Don't confuse it with "identity".

The objections to "identity" are often because of conflation of the two. We discuss A when we mean B. We discuss "identity" when what we really mean is "the isolated domain-specific digital identity that only applies to this particular ICT system".

The problem is that these digital identities don't stay isolated. They don't stay in the domain they were created or intended for. Similarly, rights and privileges tied to our real identities are often ignored or dismantled because *in a given system* it didn't seem relevant to the engineers who designed and built it.

Identity is innately trans-system.
Any given "digital identity" may not be, but our real world "identity" absolutely is. By its very nature. We have an identity completely independent of any system or authority.

As stated previously, Verifiable Claims will be used as part of various identity systems. In fact, there are numerous examples of VCs being used to bridge previously separate identity systems by creating a digital equivalence of real-world credentials and tokens like driver's licenses, passports, and prescriptions. Our work WILL be affecting "identity" and not just "digital identity".

> > Many of our privacy problems are driven by this very
> > fact. ISO treats identity as a domain-specific concept, but when our
> > privacy is compromised, it's because information leaks from one context to
> > another.
>
> Please explain what you mean by domain-specific, and please explain
> which other domains, apart from ICT, are of interest to the VC work.

By domain I mean a specific ICT system, aligned with the W3C mental model of security by domain isolation as a response to things like cross-site scripting hacks.

> > Perhaps even more important, because ISO and others think of identity as
> > domain-specific, they fail to see the relevance of how bad decisions in
> > identity systems compromise human dignity. The myopia of "the ICT
> > system" externalizes the consequences of design choices on people's
> > identities beyond that system.
>
> I think this is an entirely different issue. The bad design of anything
> (e.g. a knife that unintentionally cuts the user rather than the meat, a
> car that hits objects because it has protruding parts invisible to the
> driver etc.) is a design issue and not a domain issue. ICT systems are
> designed to be used by humans in the physical world so obviously impact
> the physical world (and are necessarily part of it). You should view the
> ICT system in its environment of use as the system, and not the ICT
> system in isolation.
I'm suggesting that the limited view that "Identity" is the same as the digital identity in a given ICT system is the isolation that leads to bad design.

If we want to make sure we don't undermine beneficial--or unwittingly enable undesired--aspects of real-world identity, we need to acknowledge that identity is inevitably more than the digital identity in any given system. Building systems without that awareness is exactly why we've had such pushback on privacy issues related to cross-domain identifiers and have been warned off of solving "identity".

> > I'm working with several other identity professionals to try and shift
> > the ISO language on this, but that will not be a short effort.
>
> Perhaps because the current definition is an excellent one!

It's a fine definition of "digital identity" for a single ICT system. It falls far short of the mark for identity as it pertains to humans interacting with other humans across multiple ICTs and non-ICT domains.

> > [1] ISO/IEC 24760-1 (Information technology -- Security techniques -- A
> > framework for identity management) Section 3.1.2
> > http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html and
> > directly at
> > http://standards.iso.org/ittf/PubliclyAvailableStandards/c057914_ISO_IEC_24760-1_2011.zip

-j

--
Joe Andrieu, PMP
joe@joeandrieu.com
+1(805)705-8651
http://blog.joeandrieu.com
Received on Thursday, 1 June 2017 16:06:47 UTC