Re: Unique Personhood Requirement for some DID Use Cases from Bohdan Andriyiv on 2018-06-13 (public-credentials@w3.org from June 2018)

From: Bohdan Andriyiv <bohdan.andriyiv@validbook.org>
Date: Wed, 13 Jun 2018 11:34:48 +0300
To: Christopher Allen <ChristopherA@lifewithalacrity.com>
Cc: Credentials Community Group <public-credentials@w3.org>, Nicolas Gailly <nikkolasg@gmail.com>, Phil Barker <phil.barker@pjjk.co.uk>, "bryan.ford@epfl.ch" <bryan.ford@epfl.ch>, "eleftherios.kokoriskogias@epfl.ch" <eleftherios.kokoriskogias@epfl.ch>, "linus.gasser@epfl.ch" <linus.gasser@epfl.ch>, "maria.borgechavez@epfl.ch" <maria.borgechavez@epfl.ch>, "philipp.jovanovic@epfl.ch" <philipp.jovanovic@epfl.ch>
Message-ID: <CALqw9pWNw1SqPK2tL6g=n+DjALf3J6ufqFX_PMoEX1mwp4FuBQ@mail.gmail.com>

I am all for discussing Unique Personhood.

I am quite skeptical regarding pseudonymous parties though. They are hard
to organize and scale. Democratic elections are actually pseudonymous
parties. I have been an observer to a few elections, and I know this is *a
lot of work*. It can be rigged on many steps. In reality it is a complex
process watched by members of election commission and observers (which have
competing interests and should not collude).
Pseudonymous parties might have a place in small community setting. Like,
let's choose a captain of a football team, but then why would you use
digital means for this, when you can use "paper and a hat", unless you have
some digital turn-key app.

I think the way to go with Unique Personhood in most of the cases is by
using Verifiable Credentials and Zero Knowledge Proofs.
You can have Verifiable Credentials that say for example: "Digital Identity
to which this credential is issued represents a citizen John Smith of
country A", or "Digital Identity to which this credential is issued uniquely
represents a living human individual". Now these credentials must be signed
by someone that you can trust, for example an official from Passport Office
or Validbook Arbiter/Algorithm. The question here is who you can trust to
sign these credentials and why do you trust them.

Then by using ZKP we can issue anonymous tokens based on these credentials,
that we can use in elections for example.
I'll have to admit that I am not sure how ZKP really works in the real
world. Probably, it can be made to work. The question here is how to make
ZKP truly unbreakable and unlinkable.

In conclusion, IMO the topic of making possible Unique Personhood (to be
more generic - unique representation of someone/something in some context)
comes down to 2 questions:
- Who signs verifiable credential that says this Digital Identity
represents X and why we trust them?
- How to issue anonymous tokens based on verifiable credentials?

--Bohdan Andriyiv


On Tue, Jun 12, 2018 at 9:29 PM, Christopher Allen <
ChristopherA@lifewithalacrity.com> wrote:

> A number of DID (Decentralized Indentifier)  use cases being discussed
> here seem to explicitly or implicitly require unique personhood, in
> particular scenarios requiring voting.
>
> Personally I call this “Proof of Unique Natural pPerson in a Context”.
> Given a context (say member of W3C) there is one, and only one, unique
> natural person representing each membership. I believe that it is possible
> to do this in a privacy preserving way using web-of-trust claims that is
> statistically highly accurate (99%+) though not absolutely
> deterministically, which I believe to be sufficient for many voting
> scenarios.
>
> There has also been some research on the topic of unique personhood that
> I’ve been interested in, mostly related my hopes for pseudonymous
> web-of-trust support in the DID BTCR Method & Verifiable Claims.
>
> These ideas are talked about the academic paper  “Proof of Personhood”
> from Bryan Ford’s Group at EPFL in Switzerland.
>
> https://www.zerobyte.io/publications/2017-BKJGGF-pop.pdf
>
> Also pseudonym parties:
> http://ww.bford.info/log/2007/0327-PseudonymParties.pdf
>
> Maybe we should schedule an upcoming W3C Credentials CG
> https://w3c-ccg.github.io meeting on the topic of unique personhood, and
> get Bryan (or someone from his team) to present, along with Bohdan’s
> thoughts on unique identity (SURLHI - Statement of Unique Representation
> of Living Human Individual), and my hopes for BTCR.
>
> I also would love to have something basic that is implementable to test
> using DID BTCR architectures by #RebootingWebOfTrust for week of September
> in 24th in Toronto. Maybe a pseudonym party!
>
> — Christopher Allen
>
> On Tue, Jun 12, 2018 at 10:35 AM Bohdan Andriyiv <
> bohdan.andriyiv@validbook.org> wrote:
>
>> Presumably there is a use case for someone to be able to assert that
>>> their DID represents the same person as an ORCID or ISNI?
>>
>>
>>
>> We do this on Validbook by using Validbook Statement of Ownership.
>> Basically, this is a Verifiable Credential with evidence that you control
>> some digital asset. Where evidence is a satisfaction of some challenge -
>> publish random number on or by using that digital asset.
>> Mainly, these Statements of Ownership are used to prove that DID/SSI
>> controls social networking account or blog, but of course they can be used
>> to assert ownership over ORCID, ISNI also.
>>
>> Bohdan
>>
>> On Tue, Jun 12, 2018 at 8:09 PM, Phil Barker <phil.barker@pjjk.co.uk>
>> wrote:
>>
>>> Presumably there is a use case for someone to be able to assert that
>>> their DID represents the same person as an ORCID or ISNI?
>>>
>>> Phil
>>>
>>> On 12/06/18 18:03, Steven Rowat wrote:
>>>
>>> On 2018-06-12 8:50 AM, Siegman, Tzviya wrote:
>>>
>>> Hi All,
>>>
>>> I’m seeing a lot of use cases for persistent identifiers for people. In
>>> the STEM world, the ORCID [1] is widely used. Some publishers (like the one
>>> I work for) require authors to have an ORCID. There is an overlapping
>>> system called ISNI [2]. These are real-world scenarios that already have
>>> ecosystems supporting them.
>>>
>>>
>>> That's very interesting, and the Wikipedia page for it shows that it's
>>> widespread and increasing rapidly.
>>>
>>> https://en.wikipedia.org/wiki/ORCID
>>>
>>> But it seems to me that it's happening at a different logical layer than
>>> DID, and that DID will have different capabilities; and so both could be
>>> used together if DID becomes widespread.
>>>
>>> For example, the ORCHID doesn't appear to support pseudonymous use, or
>>> multiple use, or to be safe for web commerce (via public/private keys); or
>>> Self-Sovereign Identity in general; the control of the data is by the
>>> ORCHID organization, which is centralized.
>>>
>>> These are just first impressions; perhaps I'm mistaken. But I don't
>>> think it's solving the same problem DID can potentially solve. ORCHID
>>> appears to be for researchers embedded in institutions who are using
>>> publisher organizations, whereas DID is attempting to be useful -- though
>>> admittedly in a similar way at some points -- for everybody on the
>>> internet.
>>>
>>> Steven
>>>
>>>
>>>
>>> Tzviya
>>>
>>> [1] https://orcid.org/
>>>
>>> [2] http://www.isni.org/
>>>
>>> *Tzviya Siegman*
>>>
>>> Information Standards Lead
>>>
>>> Wiley
>>>
>>> 201-748-6884
>>>
>>> tsiegman@wiley.com <mailto:tsiegman@wiley.com> <tsiegman@wiley.com>
>>>
>>>
>>>
>>> --
>>>
>>> Phil Barker <http://people.pjjk.net/phil>. http://people.pjjk.net/phil
>>> PJJK Limited <https://www.pjjk.co.uk>: technology to enhance learning;
>>> information systems for education.
>>> CETIS LLP <https://www.cetis.org.uk>: a cooperative consultancy for
>>> innovation in education technology.
>>>
>>> PJJK Limited is registered in Scotland as a private limited company,
>>> number SC569282.
>>> CETIS is a co-operative limited liability partnership, registered in
>>> England number OC399090
>>>
>>

Received on Wednesday, 13 June 2018 08:35:13 UTC