W3C home > Mailing lists > Public > public-credentials@w3.org > September 2021

Re: Principal Authority – new article on Wyoming law defining Digital Identity

From: Bob Wyman <bob@wyman.us>
Date: Thu, 16 Sep 2021 17:04:54 -0400
Message-ID: <CAA1s49Xu4hdZ-1eNmLiz_4T6_vXskO4+UQ+iTa8eq4N8ad1yug@mail.gmail.com>
To: Alan Karp <alanhkarp@gmail.com>
Cc: Christopher Allen <ChristopherA@lifewithalacrity.com>, Credentials Community Group <public-credentials@w3.org>, Chris Rothfuss <Chris.Rothfuss@wyoleg.gov>, Dazza Greenwood <dazza@civics.com>, Clare Sullivan <cls268@law.georgetown.edu>
We should be careful with the way language is used to discuss "identity" in
order to ensure that we don't attempt to build technological solutions that
don't map usefully onto the world as we know it and as it is likely to be.

The reality is that there is no means by which I may become you. My
identity and yours will be forever different. No matter what we may do, my
identity will always be distinct from yours. However, it is clear that
there are means by which you might grant, or delegate, to me the right or
privilege to do something as if I were you. But, even if you grant me an
unlimited right to act as you, I will maintain my own identity distinct
from yours. I may exercise what would otherwise be a right of yours, but I
exercise that right as myself, not as you. (i.e. one with unlimited power
of attorney signs documents with their own name, adding an annotation that
the signature is provided on behalf of, or with the permission of,
another.) This process of granting the rights associated with an identity
pushes the "identity" discussion into the realm of "rights management," in
which realm I first patented processes for the delegation of rights over 30
years ago. (i.e. they are all now expired. Not a problem.)

The language of "identity" becomes confused when we speak about abstract
identities that are more appropriately considered "roles" rather than
identities. For instance, we typically speak of the "CEO of Company X" when
what we really mean is "That person who currently exercises the rights
associated with the office of CEO." These abstract identities are most
appropriately seen as attributes that someone may possess, but that are not
inherent to the identity or the subject of the identity. The same can be
said of the identities which can be shared simultaneously. For instance,
one's identity as a citizen of a country or an employee of a company. For
each of the commonly held identities, or roles, we see that there is some
package of rights and privileges whose possession becomes an attribute of
some entity that has an identity. Becoming the grantee for such a package
of rights allows us to say: "I may do X since I am a citizen of the USA."
or "I may do Y because I am an employee of Company X." Similarly , an
assistant who schedules a meeting on their bosses calendar should never do
so "as" the boss, but always "as the assistant, acting with permission of
the boss." It is not our identity which empowers us, but rather it is the
granting of rights, either implicitly or explicitly, that empowers us.

We should not seek to delegate "identity" and we should be careful to
ensure that the language of identity and rights management is carefully
distinguished.

bob wyman



On Thu, Sep 16, 2021 at 4:15 PM Alan Karp <alanhkarp@gmail.com> wrote:

> Delegating an identity sounds like a problem.  Does my CPA get access to
> my medical records?  Does my doctor end up with access to my financial
> information?
>
> --------------
> Alan Karp
>
>
> On Thu, Sep 16, 2021 at 12:42 PM Christopher Allen <
> ChristopherA@lifewithalacrity.com> wrote:
>
>> W3C Credentials Community:
>>
>> I've been involved in the Wyoming legislature's *Select Committee on
>> Blockchain, Financial Technology & Digital Innovation Technology* to
>> help form a new legal basis for future digital identity legislation in
>> Wyoming.
>>
>> There has been strong support in the legislature for concept of
>> self-sovereign identity, but the challenge has been what existing legal
>> framework & precedents can we build new laws from. In particular, we wanted
>> to avoid introducing any new laws under property rights frameworks.
>>
>> What we've found as a good framework is the concept of "Principal
>> Authority" which comes from the Laws of Agency, which allows us to leverage
>> fiduciary style Laws of Custom to define requirements for practices when
>> digital identity is delegated to others (whether for authorization or for
>> use of data).
>>
>> I've written up a layman's article (as I am not a lawyer) introducing
>> this topic at:
>>
>> https://www.blockchaincommons.com/articles/Principal-Authority/
>>
>>
>> In summary:
>>
>> Wyoming passed earlier this year the first legal definition for digital
>> identity https://wyoleg.gov/Legislation/2021/SF0039 — a key quote:
>>
>> "the intangible digital representation of, by and for a natural person,
>> over which he has principal authority and through which he intentionally
>> communicates or acts."
>>
>>
>> So where's the self-sovereign identity in this concept of Principal
>> Authority? In short: Principal Authority *recognizes a Principal*, which *acknowledges
>> the existence* of an entity at the heart of a digital identity.
>>
>> There's a lot more using this legal framework this implies.
>> Since Principal Authority comes from the Laws of Agency, this allows us to
>> show that this entity has Authority over that digital identity. In my
>> option, that is self-sovereign identity in a nutshell!
>>
>> Also, because Principal Authority is drawn from the Laws of Agency, it
>> says that that Authority is delegatable. Other people can make use of your
>> digital identity.
>>
>> Delegation of identity happens already when you construct an account on a
>> social media service. The difference? When it's your recognized Principal
>> Authority that is being used, your delegates must work to your benefit.
>> Like a CPA or doctor, their choices must be in your interest.
>>
>> That's also what self-sovereign identity is all about: a digital identity
>> that benefits you. That's not what we have today, where social media and
>> other internet sites are using your identity to benefit themselves.
>>
>> There's more detail to this, many unanswered questions, and some subtlety
>> on what control really means and how duties of care can be established.
>> Take a look at the article, and let me know what you think!
>>
>> We will be having a public meeting on the topic of Digital Identity &
>> Principal Authority with the Wyoming Select Committee next Wednesday
>> (September 22nd) at 2pm MT. Details about the meeting and a link to live
>> stream will be published next week at
>> https://www.wyoleg.gov/Committees/2021/S19 . You can also request to
>> offer your own public testimony during this session by emailing
>> lso@wyoleg.gov.
>>
>> Bottom line: The concept of delegatable Principal Authority that works to
>> your benefit may offer a new legal framework for digital identity. If you
>> are interested in this topic, let me know.
>>
>> In addition, the co-chair of Select Committee and leader of the Digital
>> Identity subcommittee Chris Rothfuss <Chris.Rothfuss@wyoleg.gov> is
>> likely open to greater participation from those with legal drafting
>> experience to work on applying this concept into customs, best practices,
>> and duties of care for consideration by the Wyoming Legislature in the
>> coming year. Let him know if you can help. (Like the CCG, we need more
>> drafters than talkers!).
>>
>> -- Christopher Allen
>>
>> P.S. Establishing self-sovereign identity is part of the work that we're
>> doing at Blockchain Commons. If this is important to you, please become a
>> monthly patron! Even $20 a month as an individual (or $100 for a
>> corporation) makes a difference!
>>
>>
Received on Thursday, 16 September 2021 21:05:20 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:22 UTC