W3C home > Mailing lists > Public > public-credentials@w3.org > September 2021

RE: Principal Authority – new article on Wyoming law defining Digital Identity

From: <steve.e.magennis@gmail.com>
Date: Fri, 17 Sep 2021 08:59:04 -0700
To: <daniel.hardman@gmail.com>, "'Christopher Allen'" <ChristopherA@lifewithalacrity.com>
Cc: "'Credentials Community Group'" <public-credentials@w3.org>
Message-ID: <01d001d7abdc$f10747e0$d315d7a0$@gmail.com>
The language ‘projecting oneself into an interaction using a proxy’ resonates with me in terms of discussing the concepts of delegation of {*}. It seems the phrase can cover a lot of ground both were I utilize a proxy to my benefit and where I am utilized as a proxy to another’s benefit:

*	Instructions to my broker to buy 100 shares of Acme stock at $10.00/share

*	Oneself == me, Proxy == my broker

*	Instructions to my financial manager to buy and sell whatever they want as long as it optimizes my portfolio according to my goals

*	Oneself == me, Proxy == my financial manager

*	Authority to run Acme corp as CEO

*	Oneself == corporate board, Proxy == me

*	Executive Assistant Permission to schedule meetings on behalf of the CEO

*	Oneself == CEO, Proxy == EA

*	Medical power of attorney over an incapacitated family member

*	Oneself == family member, Proxy == me

*	Authority of police to demand to see my driver’s license

*	Oneself==State government, Proxy == Police officer

A more generalized phrase might be something like: ‘projecting the will (agency?) of an authority into an interaction through a proxy.’


From: Daniel Hardman <daniel.hardman@gmail.com> 
Sent: Friday, September 17, 2021 12:03 AM
To: Christopher Allen <ChristopherA@lifewithalacrity.com>
Cc: Credentials Community Group <public-credentials@w3.org>
Subject: Re: Principal Authority – new article on Wyoming law defining Digital Identity


I just wanted to chime in to say that I applaud this effort, and that the dynamic at the heart of Wyoming's effort is the reason I've enthused about "agents" for so long. IMO "agent" is an imperfect term (associated with several definitions beside the one I intend), so my note here is not intended to advocate terminology. But I do find the conceptual space crucial.


I once had an interesting discussion with Joe A about the dangers of using the word "fiduciary", so I've stopped using that word, too. But whether we call it "fiduciary" or "principal authority" or "power of attorney" or invent an entirely new term, I think the underlying principle is that when a person (or institution) projects themself into an interaction using human proxies or software/hardware, the goal is to model the intended scope of projection faithfully, neither adding to nor subtracting from the trust that the projected entity is trying to achieve. (This may have been what was originally intended by the term "user agent" in browser land, but today user agents on the web are far, far from embodying this ideal. So I consider equating that term with this concept to be harmful.)


Anyway, this is why I have always been cautious about the intersection between hosted services and self-sovereignty. I think it is possible to do that intersection "right" -- in a way that correctly models the intent of the Wyoming law, for example. But it is also possible (and extremely tempting) to do it wrong, where the user gets services but there is no guarantee of alignment of duties/intent, no guarantee of limited representation, and inadequate recourse for the represented entity.


On Thu, Sep 16, 2021 at 9:41 PM Christopher Allen <ChristopherA@lifewithalacrity.com <mailto:ChristopherA@lifewithalacrity.com> > wrote:

W3C Credentials Community:


I've been involved in the Wyoming legislature's Select Committee on Blockchain, Financial Technology & Digital Innovation Technology to help form a new legal basis for future digital identity legislation in Wyoming.


There has been strong support in the legislature for concept of self-sovereign identity, but the challenge has been what existing legal framework & precedents can we build new laws from. In particular, we wanted to avoid introducing any new laws under property rights frameworks.


What we've found as a good framework is the concept of "Principal Authority" which comes from the Laws of Agency, which allows us to leverage fiduciary style Laws of Custom to define requirements for practices when digital identity is delegated to others (whether for authorization or for use of data).


I've written up a layman's article (as I am not a lawyer) introducing this topic at:




In summary: 


Wyoming passed earlier this year the first legal definition for digital identity https://wyoleg.gov/Legislation/2021/SF0039 — a key quote:


"the intangible digital representation of, by and for a natural person, over which he has principal authority and through which he intentionally communicates or acts."


So where's the self-sovereign identity in this concept of Principal Authority? In short: Principal Authority recognizes a Principal, which acknowledges the existence of an entity at the heart of a digital identity.

There's a lot more using this legal framework this implies. Since Principal Authority comes from the Laws of Agency, this allows us to show that this entity has Authority over that digital identity. In my option, that is self-sovereign identity in a nutshell!


Also, because Principal Authority is drawn from the Laws of Agency, it says that that Authority is delegatable. Other people can make use of your digital identity.

Delegation of identity happens already when you construct an account on a social media service. The difference? When it's your recognized Principal Authority that is being used, your delegates must work to your benefit. Like a CPA or doctor, their choices must be in your interest.

That's also what self-sovereign identity is all about: a digital identity that benefits you. That's not what we have today, where social media and other internet sites are using your identity to benefit themselves.

There's more detail to this, many unanswered questions, and some subtlety on what control really means and how duties of care can be established. Take a look at the article, and let me know what you think!


We will be having a public meeting on the topic of Digital Identity & Principal Authority with the Wyoming Select Committee next Wednesday (September 22nd) at 2pm MT. Details about the meeting and a link to live stream will be published next week at https://www.wyoleg.gov/Committees/2021/S19 . You can also request to offer your own public testimony during this session by emailing lso@wyoleg.gov <mailto:lso@wyoleg.gov> .


Bottom line: The concept of delegatable Principal Authority that works to your benefit may offer a new legal framework for digital identity. If you are interested in this topic, let me know.


In addition, the co-chair of Select Committee and leader of the Digital Identity subcommittee Chris Rothfuss <Chris.Rothfuss@wyoleg.gov <mailto:Chris.Rothfuss@wyoleg.gov> > is likely open to greater participation from those with legal drafting experience to work on applying this concept into customs, best practices, and duties of care for consideration by the Wyoming Legislature in the coming year. Let him know if you can help. (Like the CCG, we need more drafters than talkers!).


-- Christopher Allen


P.S. Establishing self-sovereign identity is part of the work that we're doing at Blockchain Commons. If this is important to you, please become a monthly patron! Even $20 a month as an individual (or $100 for a corporation) makes a difference!

Received on Friday, 17 September 2021 15:59:20 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:22 UTC