W3C home > Mailing lists > Public > public-credentials@w3.org > September 2021

Re: Principal Authority – new article on Wyoming law defining Digital Identity

From: Bob Wyman <bob@wyman.us>
Date: Fri, 17 Sep 2021 12:34:38 -0400
Message-ID: <CAA1s49V1safhjLncYp+pZXB4AxEZ_SmbkKHSWLUwdeDhOZRX-w@mail.gmail.com>
To: steve.e.magennis@gmail.com
Cc: daniel.hardman@gmail.com, Christopher Allen <ChristopherA@lifewithalacrity.com>, Credentials Community Group <public-credentials@w3.org>
I think we can simplify the language, and make things much more
understandable, if we clearly distinguish between:

   - Identity Management, which is the discipline of determining which
   distinct entities exist and how they will be recognized. (i.e.
   Authentication)
   - Rights Management, which determines what identified entities may do in
   various contexts. (i.e. Authorization)

These two sets of issues are very much related at the same time that they
are orthogonal.

I'm concerned about phrases like "projecting the will (agency?) of an
authority ... through a proxy" since the verb ("project") ascribes the
action to the originating authority when it is, in fact, the proxy who
acts. We may consider the action of the proxy to have the same effect as
though it was the authority who acted, but, we shouldn't lose sight of the
fact that it is the proxy, not the authority, who actually acts. Even
though the proxy may be permitted to exercise rights which are associated
with the authority, the proxy does not "become" the authority. (A proxy
benefits from one or more of the authorities' rights, not from the
authorities' identity.) The interesting "Rights Management" questions that
arise with proxies are things like "What right was granted?" or "How and
when was the proxy granted that right?" These questions are independent of
the identity of either the proxy or the authority.

bob wyman


On Fri, Sep 17, 2021 at 12:01 PM <steve.e.magennis@gmail.com> wrote:

> The language ‘projecting *oneself* into an interaction using a *proxy’*
> resonates with me in terms of discussing the concepts of delegation of {*}.
> It seems the phrase can cover a lot of ground both were I utilize a proxy
> to my benefit and where I am utilized as a proxy to another’s benefit:
>
>    - Instructions to my broker to buy 100 shares of Acme stock at
>    $10.00/share
>       - *Oneself* == me, *Proxy* == my broker
>    - Instructions to my financial manager to buy and sell whatever they
>    want as long as it optimizes my portfolio according to my goals
>       - *Oneself* == me, *Proxy* == my financial manager
>    - Authority to run Acme corp as CEO
>       - *Oneself* == corporate board, *Proxy* == me
>    - Executive Assistant Permission to schedule meetings on behalf of the
>    CEO
>       - *Oneself *== CEO,* Proxy *== EA
>    - Medical power of attorney over an incapacitated family member
>       - *Oneself* == family member, *Proxy* == me
>    - Authority of police to demand to see my driver’s license
>       - *Oneself*==State government, *Proxy* == Police officer
>
> A more generalized phrase might be something like: ‘projecting the will
> (agency?) of an authority into an interaction through a proxy.’
>
>
>
> *From:* Daniel Hardman <daniel.hardman@gmail.com>
> *Sent:* Friday, September 17, 2021 12:03 AM
> *To:* Christopher Allen <ChristopherA@lifewithalacrity.com>
> *Cc:* Credentials Community Group <public-credentials@w3.org>
> *Subject:* Re: Principal Authority – new article on Wyoming law defining
> Digital Identity
>
>
>
> I just wanted to chime in to say that I applaud this effort, and that the
> dynamic at the heart of Wyoming's effort is the reason I've enthused about
> "agents" for so long. IMO "agent" is an imperfect term (associated with
> several definitions beside the one I intend), so my note here is not
> intended to advocate terminology. But I do find the conceptual space
> crucial.
>
>
>
> I once had an interesting discussion with Joe A about the dangers of using
> the word "fiduciary", so I've stopped using that word, too. But whether we
> call it "fiduciary" or "principal authority" or "power of attorney" or
> invent an entirely new term, I think the underlying principle is that when
> a person (or institution) projects themself into an interaction using human
> proxies or software/hardware, the goal is to model the intended scope of
> projection faithfully, neither adding to nor subtracting from the trust
> that the projected entity is trying to achieve. (This may have been what
> was originally intended by the term "user agent" in browser land, but today
> user agents on the web are far, far from embodying this ideal. So I
> consider equating that term with this concept to be harmful.)
>
>
>
> Anyway, this is why I have always been cautious about the intersection
> between hosted services and self-sovereignty. I think it is possible to do
> that intersection "right" -- in a way that correctly models the intent of
> the Wyoming law, for example. But it is also possible (and extremely
> tempting) to do it wrong, where the user gets services but there is no
> guarantee of alignment of duties/intent, no guarantee of
> limited representation, and inadequate recourse for the represented entity.
>
>
>
> On Thu, Sep 16, 2021 at 9:41 PM Christopher Allen <
> ChristopherA@lifewithalacrity.com> wrote:
>
> W3C Credentials Community:
>
>
>
> I've been involved in the Wyoming legislature's *Select Committee on
> Blockchain, Financial Technology & Digital Innovation Technology* to help
> form a new legal basis for future digital identity legislation in Wyoming.
>
>
>
> There has been strong support in the legislature for concept of
> self-sovereign identity, but the challenge has been what existing legal
> framework & precedents can we build new laws from. In particular, we wanted
> to avoid introducing any new laws under property rights frameworks.
>
>
>
> What we've found as a good framework is the concept of "Principal
> Authority" which comes from the Laws of Agency, which allows us to leverage
> fiduciary style Laws of Custom to define requirements for practices when
> digital identity is delegated to others (whether for authorization or for
> use of data).
>
>
>
> I've written up a layman's article (as I am not a lawyer) introducing this
> topic at:
>
>
>
> https://www.blockchaincommons.com/articles/Principal-Authority/
>
>
>
> In summary:
>
>
>
> Wyoming passed earlier this year the first legal definition for digital
> identity https://wyoleg.gov/Legislation/2021/SF0039 — a key quote:
>
>
>
> "the intangible digital representation of, by and for a natural person,
> over which he has principal authority and through which he intentionally
> communicates or acts."
>
>
>
> So where's the self-sovereign identity in this concept of Principal
> Authority? In short: Principal Authority *recognizes a Principal*, which *acknowledges
> the existence* of an entity at the heart of a digital identity.
>
>
> There's a lot more using this legal framework this implies.
> Since Principal Authority comes from the Laws of Agency, this allows us to
> show that this entity has Authority over that digital identity. In my
> option, that is self-sovereign identity in a nutshell!
>
>
>
> Also, because Principal Authority is drawn from the Laws of Agency, it
> says that that Authority is delegatable. Other people can make use of your
> digital identity.
>
> Delegation of identity happens already when you construct an account on a
> social media service. The difference? When it's your recognized Principal
> Authority that is being used, your delegates must work to your benefit.
> Like a CPA or doctor, their choices must be in your interest.
>
> That's also what self-sovereign identity is all about: a digital identity
> that benefits you. That's not what we have today, where social media and
> other internet sites are using your identity to benefit themselves.
>
> There's more detail to this, many unanswered questions, and some subtlety
> on what control really means and how duties of care can be established.
> Take a look at the article, and let me know what you think!
>
>
>
> We will be having a public meeting on the topic of Digital Identity &
> Principal Authority with the Wyoming Select Committee next Wednesday
> (September 22nd) at 2pm MT. Details about the meeting and a link to live
> stream will be published next week at
> https://www.wyoleg.gov/Committees/2021/S19 . You can also request to
> offer your own public testimony during this session by emailing
> lso@wyoleg.gov.
>
>
>
> Bottom line: The concept of delegatable Principal Authority that works to
> your benefit may offer a new legal framework for digital identity. If you
> are interested in this topic, let me know.
>
>
>
> In addition, the co-chair of Select Committee and leader of the Digital
> Identity subcommittee Chris Rothfuss <Chris.Rothfuss@wyoleg.gov> is
> likely open to greater participation from those with legal drafting
> experience to work on applying this concept into customs, best practices,
> and duties of care for consideration by the Wyoming Legislature in the
> coming year. Let him know if you can help. (Like the CCG, we need more
> drafters than talkers!).
>
>
>
> -- Christopher Allen
>
>
>
> P.S. Establishing self-sovereign identity is part of the work that we're
> doing at Blockchain Commons. If this is important to you, please become a
> monthly patron! Even $20 a month as an individual (or $100 for a
> corporation) makes a difference!
>
>
>
>
Received on Friday, 17 September 2021 16:36:07 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:22 UTC