
Re: Principles of Identity in Web Architecture

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 8 Jun 2021 17:41:55 +0200
Message-ID: <CAKaEYhJERWyj-d7Fg-5W_sK3RgVktYAc67S47MmjKPXY=Vbe1A@mail.gmail.com>
To: Philip Sheldrake <philip@eulerpartners.com>
Cc: TAG List <www-tag@w3.org>
On Mon, 7 Jun 2021 at 12:48, Philip Sheldrake <philip@eulerpartners.com>
wrote:

> Thanks Melvin. I will try to rise up to your invitation by exploring the
> broader context.
>
> Timbl’s 2007 post
> <https://web.archive.org/web/20160713021037/http://dig.csail.mit.edu/breadcrumbs/node/215>
> on the “giant global graph” includes the progression:
>
>    - "It isn't the cables, it is the computers which are interesting"
>    - "It isn't the computers, but the documents which are interesting"
>    - "It's not the documents, it is the things they are about which are
>    important"
>
> “Biologists are interested in proteins, drugs, genes. Businesspeople are
> interested in customers, products, sales. We are all interested in friends,
> family, colleagues, and acquaintances.”
>

You picked out the parts of the post that I like the most, thanks for
highlighting that

As the web can be used to create a graph of things.  One of those things is
an identity.


>
> The likes of Facebook and LinkedIn typify "the social graph" in the web 2
> paradigm. Famously, Facebook popularized the term in 2007 when it was used
> to explain how Facebook would take advantage of the relationships between
> individuals to offer a richer online experience. Facebook values 'its'
> social graph more than it does any individual user / used-by. No further
> comment is needed on this undertaking.
>

Yes, it was a popular term in 2007, we had a group called social network
portability in which the term "social graph" was used.  To be fair,
Facebook's (open) graph protocol technically does a pretty good job of
creating a graph of different things, though it's largely centralized,
controlled by one company, and with that comes other issues, such as
privacy concerns etc.


>
> The web 2 use of the term has cemented the idea that any given social
> network has one social graph, albeit dynamic. The delimited network becomes
> the singular lens by which ‘the graph’ is supposedly constructed,
> maintained, and contextualised, and some would consider the web to
> constitute the ultimate social network.
>
> Of course, such delimiting is entirely artificial. There are many other
> contexts unavoidably in play, not least the non-technologised. Any boundary
> drawn around 'a network' of one million people does not have one social
> graph but rather many millions of social graphs at any moment. Any
> technical development working to the contrary can only serve to shackle
> rather than liberate.
>
> Perhaps the most efficient way to throw a light on the inappropriate
> framing of human identity by information technologists in general is to
> point out that, other than in bureaucratised contexts, human identity is
> edge- not node-centric. It is co-constitutive and reciprocally defining
> with relationships and information exchange (and so contexts); from which
> we can also determine that — again outside legal framing — there is no such
> thing as personal data in the real world, only interpersonal data.
>
> Gregory Bateson observed that relationships are immanent in information
> exchange [Steps to an Ecology of Mind, 1972]. Riffing off Margaret
> Wheatley’s work [A Simpler Way, 1998], identities are immanent in
> relationships immanent in information exchange. Any attempt to insert the
> engineering maxim of separation of concerns is destined to fail miserably
> at great cost (see my Good-ID post
> <https://www.good-id.org/en/articles/how-the-separation-and-unseparation-of-concerns-contribute-to-ssis-dystopian-promise/>
> ).
>

I read through this post and your chapter, "The dystopia of self-sovereign
identity (SSI)"

There was quite a lot of ground covered

You raised some persuasive concerns about SSI, which I suppose is one of
many brands of identity on the web.  I found myself agreeing with much of
what you wrote.  I'm personally not a huge fan of SSI, but my focus is more
around interoperability and network effects.  I should perhaps state more
clearly that interoperability is a goal.

The architecture I am describing would be a super set of that, of which SSI
might be one set of implementations

There were some philosophical points mentioned, some of which were quite
nebulous

The question, are we a noun or a verb, is an age-old question in
philosophy.  As we all learnt from the fairy tale, "Rumpelstiltskin", by
naming something, we can achieve power over it.  However, IMHO, the
conclusion is not to say that naming is always wrong, but rather, that
sometimes you may not wish to

If we are verbs I would say it's impractical, at this time, to build
interoperable systems.  Our data systems will have predicates, but not
subjects.  You will end up building a branded silo.  If we are to believe
that the value proposition of the web is unexpected reuse, you set yourself
up for limitations in this regard


>
> Your reply here notes that “Alice can have many identities.” I would say
> that there’s no “can” about it, and *sameAs* approaches may work to deny
> this left unconstrained.
>
> You note a complexity explosion. Quite. Unavoidably. And I suspect far
> greater, hopefully, than many might consider from your observation.
> To treat human identity as node-like, to consider it separable from
> relationships and information exchange (and context), is to bureaucratise
> all human relations given the ease with which the frictionlessness of
> digitalization eases its way into things. In the context of SSI, I call out
> this emergent effect for what it is — malignant.
>

IMHO, your claim that giving someone an identity is harmful, seemed to be
quite teleological, and perhaps a weaker part of the thesis.  Yes,
sometimes it can be harmful, and other times it can be useful


>
> Not all “things” are equal, and in the context here we must distinguish
> human beings (no pun intended). When it comes to human identity, it’s not
> the things documents describe that’s important, but diverse
> sociotechnological capabilities to support and grow psychological,
> sociological, and ecological health.
>
> For me, this challenge and opportunity represents the beating heart of Web
> Science.
>

One thing I've taken away from your post is that using URIs as subjects may
be harmful.  I think that's quite valid.  However, it does seem to, at the
same time, be a fundamental part of web architecture.  I'm not sure how to
reconcile that paradox, other than to have notes saying that identifiers
can be used negatively as well as positively.


>
>
> On Sun, 6 Jun 2021 at 15:50, Melvin Carvalho <melvincarvalho@gmail.com>
> wrote:
>
>>
>>
>> On Sun, 6 Jun 2021 at 14:02, Philip Sheldrake <philip@eulerpartners.com>
>> wrote:
>>
>>> Hi Melvin,
>>>
>>> I dedicate some good time at the AKASHA Foundation and with the Web
>>> Science Institute at Southampton researching identity. I am also the author
>>> of the only dissenting chapter in the new SSI book.
>>>
>>> https://www.manning.com/books/self-sovereign-identity
>>>
>>> May I ask, in what ways are your goals different from those of the SSI
>>> community?
>>>
>>
>> Hi Philip
>>
>> The aim of the discussion is around architectural principles, rather than
>> a single branding with specific features.  So SSI could be part of a system
>> which uses Identifiers and attaches attributes to them.  I suspect it
>> probably does already.  Not all identities are self sovereign, but many are
>> part of the web
>>
>> The aim is to try and get various actors on the web, both in the http:
>> space and in other spaces such as P2P systems to more readily be able to
>> interact, and benefit from unexpected reuse
>>
>> Ideally, I'd like to make a short document that could be given to
>> implementers, or let's say a check list or scorecard to see how easy it is
>> to interop with heterogeneous systems.  Because that isn't happening at the
>> moment.  We have a balkanization.
>>
>>
>>>
>>> It is reassuring to see you distinguish “identity” and identifiers in
>>> the context of humans, but your email here indicates to me that you still
>>> consider Alice to have just the one identity. This aligns of course with
>>> the comparatively recent (centuries) bureaucratisation of identity, aka
>>> legal identity, and the imperative for Sybil resistance in democratic,
>>> taxation, and wealth distribution contexts, but I have yet to find another
>>> discipline beyond law and information technology conceiving identity as
>>> either singular or enduring. Quite the opposite.
>>>
>>
>> You raise a good point.  Alice can have many identities.  Some systems
>> have a "sameAs" term which allows identities to be "smushed" together in a
>> certain way.  I didn't mention this in the post, simply because I wanted to
>> limit it to a few items.  And composite identity does explode the complexity
>>
>>
>>>
>>> There is no such thing as 'digital identity' in the context of humans,
>>> only digitally mediated and augmented human identity, but that mediation
>>> and augmentation goes to the heart of the human condition with consequences
>>> for our psychological, sociological, and ecological health. This is
>>> existential stuff.
>>>
>>> See https://generative-identity.org
>>>
>>> The SSI community claims to be creating the “identity layer” omitted by
>>> both the designers of the Internet and the designers of the Web. On the
>>> basis that we still have no widespread appreciation for the complexities,
>>> let alone agreement on how best to digitally mediate and augment human
>>> identity for psychological, sociological, and ecological health, I
>>> celebrate those designers for pushing it out. Nevertheless, it appears the
>>> time is upon us.
>>>
>>> Please let me know if and how I and the AKASHA Foundation may help.
>>>
>>
>> I'd love to hear how many of the 5 principles that I lay out could apply
>> to your architecture, and see where the gaps are
>>
>>
>>>
>>> Best wishes,
>>>
>>> Philip Sheldrake.
>>>
>>>
>>> On Sun, 6 Jun 2021 at 12:03, Melvin Carvalho <melvincarvalho@gmail.com>
>>> wrote:
>>>
>>>> At TPAC 2012 I proposed to timbl, a modular approach to Identity on the
>>>> Web.
>>>>
>>>> Back then the majority of systems tightly coupled together, Identity,
>>>> authorization and authentication.  My proposal was that the Identity part
>>>> should stand on its own merits, and be a modular piece of a wider
>>>> architecture
>>>>
>>>> To my surprise and delight, he agreed with this, and persuaded our
>>>> group to take this approach, and rewrite specs into what was to become the
>>>> WebID suite
>>>>
>>>> *Architectural Principles*
>>>>
>>>> I wanted now to propose some further architectural principles, based on
>>>> what we've learnt in the following decade, and align it with web
>>>> architecture.  They are as follows:
>>>>
>>>> 1. Separate identifiers from identity
>>>> 2. Identifiers are a string of characters, a global primary key
>>>> 3. Your identity are keys, values, links tied to your identifier
>>>> 4. Your identity is protocol, medium and transport agnostic
>>>> 5. Separate data and protocol meta data from identity data
>>>>
>>>> Applying these 5 architectural principles, I believe it would be
>>>> possible for every identity system on the web to be largely interoperable.
>>>> And by web I include other URI schemes than http, and the P2P web
>>>>
>>>> A few words on each point
>>>>
>>>> *1. Separate identifiers from Identity*
>>>>
>>>> Identity comes in many shapes and forms.  People tend to talk about
>>>> identity and identifiers interchangeably and we seem not to have a common
>>>> vocabulary that everyone can live with.  I'll use the term identifier
>>>> loosely to be a string of characters to denote a user (or agent).  And
>>>> Identity are attributes associated with that.
>>>>
>>>> *2. Identifiers are a string of characters, a global primary key*
>>>>
>>>> When talking about identifiers in a system, it's important to actually
>>>> get down to what that identifier looks like.  What is the string of
>>>> characters.  In order to interoperate with other systems, this must be well
>>>> defined, and should be a primary key to your system.  Too often this is not
>>>> done and there is more than one primary key, or overloading occurs, "your
>>>> public key is your identity".  Ideally this should be a URI, tho not all
>>>> large systems on the web will use a URI, which leads to balkanization.
>>>> Many databases work on the principle of primary and foreign keys.  Identity
>>>> needs this.
>>>>
>>>> *3. Your identity are attributes, values, links tied to your identifier*
>>>>
>>>> I'm going to loosely describe your identity as attributes, values and
>>>> links tied to your identifier.  Most identity systems do this under the
>>>> hood.  For a while RDF was recommended by the TAG as the solution to this,
>>>> but different systems will use different solutions such as JSON(-LD) or
>>>> CBOR.  What's important I think is the Entity Attribute Value (EAV) model
>>>> of tying attributes to an identifier.  Also important that links are
>>>> allowed in that structure.  Unfortunately JSON doesn't have a native syntax
>>>> for links like turtle does.  Perhaps this is an area of standardization.
>>>> Links enable heterogeneous systems to work together
>>>>
>>>> *4. Your identity is protocol, medium and transport agnostic*
>>>>
>>>> When people talk about the web they talk about http.  However, there is
>>>> every indication, that web was designed to bring together many large
>>>> systems.  http: URIs working with file:,  irc:, ftp: etc.  It should even
>>>> work with systems that have UUIDs and not (yet) URIs.  The principle is
>>>> that any data that you want to share should not include anything about the
>>>> transport.  Instead, that can get cleanly separated into meta data
>>>>
>>>> *5. Separate data and protocol meta data from identity data*
>>>>
>>>> The http/html web quite cleanly separates a document from its data, and
>>>> protocol from content.  It does this using headers for a document.  Also
>>>> within the document HEAD and BODY tags aim to cleanly separate data about
>>>> the document from data about the thing within.  In http the thing within is
>>>> cleanly separated from the protocol data using the "#" character.  In
>>>> JSON-LD 1.1 you can do something similar using "@id" : "".  Put your meta
>>>> data in there, and your identity data is linked to that.  In this way it
>>>> can be reused in different systems, publishing, messaging, ledgers, auth,
>>>> leading to increased functionality for the end user, tied together
>>>> seamlessly
>>>>
>>>> *Summary*
>>>>
>>>> There's growing interest in using the web in a more distributed and
>>>> decentralized way.  IMHO, by employing some or all of the 5 rough
>>>> architectural principles above, it's possible to bring together different
>>>> systems operating on the internet in a more distributed and decentralized
>>>> way
>>>>
>>>> Related:  timbl's essay on the giant global graph:
>>>> https://web.archive.org/web/20160713021037/http://dig.csail.mit.edu/breadcrumbs/node/215
>>>>
>>>> Feedback on any or all of the points welcome!
>>>>
>>>>
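
An added example, not part of the original thread: the Entity Attribute Value model from principles 2 and 3 with "sameAs" smushing, showing how an unconstrained merge collapses identities that were kept separate. The identifiers, the sample data, the `asserted_by` provenance field and the `trusted` filter are all assumptions made for this sketch.

```python
from collections import defaultdict

SAME_AS = "sameAs"
ALICE = "https://alice.example/#me"
ALICE_P2P = "urn:uuid:00000000-0000-4000-8000-000000000001"
PSEUDONYM = "https://forum.example/u/anon42#id"

# Constructed sample data: (identifier, attribute, value, asserted_by).
# Identifiers are global primary keys and need not share a URI scheme.
TRIPLES = [
    (ALICE, "name", "Alice", "https://alice.example/"),
    (ALICE, "knows", "https://bob.example/#me", "https://alice.example/"),
    (ALICE_P2P, "nick", "al1ce", "p2p-node"),
    (ALICE, SAME_AS, ALICE_P2P, "https://alice.example/"),
    (PSEUDONYM, "topic", "health", "https://forum.example/"),
    # A third party, not Alice, links the pseudonym to her main identifier.
    (PSEUDONYM, SAME_AS, ALICE, "https://tracker.example/"),
]

def smush(triples, trusted=None):
    """Merge identifiers joined by sameAs into {canonical_id: {attr: values}}.

    trusted=None accepts every sameAs link; otherwise only links whose
    asserted_by source is in `trusted` are followed.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for subj, attr, value, source in triples:
        find(subj)
        if attr == SAME_AS and (trusted is None or source in trusted):
            a, b = find(subj), find(value)
            if a != b:
                parent[max(a, b)] = min(a, b)  # deterministic canonical id

    merged = defaultdict(lambda: defaultdict(set))
    for subj, attr, value, _source in triples:
        if attr != SAME_AS:
            merged[find(subj)][attr].add(value)
    return {k: dict(v) for k, v in merged.items()}

if __name__ == "__main__":
    print(len(smush(TRIPLES)), "profile(s) when every sameAs is followed")
    print(len(smush(TRIPLES, {"https://alice.example/"})), "when only Alice's own links are")
```

With every link followed, the forum pseudonym's attributes land on Alice's main profile; restricting links to the ones she asserted keeps the two apart.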
Received on Tuesday, 8 June 2021 15:44:16 UTC
