Draft open problem statement: Identity Verification, Abstracted

[miyazono]

Identity Verification, Abstracted

Verifying who you are online is usually a trade-off between security and convenience. Passwords end up being overly simple, written on post-it notes, forgotten, or hopefully stored in a secure password manager. However, a password can be mishandled on the server side and later stolen, as we have seen many times. Most government-based identification systems are far worse, like a social security number, which has become a de-facto identification number in the US with a history of being targeted or grossly mishandled. Alternatively, many technologies have moved toward biometric security, which has its own set of vulnerabilities.

I argue that it should be possible to make a single secure, decentralized, identity verification system that abstracts identity verification from services in a transparent and trustless way that solves all these problems, useable across all services.

Solution constraints

• Secure:
  • Given an arbitrary number of previous verifications, it is (computationally) difficult for an attacker to produce a valid verification.
  • Given the information needed to verify identity, it should be (cryptographically) difficult to forge a valid verification.
• Voluntary: Cannot be taken without the person's knowledge and permission
• Transparent: As an open source and hopefully decentralized system, the code is inherently auditable

Ideally it would be nice to have

• Tabula Rasa: There exists a mechanism by which an individual can create a new identity by invalidating the previous identity. (i.e. a witsec clause)
• Personal: Linked to the individual in some way, such that one individual is unable to assume the identity of another, even with the cooperation of the other

Note that the "Voluntary" condition precludes solutions that rely solely on biometrics or hardware keys

[Stebalien]

Personally, I prefer zero-knowledge attribute verification over identity verification for privacy reasons. For example, I should be able to prove that I'm over 21 without showing an ID (or that I'm authorized to use some account).

Under this model, "identity" just becomes another attribute.

(sorry if this is off topic)

[miyazono]

@Stebalien, I'm a huge fan of that abstraction. It really highlights the fact that every attribute (citizenship or age) is going to be endorsed in some way, and you could accept different types or levels of endorsement for different systems.

[ark1]

@Stebalien @flyingzumwalt @jbenet Identity is a not a fixed construct. There are many variables such as Trust, Risk and Authority. The solution to this problem is in two parts. The first being a technical solution, one that you guys have the capacity to build. The other requires an understanding of the social, economic and psychological aspects of Human Nature. We all love Open Source but "the" Identity Solution will need to go beyond that if it is to succeed. At times there will exist an uncomfortable trade off between the ability to Audit Code and the greater good. We can all point to software that wasn't open source but did mankind a great service and open source software that has unleashed havoc. How do you ensure the solution will be fair? Will the PII data of someone in Palo Alto have the same value as a Syrian or African refugee the same way a US passport is worth more than a Venezuelan one?
WARNING!! If we are not careful, the centralized totalitarianism that blockchain and cryptocurrency is supposed to save us from will be the very tools by which we are enslaved.

Ok before we go to far down the rabbit hole. I have almost solved the problem just need to figure out how to build some aspects of it, hence why I am here.

[miyazono]

@ark1, I see your claim, and I think that we're operating off different definitions or expectations of identity. This problem is really just regarding a login: the decentralized equivalent of the "use google to sign-in" functionality.

I think your complaints about open source are ill-founded here; it's more reasonable to expect fairness from an open-source, decentralized solution because anyone can, at any point, provide an improved solution that's compatible with applications, and users can choose to switch. Any endeavor is influenced by the method by which contributors are incentivized to participate, and open source software is one of the few systems in which the incentives are aligned to produce products that are the most fair and friendly to the users.

Furthermore, I don't think the sale of personally identifiable information is an aspect of this problem. It's also worth noting that I wouldn't consider this problem "solved" if the proposed solution allowed identity to be transferred like a passport. This is explicitly stated as the "Personal" constraint in the problem statement.

[silvianetobessa]

Hi all, thank you for your comments 🚀 We are now closing the issue, feel free to reopen it in the future if you want to restart the conversation on this topic.