w3c / identity-web-impact

This document proposes an overview of Digital Identities on the Web and an analysis through different use cases of the systemic impact on both the market side and the human side, as well as the role that Web standardization may play in managing that impact.
https://www.w3.org/reports/identity-web-impact/

Consider single definition of identity #41

Open jandrieu opened 1 month ago

jandrieu commented 1 month ago

I'd recommend considering a single definition of identity.

The current discussion just leaves everything open, with an unfortunate mis-statement about the Verifiable Credentials non-definition of "identity".

While VCs do provide a data model that is consistent with the "Attribute" mental model of identity, the VCDM explicitly avoided defining identity. (See Five Mental Models of Identity for discussion)

I'd also avoid invoking dictionaries as a source for defining identity. I know it seems counter-intuitive, but it turns out that dictionary definitions are only there to help you disambiguate between different potential spellings... they really don't provide you the kind of rigor that you would expect in a technical specification, a court of law, or a scientific journal. I've done the same in my own work when I began exploring the challenge, because trying to make sense of the different ways people use "identity" is a challenge, but a dictionary is really only ever a starting point for a rigorous axiomatic definition.

The definition I'd propose is called Functional Identity:

Identity is how we recognize, remember, and respond to specific people and things, including ourselves, no matter the mechanism.

You can read about this in the RWOT Primer https://bit.ly/FunctionalIdentityPrimer or at its dedicated website https://functionalidentity.org

As you'll read about in that paper, the definition was distilled from conversations across multiple different industry conversations, including IIW, RWOT, W3C CCG, VCWG and DIDWG. We have yet to find a version of "identity" that doesn't fit into this framework. While it may be "weird" at first to shift from a concrete, object-based notion of identity to a subjective, procedural one, we believe the Functional approach makes for simpler, clearer conversations that address more of the engineering requirements than otherwise.

In particular, we favor the functional definition of Identity because it captures better the actual verbs that are involved: Recognize, Remember, and Respond, which gives us operational traction with how we can set and enforce policy about those actions. It's our opinion that the historical fixation on attributes in a database is one of the leading reasons for privacy harms in modern IT systems: when engineers are paid to focus just on their own data in their own system, they inevitably under-consider the processes using that data in ways that connect that data to other systems, whether inadvertent or intentional.

To see how this perspective led to the first definition of privacy that integrates identity, see this article https://www.corporatecomplianceinsights.com/functional-privacy-new-concept/

In short, I don't think we can make much headway with "identity on the web" without a single, formal definition of identity.

I put forth Functional Identity as one such definition that accurately and rigorously includes all five mental models we've come across, including the legacy attribute mental model enshrined in ISO standards.