AdrianAt IIW, Eve and I facilitated a session on outsourcing GDPR using UMA http://iiw.idcommons.net/Outsourcing_GDPR_Using_UMA . For some medium and large enterprises, the personal data they control looks more like a toxic asset than a profit opportunity. They will benefit from outsourcing data control to a user-specified agent by reducing their costs of compliance regardless of whether they compete on privacy or not.3. The economic incentives are huge as companies that produce actual stuff, like Apple, decide they want to compete on privacy rather than reducing their price through surveillance capitalism. Social networks are not the business model for humanity. As one of the senators said during the Zuckeberg hearings, we have a choice between Ford and Chevy. Their willingness as a relying party to honor our self-sovereign UMA authorization server will become a differentiating factor.The HIE of One self-sovereign technology stack separates out the mobile layer from the agent layer. Both layers have secure elements but only the mobile one has biometrics and a UI, and only the agent layer looks like an addressable server always on-line. The same could apply to SII as long as the standards around it recognize the utility of having separate mobile and addressable agents.2. I'm not familiar with Self-Issued IdP (SII) but it's important to note that the HIE of One authorization server as a relying party benefits from federated identity of the requesting parties but does not depend on it. The whitelisiting of IdPs is entirely up to the individual owner of the AS.1. We do own all of the data that is in our heads, our secure elements, and our self-sovereign authorization servers as agents of our heads and secure elements combined. We may not own much else, but by combining these three **totally** private elements into a self-sovereign technology stack the is **standards-based** (no walled garden) we gain immense agency over the entities we transact with. To use a blockchain analogy, humans become the "miners" in a decentralized and censorship-free ecosystem where our power derives from the computing ability of our networked agents.To the three points:It's not about identity, it's about agency. It's not about SSI, it's about self-sovereign technology (SST).I don't think it's easy to understand the novelty of SSI unless you include agency (UMA) and credentials as part of a self-sovereign technology stack that gives individuals calves the ability to feed each other. (Sorry, Doc, this is where the analogy no longer serves :-)It may not be easy to understand SSI in the context of social media where the network effect is arguably "the only thing" and ownership of information (the unilateral right to change it or deleted it) is weak. It's much easier to understand SSI through the eyes of agency over one's implant, health record, or connected car. In all of these less social cases, the ability to transact peer-to-peer is the root of agency and human dignity.HIE of One as an example of a self-sovereign technology stack was born out of the utter failure of federated identity in healthcare. It demonstrates standards for an issuer (licensing board) to issue a verifiable credential that can be presented (by a licensed professional) as part of a claim to another individual's (patient's) authorization server. Both the presenter (human) and the relying party (human) are able to be represented by self-sovereign agents in the transaction.
In the self-sovereign technology use-case, there need not be any institutions other than the issuers of the credentials and the courts that hold wrongdoers accountable. They are the relying parties that have to be willing to accept a self-sovereign ID and link it to a credential. All of the other institutional entities (laboratories, hospitals, merchants, automakers...) don't need federation at all. They can issue pairwise pseudonymous credentials to the humans with whatever level of security, privacy, and convenience they compete on.On Sun, Apr 15, 2018 at 10:25 AM, Mark Lizar < " target="_blank"> > wrote:Hi Doc,Self Soverign It does seem misleading - self Soverign is about Identifier ownership, appears to make the mis-represtation that we are owners of our own data. Which is not the same thing.Self Soverign provides people with the impression that they are Master Controllers as oppose to Data Subjects of our their own information.. In my opinion its dangerous to mis lead on this topic, and perhaps both self-sovereign and master data control can be combined with the use of rights to make something closer to the hype.Importantly, existing policy infrastructure, i.e. CRM systems, need to have the Master Controller side of the equation to enable VRM, which remains my long standing position on this topic.Hopefully this chat will dispel some of the myths and take a bit more of a holistic view of the infrastructure needed for humans.(Thanks for asking)- Mark
On 15 Apr 2018, at 14:14, Doc Searls < " target="_blank"> > wrote:Hey team.I’m on this panel at KuppingerCole’s EIC conference in May, along with Joni Brennan, Kim Cameron, Eve Maler, Joerg Resch, Andy Tobin and Nat Sakimura, some of whom are on this list too:The title is "Informational Self-Determination in a Post Facebook/Cambridge Analytica Era,” in the Ownership of Data track.Framing the topic is this challenge from Nat to self-sovereign identity (SSI) and distributed identifiers (DID), published at the session link above:The hype and hysteria around blockchain, blockchain identity and Facebook/Cambridge Analytica scandal have been quite interesting to watch. It did and is still showing a lot about people's understanding of the space, which is actually a bit different than what I think.
For example, people think that they own their data and ought to have sovereignty over their data and some people think that Blockchain identity and DID can achieve it.
I do not think so in general.
It is because of three reasons.1. The assertion that we own our data is wrong.
There are very few data that falls into "I have full right to control" category. Most of the time, the data is actually shared among people, as they form relationships. For example, your DNA sequence is shared with your relatives. You do not have right to disclose it publicly as the result. Your location data is shared with someone you are with, and disclosing your location would disclose her location as well. Do you have a full right to disclose it? Probably not. Not only because people do not read the terms, because of this shared data aspect, "consent" is an unreliable mechanism for the data processing. And the Facebook/Cambridge Analytica scandal's root cause actually is here. It was not a hack. People "consented" to provide "his data". His data, in this case, included data about his friends.2. I do not see anything particularly new in SSI
The basic model of SSI, as I understand, is that you write your identifier and claims location on a Blockchain. So, the blockchain works as the registry. People can then search the registry to find the location of the associated claims. Claims are not written to the blockchain. It is hosted off-chain. Does it not resemble something? It has just replaced DNS with a consortia run blockchain and Identity (=set of claims) Provider with Claims Provider. It just looks to me like the same model with new tools and some nice marketing phrases. Since it is easy for the authority to take down the claims provider, in such a situation, it is likely that the guy will be left only with his identifier, which is rather useless. Worse, the fact that most crypto-currency traders do not manage their keys themselves but use "online wallets" provided by cryptocurrency exchanges will make me think that they will probably use the Claim Provider as the online wallet and we are back to the square one. Welcome to the good old Online Identity Providers. Compared to this, Self-issued IdP (SII) in OpenID Connect looks much more radical. We got rid of the registry. It is completely distributed. It lives on your handset. We do not need a shared database like blockchain to find claims providers because the SSI can provide the claims or claims locations locally. These claims can be signed by the source so it is verifiable as well. It can be deployed without blockchain so we do not have to worry about the numerous technical issues of the blockchain that are not solved yet. Actually, Cardspace was on a similar model.3. There are no economic incentives for RPs and Users to start using it.
As I explained above, this "self-issued" model is not new. SII has been there since 2014 and I know of only one large-scale deployment (It started this February, by the way). Cardspace was even pushed through Windows 7 installations and it still did not fly. Why? It probably is because there are no incentives for RPs to accept self-issued identities while the population coverage is not large. The investment to start accepting SII cannot be justified. The converse is true for the users. If there is no RP, then there are no incentives for the users to install and use SII. It is a classic chicken-and-egg problem. Do you remember how Google got their identity flying? It was through a killer RP service called Gmail. After there were enough users, then RPs started to have incentives to start accepting Google identity. The same applies to Facebook.Unless there is a way for the Self-sovereign identity to break through this problem, I do not see any reason why it should fly.Before I jerk my knee in response to this (and in prep for doing something more thoughtful than that on the panel), I’d like to get your thoughts, in faith that those will improve my own.Thanks.Doc--Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
Archive powered by MHonArc 2.6.19.