
Tuesday, October 25

Agenda:

  • Report writing – Sovrin Foundation questionnaire answers discussion

Attending: Eve, Thomas, Matisse, Kathleen, SteveO, Thorsten

No meeting Thursday: Just a reminder...

New book: Don't miss Thomas's new book, called Trust::Data: A New Framework for Identity and Data sharing! Wow.

Sovrin answers: You can find them forwarded to the email archive. See also the paper Thorsten mentioned.

Overall, Eve's question for each use case, differentially, is: How much does limiting the risk of a "pure public blockchain technology" approach impact the goals of the use case, and particularly in our case where the use case goals are for empowerment? E.g., for some fintech use case where you want to speed up business and protect against legal risk, maybe limiting the "distributedness" of the blockchain to your enterprise – that is, inside your firewall – could be fine. But for other use cases, that could seriously harm your goal. So for today, given that Sovrin has a goal of self-sovereign identity, have they been able to successfully mitigate risk while enjoying/providing the benefits of blockchain ("walked the line correctly")?

"Self-sovereign identity" sounds like an extension of the previous notion of "user-centric identity".

Thomas's CoreID paper caused some people to accuse him of being a communist (smile) for proposing a blockchain identity system that enables anonymous credentials. Eve's question is: What ecosystem that involves both individuals and services could function without at least some (probably the lion's share of) use cases of identified sharing?

There are some "anonymous authorization" (Shibboleth) and "claims-based access control" (UMA) use cases, indeed. And notice that these use cases didn't require blockchain for resolution! But quite often, (empowered) service operators do need to know who they're dealing with among (currently disempowered) individuals. See Latanya Sweeney's research on the ability to re-correlate individuals from a few attributes (hence Eve's skepticism about ZKP, which Sovrin criticizes as well!).

Are there any services accepting Sovrin credentials yet? These are apparently called "stewards".

We looked at the Technical Foundations paper. The observer/validator/governance paradigm seems well thought out. Thomas noted that the widening circles of nodes looks like what Ripple has. The governance model could perhaps be a model/template for other use cases as well.

Not depending on IdPs sounds like a big benefit. People have become persona non grata on various services that function as IdPs (such as being shadowbanned or outright banned on Twitter), or have been monitored by government IdPs. However, the reality of many service providers is that they rely heavily on these 30 social IdPs for a lot of what they do, both for the user population and for the information provided by these service sources. ("Social login" is when they rely totally on the incoming IdP for information, and "social registration" is when they explicitly collect additional information and do separate login thereafter.) What is the value proposition for these RPs?

Also, how would legacy "federated SSO" work (a la SAML or OIDC) in this new world?

AI: Everyone please continue to review the questionnaire answers (two sections left to go) and provide thoughts in email. We can send our questions to the Sovrin folks after our review is complete.

Thursday, October 13

Agenda:

...