1/n 🌐👤 A guide to self-sovereign identity:

+ Why this shit is interesting,
+ Unique Identifiers, Authentication, & Authorization
+ "The World is Just Claims"
+ Tokenized Authorization

👇👇👇
2/ The primary innovation of blockchain is digital scarcity and the decentralization of access control via cryptography, aka "true digital ownership"

+ 21 million Bitcoin
+ unique, persistent digital identity
+ non fungible assets

all cryptographically owned
3/ This maps pretty damn well to the (my?) three aspects of self-sovereignty:

+ self-sovereign *currency*
+ self-sovereign *identity*
+ self-sovereign *assets*
4/ aside: to be fair, both currency and identity are "assets", but these ownership concepts are separate metaphors with separate data structures.

Identities don't behave like in-game items.
Currency is fungible and does not behave like identity.
In-game items won't be hard money.
5/ We'll focus on identity and assets, because they go together particularly well; what you own is as much a signal about your identity as is everything else you attach to it, like citizenship or your social graph or your payment history.
6/ Idealistically, self-sovereign identity is a paradigm shift in the way we interact with the world. It ties your digital identity to _you_, and not your relation to a company or government. It can represent a person or business and can be portable across and between lifetimes.
7/ Self-sovereign identity is practically useful for a multitude of reasons, like universal logins and a smaller attack surface than a separate password at every service.

It's not popular, yet, because identity is a high-network effect business and this isn't a problem most people think they have.
8/ Self-sovereign identity breaks down into three primary aspects:

+ a unique, persistent identifier,
+ authentication,
+ and authorization.

These go together like RT&J; a good identity framework will include each of these.
9/ A unique identifier is globally, indisputably unique. In traditional, centralized identity systems this looks like an "account id" or a unique username (like Twitter's). With decentralized blockchains we have, for the first time, a way to square Zooko's triangle: names that are at once human-meaningful, secure (unique and not spoofable) and decentralized (say, via ENS).
10/ Authentication is answering the question:
"is this person who they are claiming to be?".

Authorization is answering the question:
"can this person, who we've authenticated as Person A, access this resource?".
11/ Concretely:

Unique ID: @mattgcondon (& associated email)

Authentication: proving I'm @mattgcondon by logging into Twitter with my password.

Authorization: Twitter realizing that I have the ability to write tweets and post them to my feed (but not yours).
12/ This distinction is super important; too many poorly designed systems conflate identifier with authenticator. See: US social security numbers. A SSN is a _unique identifier_, known to every employer, bank and landlord you've ever dealt with, yet it gets treated as a secret for authentication and as sufficient for authorization.

13/ Imagine being able to log into someone's Twitter account by guessing their associated email address: that's what "use a unique identifier as authentication and authorization" looks like. It's patently absurd.
14/ A single public key is the minimum viable unique identifier, and possession of the matching private key is the minimum viable authentication: signing a challenge proves you control the identifier, and nothing simpler does. This comes with a variety of (well discussed) security concerns: lose the key and you lose the identity, leak it and someone else _is_ you, and there is no rotation or recovery.
15/ With a decentralized network using a blockchain, we have, for the first time, the ability to trustlessly agree on shared state. This means we can replace the authentication mechanisms of central servers with decentralized public key infrastructure.
16/ Now, instead of a single public key as your unique identifier and its private key as your only means of authentication, you move to an "authorized keys" model, where several keys are bound to one identity and each key has its own role and its own security assumptions (say, a day-to-day key on your phone and a separate recovery key).
17/ But with multiple keys we've lost our single unique identifier! Enter Decentralized Identifiers (DIDs). A DID looks like "did:method:method-specific-id", and resolving it yields a DID document that lists the identity's current keys and which purpose each key may serve (logging in, signing claims, and so on). That document is what apps use to perform authentication & authorization.
18/ So now we've solved authentication and we have a unique identifier... but nobody wants to reference "did:my-schema:0xabcd..." (anyone remember OpenID?). Combine this key management with a human-readable, global, and secure identifier using something like ENS; tada!
19/ Nice! What's left? Authorization!

We need to help anyone using this identity framework answer the question: "is this identity allowed to do this thing".
20/ For some apps, this means deciding whether or not your identity is an accredited investor. For some, it might be "are you above 21". Others might want to prove that you own some ZRX tokens before you can post on the 0x forum.
21/ Here's where we get to

+ Ownership
+ Verifiable Claims
22/ Ownership is pretty straightforward, and maps to our understanding of physical space pretty well: I own a ticket to a music venue, and that's my authorization (I've paid, and should be let in).
23/ "Ownership" as authorization works _really well_ in specific cases, notably cases where authorization can be _transferred_ between unique identities. My music ticket can be sold to my friend. My accredited investor status for investing in shitcoin ICOs cannot be transferred.
24/ In the case of "accredited investor status", I don't "own" this status. What I actually "own" is a non-transferable statement from VerifyCorpXYZ saying that Matt Condon (rather, my unique identifier) is an accredited investor, according to their process.
25/ I can't send this accredited investor status to my friend, and I can't auction it off to the next highest bidder. It is a property of my identity, and should follow my identity wherever it goes.
26/ Likewise for something like a passport. Common sense says that we "own" a passport, and that's what lets me past the border.

But, what you _actually_ possess is an attestation (or "claim") from the government claiming that you are a citizen of that country.
27/ My passport is just a collection of claims that I've been to certain countries. It is a _medium_, not the metaphor.

I can't give my passport to another entity, because those claims are tied to _me_.
28/ Once you start thinking in the "verifiable claim" metaphor, you'll notice it everywhere:

Me following you on Twitter? That's a claim.
Friends on Facebook? Mutually reinforcing friendship claims.
Visas? Claims with an expiry that say I'm allowed to enter a country.
29/ Things like credit scores, degrees, citizenship, all certifications, my gym membership, all of my achievements and levels in video games: these are all claims.

They are "owned" but they are _not_ tokens, because they cannot be transferred between unique identities.
30/ Authorization-related things that make sense to "tokenize":

+ transferable keys to, say, houses
+ membership to clubs, online and off
+ pretty much all transferable tickets for events

if it can be transferred between identities, it can be a token
31/ Anyway, that's what the ideal self-sovereign identity framework looks like:

+ Unique Identifier
+ Authentication using Authorized Keys
+ Authorization using Ownership & Verifiable Claims

neat.