Layer 5 belongs before Layer 4; it's more like a half layer, similar to IP vs MAC. OAuth is a way to communicate someone's registered personhood securely.
The last layer should be "Persona" and be about how people present their personality and behavior, having potentially multiple identities and characters depending on the service, context, how much anonymity exists, etc., and it would be akin to Layer 7 Applications, running on top of our wetware. Steven Colbert vs Steven T Colbert.
name@mydomain.com would be layer 3, correct? Using the OAuth services of mydomain.com to authenticate yourself as name@mydomain.com should be layer 3.5, not layer 5. To me that comes before the "person" layer 4.
> There is no good way for a person to identify another person without first mutually agreeing on Brand identities.
How is this absence not a good thing? If someone wants to be identified, they have to go through the trouble of creating an identity. In fact, it would be preferable to also not have a permanent or consistent personal identity with respect to brands either.
I like this article. It is concise and really lays out the issue in an organized way that explains a lot. I've understood this as a problem for so long, but I've not had the perspective to think about it clearly.
Really good read.
Provides a new abstraction model that we've not seen before. It shows the depth of the problem and why we have never solved it since the days of PGP, 1991. It does not mention the idea of owning your own identity[1], a possible solution.
[1] https://wiki.p2pfoundation.net/Self-Sovereign_Identity
I don't necessarily want to rely on brands (to use the jargon of the article) to facilitate informational exchange.
As a user I certainly am interested to exclude the brand wherever I can, because it is a security flaw and allows for countless attack vectors.
I know about the current ambitions of identity providers and I make use of them because I am lazy too and don't know enough about security to match their services. But it is still a concession.
I think keeping the logistical perspective of key exchange can work for new ideas, while this perspective obfuscates ambitions the brand could want to see realized.
Quote from the link in the text:
> User-centric designs turned centralized identities into interoperable federated identities with centralized control, while also respecting some level of user consent about how to share an identity (and with whom).
... "while also respecting ~some~ level of user consent" is the issue where legislation for informational self determination is needed.
Again, if this problem is transparently presented, I would have less issue with this new perspective.
You can already upload everything to Amazon Beanstalk and use Amazon Cognito as an identity provider. Hacked together but very usable. I already sold my soul countless times, but there is still one problem: Amazon.
It's not. Consider e.g. Instagram and Facebook, both currently owned by the same company, yet being distinct Brands both in the regular meaning of the word, and in the meaning used by the article.
DNSSEC. It's the solution to walled garden brands. The problem is that it needs the support of the big brands to be successful, and the big brands don't want competition.
The solution to walled garden brands is to have registrars and world governments take over identity? If DNSSEC had been widely deployed a few years ago, Muammar Gaddafi would have owned BIT.LY's CA. If a CA misbehaves, Google and Mozilla can nuke them from orbit --- as they just did with several of the industry's largest CAs. If .COM misbehaves --- a thing that has happened repeatedly in the last 10 years, because the DoJ owns it --- Google does, what? Move to .IO? Oh, wait, that's a Five Eyes TLD as well!
You've got one thing right, though: virtually no major Internet tech companies, save Cloudflare (which sells DNSSEC services) and PayPal (but not their subsidiaries like Braintree or Venmo), use DNSSEC. Not Microsoft, Google, or Apple; not Mozilla, Stripe, or Square; not Facebook, not Cisco, not Oracle; not Salesforce, not Twitter; not Netflix. If there's a conspiracy against DNSSEC, it is deep.
Firefox, Chromium, and Apple piloted DNSSEC years ago, and then withdrew support. It's been 25 years with DNSSEC. He's dead, Jim. Let him go.
No conspiracy theories please. DNSSEC is operated by a non-profit called ICANN which manages its key-signing-keys in publicly recorded ceremonies comprised of community representatives from each continent. If you believe Google and Mozilla have legitimacy to govern cryptography affairs in the third-world, then by all means continue supporting the status quo. Also anyone registering novelty names should be aware of the risks.
I don't know what DNSSEC you could possibly be referring to, because it's not the one that exists in reality. The reality-based DNSSEC does in fact have a silly security-theater ritual managed by ICANN to set the keys for the root, but --- and, this gets a little arcane and involves knowing some intricate details of DNS --- hanging off the root are the TLDs, like "com" and "uk", and there is no publicly recorded key signing ceremony for the TLDs. Nor could there be, because the owners of the most popular TLDs publicly assert their right to control the contents of those zones for public policy; see, for instance, every DOJ domain takedown ever.
I do however enjoy pointing out that, all this aside, you could post the root keys, the product of these elaborate key signing rituals, on Pastebin tomorrow and no real-world security engineers would have to come in on the weekend; they could pick the Jira ticket up to "figure out whether we care that all security in DNSSEC has been revoked" sometime during the next work week and be perfectly OK. Because, of course, nothing in the reality-based reality actually depends on DNSSEC.
The discussion leaves out account/identity recovery, which in practice is the most important part. You can use a PGP keypair as your identity, but if you lose access to it then you're screwed. So from an identity perspective the "brands" he mentions are a set of account recovery services of varying effectiveness, consisting of email, SMS, phone, and more complicated/unreliable methods like begging technical support.
At the end he mentions a statistical analysis in Mathematica and a text adventure in PHP. The second seems easy enough to share by just giving out an IP or using a dynamic DNS service. Mathematica is less clear, because it's proprietary, but it comes with a cloud subscription so presumably one would just upload it to the cloud. It's pointless to complain about a "brand" when the software itself is the brand.
And the last part where he talks about identifying people is also really simple. Everyone has a phone, so just using GPS narrows down the space to a few hundred, wherein one can use other methods like scrolling through the list. The hard part is doing it in a way that doesn't allow user tracking, but that's a privacy rather than an identity issue.
This article seems to present the state of the Internet as a kind of feudalism, where one must swear fealty to an established "brand", and carving out a life as a freeman is practically unattainable. I'd say the reality is that it's easy to join the Internet land-owning class (buy a domain; get a cert; run services), yet most people prefer to rent because they are not so inclined.
Email is widely used, HTTPS is widely used, and they don't require you use a gatekeeper brand. Many instant messaging platforms, while run by brands, allow you to bring your own email address as an identity.
I don't think authentication of identities is a feature that ties people to brands. A phone number is pseudonymous, and acts as an identity for many mobile messaging applications. Authentication in many cases is performed socially: you got the number from them, from a mutual friend, or they told you who they are and you were convinced.
Setting up your own email server is notoriously difficult, and requires coordination with major brands. Importantly, people who use brands like GMail can't choose to whitelist you. There's no setting in GMail saying, "I trust everything coming from Bob's domain, don't bounce them." Emails get rejected on the protocol level.
Effectively, if your friend is using Gmail, then they're using a brand, and you won't be able to talk to them unless you also use a brand that Google respects.
> HTTPS is widely used
The DNS system is probably one of the things I'm least worried about online, but it doesn't make sense to describe it as anything except as a brand. Domains aren't permanent -- you have to continue leasing them. That makes sense for a brand because you don't want companies to take over an entire space, but it makes no sense for an identity, because you should be able to permanently own an identity. Additionally, DNS is optimized for brand recognition, not for identity verification. It makes a ton of security compromises (think ally vs a11y) that make identity verification harder, but brand recognition easier.
I would also disagree that phone numbers are good identity systems. Most people keep their phone number permanently, and it's trivial to tie a number to a real world identity. I would hesitate to call it pseudonymous. There's a real conflict between phone numbers being treated like a permanently owned identity and phone numbers being a thing you need to maintain and carry with you. In general, I try very, very hard not to allow any business to tie my identity to a number, because I think it's blatantly insecure.
I do think the first point you're getting at is correct, in a sense:
> I'd say the reality is that it's easy to join the Internet land-owning class (buy a domain; get a cert; run services), yet most people prefer to rent because they are not so inclined.
I agree. However, it's not that identity management online is good. What you're describing is that it's relatively easy to build a brand. It's relatively easy for me to set up a domain, grab my username on new services as they come up, and make sure that when someone searches me on Google I show up near the top. That's not identity, that's brand management.
The reality is that the current Internet is adapted to brands, but because it's not a massive problem for technical people to invest into making their own brand, we just kind of tolerate it. And non-technical people prefer to rent space on other people's brands instead of building their own. But in both cases, we haven't really built personal identities that are disassociated from advertising or word-of-mouth.
I wasn't suggesting that you need to run your own email or web servers. It's easy (albeit costly) to pay a service to host your email (e.g. Protonmail; Rackspace; many domain registrars), and there are countless web hosting providers. However, this isn't identity (the identity is still yourdomain.net), and you don't need the hosting provider to be well-known. As I understand it, acceptance by the likes of Gmail is a case of jumping through technical compliance hoops, rather than brand stature.
I wouldn't consider DNS names as brands. Brands are names which become identifying through familiarity, whereas DNS names become identifying simply by purchase; they're more similar to land registration: you are identifiable by a street address because you own / rent / lease it, not because it is widely known.
My point is that I can buy a domain, buy some email and web hosting, then masquerade as i@myself.me, put up whatever files on my website. Nothing about this requires me to build a brand, any more than buying a house to which I can invite people requires a brand. We visit websites we have never heard of all the time.
HTTPS does require you to use a gatekeeper brand; even going through Let's Encrypt (which is a brand, per article's use of the term) means you're now involving an extra bunch of intermediary brands. After all, the whole point is to have someone else to vouch that you are who you say you are.
I was surprised this post didn't even mention the existence or development around decentralized P2P technologies for identity management. We have the tech; it's mostly a problem of marketing and network effect. Large centralized brands like Google or Facebook are convenient active hubs of interconnected identities, but these centralized apps have the major downside of eventually leaking personal data that we don't want them to. Not to mention at some point it just gets so tiresome to create yet another account, for yet another brand. We need secure means to manage our own online identity in a way that can interoperate with all the brands out there with minimal risk.
I think I get what the article is trying to say, but I have to admit that bringing in the concept of "brand" seriously derails it for me.
My identity is not a "brand", the identifiers I use online are not a "brand", and I don't interact with "brands". I interact with people.
What I'm not sure about is whether I'm just having a reaction to the use of the concept of "brand" that is obscuring a meaningful and accurate point for me.
Now that I've written all of this, though, I'm not sure that I understood what the article was trying to say at all.
EDIT: now that I've read it a couple of times, I'm pretty sure that I don't understand what it's really saying. Can someone explain like I'm five?
Your on-line identity consists of one or more brands and associated brand-specific identifiers. For instance, to me right now, you're HN!JohnFen. HN, or news.ycombinator.com, is the brand. Right now I'm speaking to you also using HN brand, as HN!TeMPOraL. HN is the brand through which the communication happens. I can't use my Twitter!TeMPOraL_PL account to talk to you, because there's no transport between Twitter and HN. And even if it was, now two brands would be involved in communication.
If you think about it, you'll notice that there's no way you and I can ever talk with one another without a brand intermediary, unless we accidentally meet somewhere physically, or unless some direct connection details could be exchanged through a chain of our physical acquaintances (essentially performing IP routing over a meatspace social network).
I think I see what I was missing here -- he's talking about identity services, not actual identities. I see a large difference there.
In any case, thank you for helping to clear that up.
> If you think about it, you'll notice that there's no way you and me can ever talk with one another without a brand intermediary
I think that this is a matter of worldview or perspective. I don't see it that way at all, but I understand how others might.
The use of the term "brand" here is very confusing to me, as a brand is a constructed and projected image, not a solid thing. As another commenter here said, "institution" may be better. "Company" might be even better than that.
I think "brand" is used here because it's a bit more accurate than "company" or "institution". Consider an Instagram account and a Facebook account. Both are owned by the same company - though they weren't in the past - and yet they create their separate communication networks. What the author calls "a brand" can change its owner, and multiple distinct "brands" can be owned by the same organization. The example with Alice and Bob tells you that an individual can also establish such a "brand".
Well, in the sense that you've explained, the article is talking about identity and communications channels as if they are related, so perhaps "communications channel" would be the most accurate term?
Not sure. Take the two e-mail addresses I still use; one is on GMail, the other under my domain. There are two "brands" (GMail and my domain), but one communication channel (e-mail).
(From my point of view, there are perhaps three "brands" - I own the domain, but the address under my domain is handled by Fastmail.)
Let me turn the question around: what about the author's use of the word "brand" seems to conflict with the usual use of that word? Especially when you include the extended meaning that gives rise to terms like "personal brand"?
The way the author uses that word intuitively clicks with me, but then again, I could be wrong about what the word "brand" means in general.
I have or can have a single authentication identity to Instagram/Facebook and YouTube/Gmail/Google. I might have a separate profile/persona on Instagram/Facebook or YouTube/Gmail, but the sign-in is the same identity. Yes, Instagram does have its own segregated identity infrastructure, but its identity brand doesn't get reused anywhere but Instagram.
This article was about identification and authentication, not necessarily what you do with the services once you are logged in.
> Take the two e-mail addresses I still use; one is on GMail, the other under my domain. There are two "brands"
Hmm, I don't see email as an example of a "branded" communications at all. If we're exchanging emails, it doesn't matter to either of us who our email provider is. The identity is our email address, which is not necessarily linked to what email provider we're using.
> what about the author's use of the word "brand" seems to conflict with the usual use of that word? Especially when you include the extended meaning that gives rise to terms like "personal brand"?
A "brand" is a marketing thing -- it's the sum total of the iconography, art, marketing, and so forth of a product or company. It is distinct from the actual product or company.
I don't have a "personal brand" at all, because I don't market myself in a way that would require one.
This is clearly not what the author means, though, which is why I find its use to be confusing -- I don't really know exactly what he means by the term.
The author means brand to mean authoritative identity holder. It means an institution that 1) doesn't allow two people to use the same name and 2) at a very basic level will reactively correct fraud.
It is being used similar to the way we think of banks, as a provider of trust, and a custodian. Now that I think about it, custodian is a much better word than institution or brand.
> I can't use my Twitter!TeMPOraL_PL account to talk to you, because there's no transport between Twitter and HN. And even if it was, now two brands would be involved in communication.
You could almost do it if things like the Keybase identity graph were widely used. It seems like that concept would lift the identity out of the brands. As long as you linked back to an identity chain from your identity on each brand.
There's a book, "Mystery of Capital", wherein the author points out that in order for identity and contracts to work there has to be "something to lose" for the parties involved.
E.g. the power company can't supply power to slums not because of technical limits, but rather economic limits: because the residents don't have titles or leases or bank accounts there's no way to shut off the power to a household for non-payment. There's no leverage without paperwork.
It's relatively established how to do this IRL with deeds and titles and contracts and such. On the Internet it's not even clear that identity is possible to establish. Our computer systems leak like sieves and people get hacked all the time.
I was imagining just yesterday starting an MLM system based on reselling yubikeys and establishing a hardware-backed web-of-trust. I wouldn't even try to make it a pyramid: just resell the keys to your "downline" at wholesale plus the upline uh payment (I don't know the terminology.) Any infrastructure is provisioned by open bid and paid for by simple equal division among all current members. I would imagine it would amount to about a dollar or two per month per person at the very most, flat rate, not part of the MLM.
The whole point is to self-fund a hardware-backed p2p-IRL identity authentication network.
This has interesting ramifications in areas which do have the ability to support power supply, but haven't implemented our style of loans tied to collateral (Edit: Or rather haven't implemented automated billing, pre or post paid, tied to an identity.).
I saw this in play in Mozambique. Few people had bank accounts, even fewer had mailing addresses, but many still had power.
Once a month or so you went down to the market and bought a little scratch-off ticket worth X amount of power, I assume with the same one-time-use keys used on gift cards. When a house wanted to be hooked up to the grid they'd be supplied with a power meter which had a keypad. Type the numbers from your scratch-off into the box, and it'd update its counter with how much electric you had left.
A lot of things worked on this scratch-off system, and it's one of the things I really liked. It enabled the power company to trust in their hardware instead of having to place trust in an individual. So the individual didn't have to provide any collateral. There was no credit check to get a new phone plan, because you either bought a scratch-off that month or you didn't. No one came around to check your power meter unless there was something wrong with it, and the company didn't much care what it was supplying power to. I watched my neighbor build a new house and transfer his live box (quite dangerously) from his old to the new. The power company trusted the hardware, not a person or house it was tied to, so it didn't matter and there was never any record of what he was powering with it in the first place.
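The prepaid-meter arrangement described above, as an added example that is not part of the commenter's post and not a description of any real meter: the commenter only guesses that the scratch-off codes are one-time-use keys, so this model assumes a per-meter key shared between the issuer and the meter, a token of `units || nonce || truncated HMAC-SHA256 tag` bound to the meter id, and a set of already-redeemed nonces on the meter for replay protection. The names `issue_token`, `Meter` and `METER-A`/`METER-B` are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example of a prepaid meter that trusts a credit token, not a
# person. Assumptions (not from the comment): the issuer and each meter share a
# per-meter key provisioned at manufacture, and a token is
#   units (2 bytes) || nonce (8 bytes) || HMAC-SHA256 tag truncated to 8 bytes
# over meter_id || units || nonce, printed as hex on the scratch card.
TAG_LEN = 8


def issue_token(meter_key: bytes, meter_id: str, units: int) -> str:
    """Issuer side: mint a one-time credit token for one specific meter."""
    body = struct.pack(">H", units) + secrets.token_bytes(8)
    mac = hmac.new(meter_key, meter_id.encode() + body, hashlib.sha256)
    return (body + mac.digest()[:TAG_LEN]).hex()


class Meter:
    """Meter side: verifies tokens offline, never needs to know who bought them."""

    def __init__(self, meter_id: str, meter_key: bytes):
        self.meter_id = meter_id
        self._key = meter_key
        self.balance = 0
        self._used_nonces = set()  # replay protection: each token redeems once

    def redeem(self, token_hex: str) -> bool:
        try:
            token = bytes.fromhex(token_hex)
        except ValueError:
            return False
        if len(token) != 2 + 8 + TAG_LEN:
            return False
        body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
        mac = hmac.new(self._key, self.meter_id.encode() + body, hashlib.sha256)
        if not hmac.compare_digest(tag, mac.digest()[:TAG_LEN]):
            return False  # forged, tampered, or minted for another meter
        nonce = body[2:]
        if nonce in self._used_nonces:
            return False  # already typed in once: replay
        self._used_nonces.add(nonce)
        self.balance += struct.unpack(">H", body[:2])[0]
        return True


def demo() -> dict:
    """Exercise the properties the comment describes: hardware trust, no identity."""
    key_a, key_b = secrets.token_bytes(16), secrets.token_bytes(16)
    meter_a, meter_b = Meter("METER-A", key_a), Meter("METER-B", key_b)
    token = issue_token(key_a, "METER-A", 50)
    tampered = "ff" + token[2:]  # alter the units field; the tag no longer matches
    return {
        "first_use": meter_a.redeem(token),   # True, balance becomes 50
        "balance": meter_a.balance,
        "replay": meter_a.redeem(token),      # False: nonce already used
        "wrong_meter": meter_b.redeem(token), # False: key and meter id differ
        "tampered": meter_a.redeem(tampered), # False: MAC check fails
    }
```

The meter carries everything it needs to decide, which is why moving the box to a new house (as the neighbour did) changes nothing: the trust relationship is between the issuer and the hardware, and no household identity ever enters the protocol.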
Personally I think a good identity system should have these properties:
* The identity provider should not see which services users authenticate to. AFAIK this is now a major issue with current "Log in with X" systems.
* Services should not be able to discover which other services the user has authenticated to, i.e. the identity presented to service A should not be linkable to the identity presented to service B.
* Identities should be relatively stable. The identity presented to a certain service at a certain point in time should be the same identity presented to the same service at some other point in time.
* The system probably needs to be able to allow users to reveal additional information about their identity. This is a problematic requirement because in wider use it is ripe for abuse by service providers.
* Optionally it'd be nice if the system had some facilities for offline usage, where neither user nor service needs to talk to the identity provider.
This is a fairly hairy problem, with many more concerns in the details and other people probably having different requirements. From a quick search, Credentica's (now MS) U-Prove system comes closest, but I haven't really delved into it to see if it actually matches my thoughts.
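The second and third properties in the list above (unlinkable across services, stable within one service) are what pairwise pseudonymous identifiers give you. The following is an added example, not from the commenter and not U-Prove: it assumes a user-held secret and derives one identifier per service with HMAC-SHA256, so the derivation can run on the user's side without an identity provider learning where the user logs in (the first property). The names `derive_pairwise_id`, `linkable_users` and the `service-a.example`/`service-b.example` ids are constructed for the example.

```python
import hashlib
import hmac
import secrets


def new_user_secret() -> bytes:
    """Constructed demo: a secret held only by the user (e.g. on their device)."""
    return secrets.token_bytes(32)


def derive_pairwise_id(user_secret: bytes, service_id: str) -> str:
    """Pairwise pseudonymous identifier for one (user, service) pair.

    HMAC-SHA256 is a pseudorandom function keyed by the user secret, so:
      * the same secret and service always yield the same identifier (stable), and
      * identifiers for different services look unrelated (unlinkable) to anyone
        who does not hold the secret, including the services themselves.
    """
    return hmac.new(user_secret, service_id.encode("utf-8"), hashlib.sha256).hexdigest()


def linkable_users(table_a: set, table_b: set) -> set:
    """What two colluding services learn by comparing their user tables:
    the identifiers present in both. With pairwise ids this set is empty."""
    return table_a & table_b


def demo() -> dict:
    alice = new_user_secret()
    bob = new_user_secret()

    # Each service stores only the identifier that was presented to it.
    service_a = {derive_pairwise_id(u, "service-a.example") for u in (alice, bob)}
    service_b = {derive_pairwise_id(u, "service-b.example") for u in (alice, bob)}

    # Contrast: one global identifier (an e-mail address, a phone number) stored
    # by both services is trivially linkable. Addresses below are constructed.
    global_a = {"alice@example.invalid", "bob@example.invalid"}
    global_b = {"alice@example.invalid", "carol@example.invalid"}

    return {
        "stable": derive_pairwise_id(alice, "service-a.example")
        == derive_pairwise_id(alice, "service-a.example"),
        "unlinkable": derive_pairwise_id(alice, "service-a.example")
        != derive_pairwise_id(alice, "service-b.example"),
        "pairwise_overlap": len(linkable_users(service_a, service_b)),  # 0
        "global_overlap": len(linkable_users(global_a, global_b)),      # 1
    }
```

The fourth property (selective disclosure of extra attributes) is deliberately not covered here; a bare HMAC gives pseudonyms but no way to prove a claim about the person behind one, which is the part U-Prove-style credential systems add.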
This is lovely.
I've always considered myself an internet person, I own a few domain names, I have a few servers, actual, physical pieces of hardware, connected to the Internet through my private internet connection.
Sure, it took a bit of effort to get it up the first time: to figure out how to configure routers, to configure postfix and set up mail accounts, figuring out how to do DKIM in DNS, but now the bar for entry is extremely low.
If I write a PHP adventure in an hour, it won't take more than 5 minutes to put it online for the world to see, and those who know me, know my domain/brand, and I can easily link it to them.
If Alice wants to talk to Bob, she can just send those IP packets to his computer! If Alice and Bob are good friends, they probably exchanged certificates at some point.
In retrospect, I used to be rather arrogant about this, not proud, just annoyed why everyone didn't just do that.
But I've realized that I probably didn't find any of it easy, I just happened to find it fun and interesting. It'd have been torture if it was not fun for me to do.
So yeah, we should maybe think hard about how to get to that point, where everyone who is online can have that amount of freedom, without having to rely on third parties, and without dedicating days to learning _that_much_ technical stuff.
We don't need a new service trying to do this for us on the old Internet, we need some fundamental change, maybe it is not even to the network itself, maybe it is to the way we use or think about it.. Maybe it is just concepts we are missing? Maybe it is tools. Maybe it is really a fundamental change to the network itself. All must be free and equal on the capital I-Internet.