The technology can change the economics of identity, but identity itself reduces to how you organize to provide recourse to people within your scope. Sure, we can use escrow systems and smart contracts, but these still require a means to organize and provide adjudication.
All the use cases for digital identity are about enforcement and liability, and there are almost none that anyone would volunteer for. In this sense, identity is necessarily imposed, so all products in the space are necessarily aimed at a customer who is imposing identity on a group. It's why I tell identity companies who ask to find some other problem to solve because holding out for some government to adopt your product as their source of sovereignty is a waste of time. There is one other use case for identity, and yes, it is decentralized and bottom-up, because it is about dividing into secure, self-sovereign affinity groups, and the reasons for doing that are on a very short list of uses. Super fun, but basically a weapon.
The conclusion ("It will be decentralized") doesn't follow from the argument though ("because if it is not fragmented, it is literally just oppression").
It could very well be "just oppression" and keep being that...
Everything from a LinkedIn or Facebook account to your personal artist homepage with your CV on it establishes identity. People obviously disclose identity voluntarily, because identity is the primary means by which strangers establish trust.
If your identity is not transparent to me, I won't enter a relationship with you that requires me to know who you are, which in practice is almost every one. I don't see how non-fragmented identity is oppression. It can be for sure, but the primary reason why identity is important in our interactions is because it establishes trust and reputation. I've always considered "non-imposed" identity a sort of oxymoron for that reason, because if full control of identity is left to the individual, identity essentially loses its primary purpose.
That is, one can have a range of identities, from entirely transparent to stably pseudonymous to fleetingly anonymous.
There are two things about this that don't require centralized identity.
The first is that it's very commonly not true at all. If you want to sign up for an account for an online service (e.g. email, YouTube, gaming), they don't need the name on your driver's license for anything. They don't need to know anything about you. You create an account, set up authentication to prove you're the account holder in the future, and that's it. The identity you use can be created along with the account; it doesn't have to exist beforehand or be associated with anything else.
Second, even where reputation is important, you still don't need a single identity, it's just that an identity without any history would be untrusted.
Suppose you go to the bank to take out a loan. If you tell them your name is Barrin92 and you have no financial history, they're not going to give you one unless you get some more trusted party to cosign it or you post enough collateral that they can be assured to recover their principal if you default.
But then you start off with a small loan with a large amount of collateral, or a cosigner, and build a credit history as "Barrin92" with financial institutions. Now you can get a bigger loan, or one without a cosigner or as much collateral. Until you default. Then "Barrin92" would no longer be creditworthy and you'd be back to square one.
This works fine even if you have a thousand separate identities, because identities with no credit or bad credit aren't trusted and good credit is valuable so that you lose something significant (the creditworthiness of that identity) if you default.
People having multiple identities is effectively just equivalent to the ability to declare bankruptcy. It doesn't really break any good important thing and it does break some important mechanisms of oppression that we should want to break.
I've never understood that way of viewing things. For me identity is a right. The government must provide me with the means to prove who I am and my associated data like birth certificates, academic titles, health (vaccination), real estate and indirectly verifying identity for private contracts that use my national id card number.
In an oppressive state identity surely could be oppression, just like everything else, but in a democratic country? Come on. In the USA government and even private entities are collecting massive databases of everybody's data. But there's this panic about a centralized service providing identity. It makes no sense.
What makes you think a democracy can't be oppressive?
Even in perfect democracies there is something called the tyranny of the majority, where the majority can oppress the minority.
If we're talking about the US in particular, we have to recognize first that it's not even a perfect democracy, and there are many anti-democratic things about it such as the electoral college, and plenty more things that hinder democracy even where it exists (such as poor civic education, money's outsize influence in elections, extremely biased media, branches of government which shirk their balancing and oversight roles, etc).
Then, to get specifically to the oppressive aspects of the US, they range from slavery and lack of women's rights from its foundation, to segregation that existed in law up to the middle of the 20th Century (and arguably still exists in fact to some extent and in some places in the US even now), to the imprisonment in concentration camps of Americans of Japanese descent, to discrimination against people who weren't heterosexual, to the War on Drugs and police brutality which primarily impact minorities, to abuse, killing, and imprisonment of people who come to the US from other countries.
All this oppression and more has happened in what is ostensibly a democracy, and often likes to style itself as the world's greatest democracy.
And all of this oppression has had to do with identity, which required identifying people's race, gender, sexual preferences, or country of origin.
Such identification is amplified and made all that much easier in the age of computers, the internet, and gigantic databases on everyone. It's a data trove just begging for abuse.
However, I cannot change my government provided identity.
Right now I can have multiple identities: one for work, one for my WoW guild, one for security research.
With a single centralized identity provider I couldn't do that. They wouldn't just be able, they would by default associate my personal and professional associations.
I feel that the risk of a single central (and especially government run) identity provider is that it can chill freedom of association by disallowing you to anonymously, or if not anonymously then disconnectedly associate with people or groups.
Historically "identity" wasn't a right, but something imposed on people, for better tracking and controlling them by authorities...
>In an oppressive state identity surely could be oppression, just like everything else, but in a democratic country?
Oppression is not about democratic vs totalitarian state. McCarthy and Hoover, to mention just two examples, reigned over others in the good ole democratic US of A.
Not to mention very few (if any) countries have actual direct democracy, or give the people say in how they want to be governed, from the constitution and downwards.
The existence of centralized identity is what enables those databases. They're all indexed by the centralized identity. You give Facebook your "real name" and location and the same thing to your bank and they correlate them in a database. If you were using a different identity for each one they couldn't do that.
On the other hand, creating some kind of national ID authentication system would make it much worse, because then things would require that. You couldn't sign up under a pseudonym, so now even the things that are currently separate or that you can keep separate if you want to would be forced into being correlated with everything else about you in those databases. It's an attack.
In Belgium, changing your name is virtually impossible. The king (ostensibly) has to grant permission; you need to provide a "valid reason". This never made sense to me.
Did the industry ever get around the sub-par SAML protocol which had no support for the active requestor profile, and the superior WS-Federation protocol which had to use the technically superior SAML token?
There are a couple of companies that are using Hyperledger to federate identity providers like banks, governments, and other institutions, but the scope of that identity is still local to the federation participants who are a walled garden of their own.
The prefix "ur" is derived from old high German "ur", old Nordic "ōr" or Gothic "us": "from, out of".
That there's an ancient city of that name is purely incidental.
A weapon against who? A self sovereign affinity group could just be a community trying to self organize without relying on non-owned infrastructure. Aka prepper stuff.
Decentralized solutions, as I've read about them in their current form, require a significant amount of technical knowledge to understand. That is, to understand both what they are and, more importantly, their benefits ("why does this specific solution matter to me?"). Past that, the user experience is extremely poor in comparison to clicking "log in with Google", and I'm not convinced it can ever fully get there.
It is for those reasons that I think centralized identity is here to stay long term. Most people aren't going to spend the time to learn about this because they just want the easiest solution and don't care about their data being sold. I know several people in tech that fully understand the extent of how their data is used by internet corps, and don't mind it because they prefer convenience for free. And I think that's OK--it's their informed choice.
Personally, I try to login with email most of the time, and that's the limit of my drive to care about the security of my personal data. But my email is gmail, so I doubt it really makes a difference from login with Google.
In Mexico, credit cards are stolen and reamed for all they're worth by criminals. As a result, everyone uses cash (decentralized, anonymous, difficult to use). Everyone could move to decentralized in the face of significant pressure, even if centralized identity is more convenient.
Considering how Americans view other Americans (I hear "stupid" thrown around a lot), I strongly doubt that a decentralized authority would ever gain enough trust in the US to take hold today without a strong historical precedent.
For what it's worth, cash is still centralized. It's made "legitimate" by the power of the central government, and is managed & controlled by that authority. Given, it is somewhat "decentralized" because the value of fiat money comes from the people's agreement that the currency has value. On the other hand, the US dollar's global hegemony exists in large part because of global US Military presence, which is absolutely a "central authority".
If a centralized system is not inept, it can do all the same things decentralized things do and better.
I didn't even know Microsoft family was a thing, but setting it up and configuring it (from my perspective) was intuitive and simple. My mother and brother however struggled to follow along, and are stressed that they won't be able to manage it.
Most users (even my spouse who is in her late 20's) readily fall into this category. My point is that if configuration requires any troubleshooting it won't reach mass adoption unless it addresses a perceived necessity without an alternative approach.
When you visit a website that works with it, to login, you just grant the webpage access to one of your profiles. (I just use one profile for everything, but you may wish to keep some things separate). Then any activity you do can be associated with that profile. No passwords or keys or even email addresses to remember.
It's still pretty early, but imagine a more polished version of that with a user-friendly installer. If you had the software installed and running, it'd behave pretty similarly to e.g. Google's OIDC provider. Linux distros could even preinstall it. (I have no hope that MS/Apple/Google would do the same since they all have their own centralized providers.)
* Its value prop is poorly explained. As an engineer with a CS degree, I still barely understand what it's talking about (what's an "identity attribute"??) without some digging.
* Even if the value prop was well-explained, it's still very high friction compared to "Sign in with <Service I Already Use>". Why would a user download an installer and deal with managing all of their accounts? There's a secure, anonymous, easy, centralized option that does it all for you (Sign in with Apple). That service does it so well that you only have to click a button to log in or sign up. Nothing else required. That isn't achievable without a central authority managing everything for you.
* (this is the big one) Your local machine is a major point of failure. If you lose your local machine and haven't backed up your accounts, you just lose access, right? The only solution is either set up a server with periodic backup (too much friction for regular users) or a centralized authority that stores them for you, which defeats the purpose of all of this.
This project, to me, falls into the "cool technical stuff category". It's obviously built for "geeks" (lack of a better term) and not for people. That's why centralized tech co's will probably always do this better than open source. They are customer focused just as much as technology focused.
Unmonetized open source projects tend to focus more on technology than user experience. That's why you see regular people using monetized software and developers using open source to build monetized software.
Through a weird set of coincidences I often get support tickets about people using or enrolling in TOTP escalated to me. These people have never used an authenticator, except for the company-mandated Microsoft authenticator. Not only do they simplify the concept, thinking there's just one code for everything (e.g. Microsoft tokens are used for AWS; don't worry, these people only have access to some S3 stuff), they also extrapolate that because Microsoft sends them push notifications, AWS must too, and they didn't get one, so it's obviously broken.
Email is slowly losing this awareness too. The only remaining analogy that's probably not going away is getting your credit card from a bank while they still work on the same network.
The bigger problem is convincing people that it's worth switching. Apple is the closest to doing this with "sign in with Apple". "Sign in with Apple" hides your identity from the client site, the value prop is clear for the user, and the process is as close to frictionless as possible. But the solution is still "centralized". Apple stores all of the information to make the system as frictionless as it is.
Centralized has subscriptions, advertising, and "surveillance capitalism." Decentralized has nothing. I had some hope that cryptocurrency would provide some kind of mechanism, but cryptocurrency was taken over and destroyed by scammers and bad money drives out good.
The lack of an economic model is IMHO why decentralized solutions have not succeeded, not technical challenges.
One possibility would be to abandon the free as in beer part of open source ideology and go back to just charging for software, but licensing and payment add friction and it's very hard to compete with "free" options funded surreptitiously via surveillance.
BTW the fact that cryptocurrency was destroyed by scammers and criminals highlights a second huge issue: it seems to take the efficiency, executive ability, coordination, and direct human guidance of a centralized system to resist bad actors. This is why even the most democratic countries have mechanisms to phase shift into dictatorships during emergency or war. I have yet to see a decentralized system that became popular and was not instantly destroyed by black hats.
They can find out if you are a user of sex.com or dangerouspoliticalopinions.com
They can do this by trying to register an account with your email address, and being told it was already registered.
Here is a tool that allows anyone to do it:
https://www.quora.com/Is-there-a-way-to-know-which-all-sites...
https://brandyourself.com/blog/privacy/find-all-accounts-lin...
However, I believe that would fail for those using Google or Facebook authentication. But I can't test that, given that I don't have an account with either.
If you want a general-purpose open-id style account, you visit a notary, and provide them with a fee and proof of your identity. You tell the notary how much information they can share (in particular, whether they can release your name to the internet, or just the "we verified this account is held by a real person" boolean).
The protocol would cover much more than passport info though. You could have a notary vouch that you're a licensed driver, or have a college degree, visited a certain country, etc.
That might cut through some flavors of online nonsense. It would also allow people to stay pseudonymous, and yet enable law enforcement to subpoena their identity, if they go on a killing spree, or hack a few million dollars worth of bitcoin.
Since we have Let's Encrypt I'm not entirely sure what CAcert's place and purpose is, but I think with an existing network of trusted people they are in an ideal position to pivot into a decentralized online identity system.
Mark Shuttleworth's Web of Trust similarly had so called Thawte Notaries but I think it was discontinued a few years ago.
Humans, generally, are very bad at catching document fraud. It wouldn't be a vouch for a licensed driver but instead it would be a vouch for "a bit of plastic that looked like a driving license to me".
There is lots of sophisticated fraud and often automated solutions have a much higher rate of detection than your average person, even with some training against common attacks.
The main issue is minimizing cost. Dot com companies and banks don't want to pay for this so they peg online identities and account security to SMS effectively pushing off the problem to cellular companies. Cellular companies lack the competence to handle IAM. Opening a branch in every city is very expensive and companies don't want to even pay ~$10 for an offshore script reader to check a SMS code and verify "public information" off a credit report.
Credit card companies that are already liable for fraud usually settle for SSN+DOB, ID scans and aforementioned Equifax data verification because fraud losses are cheaper than in person due diligence.
Public notaries are licensed by US state governments. There is generally a background check, brief training course, and application fee. In at least some states they have strict liability for theft of their stamp.
As a person being notarized it sounds like I have to give that business more personal information about myself than I usually have to do to get an online identity, as suggested by your subpoena statement.
As a service trying to verify accounts I now have to trust a third party. Maybe the notary has a business that sells fake IDs in the back that are then used in the notarizing process. Maybe my competition set up a burner notary node in order to flood my service with malicious accounts. It sounds like an attack vector.
The internet is important. When something is important enough, it is worth the risk. That's why people share secrets with their bank, lawyer, doctor, psychologist, etc.
We are squandering most of the potential of social media, because its design limits worthwhile conversation to hypotheticals. Since there's no reason to trust the honesty or motivations of anyone online, discussing actual data or life-experience is pointless.
This is never going to happen. I will never visit a physical location in order to create an online account. I strongly suspect I'm not alone in this regard.
The system is attribute based and requires an 'authority' to give you the attribute. After that the attribute lives on your phone and you can give it out to organisations or businesses asking for....:
- your name
- whether you are >= 18
- your address
- etc.
What's great about it is:
- you can give out minimal information
- no 3rd party/intermediary required after you've received an attribute
China is already there. At age 16, you get your picture and fingerprints taken. If you get a phone, its ID is tied to your personal ID. Your WeChat account is tied to that ID. If you ride the subway or bus in a major city, or a train, your ID is recorded when you pay. A combination of phone tracking and facial recognition records where you go in some cities. It's even used to shame jaywalkers.[1]
The US is getting there with Real ID. It's been postponed a year due to the epidemic, but soon you will need a Real ID, checked against your birth registration, to board even a domestic flight.
[1] https://www.washingtonpost.com/us-policy/2020/06/25/irs-stim...
Which is why I am confused as to why the author spent so much time worrying about verifying identity. To me, that feels like it's completely missing the point of fragmenting your online experience. Is the author simply concerned with the amount of power associated with their google login?
In general I like the idea but since it's a EU-style project I don't expect it to go anywhere to be honest. And personally I don't think the benefit over e-mail based authentication is marginal. That said there are some extensions in OpenID Connect that can achieve something similar, and that (IMHO) are more likely to actually get widely adopted.
I'd love to have SSO under my own control, and while it was theoretically possible with OpenID 2 things have gone backwards with OIDC with everyone supporting it but restricting login to just the big names (Google, Facebook, Apple).
I put together a simple stateless OID2/OIDC identity provider: https://gitlab.com/rendaw/oidle but I have yet to find a website I can actually use it on. I still have hope though.
Except that it's not possible. And worse, it's just hard enough to evade that only those with malicious goals will manage it.
> Large internet corporations like Google and Facebook allow all to create an account on condition that some personally identifiable information is revealed, usually a phone number.
Also Signal, sadly enough :(
> The benefit is that it deters most from repeatably creating new accounts when older accounts have been flagged or banned due to improper behavior. These companies gain the function of "identity provider": they manage your online identity that can be used to login in different locations of the internet. We all know many websites that offer a "Google login" or "Facebook login".
Yes, it "deters most". And mainly it deters vulnerable people, who need ~anonymity to protect themselves from adversaries. It doesn't deter spammers, trolls, scammers, bot operators, and such. There are just so many ways to use multiple phone numbers. Ranging from free websites to SIM banks. And actually, it's easier just to buy accounts, either fresh or old (which probably means stolen).
So even without getting into concerns about corporate gatekeepers, it's clear that this is a misguided approach.
So this is about the introduction of a new identity service. From what I get looking into Keyoxide it basically strives to be what Keybase originally intended to be.
From their Keybase migration guide [1]:
"Keyoxide as a partial replacement for Keybase
It's important to moderate expectations and state that Keyoxide only replaces the subset of Keybase features that are considered the "core" features: message encryption, signature verification and identity proofs.
Message decryption and signing are not supported features: they would require you to upload your secret key to a website which is a big no-no.
Encrypted chat and cloud storage are not supported features: there are plenty of dedicated alternative services.
If you need any of these Keybase-specific supports, Keyoxide may not be a full Keybase replacement for you but you could still generate a profile and take advantage of distributed identity proofs."
This means the proof isn't dependent on a central server, which seems like a significant improvement.
Handshake [2] is a great project that helps decentralize online identity. Not only is naming distribution in the hands of the people with Handshake which ends the deplatforming/censorship debacle the world has been facing recently, but also, anything a name does can be verified with signatures verifiable against the blockchain.
[1] https://www.theverge.com/2016/11/23/13739026/reddit-ceo-stev...
The DID and VC specs are the most advanced tools we have now to implement decentralized identity, plus there are many startups applying these in real world, solving problems and generating open source implementations.
Btw, I joined the Internet Identity Workshop last spring and it was an incredible experience. (https://internetidentityworkshop.com/)
That said, the last couple of years, I have gone to great lengths to create a "digital personal brand," which is deliberately designed to help people find me, and tie all of my digital artifacts together.
I think that OAuth logins actually work against that. I want to leave "pointers" all over the place, that point to each other in a public manner. OAuth logins "bury" these pointers, so only "gatekeepers" can see the information.
It definitely means that I have to be a lot more careful, these days, than I used to be, in choosing what I write or expose online, but I don't feel it's too difficult. I like to think that I live a lifestyle that has very little to hide.
I was reading about that Fox writer that just committed career seppuku. I think that is a visceral example, showing that we can't trust the old cloak of anonymity to hide our trail, so it might not be a bad idea to, as Twain said, "live that when we come to die, even the undertaker will be sorry."
It's part of a strategy that seems to be working.
Works for me. YMMV
An excellent example of something perversely non-standardized for identities can be found in messaging. Signal, Matrix, WhatsApp and OMEMO are even supposedly based on the same protocol. In terms of identity they are all complete silos. All the things you establish about an identity on one system are completely unusable on another.
Creating systems to kludge this mess together seems to be a way of avoiding the root problem here...
You can have as many passphrase protected backups of your identity in as many places as you like so in practice the more likely issue would be where someone else gets access to your private key. So that means some sort of revocation contingency.
Make a page on your domain with rel=me links to your social media profiles, have the social media sites link back to your site with a verified symbol next to the link when it scans and validates the rel=me link.
This puts you in control of your verification instead of federating it to a service like Keybase or Keyoxide.
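The two-way rel=me check described above, as an added example that is not part of the original comment or any site's actual verifier: a profile counts as verified only when your page links to it and it links back, both with `rel=me`. The domains, the constructed pages, and the names `verify_rel_me` and `fetch_constructed` are assumptions for illustration; a real verifier would fetch the pages over HTTPS instead of reading them from a dict.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def normalize(url):
    """Canonical form for comparison: lowercase scheme/host, no trailing slash."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    path = parts.path.rstrip("/") or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{port}{path}{query}"


class RelMeParser(HTMLParser):
    """Collect hrefs of <a>/<link> elements whose rel token list contains "me"."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        # rel is a space-separated token list, e.g. rel="nofollow me".
        rel_tokens = (attr.get("rel") or "").lower().split()
        href = attr.get("href")
        if "me" in rel_tokens and href:
            # Resolve relative hrefs against the page that contained them.
            self.links.add(normalize(urljoin(self.base_url, href)))


def rel_me_links(page_url, html):
    parser = RelMeParser(page_url)
    parser.feed(html)
    return parser.links


def verify_rel_me(home_url, profile_url, fetch):
    """True only if home links to profile AND profile links back, both rel=me."""
    home, profile = normalize(home_url), normalize(profile_url)
    if not (home.startswith("https://") and profile.startswith("https://")):
        return False  # a link fetched over plain HTTP can be rewritten in transit
    forward = profile in rel_me_links(home, fetch(home))
    backward = home in rel_me_links(profile, fetch(profile))
    return forward and backward


# Constructed sample pages (hypothetical domains), keyed by normalized URL.
PAGES = {
    "https://alice.example/": """
        <a rel="me" href="https://social.example/@alice">social</a>
        <a rel="me noopener" href="https://code.example/alice/">code</a>""",
    # Links back with rel=me among other tokens: verified.
    "https://social.example/@alice":
        '<a rel="nofollow me" href="https://alice.example">my site</a>',
    # Links back, but without rel=me: not verified.
    "https://code.example/alice":
        '<a rel="nofollow" href="https://alice.example/">my site</a>',
    # Claims alice's site, but alice's page never links here: not verified.
    "https://social.example/@impostor":
        '<a rel="me" href="https://alice.example/">my site</a>',
}


def fetch_constructed(url):
    """Stand-in for an HTTPS GET; returns the constructed page or an empty body."""
    return PAGES.get(normalize(url), "")


if __name__ == "__main__":
    for profile in ("https://social.example/@alice",
                    "https://code.example/alice",
                    "https://social.example/@impostor"):
        ok = verify_rel_me("https://alice.example/", profile, fetch_constructed)
        print(profile, "verified" if ok else "not verified")
```

The impostor case shows why a one-way link is not enough: anyone can point a `rel=me` link at your domain, but only you can publish the link in the other direction.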
$10/year * 4 Gigapeople online.
Mandate that much free revenue to the likes of godaddy? No thanks.
The author suggests services built on top of these silos that provide proofs of connection between all the identities. I welcome such initiatives but I doubt they will lead anywhere, because they are built on top of silos. And a silo, as soon as it figures out it loses money, will cut down that connection.
What won't die is decentralized published standards and protocols that handle the Identity management through the internet. Starting from plain DNS, we can get AoR for SMTP, SIP, XMPP and on top of that we have frameworks that facilitate the identity management like Oauth2, OpenID etc. All open and standardized. We are getting there, we just need some more time I guess.
That's why I always thought that Google, who owns emails, has much more value than Facebook, that asks for your email. If Facebook dies, you lose one aspect of your digital social part. If you lose your email though, you almost lose your online identity. I really can't get how Zuckerberg has missed that.
It didn’t really take off though, and I guess was quietly withdrawn.
But this is because I think nobody should be fired, de-platformed, banned or "canceled" for opinions/thoughts outside of those contexts.
Sure you could be fired from your work if you started shouting your opinions on your workplace. No you shouldn't be fired from your work for anything that happened outside that work.
Anonymity is needed for the sake of free thinking as a shield to any current/future mob that could ruin your life/career for just any reason at all.
In 10 years you might find yourself ostracized because someone found some 20-year-old snippet of code you wrote with "banned words" in them.
I used to think it was an acquired thing that you could have free opinions with your official identity (political or anything) and not risk your livelihood for opinions but the thought enforcing mobs are now everywhere and most companies will bend the knee to their bidding.
And obviously this identity needs to be decentralized to also protect that identity itself from being ruined by the various de-platforming attempts.
These days, I'm genuinely more concerned about the current mob rule mentality than government oppression.
I'm sure decentralized authentication won't come on commercial platforms though. Maybe some developer-centric services will add support once the Next Big Thing in authentication and authorization comes along, but companies want to keep as much of their account system under their control as possible. It might be because of data mining, it might be because of bot prevention, it might be because of fear of trusting external providers, but I just don't see any reason why companies would accept such an authentication system.
The closest thing I can see happening is a federated authentication platform like the EU is implementing with EIDAS. Authentication with your home government for EU-wide services, tied to your ID card. I don't think something like that will be implemented for much more than government institutions and banking, despite the idea having been proven to work.
Simply put, as long as it doesn't make business sense to trust another provider, businesses won't offer any decentralized authentication methods.
I described the motivation in more detail at https://github.com/shurcooL/home/issues/34.
This goes beyond owning your identity. Has government sponsorship. The EU is currently taking the lead in this area, search terms: "ESSIF: The European self-sovereign identity framework".
[1] https://www.w3.org/TR/vc-data-model/, https://www.w3.org/TR/did-core/
[1] https://github.com/decentralized-identity, https://github.com/mattrglobal/
[2] https://spaceman.id/, https://www.transmute.industries/, https://www.evernym.com/, https://sovrin.org/, https://mattr.global/
And it'll continue to mostly be 'account management' and not 'identity management' proper. We are going to want to 'share less' in a way, as the only real means really to keep our privacy.
Your bank account info is effectively secure, so are your medical records. So are your images if you store them with the right provider. The rest ... not so much.
It's neither utopian, nor dystopian, just 'what it is'.
Sorry, but no. I do not trust Random Website where I create an account for occasional usage to keep my email and password combo safe. I do trust Google and Facebook to do that. I also enjoy the great experience they offer when I have to delete said account: just go to google account page and delete the website from "my logins" or whatever they call it. Most websites don't even have a procedure to delete account.
How does it prevent linking those identities with real identities by using tools like browser fingerprinting, tracking preferences and stylometry?
I don't really see a way to keep my commenting (and even browsing to some extent) user friendly and disconnected from my real persona, so I act accordingly.
However, I'd like to be proved wrong.
I'm glad to see this! Although it seems to be hugged to death right now :( I had been using Keybase for this, but after the recent sale to Zoom, I've backed away.
The DID spec has been the one big success so far, but implementations matter. Our implementation has been open sourced, and is compatible with OAuth and other specs like DID:
That's for sure how I see it :) It gives everyone the choice of what mix of real names and ~anonymous personas to use, and how to link them.
I know most people on HN believe this, or want to believe this, or especially want everyone else to believe this, but I still think the statement needs support. Or at least a qualifier like "in my opinion."
They mostly operate in federations, which is neither centralized nor decentralized.
Far too technical and obscure a solution for 99% of the world.
I think Apple, while not a complete solution, shows a path forward with Sign In with Apple allowing you to generate a relay email.
As always, whoever nails the user experience will win.
I agree this is where things need to move, but we need to make it so simple that users who don't care can still use it and those who do can get the most out of it.
I'll have more to say here. But for now, I'll just invite any who are interested in further discussion to a Podaero group: https://podaero.com/dashboard with invite code "44e5576d".
This way sign-up is as seamless as login. Is there anything like this I can use? Are websites not doing this because of spam and other issues?
1. https://docs.ethhub.io/built-on-ethereum/identity/identity-o...
This isn't really decentralization, is it? It's a new kind of account linking which requires one to trust the central verification authority.
Maybe I'm missing something.
With regards to decentralization: Keyoxide doesn't hold the proofs. Your key does. You can take your key to any verification system, whether it is the Keyoxide website or some CLI tool or an app, and have that verify the proofs. Yes, you do need to trust the service. But that's where the open source and hopefully one day, network effect comes into play. If enough knowledgeable people trust it and talk about it, then less-techy people might one day too.
In the end, what is important to note is this: Keyoxide is just an implementation detail. If soon a different service becomes much more popular and used, the "decentralized identity proofs" ecosystem still wins! I would love to see apps get developed where anyone can at the press of a button verify online identities. That will be the next big milestone.
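The point made in the comment above, that the key carries the claims and any verifier can check them, shown as an added example (not Keyoxide's code and not posted by anyone in the thread). It assumes claims are stored on the key as `proof@metacode.biz` notations and that a proof is an `openpgp4fpr:` URI published at the claimed location; the fingerprints, URLs and page contents are constructed.

```python
import re

NOTATION = "proof@metacode.biz"  # assumed notation name carrying identity claims

def claims_from_notations(notations):
    """Pick the claim URIs out of the (name, value) notations stored on the key."""
    return [value for name, value in notations if name == NOTATION]

def normalize_fpr(fpr):
    """Fingerprints are compared without spaces and case-insensitively."""
    return re.sub(r"\s+", "", fpr).lower()

def verify_claim(fingerprint, uri, fetch):
    """A claim holds only if the claimed location points back at this exact key."""
    body = fetch(uri)
    found = {m.lower() for m in re.findall(r"openpgp4fpr:([0-9A-Fa-f]{40})\b", body)}
    return normalize_fpr(fingerprint) in found

def verify_key(fingerprint, notations, fetch):
    """Check every claim on the key; the verifier keeps no state of its own."""
    return {uri: verify_claim(fingerprint, uri, fetch)
            for uri in claims_from_notations(notations)}

# --- constructed sample data (not real keys or accounts) ---
ALICE = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
NOTATIONS = [
    (NOTATION, "https://social.example/@alice"),
    (NOTATION, "https://forum.example/u/alice"),   # account proves a different key
    (NOTATION, "https://git.example/alice/proof"), # proof page missing
    ("note@example.org", "unrelated notation"),
]
PAGES = {
    "https://social.example/@alice": "Bio: openpgp4fpr:" + ALICE.lower(),
    "https://forum.example/u/alice": "Verifying my key: openpgp4fpr:" + OTHER,
}

def fake_fetch(uri):
    """Stand-in for an HTTP GET so the example runs offline."""
    return PAGES.get(uri, "")

RESULT = verify_key(ALICE, NOTATIONS, fake_fetch)

if __name__ == "__main__":
    for uri, ok in RESULT.items():
        print("verified  " if ok else "UNVERIFIED", uri)
```

A claim written into the key is not enough on its own: the forum entry fails because the account links to a different fingerprint, which is what stops someone from listing accounts they do not control.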
Whenever I hear this I think, "What? No! That's the opposite direction we should be going." Identities that are hard locked to real people make it so easy to harass, mob, cancel and abuse people. At least in the US, most employers are at-will, allowing for Viewpoint Discrimination.
Anonymity does have its issues. It also does allow people to harass with more impunity. But in many ways, it also exposes more of the deep self and the controversial ideas people have that they are less and less likely to discuss outside of anonymity.
Even semi-anonymous platforms like Reddit are going back on previous commitments to free expression of ideas; and the effect is that Reddit is becoming more one-sided/one-direction, just like the platforms everyone is fleeing into.
Always use your e-mail to sign up for things. I rarely ever allow applications to connect via social media/OAuth. There was a time on the Internet where we thought all identity providers could be interchangeable. I ran an OpenID IDP for years, but fewer and fewer sites allow OpenID logins:
sometimes you want (pseudo-)anonymity and sometimes you don't. being able to pick and choose seems to offer the greatest freedom, rather than pigeon-holing everyone into one option.
While there are many routes to be semi-anonymous, there are very few to being verified (or maybe I just don't know about them).
The reason is simple. In 2020, everybody is a brand. Things have become competitive to the point that the inevitable happened: business has occupied free time. We could lament that, or we could accept it, because it's the reality today, and I don't think we're ever going back.
Personally I think pseudonyms are a legacy of a time when the Internet was not taken seriously and whatsupdoggg69 was a perfectly valid username in a place where nothing mattered and Internet work had no monetary value.
That's changed, a lot. That viewpoint - which, to be honest, was probably questionable, even then - seems definitely wrong now. It seems more and more like the wrong path, and you don't have to go down it.
You need to start posting under your real name, and then keep doing that, so people know they can go to your advice, expertise, friendship, a place to pay attention, etc. That has a lot of monetary value.
My philosophy here is: unless you intentionally chose to leave money on the table, you should never leave money on the table.
So if you're working in 2020 at a prestigious or a first-mover startup (which covers a lot of startups), don't go on reddit and post memes under some name that will always be worth $0.
Instead, go on Twitter, post under your real name, and start becoming known as the go-to person for your niche of the industry.
If you are working at a startup, and building a name launched out of a startup (no lawyer is going to attempt to claim your real name social media handle), you can launch a consultancy, just off that.
Assuming your consultancy brings in 100k a year and businesses often sell for 10x revenue (a pretty reasonable assumption), then doing that over 10 years can build you a $1,000,000 consultancy.
Given those numbers, I think it's positively stupid to turn down $1,000,000 for the sake of a few forgettable jokes and political opinions that, let's face it, in the case of the average person, are not changing anything.
Instead, do the smart thing, claim that $1,000,000, and get used to using real names & real name content for everything.
As you say, using your real name builds your brand. However, you must then be very careful to avoid saying stuff that damages your brand. And as you basically say, you must therefore censor yourself online.
So why not do other stuff using pseudonyms? That's exactly why I started using them. I'm retired now, so there's really nothing about my meatspace identity to protect. But when there was, having the freedom to express myself honestly online was important to me. In particular, because I had to police my meatspace behavior so carefully.
Didn't you get the memo? We're supposed to like government surveillance now. After all, now FBI/CIA/NSA are on our side and we can totally trust them forever.
Is it just new age cabala of decentralized tech to generate hype and intrigue? I've seen a lot of projects fall into this techno-wizardry naming trap, and enjoyed it myself, but I'm starting to get tired of the overhead of such abstractions.
Sadly the system cannot be used easily for any applications storing personal information since your identity is tied to a blockchain and the GDPR requires companies to make information deletable.
The reliance on abstract art for trying to make their points come across is still too vague for me to give the project a try, but who knows, maybe in another year or two the project and its concepts will actually be understandable enough for me to give it a shot.
As to your second point, I'm curious if any decentralized system will ever allow for full deletion of information once it has been replicated by another client. Any gossip protocol, or decentralized CRDT document system has to take into account that a client will go offline and retain information once it has been released into the wild. Whether or not a request to "delete" or hide that information is followed through with is almost impossible to regulate. It's perhaps more important to realize that what we publish may always exist out there.
That being said, clients could randomly ask for "tombstoned" information to verify that other clients comply with a delete request, but it will likely always exist somewhere.