If people can create and abandon identities cheaply, they will use those identities for annoyance or fraud. Hence spam, robocalls, etc. This is also why the "federated" social networks are not too useful.
On the other hand, publicly visible identities that are very strongly tied to a person or physical place lead to strong tracking and the abuses associated with that.
So, explain how "Web5" avoids those problems.
First, even when people strongly have their real identity tied to their digital or other activities, it amazingly often does nearly nothing at all to stop them from all kinds of spammy abuse, fraud, lying, trolling and all sorts of bad behavior. This happens across the board, world-wide in any non-personal social or digital setting.
Secondly, I'd argue that the ability to "decentralize" ID and anonymize oneself is more than worth having as at least a moderate bulwark against the pervasive parasitic, predatory modern corporate/government surveillance world that we increasingly live in. It's nice to talk about keeping people "respectful" with a strongly tied down identity but how ideal is this when these people live in a world of giant institutions that respect next to nothing whenever it's convenient for their interests?
> even when people strongly have their real identity tied to their digital or other activities, it amazingly often does nearly nothing [...]
Is that based on any particular example? Off the top of my head, I can think of several mechanisms by which tying a pseudonym to a real identity could deter or address malicious behavior: law suit, jail time, loss of collateral, permanent ban of a human being from a service, etc.
> the ability to "decentralize" ID and anonymize oneself is more than worth [...]
Well, the downside is unstoppable crime, harassment, dis/misinformation... but let's entirely ignore all that, and just daydream about the valiant freedom fighters it will save from oppressive government /s
https://www.w3.org/TR/did-core/#proving-control-and-binding
Here is the diagram:
https://www.w3.org/TR/vc-data-model/#lifecycle-details
The idea there is that identity providers and other authorities (governments, credit agencies, etc) issue credentials after the person authenticates with them.
This isn't much different than how it works today with, for example, a cookie on the Experian website, but the idea is that I can now take this cookie, show it to a third party and the third party can verify the credential's validity.
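The issue, show, verify flow described in the comment above, as an added example (not code from the thread or from the W3C specifications). The credential layout, the function names `issue`, `present` and `verify`, and the sample claim are assumptions made for illustration; real Verifiable Credentials use the encodings defined in the VC data model.

```javascript
const crypto = require('node:crypto');

// Constructed key pairs: the issuer stands in for e.g. a vital records agency.
const issuer = crypto.generateKeyPairSync('ed25519');
const holder = crypto.generateKeyPairSync('ed25519');
const b64 = (buf) => buf.toString('base64');
const spki = (pub) => b64(pub.export({ type: 'spki', format: 'der' }));

// Issuer: sign the claims, the holder's public key and an expiry as one exact string.
function issue(claims, holderPub, ttlMs, now = Date.now()) {
  const payload = JSON.stringify({ claims, holderKey: spki(holderPub), exp: now + ttlMs });
  return { payload, sig: b64(crypto.sign(null, Buffer.from(payload), issuer.privateKey)) };
}

// Holder: sign the verifier's fresh nonce so a copied credential alone is not enough.
function present(credential, nonce, holderPriv) {
  const proof = crypto.sign(null, Buffer.from(`${nonce}.${credential.sig}`), holderPriv);
  return { credential, nonce, proof: b64(proof) };
}

// Verifier: needs only the issuer's public key; the issuer is never contacted.
function verify({ credential, nonce, proof }, issuerPub, expectedNonce, now = Date.now()) {
  const sig = Buffer.from(credential.sig, 'base64');
  if (!crypto.verify(null, Buffer.from(credential.payload), issuerPub, sig)) {
    return { ok: false, reason: 'bad issuer signature' };
  }
  const body = JSON.parse(credential.payload); // parse only after the signature checks out
  if (now > body.exp) return { ok: false, reason: 'expired' };
  if (nonce !== expectedNonce) return { ok: false, reason: 'unexpected nonce' };
  const holderPub = crypto.createPublicKey({
    key: Buffer.from(body.holderKey, 'base64'), format: 'der', type: 'spki',
  });
  const signed = Buffer.from(`${nonce}.${credential.sig}`);
  if (!crypto.verify(null, signed, holderPub, Buffer.from(proof, 'base64'))) {
    return { ok: false, reason: 'holder proof failed' };
  }
  return { ok: true, claims: body.claims };
}

// Demo with constructed data.
const nonce = crypto.randomBytes(16).toString('hex');
const cred = issue({ birthDate: '1990-01-01' }, holder.publicKey, 60_000);
console.log(verify(present(cred, nonce, holder.privateKey), issuer.publicKey, nonce));
```

The holder-key binding and the nonce are what separate this from handing over a bearer cookie: a third party who copies the credential cannot answer a new challenge.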
Still pie-in-the-sky, but I still think we've been low ambition & not had good decentralized-identity-preconditions to begin exploring web-of-trust models. Past behavior is a huge indicator, one we can judge, & which many others will have judged. Trying to filter those other judges, decide what trust anchors we have & what biases to give, is a place where humanity would have a lot of freedom to tweak & explore, if we had these modest adequate technical underpinnings to begin to explore from.
But we just lost a decade to blockchain mania & consensus computing, rather than exploring anything actually genuinely distributed & decentralized & non-consensus. Also worth admitting AI just got good enough to convincingly fake being an online person fairly well, which can potentially massively outperform any attempt at moderation & seeking truth/genuineness that humans might ever make; said explicitly, bad/business-motivated actors' ability to fuck up anything but an ultra-conservative/paranoid web-of-trust has gone up orders of magnitude in the past couple years.
Or you know, like oauth.
Or if you want to really play up the credential angle, how tls client certificates work, if anyone would ever use them.
It also makes blocking and moderation easy and the pseudonyms accrue reputation.
Zero knowledge proofs are one of the more promising things starting to emerge from crypto and decentralized blockchain space. If desired, you can still trust Apple for the ZK proof generation and verification without having to store any private details on their servers.
https://eprint.iacr.org/2021/107.pdf
People in the crypto space are coming from a different angle, they are frantically trying to find a legitimate use for cryptocurrencies, so far unsuccessfully, by constantly rebranding blockchain technologies without being able to address the challenges. It's not that we desire to trust Apple, it's that they get things done. They have actual solutions that work, not just empty promises aimed at greater fools. People in the crypto space never deliver.
I generally agree, for almost all uses blockchains are pretty bad.
But it has, so far, been an eventually consistent global write-only data store where reads have 100% uptime. I don't want a service layer on blockchain, don't want to be using the blockchain to transact, but if there's some small modicum of write-once globally-read-many datum (such as oh say, a cryptographic token I can use to sign things to prove my identity) where blockchain actually seems like a good match. The slow and expensive isn't a problem, if all I'm doing is proving an identity I made a long time ago.
I'm not super worried about people verifying me using a bad blockchain. These systems should be self-verifying & diverging for too long should trip systems.
Normally I try to avoid low quality complaint comments like the one I am making, but blockchain naming is frustrating.
Yeah. In every other situation, people try to improve the speed and efficiency of software.
In this case, it’s like people prefer to do bubble sort even if there is quick sort available. And then sell it as the best thing ever invented.
How about we go back to web 1.0. TLS mutual cert auth with an ID card as a smart card, either from the government or from your favourite third party.
Or maybe we go back to web 2.0 with OpenID. Users pick their own identity providers and websites can pick which ones to trust and which ones not to trust. Actually, we already have that, and it's "sign in with Google/Facebook/Apple".
If you're a fan of stuffing Javascript everywhere you can, just use FIDO2/WebAuthn before or after validating the user through OAuth.
Solutions exist. Nobody wants to implement them, it seems. Inventing new ways to do what has been done before doesn't solve the problem, it just creates more dead protocols.
I'm not paying $10-$30 to store data on the ethereum blockchain every time I need to add some kind of datum (assuming the ethereum blockchain). That price will only go up once such a system actually becomes used by many parties, making the system even more expensive.
I'm already overpaying for getting the government to do stuff for me. I don't want to overpay some random servers all over the world instead of my government, that's just moving (and duplicating) the problem.
Blockchain people are the epitome of the "when all you have is a hammer everything looks like a nail" proverb.
If I need to prove my date of birth, why not present a credential, signed by the vital records agency of where I was born to prove it without any data broker in the middle?
The only thing the blockchain protects against in these circumstances would be that the government is denying ever signing your date of birth and you losing your signed token. I don't think that's a problem in practice in most countries where an alternative trust system would even work.
Git is basically a Merkle tree, but not a blockchain.
It's hard to cut through the buzzword bullshit, but this sounds like they reinvented PKI and added 10 billion layers of indirection.
Is there more to it than that? Or is this really just taking the latest technologies of the 1990s, and explaining it badly so people think they have invented something new?
While I agree that blockchain technologies can quickly fall into bullshit buzzwords, there is still food for thought here, but you have to be somewhat familiar with the subject to understand it.
Let me try to explain it from software engineer to software engineer.
The core of web 5 is "self sovereign identity". That means you (the user) get to be in control of authentication, identification, and user data access and lifecycle.
Take a typical web 2.0 workflow:
- You sign up on a website / app by providing mail, password, and some other user data like address, phone, etc.
- The website / app stores your information + their own metadata (admin flag, purchase history, whatever) in their database somehow.
- When you log in, you are given a JWT which basically is just a subset of the data you provided + the website metadata, along with a signature to ensure you're not forging all that.
- The website / app have you perform API calls providing the JWT.
The whole idea of self sovereign identity is that you don't need the website / app to own any of your data and metadata in the first place.
If your data is stored in a place _you_ control, and where _you_ can delegate read access to them, as well as the capability for them to enhance it with their metadata that they can sign, then you can pretty much get rid of them storing anything at all about you.
This place where you store your data is a blockchain dedicated for that purpose. You can have all your information stored there, encrypted, and just encrypt for their public key what you are willing to share with them. If you don't want them to know you anymore, just remove the version of your data encrypted for them.
If they need to store additional metadata on you (say an "is_admin" flag), have them store it in your wallet and sign it.
You can pretty much see it as a blockchain of persistent JWT claims that you control. These claims would be accessed through a browser plug-in a-la-metamask.
The overall idea is that by switching to this model, websites / apps will become 99% front-end only, APIs will switch to smart contracts, and you will have total control of your data.
Hope that clarifies a bit the jargon of the article.
But why would they want to?
If I understand, the premise of this idea is basically that we don't trust service providers with our data/to have our best interests at heart.
So we make a complex system where service providers (for the sake of argument, I don't know if I buy this) must respect our wishes.
Which raises the question, why would they?
Either a) service providers are good, and this system is pointless.
Or b) service providers are evil and they wouldn't use it and/or would subvert the intention.
> If you don't want them to know you anymore, just remove the version of your data encrypted for them.
Assuming they don't store it. Can't unring a bell.
> The overall idea is that by switching to this model, websites / apps will become 99% front-end only, APIs will switch to smart contracts, and you will have total control of your data.
Idk what y'all are smoking over there, but it's clearly the good stuff.
Web3 should really use "signet" rather than "wallet." Web3 is all about signing, attestation, and authentication through digital signatures. That's what signets are for, not wallets.
Coinkite recently switched to the term "signing device," but 1) that's lame, and 2) "signet" already exists and means the same thing.
At least with web5, the wallet analogy works.
Why I think it is better: (1) don't need a new blockchain (re-uses Bitcoin's); and (2) implements DIDs / DID Documents with all needed features (e.g. last time I tried, Sovrin's implementation did not support serviceEndpoints!)
¹ https://identity.foundation/ion/
² https://www.coindesk.com/markets/2021/03/25/microsofts-ion-d...
Web2 is not perfect but all the complexity brought by web>2 is just not worth the bits it’s written in.
Make something simple and easy to use and understand, dammit. I don’t want my mum to call me because her identity provider for Instagram is down.
In reality, many of the good projects and people referenced at the end of the article have been working for years without any notion that their projects are sprung out of some hyped but underspecified 'web3' technology.
Dorsey's 'web5' clamor is mostly about (barely [1]) implementing some existing technology and then writing a bit of slideware around it [2], which proposes to magically "allow individuals, organizations, and companies to publish credentials anyone can discover and independently verify" while not spending any thought on how such a PKI would be ("independently") governed without centralizing everything back again – an all too common failure mode of 'web3' [3].
Meanwhile, both Dorsey's slideware [4] and the actual specifications referenced [5][6] make bad technological choices with regard to privacy where users have stable identifiers (their public keys) which must be published, allowing them to be easily tracked across transactions.
While this can be used as a building block, no material on the 'web5' website or the TBD54566975 Github repository (I guess it's some other wordplay) indicates that they even recognize this as a problem, let alone that they propose how to solve it.
This is no new problem however: Sovrin – which many people referenced in the OP have worked on or with – has published a commentary on this back in 2018 [7]. There's also a great talk by Christopher Allen if you need to refresh your memory about what you need to consider when designing identity systems [8].
Otherwise the OP can be a great introduction to identity, but please don't feed the magical hypetrain.
[1] https://github.com/TBD54566975/ssi-service#whats-supported
[2] https://developer.tbd.website/docs/Decentralized%20Web%20Pla...
[3] https://moxie.org/2022/01/07/web3-first-impressions.html
[4] See the diagram on page 9 of [2]
[5] https://identity.foundation/decentralized-web-node/spec/
[6] https://identity.foundation/ion/
[7] https://sovrin.org/wp-content/uploads/2018/10/What-Goes-On-T...
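The tracking concern raised in the comment above (a published public key acting as a stable identifier across transactions), shown next to per-relying-party keys as one common mitigation. This is an added example, not code from the thread or from any of the referenced projects; the `Wallet` class, the verifier names and the messages are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Short identifier a verifier would log for a public key.
const fingerprint = (pub) => crypto.createHash('sha256')
  .update(pub.export({ type: 'spki', format: 'der' })).digest('hex').slice(0, 16);

// Hypothetical holder wallet: one published key everywhere, or one key per relying party.
class Wallet {
  constructor(pairwise) { this.pairwise = pairwise; this.keys = new Map(); }
  keyFor(verifierName) {
    const slot = this.pairwise ? verifierName : '*';
    if (!this.keys.has(slot)) this.keys.set(slot, crypto.generateKeyPairSync('ed25519'));
    return this.keys.get(slot);
  }
  // Signing for a verifier necessarily reveals the public key used.
  transact(verifierName, message) {
    const { publicKey, privateKey } = this.keyFor(verifierName);
    const sig = crypto.sign(null, Buffer.from(message), privateKey);
    return { id: fingerprint(publicKey), publicKey, message, sig };
  }
}

// Each verifier checks the signature and logs the identifier it saw.
function record(log, tx) {
  if (!crypto.verify(null, Buffer.from(tx.message), tx.publicKey, tx.sig)) {
    throw new Error('bad signature');
  }
  log.push({ id: tx.id, message: tx.message });
}

// Identifiers that appear in both logs: the join key for anyone holding both.
function linkedIds(logA, logB) {
  const seen = new Set(logA.map((e) => e.id));
  return [...new Set(logB.map((e) => e.id).filter((id) => seen.has(id)))];
}

function run(pairwise) {
  const wallet = new Wallet(pairwise), shop = [], clinic = [];
  record(shop, wallet.transact('shop.example', 'order 1 (constructed)'));
  record(shop, wallet.transact('shop.example', 'order 2 (constructed)'));
  record(clinic, wallet.transact('clinic.example', 'appointment (constructed)'));
  return { crossSite: linkedIds(shop, clinic).length, shopIds: new Set(shop.map((e) => e.id)).size };
}

console.log('stable key:', run(false), 'pairwise keys:', run(true));
```

Pairwise keys remove only this one join key while keeping continuity inside each relationship; any other stable value in what is presented (a holder key that an issuer signed into a credential, for example) remains a correlator.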
To that end, I'm generally happy to support the hype, and hope this stuff gets more attention from the web3 lot.
It's really hard for anyone unfamiliar to the area to not read that in your article. To take three quotes out of the whole narrative: "But web5 takes it to the next level", "it's possible to keep the good parts of web3 while improving on its privacy properties (...) thats what web5 is all about", "In web5 (...) This is a radical departure from both web2 and web3".
I get that you wanted some nice story for your blogpost, but it's just not grounded in reality, and you're supporting the wrong actors here if you really want to claim that 'web5' is about privacy.
> I'm generally happy to support the hype
Happy to support privacy destroying technology by adopting their buzzwords while plenty of people – which you even reference at the end – do keep ethics in mind. Alrighty then.