Challenges in open, self-sovereign identity
E148 | Sun 16 Jul 10:30 a.m.–11:30 a.m.
Presented by
Tom Marble
@tmarble
https://tmarble.info9.net
Tom Marble is best known for being the first "OpenJDK Ambassador" on
the Sun Microsystems core team that open sourced the Java programming
language. He continues to apply his community experiences in open
source projects and his interest in intellectual property by
co-organizing the legal and policy issues track at Europe's largest
open source conference, FOSDEM, as well as being a member of the
Software Freedom Conservancy's Evaluation Committee.
Marble is the founder of Informatique, Inc., a consultancy which leverages
his hardware, software and legal engineering background for client
projects as diverse as Enterprise IoT services, coaching Dojo
immersive learning experiences, automated mobile/web testing,
autonomous cyber defense, AI prompt engineering, and open source
business strategy.
Abstract
The promise of the Internet was a federation of cooperative services and users around open protocols. Ironically, most of the essential services we use today -- including authenticating identity -- rely on large, proprietary, centralized services.
Users ought to be able to share messages and files securely with one another without relying on a third party such as Google or Facebook. Ideally we ought to be able to securely authenticate with service providers anonymously in order to truly prevent becoming the product of surveillance capitalism.
The traditional X.509 Public Key Infrastructure (PKI) has demonstrated weaknesses due to centralization. Mitigations such as Certificate Transparency only partially address these weaknesses.
The Web of trust based on Pretty Good Privacy (PGP) in theory offers a truly decentralized identity solution. However, in practice, broad success of PGP in identity has been stymied by overwhelming complexity, excruciatingly poor user experience design, and difficulty in integrating the required software with popular email providers.
There is promising W3C standards work in the areas of Decentralized Identifiers (DIDs) and Verifiable Credentials, yet implementations often depend on proof-of-work based crypto or token exchanges with asymmetric ownership and control. What's more, DID resolution (anchoring in a non-repudiation framework) is often either closed or left as an exercise for the reader.
The purpose of this talk is to highlight the challenges in open source identity and brainstorm approaches which leverage the best parts of the Web of trust and the W3C standards work while preserving the values the FOSS community holds dear.
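As an added illustration of the DID resolution step the abstract says is so often left as an exercise (this is example code written for this page, not material from the talk or from any W3C project), the following resolver handles the did:key method, which needs no ledger, proof-of-work or token: the public key is embedded in the identifier itself as a multibase/multicodec string, so resolution is a pure offline decode. The DID document shape follows the did:key draft (Ed25519VerificationKey2020 with publicKeyMultibase); the 32-byte sample key is constructed for the demo and is not a real key, and the code validates the multibase prefix, multicodec code and key length before trusting the input, since a resolver is fed attacker-controlled strings. Signature verification over the extracted key is deliberately out of scope (it would need an Ed25519 library); only stdlib is used.

```python
"""Offline resolver for did:key identifiers (Ed25519 only), standard library only.
Added example for this page; not the talk's or any project's own code."""

# Bitcoin/IPFS base58 alphabet; multibase prefix 'z' means base58btc.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_PUB_CODEC = 0xED   # multicodec code for ed25519-pub (varint-encoded as ed 01)
ED25519_KEY_LEN = 32


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58_ALPHABET[r] + digits
    # Each leading 0x00 byte is represented by a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def varint_encode(n: int) -> bytes:
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        if n:
            out.append(low | 0x80)
        else:
            out.append(low)
            return bytes(out)


def varint_decode(data: bytes) -> tuple[int, bytes]:
    """Return (value, remaining bytes); rejects truncated or oversized varints."""
    value, shift = 0, 0
    for i, byte in enumerate(data):
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, data[i + 1:]
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")
    raise ValueError("truncated varint")


def did_key_from_ed25519(public_key: bytes) -> str:
    """Build a did:key from a raw Ed25519 public key (spec: these start with z6Mk)."""
    if len(public_key) != ED25519_KEY_LEN:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return "did:key:z" + b58encode(varint_encode(ED25519_PUB_CODEC) + public_key)


def ed25519_key_from_did(did: str) -> bytes:
    """Extract and validate the raw public key; every failure is a ValueError."""
    prefix = "did:key:"
    if not did.startswith(prefix):
        raise ValueError("not a did:key identifier")
    multibase = did[len(prefix):]
    if not multibase.startswith("z"):
        raise ValueError("only base58btc multibase ('z') is supported")
    codec, key = varint_decode(b58decode(multibase[1:]))
    if codec != ED25519_PUB_CODEC:
        raise ValueError(f"unsupported multicodec 0x{codec:x}")
    if len(key) != ED25519_KEY_LEN:
        raise ValueError("malformed key length")
    return key


def resolve_did_key(did: str) -> dict:
    """Resolve a did:key DID to a DID document with no network or ledger access."""
    ed25519_key_from_did(did)   # validates the identifier before we emit anything
    multibase = did[len("did:key:"):]
    vm_id = f"{did}#{multibase}"
    return {
        "@context": [
            "https://www.w3.org/ns/did/v1",
            "https://w3id.org/security/suites/ed25519-2020/v1",
        ],
        "id": did,
        "verificationMethod": [{
            "id": vm_id,
            "type": "Ed25519VerificationKey2020",
            "controller": did,
            "publicKeyMultibase": multibase,
        }],
        "authentication": [vm_id],
        "assertionMethod": [vm_id],
    }


if __name__ == "__main__":
    # Constructed 32-byte value standing in for an Ed25519 public key (not a real key).
    sample_key = bytes(range(32))
    did = did_key_from_ed25519(sample_key)
    print(did)
    print(resolve_did_key(did)["verificationMethod"][0]["id"])
```

The trade-off this makes visible is the one the abstract points at: did:key gives fully open, third-party-free resolution, but because the key is the identifier there is no rotation or revocation, so the non-repudiation anchor the abstract asks for has to come from somewhere else (a key-signing or web-of-trust layer, or a different DID method).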