Requirements for an independent Decentralized Identification System (DIS)


Arnaud Faisan

Dec 19, 2013, 1:02:01 PM
to ope...@googlegroups.com
Hello

A previous thread (https://groups.google.com/d/topic/openudc/zxkbpwZYtgQ/discussion) has shown that the goal of using OpenPGP within OpenUDC is to provide a Decentralized Identification System. A Decentralized Identification System (DIS) may be of interest for many different usages (not only money-related projects) so I propose to start building one or at least thinking about it.

The context of this idea being OpenUDC, the DIS should serve it and provide all necessary features but without being dependent on OpenUDC. The only dependency should be from OpenUDC to the DIS (if the DIS fits the OpenUDC needs of course) but there should be no dependency from the DIS to OpenUDC as the DIS could serve other purposes and should not be limited to OpenUDC usage.

So, the goal of this thread is to gather the requirements for an independent Decentralized Identification System from OpenUDC perspective. In other words, what features does OpenUDC need?

Example of an obvious feature: a means to answer if a particular person is alive, dead, nonexistent (some people always try to cheat), ...


Matthieu Vergne

Dec 19, 2013, 1:51:33 PM
to OpenUDC

2013/12/19 Arnaud Faisan <arnaud...@gmail.com>

> The context of this idea being OpenUDC, the DIS should serve it and provide all necessary features but without being dependent on OpenUDC.

So it should be general enough to include OpenUDC needs (among others).

> So, the goal of this thread is to gather the requirements for an independent Decentralized Identification System from OpenUDC perspective. In other words, what features does OpenUDC need?

So let's provide some!

For a distributed system, it seems to me mandatory to consider that the only valuable node to trust is the local (personal) one. We never know if another (remote) node is one we know, or if it has been cracked, and so on. Of course, it is the assumption that our own node is clean (at least to some extent), but it seems to me the only perspective fitting for a fully distributed system (if you rely on other nodes to certify, then it is at least partially centralised). Now, the local evaluation can be done considering remote nodes and their properties, but this has to be decided by the owner of the local node, not by other nodes. In the same way that I decide to trust this guy because a good friend of mine trusts him (I do not trust because he tells me to do so, but because I consider that his trust is enough to do the same).

Thus, any DIS should be, in my mind, able to build a "trust index" (I will come back to it later) by using a chosen policy applied to the local node. This policy can use the information of the local node and available remote nodes, but this is a policy decided and computed at the local level and the needed information must be requested to compute it. The identification policy can be of any complexity (a remote node could refuse to provide some information, implying to have some alternatives, or it could be composed of existing, simpler policies, and so on) and, thus, should not be limited to specific ones (some can be provided, but it should not be limited to these ones).

Regarding the index of trust, probably the term is not adequate, but I did not want to speak about a simple boolean (true/false) property, because the trust is built progressively, so we need to be able to manage a level of "lack of decision" (included third rather than excluded third) which forbids the limitation to a simple boolean value. In the same way, I do not want to speak about a level of trust, because the notion of level implies to have an ordered set of values (e.g. trust between 0 for not at all and 5 for surely), but having a level of 3 because not enough information has been provided is not the same as having a level of 3 because some information was wrong, so the notion of level is not explicit enough to evaluate the kind of trust. Moreover, a level implies to choose a threshold to be able to say, at last, whether we trust or not. Due to this last reason, I think a 3-level "trusted - undecided - untrusted" seems a good one, because as long as we are in the middle, more information can be gathered by the policy or at last the choice can be given to the user explicitly. In both other cases, the decision is straightforward. The policy by itself can use the notion of levels or any other thing internally, but the one displayed seems to me the best with these 3 levels. Otherwise, maybe simply using trust dimensions, such as "regarding the hash, the node is trusted + regarding the name, the node is undecided" -> looking at the name we see it is another writing of the same name so we decide it is OK, or simply we do not care because we consider that the hash is enough. Well, a lot of discussion for this "trust" thing in perspective. The opinion of someone used to work with that could be of interest (or some formalised models).
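
An added example (not from the thread or from OpenUDC) of the locally evaluated, three-state trust policy with per-dimension verdicts described in the message above. The function names, record fields and sample data are assumptions, as is the rule that one contradicting remote answer makes a dimension untrusted.

```python
from enum import Enum
import unicodedata

class Trust(Enum):
    TRUSTED = "trusted"
    UNDECIDED = "undecided"
    UNTRUSTED = "untrusted"

def exact(local, remote):
    """Dimension that must match exactly (e.g. a key hash)."""
    return Trust.TRUSTED if local == remote else Trust.UNTRUSTED

def _fold(name):
    # Drop accents, case and extra spaces: "Zoë  Martin" -> "zoe martin".
    decomposed = unicodedata.normalize("NFKD", name)
    bare = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(bare.casefold().split())

def name_like(local, remote):
    """Another writing of the same name stays undecided, not rejected."""
    if local == remote:
        return Trust.TRUSTED
    return Trust.UNDECIDED if _fold(local) == _fold(remote) else Trust.UNTRUSTED

def evaluate(local, remotes, checks, required, user_choices=None):
    """Apply a policy chosen by the owner of the local node.
    remotes: one dict per remote node; an absent field means the node
    refused to answer or does not know. required: the dimensions that
    decide the overall verdict. user_choices: explicit owner decisions,
    applied only to dimensions the policy left undecided.
    Returns (overall, per_dimension).
    """
    per_dim = {}
    for field, check in checks.items():
        seen = [r[field] for r in remotes if field in r]
        if field not in local or not seen:
            per_dim[field] = Trust.UNDECIDED      # not enough information
            continue
        verdicts = {check(local[field], value) for value in seen}
        if Trust.UNTRUSTED in verdicts:
            per_dim[field] = Trust.UNTRUSTED      # some information was wrong
        elif verdicts == {Trust.TRUSTED}:
            per_dim[field] = Trust.TRUSTED
        else:
            per_dim[field] = Trust.UNDECIDED
    for field, choice in (user_choices or {}).items():
        if per_dim.get(field) is Trust.UNDECIDED:
            per_dim[field] = choice
    needed = [per_dim.get(f, Trust.UNDECIDED) for f in required]
    if Trust.UNTRUSTED in needed:
        return Trust.UNTRUSTED, per_dim
    if all(v is Trust.TRUSTED for v in needed):
        return Trust.TRUSTED, per_dim
    return Trust.UNDECIDED, per_dim

# Constructed sample data (assumed fields, not from the thread).
LOCAL = {"hash": "ab12cd34", "name": "Zoë Martin"}
REMOTES = [{"hash": "ab12cd34", "name": "zoe martin"}, {"hash": "ab12cd34"}]
CHECKS = {"hash": exact, "name": name_like}
```

Calling `evaluate(LOCAL, REMOTES, CHECKS, ["hash", "name"])` leaves the overall verdict undecided because of the name spelling, while `required=["hash"]` expresses the "hash is enough" choice and yields trusted.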


Cédric Moreau

Dec 19, 2013, 3:24:49 PM
to ope...@googlegroups.com
From what I read and remember according to OpenUDC system, it is required to:

- link a numeric identity to an individual, exclusive both in space and time
- know whether an individual is alive or not
- worldwide
- relying on individuals themselves (so not by any central authority)
- resilient (distributed? replicated?)

I know, there is not much you don't already have in mind. But it seems to me the core (OpenUDC real contributors may confirm).

I won't go any further in technical details, it seems you and Matthieu already have ideas.
Hope this will help.


2013/12/19 Matthieu Vergne <matthie...@gmail.com>

--
OpenUDC aims to provide a open standard for Universal Dividend Crypto-Currencies.
 
homepage: http://openudc.org --- git's home: https://github.com/Open-UDC/open-udc.git --- Multi User Chat: open...@muc.jappix.com.
---
You received this message because you are subscribed to the Google Groups "OpenUDC" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openudc+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Matthieu Vergne

Dec 19, 2013, 4:18:27 PM
to OpenUDC
My interpretation:

2013/12/19 Cédric Moreau <cem.m...@gmail.com>

> From what I read and remember according to OpenUDC system, it is required to:
>
> - link a numeric identity to an individual, exclusive both in space and time

exclusive in space: 1 ID = 1 individual
exclusive in time: no reuse of any ID even when the individual is dead

With that, we need an ID able to adapt in size, because an ID with a fixed size implies a limited number of individuals to represent, while here, these two conditions imply to be able to manage an infinite number of individuals.

> - know whether an individual is alive or not

I am not sure this is the purpose of the identification. Be able to recognise if we speak about this person or not, but not to know if this person is alive or not. We go out of the simple identification process if we consider the living state.

> - worldwide

Linked to the ability to represent an infinite number of individuals (scalability issue).

> - relying on individuals themselves (so not by any central authority)

This is the purpose of a distributed system for me.

> - resilient (distributed? replicated?)

This one I do not get it. You mean which allows the owner of the ID to customize his ID?

Cédric Moreau

Dec 19, 2013, 4:42:32 PM
to ope...@googlegroups.com

>> - know whether an individual is alive or not
>
> I am not sure this is the purpose of the identification. Be able to recognise if we speak about this person or not, but not to know if this person is alive or not. We go out of the simple identification process if we consider the living state.

This is a required feature for OpenUDC, and Arnaud aims at developing something at least OpenUDC if I understood well.

>> - resilient (distributed? replicated?)
>
> This one I do not get it. You mean which allows the owner of the ID to customize his ID?

I wrote it too shortly. I meant: DIS should be a resilient system, i.e. not controlled by a central authority nor a central server.
This was probably implicit in your mind, however.

Matthieu Vergne

Dec 19, 2013, 4:51:46 PM
to OpenUDC
More redundant than implicit, considering the previous points.

For the living property, this is not the point of an identification system. And this is not because OpenUDC needs it that it should be considered in the identification process. Otherwise you could say that the monetary perspective is also needed for OpenUDC and so it should be considered... obviously it makes no sense. The point is not to redo OpenUDC, but to identify what is the part for identification and abstract it from OpenUDC. This means that OpenUDC should be able to exploit it to redo the same, but it should be clear which feature should be considered as part of the identification system and which should not. From my point of view, first I identify someone, then I check this someone is alive. These are 2 different things: I can identify someone who is dead also, but in his identification I do not care a second whether he is alive or not. So it should not be delegated to the identification process. Checking someone is alive is a "living check" process, not an identification process. At least for me.

2013/12/19 Cédric Moreau <cem.m...@gmail.com>

Arnaud Faisan

Dec 19, 2013, 5:08:08 PM
to ope...@googlegroups.com

This is very interesting and we should add your ideas to a specific thread/forum dedicated to the implementation details of our DIS. Here, I meant high-level requirements in a top-down approach to build a DIS.

Matthieu Vergne

Dec 19, 2013, 5:37:18 PM
to OpenUDC
If you want to have reliable requirements, you should consider a mix of top-down and bottom-up discussions. Considering high level specs is important to provide a global view which sets a consistent context, but if you miss the concrete ideas in which you can implement them, you can fail in making it useful (and remain with a philosophical discussion). OpenUDC provides a good reference for bottom-up discussions which allow to validate the high level reqs, but it should not be the only one if you want to make it general enough. The database interpretation is also valuable, because IDs are important to retrieve entries and build indexes. The national ID card could be also of interest.

2013/12/19 Arnaud Faisan <arnaud...@gmail.com>

Arnaud Faisan

Dec 19, 2013, 5:48:08 PM
to ope...@googlegroups.com

To link a numeric identity to an individual, exclusive both in space and time. When you say time, is this requirement for eternity, in which case, as Matthieu mentioned, we might need to generate identifiers of bigger sizes over time? Or can we fix an arbitrary limit of 1 million years (for example) and always generate fixed-size identifiers?

For the living property, I think it has its place within the DIS. But we might have a different view of what would be an identification system. Here is mine today: I see a decentralized identification system as a decentralized alternative to centralized authorities that deliver national and international identification papers (passport, “Carte Nationale d'Identité” for French, …). What is your view of an identification system?

Arnaud Faisan

Matthieu Vergne

Dec 19, 2013, 6:22:07 PM
to OpenUDC
For me, the ability to make a mapping between someone (or more generally something) and an ID which represents it. Whether this thing exists or not (is living or not) using this ID always refers to this specific thing and not another. So if for instance you want to speak about this thing after it has disappeared, you can still use its ID to refer to it in a unique and reliable way. But the living property is out of this identification part for me, because it makes no sense to know if something exists when you ask "what is this ID representing?".


2013/12/19 Arnaud Faisan <arnaud...@gmail.com>

Arnaud Faisan

Dec 19, 2013, 6:55:50 PM
to ope...@googlegroups.com
On 20 December 2013 00:22, Matthieu Vergne <matthie...@gmail.com> wrote:
> For me, the ability to make a mapping between someone (or more generally
> something) and an ID which represents it. Whether this thing exists or not
> (is living or not) using this ID always refers to this specific thing and
> not another. So if for instance you want to speak about this thing after it
> has disappeared, you can still use its ID to refer to it in a unique and
> reliable way.

I totally agree.

> But the living property is out of this identification part for
> me, because it makes no sense to know if something exists when you ask "what
> is this ID representing?".


Why? The concept represented here is a human person, which has many
properties including hair color, favorite activities, sexual
preferences and life (or death)!
OpenUDC does not need to know hair color or sexual preferences but if
this data is available, it won't prevent OpenUDC from working. What OpenUDC
needs to know however, is if the person is still alive to know if the
person is allowed to receive a universal dividend.

Cédric Moreau

Dec 20, 2013, 3:28:45 AM
to ope...@googlegroups.com
Is it consistent to build an eternity compliant system? Difficult to say, but I would rather say no as we cannot imagine whether DIS would still be required in 10k years for example. Probably humanity will be completely different (if not non-existing), and would have a lot of time to build a better system if it is required. I would say a long-term system (say, 100k years, which already seems to me tremendous) is enough.

About living property, I did not say it was good or not, just that OpenUDC required it. I agree with Matthieu that it should not be a DIS core feature, rather another system potentially dealing with DIS. Looking at current centralized authorities, you have different papers: ID card, but also birth certificates, and death ones. Probably we should do the same, in decentralized way, with different decentralized systems.

OpenUDC already has some features for that: in a certificate, when signing an ID, you may add signature annotations such as @alive, @dead, @birth, etc, vouching for the annotation you add. It may inspire us.

2013/12/19 Arnaud Faisan <arnaud...@gmail.com>

Matthieu Vergne

Dec 20, 2013, 7:37:06 AM
to OpenUDC
I have a database-like perspective of the identification: to identify X, you can use information related to X, but it does not mean your system should depend on this information. As OpenUDC implements a core allowing to manage a monetary system, it does not care about specific stuff like anonymous donations and so on, stuff which can be implemented above OpenUDC, for me the living property is the same regarding an identification system: the system should not depend on it, but allow it to be implemented.


2013/12/20 Cédric Moreau <cem.m...@gmail.com>

Arnaud Faisan

Dec 20, 2013, 11:22:17 AM
to OpenUDC
Dead or alive, John Smith is still John Smith and the living property is not necessary to refer to John Smith. So, I agree that a DIS should not require that a living property is linked to an identity. However, I think the DIS should allow to indicate and/or ask, one way or another, if a person corresponding to a specified identity is living or not.
This feature does not necessarily have to be part of the core of the DIS but I think it should remain in the global DIS scope. Indeed, this is a feature which could be useful not only for OpenUDC.

Matthieu Vergne

Dec 20, 2013, 4:17:41 PM
to OpenUDC
As well as the hair color or the weight... This is an information among others which can be exploited, but I do not see the particular interest for such DIS to consider the living state compared to the other kind of information.


2013/12/20 Arnaud Faisan <arnaud...@gmail.com>

Arnaud Faisan

Jan 7, 2014, 3:52:11 PM
to OpenUDC
After some research, here are some interesting links:

First, a video conference from the last Chaos Communication Congress (30C3) : "Europe, the USA and the Identity Ecosystems" (http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5483-en-Europe_the_USA_and_Identity_Ecosystems_webm.webm).

A second very interesting document is "The Laws of Identity" by Kim Cameron. It is actually mentioned in the talk from the 30C3. I did not finish reading it but my first feeling is that the concept of "Digital Identity System" has been and is still widely discussed, it is a big thing. However, Kim Cameron working at Microsoft, I am not surprised not to see any mention of decentralization in his paper!

I also took a brief look at OpenID but I actually don't see any advantage for people using that system. It looks like a decentralized Big Brother system. I need to check but I don't think OpenID respects the Laws of Identity by Kim Cameron.

Matthieu Vergne

Jan 7, 2014, 8:59:26 PM
to OpenUDC
Anybody having the link should be able to comment on it, but I am the only one able to modify it. However, I do not know if everyone sees all the comments or only his/her own (this is the first time I try it). If you think it is not a good approach, do not hesitate to provide your own description, otherwise to comment on this one with some improvements or remarks. If later we have a dedicated space to work on it, we can put all this stuff there.

Cédric Moreau

Jan 8, 2014, 6:05:06 AM
to ope...@googlegroups.com
You or Arnaud should definitely create a dedicated diffusion list or something else to discuss about DIS.

I would like at least to follow your exchanges, why not participate in it (comments on a Google Doc is not really appropriate to me).

Hope you will do such thing and keep us in touch about it.

Arnaud Faisan

Jan 8, 2014, 12:45:54 PM
to OpenUDC
I may start a dedicated list but I will first have a look at the state of the art about Digital Identity Systems and Decentralized Digital Identity Systems. As my first research showed me, the Digital Identity Systems idea seems to be a big subject. Kim Cameron published his paper in 2005 so that makes quite some time. Some ready-to-use Decentralized Digital Identity Systems might already exist, which would make no sense to start a brand new forum about it.
However, I understand that this list is about OpenUDC. So I will stop the pure DIS discussion here. We can still communicate about it by email if you wish.





--
Arnaud Faisan