There are two ways to get trusted information:(1) verify a signed claim associated with an identity(2) present a secure (UMA) token to a resource server you trustAdrian
On Tuesday, November 1, 2016, Eve Maler <eve.maler@forgerock.com> wrote:I changed the subject line so as not to be misleading. Hopefully that starts a "new thread" in most everybody's email systems.I'm still not getting what about "blockchain the technology" helps any of this. Lots of information that is important to an individual -- e.g. credit information, as pointed out below -- must be third-party-asserted to be valuable. We can argue about whether this is/constitutes/contributes to "identity" information or not (in this case, it can be used to help "proof" a digital identity and so on). But the conventional wisdom seems to be hardening around the notions that:
- It's inefficient, inappropriate, and insecure to store such information by means of DLTs.
- It's quite often inefficient, inappropriate, and insecure to aggregate such information in a single place away from whoever is authoritative for it. See all the schemes -- federated identity and federated authorization both -- for getting this info fresh by means of attribute transfer and API calls and such. You have to tamper-proof college e-transcripts, income tax forms, identity attributes, etc. that have to pass through intermediary services if you can't arrange for them to be shared directly.
UMA at least tries to let an individual authorize access to data that is asserted by others about them. (That role at the technical level is called "resource owner" after OAuth, but as I always say, I never liked that phrase, property being a bundle of sticks... :-) )Eve Maler
ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
The ForgeRock Identity Summit is coming to Paris in November!On Tue, Nov 1, 2016 at 10:46 AM, Adrian Gropper <agropper@healthurl.com> wrote:I share Jim's perspective about incremental semantic standards and I'm seeing coherent identity standardization efforts at every level with: 1 - Authentication credentials corresponding to a decentralized identifier (DID), point to2 - Secure decentralized identity data objects (DDO), that point to3 - Identity Containers that issue (W3C) verifiable claims and (UMA) authorization tokens to use4 - on other resources with my personal data on the Web that are only partially under my control.Levels 1-3 can be self-sovereign without any federated IDPs.However, there is absolutely no mention of PDS in any of the forums. The term may be too vague and overloaded to be useful. I hope we can abandon it soon. Identity containers may not be a much better term but at least it allows for a personal authorization server as a component.Adrian
On Tuesday, November 1, 2016, James Hazard <james.g.hazard@gmail.com> wrote:Sorry, I missed the call, again. On the west coast for a bit.I agree with the direction of the conversation.The essence of a peer-based system is the PDS notion. Each participant has a first-class copy of the records that touch them.Those records must be in formats that have common semantics.Because the world is big and varied (and more top-down is dangerous), the semantics need to be extensible by the participants. The commonality of the semantics does not need to be system-wide, it only needs to be shared as far as the records they relate to. This makes it possible to do "standards" incrementally. (Open source software iterates from personal project to standard this way.)Blockchain permits each participant to have a first-class copy, but has major draw backs, particularly that every participant gets a copy of all the records (reason that Corda is not a blockchain) and blockchains have the rigidities of "shared state." (https://medium.com/@justmoon/the-subtle-tyranny-of-blockch )ain-91d98b8a3a65#.oupo603xl Ideally, each record would be only in the PDSs of the participants that the record directly touches.To run a "DRY" system, with very little need to have duplicate information about participants, the PDS must be available to respond to appropriate queries.The records in the PDS could come all via a single protocol, but they could instead come via a variety of protocols. The participants do need a way to prove records as against one another. There are a variety of ways to do this, and they don't need to depend on the protocol.From this perspective, the goal is PDSs with shared record semantics, unlimited extensibility, and a secure method of querying. Unlimited extensibility is what the "prototype inheritance" model of CommonAccord appears to enable.That in turn will create an ecosystem for codified legal, which is the goal of CommonAccord.On Tue, Nov 1, 2016 at 8:52 AM, Adrian Gropper <agropper@healthurl.com> wrote:You might find the FAQ useful.Adrian
On Tuesday, November 1, 2016, Eve Maler <eve.maler@forgerock.com> wrote:Adrian-- I'm sorry, it appears you already did send this link to the group! Thanks; action item completed.Eve Maler
ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
The ForgeRock Identity Summit is coming to Paris in November!On Tue, Aug 30, 2016 at 2:06 PM, Adrian Gropper <agropper@healthurl.com> wrote:We should also consider the place of protocols that support decentralization without neccessarily being either blockchain or smart contracts. For example, W3C Verifiable Claims https://w3c.github.io/webpayments-ig/VCTF/use-cases/ seems to solve a major privacy and centralization problem by enabling triple-blind interactions. Adrian
On Tuesday, August 30, 2016, Scott L. David <sldavid@uw.edu> wrote:Jeff - I heartily agree with all the points you raise.
Kind regards,
Scott
Scott L. David
Director of Policy
Center for Information Assurance and Cybersecurity
University of Washington - Applied Physics Laboratory
Principal Consulting Analyst
TechVision Research
w- 206-897-1466
m- 206-715-0859
Tw - @ScottLDavid
From: j stollman <stollman.j@gmail.com>
Sent: Tuesday, August 30, 2016 10:15:27 AM
To: Scott L. David
Cc: Eve Maler; dg-bsc@kantarainitiative.org
Subject: Re: [DG-BSC] Agenda for BSC telecon Tuesday, August 30 (shortly -- sorry for the late note!)Scott,
Excellent survey.
I would like to further emphasize one of the corollary points you raise: Perhaps we shouldn't be looking for a distributed organizational "structure" at all. Instead, we might consider what organizational "processes" would serve the interests involved, and then allow the organizational structure to reveal itself based on the observation and reification of the patterns that emerge from those processes.
In my observations people move rapidly from trying to describe a new solution to using their description to prescribe its use. Over two years of focus on blockchain technology, I have noticed that it is common for people to recognize that a particular instance of blockchain solves a particular problem and to then falsely conclude that the features of that instantiation are necessary to achieve the same end in other contexts. For example, we give a lot of lip service to the fact that popular blockchain instances use a distributed model in which the blockchain itself is replicated in numerous locations and the block verification process is also distributed among a large group of "miners." This has been followed by the conclusion that all blockchains are necessarily distributed for both data integrity and verification integrity. (In fact many people now refer to blockchain technology as "Distributed Ledger Technology" (DLT)). I suggest that this causes an unnecessary narrowing of our thinking by casting out other alternatives before they are even considered.
In the example, I would suggest that distributed data does provide higher levels of information assurance by removing a single point of failure that a nefarious hacker could modify. And this is likely true for any instantiation of a data structure -- whether or not it is a blockchain -- as long as the consensus mechanism for determining which data set is the correct one when discrepancies are found is robust. But, depending on the risk of such hacks, it may not be cost-effective to use this information assurance technique. As long as the underlying data structure uses blockchain encryption, I would still consider it a blockchain application.
I also agree that distributed miners afford some ability to reduce collusion in systems where there is an incentive to collude. But not all transaction systems have such an incentive. And I don't think that mining whether using proof of work or proof of stake is either cost-effective or necessary.
We all agree that standardization can create great benefits. But standardizing too early can stifle innovation or raise the cost of better solutions to the point of making them no longer viable.
In view of the many directions that our blockchain DG discussions continue to splinter off, I hope that this comment offers some value.
Jeff
--------------------------------- Jeff Stollman+1 202.683.8699
Truth never triumphs — its opponents just die out.Science advances one funeral at a time.Max Planck
On Tue, Aug 30, 2016 at 12:09 PM, Scott L. David <sldavid@uw.edu> wrote:
Hi folks - This wiki page provides a pretty nice overview of cooperatives.
https://en.wikipedia.org/wiki/
Cooperative
I am NOT suggesting that we confine ourselves to these historical structures, since they are all institutions configured to address various prior governance/organizational challenges, none of which will perfectly match current challenges in character and scope.
However, exploration of the co-op form (and similar structures developed under various legal and cultural regimes) can provide insight into at least prior forms of "organic" stakeholder-responsive governance that can potentially help to reveal governance techniques that might be borrowed for our current discussions and effort.
I am guessing (projecting) that organizational surveys might suggest that we consider separating the analysis of stakeholder involvement into at least three sub-categories of governance activity, along the lines to which Jeff S. was alluding in the call.
Specifically, we might benefit from separating out stakeholder involvement in the separate activities of 1. rule making, 2. system operation, and 3. enforcement, as helpful in mitigating the conflict-of-interest/power accumulation/etc. issues that are inherent in the centralized models (and their too-often-tempting-abuses of gatekeeping function). For example, in 2007 when NASD (National Association of Securities Dealers) converted to FINRA (FInancial Industry Regulatory Authority, Inc.) they formed separate subsidiaries to separate these three functions for the SRO (self-regulatory organization) responsible for broker dealer activities (at least for purposes of optics!). For current purposes, the important point is that they chose to separate the rule making, operation and enforcement purposes to at least reduce the appearances of conflict among the decision making in those separate spheres.
Of course, these 3 "system governance" elements are in addition to stakeholder role as system "users," which is not a "governance" role, per se. However, in co-op and similar forms participation as a "user" is a form of quasi-governance since the use of the system by a stakeholder reveals problems and value propositions that helps the stakeholders to set the agenda for further refinement of the system in the "1. rule making" role of stakeholders alluded to above.
The current global information network organizational structu
re that we are looking for does not yet have a name, but that novelty should not be discouraging. ALL forms of human organization (governance, language, belief systems, etc.) are responses to shared challenges, and all of them permit stakeholders (both institutional or individual) to do things (mitigate risks and enhance rewards) that they cannot do (or cannot do as well) unilaterally. Many of the shared challenges that are currently faced by individuals are unprecedented, requiring groups such as ours to search the history of human organization for clues as to what might be effective in this context.
One last thought (at least for now!). Perhaps we shouldn't be looking for a distributed organizational "structure" at all. Instead, we might consider what organizational "processes" would serve the interests involved, and then allow the organizational structure to reveal itself based on the observation and reification of the patterns that emerge from those processes (as "Lagrangian Coherent Structures" for you fluid mechanics geeks out there). Our first question might be "What are the sets of processes that MUST be standardized, normalized in order for the value propositions of block chain and/or smart contracts to be effective in mitigating risk and/or leveraging value?" After we catalog those processes, we might be in a position to assign that catalog a name.
An article "Self Regulation as Policy Process" by Porter and Ronit (2006) suggests that among hundreds of "self-regulatory" organizations, a familiar 5 stage pattern emerges for a governance feed-back loop among stakeholders (agenda setting-problem identification-decision-implem
entation-review). The emergence of this similar archetype pattern in myriad disparate settings may be suggesting that there is a natural feedback process through which separate elements of human organization can be joined together to create larger forms in "information" space, where decreased Shannon entropy (in whatever context or domain) is the ultimate test of fitness (based on the primacy of information risk and information leverage in current discussions).
This latter suggestion may be confirmed by considering how many current human institutions and organizations can be accurately described by reference to their information flows and processes, variously constrained by their intended application. Human organizations that demonstrate their usefulness "achieve" longevity (in fact human stakeholders have endowed governments, and corporations with "perpetual life," by mutual agreement, in an effort to project an external sovereignty toward these organizational forms that are relied upon to create a "solid" foundation of most (not all) human endeavor). However, all governments and corporations are collective hallucinations of the stakeholders that recognize, and depend upon, their presence.
But I digress. . .
Kind regards,
Scott
Scott L. David
Director of Policy
Center for Information Assurance and Cybersecurity
University of Washington - Applied Physics Laboratory
Principal Consulting Analyst
TechVision Research
w- 206-897-1466
m- 206-715-0859
Tw - @ScottLDavid
From: dg-bsc-bounces@kantarainitiative.org <dg-bsc-bounces@kantarainitiative.org > on behalf of Eve Maler <eve.maler@forgerock.com>
Sent: Tuesday, August 30, 2016 6:50 AM
To: dg-bsc@kantarainitiative.org
Subject: [DG-BSC] Agenda for BSC telecon Tuesday, August 30 (shortly -- sorry for the late note!)http://kantarainitiative.org/confluence/display/BSC/2016-08+ %28August+2016%29+Meetings#id- 2016-08(August2016)Meetings-Tu esday,August30
We meet Tuesdays for 30 minutes at 7:30am PT / 10:30am ET / 3:30pm UK / 4:30pm CET. We use Kantara Line A (US +1-805-309-2350, Skype +99051000000481, international options, web interface, more info, code 4022737) and http://join.me/findthomas
for screen sharing. See the DG calendar for our full meeting schedule. Previous meeting minutes are here: July. Agenda:
- Confirm timeline, scope, and approach, or revise in specific
- Assign action items for report next steps
Eve Maler
ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
ForgeRock Summits and UnSummits are coming to London and Paris!
_______________________________________________
DG-BSC mailing list
DG-BSC@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-bsc
--Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
_______________________________________________
DG-BSC mailing list
DG-BSC@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-bsc
--Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
_______________________________________________
DG-BSC mailing list
DG-BSC@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-bsc
--@commonaccord
--Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
--Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/