--- title: Critique and Caution regarding Self Sovereign Identity description: 'Is "acceptably non-dystopian" self-sovereign identity even possible?' excerpt: > It is evident that our ongoing discussions about identity, ethics, bias, privacy and consent revolve around a lot of noise (opinions) but little signal (alignment), but why? Recognising that in 30 years of digital identity, we still lack coherent and coordinated action to make it work for everyone is a reality. layout: single toc: true toc_sticky: false permalink: /self-sovereign-identity/critique-caution/ canonical_url: 'https://decentralized-id.com/self-sovereign-identity/critique-caution/' categories: ["About"] tags: ["Critique","Caution","Decentralized Identifiers","Verifiable Credentials"] last_modified_at: 2023-08-19 --- ## Main * [Thread: VCs need Threat Modeling](https://twitter.com/pamelarosiedee/status/1537233243086327812?s%3D20%26t%3DWWt14_H4AXgtn09xb5-yew) 2022-06-16 Pamela Dingle > Another pre-read recommendation for @identiverse: the @openid for Verifiable Credentials Whitepaper. * [Firstyear Replying to @Erstejahre @pamelarosiedee and 4 others](https://twitter.com/Erstejahre/status/1537615778106658816) > It also seems to lack any sections about threat modelling and possible risks, making it hard to trust since risks are not directly and clearly addressed. * [Torsten Lodderstedt Replying to @Erstejahre @pamelarosiedee and 3 others](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics) > I agree. We [threat] model while we are designing the protocol, we also need to add it to the spec. Please note: we build on existing work. There is an extensive thread model for OAuth and countermeasures that we built on ([datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics). Feel free to contribute. * [I reckon most cases of over-identification stem either from bad habits](https://twitter.com/Steve_Lockstep/status/1524073204805160960) 2022-03-10 SteveWilson > (e.g. RPs gathering circumstantial AuthN signals) or from Surveillance Capitalism. Either way, better deals for users will come from better design, not by weaponising Digital Identity (SSI, DIDs). * [Mozilla Formally Objects to DID Core](https://lists.w3.org/Archives/Public/public-credentials/2021Sep/0010.html) 2021-09-02 Drummond Reed, CCG Mailing List > here's the REAL irony. Mozilla and others are pointing to the URI spec and existing URI schemes as the precedent without recognizing that in [in section 9.11 of the DID spec](https://www.w3.org/TR/did-core/%23dids-as-enhanced-urns), we specifically compare the DID spec to the *URN spec*, [RFC 8141](https://datatracker.ietf.org/doc/html/rfc8141). In fact we deliberately patterned the [ABNF for DIDs](https://www.w3.org/TR/did-core/%23did-syntax)  after the ABNF for URNs—and patterned DID method names after URN namespaces. And we set up a registry for the exactly the same way RFC 8141 establishes a [registry of URN namespaces](https://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml). > > Now: guess how many URN namespaces have been registered with IANA? [SEVENTY*. Count em.](https://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml) I don't see anyone complaining about interoperability of URN namespaces. Amd RFC 8141 was published over four years ago. * [Negative press related to DIDs and VCs](https://lists.w3.org/Archives/Public/public-did-wg/2021Jun/0032.html) 2021-06-29 Manu Sporny  > These are things that I would expect we would normally just ignore, but I've received a number of private emails over the tweet above from various decision making parties inside the EU requesting that we respond publicly to theses sorts of accusations. * [Chartering work has started for a Linked Data Signature Working Group @W3C](https://lists.w3.org/Archives/Public/semantic-web/2021May/0177.html) Harry Halpin > Hi, I'd like to point out that while there are no peer-reviewed publications on the (lack of) security of the so-called Verifiable Credential architecture and the problems with this kind of standardization of things like "Linked Data Proofs", In fact, published a peer-reviewed article explaining in detail how utterly broken the entire DID and Verified Credential architecture is, and how this is damaging the credibility of the W3C, and it was presented at Mozilla. * [Don’t use DIDs, DIDs, nor DIDs: Change My Mind (a.k.a. Oh no he DIDn’t)](https://dwhuseby.medium.com/dont-use-dids-58759823378c) - [Video](https://eu01web.zoom.us/rec/play/4_ZLV8uot0hFQgRZsoILvdnn879oGEmrXsPXsCcvf4GsDPjWLQAxKjrZFiF0AxQe_MYb1_oeQa9HsRY.8KTaTYyrhu2Q-kJ_?continueMode%3Dtrue) 2021-04-11 Dave Huseby > Joe came and fervently disagreed with my assertions. Lots of people had reasonable counter arguments. My main arguments are 1. DID Documents don't have history when old keys are always relevant and 2. having 94 different DID methods that aren't compatible nor replaceable and don't function the same way is a HUGE problem. The W3C has been hard at work for the last four years in endless political fights over the design of the standard for decentralized identity documents and their identifiers. * [Literature] [A Critique of Immunity Passports and W3C Decentralized Identifiers](https://arxiv.org/abs/2012.00136) 2020-11-30 Harry Halpin > Our analysis shows that this group of technical identity standards are based on under-specified and often non-standardized documents that have substantial security and privacy issues, due in part to the questionable use of blockchain technology. One concrete proposal for immunity passports is even susceptible to dictionary attacks. The use of 'cryptography theater' in efforts like immunity passports, where cryptography is used to allay the privacy concerns of users, should be discouraged in standardization. Deployment of these W3C standards for `self-sovereign identity' in use-cases like immunity passports could just as well lead to a dangerous form identity totalitarianism. * [Blockchain, Self-Sovereign Identity, and Selling Off Humanity](https://wrenchinthegears.com/2018/07/15/blockchain-self-sovereign-identity-and-selling-off-humanity/) 2018-07-15 Wrench in the Gears *I think this piece is full of inaccuracies - it is also put together by someone really trying to understand a whole bunch of different things that some how get merged into being “all that bad blockchain technology that deprives people of dignity and rights”* (Kaliya) > It’s time activists began to develop a working knowledge of Blockchain and self-sovereign digital identity, because these are the mechanisms that will drive the transition to IoT monitoring for the purposes of Pay for Success deal evaluation ## Sheldrake Vs SSI * [Human identity: the number one challenge in computer science](https://generative-identity.org/human-identity-the-number-one-challenge-in-computer-science/) 2022-07-14 Philip Sheldrake > I find that many people working on digital identity today understand their undertaking solely in this bureaucratic context, even if they deny it, and they appear to operate therefore under the illusion that this somehow describes and supports our selves, culture, and nature, or at least has the qualities to do so. * [dystopia of self-sovereign identity](https://www.philipsheldrake.com/2020/11/the-dystopia-of-self-sovereign-identity-ssi/#more-31058) 2020-11 Philip Sheldrake > A community is forming under the banner of generative identity. By generative I mean ‘participating as nature’. It denotes a capacity to produce unprompted change, growing not shrinking the possible; a capacity for leverage across a range of tasks, adaptability to a range of different tasks, ease of mastery, and accessibility * [Self Sovereign Identity Critique, Critique.](https://identitywoman.net/self-sovereigh-identity-critique-critique/) IdentityWoman > > if ever there’s a technological innovation for which ‘move fast and break things’ is not the best maxim, this is it. > > To think that some how this community who has been working very slowly and diligently for 15 years [...] is some how “moving fast” is preposterous. * [Self-Sovereign Identity Critique, Critique /2](https://identitywoman.net/self-sovereign-identity-critique-critique-2/) > It might be a surprise to you Philip but we have “an identity layer” that is used on the internet right now. It exists and billions use it every day (with standards we created out of the IIW community, Oauth and OpenIDConnect). The problem with it is [...] companies own the identifiers we anchor our digitial representations of ourselves * [Self-Sovereign Identity Critique, Critique /3](https://identitywoman.net/self-sovereign-identity-critique-critique-3/) > > When the SSI community refers to an ‘identity layer’, its subject is actually a set of algorithms and services designed to ensure the frictionless transmission of incorruptible messages between multiple parties. This involves some clever mathematics and neat code that will undoubtedly prove of some value in the world with appropriate tight constraints, and it will certainly impact the operation of various conceptualisations of identity, but this is not human identity per se, or the digitalization of human identity. Far from it, as we shall see. > > – THE DYSTOPIA OF SELF-SOVEREIGN IDENTITY (SSI) > > So again. When I say you don’t understand the technology. I am reading things like this and asking myself what is he referring to? * [Self-Sovereign Identity Critique, Critique /4](https://identitywoman.net/self-sovereign-identity-critique-critique-4/) > Philip’s essay has so many flaws that I have had to continue to pull it a part * [Self-Sovereign Identity Critique, Critique /5](https://identitywoman.net/self-sovereign-identity-critique-critique-5/) > before you go pulling out and “waving around” the book Code: And other Laws of Cyberspace and saying “Code is Law” as if his work was a reason to NOT do anything in relationship to digital identity on the internet. He himself proposed an architecture for a certificate based digital identity system for the whole internet. * [Self-Soverieng Identity Critique, Critique /6](https://identitywoman.net/self-soverieng-identity-critique-critique-6/) > What is the point of doing this – to show you are “smart” you aren’t the first guy to show up and say – stop the presses – I have figured out all of identity. “Pay attention to ME”. * [Self-Sovereign Identity Critique, Critique /7](https://identitywoman.net/self-sovereign-identity-critique-critique-7/) > We have now gotten to the Buckminster Fuller section of the document. * [The Generative Self Sovereign Internet](https://www.windley.com/archives/2020/12/the_generative_self-sovereign_internet.shtml) 2020-12 Phil Windley > Generativity is a function of a technology’s capacity for leverage across a range of tasks, adaptability to a range of different tasks, ease of mastery, and accessibility. * [Generative Identity](https://www.windley.com/archives/2021/01/generative_identity.shtml) 2021-01 Phil Windley > The Generative Self-Sovereign Internet explored the generative properties of the self-sovereign internet, a secure overlay network created by DID connections. [...] > > In this article, I explore the generativity of self-sovereign identity—specifically the exchange of verifiable credentials. One of the key features of the self-sovereign internet is that it is protocological—the messaging layer supports the implementation of protocol-mediated interchanges on top of it. This extensibility underpins its generativity. ## Caution * [Is "acceptably non-dystopian" self-sovereign identity even possible?](https://blog.mollywhite.net/is-acceptably-non-dystopian-self-sovereign-identity-even-possible/) 2022-06-10 Molly Wood ([Hacker News](https://news.ycombinator.com/item?id=31701601) > as more and more developers and companies and “blockchain visionaries” seek to eschew centralization and trust in the state and institutions, it seems that their definition of “acceptably” when they describe “acceptably non-dystopian” projects is very different from my own. * [Book] [Identity Cycle](https://iang.org/identity_cycle/) 2021-11-18 Ian Grigg > Identity Cycle is a book in four parts exploring the nature of identity and how it might or might not fit in a digital world > > Oddly, unlike most other innovations, the efforts to build flexible large scale identity systems into the digital domain have more or less flopped. More, in that they did not seem to protect and serve people, and less in that they have done something, even as their original promises were discarded. * [#Identity. Are we (the industry) the problem?](https://www.mydigitalfootprint.com/2021/08/identity-are-we-industry-problem.html) 2021-08 MyDigitalFootprint > It is evident that our ongoing discussions about identity, ethics, bias, privacy and consent revolve around a lot of noise (opinions) but little signal (alignment), but why?  Recognising that in 30 years of digital identity, we still lack coherent and coordinated action to make it work for everyone is a reality. * [An Examination of the Biases within Commercialized Identity](https://www.pingidentity.com/en/company/blog/posts/2021/biases-commercialized-identity.html) 2021-03-09 Hello User > “There is no discipline for software engineers when it comes to identity and privacy due to the pace at which they are expected to build, but this will likely change because of liabilities and regulation.” > > Takeaway #3: A potential side effect of the future of identity management could be a lack of anonymity. > > “This exposes that gray area around allowing free speech while maintaining the right to privacy, and who should have access to authentication and verification.” > > Takeaway #4: The technology exists to be able to create accountability models as it pertains to identity and to reduce misinformation. > > “The challenge is having uncomfortable conversations to address the issues surrounding diversity.”