I have always felt identity, including online such as domain names, should be decentralized — it’s too much power for a central authority to dictate who gets (and doesn’t get) a name. Further, it’s too easy for people to impersonate others online. It even happened at reddit where the CEO masqueraded as users by modifying their comments [1].
Handshake [2] is a great project that helps decentralize online identity. Not only is naming distribution in the hands of the people with Handshake which ends the deplatforming/censorship debacle the world has been facing recently, but also, anything a name does can be verified with signatures verifiable against the blockchain.
I see that they've updated their website since I last looked at it. They still use some abstract art and meaningless pictures of nature to explain their concepts, but at least the description makes sense now.
Sadly the system cannot be used easily for any applications storing personal information since your identity is tied to a blockchain and the GDPR requires companies to make information deletable.
The reliance on abstract art for trying to make their points come across are still to vague for me to give the project a try, but who knows, maybe in another year or two the project and its concepts will actually be understandable enough for me to give it a shot.
Urbit does seem to have an over abundance of weird jargon and glyphs that reinvent existing technologies, it just reeks of techno-alchemy.
As to your second point, I'm curious if any decentralized system will ever allow for full deletion of information once it has been replicated by another client. Any gossip protocol, or decentralized CRDT document system has to take into account that a client will go offline and retain information once it has been released into the wild. Whether or not a request to "delete" or hide that information is followed through with is almost impossible to regulate. It's perhaps more important to realize that what we publish, may always exist out there.
That being said, clients could randomly ask for "tombstoned" information to verify that other clients comply to a delete request, but it will likely always exist somewhere.
I 100% agree with you, but generally I find "in before..." comments to be unhelpful at best and harmful to the discussion at worst. In the latter case, it's typically because it's not only attacking on a straw man, it's actually announcing, "Hey, I'm creating a straw man!" at the beginning of the comment.
If you do want to head off the crypto founders before they show up, perhaps you could write a comment along the lines of, "In case anyone is wondering, here are the reasons cryptocurrency/identity makes no sense when solving this problem..."
"I predict from prior experience that a bunch of cryptocurrency identity bagholders from 2017 will show up to shill their useless project not realizing it will never catch on and that product's adoption will never buoy their bags even if it did catch on"
There's the "European" ID4Me project (https://id4me.org/), which tries to add federation on top of OpenID Connect / OAuth2. The idea is to give users globally valid IDs that contain a domain name. Using a TXT record on that domain you then specify which OpenID auth provider a service should use to authenticate the user. If you have your own domain this enables you to switch ID providers without having to update your accounts.
In general I like the idea but since it's a EU-style project I don't expect it to go anywhere to be honest. And personally I don't think the benefit over e-mail based authentication is marginal. That said there are some extensions in OpenID Connect that can achieve something similar, and that (IMHO) are more likely to actually get widely adopted.
What does federation bring here? Aren't OpenID identities already collision free?
I'd love to have SSO under my own control, and while it was theoretically possible with OpenID 2 things have gone backwards with OIDC with everyone supporting it but restricting login to just the big names (Google, Facebook, Apple).
I put together a simple stateless OID2/OIDC identity provider: https://gitlab.com/rendaw/oidle but I have yet to find a website I can actually use it on. I still have hope though.
I had a classic OpenID server and every website I use to authentication against using it has gotten rid of OpenID support. Stackoverflow was the big one. I haven't tried OpenID Connect yet.
By the way I wanted to say I read that blog post a bunch of times while trying to put together that software! OpenStreetMap and GnuSocial may really be everything on the internet now.
I'd almost sign up for a website at this point just to get a chance to use my OID provider...
New Zealand had a program called Real Me. It's based on a completely and totally broken SAML2 implementation, that only gives you back a single token, and then you have to query another web service to get more information. Oh and years ago when we had to implement a product using it, their Identity Providers would give us different responses randomly ... and it once went down for two weeks straight.
Feels like you'd have to lean significantly away from anonymisation to want to leave public proofs of cross account identities lying around. Maybe that's a more common use case for businesses and high profile people though than wanting to link, say, a pseudo-anonymous forum account with a payment account.
I think one of the great parts of the internet is that it promotes this identity decentralisation (or, as i have always thought about it, identity fragmentation). You are allowed to isolate online identity from the rest of your life, or from separate online accounts/personae.
Which is why I am confused as to why the author spent so much time worrying about verifying identity. To me, that feels like it's completely missing the point of fragmenting your online experience. Is the author simply concerned with the amount of power associated with their google login?
If anything, my bet is the future of identity is more centralized.
Decentralized solutions, as I've read about them in their current form, require a significant amount of technical knowledge to understand. That is, to understand both what they are and, more importantly, their benefits ("why does this specific solution matter to me?"). Past that, the user experience is extremely poor in comparison to clicking "log in with Google", and I'm not convinced it can ever fully get there.
It is for those reasons that I think centralized identity is here to stay long term. Most people aren't going to spend the time to learn about this because they just want the easiest solution and don't care about their data being sold. I know several people in tech that fully understand the extent of how their data is used by internet corps, and don't mind it because they prefer convenience for free. And I think that's OK--it's their informed choice.
Personally, I try to login with email most of the time, and that's the limit of my drive to care about the security of my personal data. But my email is gmail, so I doubt it really makes a difference from login with Google.
Yes, but that requires an economic model. UX is often well over 90% of the work for a product and usually includes a ton of work that is not much fun and people have to be paid to do.
Centralized has subscriptions, advertising, and "surveillance capitalism." Decentralized has nothing. I had some hope that cryptocurrency would provide some kind of mechanism, but cryptocurrency was taken over and destroyed by scammers and bad money drives out good.
The lack of an economic model is IMHO why decentralized solutions have not succeeded, not technical challenges.
One possibility would be to abandon the free as in beer part of open source ideology and go back to just charging for software, but licensing and payment add friction and it's very hard to compete with "free" options funded surreptitiously via surveillance.
BTW the fact that cryptocurrency was destroyed by scammers and criminals highlights a second huge issue: it seems to take the efficiency, executive ability, coordination, and direct human guidance of a centralized system to resist bad actors. This is why even the most democratic countries have mechanisms to phase shift into dictatorships during emergency or war. I have yet to see a decentralized system that became popular and was not instantly destroyed by black hats.
The model intentionally guards against data harvesting. I think that is great but unless users are willing to pay for that the existing "free but we collect data to manipulate you" will receive more capital.
The UX isn't the most looming problem, but it's one that needs to be solved. My question is: How in the world would you convince people to use keys to verify their accounts to one unique, anonymous, identity, as the OP suggests? I just don't see it being something people would spend the time to do. Not to mention, getting to a "Login with Google" level of UX, available as universally as "Login with Google", would be extremely hard without a centralized authority.
The bigger problem is convincing people that it's worth switching. Apple is the closest to doing this with "sign in with Apple". "Sign in with Apple" hides your identity from the client site, the value prop is clear for the user, and the process as close to frictionless as possible. But the solution is still "centralized". Apple stores all of the information to make the system as frictionless as it is.
It's more about a fundamental design trade-off rather than removing accidental complexity coming from UX. Currently, most of us delegate the responsibility of identity management (other than memorizing id and password) to one of big-techs, presumably much better at this area than 99% of us. In the fully decentralized world, the burden of proof is now up to users. And they usually don't really care about the best practice for security, privacy and reliability. Technology may improve over time so the equation will get better, but I don't expect this dynamic to change that much.
On the other hand, however, the outcomes of a breach are vastly different. An individual who fails to secure their information is liable for only their information. If a "big-tech" is compromised, they are liable for everyone's information.
If users are still unwilling to run their own infra, then that seems like a great opportunity for Identity as a Service. I'd feel much more comfortable handing identity to a firm whose entire business model revolves around securing my information and protecting my privacy rather than a big-tech.
"I'd feel much more comfortable handing identity to a firm whose entire business model revolves around securing my information and protecting my privacy rather than a big-tech." - in order for that company to be rock solid, trusted by most of the world and with a proven track record of top notch security, would mean that the said company is a big-tech.
I would call okta, auth0 and iWelcome big-tech already, even if they're not FAANG-level big tech yet.
This is a great point that I hadn't thought of. Well said.
I'd rather, as a company, risk managing all of my users' identities (vulnerability to a data breach, mitigated by a well-trained security team) than trust my users to manage their own security well and inevitably deal with a mass amount of compromised accounts.
As a user, especially if I'm not technical, I'd have a strong bias towards handing my identity to a team that's spent years studying computer security. Managing my own identity would involve learning a lot about computer security. That would take a lot of time and I'd really have to care about it to do it "right". Regardless, I'd likely get a lot of things wrong, leading to my identity being more insecure than if I had just stored it with someone like Apple.
Yes, exactly. Attempts to register with an email that's already used will fail, and so adversaries check whatever sites interest them.
However, I believe that would fail for those using Google or Facebook authentication. But I can't test that, given that I don't have an account with either.
In the US, everyone uses credit cards (centralized identity) to pay for stuff.
In Mexico, credit cards are stolen and reamed for all they're worth by criminals. As a result, everyone uses cash (decentralized, anonymous, difficult to use). Everyone could move to decentralized in the face of significant pressure, even if centralized identity is more convenient.
All central authorities are built on trust, fear, or complacency. Americans are complacent with the credit card system and trust it for the most part. The Experian breach has shown that breaches of trust are easily overlooked in favor of complacency, at least to a point.
Considering how Americans view other Americans (I hear "stupid" thrown around a lot), I strongly doubt that a decentralized authority would ever gain enough trust in the US to take hold today without a strong historical precedent.
For what it's worth, cash is still centralized. It's made "legitimate" by the power of the central government, and is managed & controlled by that authority. Given, it is somewhat "decentralized" because the value of fiat money comes from the people's agreement that the currency has value. On the other hand, the US dollar's global hegemony exists in large part because of global US Military presence, which is absolutely a "central authority".
It's unfair to say we still use credit because we are complacent. If you stop caring about building a credit score, you will end up paying more money in things like mortgages or car loans. There is a financial incentive to use credit cards (if you don't miss payments) despite the breach of trust.
I didn't say it's just complacency that keeps the credit system going. Low friction purchasing (complacency) absolutely plays a strong role. Trust is important, too (but is less strong than complacency) because the system wouldn't be used at all without it, and, to your point, fear absolutely plays a role as well.
> The Experian breach has shown that breaches of trust are easily overlooked in favor of complacency, at least to a point.
I disagree that it matters for trust in CC's. It may have damaged experians reputation, but people still trust amex/MasterCard/visa and their banks, despite Experian being useless. The fact that Experian is required to access those systems is unfortunate, but most people don't deal with Experian directly.
I think people's day-to-day trust in banks is well placed, for what it's worth. I banked with a large bank that fell in 2008, and had less than 10,000 in my bank. My money wasn't affected, I just had to find a new provider.
I've had multiple incidents of fraudulent transactions on debit and credit cards over the last 15 years, and in _every_ instancr, my card provider has sided with me and refunded me the money immediately (even in the one case I was actually wrong and it was a billing mistake). Those amounts we're almost always in the few hundreds.
Considering that the data breach was actually at a completely different company than the one this thread named leads me to believe that the reputation damage is not as significant as you suggest.
As I used to work in a high-crime area, I placed fairly low daily and weekly limits on how much I can spend. I have to warn the bank at least 1 day before if I want to spend more. So chip+pin allows for mitigations where cash doesn't
All people still somewhat understand is federated identity, and that's becoming less prevalent.
Though a weird set of coincidences I often get support tickets about people using or enrolling in TOTP escalated to me. These people have never used an authenticator, except for the company-mandated Microsoft authenticator. Not only do they simplify the concept thinking there's just one code for everything (e.g. microsoft token are used for AWS, don't worry these people only have access to some S3 stuff) they also extrapolate that because Microsoft sends them a push notifications, AWS must too, and they didn't get one, so it's obviously broken.
Email is slowly losing this awareness too. The only remaining analogy that's probably not going away is getting your credit card from a bank while they still work on the same network.
When you visit a website that works with it, to login, you just grant the webpage access to one of your profiles. (I just use one profile for everything, but you may wish to keep some things separate). Then any activity you do can be associated with that profile. No passwords or keys or even email addresses to remember.
As much as I'd like to see a decentralized solution, I agree with you. I just spent 30 minutes helping my mom (age 60) and brother (36) set up a microsoft family account so they can dictate and monitor my nephews computer usage because [nephews] are addicts.
I didn't even know Microsoft family was a thing, but setting it up and configuring it (from my perspective), was intuitive and simple. My mother and brother however struggled to follow along, an are stressed that they won't be able to manage it.
Most users (even my spouse who is in her late 20's) readily fall into this category. My point is that if configuration requires any troubleshooting it won't reach mass adoption unless it addresses a perceived necessity without an alternative approach.
I dunno, I think the UX for decentralized identity could be made pretty good. The GNUnet project has one that runs locally but exposes itself with an OIDC interface: https://reclaim.gnunet.org/
It's still pretty early, but imagine a more polished version of that with a user-friendly installer. If you had the software installed and running, it'd behave pretty similarly to e.g. Google's OIDC provider. Linux distros could even preinstall it. (I have no hope that MS/Apple/Google would do the same since they all have their own centralized providers.)
That's so so many steps and requires knowledge of so many things. It has the big two fundamental problems, and a major third one:
* Its value prop is poorly explained. As an engineer with a CS degree, I still barely understand what it's talking about (what's an "identity attribute"??) without some digging.
* Even if the value prop was well-explained, it's still very high friction compared to "Sign in with <Service I Already Use>". Why would a user download an installer and deal with managing all of their accounts? There's a secure, anonymous, easy, centralized option that does it all for you (Sign in with Apple). That service does it so well that you only have to click a button to log in or sign up. Nothing else required. That isn't achievable without a central authority managing everything for you.
* (this is the big one) Your local machine is a major point of failure. If you lose your local machine and haven't backed up your accounts, you just lose access, right? The only solution is either set up a server with periodic backup (too much friction for regular users) or a centralized authority that stores them for you, which defeats the purpose of all of this.
This project, to me, falls into the "cool technical stuff category". It's obviously built for "geeks" (lack of a better term) and not for people. That's why centralized tech co's will probably always do this better than open source. They are customer focused just as much as technology focused.
Unmonetized open source projects tend to focus more on technology than user experience. That's why you see regular people using monetized software and developers using open source to build monetized software.
>As an engineer with a CS degree, I still barely understand what it's talking about (what's an "identity attribute"??) without some digging.
It's not really ready to be used widely at this point. Given that, the fact that the documentation is currently more oriented towards developers working on identity software is fine, I think.
>Even if the value prop was well-explained, it's still very high friction compared to "Sign in with <Service I Already Use>". Why would a user download an installer and deal with managing all of their accounts? There's a secure, anonymous, easy, centralized option that does it all for you (Sign in with Apple). That service does it so well that you only have to click a button to log in or sign up. Nothing else required. That isn't achievable without a central authority managing everything for you.
Sure, installing software is higher-friction than using a centralized service, but it's not that much higher friction. It's not like people don't install software all the time. (And again, this is something that could easily be preinstalled by your OS vendor of choice, which would make the experience very similar to the centralized providers'.)
>Your local machine is a major point of failure. If you lose your local machine and haven't backed up your accounts, you just lose access, right? The only solution is either set up a server with periodic backup (too much friction for regular users) or a centralized authority that stores them for you, which defeats the purpose of all of this.
Yes, this is a big one. No, I don't think those are the only two options. You could sync them between devices if you have more than one (phone/laptop?), you could store them on a user-specified data storage location (think MIT's Solid), etc. I acknowledge that it's a problem, but I think it's a tractable one.
>This project, to me, falls into the "cool technical stuff category". It's obviously built for "geeks" (lack of a better term) and not for people.
I think you're looking at the project as it is, and not as it could be.
The future of online identity is indeed decentralized and not distributed, meaning that users will always have some super nodes to handle their identity on behalf of them. In my opinion Facebook/Twitter/etc are not identity providers, they are silos. Sure they are very successful ones and can even used as identity providers at some places, but as long as they don't open up they can easily die anytime.
The author suggests that services built on top of these Silos that provide proofs of connection between all the identities. I welcome such initiatives and but I doubt they will lead anywhere, cause they are built on top of silos. And a silo, as soon as it figures out it loses money, it will cut down that connection.
What won't die is decentralized published standards and protocols that handle the Identity management through the internet. Starting from plain DNS, we can get AoR for SMTP, SIP, XMPP and on top of that we have frameworks that facilitate the identity management like Oauth2, OpenID etc. All open and standardized. We are getting there, we just need some more time I guess.
That's why I always thought that, Google, who owns emails has much more value than Facebook, that asks for your email. If facebook dies, you lose one aspect of your digital social part. If you lose your email though, you almost lose your online identity. I really can't get how Zuckerberg has missed that.
In my ideal world, we have a framework for brick-and-mortar businesses to act as internet notary service providers.
If you want a general-purpose open-id style account, you visit a notary, and provide them with a fee and proof of your identity. You tell the notary how much information they can share (in particular, whether they can release your name to the internet, or just the "we verified this account is held by a real person" boolean).
The protocol would cover much more than passport info though. You could have a notary vouch that you're a licensed driver, or have a college degree, visited a certain country, etc.
That might cut through some flavors of online nonsense. It would also allow people to stay pseudonymous, and yet enable law enforcement to subpoena their identity, if they go on a killing spree, or hack a few million dollars worth of bitcoin.
> You could have a notary vouch that you're a licensed driver, or have a college degree, visited a certain country, etc.
Humans, generally, are very bad at caching document fraud. It wouldn't be a vouch for a licensed driver but instead it would be a vouch for "a bit of plastic that looked like a driving license to me".
There is lots of sophisticated fraud and often automated solutions have a much higher rate of detection than your average person, even with some training against common attacks.
Absolutely! It would be far from perfect, and, but for the worst-case scenario that the internet currently embodies, not worth pursuing. But there's so much room for improvement today. Just placing a barrier against sock puppet accounts would already be a huge win.
Certificate authorities with brick and mortar locations would be an improvement over the current USA situation of SSN+DOB as master password to all IRL accounts. Checking a drivers license IRL is better than looking at an uploaded scan or photo. They could use those box scanners casinos use.
The main issue is minimizing cost. Dot com companies and banks don't want to pay for this so they peg online identities and account security to SMS effectively pushing off the problem to cellular companies. Cellular companies lack the competence to handle IAM. Opening a branch in every city is very expensive and companies don't want to even pay ~$10 for an offshore script reader to check a SMS code and verify "public information" off a credit report.
Credit card companies that are already liable for fraud usually settle for SSN+DOB, ID scans and aforementioned Equifax data verification because fraud losses are cheaper than in person due diligence.
It would create a small financial (and convenience) pressure to use one identity. Careful design would be needed to ensure that multiple identities are encouraged and accepted.
There is enormous pressure to converge on one identity. IAM has huge network effects. On-boarding customers is an expense so businesses and governments rely heavily on existing rails like email, SSN+DOB, Facebook, SMS, etc. If you don't want to surrender SSN or your whole Facebook profile your only option is to reject the service entirely.
It could also make things like online voting (like, for winners in a contest or features in software) possible which would otherwise be impossible due to multiple accounts.
The people who consume the notarized documents. If too much crap comes through they can reject the issuer. Kind of like how Symantec CA got dropped by browser makers.
Public notaries are licensed by US state governments. There is generally a background check, brief training course, and application fee. In at least some states they have strict liability for theft of their stamp.
What does it mean to reject the issuer when there are around 4.4 million notaries in the US? What systems are in place now or would need to be created in order to aggregate trust and what are the pros and cons associated with those systems?
For individual notaries file a complaint about incompetence or report them for fraud. Signatures, seals, and watermarks aren't as good as public crypto but that's okay because phone calls, clearinghouses, and the legal system backstops them (especially for reversible transactions).
Rejecting issuers would be more applicable to repeated transactions from a corporate certificate authority.
As a person being notarized it sounds like I have to give that business more personal information about myself than I usually have to do to get an online identity, as suggested by your subpoena statement.
As a service trying to verify accounts I now have to trust a third party. Maybe the notary has a business that sells fake IDs in the back that are then used in the notarizing process. Maybe my competition set up a burner notary node in order to flood my service with malicious accounts. It sounds like an attack vector.
You've never provided any business with ID? How do you get into nightclubs?
The internet is important. When something is important enough, it is worth the risk. That's why people share secrets with their bank, lawyer, doctor, psychologist, etc.
We are squandering most of the potential of social media, because its design limits worthwhile conversation to hypotheticals. Since there's no reason to trust the honesty or motivations of anyone online, discussing actual data or life-experience is pointless.
CAcert has a system in place that is close to what you described[1]. Basically already verified users check the identity documents of new users and vouch for their authenticity. Their "Assurer Handbook"[2] is an interesting read. When I became an assurer a few years ago the person that trained me also took their task very seriously and I learned a ton about how to check identity documents for forgeries. That alone made it worth it.
Since we have Let's Encrypt I'm not entirely sure what CAcert's place and purpose is, but I think with an existing network of trusted people they are in an ideal position to pivot into a decentralized online identity system.
Mark Shuttleworth's Web of Trust similarly had so called Thawte Notaries but I think it was discontinued a few years ago.
> If you want a general-purpose open-id style account, you visit a notary, and provide them with a fee and proof of your identity.
This is never going to happen. I will never visit a physical location in order to create an online account. I strongly suspect I'm not alone in this regard.
TL;DR advice is to use email as your account ID method on various sites, and author's new service to 'verify' the accounts in a central place so people will know they are the same user between sites.
This isn't really decentralization is it?, it's a new kind of account linking which requires one to trust the central verification authority.
You wouldn't need to use your email as account id. The account id could even be completely random, as long as you manage to link back from that account to your key (in case of twitter, a tweet with the key fingerprint), anything works! Just add a link to that account to your key.
With regards to decentralization: keyoxide doesn't hold the proofs. Your key does. You can take your key to any verification system, whether it is keyoxide website or some CLI tool or an app, and have that verify the proofs. Yes, you do need to trust the service. But that's where the open source and hopefully one day, network effect comes into play. If enough knowledgeable people trust it and talk about it, then less-techy people might one day too.
In the end, what is important to note is this: keyoxide is just an implementation detail. If soon a different service becomes much more popular and used, the "decentralized identity proofs" ecosystem still wins! I would love to see apps get developed where anyone can at the press of a button verify online identities. That will be the next big milestone.
I agree with a lot of this post. A lot of the left-leaning intellectuals that are now criticizing the harder-left stances in academia; people like Brent Weinstine, Jonathan Haidt, Sam Harris, et. al. ... I've heard all of them say they want less anonymity and more accounts tied to real identities.
Whenever I hear this I think, "What? No! That's the opposite direction we should be going." Identities that are hard locked to real people makes it so easy to harass, mob, cancel and abuse people. At least in the US, most employers are at-will, allowing for Viewpoint Discrimination.
Anonymity does have its issues. It also does allow people to harass with more impunity. But in many ways, it also exposes more of the deep self and the controversial ideas people have that they are less and less likely to discuss outside of anonymity.
Even semi-anonymous platforms like Reddit are going back on previous commitments to free expression of ideas; and the effect is that Reddit is becoming more one-sided/one-direction, just like the platforms everyone is fleeing into.
Always use your e-mail to sign up for things. I rarely ever allow applications to connect via social media/OAuth. There was a time on the Internet where we thought all identity providers could be interchangeable. I ran an OpenID IDP for years, but fewer and fewer sites allow OpenID logins:
how about we have a whole range of options so that we can express our full selves via the various venues made available?
sometimes you want (pseudo-)anonymity and sometimes you don't. being able to pick and choose seems to offer the greatest freedom, rather than pigeon-holing everyone into one option.
This! While sometimes I want to use a pseudonym, there are many times I want to say "I am the human who I say I am," and currently, that means hoping a platform will magically verify me (if they even verify anyone) or, I suppose, posting a copy of my ID to the internet, and even that doesn't work so well.
While there are many routes to be semi-anonymous, there are very few to being verified (or maybe I just don't know about them)
On the contrary, I advise everyone to use real-name identities wherever they can. I understand that pseudonymous and real name accounts have fundamentally different approaches, but I think, for the majority of people, pseudonymous accounts are a mistake.
The reason is simple. In 2020, everybody is a brand. Things have become competitive to the point that the inevitable happened: business has occupied free time. We could lament that, or we could accept it, because it's the reality today, and I don't think we're ever going back.
Personally I think pseudonyms are a legacy of a time when the Internet was not taken seriously and whatsupdoggg69 was a perfectly valid username in a place where nothing mattered and Internet work had no monetary value.
That's changed, a lot. That viewpoint - which, to be honest, was probably questionable, even then - seems definitely wrong now. It seems more and more like the wrong path, and you don't have to go down it.
You need to start posting under your real name, and then keep doing that, so people know they can go to your advice, expertise, friendship, a place to pay attention, etc. That has a lot of monetary value.
My philosophy here is: unless you intentionally chose to leave money on the table, you should never leave money on the table.
So if you're working in 2020 at a prestigious or a first-mover startup (which covers a lot of startups), don't go on reddit and post memes under some name that will always be worth $0.
Instead, go on Twitter, post under your real name, and start becoming known as the go-to person for your niche of the industry.
If you are working at a startup, and building a name launched out of a startup (no lawyer is going to attempt to claim your real name social media handle), you can launch a consultancy, just off that.
Assuming your consultancy brings in 100k a year and businesses often sell for 10x revenue (a pretty reasonably assumption), then doing that over 10 years can build you a $1,000,000 consultancy.
Given those numbers, I think it's positively stupid to turn down $1,000,000 for the sake of a few forgettable jokes and political opinions that, let's face it, in the case of the average person, are not changing anything.
Instead, do the smart thing, claim that $1,000,000, and get used to using real names & real name content for everything.
As you say, using your real name builds your brand. However, you must then be very careful to avoid saying stuff that damages your brand. And as you basically say, you must therefore censor yourself online.
So why not do other stuff using pseudonyms? That's exactly why I started using them. I'm retired now, so there's really nothing about my meatspace identity to protect. But when there was, having the freedom to express myself honestly online was important to me. In particular, because I had to police my meatspace behavior so carefully.
I've given this a lot of thought (I also practice what I preach - I 95% post under my real name).
I advise against that, because in my experience, when you have a real name and a pseudonym account, there's a strong temptation to post all your edgy, attention-grabbing content to the alt, and all the boring content to your real name account.
Which is really bad for your main account, actually.
Note that some of the most popular personalities on Twitter - Elon Musk, Balaji Srinivasan - take this "carefully moderate your opinions unless it's a pseudonym" approach and stomp all over it. They are the total opposite of that. I think there's a lesson there, too: to really reach the stratosphere (including fame and wealth), as an unknown person, you probably need to take some risks and post risk-taking content, and associate it with a name+face where people can rally to you.
To be clear, I'm not making the moral argument that pseudonyms are cowardly or a moral failing, so don't use them. I'm making the purely self-interested argument that your content is worth money and you should monetize it under your real name, because it's the best vehicle for that.
That works for some, but for others it's been disastrous. And sometimes, it goes from popularly edgy to canceled in a flash. But yes, I agree that keeping a real name account totally boring is also risky.
Didn't you get the memo? We're supposed to like government surveillance now. After all, now FBI/CIA/NSA are on our side and we can totally trust them forever.
This makes tracking slightly more difficult, but does it really make significant difference when you consider all the tools at tracking companies' disposal?
How does it prevent linking those identities with real identities by using tools like browser fingerprinting, tracking preferences and stylometry?
I don't really see a way to keep my commenting (and even browsing to some extent) user friendly and disconnected from my real persona, so I act accordingly.
The system is attribute based and requires an 'authority' to give you the attribute. After that the attribute lives on your phone and you can give it out to organisations or businesses asking for....:
- your name
- whether you are >= 18
- your address
- etc.
What's great about it is:
- you can give out minimal information
- no 3rd party/intermediary required after you've received an attribute
The DID spec has been the one big success so far, but implementations matter. Our implementation has been open sourced, and is compatible with oAuth and other specs like DID:
The future is Decentralized - you have very large actors working to deploy systems based on the Verifiable Credentials (VC) Data Model (W3C Standard) and the Decentralized Identifiers (soon to be W3C Standard) extensive work is being done on how the data is exchanged (Credential Handler API, OpenID Connect Self Issued Identity Provider (OIDC_SOIP) <- so any installed openID can accept VCs and DID Communications (spec under development at the Decentralized Identity Foundation). Actors supporting this work include wester liberal governments, MSFT, IBM and many many others many cool small startups. We gather twice a year at the Internet Identity Workshop. Our archives for the last 10 years are online.
The DID and VC specs are the most advanced tools we have now to implement decentralized identity, plus there are many startups applying these in real world, solving problems and generating open source implementations.
Maybe I’m missing something but the author mentioned using email instead of Facebook/Google login. Why come up with a complex crypto protocol instead of using email as the identity key?
Because email alone is vulnerable, without two-factor authentication. And keys are a great second factor, except for the risk of losing them. Phone numbers are commonly used, but that's more PII to share, and it can be bypassed. Also, with something like Keybase or Keyoxide, you can still use multiple email addresses.
Your identity is going to come down knowledge of the private key from some sort of public key system. Why not just standardize that?
An excellent example of something perversely non-standardized for identities can be found in messaging. Signal, Matrix, Whatsapp and OMEMO are even supposedly based on the same protocol. In terms of identity they are all complete silos. All the things you establish about an identity on one system is completely unusable on another.
Creating systems to kludge this mess together seems to be a way of avoiding the root problem here...
What happens when the private key is lost? We can either have certificate authorities issue you a new one, or you would need to approach your peers and have e.g. three of them confirm that you've changed keys.
One could also use Shamir's Secret Sharing algorithm to have a number of your peers hold your secret key without them being able to access it. When you've lost the key, you have a subset of the peers reproduce it for you, by sharing their portion of the secret. Cryptography is pretty great.
Then you have lost that particular identity and would have to start over with a new one for that particular aspect of your online life. If you lose it and can get it back somehow then it wasn't really yours in the first place.
You can have as many passphrase protected backups of your identity in as many places as you like so in practice the more likely issue would be where someone else gets access to your private key. So that means some sort of revocation contingency.
Yeah, that is a huge problem. Most people just don't do well at managing keys and credentials. As much as I hate Signal's phone number requirement, I appreciate the reason for it.
Yes, it might be de-centralized, but in a different way. It will simply be distributed to different bureaucracies/aristocracies/warlords/agencies/etc. with each jealously holds their part and tries to grab the rest from other players.
I’m happy to support IndieAuth (a decentralized identity protocol built on top of OAuth 2.0) on my site and give people the option to use their personal site, if they have one, as a way of identifying themselves and performing authentication.
"Built for individuals, I recently launched Keyoxide which uses cryptographic keypairs to accomplish decentralized identity verification."
So this is about the introduction of a new identity service. From what I get looking into Keyoxide it basically strives to be what Keybase originally intended to be.
From their Keybase migration guide [1]:
"Keyoxide as a partial replacement for Keybase
It's important to moderate expectations and state that Keyoxide only replaces the subset of Keybase features that are considered the "core" features: message encryption, signature verification and identity proofs.
Message decryption and signing are not supported features: they would require you to upload your secret key to a website which is a big no-no.
Encrypted chat and cloud storage are not supported features: there are plenty of dedicated alternative services.
If you need any of these Keybase-specific supports, Keyoxide may not be a full Keybase replacement for you but you could still generate a profile and take advantage of distributed identity proofs."
The key difference is that instead of the Keybase server storing verifications, it looks like they tell you to add the link to the proof directly to your key as a notation.
This means the proof isn't dependent on a central server, which seems like a significant improvement.
Fully agree. I've had the opportunity to work on identity at 2 former employers. We tried to push things in this direction as part of exploration work including discussions with Mozilla around Persona and much more. Unfortunately every time, we met a fairly insurmountable problem - most users just don't get it, and even if they get it, they don't care.
I agree this is where things need to move, but we need to make it so simple that users who don't care can still use it and those who do can get the most out of it.
201 comments
[ 2.5 ms ] story [ 228 ms ] threadHandshake [2] is a great project that helps decentralize online identity. Not only is naming distribution in the hands of the people with Handshake which ends the deplatforming/censorship debacle the world has been facing recently, but also, anything a name does can be verified with signatures verifiable against the blockchain.
[1] https://www.theverge.com/2016/11/23/13739026/reddit-ceo-stev...
[2] https://handshake.org
Sadly the system cannot be used easily for any applications storing personal information since your identity is tied to a blockchain and the GDPR requires companies to make information deletable.
The reliance on abstract art for trying to make their points come across are still to vague for me to give the project a try, but who knows, maybe in another year or two the project and its concepts will actually be understandable enough for me to give it a shot.
As to your second point, I'm curious if any decentralized system will ever allow for full deletion of information once it has been replicated by another client. Any gossip protocol, or decentralized CRDT document system has to take into account that a client will go offline and retain information once it has been released into the wild. Whether or not a request to "delete" or hide that information is followed through with is almost impossible to regulate. It's perhaps more important to realize that what we publish, may always exist out there.
That being said, clients could randomly ask for "tombstoned" information to verify that other clients comply to a delete request, but it will likely always exist somewhere.
If you do want to head off the crypto founders before they show up, perhaps you could write a comment along the lines of, "In case anyone is wondering, here are the reasons cryptocurrency/identity makes no sense when solving this problem..."
"I predict from prior experience that a bunch of cryptocurrency identity bagholders from 2017 will show up to shill their useless project not realizing it will never catch on and that product's adoption will never buoy their bags even if it did catch on"
In general I like the idea but since it's a EU-style project I don't expect it to go anywhere to be honest. And personally I don't think the benefit over e-mail based authentication is marginal. That said there are some extensions in OpenID Connect that can achieve something similar, and that (IMHO) are more likely to actually get widely adopted.
I'd love to have SSO under my own control, and while it was theoretically possible with OpenID 2 things have gone backwards with OIDC with everyone supporting it but restricting login to just the big names (Google, Facebook, Apple).
I put together a simple stateless OID2/OIDC identity provider: https://gitlab.com/rendaw/oidle but I have yet to find a website I can actually use it on. I still have hope though.
https://battlepenguin.com/tech/the-decline-of-openid/
I'd almost sign up for a website at this point just to get a chance to use my OID provider...
Which is why I am confused as to why the author spent so much time worrying about verifying identity. To me, that feels like it's completely missing the point of fragmenting your online experience. Is the author simply concerned with the amount of power associated with their google login?
Decentralized solutions, as I've read about them in their current form, require a significant amount of technical knowledge to understand. That is, to understand both what they are and, more importantly, their benefits ("why does this specific solution matter to me?"). Past that, the user experience is extremely poor in comparison to clicking "log in with Google", and I'm not convinced it can ever fully get there.
It is for those reasons that I think centralized identity is here to stay long term. Most people aren't going to spend the time to learn about this because they just want the easiest solution and don't care about their data being sold. I know several people in tech that fully understand the extent of how their data is used by internet corps, and don't mind it because they prefer convenience for free. And I think that's OK--it's their informed choice.
Personally, I try to login with email most of the time, and that's the limit of my drive to care about the security of my personal data. But my email is gmail, so I doubt it really makes a difference from login with Google.
Centralized has subscriptions, advertising, and "surveillance capitalism." Decentralized has nothing. I had some hope that cryptocurrency would provide some kind of mechanism, but cryptocurrency was taken over and destroyed by scammers and bad money drives out good.
The lack of an economic model is IMHO why decentralized solutions have not succeeded, not technical challenges.
One possibility would be to abandon the free as in beer part of open source ideology and go back to just charging for software, but licensing and payment add friction and it's very hard to compete with "free" options funded surreptitiously via surveillance.
BTW the fact that cryptocurrency was destroyed by scammers and criminals highlights a second huge issue: it seems to take the efficiency, executive ability, coordination, and direct human guidance of a centralized system to resist bad actors. This is why even the most democratic countries have mechanisms to phase shift into dictatorships during emergency or war. I have yet to see a decentralized system that became popular and was not instantly destroyed by black hats.
You’re right. This lack needs to be addressed for us to progress.
How about this model? Would like feedback: https://qbix.com/token
The bigger problem is convincing people that it's worth switching. Apple is the closest to doing this with "sign in with Apple". "Sign in with Apple" hides your identity from the client site, the value prop is clear for the user, and the process as close to frictionless as possible. But the solution is still "centralized". Apple stores all of the information to make the system as frictionless as it is.
If users are still unwilling to run their own infra, then that seems like a great opportunity for Identity as a Service. I'd feel much more comfortable handing identity to a firm whose entire business model revolves around securing my information and protecting my privacy rather than a big-tech.
I would call okta, auth0 and iWelcome big-tech already, even if they're not FAANG-level big tech yet.
I'd rather, as a company, risk managing all of my users' identities (vulnerability to a data breach, mitigated by a well-trained security team) than trust my users to manage their own security well and inevitably deal with a mass amount of compromised accounts.
As a user, especially if I'm not technical, I'd have a strong bias towards handing my identity to a team that's spent years studying computer security. Managing my own identity would involve learning a lot about computer security. That would take a lot of time and I'd really have to care about it to do it "right". Regardless, I'd likely get a lot of things wrong, leading to my identity being more insecure than if I had just stored it with someone like Apple.
They can find out if you are a user of sex.com or dangerouspoliticalopinions.com
They can do this by trying to register an account with your email address, and being told it was already registered.
Here is a tool that allows anyone to do it:
https://www.quora.com/Is-there-a-way-to-know-which-all-sites...
https://brandyourself.com/blog/privacy/find-all-accounts-lin...
However, I believe that would fail for those using Google or Facebook authentication. But I can't test that, given that I don't have an account with either.
In Mexico, credit cards are stolen and reamed for all they're worth by criminals. As a result, everyone uses cash (decentralized, anonymous, difficult to use). Everyone could move to decentralized in the face of significant pressure, even if centralized identity is more convenient.
Considering how Americans view other Americans (I hear "stupid" thrown around a lot), I strongly doubt that a decentralized authority would ever gain enough trust in the US to take hold today without a strong historical precedent.
For what it's worth, cash is still centralized. It's made "legitimate" by the power of the central government, and is managed & controlled by that authority. Given, it is somewhat "decentralized" because the value of fiat money comes from the people's agreement that the currency has value. On the other hand, the US dollar's global hegemony exists in large part because of global US Military presence, which is absolutely a "central authority".
I disagree that it matters for trust in CC's. It may have damaged experians reputation, but people still trust amex/MasterCard/visa and their banks, despite Experian being useless. The fact that Experian is required to access those systems is unfortunate, but most people don't deal with Experian directly.
I think people's day-to-day trust in banks is well placed, for what it's worth. I banked with a large bank that fell in 2008, and had less than 10,000 in my bank. My money wasn't affected, I just had to find a new provider.
I've had multiple incidents of fraudulent transactions on debit and credit cards over the last 15 years, and in _every_ instancr, my card provider has sided with me and refunded me the money immediately (even in the one case I was actually wrong and it was a billing mistake). Those amounts we're almost always in the few hundreds.
If a centralized system is not inept, it can do all the same things decentralized things do and better.
1: https://xkcd.com/538/
Though a weird set of coincidences I often get support tickets about people using or enrolling in TOTP escalated to me. These people have never used an authenticator, except for the company-mandated Microsoft authenticator. Not only do they simplify the concept thinking there's just one code for everything (e.g. microsoft token are used for AWS, don't worry these people only have access to some S3 stuff) they also extrapolate that because Microsoft sends them a push notifications, AWS must too, and they didn't get one, so it's obviously broken.
Email is slowly losing this awareness too. The only remaining analogy that's probably not going away is getting your credit card from a bank while they still work on the same network.
When you visit a website that works with it, to login, you just grant the webpage access to one of your profiles. (I just use one profile for everything, but you may wish to keep some things separate). Then any activity you do can be associated with that profile. No passwords or keys or even email addresses to remember.
I didn't even know Microsoft family was a thing, but setting it up and configuring it (from my perspective), was intuitive and simple. My mother and brother however struggled to follow along, an are stressed that they won't be able to manage it.
Most users (even my spouse who is in her late 20's) readily fall into this category. My point is that if configuration requires any troubleshooting it won't reach mass adoption unless it addresses a perceived necessity without an alternative approach.
It's still pretty early, but imagine a more polished version of that with a user-friendly installer. If you had the software installed and running, it'd behave pretty similarly to e.g. Google's OIDC provider. Linux distros could even preinstall it. (I have no hope that MS/Apple/Google would do the same since they all have their own centralized providers.)
* Its value prop is poorly explained. As an engineer with a CS degree, I still barely understand what it's talking about (what's an "identity attribute"??) without some digging.
* Even if the value prop was well-explained, it's still very high friction compared to "Sign in with <Service I Already Use>". Why would a user download an installer and deal with managing all of their accounts? There's a secure, anonymous, easy, centralized option that does it all for you (Sign in with Apple). That service does it so well that you only have to click a button to log in or sign up. Nothing else required. That isn't achievable without a central authority managing everything for you.
* (this is the big one) Your local machine is a major point of failure. If you lose your local machine and haven't backed up your accounts, you just lose access, right? The only solution is either set up a server with periodic backup (too much friction for regular users) or a centralized authority that stores them for you, which defeats the purpose of all of this.
This project, to me, falls into the "cool technical stuff category". It's obviously built for "geeks" (lack of a better term) and not for people. That's why centralized tech co's will probably always do this better than open source. They are customer focused just as much as technology focused.
Unmonetized open source projects tend to focus more on technology than user experience. That's why you see regular people using monetized software and developers using open source to build monetized software.
It's not really ready to be used widely at this point. Given that, the fact that the documentation is currently more oriented towards developers working on identity software is fine, I think.
>Even if the value prop was well-explained, it's still very high friction compared to "Sign in with <Service I Already Use>". Why would a user download an installer and deal with managing all of their accounts? There's a secure, anonymous, easy, centralized option that does it all for you (Sign in with Apple). That service does it so well that you only have to click a button to log in or sign up. Nothing else required. That isn't achievable without a central authority managing everything for you.
Sure, installing software is higher-friction than using a centralized service, but it's not that much higher friction. It's not like people don't install software all the time. (And again, this is something that could easily be preinstalled by your OS vendor of choice, which would make the experience very similar to the centralized providers'.)
>Your local machine is a major point of failure. If you lose your local machine and haven't backed up your accounts, you just lose access, right? The only solution is either set up a server with periodic backup (too much friction for regular users) or a centralized authority that stores them for you, which defeats the purpose of all of this.
Yes, this is a big one. No, I don't think those are the only two options. You could sync them between devices if you have more than one (phone/laptop?), you could store them on a user-specified data storage location (think MIT's Solid), etc. I acknowledge that it's a problem, but I think it's a tractable one.
>This project, to me, falls into the "cool technical stuff category". It's obviously built for "geeks" (lack of a better term) and not for people.
I think you're looking at the project as it is, and not as it could be.
The author suggests that services built on top of these Silos that provide proofs of connection between all the identities. I welcome such initiatives and but I doubt they will lead anywhere, cause they are built on top of silos. And a silo, as soon as it figures out it loses money, it will cut down that connection.
What won't die is decentralized published standards and protocols that handle the Identity management through the internet. Starting from plain DNS, we can get AoR for SMTP, SIP, XMPP and on top of that we have frameworks that facilitate the identity management like Oauth2, OpenID etc. All open and standardized. We are getting there, we just need some more time I guess.
That's why I always thought that, Google, who owns emails has much more value than Facebook, that asks for your email. If facebook dies, you lose one aspect of your digital social part. If you lose your email though, you almost lose your online identity. I really can't get how Zuckerberg has missed that.
It didn’t really take off though, and I guess was quietly withdrawn.
https://techcrunch.com/2010/11/15/facebook-messaging/
If you want a general-purpose open-id style account, you visit a notary, and provide them with a fee and proof of your identity. You tell the notary how much information they can share (in particular, whether they can release your name to the internet, or just the "we verified this account is held by a real person" boolean).
The protocol would cover much more than passport info though. You could have a notary vouch that you're a licensed driver, or have a college degree, visited a certain country, etc.
That might cut through some flavors of online nonsense. It would also allow people to stay pseudonymous, and yet enable law enforcement to subpoena their identity, if they go on a killing spree, or hack a few million dollars worth of bitcoin.
Humans, generally, are very bad at caching document fraud. It wouldn't be a vouch for a licensed driver but instead it would be a vouch for "a bit of plastic that looked like a driving license to me".
There is lots of sophisticated fraud and often automated solutions have a much higher rate of detection than your average person, even with some training against common attacks.
The main issue is minimizing cost. Dot com companies and banks don't want to pay for this so they peg online identities and account security to SMS effectively pushing off the problem to cellular companies. Cellular companies lack the competence to handle IAM. Opening a branch in every city is very expensive and companies don't want to even pay ~$10 for an offshore script reader to check a SMS code and verify "public information" off a credit report.
Credit card companies that are already liable for fraud usually settle for SSN+DOB, ID scans and aforementioned Equifax data verification because fraud losses are cheaper than in person due diligence.
Public notaries are licensed by US state governments. There is generally a background check, brief training course, and application fee. In at least some states they have strict liability for theft of their stamp.
Rejecting issuers would be more applicable to repeated transactions from a corporate certificate authority.
As a person being notarized it sounds like I have to give that business more personal information about myself than I usually have to do to get an online identity, as suggested by your subpoena statement.
As a service trying to verify accounts I now have to trust a third party. Maybe the notary has a business that sells fake IDs in the back that are then used in the notarizing process. Maybe my competition set up a burner notary node in order to flood my service with malicious accounts. It sounds like an attack vector.
The internet is important. When something is important enough, it is worth the risk. That's why people share secrets with their bank, lawyer, doctor, psychologist, etc.
We are squandering most of the potential of social media, because its design limits worthwhile conversation to hypotheticals. Since there's no reason to trust the honesty or motivations of anyone online, discussing actual data or life-experience is pointless.
Clubs don't care about identity. In some parts of the world they care about age and outward signs of affluence and/or attractiveness.
https://www.w3.org/TR/vc-data-model/
Since we have Let's Encrypt I'm not entirely sure what CAcert's place and purpose is, but I think with an existing network of trusted people they are in an ideal position to pivot into a decentralized online identity system.
Mark Shuttleworth's Web of Trust similarly had so called Thawte Notaries but I think it was discontinued a few years ago.
[1] http://wiki.cacert.org/FAQ/AssuringPeople
[2] http://wiki.cacert.org/AssuranceHandbook2
This is never going to happen. I will never visit a physical location in order to create an online account. I strongly suspect I'm not alone in this regard.
This isn't really decentralization is it?, it's a new kind of account linking which requires one to trust the central verification authority.
Maybe I'm missing something.
With regards to decentralization: keyoxide doesn't hold the proofs. Your key does. You can take your key to any verification system, whether it is keyoxide website or some CLI tool or an app, and have that verify the proofs. Yes, you do need to trust the service. But that's where the open source and hopefully one day, network effect comes into play. If enough knowledgeable people trust it and talk about it, then less-techy people might one day too.
In the end, what is important to note is this: keyoxide is just an implementation detail. If soon a different service becomes much more popular and used, the "decentralized identity proofs" ecosystem still wins! I would love to see apps get developed where anyone can at the press of a button verify online identities. That will be the next big milestone.
Whenever I hear this I think, "What? No! That's the opposite direction we should be going." Identities that are hard locked to real people makes it so easy to harass, mob, cancel and abuse people. At least in the US, most employers are at-will, allowing for Viewpoint Discrimination.
Anonymity does have its issues. It also does allow people to harass with more impunity. But in many ways, it also exposes more of the deep self and the controversial ideas people have that they are less and less likely to discuss outside of anonymity.
Even semi-anonymous platforms like Reddit are going back on previous commitments to free expression of ideas; and the effect is that Reddit is becoming more one-sided/one-direction, just like the platforms everyone is fleeing into.
Always use your e-mail to sign up for things. I rarely ever allow applications to connect via social media/OAuth. There was a time on the Internet where we thought all identity providers could be interchangeable. I ran an OpenID IDP for years, but fewer and fewer sites allow OpenID logins:
https://battlepenguin.com/tech/the-decline-of-openid/
sometimes you want (pseudo-)anonymity and sometimes you don't. being able to pick and choose seems to offer the greatest freedom, rather than pigeon-holing everyone into one option.
While there are many routes to be semi-anonymous, there are very few to being verified (or maybe I just don't know about them)
The reason is simple. In 2020, everybody is a brand. Things have become competitive to the point that the inevitable happened: business has occupied free time. We could lament that, or we could accept it, because it's the reality today, and I don't think we're ever going back.
Personally I think pseudonyms are a legacy of a time when the Internet was not taken seriously and whatsupdoggg69 was a perfectly valid username in a place where nothing mattered and Internet work had no monetary value.
That's changed, a lot. That viewpoint - which, to be honest, was probably questionable, even then - seems definitely wrong now. It seems more and more like the wrong path, and you don't have to go down it.
You need to start posting under your real name, and then keep doing that, so people know they can go to your advice, expertise, friendship, a place to pay attention, etc. That has a lot of monetary value.
My philosophy here is: unless you intentionally chose to leave money on the table, you should never leave money on the table.
So if you're working in 2020 at a prestigious or a first-mover startup (which covers a lot of startups), don't go on reddit and post memes under some name that will always be worth $0.
Instead, go on Twitter, post under your real name, and start becoming known as the go-to person for your niche of the industry.
If you are working at a startup, and building a name launched out of a startup (no lawyer is going to attempt to claim your real name social media handle), you can launch a consultancy, just off that.
Assuming your consultancy brings in 100k a year and businesses often sell for 10x revenue (a pretty reasonably assumption), then doing that over 10 years can build you a $1,000,000 consultancy.
Given those numbers, I think it's positively stupid to turn down $1,000,000 for the sake of a few forgettable jokes and political opinions that, let's face it, in the case of the average person, are not changing anything.
Instead, do the smart thing, claim that $1,000,000, and get used to using real names & real name content for everything.
As you say, using your real name builds your brand. However, you must then be very careful to avoid saying stuff that damages your brand. And as you basically say, you must therefore censor yourself online.
So why not do other stuff using pseudonyms? That's exactly why I started using them. I'm retired now, so there's really nothing about my meatspace identity to protect. But when there was, having the freedom to express myself honestly online was important to me. In particular, because I had to police my meatspace behavior so carefully.
I advise against that, because in my experience, when you have a real name and a pseudonym account, there's a strong temptation to post all your edgy, attention-grabbing content to the alt, and all the boring content to your real name account.
Which is really bad for your main account, actually.
Note that some of the most popular personalities on Twitter - Elon Musk, Balaji Srinivasan - take this "carefully moderate your opinions unless it's a pseudonym" approach and stomp all over it. They are the total opposite of that. I think there's a lesson there, too: to really reach the stratosphere (including fame and wealth), as an unknown person, you probably need to take some risks and post risk-taking content, and associate it with a name+face where people can rally to you.
To be clear, I'm not making the moral argument that pseudonyms are cowardly or a moral failing, so don't use them. I'm making the purely self-interested argument that your content is worth money and you should monetize it under your real name, because it's the best vehicle for that.
Didn't you get the memo? We're supposed to like government surveillance now. After all, now FBI/CIA/NSA are on our side and we can totally trust them forever.
How does it prevent linking those identities with real identities by using tools like browser fingerprinting, tracking preferences and stylometry?
I don't really see a way to keep my commenting (and even browsing to some extent) user friendly and disconnected from my real persona, so I act accordingly.
However, I'd like to be proved wrong.
The system is attribute based and requires an 'authority' to give you the attribute. After that the attribute lives on your phone and you can give it out to organisations or businesses asking for....:
What's great about it is:Source: I'm Icelandic but have a cousin in NL.
https://github.com/Qbix/auth
The DID spec has been the one big success so far, but implementations matter. Our implementation has been open sourced, and is compatible with oAuth and other specs like DID:
https://github.com/Qbix/Platform
The DID and VC specs are the most advanced tools we have now to implement decentralized identity, plus there are many startups applying these in real world, solving problems and generating open source implementations.
Btw, I joined the Internet Identity Workshop last spring and it was an incredible experience. (https://internetidentityworkshop.com/)
An excellent example of something perversely non-standardized for identities can be found in messaging. Signal, Matrix, Whatsapp and OMEMO are even supposedly based on the same protocol. In terms of identity they are all complete silos. All the things you establish about an identity on one system is completely unusable on another.
Creating systems to kludge this mess together seems to be a way of avoiding the root problem here...
You can have as many passphrase protected backups of your identity in as many places as you like so in practice the more likely issue would be where someone else gets access to your private key. So that means some sort of revocation contingency.
I described the motivation in more detail at https://github.com/shurcooL/home/issues/34.
So this is about the introduction of a new identity service. From what I get looking into Keyoxide it basically strives to be what Keybase originally intended to be.
From their Keybase migration guide [1]:
"Keyoxide as a partial replacement for Keybase
It's important to moderate expectations and state that Keyoxide only replaces the subset of Keybase features that are considered the "core" features: message encryption, signature verification and identity proofs.
Message decryption and signing are not supported features: they would require you to upload your secret key to a website which is a big no-no.
Encrypted chat and cloud storage are not supported features: there are plenty of dedicated alternative services.
If you need any of these Keybase-specific supports, Keyoxide may not be a full Keybase replacement for you but you could still generate a profile and take advantage of distributed identity proofs."
[1] https://keyoxide.org/guides/migrating-from-keybase
This means the proof isn't dependent on a central server, which seems like a significant improvement.
Far too technical and obscure a solution for 99% of the world.
I think Apple, while not a complete solution, shows a path forward with Sign In with Apple allowing you to generate a relay email.
As always, whoever nails the user experience will win.
I agree this is where things need to move, but we need to make it so simple that users who don't care can still use it and those who do can get the most out of it.