👤cxr 🕑6y 🔼83 🗨️37

(Replying to PARENT post)

There's a book, "Mystery of Capital", wherein the author points out that in order for identity and contracts to work there has to be "something to lose" for the parties involved.

E.g. the power company can't supply power to slums not because of technical limits, but rather economic limits: because the residents don't have titles or leases or bank accounts there's no way to shut off the power to a household for non-payment. There's no leverage without paperwork.

It's relatively established how to do this IRL with deeds and titles and contracts and such. On the Internet it's not even clear that identity is possible to establish. Our computer systems leak like sieves and people get hacked all the time.

I was imagining just yesterday starting an MLM system based on reselling yubikeys and establishing a hardware-backed web-of-trust. I wouldn't even try to make it a pyramid: just resell the keys to your "downline" at wholesale plus the upline, uh, payment (I don't know the terminology). Any infrastructure is provisioned by open bid and paid for by simple equal division among all current members. I would imagine it would amount to about a dollar or two per month per person at the very most, flat rate, not part of the MLM.

The whole point is to self-fund a hardware-backed p2p-IRL identity authentication network.

👤carapace 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

Personally I think a good identity system should have these properties:

* Identity provider should not see which services users authenticate to. Afaik this is now a major issue with current "Log in with X" systems

* Services should not be able to discover which other services a user has authenticated to, i.e. the identity presented to service A should not be linkable to the identity presented to service B

* Identities should be relatively stable. The identity presented to a certain service at a certain point in time should be the same identity presented to the same service at some other point in time.

* The system probably needs to be able to allow users to reveal additional information about their identity. This is a problematic requirement because in wider use it is ripe for abuse by service providers

* Optionally it'd be nice if the system would have some facilities for offline usage, where neither user nor service needs to talk to identity provider.

This is a fairly hairy problem, with many more concerns in the details and other people probably having different requirements. From a quick search, Credentica's (now MS) U-Prove system comes closest, but I haven't delved really into it to see if it actually matches my thoughts.

👤zokier 🕑6y 🔼0 🗨️0
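The first three properties in the list above (no identity provider in the loop, unlinkable identities across services, a stable identity per service) plus the offline one can all be met with pairwise keys derived on the user's own device. The Go program below is an added illustration of that design; it is not code from the post, from U-Prove, or from any deployed system. It assumes a 32-byte master secret kept only on the client, HMAC-SHA256 with a fixed label as the key-derivation PRF, and hypothetical names (`DeriveServiceKey`, `Service`, `Respond`, the two `*.example` origins). It deliberately does not cover the fourth property, selective disclosure, which is where anonymous-credential schemes like U-Prove come in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Domain-separation label for the key derivation (an assumption of this
// example; any fixed, versioned string works as long as it never changes).
const derivationLabel = "pairwise-identity-v1/"

// DeriveServiceKey derives the Ed25519 key the user presents to one service
// from a master secret held only on the user's device. The same
// (master, origin) pair always yields the same key (stability), and with
// HMAC-SHA256 as the PRF the keys for two origins cannot be linked without
// the master secret (unlinkability). No identity provider takes part, so
// none can observe where the user logs in.
func DeriveServiceKey(master []byte, serviceOrigin string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(derivationLabel + serviceOrigin))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	return ed25519.NewKeyFromSeed(seed)
}

// authMessage binds a challenge to the origin it was issued for, so a
// signature obtained by service A cannot be replayed at service B.
func authMessage(origin string, challenge []byte) []byte {
	return append([]byte("auth:"+origin+":"), challenge...)
}

// Service is the relying party. It stores only public keys, so a breach of
// its user table yields nothing usable at any other service.
type Service struct {
	Origin string
	Users  map[string]ed25519.PublicKey // keyed by the service-local identity
}

func NewService(origin string) *Service {
	return &Service{Origin: origin, Users: map[string]ed25519.PublicKey{}}
}

// Register stores the public key and returns the identifier this service
// will know the user by; it is meaningful only here.
func (s *Service) Register(pub ed25519.PublicKey) string {
	id := hex.EncodeToString(pub)
	s.Users[id] = pub
	return id
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Service) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Authenticate checks that the holder of the registered key signed this
// service's own challenge. No round trip to any third party is needed.
func (s *Service) Authenticate(id string, challenge, sig []byte) bool {
	pub, ok := s.Users[id]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, authMessage(s.Origin, challenge), sig)
}

// Respond is the client side of one login: derive the per-service key and
// sign the origin-bound challenge. The public key is returned so the caller
// can look up (or register) the service-local identity.
func Respond(master []byte, origin string, challenge []byte) (ed25519.PublicKey, []byte) {
	priv := DeriveServiceKey(master, origin)
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, authMessage(origin, challenge))
}

func main() {
	master := make([]byte, 32) // constructed for the demo; real code keeps this in a hardware token or OS keystore
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	a, b := NewService("https://a.example"), NewService("https://b.example")

	pubA, _ := Respond(master, a.Origin, nil)
	pubB, _ := Respond(master, b.Origin, nil)
	idA, idB := a.Register(pubA), b.Register(pubB)
	fmt.Println("identity at A:", idA[:16], " identity at B:", idB[:16], " linkable:", idA == idB)

	chal, _ := a.Challenge()
	_, sig := Respond(master, a.Origin, chal)
	fmt.Println("login at A:", a.Authenticate(idA, chal, sig))
	fmt.Println("replay at B:", b.Authenticate(idB, chal, sig))
}
```

The origin string inside the signed message is the part people tend to forget: without it, a phishing site that relays A's challenge to the user gets a signature it can replay at A. The remaining weakness of the design is the one the next comment raises, recovery: lose the master secret and every pairwise identity goes with it.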

(Replying to PARENT post)

This article seems to present the state of the Internet as a kind of feudalism, where one must swear fealty to an established "brand", and carving out a life as a freeman is practically unattainable. I'd say the reality is that it's easy to join the Internet land-owning class (buy a domain; get a cert; run services), yet most people prefer to rent because they are not so inclined.

Email is widely used, HTTPS is widely used, and they don't require you to use a gatekeeper brand. Many instant messaging platforms, while run by brands, allow you to bring your own email address as an identity.

I don't think authentication of identities is a feature that ties people to brands. A phone number is pseudonymous, and acts as an identity for many mobile messaging applications. Authentication in many cases is performed socially: you got the number from them, from a mutual friend, or they told you who they are and you were convinced.

👤gnode 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

> There is no good way for a person to identify another person without first mutually agreeing on Brand identities.

How is this absence not a good thing? If someone wants to be identified, they have to go through the trouble of creating an identity. In fact, it would be preferable to also not have a permanent or consistent personal identity with respect to brands either.

👤human20190310 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

I think I get what the article is trying to say, but I have to admit that bringing in the concept of "brand" seriously derails it for me.

My identity is not a "brand", the identifiers I use online are not a "brand", and I don't interact with "brands". I interact with people.

What I'm not sure about is whether I'm just having a reaction to the use of the concept of "brand" that is obscuring a meaningful and accurate point for me.

Now that I've written all of this, though, I'm not sure that I understood what the article was trying to say at all.

EDIT: now that I've read it a couple of times, I'm pretty sure that I don't understand what it's really saying. Can someone explain like I'm five?

👤JohnFen 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

Really good read. Provides a new abstraction model that we've not seen before. It shows the depth of the problem and why we have never solved it since the days of PGP, 1991. It does not mention the idea of owning your own identity[1], a possible solution. [1] https://wiki.p2pfoundation.net/Self-Sovereign_Identity

👤synctext 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

The discussion leaves out account/identity recovery, which in practice is the most important part. You can use a PGP keypair as your identity, but if you lose access to it then you're screwed. So from an identity perspective the "brands" he mentions are a set of account recovery services of varying effectiveness, consisting of email, SMS, phone, and more complicated/unreliable methods like begging technical support.

At the end he mentions a statistical analysis in Mathematica and a text adventure in PHP. The second seems easy enough to share by just giving out an IP or using a dynamic DNS service. Mathematica is less clear, because it's proprietary, but it comes with a cloud subscription so presumably one would just upload it to the cloud. It's pointless to complain about a "brand" when the software itself is the brand.

And the last part where he talks about identifying people is also really simple. Everyone has a phone, so just using GPS narrows down the space to a few hundred, wherein one can use other methods like scrolling through the list. The hard part is doing it in a way that doesn't allow user tracking, but that's a privacy rather than an identity issue.

👤Mathnerd314 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

I don't necessarily want to rely on brands, to use the jargon of the article, to facilitate informational exchange.

As a user I certainly am interested to exclude the brand wherever I can, because it is a security flaw and allows for countless attack vectors.

I know about the current ambitions of identity providers and I make use of them because I am lazy too and don't know enough about security to match their services. But it is still a concession.

I think keeping the logistical perspective of key exchange can work for new ideas, while this perspective obfuscates ambitions the brand could want to see realized.

Quote from the link in the text:

> User-centric designs turned centralized identities into interoperable federated identities with centralized control, while also respecting some level of user consent about how to share an identity (and with whom).

... "while also respecting ~some~ level of user consent" is the issue where legislation for informational self determination is needed.

Again, if this problem is transparently presented, I would have less issue with this new perspective.

You can already upload everything to Amazon Beanstalk and use Amazon Cognito as an identity provider. Hacked together but very usable. I already sold my soul countless times but there is still one problem: Amazon.

👤raxxorrax 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

I like this article. It is concise and really lays out the issue in an organized way that explains a lot. I've understood this as a problem for so long, but I've not had the perspective to think about it clearly.

👤metalliqaz 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

This is lovely. I've always considered myself an internet person, I own a few domain names, I have a few servers, actual, physical pieces of hardware, connected to the Internet through my private internet connection. Sure, it took a bit of effort to get it up the first time, to figure out how to configure routers, to configure postfix and set up mail accounts, figuring out how to do DKIM in DNS, but now the bar for entry is extremely low.

If I write a PHP adventure in an hour, it won't take more than 5 minutes to put it online for the world to see, and those who know me know my domain/brand, and I can easily link it to them.

If Alice wants to talk to Bob, she can just send those IP packets to his computer! If Alice and Bob are good friends, they probably exchanged certificates at some point.

In retrospect, I used to be rather arrogant about this, not proud, just annoyed why everyone didn't just do that. But I've realized that I probably didn't find any of it easy, I just happened to find it fun and interesting. It'd have been torture if it was not fun for me to do.

So yeah, we should maybe think hard about how to get to that point, where everyone who is online can have that amount of freedom, without having to rely on third parties, and without dedicating days to learning _that_much_ technical stuff. We don't need a new service trying to do this for us on the old Internet, we need some fundamental change, maybe it is not even to the network itself, maybe it is to the way we use or think about it. Maybe it is just concepts we are missing? Maybe it is tools. Maybe it is really a fundamental change to the network itself. All must be free and equal on the capital I-Internet.

👤dusted 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

I was surprised this post didn't even mention the existence or development around decentralized P2P technologies for identity management. We have the tech, it's mostly a problem of marketing and network effect. Large centralized brands like Google or Facebook are convenient active hubs of interconnected identities, but these centralized apps have the major downside of eventually leaking personal data that we don't want them to. Not to mention at some point it just gets so tiresome to create yet another account, for yet another brand. We need secure means to manage our own online identity in a way that can interoperate with all the brands out there with minimal risk.

👤VintageVibes 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

Layer 5 belongs before Layer 4, it's more like a half layer similar to IP vs MAC. OAuth is a way to communicate someone's registered personhood securely.

The last layer should be "Persona" and be about how people present their personality and behavior, having potentially multiple identities, characters, depending on the service, context, how much anonymity exists, etc. and it would be akin to Layer 7 Applications, running on top of our wetware. Stephen Colbert vs Stephen T. Colbert.

👤basch 🕑6y 🔼0 🗨️0

(Replying to PARENT post)

DNSSEC. It's the solution to walled garden brands. The problem is that it needs the support of the big brands to be successful, and the big brands don't want competition.

👤jart 🕑6y 🔼0 🗨️0