Replies: 7 comments 48 replies
-
Having asked this question, I am now looking through other things we've published to see if we've already answered it. It's a mixed bag, I think. Principle 1 of our Design Principles assumes a communication paradigm, and the terminology section and mental model diagram early in that doc clearly assume intentionality in relationships, not just authentic data. However, Principle 2 ("Connectivity is its own reward") is described with this phrase: "Connectivity in this context should be understood as the ability to exchange trustworthy information between any two endpoints." This is a more generic formulation than "communication" as I'm defining it -- it mentions "information" rather than something semantically richer like "message", and it describes endpoints but makes no assumption about intentional actors.
In the actual spec that we've written, we seem to make stronger assumptions: "With regard to the first design goal, establishing trust between parties requires that each party develop confidence in the following properties of their relationship" (Section 6.1). This is a communication framing, not just a data framing. Later, we say of the Trust Spanning Protocol, "The main function of this protocol is to enable universal end-to-end communication among all Endpoint Systems using trusted messages" -- followed by 3 observations about "communication", followed by this paragraph: "This protocol is designed to be universal in the sense that all Endpoint Systems, regardless of their form factors or implementation methods, can communicate with each other using messages incorporating standard trust guarantees." (Section 8.1)
And we have requirements like this one, which are not about authentic data: "The ToIP Trust Spanning Protocol MUST support extensible message schema. [REQ 2.13] This enables different Trust Task protocols to be constructed without changing the base format."
Or this: "L2.1 A ToIP Endpoint System MUST communicate with another ToIP Endpoint System using the ToIP Trust Spanning Protocol." (Note the use of the word "communicate" and note as well that the careful definition of Endpoint System includes intentionality.) @talltree or @wenjing, can you comment on whether the distinction between data and communication has been deliberately discussed before? Are we using "communication" as a convenient generic word to mean simply the production of data, or do we actually mean it in the sense that linguists and most business contexts would assume?
-
It may help to try to answer this question with reference to some specific examples, so here are some examples plus my musings about them.
-
@dhh1128 picking out a few phrases from your original post...
Agreed, it's about data embedded in communication(s).
This is an impossibility (as worded). ToIP has no role in the origination, storage, or processing of virtually all LOB data (aka producing data).
Authenticity is impossible to determine by most software (maybe ChatGPT is an exception). I refer you to the following article about facts, opinions, and folklore: Facts, Opinions, and Folklore: A Preliminary Taxonomy (https://hyperonomy.com/2022/11/19/facts-opinions-and-folklore-a-preliminary-taxonomy/)
-
You are correct, given you use a broad enough definition of authenticatable or authentication; that is why I go to great pains to use a very narrow definition. In general, "authenticatable" can only be known with some degree of uncertainty. Typically the uncertainty is largely statistical, as in the likelihood that the data is sourced from a given entity or natural person. Even for the narrow definition of authenticity, which is a verifiably signed message, the likelihood of authentication is influenced by the incentivization structure governing that person or entity's motivations with respect to maintaining the security of their key state. Using asymmetric keys that NEVER require an entity to share the private key in order to authenticate makes it possible to have a very strong incentive (as in legal recourse over fraudulent signatures) against mishandling keys. That only changes the likelihood but does not remove its inherent uncertainty; it merely lessens it (albeit materially).
Anyone engaging in a transaction must weigh the inherent uncertainty as a risk factor in their decision to engage in that transaction. Transactions whose value is under a given threshold of risk for a given level of uncertainty can proceed in an automated fashion. Transactions whose value exceeds that threshold should not proceed, thereby protecting the associated party. The point is that in any case one can argue that there is no such thing as true or complete authentication, which is a true argument, but not a very useful one.
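The risk-threshold rule described above -- automate transactions whose expected exposure stays under a party's tolerance, refuse the rest -- can be sketched in a few lines. This is only an illustrative model; the function and field names, and the idea of expressing uncertainty as a misattribution probability, are my assumptions, not anything from the TSP spec or KERI.

```python
# Hypothetical sketch of the value-vs-uncertainty decision rule above.
# All names and numbers are illustrative assumptions.

def may_proceed_automatically(transaction_value: float,
                              authentication_uncertainty: float,
                              risk_tolerance: float) -> bool:
    """Return True if the expected loss from misattributed authorship
    stays within the relying party's risk tolerance.

    authentication_uncertainty: estimated probability (0..1) that the
    signature does NOT reflect the purported signer's true key state.
    """
    expected_loss = transaction_value * authentication_uncertainty
    return expected_loss <= risk_tolerance

# A low-value transaction proceeds despite nontrivial uncertainty...
assert may_proceed_automatically(100.0, 0.01, 5.0)
# ...while a high-value one with the same uncertainty must not.
assert not may_proceed_automatically(1_000_000.0, 0.01, 5.0)
```

The point of the sketch is that authentication never reaches certainty; the decision is always a comparison of residual uncertainty against the value at stake.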
-
NOTE: We need to strive for definitions and contexts that have not been KERIzed. Here is a more basic set of definitions that do not include any KERIsms. I think this is very basic:
More specifically,
-
Authentication or Authenticability of Data is a Layer 3 Super Protocol issue -- not a Layer 2 Trust Spanning Layer Protocol topic.
-
TL;DR: Skip to the header SUGGESTION.
As I said yesterday in the CTWG meeting, different people have different conceptualizations (i.e., sets of related concepts/ideas they use in their mind to make sense) of the things they talk about. Often, such conceptualizations are valid, meaning that they actually make sense to those that use them. Lots of discussions and misunderstandings arise, AFAICT, because people mix their own conceptualization with that of others. It doesn't work like that. Even under pressure (of, e.g., a deadline) it still doesn't work.
The first step, as I see it, to coming to grips with this is to ask people to clarify their concepts such that we can learn what they are, and test whether or not we can agree that we have the same understanding. We do that by (temporarily) setting our own ideas, concepts, truths, etc. aside, and then stimulating and helping a person come up with a criterion for each such concept (which Merriam-Webster says is: "an abstract or generic idea generalized from particular instances", i.e., a class of things, behaviors, etc. that have some commonalities that make them instances, or examples, of that class). A criterion is simply a test to check whether or not something has these commonalities that make it an instance/example of the class (or not).
Note that concepts are ideas, thoughts, intangible stuff. They are not terms. A term is just some text that refers to that particular concept. And one might say that the pair (term, criterion), where the term refers to a concept and the criterion can be evaluated to determine whether or not something is an instance of the term, might be called a definition. There is nothing intrinsically right or wrong about any such pair. But specific pairs may be more efficient when used to make sense (of a specific part) of the world.
While in discussions like the above it is OK to start off with some term, the next thing we should do is come up with the criteria that different people have associated with such a term. They are going to be different, and that is OK. We FIRST need to understand what they are about (and possibly also what the criteria are for the concepts that are related to them in a conceptualization of a person). I know this takes time -- likely more time than people feel comfortable with. Fortunately, there's a choice: you can either do it this way (and experience what good -- if any -- comes from this), or do it in the way you have been using for the past decade(s) or so (and you will be able to predict what you'll end up with).
Lawyers have been there. Over the years, at least in the Netherlands, it has come to pass that one of the first Articles of a law contains a glossary, which is a list of (term, criterion) pairs. They do this because judges and other lawyers can then determine, for example, whether or not you qualify as a 'driver' or 'owner', or ..., which would have the implications that the laws state for 'drivers', 'owners', etc. Doing this makes it much easier to have the same understanding about what the law is about -- even if you do not agree (because that's a different matter). Note that two different laws may have different definitions for the same name, or different names for the same criterion. They may also 'import' terminology from other laws, saying that terms X, Y, and Z are defined in Article 1 of a particular other law. It's exactly what CTWG proposes that we do in governance frameworks, architecture documents, etc. This is how I think the conceptualizations of a community could be constructed. Individuals do not need to agree (I do not agree with every law in the Netherlands).
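The (term, criterion) idea above is mechanical enough to sketch: a glossary maps each term to a criterion, i.e., a predicate you can evaluate to decide whether something is an instance of the concept. The terms and test data below are invented for illustration only.

```python
# A minimal sketch of a glossary as (term, criterion) pairs, where each
# criterion is an evaluable test. All terms and attributes are invented.
glossary = {
    "driver": lambda x: x.get("operates_vehicle", False),
    "owner":  lambda x: x.get("holds_title", False),
}

alice = {"operates_vehicle": True, "holds_title": False}

# Evaluating a criterion tells us whether alice qualifies under this
# glossary's definitions -- regardless of what other glossaries say.
assert glossary["driver"](alice)
assert not glossary["owner"](alice)
```

The design point mirrors the legal analogy: two different glossaries may attach different criteria to the same term, and agreement on which criterion is in force matters more than agreement on the word itself.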
Being part of a community means that you can deal with its conceptualizations, and since you're a 'party' that is autonomous (self-sovereign, if you will), you still get to keep your personal conceptualizations. There are several things we can do. An obvious one is to come up with sets of criteria for concepts/ideas/classes of things, behaviors, etc. and find out which are relevant for the TSP. Don't bother about assigning them terms yet. Call them C1, C2, etc. or something similar. Continue until the set is more or less complete. Then choose names that seem useful, and continue as usual.
SUGGESTION
Another idea is to make a list of 'disputed terms', i.e., terms that we are arguing about. In this issue, terms such as 'authentic data', 'authentic communications', perhaps even also 'data' and 'communications' themselves, would go on the list. Then, make it a habit to NOT USE any such term in any text you write or speak (e.g., in this very issue), but instead, use the criterion that enables others to make the same distinction as you do. For example, suppose I wrote the first post in this issue, which contains the phrase "authentic data is great", which contains the disputed term 'authentic data'. Since I should not use the term 'authentic data', I need to resort to something like "data that I have received from a party that I trust is great", if that is what I want to say.
This does several things. First, it forces me to express what I want to say, rather than burdening my audience with figuring out what the hell I mean by 'authentic data'. It can be an insightful, sometimes also humbling, experience. It may even resolve some problems that I had. Actually spending time on this is a real contribution to the community in which the dispute lives. Second, it helps others to better understand what my position is. I would consider "data that I have received from a party that I trust" much better to understand than "authentic data".
This puts them in a better position to contribute to the resolution of the dispute. Third, it may become messy, e.g., if a new dispute is started over the term 'trust' that I used. If this were put on the list of disputed terms, I'd have to rephrase it again, and run the risk of (again) using words that will be disputed. We have to deal with this sensibly when it happens, keeping in mind that we're not doing this to follow the procedure, but to come to a better understanding of each other, and to create a conceptualization of the things we're talking about that we can all understand, yet may (not) totally agree on.
-
During the very brief Q&A at the end of my preso the other day, @SmithSamuelM pointed out that I was using the word "authentic" in a way that seemed odd. He was right, but my mistake was actually worse than his polite comment implied: I wasn't just using an unusual definition -- I was being inconsistent. Ugh. I have written a little bit more about that here; read down at least as far as @sawhitmire's comments if you want full context.
This new discussion is to frame a larger question which is at the heart of my inconsistency. It's the question in the discussion title, and I think it's vital that our TF explore and align around an answer to it. Doing so may lead to an obvious answer to any disagreements we have about layering.
Authentic data is great -- but I claim that it is very much not the same thing as authentic communication. This is not because I define "authentic" differently, but because of the noun that follows the adjective. Data is not communication. Astronomers analyze the chemical composition of a star using a spectrograph; the spectrogram it produces is data. We may use some verbal sleight-of-hand to say that the data "speaks" to us, but this is only sleight of hand. Actual communication has the defining characteristic that it is the embodiment of intention to produce interpretive effects in an audience. This is true even when we talk to ourselves.
I have been under the assumption that it is the act of communicating authentically that ToIP should nail down. I think Sam has been under the assumption that it is the act of producing data authentically that ToIP should nail down.
Here is the argument for focusing on authentic data, as I understand it (and as I believe it):
More could be said, but I think this sums it up fairly, and I agree with all of it.
However, I think that authentic data is relevant to many use cases that are outside the scope of concerns of ToIP. Whether a spectrograph signs its spectrograms is an interesting authentic data question, but it is not at the heart of ToIP's raison d'être. Whether a particular block is part of Bitcoin is an interesting authentic data question, but it is not at the heart of ToIP's raison d'être.
This doesn't mean that ToIP is uninterested in such things; a scientific governance body in ToIP's layer 4 might well have something to say about whether spectrographs should be signed, and an ecosystem that uses Bitcoin might impose requirements about how long to wait before trusting a commit to the blockchain. This is, I believe, the kind of trust tool usage that we imagined in our Design Principles whitepaper when we said, "Parties can use all the facilities of the ToIP stack—DIDs, verifiable credentials, governance frameworks, trust registries—to accumulate the evidence necessary to make [a given] trust decision." [p. 13] But notice that statements about signed spectrographs or Bitcoin commits could also, easily, be made by entities that have no intention, need, or desire to fit into ToIP's model and don't care about the kind of trust we are trying to achieve here. In this sense, I would compare authentic data to something like multisig schemes. Yes, we totally want them, and we plan to use them -- but using them isn't a uniquely defining concern of ToIP. They are world support infrastructure to us, and we call on them as needed to suit our purposes.
On the other hand, I have thought that authentic communication IS a defining concern of ToIP. The very first principle in our Design Principles whitepaper is the end-to-end principle. Set aside Beck's ambivalence about its power to explain and guide (ambivalence which I think you share, Sam?), and just look at the language we use to justify its primacy. It tells you something about where our heads and hearts are. We say that this first of our design principles is all about "application-specific features resid[ing] in the communicating end nodes of the network." [p. 11] A little later in the whitepaper, we explain our reliance on it again with communication in our minds: "The only way to deliver end-to-end security and end-to-end privacy to parties communicating over the Internet is with end-to-end protocols." [p. 13] The point I'm making is not about whether we chose our principle wisely; it's that we justified our first principle with an argument about communication. Our 8th Design Principle, "Trust is human", and our 9th, "Trust is relational", are also suffused with communication paradigms.
I believe we did this because it is when we change our mental frame from data to communication -- by postulating a message sender with intention toward another party -- that trust gets gnarly. I believe that ToIP passionately aspires to provide the definitive answer to the question of how trust is built and evaluated under that condition, not under the more general condition of how to decide the origin of data in the abstract.
If I am right, then the bottom of ToIP's trust spanning layer should be the weakest thing held in common by all higher-level constructs wanting to build on trusted communication. My clumsy attempts to explain why we needed to guarantee that the intentions of a message sender are defined actually make sense under that worldview: we can't afford to have people think it's optional to declare their intentions about messages. This doesn't mean that we combine layers and pollute the beautiful simplicity of what Sam has built for authenticity -- but it means that authentic data is a Layer 1 tool, not a Layer 2 narrow neck/waist. Authentic data is not minimally sufficient for authentic communication, but it can certainly be the way we achieve it. In that view, if we found other supports that were capable of delivering the same things as KERI, they would all be alternatives that our spanning layer could use.
If I am wrong, then the bottom of ToIP's TSP is just authenticity as Sam proposed it. Authenticity is the ONLY characteristic that we guarantee to be shared by everything above it, and the scope of concerns for ToIP is anything that has that solution in common.
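The distinction the two preceding paragraphs turn on can be made concrete with a small sketch: "authentic data" is a signed payload and nothing more, while "authentic communication" additionally binds the signature to a sender, an intended audience, and a declared intent. All field names here are invented for illustration; nothing below comes from the TSP spec or KERI.

```python
# Hypothetical sketch of the layering distinction: a signed payload
# (authentic data) vs. a signed message that also declares sender,
# recipient, and intent (authentic communication). Field names invented.
from dataclasses import dataclass

@dataclass
class AuthenticData:
    payload: bytes      # e.g., a spectrogram, a Bitcoin block
    signature: bytes    # proves origin of the bytes, nothing more

@dataclass
class AuthenticMessage:
    payload: bytes
    sender: str         # identifier of the intentional actor
    recipient: str      # the intended audience
    intent: str         # declared purpose, e.g. "offer", "assert", "request"
    signature: bytes    # would cover the payload AND the fields above

# Authentic data can carry a message, but a message is more than its data:
msg = AuthenticMessage(b"price: 10", "did:ex:alice", "did:ex:bob",
                       "offer", b"...")
assert isinstance(msg.payload, bytes)   # the data layer is still there
assert msg.intent == "offer"            # the communication layer is extra
```

Under the "if I am right" reading, the spanning layer guarantees the second shape; under the "if I am wrong" reading, it guarantees only the first, and intent becomes something higher layers may or may not add.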