[introduction] Goverments do not "issue identity"

[wip-abramson]

I think we should find a better framing for this sentence

Human identities are a very special case, particularly those issued by governments.

Governments issue a set of claims that an individual may present to contribute to an identity in the eye of the verifier.

I feel we should move away from the idea that government issuance is a pre-requisite to identity in any context.

[simoneonofri]

hi @wip-abramson , thank you for the comment.

In that phrase, it can be useful to specify that I intended the identities as a set of attributes (ISO definition) or credential as a set of claims (W3C definition).

In the end, governments recognize the identity (as an abstract concept) by releasing a credential (e.g., birth certificate) and some identifiers (e.g., tax-id) which are used in their domain/context.

[xiyao]

Many real-world application scenarios in China require the use of government-issued identities, resulting in a large number of identity leaks and identity impersonation. although W3C-standardized identities are useful in the online world, most identities in real-world systems require a real name. has there been any consideration of how to link real-name identities and DID identifiers in various countries?

[simoneonofri]

@xiyao thank you.

Identity leakage and impersonation are threats in each identity system, and we're tracking all the threats in the Threat Model. It can be useful to consider them in this context.

For DID, each government first chooses whether to use it and whether to use an existing method or create a specific one according to its needs.

As W3C, we require that anyone developing a DID method perform a security analysis according to RFC 3552 and document all security aspects.

However, that kind of threat concerns not only DID but, in general, the whole architecture (the five layers in the report), and it is an issue that should be analyzed on the specific implementation.

[jandrieu]

Many real-world application scenarios in China require the use of government-issued identities, resulting in a large number of identity leaks and identity impersonation. although W3C-standardized identities are useful in the online world, most identities in real-world systems require a real name. has there been any consideration of how to link real-name identities and DID identifiers in various countries?

IMO, this is partially a language challenge.

In particular, identity is subjective. That is, each individual observer--any cognitive system that can recognize, remember, and respond to specific people and things--necessarily has their own sense of "who someone is".

W3C has a sense of who Joe Andrieu is. The US State Department has another. Google has a sense of me. My family and friends, each, individually have a unique sense of who I am based on their experiences, observations, and gossip.

As such, what governments issue is not an "identity" per se, but rather they issue credentials that can be used by identity subjects to establish that they have an identity recognized by the government. When service providers accept these credentials as evidence of claims about the subject, they are binding (however strongly) the nation-state's identity with the service provider's sense of the user. It's the record in their own systems that comprises the service provider's identity for the user.

In this way, credentials allow us to establish beliefs about subjects by adopting assertions from credential issuers based on our confidence level in those issuers for those claims. There may or may not be a government involved.

Importantly, there are nearly infinite use cases for identity that have no reliance on sovereign states. Unfortunately the expectation of resolving online identity to both a unique physical person and to a unique legal person create many, probably most of our privacy failures in this industry. And is one of the biggest threat vectors in our digital society.

So, to answer the question directly:

has there been any consideration of how to link real-name identities and DID identifiers in various countries?

Yes. This is, IMO, the purpose of Verifiable Credentials issued to DIDs. The DID secures the identifier using cryptography under the subject's control (without revealing unnecessary details about the subject) and the VC establishes facts which you can take as about the controller of the DID as long as there is a proof-of-control ceremony at issuance and presentation of the VC.

We've been thinking about this a lot at the Digital Fiduciary Initiative, where we are creating a formal protocol for establishing the eligibility to work in the United States, issuing a VC to the subject's DID, after satisfying the rules of the protocol. https://digitalfiduciary.org We base it on this pattern of in-person ceremonies that result in auditable verifiable credentials. Those credentials can represent just about anything anyone wants to know about the subject, per the specific protocol. We are starting with the employment eligibility because its the most widely used identity verification protocol in the US, but the pattern can be used for any domain in which private details need to be keep private, but which need to be evaluated to establish characteristics about a data subject.