The Internet has become the most important mediator of information because it can spread news very quickly to the masses. Famous and important people, celebrities, companies, banks, and authorities have learned to use social networks. A popular platform for sharing short news is Twitter. The social importance of such platforms is huge and it is no wonder that people are calling for more security of user accounts and protection against fraud. So far, this has not been the case. Let’s consider whether Cardano and the Atala PRISM project can help IT companies.
The digitization of information and centralization has gone too far and the concept is no longer working. It is time for Peer-to-Peer communication.
The same principle used to send a blockchain transaction can be used to authenticate tweets.
Atala PRISM is an existing solution that could be easily integrated with Twitter.
You can have a single DID for all services on the internet.
Man, I hope so. And, it is not just about the digital identity - authentication problem but also the ownership of the content produced. On YouTube, Twitter, Facebook, people don’t actually own their own content. Furthermore, any businesses built on top of these platforms can be taken away by the big tech gods on a whim.
In the introduction, you say that the problem is centralisation, but in the rest of the article the topic is only logging in and signing messages on still centralised services.
There already were attempts to decentralise social networks – Mastodon probably being the most successful, but by far not the only one. They did not need any blockchain at all for it. Nevertheless, they did not replace any of the existing networks. I’d say for social, more than for technological reasons: People just want to find a critical share of their peer groups on one, centralised platform.
(Ironically, the preferred platforms of most crypto projects – e.g., Telegram and Discord – are rather less open and very much centralised. The only “decentralised” thing about Telegram is – in an interpretation sacrificing all meaning – that it makes a pose out of not bowing to regulations and letting Nazis run rampant unblocked.)
Logging in and signing with cryptographic credentials is nothing new that would need a blockchain, let alone a cryptocurrency blockchain. TLS client certificates, S/MIME, and OpenPGP have been around for decades. Nobody using them was more of a usability issue. And maybe it would benefit the world more if wallets would be developed to finally use them without any coins and chains attached.
Does such a wallet – irrespective if shiny, new, hype blockchain or good, old Internet standards – protect users better against being hacked? Well, given the plethora of people scammed in crypto, the need to tell them on every welcome message, in blinking GIFs, and as first part of any support answer to not share their seed phrases, and they still do it, I’d make a question mark on that.
Does the blockchain magic in there give us some assurance about identities?
This paragraph does not describe how such an association is made reliable. The association is just stated here. Anybody could state to be me (and if they have access to it also include some of my – or maybe their? – biometrics to seem extra trustworthy). This has to be verified by someone.
In the classical cryptographic solutions, it was done – rather unsuccessfully – by webs of trust and – rather successfully – by certification authorities. To roll something like that out to the masses, it should probably be done by your local government office – or in countries without a trustworthy administration by the church or another widely respected authority. And if we need an authority, anyway, what do we need the blockchain for?
By the way 1: One of the companies seemingly being a bit further with their interpretation of “SSI” uses either the data of telecommunication companies or the machine-readable identities of governments for assuring that I am me: https://iamx.id/wp-content/uploads/2022/02/2022-02-IAMX-Factsheet.pdf There is no win. Please, let governments directly assure identities without wasting resources on blockchains!
By the way 2: Do you have sources that Atala Prism is production-ready? The website still is all marketing and mock-ups. I’d love to read some specs and documentation.
I agree that we need to use existing authorities to issue credentials particularly in countries that have egalitarian ones. But, identities can be built from lots of different credential pieces issued by different organisations, so this can provide a degree of decentralisation even at the issuing stage.
Though, I think the benefit of blockchain comes more at the access and usage stage. Control over credential usage needs to be in the hands of the owner, and it must be impossible to remove the owner’s right of access. Furthermore, it must be impossible for anyone to re-write history.
Then, by leveraging zero knowledge proofs, the owner gets control over what aspects of their identity they choose to reveal. And, society is more empowered to negotiate over what identity proofs should be required for certain services.
I have a feeling that we might have different standards for what is egalitarian enough. …, but that should be totally okay.
Oh, yes, point I should have added: The “government or other trustworthy authority” in my post is not an exclusive or. For some things – e.g., ensuring “one person – one vote” or “one person – one universal basic income” – a centralised, trustworthy authority is needed. But a lot of other things work just as well with pseudonymous identities issued by your local hackspace.
Still don’t see the benefit of the blockchain, there. Giving them to the owner can just be done by giving them the signed documents – simply in the form of a signed PDF or as some QR code shenanigan (quite successfully tried with the vaccination certificates in Europe) or … Chains of verification certificates can be cached locally, have to be kept available by the authorities that are needed, anyway, and availability can be ensured by redundant replications.
The core feature of a blockchain is the consensus mechanism preventing double-spending in cryptocurrencies. Where is the need for that here? We have to know and trust the sources of truth anyway and there is no easily definable “double-spending” that could be prevented by consensus.
Would have to be defined in more detail. If I have the signed documents, they cannot take them from me. They could revoke them, which is an application-dependent action that might or might not be legitimate, which cannot be solved by technology. They could claim the key was compromised and that they were never legitimately signed in the first place.
And that is the only part, where a blockchain might be handy. As a very, very expensive time-stamping service. There are other solutions – https://en.wikipedia.org/wiki/Time_stamp_protocol – and it can already be enough to have a public, replicated hash chain, so that “they” cannot simply claim something in that chain never happened without rewriting it completely, which would need a huge collaboration and could still be spotted. Still doesn’t need the consensus part of blockchain, doesn’t need thousands of validators storing and working on that data, just maybe dozens. Somehow related to the question if git is a “blockchain”.
ZKPs are independent of data storage on a blockchain. They are interesting, but for a lot of applications, it is maybe more user-friendly if the verifiers/authorities issue specialised reduced documents that can just be shared fully – e.g., a PDF or a QR code stating that the holder (identified by a picture?) is above 18 or 21 without more details. Such systems have to be understandable by the masses and a document that they can look at trumps ZKPs in that regard.
Apropos “understandable by the masses”: That is the big risk I would see in addition to blockchains not really fulfilling a purpose in these applications. People – at least the ones somehow believing in blockchains – tend to think: “It is recorded on a blockchain. It has to be true.” And that is very risky in such applications, where the important truths live outside of the blockchain and just the fact that there is a transaction on the chain proves next to nothing. (Comparable problem: Copyright-violating NFTs – the fact that someone minted an NFT does not say anything about the question if they really were the creator of the linked piece of art or non-art.)
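The "public, replicated hash chain" mentioned in the reply above, sketched as an added example that is not part of the thread or of any project discussed in it. All function names, the entry layout and the sample documents are assumptions made for illustration; it shows that a fully recomputed chain still passes its own consistency check and is only caught by comparison with an independently held replica.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # constructed starting value for the chain

def entry_hash(prev, doc, ts):
    # Each entry commits to its predecessor, the document digest and the time.
    blob = json.dumps({"prev": prev, "doc": doc, "ts": ts}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

def append(chain, doc_digest, ts):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "doc": doc_digest, "ts": ts,
                  "hash": entry_hash(prev, doc_digest, ts)})

def verify(chain):
    """Index of the first internally inconsistent entry, or -1 if none."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["doc"], e["ts"]):
            return i
        prev = e["hash"]
    return -1

def first_divergence(mine, theirs):
    """Index where two replicas first disagree, or -1 if one extends the other."""
    for i, (a, b) in enumerate(zip(mine, theirs)):
        if a["hash"] != b["hash"]:
            return i
    return -1

def rewrite_without(chain, index):
    """What an issuer denying entry `index` must do: rebuild every later link."""
    forged = []
    for i, e in enumerate(chain):
        if i != index:
            append(forged, e["doc"], e["ts"])
    return forged

def build_sample():
    # Constructed sample documents, not real credentials.
    docs = [(1000, b"alice: over 18"), (1010, b"bob: member"), (1020, b"carol: over 21")]
    chain = []
    for ts, doc in docs:
        append(chain, hashlib.sha256(doc).hexdigest(), ts)
    return chain

if __name__ == "__main__":
    published = build_sample()
    replica = copy.deepcopy(published)      # copy held by an independent party
    forged = rewrite_without(published, 1)  # issuer pretends entry 1 never existed
    print(verify(forged), first_divergence(forged, replica))
```

The check that matters is `first_divergence` against a replica outside the issuer's control; `verify` alone only catches edits made without recomputing the later links.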