undefined | Better HN

0 pointsandreskytt3y ago0 comments

I’m genuinely curious as to why discussions on identity inevitably also involve claims about that identity. For authentication purposes, all that’s necessary is for a user to prove they are in control of an identifiers by presenting some credentials like a nonce encrypted with a private key. Yes, one can share data in-band during the authentication process (as part of the certificate, for example), but it’s not necessary and verifiable claims can be shared via a myriad of other mechanisms like API calls. So why do we spend enormous amounts of resources on trying to merge authentication and data sharing?

0 comments

3 comments · 2 top-level

PretzelPirate3y ago· 1 in thread

Because identity and credentials aren’t the same. A credential tells a system that “I have the correct secret” and an identity tells it “this is who I am”.

Who you are is important in understanding what you can and can’t do in a system. For example, an identity might say “this person is a US citizen” and then all systems that can’t allow US citizens will respond appropriately and block your access.

Credentials are often shared, identities should never be shared. Credentials will often grant you access to a specific identity.

The issue with DID is that there isn’t a way to differentiate whether a credential holder matches the identity those credentials grant access to. The nice thing is that it allows for a set of attestations to be associated with your identity that allow you to essentially be verified once instead of per-system. You could have one financial company go through the KYC process for you and others could leverage their attestations about who you are.

You also don’t have to give control over your identity to a third party like Google, Apple, Meta, or Microsoft. I appreciate that since I’m leaving the Apple ecosystem and have way too many accounts set up which use Apple for login. It’s not fun to try and change that and recover my access to those sites.

Karunamon3y ago

You've described the identity of a person, which is not the only or the most common use for credentials.

Consider a public/private keypair, where the private key is the credential, the public key is the "identity", but that public key can grant access to any number of accounts despite not being anything other than a randomly generated key.

mordae3y ago

You too?

I mean, the data are immediately stale! And there is no persistent subscription to update the data to comply with GDPR. It's crazy.

j / k navigate · click thread line to collapse