Implementing a minimal identity (meta)system #34
Replies: 4 comments
-
Thanks for writing this up, super interesting. You gave this policy example:
Is the idea that each of these platforms––Discord, Discourse, and GitHub–– would actually add support for the same "identity metasystem" (whether that's Solid WebID or DID or something else)? |
Beta Was this translation helpful? Give feedback.
-
Possible identity arrangements, from hardest to easiest:
Note, you can have SSO without account linking, because the identity provider might not give you access to the distinguishable user information. |
Beta Was this translation helpful? Give feedback.
-
I don't think I understand each of these bullet point options well enough to really be able to comment on this yet @thelastjosh .
and I still don't have the answer to this question, but I can do some more research into decentralized/SSI approaches to figure it out. -- Can we bring this back to what we're trying to accomplish to see if we're on the same page about that? Here's what I would like Metagov to be able to do. This example uses SourceCred(+Discourse) and Open Collective, but ideally we can do it for any external service that we have a Plugin for (Loomio, Discord, etc). # use-case: Use SourceCred to decide whether to approve or reject an Open Collective invoice.
# this is in a PolicyKit policy:
oc_username = opencollective_event.initiator.username # "miriam-ashton"
response = metagov.perform_action(
name="sourcecred.get-user-cred",
# this is directing metagov to resolve this username using the "opencollective" provider key
user={"username": oc_username, "provider": "opencollective"}
)
# metagov magically returned my SourceCred value, even though SC does not have an OC integration
cred = response["value"] So, there's lots of ways for that identity resolution to happen, I'm sure. But somehow, Metagov is able to resolve username from one provider (
There are lots of questions here around consent, opt-in/opt-out, and how these connections are formed. But I think these connections DO need to exist in order for us to achieve all these cross-platform use cases we've talked about. Do you agree? Is using a "self-sovereign identity meta-system " supposed to make this obsolete somehow? That's the part I'm not following. Thanks! |
Beta Was this translation helpful? Give feedback.
-
I think the idea of a Metagov identity metasystem is not that these platforms themselves would implement an identity metasystem, but that every community would implement its own identity system. So the administrator of a multi-service, multi-platform Metagov community would have tools that allow her to choose whether to manually link identities across services and platforms, link them through user prompts, or through some sort of external SSI option. ONE such tool for linking would be an "off-the-shelf" Metagov identity system that solves the problem for services with a Metagov plugin.
Yes.
No. SSI is just another method of providing these identity linkages. It simply offers more security / control over personal information to the user, but also requires a lot more active permissioning + sophistication by the user. |
Beta Was this translation helpful? Give feedback.
-
Tl;dr: we should see if Solid or some other service in Web3 has implemented a minimal, "claims-based" identity metasystem, and evaluate whether it's possible to import that metasystem into Metagov along with some basic support for building plugins and policies using the units of that metasystem.
Parts of this post are
Problem
Linked identity is a clear prerequisite to a range of possible governance policies that communities may wish to adopt. Linked identity is also necessary for certain Metagov services to function. For example:
This is clear value in having linked or shared digital identities for users as well as for other entities such as organizations, roles, and resources.
Direct solutions (copied from @mashton's docs)
Linked identity can be accomplished directly through various forms of account linking; account linking is when user accounts from various identity providers are associated with the same user profile. In the above example, the record for OpenCollective user “joshua-tan” would be linked to the record for Discourse user “joshua.” There would be some core user profile record that lists all the accounts that belong to this user. That profile record could be curated
We got as far as the above before deciding that identity was out-of-scope for phase 1 of the Metagov prototype.
Proposal: an identity metasystem
I hypothesize that Metagov should not be in the business of providing a shared identity layer for its plugins, nor should it be in the business of determining the identity policies of particular platforms and communities.
Therefore, instead of an explicit identity layer, I propose that we implement (or import) a minimum viable identity metasystem (MVIM) for Metagov. Such a metasystem should expose a unified interface that allows services to "loosely couple" to a set of 3rd-party identity management systems. By implementing an identity metasystem as opposed to an identity system, we maintain Metagov's status as a backend service for governance authors.
Background and Definitions
This is clear value in having linked or shared digital identities for users as well as for other entities such as organizations, roles, and resources. Indeed, corporations spend billions on a generalization of this problem every year, called "[entity resolution[(https://www.sciencedirect.com/topics/computer-science/entity-resolution)". But the problem of providing a linked, much less unified, identity layer is extremely difficult. Kim Cameron has an excellent summary of why:
Instead of an identity layer, Cameron argues that we need a identity metasystem:
She further argues that the concept of a "claim" is central to such an identity metasystem and "encompasses all the known digital identity systems and therefore allows us to begin to unify the rational elements of our patchwork conceptually. It allows us to define digital identity for a metasystem embracing multiple implementations and ways of doing things." To Cameron,
Note that, contrary to the problem setting above described by Cameron, Metagov does not need an identity layer for the whole Internet. It just needs an "identity open set" that covers the services needed for a single community. (Indeed the problem seems intractable at the scale of the Internet: Cameron posed her idea of an identity metasystem in 2006.)
Next steps
It's my belief that some kind of claims-based identity metasystem has almost certainly been implemented somewhere, i.e. the claims-based approach sounds vaguely familiar to docs I've read for things like Solid, DID, and self-sovereign identity. So the next step is to do some research / ask a knowledgeable expert who can point us in the right direction. I'll update this issue as we collect more information.
Beta Was this translation helpful? Give feedback.
All reactions