by smoldesu 1829 days ago
That's probably what someone would have said if they saw Facebook 20 years ago.

The intention here is to get out in front of FAANG before they can make their own, proprietary standards for ID. As terrifying as it is, personal identification is going to become a huge part of the next 10 years of computing, and potentially radically change the way we interact with the web.

3 comments

> That's probably what someone would have said if they saw Facebook 20 years ago.

This is just a variation on the URN idea afaict. RFC2141 is more than 20 years old. There's been plenty of time to get out in front of fb, et al.

The distinctive capability is offline auth. I guess we are still holding out that eventually it will get easy enough to write offline (aka p2p, user-agent only, interconnected apps) that having an auth standard becomes an accelerator.
I'm, sadly, old enough to remember this absolutist argument about OAuth.

I'm curious, what's the risk here?

If FB or some other big actor were to define identity standards, the standards would at least be friendly towards their operations, if not optimized for it.

Risks would include privacy concerns, from obvious to not yet identified; the standards not being good at things other interested parties may like; mechanisms that encourage/require normal users to delegate some functions to private third parties; mechanisms that make it hard for normal users to use their identities as they choose; mechanisms that place more burdens on the user for retail fraud ("identity theft", for instance); the list goes on.

For more, consider the ways that ID is used against people today. Now apply automation and a world-wide attack surface, and do not consider mitigations that might have an effect on some big actor's bottom line.

The basis for identity is that the receiving party has to make a decision based on some sort of trust relationship.

Everything really winds up being direct, indirect, or brokered, e.g.:

- direct: you have a pre-existing account on a website.
- indirect: you have an account with a Company, and I let that company's employees sign in with SAML etc.
- brokered: certificate authorities issuing certs based on domain/email/etc. validation, and I accept those certs by accepting those authorities.

We won't see the indirect model get any broader than it already has - nobody is going to accept Sign in with Apple in lieu of a birth certificate.

What we _do_ see is the platforms (like iOS and Android) becoming wallets for identities issued by _others_ based on the indirect and brokered models. Adding mobile drivers licenses is upcoming for both mobile platforms.

But the reality is that for indirect/brokered, you have an issuer and you have parties who have made a decision to trust the identity. If Apple/Google mandate properties the issuers don't like, the issuers won't use it. If the issuers mandate behavior the verifiers don't like, they won't accept it.

And thats the same for any "user-centric" or "self-sovereign" identity system too. If bringing my own DID means that the issuer can't meet their identity verification/authentication mandates, they won't support it. If me using my own wallet means that a retailer is not getting identity assurance or is otherwise taking on additional risk, they won't accept it.

And obviously the people who do not like the overall properties will choose not to consume it.

What you imply is some nefarious function of big actor desires being baked into standards, I would just call 'understanding market requirements'.

In my view, it's actually a move toward the PKI/trust layer that we should have implemented at the outset.
It was implemented. Nobody used it.
I'd put it slightly differently. The infrastructure went part of the way. It needed several more iterations. The UX, as you point out, never went anywhere. At least now people are getting comfortable with the idea of using a private key, even if no one has yet cracked the problem of crypto UX.
When I say it was implemented, I mean at Netscape around 1999 we had projects with banks where they issued smart cards, used with USB readers, that facilitated SSL client cert auth. Similar to today's FIDO2/U2F. I don't know why these schemes were never widely adopted but it wasn't because the implementation was lacking.
I used all these systems, and even helped run a smart card conference back then.

The implementations were very lacking. As unusable as PGP for normal people. The banking industry took a hard pass on the whole thing for good reason.

"The risk" is a weird, ambiguous ghost in the machine. Maybe it's a result of digital paranoia setting in over the past decade, or maybe it's our response to digital rights abuse. In any case, it's always a good thing when mission-critical infrastructure is democratized like this.