by _jal
1829 days ago
If FB or some other big actor were to define identity standards, the standards would at least be friendly towards their operations, if not optimized for it. Risks would include privacy concerns, from obvious to not yet identified; the standards not being good at things other interested parties may like; mechanisms that encourage/require normal users to delegate some functions to private third parties; mechanisms that make it hard for normal users to use their identities as they choose; mechanisms that place more burdens on the user for retail fraud ("identity theft", for instance); the list goes on. For more, consider the ways that ID is used against people today. Now apply automation and a world-wide attack surface, and do not consider mitigations that might have an effect on some big actor's bottom line.

Everything really winds up being direct, indirect, or brokered, e.g.:
- direct: you have a pre-existing account on a website.
- indirect: you have an account with a Company, and I let that company's employees sign in with SAML etc.
- brokered: certificate authorities issuing certs based on domain/email/etc. validation, and I accept those certs by accepting those authorities
We won't see the indirect model get any broader than it already has - nobody is going to accept Sign in with Apple in lieu of a birth certificate.
What we _do_ see is the platforms (like iOS and Android) becoming wallets for identities issued by _others_ based on the indirect and brokered models. Adding mobile driver's licenses is upcoming for both mobile platforms.
But the reality is that for indirect/brokered, you have an issuer and you have parties who have made a decision to trust the identity. If Apple/Google mandate properties the issuers don't like, the issuers won't use it. If the issuers mandate behavior the verifiers don't like, they won't accept it.
And that's the same for any "user-centric" or "self-sovereign" identity system too. If bringing my own DID means that the issuer can't meet their identity verification/authentication mandates, they won't support it. If me using my own wallet means that a retailer is not getting identity assurance or is otherwise taking on additional risk, they won't accept it.
And obviously the people who do not like the overall properties will choose not to consume it.
What you imply is some nefarious function of big actor desires being baked into standards, I would just call 'understanding market requirements'.