The DID Dilemma: When is an identifier ‘decentralized’?
The last several weeks have witnessed substantial discussion on the meaning of “decentralization” and on the question of when an identifier can be called “decentralized”. A session around these topics was held at the 28th Internet Identity Workshop, and the chairs of the W3C Credentials Community Group have formulated an action plan. We would like to support these developments.
If we intend to build a universal identity layer for the web, we have to enable technical interoperability between identity systems of all sorts. Decentralized Identifiers (DIDs) have proven highly attractive as a means to this end. While DIDs support the SSI/Web3 vision, we also need to recognize that other, non-decentralized identifiers will continue to exist that do not align with this vision.
It is now clear that a certain tension exists between the initial goal of DIDs to empower identity subjects to be in full control of their identity and the more recent goal to achieve interoperability with other identity systems.
This blog post is intended as a constructive contribution toward a resolution of this tension which threatens to undermine the core values and paradigms of thought driving innovation in the decentralized identity space thus far.
We would first like to share the following observations that have been made by members of the community around DIDs:
- It is difficult to define decentralization in a way that is measurable, or formulate a definitive answer to the question “When is an identifier decentralized enough?”.
- Many blockchains or distributed ledgers are not actually as decentralized as they claim to be.
- Some traditional non-decentralized identifier systems such as DNS may turn out to be more reliable and trustworthy than some blockchain-based identifier systems.
- Blockchain and DLT networks are usually developed to be resilient by design. Some strategies to achieve this are: a high number and diversity of nodes, game-theory-based incentive models, and the capability to support a large variety of applications and use cases, leading to a heterogeneous user base that is likely to support the stability of the network. Other strategies might assume opposing dynamics, opting for specialized networks and contractual relationships between the participating parties.
- Given the perspective on resilience described above, some traditional non-decentralized identifier systems such as DNS can be more reliable and trustworthy than some blockchain and DLT systems, making it necessary to evaluate different approaches on the basis of shared evaluation criteria.
- Interoperability and migration strategies between traditional identifier systems and DIDs are desirable and should be supported.
- We cannot stop anyone from deviating from technical specifications, i.e. companies can always implement “centralized” DIDs, even if that would conflict with parts of the specification.
Finding a balance
Moving forward, we think it is important to find a balance between the following two positions:
- We believe it is important to maintain a strong narrative around individual control, sovereignty, and independence from central authorities in the DID specification and charter of the upcoming DID Working Group. Even though such language may be considered “non-normative” and therefore non-binding in a specification, it is still important to include it in order to communicate the intent behind DIDs.
- At the same time, we acknowledge that there is interest to apply some aspects of DID technology (such as DID syntax and the DID Document format) to a wider range of identifier systems, including non-decentralized ones, with the intent of bridging the centralized or federated world with decentralized identity technologies.
One promising initiative to find such a balance is to articulate a set of “DID Method Rubrics”, i.e. questions that can be used as a basis for evaluating the amount or extent of various types of “decentralization” for a particular DID method. This work originated at the Internet Identity Workshop and is spearheaded by Joe Andrieu, co-chair of the W3C Credentials Community Group. Some DID methods that may be proposed in the future, such as a did:facebook: method, would not score well on a rubrics-based evaluation of certain decentralization goals like open governance and censorship resistance. Therefore, even though they may partially implement aspects of DID technology, they should be considered “adapter” DIDs or “bridge” DIDs, rather than true “Decentralized Identifiers”.
Evaluating DID methods
Organizations such as Decentralized Identity Foundation and others can help evaluate DID methods according to such rubrics, and thereby provide guidance to both developers and users on the question of whether or not an identity protocol is built on decentralized infrastructure that can credibly protect individual sovereignty. This kind of metadata about a DID method could even be machine-readable and allow applications to automatically reject requests or warn users (similar to how today’s browsers display warnings about insecure websites). Daniel Hardman has coined the term “DID Trust Contexts” to describe this idea.
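To make the rubrics idea and the "DID Trust Contexts" decision concrete, here is an added illustration (not code from the original post or from any DID project): a DID string is parsed per the did:method:method-specific-id syntax, the method is looked up in a constructed, hypothetical rubric table (the method names, questions and scores are assumptions, not real evaluations), and the application decides whether to accept, warn or reject, much like a browser warning about an insecure site.

```python
import re

# DID syntax per the W3C DID spec: did:<method-name>:<method-specific-id>
# (method names are lowercase letters/digits; this regex is a simplification).
DID_RE = re.compile(r"^did:(?P<method>[a-z0-9]+):(?P<msid>[A-Za-z0-9._:%-]+)$")

# Hypothetical rubric results for two constructed methods (scores 0..4 per
# question, higher = more decentralized). Not real evaluations of any method.
RUBRIC = {
    "exledger": {"open_governance": 4, "censorship_resistance": 3, "node_diversity": 3},
    "excorp":   {"open_governance": 0, "censorship_resistance": 0, "node_diversity": 1},
}
MIN_SCORE = 2  # each question must reach this for the method to count as a "true" DID


def parse_did(did):
    """Return (method, method_specific_id); raise ValueError on malformed input."""
    m = DID_RE.match(did)
    if not m:
        raise ValueError(f"not a syntactically valid DID: {did!r}")
    return m.group("method"), m.group("msid")


def classify_method(method):
    """Classify a method as 'decentralized', 'bridge', or 'unknown' from the rubric."""
    scores = RUBRIC.get(method)
    if scores is None:
        return "unknown", []
    failing = sorted(q for q, s in scores.items() if s < MIN_SCORE)
    return ("bridge" if failing else "decentralized"), failing


def evaluate_did(did):
    """Trust-context decision for an incoming DID: 'accept', 'warn' or 'reject'."""
    try:
        method, _ = parse_did(did)
    except ValueError as e:
        return "reject", [str(e)]
    kind, failing = classify_method(method)
    if kind == "decentralized":
        return "accept", []
    if kind == "unknown":
        return "warn", [f"no rubric evaluation available for did:{method}"]
    return "warn", [f"did:{method} is an adapter/bridge DID; weak on: {', '.join(failing)}"]


if __name__ == "__main__":
    for d in ("did:exledger:z6Mk...", "did:excorp:user123", "did:nobody:x", "not-a-did"):
        print(d, "->", evaluate_did(d))
```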
As a first step we would therefore propose introducing a work item in the Credentials Community Group for collaboratively developing the proposed DID method evaluation criteria in the proposed rubrics format. This process will be a continuous and iterative approach, enabling the community to improve the rubrics approach over time.
Ultimately, what we must avoid at all costs is a trajectory of development where business pressures lead us toward “re-centralization” and where, for marketing reasons, identifiers are called DIDs that are not really DIDs. We have witnessed this before with OpenID, which was designed as a decentralized identity technology but is often co-opted by various actors to fuel surveillance capitalism and violations of digital human rights.
With DIDs and SSI, we are now at an early stage in which small choices will affect the lives of many people in the future. It is therefore imperative that we act responsibly to not compromise on the formative values embedded in the self-sovereign identity community.
Note: This blog post was prepared as a follow-up to an open statement published on April 26, 2019 by Jolocom and Danube Tech and takes into account subsequent discussions during the 28th IIW and within the DIF community on the topic of Decentralized Identifiers (DIDs).
Contributors: Markus Sabadello, Joachim Lohkamp, Kai Wagner, Rouven Heck, Kim Hamilton, Sean Baldwin-Stevenson, Joe Andrieu