Restoring Trust in a World of Lost Identity

“Lost Identity” by Bartosz Beda — oil on canvas — 2015 (c). Reproduced here by permission of the artist.

[ed. We are honored to have this post contributed by Nick Meyne, Founder at Social Market Technology Network out of Brighton, UK, who is deeply committed to the RChain Cooperative ecosystem and to the future impacts of Self-Sovereign Identity]


In any platform, especially public, open platforms, the participants or users need to:

  1. trust that the communications between participants are handled securely, reliably and at scale;
  2. know, and trust something about each other in order to message or transact meaningfully;
  3. manage identity risk.

Rchain and LifeID are paired together as a foundation for open, decentralized ecosystems that can support future decentralisation at scale, with managed risk. This blog focuses on how they address communication, identity trust and risk.

Communication and Naming

Let’s start with the communications by looking at Rchain:

There is a nice, conversational interview, recorded in Amsterdam, with Tim Bansemer (European Ambassador, RChain) and Rinke Hendicksen (Rholang Developer), published this month on YouTube.

They both summarise how some of the key features of Rchain enable it to scale in a way that other virtual machine blockchain platforms cannot. Part of this is the independence, concurrency and communication between ‘namespaces’. They begin by highlighting that trust in the other party is key in communication. Tim says:

“But you need to decide if you trust this other network. If you trust it you can communicate with each other …but this would obviously (depend on) the security and your trust in the other side, or in this case the other ‘namespace’ to be precise.”

Rinke agrees and goes on to explain namespaces a little more:

“A name and a namespace are crucial within Rchain because …Rchain is based on the notion of sending and receiving processes (between) names, so communication and computation on this concurrent virtual machine happens by message passing… the name is just there in the database… in the ‘tuple space’ of Rchain …and the name is just listening, (waiting to) receive something. …A namespace is a collection of all these names which are all receiving something and listening… A blockchain is basically a set of all kind of addresses and functions which can send and receive something, but in Rchain …there can be multiple namespaces living ‘in concurrence’ next to each other.”

Tim adds an analogy:

“(Imagine) we are sitting here having this interview in a circle, with people listening on a name. (It’s like) we’re listening on a channel: Hey Rinke! (Hey says Rinke, in reply) Rinke reacted … it was like I was sending to the channel ‘Rinke’ and he replied to me. He doesn’t need to say ‘Tim’ because this is (part of) the context we are sitting in: It’s clear that he means me. In Rchain (and language) he would write back to the channel I was communicating on… So (in the analogy for) a namespace we could say we are in this room, and this group in this room. If we had loudspeakers on the ceiling, asking for the attention of all people in room xyz then we would all react as a group. …So this is the namespace. It’s a group! And the beauty of this is it represents (follows) …nature …the world we’re living in. Or… if we compared to the human body … if you have an organ and every cell and molecule in that organ belongs to the namespace of the organ… heart for example.”

That human body analogy works well: organs get on with their various jobs with only the minimum necessary communication between them. They’re not all waiting on some cerebral consensus process in my head. Tim Bansemer also calls out the need for globally unique names. For example, in the human body analogy, if I accidentally put my hand on a hotplate, an immediate and specific pain response very usefully signals the location of the damage and unconsciously ‘I’ orchestrate my musculo-skeletal system to move my hand away. Very specific ‘whole body’ messaging systems are important: Which hand? Which muscles? Where is the danger? By contrast a non-specific whole body ‘spasm’ would be a much less effective way to avoid danger in a hot kitchen!

Globally unique, unforgeable names are also a key part of security. Mike Stay, CTO of Pyrofex, points out that just copying a name and then creating multiple instances of the same name could be a great way of phishing for money or for personal details using spoof wallets. In the coming release of RChain (7) there is a feature that guarantees this uniqueness, particularly when creating or writing to the blockchain. We’d call that a good old-fashioned ‘registry’. Mike tells us that RChain will implement such a registry, enabling unique lookups so that contract code can be made public for communication, but securely and without a nasty performance overhead or bottleneck. This decentralized registry is also the foundation for smart contract version control at the major, minor and patch level. It is native to the RChain platform, and that makes for another advantage over Ethereum.

Trust and Identity

This blog post started with another assertion: that the parties in communication also need to know, and trust something about each other in order to message or transact meaningfully. This trust in the other party is where lifeID comes in. Chris Boscolo, Founder and CEO of LifeID says:

“LifeID is building a blockchain-based identity platform where users can coordinate the use of their identity with any other organization in the world. We’re building an identity platform that needs to scale to global levels”

So with lifeID, and the Rchain registry, Rchain is implementing the globally unique naming and identity infrastructure that Tim and Rinke described as such a compelling feature. LifeID takes this further, being a native, decentralised, Self-Sovereign Identity (SSI) infrastructure based on emerging W3C standards.

The long story and advantages of SSI are explained more fully in Christopher Allen’s excellent paper. The very brief story is that identifiers and attributes should be controlled by the identity holders or subjects — people or personas (like Tim Bansemer, the RChain Ambassador), things, organisations — not by the centralised, giant ‘relying parties’ of today, who aggregate and correlate data, control the issue of credentials to their subjects and leak data into their ecosystem and beyond. For example, I think the picture at the top of this article — ‘Lost Identity’ by Bartosz Beda — powerfully communicates the loss of control and privacy we all suffer in today’s fragmented, broken and abused identity ecosystem. A few years ago we were all told ‘no one cares about their data’ and ‘everyone trusts Facebook, Apple, Google and so on’. How things have changed. And how quickly things can change.

LifeID explains more about the challenges of centralised digital identity in the introduction to their white paper. LifeID supports ‘pairwise’ issue of Decentralised Identifiers (DIDs). In today’s world the companies you deal with (Facebook, Apple, Google, Visa, Mastercard…), or intermediary ‘identity providers’ (IDPs) appointed by them, issue and control your verifiable credentials. By contrast, DIDs are controlled by you, and there are typically ‘pairs’ of them for each peer-to-peer relationship that you have. You provide only the information necessary in order to transact with your peer (and usually vice-versa) and there’s no one sitting in the middle, aggregating, correlating, or even selling the data which has passed through their proprietary platform. A LifeID identity layer on RChain provides a scalable, decentralised and trusted identity infrastructure, including lookup (“DID-resolution”), to support the wider partner and application ecosystem, globally.

LifeID’s initial focus is on organisations wishing to issue digital credentials for their membership (whether customers, employees, partners or associates). These cannot be forged because they are signed by that organisation’s private key. Revocation is handled by a blockchain-based public revocation list. Members use an app to authenticate by scanning 2D barcodes. LifeID seeks to make it easier for organisational adopters by:

  1. Using DID protocols built on familiar modern auth and OpenID Connect standards
  2. Providing a client SDK and an integration portal with OAuth and OpenID Connect APIs, and code frameworks to accelerate corporate integration
  3. Providing administrator control / governance to help a local identity ecosystem to ‘bootstrap’, scale up and maintain its common membership and authentication and authorisation infrastructure.
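
The credential check described above (issuer signature plus a public revocation list) can be sketched as follows. This is an added example, not lifeID's code or API: the claim fields, the `did:example:` identifiers, the use of Ed25519 and the in-memory `Set` standing in for the on-chain revocation list are all assumptions made for illustration.

```javascript
// Added illustration, not lifeID code. Claim fields, DID strings and the in-memory
// Set standing in for the public on-chain revocation list are assumptions.
const nodeCrypto = require('node:crypto');

// Deterministic bytes for a flat claims object, so signer and verifier agree.
function canonical(claims) {
  const pairs = Object.keys(claims).sort().map((k) => [k, claims[k]]);
  return Buffer.from(JSON.stringify(pairs), 'utf8');
}

function issueCredential(issuerPrivateKey, claims) {
  const sig = nodeCrypto.sign(null, canonical(claims), issuerPrivateKey);
  return { claims, signature: sig.toString('base64') };
}

// Accept only if the issuer is known, the signature verifies over the exact
// claims presented, and the credential id is absent from the revocation list.
function verifyCredential(cred, trustedIssuers, revokedIds) {
  const issuerKey = trustedIssuers.get(cred.claims.issuer);
  if (!issuerKey) return { ok: false, reason: 'unknown issuer' };
  if (typeof cred.signature !== 'string') return { ok: false, reason: 'bad signature' };
  const sig = Buffer.from(cred.signature, 'base64');
  if (!nodeCrypto.verify(null, canonical(cred.claims), issuerKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (revokedIds.has(cred.claims.id)) return { ok: false, reason: 'revoked' };
  return { ok: true, reason: 'valid' };
}

// Constructed sample data: one organisation, one member, one impostor key.
function demo() {
  const org = nodeCrypto.generateKeyPairSync('ed25519');
  const impostor = nodeCrypto.generateKeyPairSync('ed25519');
  const trusted = new Map([['did:example:org', org.publicKey]]);
  const revoked = new Set();
  const claims = { id: 'cred-001', issuer: 'did:example:org',
                   subject: 'did:example:member-42', role: 'member' };
  const cred = issueCredential(org.privateKey, claims);
  const altered = { claims: { ...claims, role: 'admin' }, signature: cred.signature };
  const fake = issueCredential(impostor.privateKey, claims);
  const out = {
    genuine: verifyCredential(cred, trusted, revoked).reason,
    altered: verifyCredential(altered, trusted, revoked).reason,
    impostor: verifyCredential(fake, trusted, revoked).reason,
  };
  revoked.add('cred-001'); // the organisation withdraws the membership
  out.afterRevocation = verifyCredential(cred, trusted, revoked).reason;
  return out;
}

console.log(demo());
```

The last case is the one a signature alone cannot catch: the credential is still cryptographically genuine after the membership ends, so the verifier has to consult the revocation list on every check.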

Outside of Rchain, lifeID is working on emerging SSI standards in the Decentralized Identity Foundation. It is committed to interoperability with other blockchains / crypto platforms in a future distributed Identity 3.0 ecosystem. They work with other DID solution providers such as Evernym / Sovrin Foundation and UPort to extend the scope of the identity standards into specific use cases and attribute sets for key industry sectors such as supply chain, health, transport and so on.

Identity Risk

I believe there are great opportunities for new businesses (and for old businesses to re-invent themselves) in this new, open, decentralised and essentially ‘upturned’ world of naming and identity. It does NOT mean ‘putting identity on the blockchain’, nor does it equate ‘digital identity’ with ‘real-world identity’ or ‘self’ or even ‘legal identity’ in the hope of ‘solving’ the ‘identity problem’. All that is false hope. But it DOES mean, for example, that open standards for decentralised identity could give us newer, more efficient and fairer ways to manage identity risk in the new ecosystem.

Vinay Gupta pointed this out nicely when he said ‘The identity system is going to be an insurance system’. In today’s centralised financial systems, the growing cost of cardholder identity fraud is paid for by the cardholders and merchants. Visa and Mastercard don’t really care — as they get paid enough in fees to cover it, including any dispute resolution and regulatory defence, there is little incentive to fix it. In a decentralised world, customers and merchants could instead be ‘micro-insuring’ according to the risk of their peer-to-peer transaction.

Conclusion

RChain is part of a third generation of blockchain platforms and lifeID is part of a second generation of distributed identity solutions. RChain as a platform, built and organised as a co-operative, with lifeID in its ecosystem as the identity layer, shows promise as a future foundation for open decentralised applications at scale. Both are rapidly evolving and innovating, and are far from stable, but together they have the potential to provide a trusted decentralised platform to support global peer-to-peer transaction rates and self-sovereign identity with global consumer reach.

Despite problems and abuses, today’s centralised, mostly hierarchical world of organisation, communication and finance will probably remain the dominant and most efficient ‘socio-techno-economic’ pattern that humans follow. However, there are markets, human populations and environmental ecosystems with problems such as broken trust, massive scale or risk that could perhaps be solved better by applying decentralised, peer to peer patterns. Centralised and decentralised systems will coexist, perhaps uncomfortably, and even compete.

The trick for Rchain and lifeID to manage is the ‘bootstrapping’ of a decentralised user community and application ecosystem that makes it sensible to adopt and grow with ‘synergies’ or common benefit for all. There should be a business design and roadmap, from today’s dominant centralised landscape to make that happen. But how to do that is another story, and the subject of another blog!