Something that should be a bit of a warning flag is that I have two decades of identity-related experience but I still have no idea what DID even is.
For reference, I've worked with three vendors' implementations of LDAP, several versions of SAML, OAuth, JWT, Okta, Azure Active Directory, etc, etc... I've even deployed Smart Card authentication in the field several times.
I literally have no idea, not a clue what DID is supposed to be in a practical sense, despite having read a significant volume of material on a subject.
I found it all pretty simple after looking at it briefly when I first learned about it.
A DID URI is a URI with a 'method' and globally unique part: did:method:somegloballyuniqueid.
The "did" part is literal; a standardized URI namespace. The method part is some symbol that specifies how the unique id resolves and its representation (JSON, whatever.) The method part is what this story is about; W3C has declined to enshrine a set of methods in the standard.
Instead, W3C is delegating to a registry of methods. This registry has already grown to a sizeable number.
The idea is that you will apply a DID URI using its method and obtain a DID 'document'. This document has claims, credentials, etc. The DID owner can cryptographically prove the document represents them and relying parties can cryptographical verify claims in the document.
The actual workflow is more involved than described here but that's the gist of it.
BTW, your list of identity schemes you've had experience with roughly correspond to 'method's, although they aren't 'distributed' in the DID sense.
That sounds very much like one of those solutions that is so complicated that it covers everything in theory, and in practice everyone just ignores it and picks some other standard (or 3...) that is actually narrow enough to cleanly implement and gets the job done.
I’m genuinely curious as to why discussions on identity inevitably also involve claims about that identity. For authentication purposes, all that’s necessary is for a user to prove they are in control of an identifiers by presenting some credentials like a nonce encrypted with a private key. Yes, one can share data in-band during the authentication process (as part of the certificate, for example), but it’s not necessary and verifiable claims can be shared via a myriad of other mechanisms like API calls. So why do we spend enormous amounts of resources on trying to merge authentication and data sharing?
Because identity and credentials aren’t the same. A credential tells a system that “I have the correct secret” and an identity tells it “this is who I am”.
Who you are is important in understanding what you can and can’t do in a system. For example, an identity might say “this person is a US citizen” and then all systems that can’t allow US citizens will respond appropriately and block your access.
Credentials are often shared, identities should never be shared. Credentials will often grant you access to a specific identity.
The issue with DID is that there isn’t a way to differentiate whether a credential holder matches the identity those credentials grant access to. The nice thing is that it allows for a set of attestations to be associated with your identity that allow you to essentially be verified once instead of per-system. You could have one financial company go through the KYC process for you and others could leverage their attestations about who you are.
You also don’t have to give control over your identity to a third party like Google, Apple, Meta, or Microsoft. I appreciate that since I’m leaving the Apple ecosystem and have way too many accounts set up which use Apple for login. It’s not fun to try and change that and recover my access to those sites.
You've described the identity of a person, which is not the only or the most common use for credentials.
Consider a public/private keypair, where the private key is the credential, the public key is the "identity", but that public key can grant access to any number of accounts despite not being anything other than a randomly generated key.
What I get from your explanation: it’s a new way to deal with cases where one proves ownership of something else (but in a more indirect way than exposing or accessing the thing itself)
That reminded me of proof of domain ownership, where we point a registrar to an arbitrary field in our domain records to prove it’s ours.
Sadly I also don’t have enough imagination to see any practical use for that. It feels like an abstraction above every other systems we have today, except any provider would still need to support both this and the underlying actual protocol…
> It feels like an abstraction above every other systems we have today, except any provider would still need to support both this and the underlying actual protocol
It is an abstraction. As to the burden of 'providers', when one reads about the principles of DID design one finds a deliberate bias toward the identity side (person, thing, etc.): All the subject needs is their DID and to (somehow) verify that it represents their identity. Whatever backend providers inflict upon themselves to deal with that is their problem. This mentality is intended to make coping with identity easy for the 'I' (identity) party.
What problem does adding a common “did:” prefix to these identifiers solve over plain old URIs?
Or perhaps my question is more general. What problem does this particular common standard address that individually standardised uri-schemes would not?
It's decentralised because you can pick up any other provider or even host your own (which I did, until OpenID declined from popularity and wasn't accepted anywhere any more).
The method part is only necessary in the case of anonymous, or untrusted, access. If the distributed access points are trusted, known to each other and verifiable, the method part becomes irrelevant because it can be addressed in the body of the message and the willingness of the distant end to process, or not, such message.
As somebody interested in solving for decentralization and previously unaware of the W3C DID effort I formed my own proven solution to this problem 3 years ago. This was one of the less challenging and trivial aspects of the problem space.
I think it speaks extreme volumes that the "methods" of "did" and "com" were both proposed by no-name crypto organizations; "cosmos" seems to be proposed by one guy with a template website maybe unrelated to the relatively major Cosmos blockchain (they're fighting amongst themselves lol); "ens" was proposed by some organization with no website; "evan" was picked up by literally some guy named Evan.
Its not just that they're crypto related; its not even the major players in the crypto space. There are physical organizations you can point to in the crypto space, and if they hopped in and said "yeah this is cool" then that's something. 80% of these organizations have nothing to them. They look like they were formed overnight as this proposal was going through its development.
The only seemingly legitimate proposal in that list, not an obvious planting-my-flag-in-the-ground, is: Baidu proposes "ccp". Lol. Looks like Workday is there proposing "work" as well, that's... something.
I need to read up more on the spec, but that list alone is an extreme embarrassment for W3. Google & Mozilla bring up a fantastic point: What are these things actually going to be used for, not hypothetically, in reality, what is the use case? Its very clear that the Web2 players don't have a good answer for that, and even the successful Web3 players don't either. Is the best response W3 has actually a bunch of nobodies who see something that kind of resembles (but not really) a new DNS, and want to plant their flag in case it gets big?
When we were designing the EU DCC we explicitly choose not to go down the path of the then-nascent w3c verifiable credentials using DIDs. There was a hard lobby from the blockchain bullshitters but they couldn't explain things without a lot of hand waving and technobabble so :)
There's a reason why our spec (EU-DCC) is a global standard: we build on proven technology, we're explicit, and we're not open to allow anyone and their dog to become a "trust anchor". That trust is earned, there are standards you need to follow and keep following to earn that.
DIDs are a wild west and clearly a not-too-unsubtle attempt by the crypto bros to sneak a cash-cow into standards.
The spec reads like it's written by a group of hyperactive kids in a sugar rush.
Don't forget the Korean Ministry of the Interior, who are apparently using a two-line Markdown file as their website and a random Gmail address as their only method of contact.
For an identity verification standard, you'd think they'd demand the authors have more verifiable identities.
I understand that the list presented there is more-so early stage proposals; its not like they've been registered to manage that DID method.
That being said; it speaks some amount to the professionalism of the authors and supporters of this spec. The sane people ask: what are the real, tangible use-cases? There's no answer. Ok, well short of that: are there are least real, tangible organizations who will be building on top of this?
Not only is the answer weak, but the meeting notes from the DID-WG indicate a high level aversion to any known, named authority participating in a significant capacity [1]. They were rather concerned about Mastercard's proposed "id" DID method, for privacy/centralization reasons, maybe those are valid but...
> Markus Sabadello: … Even if we don’t apply it, since in the past we haven’t, even then I think this registration should not be accepted as-is, because it’s incomplete..
> Manu Sporny: Just about every DID Method is incomplete… not a good criteria..
It really comes off as a bunch of people who are mad at the centralization of big tech, want to change it, but lack focus & expertise on how to implement that change. And they managed to drag W3C/TBL down to their level.
If you have arguments against DIDs, then raise them here for rational discussion from all POVs, which is something HN is great at.
'"evan" was picked up by literally some guy named Evan' is not an argument. It's also not factual. The Evan DID method spec [1] was written by Sebastian Wolfram and Philip Kaiser. It is for the Evan Network, which is a blockchain attempting to provide a usable decentralized market infrastructure.
"that list alone is an extreme embarrassment for W3". First, a minor point. w3.org is the domain name, which has some minor cachet because it is a two letter domain. The organization is the World Wide Web Consortium, W3C. Second, hyperbole is present on HN at times, but should be avoided whenever possible because it raises the SNR for your comment, the thread, and HN overall. You could have phrased it without the hyperbole as "the status and standing of the objectors may be an impediment to future DID adoption". More accurate, and signal rather than noise. Of course, if you did any significant standards work you likely would know that objections like these are just as often motivated by market interests. I remember asking an OASIS long-time member about a rep on a standards committee I was on. The rep was from one big company whose name is a household word, and he seemed to do nothing but raise objections and build roadblocks. The long-time member told me he was known as that company's hatchet man. When they wanted to kill a spec before it got voted on they'd send him to join the TC and torpedo it from within. The work quality of the TC did not matter in what he raised, only his company's market drivers.
"I need to read up more on the spec". I would suggest you follow my approach: I do not criticize something I have not read end to end twice. The Evan statement above makes me think you didn't even read it once.
But here's my counter: when it comes to web standards like this, I am fully prepared and willing to delegate my opinion to Mozilla (and a lesser but still positive degree, Google). The W3 (ok you want to be pedantic; W3C; talk about SNR) additionally has a ton of other extremely mature member organizations; Apple, Amazon, Meta, Microsoft, Cloudflare, if even one of these organizations had their name anywhere on this spec I'd give it the time of day. I work at one of them; I've worked for two in the past; I know the people, they're extremely smart and well-intentioned.
I don't agree with your statement that its worth discounting the professionalism and expertise of some member organizations just because you had one third-hand experience in an entirely unrelated organization of some no-name member roadblocking a proposal because of... market interests. Market interests?! Of course that would be a concern! Proposals need to serve the members of the org. The members of the org are, mostly, for-profit organizations! I'm blown away at the dissonance it takes to complain about non-professional SNR, then immediately follow-up with hearsay and supposition.
But, ok, maybe not Web2 Big Tech. Maybe Web3 big tech? Where's the Ethereum Foundation? They're a W3C member org! Block/Square? They're getting very deep into crypto right now; also a member org; silent. Coinbase? Just an exchange, but a member. I mean, the list keeps going on.
I've read the spec. I would not claim to fully understand it, but like Mozilla, it feels abstract and very short on even high-level use-cases. I also think TBL's response signals that's by-design; and I think that's a weak response because ultimately if the organizations who do develop tangible use-cases fly-in-the-night four years from now, the spec will become an unnecessary vestige of the web, like so many before it, while the organizations who actually put in the work and deliver value to Real Humans ignore it (or worse, are forced to keep the dying-but-not-dead vestige on life support) (its not the W3C/TBL who pays the six figure engineer salaries that maintain this shit, its their member orgs, and not even the ones who proposed and approved this).
I also feel, weakly but still prescient, that while the W3C is relatively egalitarian, we can't ignore the politics. This was GOOGLE and MOZILLA who raised concerns (not to mention one anonymous org). TBL can object, and W3C can set the spec, but at the end of the day it will become a vestige even if the people involved with this spec do their best to make it happen, if Big Tech isn't on-board. I'm not, then, asserting that fighting big tech is never worthwhile; I'm just asserting that the W3C probably isn't the best abstraction layer to fight the fight.
So yes: I will criticize. And I'll hyperbolize: the fact that the W3C has hundreds of member organizations, from implementors to thinkers to for-profits and non-profits, and they're willing to overrule real concerns from multiple established and respected members in-favor-of a grocery list of flag-planters, half of which DON'T EVEN HAVE LEGITIMATE WEBSITES, is an embarrassment.
But, fortunately, probably, one that everyone will soon forget about.
Apple, Amazon, Meta, Microsoft, Cloudflare, if even one of these organizations had their name anywhere on this spec I'd give it the time of day. I work at one of them; I've worked for two in the past; I know the people, they're extremely smart and well-intentioned.
Fair; I just scanned the list and saw it was associated with a company named Evan GmbH; I didn't, and still don't, feel it was worthwhile to investigate further; but fine, they're a no-name crypto org with a template website promising to provide the technical and legal framework for the future of the decentralized market economy based on blockchain technology. I'm really excited about their promise that "Digital Identities turn goods into active and autonomous participants in business relationships." And Gartner named them a "Cool Business" in 2020, watch out for these guys I'm sure they'll still be around in four years.
Given that Mozilla and Google have already publicly objected to this proposal, I don't expect them to implement it. The W3C's word is not the law; no one is obligated to implement every specification they put forth.
It's simply a URI standard for crypto signatures. It provides no function except an address to something else. That's why Google is asking for a few "working" integrations to prove the theory.
Because someone goes to implement it and figures out the standard is missing something they need critically, they can modify the standard before it becomes a 1.0 standard.
The document "Use Cases and Requirements for Decentralized Identifiers" [1] lays out the following summary of what they are trying to achieve:
"1. there should be no central issuing agency;
2. the identifier should be inherently persistent, not requiring the continued operation of an underlying organization;
3. it should be possible to prove control of the identifier cryptographically;
4. it should be possible to discover metadata about the identifier."
Additional capabilities got tacked on during discussions, and I think are handled in different specs, such as DID-Messaging, but at it's core the above are the primary requirements.
(Disclaimer - I work in this space, but these words are my own).
My understanding is DIDs are a unique identifier. There's a few methods that can be used regarding the construction of the identifier. It could be a unique key (did:key- https://w3c-ccg.github.io/did-method-key/). It could be using web infrastructure (did:web - https://w3c-ccg.github.io/did-method-web/). It could be using blockchain infrastructure (did:ion).
Whatever it is, it becomes an identifier used to receive credentials and send messages to. For example, your digital wallet can have a DID which can be used to store credentials. Your digital wallet can have many DIDs which can be useful to avoid correlation of identities.
The credentials (and the identities they represent) themselves are normally bundled into things like Verifiable Credentials (https://www.w3.org/TR/vc-data-model/) which have to be issued to something - like a DID.
On second reading with that background knowledge, the crypto pedigree reveals itself: "decentralized", "distributed", "independently of any centralized registry", "distributed ledger", "non-registry based", etc...
It all makes sense now! It's yet another attempt at making Web 3.0 happen.
I'd argue that of those, "distributed ledger" is the only real red-flaggy one -- and even then, only because of its association with blockchain. I think when engineering web technologies, we should hope to find a lot of talk about decentralized, distributed stuff independent of central registries.
No, this is what identity politics is, reducing technical matters to which camp you're in ("your post gives me crypto vibes, scam!!"). Correct me if I'm wrong but I believe this doesn't belong on HN.
No. Broad technical camps are not identity politics, and they're a necessary simplification for making judgements about the massive amount of technical novelty being produced today. I am not going to investigate each crypto scam presented to me for all of its technical details; there are too many of them. It's enough to know it's cryptocurrency-adjacent, and therefore, probably a scam.
Why are Bitcoin maxis and HN Web 2.0 people so intent on keeping everyone from advancing to the next phases of the Web?
Do you like centralized VC-funded “cloud”-hosted startups incubated in Silicon Valley that get gobbled up by big tech or dumped on the public? You like the extreme power inequality between those who run these systems and the public? You think the best our systems can do is extract rents at the behest of Wall Street? People who bought the shares at $100 dont want them to drop to $50 so Uber will take 50% of all drivers’ paychecks, while a decentralized autonomous network wouldn’t. Selling tokens is a one-time deal that makes the founders rich and then the network belongs to the participants.
What happened to the open source, hacker ethos? You know, counterculture, hacking on something, or at the very least not buying into the corporate morass? What happened to cypherpunks and people who wrote M$ and worked on Free Software alternatives to Big Tech?
Once upon a time America Online, Compuserve and Prodigy were today’s Google, Facebook etc. People left for the open, decentralized protocols like HTTP, as soon as good enough clients (browsers) appeared. Web 2.0 companies like FB or Google could have never even gotten started if they needed permission of AOL or MSN … the permissionless nature Web 1.0 made it possible.
Once upon a time, long distance calls cost $3 a minute. Then the decentralized file sharing network Kazaa guys made Skype, and it became so widespread that VOIP dropped the cost to zero. We can all videoconference now and the telcos are reduced to providing dumb pipes.
So why if Web 1.0 broke barriers and allowed anyone to write some HTML and serve via HTTP a website to the whole world … why is it sooooo terrible that in Web 3.0 people can write a smart contract and deploy it on some EVM compatible blockchain making the rules or payments instantly accessible to people around the world who control their own keys? Do you really think this won’t have any real applications?
Because if you actually look at what cryptocurrency is being used for, it’s overwhelmingly:
- Scams
- Risky financial structures that we regulated out of existence because they were risky and unregulated
- Money laundering
If there are real applications of the technology, they would’ve popped up by now.
Just look at the whole space of cryptocurrency lending. Regulations exist for good reason, we have stress tests https://www.federalreserve.gov/publications/large-bank-capit..., consumer protections, all kinds of safeguard so when you put money in a bank account you don’t have to worry that somebody’s gonna run with it.
Web 3.0 is a buzzword-filled collective hallucination. People keep shouting the buzzwords, but still nobody knows what it’s supposed to mean in any concrete way. NFTs are scams and still haven’t found a real use case that’s not a ponzi, crypto lending is 2008 capital structures but turned up to 11, DAOs are useless because courts and corporate governance are things that exists, I can go on and on.
If you have a concrete proposal of how this magical Web 3.0 future is supposed to be better I’m all ears, but where I’m standing it’s all ponzi, scams, shaky capital structuring, and criminal enterprises.
You have no idea how serious the problems Bitcoin is trying to solve are.
One day you will be forced to understand it though. Hopefully it doesn't result in you losing all your savings, like it has happened to billions of people through history....
> "Do you really think this won’t have any real applications?"
So where are they? The consensus is denying it on principle but rather wondering what it's actually useful for. It's strange to see all the claims of opportunities and problems to solve, yet nothing seems to be produced.
Many of them are here, fully documented and explained to laypeople, with links to GitHub, feel free to take the open source software and use them: https://intercoin.org/applications
Is that not good enough for now? What more would you like?
I am philosophically opposed to "Web 3.0" because I am philosophically opposed to cryptocurrency and do not believe it decentralizes anything.
Regardless of the follies of Wall Street, blockchains and smart contracts do not fix them. There is no particular reason why a DAO would not also cut worker wages to benefit the tokenholder class - it's the exact same structure as a corporation, just without the pesky regulation getting in the way. There is nothing about decentralized finance that guarantees that the employees are also tokenholders anymore than regular ol' brick-and-mortar capitalism guarantees that employees are also shareholders. If you want a worker's cooperative, you can start one right now without needing to buy Ethereum and develop a fragile smart contract.
DeFi isn't destroying power structures, nor is it making them less rigid. It's just a changing of the guard, from corporations and investors to anonymous "whales" and DAOs. This isn't actually decentralizing anything, it's just obfuscating how much the system has been corrupted.
As for open source and Free Software, well... their political opinions outside of hacker ethos are all over the map. The space is vaguely libertarian and vaguely leftist, which means there's plenty of people in the space who don't want more unregulated capitalism.
Your example about long distance calls is also wrong. Or, at least, missing some context. Skype was actually kind of late to the "cheap long-distance" party; the government had already done the hard work of breaking up the phone monopoly and ensuring that companies could place and terminate calls on other people's networks. This is because "permissionless" is not a capability, it is a policy. Even ostensibly permissionless blockchains could effectively become permissioned if miners and exchanges colluded in a way that made economic sense. I know this can happen because it's exactly the same thing that happened in Web 2.0.
It might have something to do with all the cryptobro’s pushing get-rich-quick-schemes. Crypto-enthusiasts ignore how regulations existed for good reasons before regulatory capture made a mess of things. Not everyone likes the idea of an anarchocapitalist future.
And I’m not even talking about the outright scamming and the fact that most crypto’s primary use case is criminal. Or the environmental issues of spending energy we can’t spare on something we could solve so many other ways.
I personally take a hesitant approach to crypto/blockchain technology. I'm open to using it where it's legitimately better than other approaches, but for the vast, vast majority of applications traditional methods are always going to be better than shoe-horned decentralization.
It's very unfortunate that the grifters have given the technology such a bad name when, like any technology, it has applications it excels in and others it doesn't. We're still definitely in the phase of working out what, if anything, blockchain is better (than centralised implementations) for. And it sucks that that search is being negatively impacted by all the grifters.
In the future I wouldn't be surprised if we saw 99.99% of blockchain stuff dead, but the small percentage that survive could disrupt some industries (I'm not convinced finance is one of those industries though lol).
1. Except cryptocurrencies aren't any good for that, because the transaction costs are too high, and the value of cryptocurrencies too volatile. Cryptocurrencies are not a medium of exchange.
2. Now, what's a valid use-case for a smart contract, and please explain how it functions if there's a bug in the contract?
3. Maybe. You'll need to provide a more concrete use-case. Also, you have the outside-world problem (you know the data hasn't been altered, but you don't necessarily know where it comes from).
4. All you need for decentralized identities is a public key. (Though if you want your identity to be long-lived, you'll have to also have a system of secure key rotation, and the most straightforward system is blockchain-ish in that it involves a signed append-only log. But it doesn't need a global trustless ledger.
5. See 1, except worse, because the transaction cost dwarf the actual payment.
1. If you're sending a portion of your monthly wages as a remittance to your family, spending a dollar[1] isn't too much.
2. A smart contract allows decentralised organisations to function, with democratic voting and transparency. (That's not appropriate or necessary for every organisation, but it can be an improvement on one person hosting a server and saying "Trust me"). If there's a bug in the contract, you have to vote to change the contract. Traditional contracts, businesses, and even countries fail all the time, but we haven't give up on them as concepts.
3. For a concrete use-case, I offer the example of blockchain technology being used to make the fishing industry supply chain more transparent.[3] It's true that someone could enter fake information onto the blockchain, but they could also fake signatures on paperwork, so a system can still be useful even if it doesn't prevent all possible attacks.
4. If the ledger isn't trustless, then someone is controlling it, so your identities aren't really decentralised.
5. There are better currencies than BTC if transaction costs are the main concern. The equivalent number for BCH is half a cent.[5]
> A smart contract allows decentralised organisations to function, with democratic voting and transparency.
A smart contract is neither smart, nor a contract. It's a program, written in an esoteric language, and running in the world's most inefficient VM.
It's so bad and overcomplicated that "smart contract" authors themselves routinely make mistakes in code equivalent to the most basic of actual contracts. And since there's no avenue of recourse, these mistakes are irreversible.
"Smart contracts" also require the user to pay for any meaningful action.
As for "transparency", there's no transparency when something is enforced by code very few can read and understand (compared to actual contracts that can be read by humans).
As for "democracy", there's nothing democratic about "who has the most money has the most votes".
> Traditional contracts, businesses, and even countries fail all the time, but we haven't give up on them as concepts
Because we have thousands of years of history teaching us how to deal with those, and guess what, we've come up with multiple things like:
- regulations
- contract clauses dealing with failure
- avenues of recourse
- various methods of enforcement
Crypto bros pretend that these things are unnecessary, but then immediately turn to courts to sue scammers, or cry in cryptoforums when a "smart contract" bug wipes their wallets out.
Sorry, but you sound like tech skeptics in every generation ever, saying “the Dewey Decimal system works perfectly well, why do we need computers just to find a book”? (Yes, I have heard this exact objection raised by radio hosts to early computer pioneers who tried to explain why computers will become useful for regular people.)
Email became useful and replaced the post office
Web 1.0 became useful and replaced TV, radio, magazines
Web 2.0 became useful and allowed people to communicate but still hasn’t been truly decentralized
What makes you think that Web3 replacing trusted gatekeepers is not useful? You think “just trust me” is the best system we can possibly have for writing code that does some business logic?
For me it’s simple: if there is something that’s very valuable (some NFT, some role, some election, some large balance of USDT) then I prefer that my customers custody their own keys and deal with that themselves. Less liability for me. Rather than having a guy with keys to the database log in and potentially change the result of an election, and having to track down logs and deal with lawsuits etc. I just want smart contracts to deal with it, and each participant can only take the actions they are allowed to take - no exceptions. No central point of failure for security. No need for audits OF TRANSACTIONSby auditors who can also be corrupted.
How do we make sure that smart contracts are correct? Audits, battle testing and with Cardano we even have provable correctness. UniSwap likely has no exploitable bugs, for instance, or they would have been found. Every instance of UniSwap AMMs comes out of the same factory. THE END RESULT is far more reliable than any code that runs on only one machine by a “trust me” corp.
Sorry buddy, you can shill your centralized “trust me” all you want but you sound like Peter Schiff and his gold. You just don’t get it.
1. No liability for transactions, only for code
2. Open source infrastructure
3. No central entities who can corrupt the system in unlimited ways
4. People can only do what is allowed, no matter what
5. Code operates regardless of whether the central entity is around in 20-30 years
6. Different incentives (selling tokens is far more user-friendly than selling shares to a parasitic investor class that will cause you to extract rents forever and introduce dark patterns and lockin at the expense of the public).
7. Interoperability — on-chain data can be used for other smart contracts and any websites can read the data.
8. Global interoperability, no need to rely on a patchwork of currencies and money transmission legs and banks that Stripe takes care of for you. USDC is an ERC20 token and you write code, not connecting to a billion little APIs. Similarly to HTTP letting you go worldwide vs what Twilio had to do for you, or negotiating syndication by radio stations.
Of course I think blockchain is a first-gen technology but it enables this and a lot more !
Here's the problem: people don't care about even one of the eight things you listed there. None of these things matter to the common person, and they certainly don't matter to the preeminent payment infrastructure.
Nobody here is shilling for centralized services, most of us are veterans of decentralized tech giving you warnings. Many projects have encountered these same issues, and have died because they have no purpose. Blockchains are little more than nerd porn, the average banker isn't going to look a trustless infrastructure and all of the sudden "get it". That's one of many insurmountable problems that cryptocurrency faces, and it has been successfully blocking adoption of it in the real world for more than 10 years. You can't simply shrug off decades of decentralized failure without applying the lessons you learned from watching them fall. Unfortunately, every cryptocurrency I've found is tone-deaf to these concerns, and prefers to replace genuine conversation with marketing crap.
The only concrete use case you've offered “is unlikely to deliver substantial gains to the industry when compared to alternatives” such as shared databases, which don't require any costly consensus algorithm.
They are (at least) two separate use cases, even though they are both examples of sending money. (You could equally say that they are all examples of sending data).
1. Some people want to be able to send large amounts of money internationally to their family in a country which has currency controls and "official" exchange rates. Others want to be able to send funds to organisations that have been banned by traditional money transmitters, such as Wikileaks, or protest groups, or adult content, or cannabis.
5. Separate groups of people don't have a problem with their government's fiscal or censorship policies, but simply want to be able to buy an emote or a skin in an online game, or to listen to a piece of music or read an article without being tracked around the web or needing to wire 50 cents from their bank in Mongolia to the service provider's bank in Cyprus.
1. The problem there is exactly why the space is going to remain a reserve for fundamentally illegal activity.
Arguably it shouldn't be. I get that. That still doesn't get me any closer to me suggesting anyone's grandma hop into Web3.
5. So you're still being tracked, because there isn't a company around that isn't monetizing viewership data. Also, if you're fine with fiscal policies, why are you hesitant to wire? Sounds to me like you're dissatisfied with your host country's fiscal controls, or service provider's offerings.
Look, control over financial networks is one of the most powerful soft control mechanisms on the planet. You will not work around that. Government is slow to catch up, but I assure you, these folks aren't stupid anywhere close to 100% of the time. The fact regulation is crystalizing around crypto as fast as it is without taking the multi-century learning experience trad-fi did is evidence enough of that.
If it comes down to "a bunch of nerds created an unregulable financial system" I can pretty much guarantee it'll get gobbled by trad-fi snd re-centralized.
In fact, anyone could roll their own financial networks without using banks/Visa/you name it. No one has because we've made laws that specifically increase the barrier to entry because finance is the spine that provides support for all manner of economic activity, which includes the illegal stuff, and Government is putatively in the business of making sure that the illegal stuff doesn't see the light of day.
I just do not see the compelling argument that'll carry weight to switch someone from "financial system that makes crime hard" to "financial system that makes crime easy" and feel alright about it. You have to already accept that crime is just an endemic human phenomena, and this is just a rebalancing of the spectrum.
Given you've got much more efficient implementations of your other use cases available, this is the sticking point for me. No people I've spoken to and laid out what Web3 really is, even with the most charitable framing gets passed that.
If I can't convince people it's a good idea with full disclosure in effect, I'm not sure it's something worth pushing forward.
I don't really think there are five applications it excels in, but there might be in the future..?
Like I said, we're still working out what it's good for. I've seen promising applications but nothing I'd say is obviously better than traditional technology. To dismiss the entire technology because of (admittedly a lot of) grifters is premature in my opinion.
So Web2 has gotten such a bad name due to centralized bullshit that entire democracies are up in arms. And the Zucks of the world just say “Calm down. Breathe. We hear you” and proceed to continue to do the very thing people have been mad about (Libra? Beacon?)
Zuck correctly described the situation early on: “I don’t know. They ‘trust me’. Dumb f#%ks”. And it’s still true today and you want to bury any alternative to that system.
Transparency laws, stricter regulation on moving between regulatory agencies and regulated industries, in general, better democratic accountability. All of these are imperfect, but it's also the case that cryptocurrency doesn't make any of it better.
>stricter regulation on moving between regulatory agencies and regulated industries
You seem to assume the existence of a competent and non-corrupt metaregulator (some form of supervisory body that would "regulate the regulators" and somehow prevent "revolving door" scenarios).
- If it exists, why was long-term regulatory capture possible in the first place?
- If it doesn't, how would we go about instituting one?
We're on Hacker News. Exit wishful thinking, enter systems thinking.
- Feedback between regulatory agency and regulated industry: continuous.
- Feedback between regulatory agency and supervisory body: continuous.
- Feedback between supervisory body and sovereign (=the general public getting shafted by the regulatory capture): discrete, and of appalingly low resolution.
I'm told that in the world's dominant democracy, where most of the ideas that we're discussing originate, the sovereign is throttled to expressing its interest in the form of a binary decision once every ~35000 hours.
So, the boffins at the revolving door email each other and call each other on the phone all the time, but the public can only talk to the legislature at the grand rate of 1 bit per 4 years? In that case, I'm prone to applying the concept of "regulatory capture" to any and all regulation that nominally serve the public interest. They simply don't have the bandwidth to establish what the public interest is.
Even at Bitcoin's "low" speed of 7 transactions per second, on-chain voting would still support a much faster democratic process. That's why people are opposed to it. For now, people use cryptos to vote mostly on inconsequential things. That's while the quirks are being ironed out. Some crypto bros who got in for teh gainz got shafted. So what. Maybe in a fairer economic system a fool and his money would be parted even more easily.
Currently, crypto does not work... except as a public "exit"/"no confidence" vote towards the methods through which industry is organized and regulation is instituted. For one to devote time and effort to this emergent form of economic organization, no matter how uncertain its realities might be, is simply to refuse to take part in maintaining a status quo that one has had no part in establishing - and to look for alternatives, no matter how tenuous.
I mean.. as I understand it, you read specs to understand something and as I kept reading it, I have absolutely zero idea what it is or even supposed to be. What is a problem it is trying to solve? I dislike it, because I immediately assume it cannot be good for me.
I have a similar background, and I also know some of the people active in the DID community, and I spent a couple of years trying to get them to explain to me what problem it solved or show me a working application using the tech.
My take is that it is a) X.509 re-born with different encoding (JSON-LD vs BER or PEM) and b) a scheme to promote use of certain blockchains for a purpose that blockchains don't suit well.
Azure Active Directory is on its way to use DIDs [0]
The forces in place here seems to be:
- distributed ledgers allow a different (decentralized) paradigm for identity management, where users own their identities and service providers authorize and authenticate them through verifiable credentials
- years of blockchains and even more years of web certificates have created processes to handle cryptographic material, that service providers supposedly find more secure than "username and password" to manage the identities issuing the verifiable credentials
- in realpolitik, Microsoft (Azure) is expanding in the cloud market by trying to establish a presence in niches (ie: Intel SGX, DIDs) [1]
I understand the overall skepticism about blockchain related technologies, but the intrinsic advantages that I see in them are:
- (for a service provider) having a tamper-proof log of all the auth changes for an identity
- (for a service provider/user) relying on cryptographic signatures allows for a private validation of an identity/claim
- (for a user) provided this is not EEE allover again, a greater degree of choices on how to manage your identity
I do not have as much experience as you do, so maybe there is some wheel-reinventing that I am not aware of :)
As far as I understand it (from skimming through a couple of docs and presentations), DIDs are similar to specs for assertions and/or attributes which are stored in a blockchain which functions as federation metadata datastore and IdP at the same time.
Conceptually, those solutions that you’ve worked with are about account principals and access management. When you deployed a smartcard, the human identity of the person you were assigning an account principal to was established offline, ultimately linked to proof of birth and residence.
Typically your company will validate those credentials to some level for employees. At a minimum, you establish what you need to know for payroll, in other cases you do extensive background investigations. For the public, however, we’re stuck with rudimentary solutions for ID verification (bank/credit accounts, mailing letters, etc) or unreliable and invasive solutions like ID.me.
The idea of things like DID and sovereign identity is that the human has agency and can provide or not provide credentials to establish who they are. That could include a verifiable, signed representation of your birth certificate, a professional license or some other credential. Think of it as a new iteration of 90s “web of trust” concepts.
Seemed to me that DIDs are a more general version of blockchain addresses.
Like, you create a DID from a public key, and everyone who handles DID related stuff can ensure only who controls the related private key is the real owner.
> Something that should be a bit of a warning flag is that I have two decades of identity-related experience but I still have no idea what DID even is.
I'm not sure this is the "flex" you wanted it to be. A cursory look at the specification gave me a pretty good idea what DID are supposed to be, and for (and I would only say I know enough identity-related stuff in order to implement things in my own services, but not over two decades). The use cases are relatively easy to understand, and there is bunch of implementations in the wild as well.
Maybe it would also help by looking at some of the proposed DID methods that are more similar to the approach you're used to. While not centralized, maybe DNS is something you're more familiar with, so you can link it together with existing knowledge?
What exactly is it you don't understand? Maybe your knowledge about centralized identity management is not helping you in this case, but making it harder to understand.
For reference, I've worked with three vendors' implementations of LDAP, several versions of SAML, OAuth, JWT, Okta, Azure Active Directory, etc, etc... I've even deployed Smart Card authentication in the field several times.
I literally have no idea, not a clue what DID is supposed to be in a practical sense, despite having read a significant volume of material on a subject.
Like, okay, it's "identity"... somehow? How? What? Where?
The documentation is impenetrable buzzword-compliant gibberish that makes SAML's documentation look like crystal-clear poetry in comparison.