HACKER Q&A
📣 asim

What Is Identity for the Internet?


Is email identity for the internet? Is there an alternate source? I don't know that we can rely on social sites with their "Login with X" as this tool. It's not clear to me "Connect with your wallet" is any better. Is email the true identity for the internet? Is there anything better?

  👤 sp332 Accepted Answer ✓
Check out "self-sovereign identity" as a starting point. Sometimes those others are used to cut down on spam or as age verification, but if you just need to identify someone, it's more flexible.
👤 nullfield
The answer largely, like most things (and like your lawyer likes to tell you), is “it depends”.

From a perspective of, say, a small site trying to just identify people who have accounts and let them post in forums, email is probably sufficient.

For voting in real elections, it’s obviously not sufficient.

Ideally you want something pretty permanent for identity-something you can’t just change on a whim. The idea, I think, from the question is “what can we use for authentication”, and email’s never really been good at that in a real security sense-anyone can read it, if you leave it open, or if you share your password, or if…

In the same breath, though, let’s go to the other extreme: suppose we use DNA for identity. Further suppose that the device used to check it is perfect at the “checking it” part. Now you’re just off by one level, because you’re now trusting the machine that attested to the DNA not being compromised in some other way, and you still have all the other problems inherent in a distributed system (not to mention the “proof of life” part) - in short, all that’s happened is that we’ve moved the problem of identity from your DNA to the machine that attests to someone’s DNA.

You’re absolutely correct that one can’t trust or rely on “sign in with X” when they can take your account away arbitrarily and capriciously, without recourse, and in doing so break everything that relied on it.

The alternative of running your own OpenID Connect system (the most current method of doing “identity” like the major social sites do, after enough people learned the medium-to-hard way that “authorization is not authentication” and stopped using OAuth2 for “authentication”) also has its issues:

1: they’re not federated in any sense, so unlike “everyone knows Twitter and will let you log in after Twitter confirms who you are”, no one knows the OpenID Connect server run by nullfield and, further, wouldn’t trust it to vouch for identity of anyone. Except maybe nullfield. And still, they’re not going to integrate everyone’s self-sovereign ID server for login unless it’s seamless. 2: running such a server is technically challenging, to be polite

Getting back to “it depends”:

The use case matters too much for there to be a generic answer at this point in time. Even social sites only go so far in verification; logging in via Facebook doesn’t mean that Facebook has checked that you’re who you say you are, even if their policy is to make you use your real name.

For most situations it’s going to be domain-driven, i.e. “for this domain, what level of assurance do I need about identity”.