Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)

[stephen.farrell@cs.tcd.ie]

On Wednesday, 4 October 2017, Tom Herbert wrote:
> On Wed, Oct 4, 2017 at 7:57 AM, Phillip Hallam-Baker
> <phill@hallambaker.com> wrote:
> > On Fri, Sep 29, 2017 at 2:31 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> > wrote:
> >>
> >>
> >> As currently described, I oppose creation of this working
> >> group on the basis that it enables and seemingly encourages
> >> embedding identifiers for humans as addresses. Doing so
> >> would have significant privacy downsides, would enable
> >> new methods for censorship and discrimination, and could
> >> be very hard to mitigate should one wish to help protect
> >> people's privacy, as I think is current IETF policy.
> >>
> >> If the work precluded the use of any identifiers that
> >> strongly map to humans then I'd be ok with it being done
> >> as it'd then only be a waste of resources. But I don't
> >> know how that could be enforced so I think it'd be better
> >> to just not do this work at all.
> >>
> >> S.
> >
> >
> > +1
> >
> > I know how to restrict the work to 'meaningless' identifiers, require that
> > the identifiers be the output of a cryptographic algorithm.
> >
> > Now strictly speaking, this only limits scope to identifiers that are
> > indexical as opposed to rendering them meaningless but I think that was the
> > sense of it.
> >
> >
> > Nöth proposed a trichotemy of identifiers as follows
> >
> > * Identity, the signifier is the signified (e.g. data: URI)
> >
> > * Indexical, the signifier is related to the signified by a systematic
> > relationship, (e.g. ni URIs, SHA256Data), PGP fingerprints etc.)
> >
> > * Names,  the signifier is the related to the signified by a purely
> > conventional relationship, (e.g. example.com to its owner)
> >
> >
> > There is a big difference between attempting to manage indexical signifiers
> > and names. Especially when the people trying to do so refuse to read any of
> > the literature on semiotics.
> >
> > Names are problematic because the only way that a conventional relationship
> > can be implemented is through some sort of registration infrastructure and
> > we already have one of those and the industry that manages it has a
> > marketcap in the tens of billions.
> >
> > Identifiers do lead to tractable solutions. But, this proposal looks a bit
> > unfocused for IRTF consideration, an IETF WG? Really?
> >
> Identifiers are equivalent to addresses in that they indicate a node
> in the network for the purposes of end to end communications. The only
> difference between identifiers and addresses is that identifiers are
> not topological. Virtual addresses in network virtualization are also
> identifiers. So the security properties are the same when considering
> privacy. For instance, if applications use temporary addresses for
> privacy, it would have equivalent properties using temporary
> identifiers. In fact from the application POV this would be
> transparent. It could get a pool of apparently random addresses to
> choose from as source of communication, it shouldn't know or even care
> if the addresses are identifiers.
> 
> Identity is a completely separate concept from identifiers. Is not
> required in any of the identifier/locator protocols and AFAIK none of
> them even mention the term. There is no association of an identity of
> user behind and identifier any more than there is an association of
> identity behind IP address. The fact that the words "identifier" and
> "identity" share a common prefix is an unfortunate happenstance :-).


Yes. But doesn't that mean either the name of this effort is wildly misleading or else the effort is hugely problematic from a privacy POV? Either way, istm this ought not proceed.

S.

> 
> Tom
>