1. STD epidemic slows as new syphilis and gonorrhea cases fall in US  The Associated Press
2. Sexually Transmitted Infections Surveillance, 2023  CDC
3. At Long Last, the Surge in S.T.I.s May Be Leveling Off  The New York Times
4. ‘Been a long time since I felt that way’: Sexually transmitted infection numbers provide new hope  POLITICO
5. There are millions of sexually transmitted infections in the US every year, but new data shows the epidemic may be slowing  CNN

1. Fantasy football rankings Week 11: Sleepers, projections, starts, Russell Wilson, Calvin Ridley and more - The Athletic  The New York Times
2. Start 'Em, Sit 'Em Quarterbacks For Fantasy Football Week 11  Sports Illustrated
3. Week 11 Waiver Wire: Top Pickups, Drops Likely Available After Reviewing Box Scores  Bleacher Report
4. Fantasy Football Week 11 Defense (DST) Rankings and Streamers  NBC Sports
5. Fantasy plays: Players to start and sit for NFL Week 11  The Associated Press

1. Video: Mike Tyson shows he's not your typical 58-year-old during open workout  MMA Junkie
2. Tyson vows to bring 'devil himself' into Paul fight  ESPN
3. Watch 58-Year-Old Mike Tyson Crush Pads Days Away from Jake Paul Fight  Sports Illustrated
4. Mike Tyson-Jake Paul: How to watch the fight, time, odds  The Associated Press
5. The Mike Tyson-Jake Paul boxing match shows streaming is just cable now  The Washington Post

1. Internet Divided as ‘People’ Names John Krasinski ‘Sexiest Man Alive’  Rolling Stone
2. John Krasinski named People magazine’s ‘Sexiest Man Alive’  CNN
3. Just a Bunch of Sexy Photos of John Krasinski  PEOPLE
4. John Krasinski Reveals Wife Emily Blunt's Hilarious Response to His Sexiest Man Alive Title - E! Online  E! NEWS
5. Emily Blunt reacts after husband is named 2024 Sexiest Man Alive  The Independent

1. Lego Horizon Adventures Sylens voice actor revealed following Lance Reddick’s passing  Video Games Chronicle
2. Lego Horizon Adventures Review  IGN
3. Lego Horizon Adventures: How Long to Beat (& Chapter List)  GameRant
4. Lego Horizon Adventures is a delightful, kid-friendly twist on Horizon Zero Dawn  Polygon
5. How LEGO Horizon Adventures was built with real LEGO bricks, out Nov 14  PlayStation

1. Fact check: Amsterdam video doesn't show attack on Israelis  DW (English)
2. Opinion | A Worldwide ‘Jew Hunt’  The New York Times
3. Dutch lawmaker Wilders wants to deport those convicted of violence against Israeli soccer fans  ABC News
4. VIDEO: Tram set ablaze after violence erupted again in Amsterdam  CNN

1. IDF: ‘New Hezbollah targets’ reached in expanded south Lebanon ground operation  The Times of Israel
2. A new deterrence for Lebanon is needed to avoid a long war with Israel  Al Jazeera English
3. Lebanon awaits truce proposals after US envoy expresses hope  Reuters
4. Israel-Gaza-Lebanon live updates: 'No cease-fire' in Lebanon, defense minister says  ABC News
5. While Israel Seeks Deal in Lebanon, IDF and Hezbollah Escalate Their Attacks  Haaretz

1. Biden and Trump to Meet at the White House: Live Updates  The New York Times
2. Biden, Trump Set For White House Meeting After Harris Election Loss  NDTV
3. Biden-Trump White House meeting revives presidential tradition skipped 4 years ago  Fox News
4. Trump and Biden to meet at White House as Senate GOP holds leadership election  CNN

Flirty and casual responses to send your crush or loved onesYou wake up, roll over, and grab your phone to find a message from your crush, “Good morning! How did you sleep?” You bolt upright in bed. You have to respond, but how? When someone asks, “How did you sleep?” they want to know how your evening was—they’re starting a conversation. So, what do you do if someone sends you this text first thing in the morning? Try sending them one of these friendly or flirty responses.

Data gathered from several consulting firms by HT Digital indicated that Bengaluru has maintained its position as the top option for non-resident Indians wishing to invest in India’s residential real estate market, particularly those seeking affordable and mid-segment homes.  The … Continue reading →

Property owners may face serious legal and financial ramifications if they fail to pay their property taxes. Therefore, timely paying such taxes is necessary to continue taking advantage of the municipal amenities. Owners must take immediate action if a property … Continue reading →

According to officials, the Noida Authority projects that in the fiscal year 2024-2025, it will sell group housing plots for a maximum of Rs 1,080 crore and commercial land parcels for Rs 1,010 crore.  According to people who know the … Continue reading →

Try these 12 incredible iPhone tips and tricks for 2024 that will change the way you use your iPhone! From a hidden sleep timer in the Clock app to bypassing annoying ads in Safari WITHOUT an ad blocker, these hacks will save you time and headaches!

Doors are usually mundane, but these 16 different doors all hide terrible secrets behind them. Or do they?

Summary: The abundance of X.509 certificate authorities who already perform identity proofing for businesses provides a rich resource that can be leveraged to boot the verifiable data ecosystem.

When you used a verifiable credential to prove something about yourself, the verifier can know cryptographically: (1) the identifiers for the issuer, (2) the credential hasn't been tampered with, (3) the credential was issued to you, and (4) the credential hasn't been revoked. These four checks are important because their establish the fidelity of the data being transferred. They don't, however, tell them whether they can trust the issuer. For that, they need to take the issuer's decentralized identifier (DID) that they got from credential presentation and determine who it belongs to.

At the most recent Internet Identity Workshop, Drummond Reed gave a session on how X.509 certificates could help with this. The first step, like always, is to resolve the DID and retrieve the DIDDoc that associates keys and endpoints with the DID. The endpoint can be an HTTP server and, of course, should have an X.509 certificate providing TLS security. That certificate, at the very least, has a a domain name to bind that to the certificate's public key. It can, if you pay for the feature, also include information about the entity that applied for the certificate. The certificate authority proofs that information and is vouching for it when they sign the certificate.

The key to making the X.509 certificate useful for checking the provenance of a DID lies in one key change. X.509 certificates can contain and extended field called a Subject Alternative Name. This following figure shows how it can help.

In this figure:

1. The issuer (Attestor) creates the DID they will use to issue the certificate along with its associated DIDDoc, including an HTTP endpoint for DID verification.
2. Attestor applies for a X.509 certificate for that endpoint, including in the application the DID they created in (1).
3. The certificate authority does it's usual proofing of the application and issues a certificate that includes the DID in the Subject Alternative Name field.
4. The issuer creates a credential definition in the usual way that includes their DID and writes it to whatever Verifiable Data Registry their DID method dictates.
5. Attestor issues a credential to a holder (Alice) using that credential definition.
6. At some later time, Alice presents the credential to the verifier (Certiphi).
7. Certiphi resolves the DID to get the DIDDoc and retrieves the verfication endpoint from the DIDDoc
8. Certiphi retrieves the certificate for that endpoint¹.
9. Certiphi verifies the certificate by checking it's signature and ensures that the DID in the DIDDoc for the credential matches the one in certificate.²

The issuer's DID has now been tied in a verifiable way to whatever information is in the certificate. Provided the certificate includes information about the entity beyond the domain name, the verifier can use that information to determine whether or not the credential is authentic (i.e., issued by who the credential definition purports issued it). That might be all the evidence they need to determine whether to trust the entity. Certificate authorities could also issue verifiable credentials to the customer attesting the same verified claims—after all, it's one more product they can offer.

The benefit of doing issuer validation using X.509 certificates is that there are already many trusted X.509 certificate authorities in business who already do proofing of attributes about businesses. That's a huge chunk of the verifiable data ecosystem that doesn't need to be built because it can be leveraged. To make this work, digital certificate authorities would need to start offering to validate DIDs and include them in a certificate as a Subject Alternative Name. I don't discount that this will take some bureaucratic maneuvering. Certificate authorities will need to see a business opportunity. I'd love to see Digitcert or someone do a pilot on this.

Notes

1. Note that this step might be combined with the previous step if the Verifiable Data Registry is the same server as the endpoint, but that's not necessarily going to be the case for a number of reasons.
2. Note that this does not create a call back wherein Attestor can determine which credential was used, preserving the privacy of the presentation. Attestor does know one of its credentials has been presented to Certiphi. If this information leakage bothers you, then any web-based DID method is potentially a problem.

Tags: identity ssi decentralized+identifiers verifiable+credentials x.509

Summary: This spring's IIW was full of interesting people and interesting discussions with people from around the globe.

We recently completed the 38th edition of the Internet Identity Workshop. We had 330 people from around the world who called 169 sessions. As usual there was lots of energy and thousands of side conversations. IIW is a place to get things done and it showed in the energy and the comments people made to me about how much they enjoyed it.

As you can see by the pins in the map at the top of this post, there were attendees from all over the world. Not surprisingly, most of the attendees were from the US (241), followed by Canada (11). Germany, India, and Switzerland rounded out the top five with 9, 8, and 7 attendees respectively. Attendees from India (5), Thailand (3), and Korea (3) showed IIW's diversity with attendees from APAC. And there were 4 attendees from South America this time. Sadly, there were no attendees from Africa again. Please remember we offer scholarships for people from underrepresented areas, so if you'd like to come to IIW39, please let us know. If you're working on identity, we want you there.

For states and provinces, California was first with 122. Washington (16), Utah (10), Texas (10) and New York (10) rounded out the top five. San Francisco (14) Oakland (13), San Jose (12), Seattle (11), and New York (9) were the top cities.

In addition to sessions, we have a demo hour on Wednesday that is a little like speed dating. There were 20 different projects highlighted. There's always more than one session that I want to attend in any given time slot and choosing is hard. That's a common refrain. Luckily we have sessions notes that we publish in a Book of Proceedings.

Here's pictures from all three days courtesy of Doc Searls

You belong at IIW! IIW is where you will meet people to help you solve problems and move your ideas forward. Please come! IIW 39 will be held October 29-31, 2024 at the Computer History Museum. We'll have tickets available soon.

Tags: identity iiw

Summary: We know that LLMs hallucinate. And we know that we can overcome some of that problem with better prompts. But can LLMs provide references for their work? I conducted an experiment.

Recently my friend Scott Mace asked this on X in response to a post about the evolution of software and how LLMs will likely follow that same trajectory:

Yes, but how trustworthy will it be? Can I at least see the links it used to create its response?

From X
Referenced 2024-05-21T18:09:06-0400

The short answer is "no", but the real answer is a bit more nuanced because of how LLMs like ChatGPT work. First the short answer: LLMs don't understand what they're saying so they can't reference the material that it used to create a response. They don't work like that. They don't go out, do a bunch of research and then create a response. Instead lots (and I mean LOTS) of material is fed into the program that creates the model, a multi-dimensional matrix of word orders. Then when you ask a question ("give it prompt" in LLM-speak), it processes the question and generates text based on the probabilities of words in its model¹. There's no way it can satisfy Scott directly because the model doesn't—can't, as far as I know—include the references that it used to create the text because it's generating it on the fly from material that has been thoroughly blended together.

But, in fairness, that's not what people do most of the time either. If you asked me over lunch or at the end of a tech presentation to describe zero trust and its pros and cons, I'd start talking. I wouldn't start looking up things on the web and somehow weave them into text complete with references. I'd go look for references if you asked me to back up something I said. So, let's try that with ChatGPT 4o. I gave it the following prompt:

You are a writer for a website focusing on technology. Your specialty is security. Write a 150 word explanation of zero trust with three pros and three cons.

ChaptGPT answered with this text:

Zero Trust is a security model based on the principle of "never trust, always verify." Unlike traditional security models that assume everything inside the network is safe, Zero Trust assumes that threats can exist both inside and outside the network. It requires strict identity verification for every user and device attempting to access resources, regardless of their location.

Pros:

1. Enhanced Security: By continuously verifying users and devices, Zero Trust reduces the risk of breaches and unauthorized access.
2. Minimized Attack Surface: It limits access to only what is necessary, reducing potential entry points for attackers.
3. Improved Compliance: Helps meet regulatory requirements by ensuring strict access controls and logging all access attempts.

Cons:

1. Complex Implementation: Deploying Zero Trust can be complex and time-consuming, requiring a significant overhaul of existing systems and processes.
2. Increased Costs: The initial investment in technology and training can be high.
3. User Experience Impact: Continuous verification can lead to friction and inconvenience for users if not implemented smoothly.

Zero Trust is essential for modern cybersecurity, but it requires careful planning and resources to implement effectively.

That's pretty good. But what if we need some references to other material to back up the pros and cons? I asked ChatGPT to supply them:

Now repeat that task, but this time include references as hyperlinks to back up each pro and con.

ChaptGPT answered with this text:

Zero Trust is a security model based on the principle of "never trust, always verify." Unlike traditional security models that assume everything inside the network is safe, Zero Trust assumes that threats can exist both inside and outside the network. It requires strict identity verification for every user and device attempting to access resources, regardless of their location.

Pros:

1. Enhanced Security: By continuously verifying users and devices, Zero Trust reduces the risk of breaches and unauthorized access (CSO Online).
2. Minimized Attack Surface: It limits access to only what is necessary, reducing potential entry points for attackers (NIST).
3. Improved Compliance: Helps meet regulatory requirements by ensuring strict access controls and logging all access attempts (Gartner).

Cons:

1. Complex Implementation: Deploying Zero Trust can be complex and time-consuming, requiring a significant overhaul of existing systems and processes (Forrester).
2. Increased Costs: The initial investment in technology and training can be high (ZDNet).
3. User Experience Impact: Continuous verification can lead to friction and inconvenience for users if not implemented smoothly (TechRepublic).

Zero Trust is essential for modern cybersecurity, but it requires careful planning and resources to implement effectively.

That looks great! Nice references for each bullet. There's just one problem. All the links, except the NIST reference, are dead. I don't know if they're wrong, made up, or stale. I tried finding content on a few of the sites by searching and came up dry. As I heard Johannes Ernst say once, ChatGPT is a "large language model" not a "large fact model" and this bears that out.

Still, asking for references or evidence for statements is something people are going to want. So, I tried a different tack. This time I asked this:

Why do you say complex implementation is a problem for zero trust? Can you give me a few references on that I can read myself?

ChatGPT responded with this:

Implementing a Zero Trust security model can be challenging for several reasons:

1. Overall Complexity: Zero Trust requires a comprehensive understanding of your network's intricacies, including users, devices, applications, and data. This can involve significant changes to existing infrastructure, which can be disruptive and costly. Organizations need to be prepared for the extensive planning and resources required for successful implementation​ (Help Net Security)​​ (Enterprise Networking Planet​).
2. Legacy Systems: Many organizations have legacy systems that are not designed to operate within a Zero Trust framework. These systems might require different security measures or even complete replacement, adding to the complexity and cost (Help Net Security)​​ (Enterprise Networking Planet​)
3. Cultural Shift: Zero Trust is not just a technological shift but also a cultural one. It requires continuous verification and strict access controls, which can lead to user frustration and resistance if not managed properly. Ensuring user buy-in and minimizing disruption to workflows through training and communication is essential (Deloitte United States)​​ (Guidehouse).
4. Resource Intensive: Implementing and maintaining Zero Trust can put a strain on IT resources due to the need for continuous monitoring and management. The need for advanced security tools and ongoing updates further adds to the resource demands (Help Net Security)​​ (Enterprise Networking Planet​).
5. Stakeholder Alignment: Achieving buy-in from all stakeholders and aligning them with the Zero Trust principles is critical. This requires a coordinated effort to educate stakeholders, prioritize gaps, and ensure consistent understanding and application of Zero Trust principles across the organization (Deloitte United States)​​ (Guidehouse).

These challenges highlight the importance of a phased and well-planned approach to Zero Trust implementation, considering both technological and human factors. For more detailed insights, you can refer to articles from Help Net Security and Guidehouse.

Much better. The links in the bullets all work, but the ones at the end don't. The articles it references aren’t very detailed, so I wouldn’t say they’re stellar references, but at least there’s a pointer to outside material that discusses similar challenges. So, partial success.

I've found that when you're using ChatGPT to do research, treating it like a librarian and asking questions that follow up are the best way to gain confidence that the material is correct and find the supporting material, just as I did above. I'm sure you could wrap additional helper functions around an LLM to make getting references easier. But for now interrogation through chat is the best way to get comfortable with the results.

Notes

1. Yeah, this is really simplified and thus wrong, but it's directionally correct. For a better explanation, see What Is ChatGPT Doing … and Why Does It Work?.

Photo Credit: Older Man Talking to Robot Librarian from DALL-E (public domain) Prompt: draw me a rectangular picture of an older man talking with a robot librarian. Use earth tones.

Tags: genai llm chatgpt prompt+engineering

Summary: In session after session, attendees at EIC are hearing the message that decentralized identity is the answer to their identity problems.

I'm at European Identity Conference (EIC) this week. I haven't been for several years. One thing that has struck me is how much of the conversation is about decentralized identity and verifiable credentials. I can remember when the whole idea of decentralized identity was anathema here. The opening keynote, by Martin Kuppinger is Vision 2030: Rethinking Digital Identity in the Era of AI and Decentralization. And all he's talking about is decentralized identity and how it's at the core of solving long standing identity problems. Another data point: Steve McCown and Kim Hamilton-Duffy ran a session this morning called Decentralized Identity Technical Mastery which was a hands-on workshop. The rather large room was packed—standing room only.

I attended a couple of sessions on decentralized identity where I didn't know the companies, the speakers, or the specific platforms they were using. The space is too big to keep track of anymore. Identity professionals who were ignoring, or talking down, decentralized identity a few years ago are now promoting it.

This truly feels like a tipping point to me. At IIW, it's identity geeks talking with other identity geeks, so it's no surprise to see lots of discussion about new things. EIC is a different kind of conference. There are about 1000 people here I'd guess. Most of them aren't working on new standards or open source projects. Instead they're the folks from companies who come to conferences like EIC to learn how to solve the problems their organization is facing.

In the keynotes and in numerous sessions, the message that they're hearing is "decentralized identity will solve your problems." Martin closed his talk with the proclamation that "decentralized identity is the new paradigm for identity."

Photo Credit: Credential Tipping Point by DALL-E (public domain) Prompt: Draw a rectangular picture that shows a credential at a tipping point. Make the credential look like a lifelike credential, include cartoon picture, and some writing. Use bright friendly colors.

Tags: identity ssi decentralized+identity verifiable+credentials

Summary: What is decentralized identity and why is it important? My attempt at a simple explanation.

In Yeah, yeah, yeah, yeah, yeah, nah, Alan Mayo references my recent blog post, Decentralized Identity Comes of Age, and says:

My challenge to the decentralization community is for them (someone) to explain how it works in relatively simple and reasonable terms. I say relative because identity is not simple, so we should not expect simple solutions.

This post is my attempt to do that for Alan and others.

Identity is how we recognize, remember, react to, and interact with other people, organizations, and services. Put another way, identity is about relationships. Online we suffer from a proximity problem. Since we're not near the parties we want to have relationships with, our natural means of recognizing, remembering, and interacting with others can't be used. Digital identity systems are meant to provide us with the means of creating online relationships.

Traditional identity systems have not served us well because they are owned and controlled by companies who build them for their own purposes. The relationships they support are anemic and transactional. We can't use them for any purpose except what their owner's allow.

Decentralized identity systems¹ on the other hand allow you to create online relationships with any person, organization, or service you choose and give you the tools to manage and use those relationships. They help you recognize, remember, react to, and interact with them. The most important tool is a decentralized identity wallet. The world of decentralized identity wallets is still young, but organizations like the Linux Foundation's Open Wallet Foundation give me hope that useful, interoperable wallets are a tool we'll all be able to use soon. They are as foundational to decentralized identity as a browser is to the web.

Besides helping you manage peer-to-peer relationships with others online, wallets hold verifiable credentials, the digital analog to the credentials and cards you carry in a physical wallet. One of the most important aspects of digital relationships is providing information about yourself to those you interact with. Sometimes that information can come from you—it's self-asserted—but many times the other party wants to reliably know what others say about you. For example, if you establish a banking relationship, the bank is legally obligated to verify things like your name and address independent of what you say. Decentralized identity wallets allow you to prove things about yourself using credentials others provide to you. At the same time, they protect your privacy by limiting the information disclosed and forgoing the need for the party you're interacting with to directly contact others to verify the information you provide.

In summary, decentralized identity systems allow you to create digital relationships with other parties independently, without relying on any other organization or service. These relationships are direct, private, and secure. They also provide the means for you to prove things about yourself inside these relationships so that even though you're operating at a distance, you and the other party can have confidence in the relationship's authenticity.

How Does It Work

The preceding paragraphs say what decentralized identity is, and provide its benefits, but don't say how it works. Alan and others will likely want a few more details. Everything I describe below is handled by the wallet. The person using the wallet doesn't need to have any more knowledge of how they work than the operator of a browser needs to understand HTTP and HTML.

The foundation of a peer-to-peer, decentralized online relationship is an autonomic identifier like a peer DID. Identifiers are handles that someone else can use to identify someone or something else online. Peer DIDs can be created by a wallet at will, they're free, and they're self-certifying (i.e., there's no need for a third party). A relationship is created when two identity wallets create and exchange peer DIDs with each other on behalf of their owners. Peer DIDs allow the parties to the relationship to exchange private, secure messages.

There are four primary interaction patterns that wallets undertake when exchanging messages:

1. DID Authentication which uses the DIDs to allow each party to authenticate the other
2. Single-Party Credential Authorization where the same party issues and verifies the credential.
3. Multi-Party Authorization where the credential issuer and verifier are different parties.
4. Generalized Trustworthy Data Transfer which uses a collection of credentials to aid the wallet owner in completing online workflows.

Verifiable credentials make heavy use of cryptography to provide not only security and privacy, but also confidence that the credential data is authentic. This confidence is based on four properties a properly designed credential presentation protocol provides:

1. The identifier of the credential issuer
2. Proof that the credential is being presented by the party is was issued to
3. Proof that the credential has not been tampered with
4. The revocation status of the credential

The credential presentation can do all this while only disclosing the information needed for the interaction and without the verifier having to contact the credential issuer. Not having to contact the issuer ensures the credential can be used in situations with poor connectivity, that the issuer needn't be online, and preserves the credential subject's privacy about where the credential is being used.

A properly designed credential exchange protocol has four important properties:

1. The system is decentralized and contextual. There is no central authority for all credentials. Every party can be an issuer, an owner, and a verifier. The system can be adapted to any country, any industry, any community, any set of credentials, any set of trust relationships.
2. Issuers are free to determine what credentials to issue and whether or not to revoke them.
3. Wallet owners are free to choose which credentials to carry and where and when they get shared. While some verifiers require a specific credential—such as a customs agent requiring a passport—others will accept a range of credentials. Therefore owners can decide which credentials to carry in their wallet based on the verifiers with whom they interact.
4. Verifiers make their own decisions about which credentials to accept. For example, a bar you are trying to enter may accept any credential you have about your date of birth. This means some credentials (e.g., passports, driving licenses, birth certificates) may be much more useful than just for the original purpose for which they were issued.

These properties make a decentralized identity system self sovereign.

Why is Decentralized Identity Important?

Decentralized identity systems are designed to provide people with control, security, and privacy while enhancing the confidence we have in our online relationships. Some time ago, I wrote the following. I think it's an apt way to close any discussion of decentralized identity because unless we keep our eyes on the goal, we'll likely take shortcuts in implementation that fail to live up to their promise.

Presently, people don't have operational relationships anywhere online.² We have plenty of online relationships, but they are not operational because we are prevented from acting by their anemic natures. Our helplessness is the result of the power imbalance that is inherent in bureaucratic relationships. The solution to the anemic relationships created by administrative identity systems is to provide people with the tools they need to operationalize their self-sovereign authority and act as peers with others online. Peer-to-peer relationships are the norm in the physical world. When we dine at a restaurant or shop at a store in the physical world, we do not do so under the control of some administrative system. Rather, we act as embodied agents and operationalize our relationships, whether they be long-lived or nascent, by acting for ourselves. Any properly designed decentralized identity system must provide people with the tools they need to be "embodied" in the digital world and act autonomously.

Time and again, various people have tried to create decentralized marketplaces or social networks only to fail to gain traction. These systems fail because they are not based on a firm foundation that allows people to act in relationships with sovereign authority in systems mediated through protocol rather than by the whims of companies. We have a fine example of a protocol mediated system in the internet, but we've failed to take up the daunting task of building the same kind of system for identity. Consequently, when we act, we do so without firm footing or sufficient leverage.

Ironically, the internet broke down the walled gardens of CompuServe and Prodigy with a protocol-mediated metasystem, but surveillance capitalism has rebuilt them on the web. No one could live an effective life in an amusement park. Similarly, we cannot function as fully embodied agents in the digital sphere within the administrative systems of surveillance capitalists, despite their attractions. The emergence of self-sovereign identity, agreements on protocols, and the creation of metasystems to operationalize them promises a digital world where decentralized interactions create life-like online experiences. The richer relationships that result from properly designed decentralized identity systems promise an online future that gives people the opportunity to act for themselves as autonomous human beings and supports their dignity so that they can live an effective online life.

Notes

1. I prefer the term self-sovereign to decentralized because it describes the goal rather than the implementation, but I'll stick with decentralized here. All self-sovereign identity systems are decentralized. Not all decentralized identity systems are self-sovereign.
2. The one exception I can think of to this is email. People act through email all the time in ways that aren't intermediated by their email provider. Again, it's a result of the architecture of email, set up over four decades ago and the culture that architecture supports.

Photo Credit: Young Woman Using a Wallet from DALL-E (public domain) Prompt: draw a rectangular picture of a young woman using a wallet.

Tags: identity ssi decentralized+identity verifiable+credentials

Summary: Until we value freedom and independence in the digital world, we will yield up control of our digital lives to others who will act in their own interests, not ours.

In response to a post on X about China's social credit system, Paul Conlon said:

Digital ID is ultimately about access control where those who impose the system are the ones determining what you are required to be and do.

Provision of resources and liberties become conditional upon the whims of the affluent. Doesn't sound safe or convenient to me.

From X
Referenced 2024-08-28T08:10:31-0400

How Paul said this struck me because I've been thinking a lot about access control lately. I believe that we build identity systems to manage relationships, but, as Paul points out, in many cases the ultimately utility of identity systems is access control.

This isn't, by itself, a bad thing. I'm glad that Google controls access to my GMail account so that only I can use it. But it doesn't stop there. If I use my Google account to log into other things, then Google ultimately controls my access to everything I've used it for. This is federation's original sin¹.

Paul's comment points out the primary problem with how we build identity systems today: when access control is centralized, it inherently shifts power towards those who manage the system. This dynamic can lead to a situation where individuals must conform to the expectations or demands of those in control, just to maintain their access to essential services or resources. While we often accept this trade-off for convenience—like using Google to manage multiple logins—the broader implications are troubling.

The more we rely on federated identity systems, with their tendency to centralization, the more we risk ceding control over our digital lives, reducing our autonomy, and increasing our dependence on entities whose goals may not align with our own. This is why the principles of self-sovereign identity (SSI) are so compelling. SSI proposes a model where individuals maintain control over their own identity, reducing the risks associated with centralized access control and enhancing personal freedom in the digital realm.

Critics of SSI will claim that giving people control over their identity means we have to accept their self assertions. Nothing could be further from the truth. When someone wants me to prove I'm over 18, I use a driver's license. The state is asserting my age, not me. But I'm in control of who I show that to and where. Sovereignty is about borders and imposes a system of relationships.

Now, China could use decentralized identity technology to build their social credit system. One credential, controlled by the state, that is used to access everything. Technology alone can't solve this problem. As a society, we have to want a digital world, modeled on the physical one, where individuals are the locus of control and use information and assertions from a variety of credentials to build and interact in authentic peer-to-peer relationships. Until we value freedom and independence in the digital world, we will yield up control of our digital lives to others who will act in their own interests, not ours.

Notes

1. For similar reasons, I think federated social media systems are a bad idea too, but that's another blog post.

Photo Credit: Papers Please from DALL-E (public domain). Prompt: Draw a rectangular picture of police checking identity papers of people on the street

Tags: identity access+control ssi

Summary: We held the 39th edition of Internet Identity Workshop last week. Like always, it was a great week.

The 39th edition of the Internet Identity Workshop wrapped up last week. We have 364 attendees from around the world who called 178 sessions. I can't begin to describe the energy of the identity community when they all get together to discuss their favorite topics. If you like identity, or simply want to be part of an enthusiastic technical community, you should come to IIW.

As you can see by the pins in the map at the top of this post, there were attendees from all over the world. Not surprisingly, most of the attendees were from the US (251), followed by Canada (18) and France (14). Germany, Japan, and Australia rounded out the top six with 12, 9, and 7 attendees respectively. Attendees from India (5), Columbia (3), and Chile (2) show IIW's geographic diversity. Sadly, there were no attendees from Africa again. Please remember we offer scholarships for people from underrepresented areas, so if you'd like to come to IIW40, please let us know. If you're working on identity, we want you there.

For states and provinces, California was first with 131 attendees. Washington (19), Utah (14), New York (9), and Massachusetts (9) made up the rest of the top 5. San Jose (20), San Francisco (16), Paris (12), Oakland (11), and Seattle (9) were the top five cities.

We'll have the book of proceedings out in a month or so with notes from the different sessions and descriptions of the 20 demos given during demo hour. Past proceedings are available here.

The next IIW takes place April 8-10, 2025 at the Computer History Museum. This will be IIW XL, number 40! We'll have registration open the first part of December. If you're interested in sponsoring, send me a note.

Tags: iiw identity

The National Archives and Records Administration (NARA) has released their Request for Proposal (RFP) for its Electronic Records Archive project. The eight-year performance-based ERA contract could be worth about $122 million.

Emarketing firms IMH, Inc. and eLaw Marketing offer new RSS services for publishing eNewsletters. Can the same thing be accomplished using your existing blogging software?

Florida is famous for “Florida Man” news stories and memes, for the extreme heat frying people’s brains, and for more and more extreme Republicans taking over the state. When I was younger, it was a swing state in national elections— one of the key swing states. It seems that it’s ... [continued]

The post Should Democrats Abandon Florida? appeared first on CleanTechnica.

By Kyle Julian, Regional Director, Commercial & Industrial Sales, U.S. West Without data centers, life as we know it would collapse. That may sound like hyperbole, but our entire digital economy relies on data centers. But it turns out that data centers use a lot of electricity. In fact, the ... [continued]

The post Behind the Curtain: Power Grid Resilience for Data Centers appeared first on CleanTechnica.

At the Internet Librarian's Conference, Steven M. Cohen demonstrated many real cool RSS applications including HubMed. Not being a health sciences librarian, I wasn't yet familiar with this relatively new alternative search of the familiar PubMed medical literature database. If you're one who monitors the latest news about a drug or treatment, or if you're doing serious medical research, you'll absolutely love the assortment of alerts and exporting features HubMed provides.

You won't appreciate any of this until you do a search. So go ahead, look for something of interest. I have a niece just diagosed with Hodgkin's Lymphoma so I'll do a search of that. HubMed allows users to perform a search, click on the orange "feeds" button in the right corner of the search results, and save it as an RSS feed. When new articles have been added to PubMed, HubMed will send you this information notification as an RSS feed.

So from the page of the search results I click on the orange button and now I see a page with the urls for query based feeds in both RSS and Atom formats. You can simply drag this button into a RSS news reader like NetNewsWire Pro (Mac) or NewzCrawler (PC) . Myself, I click on my Bloglines brower bookmarklet, and bingo, I'm into Bloglines where with one more click I'm subscribed to this feed for Hodgkins's Lymphoma. Now, Hubmed will keep checking the literature and deliver to me everything new it finds. Three clicks, literally. This is better than a dog that brings the morning paper.

If you are subscribed to a HubMed RSS feed, you can also post directly from your aggregator using the Blogger API at http://www.biologging.com/xmlrpc.php. Biologging, is a community weblog for biomedical researchers. It allows you to create your own annotated store of abstracts, and to browse the logs of other users. You can create an account and submit posts to your personal weblog within biologging by using the 'Blog This' or 'Make A List' buttons in HubMed.

But wait, there's more. So much more, in fact that Matt Eberle at Library Techlog calls Hubmed "The Swiss Army knife of PubMed interfaces." If you go back to your search results, you'll see for each result a number of links to things like Abstract, Fulltext, SFX, Clip, Citation, Related, TouchGraph, and References.

A click on the SFX link (a library link server) connects you to a look up of the resource in the holdings in your local library's catalog. It supports Innovatic Innopac, BIBSYS, Dynix Horizon, Endeavor VOYAGER, SIRSI Unicorn catalogs. You can also ook up holdings in other catalogs (such as MELVYL and Library of Contress, and OCLC WorldCat), request the document be sent to you using your library's document delivery service or another (such as ILLiad and Infotrieve), download the bibliographic record for importation into your software (Refworks, Endnote, Procite, Reference Manager), save the citation, capture it using the wonderful award winning Windows utility NetSnippets, and more.

My compliments to Alf Eaton and the creators of HubMed. "I have used HubMed for a while now," writes Steven, "and have been absolutely thrilled with the results. This is one of those tools that awes the crowds at some of my presentations, and rightfully so."

I agree and only wish that HubMed had more in the way of tutorials to help novices like myself get the most out of this wonderful service. Have fun exploring it!

Speaking of the health sciences, look for the syndication of more and more publications from federal agencies. I saw recently, for example, that the National Network of Libraries of Medicine South Central Region (NN/LM SCR) is publishing Network News, their bimonthly Newsletter from the South Central Region, as a RSS feed. Thank you, Greg Bodin, for offering this.

Tired of Chrome? While Google Chrome is a popular choice for many due to its speed and extensive library of extensions, it’s not the only option out there. If you’re looking for a change, here are three web browsers that offer unique benefits and might just enhance your browsing experience. DuckDuckGo  Known primarily for its […]

Christmas is just a few weeks away, and if you’re planning to work on some fun DIY projects—the earlier you do it, the better. Getting an early start on your holiday DIY projects comes with a long list of benefits, and here are five reasons why it’s always a good idea. More Time The earlier […]

HTML5 is a technology that is all the rage in the web world with a great potential to considerably ease the process of video playback, enhance the web application user interface and boost the offline or online synchronization of web applications. video plug-ins. You can find so many websites over the World Wide Web that …

7 best html5 jquery video plug-ins Read More »

As more businesses move to the cloud, they are becoming increasingly vulnerable to cloud network security threats. Here are the top three threats and how to avoid them: Data breaches One of the most common and devastating cloud security threats is data breaches. These can occur when hackers gain access to a company’s cloud-based data, …

The Top 3 Cloud Network Security Threats (And How to Avoid Them) Read More »

Although it may not make the headlines as often as other forms of cybercrime, identity theft remains an issue. Now NordVPN has launched an identity theft protection service called NordProtect. Currently available to NordVPN Prime plan users in the US, it merges years of cybersecurity expertise with cutting-edge technology to offer a solution users can trust. "NordProtect is yet another step in NordVPN's mission to fully secure customers as online threats advance," says Tomas Sinicki, managing director of NordProtect. "You can have all of the necessary tools for cybersecurity installed but one careless click can end up giving your identity… [Continue Reading]

Your website’s command center, the WordPress dashboard, arrives with several widgets that enhance functionality. However, not all of these may be beneficial for every user. As plugins introduce more widgets over time, your dashboard may start to feel crowded and …

UX surveys can be pivotal tools for designers seeking to understand user preferences, opinions, and behaviors. They foster alignment between design strategies and user expectations and can improve product or service usability. Our overview unravels the process of conducting UX …

If you’re looking for stunning black and gold wedding themes, look no further. Here are some ideas to help guide your choice.

In video editing, one key aspect that can significantly enhance the visual appeal of your videos is...

As we cruise into the future of electric vehicles (EVs), the buzz around solid-state battery technology is getting louder and more electrifying. Imagine a world where EVs charge faster than your smartphone, drive huge distances, and are safer than your gran on a Friday night. That’s the promise of solid-state batteries, a technology that’s poised to supercharge the EV revolution. Solid-state batteries are like the cool new kids on the block, set to replace the lithium-ion batteries we’ve come to...

The post The Solid State Battery Race: Who’s Going To Win? appeared first on The Red Ferret Journal.

Spencer is back with Jared to host this week’s episode of the Niche Pursuits News Podcast.  Like they always do, they discuss the major happenings related to SEO, small publishers, Google, and beyond, and it has been a very eventful…

The post DOJ Tries to Break Up Google Chrome, Android, and Search Monopoly appeared first on Niche Pursuits.

This week Jared Bauman sits down with Jake Cain, a long-time blogger with a portfolio of sites, a former Niche Pursuits employee, and an attendee at Google’s recent Creator Summit. In this interview, Jake shares his experience at the event,…

The post Jake Cain Was Inside Google’s “Secret” Meeting with 20 HCU Crushed Bloggers. Here’s What Happened appeared first on Niche Pursuits.

Bidding on branded terms is an essential PPC strategy. Understand how your company can improve performance by bidding on your competitor’s branded terms.

The post Why You Should Bid on Your Competitor’s Branded Terms appeared first on Portent.