1️⃣ "IDtech" is overly-broad. It covers what we know as "self-sovereign identity", "SSI", or "Web5"...but it *also* covers traditional selfie-scan-check (e.g., Onfido, Jumio), single sign-on (e.g., Auth0, Okta, Microsoft AD).
The concept of "identity providers" or "identity & access management" is *too* strongly entrenched in the minds of this corner of the tech industry as relating to authentication + authorisation.
We need a more *precise* term than IDtech to distinguish it from the broad idea of IAM.
I don't think SSI / Verifiable Credentials *supplants* IAAA (acronym alert! thorteaches.com/cissp-iaaa/), it *augments* it. This from actual conversations with clients/architects over many years where they don't really understand why SSI is powerful, until that distinction is made.
The more I think of it, the more I get to the conclusion that a constellation of different-but-related terms will need to replace "SSI", at least outside of the in-crowd.
E.g., I can totally see "self-custodied" perform with the crypto crowd, because they love their "not your keys, not your crypto" mantra.
Unsure whether "self-managed" has the same ring to it for a general audience, especially since it doesn't have a widely-known mantra like the one above.
3️⃣ "Verifiable Credentials" are "verifiable" in exactly one sense: that it's cryptographically untampered since the point it was issued (or tamper evident).
Where this breaks down is when the term "verifiable" is used with a legal/compliance audience, especially as it often gets mangled to "VERIFIED credentials".
In *their* context, "verifi..." means "the data contained within can be trusted". Not whether it's untampered (but false).
Which is why @cheqd_io we played around with "trusted" data or "authentic" data to distinguish "verifiable cryptographically as untampered" (since the data itself could still be "false") vs "cryptographically verifiable AND you can trust it".
Tbh, I don't think either of those takes is *quite* there yet. "Trusted" performs slightly better than "authentic", IMO. Like @rileyphughes, the problem is that the usage of these terms in English just varies so much based on context!
And to answer the question "how many times have you heard 'verified credential' instead of 'verifiable credential'?" Honestly? More times than either I or @fraser_again can count, as soon as we step outside SSI. Especially when talking to teams in large enterprises/govt. 🥲
(For context, I've sat on non-technical standards bodies/panels such as Open Identity Exchange, Tech UK, Fintech Panel etc and with a lot of bank teams while at R3, and their interpretation of "verified"/"verifiable" is completely different, and the mix-up between the two is VERY common.)
The reason why, IMO, that distinction between untampered vs data inside can be trusted comes into play is ultimately it's the latter they care about. I also use it as a *reminder* to those teams that assessing verifiable credentials is *exactly* the same as they assess a PDF
...upload, as far as the legal perspective/liability goes. Yes, an SSI VC will speed up some of the steps/checks by rejecting obvious tampering etc but they still need to trust:
a) data in the credential
b) the issuer
...which is where we run into *trust* registries 🤔
Also, a lot of *technical* engineers/architects, especially if they have any IAM background at all, in my experience find it hard to distinguish "verifiable" (checking the envelope) vs "checking what's inside the envelope". Traditional IAM often cares only about the former.
Having said that..."trusted"/"trustable" over-indexes for the definition of those two terms as defined in traditional KYC/ID verification processes.
But there are other use cases, e.g., porting a social media profile from Twitter to Mastodon, where it's not traditional "trust"
...rules that apply, but rather it's the *portability* that's the key characteristic.
E.g.: I've seen in the past few weeks, as people are moving Twitter -> Mastodon, that unscrupulous actors are replicating entire Twitter profiles (with posts) on a different Mastodon server
...than the one the original author created. VCs can enable a form of portability. Obviously, there's no legal/regulatory body that can define a "trust registry" for Twitter (unless they get into this game themselves - and why would they?!)
I'm unsure how to frame that example ("this is THE correct Mastodon profile for THIS Twitter user"), which I do think VCs will play a role in.
Outside of a regulated industry, what's the term that will land? Is it verified? Trusted/trustable? Portable? (Likely a blend.)
Thanks for this enlightening read @rileyphughes (and other contributors on that blog post) - definitely very thought-provoking! 🤗 (And sorry for reply-spamming - will post it as a Medium comment too later, but I find conversations are much better on Twitter.)